Are you sick of having to take your phone whenever you need to input the 2fa code? You want a tool that automatically generates the code within your minecraft client and automatically calls the /2fa command whenever the server requires it without need of any intervention from you? You are in the right place!

Unfortunately, such a tool does not exist (yet). Well, I'm sick of this: if it doesn't exist, I'm gonna make one myself, by Jove! I know it can be done, but I also know it's going to take a huge amount of time to 1) study the algorithm behind the OTP generator and 2) implement the code on minecraft starting from scratch.

So here's a couple questions I'm gonna ask you before starting:

- Do you know whether such a tool actually exists already? (if it does, there's no point making one myself)
- Would you be interested in collaborating to develop it?

Here's 2 possible ways I have in mind, with pros and cons.

Make a new mod

- pros: I would be able to write in a powerful programming language (Java), which is essential if you want to implement in a humanly readable way a hash algorithm (macromod is terrible);
- cons: I would have to study Forge/LiteLoader/SomethingElse's API; other people who would like to use this tool would have to install another mod.

Make a macromod script

- pros: no need to study new APIs; people who already have macromod would be able to just copy-paste the code;
- cons: implementing a hash algorithm on macromod would be a programming nightmare (partly because of terrible math, but mostly -unless I'm wrong- because you can't define functions).

In both cases, I would have to thoroughly study the OTP algorithm in order to be able to implement it sensibly, one way or another. I'm leaning towards the second option, however I would greatly appreciate suggestions and remarks before starting. And of course I would appreciate even more so if you offered to help.

People who might be interested and/or who I know have some know-how: @314 @ScarabCoder @CrazySwagMaster1 @kukelekuuk00 and please tag anyone you think might be interested and/or whose opinion might be relevant. Thanks in advance!

F.A.Q.

Wouldn't such a tool completely defeat the purpose of 2fa authentication?

Not completely:

- if your concern is that the computer where you play might be compromised or accessed from malicious users, then you should definitely not use such a tool;
- if your sole concern is that your password might be stolen or guessed, but you're reasonably confident that your computer is safe (as much as you are for your smartphone), then such a tool won't defeat the purpose of 2fa authentication.

For more information, see the discussion below.

Can't you just move your ass and get your phone?

I guess I could, as I've been doing until now, however:

- I'm too lazy, so ridiculously lazy that I'm willing to spend days making such a tool (after all, "laziness is the engine of progress");
- I have a script that does stuff whenever I login, however its commands won't be accepted before 2fa authentication, therefore I have to manually launch it after I manually insert the 2fa code, and this bothers me a lot.

For more information, see the discussion below.

Can't you just relinquish 2fa?

I guess I could, but:

- I don't trust my minecraft password enough and I plan to slowly but steadily increase my wealth on ECC, so I'm not at ease thinking someone could guess my password and drain my bal;
- even if I periodically changed my password and always used very good passwords (which I'm too lazy to do for every password protected service I use), 2fa would still be much safer than that.
For reference:

- https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
- https://tools.ietf.org/html/rfc6238
- https://en.wikipedia.org/wiki/Base32
- https://tools.ietf.org/html/rfc4648
- https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
- https://tools.ietf.org/html/rfc4226
- https://en.wikipedia.org/wiki/Hash-based_message_authentication_code
- https://tools.ietf.org/html/rfc2104
- https://en.wikipedia.org/wiki/SHA-1
- https://tools.ietf.org/html/rfc3174
If this would work, I could help on that. I would need to study the Forge & LiteLoader's API too. I know pretty fluent java script.
That was one of the most outrageously dumb name choices of the last century, there's people still confused nowadays.
Not saying this is a bad idea or impossible at all as I like the principle, but I do have some questions for you.

1. Wouldn't having a code running the algorithm and autofilling the /2fa command when necessary sorta defeat the purpose of 2fa in the first place?
2. How would this mod handle switching computers? Obviously almost everyone's 2fa codes are different at any given time, so would that require some sort of database where your specific key function is stored, and you can access it via MC credentials or some sort of authorization?
Good questions, here's my answer to both.

The purpose of 2fa is to avoid someone else logging with my account because they guessed my password: 2fa authentication with smartphone-generated codes is safe insofar as I, and only I, have access to my smartphone. That's the critical point. If I, and only I, have access to my computer, then the same could be said for a computer-generated code.

Actually I already have an app on the laptop where I play that generates the same codes as my smartphone: so it's already possible. It's just that I'm too lazy to manually open the app and manually type the code: so lazy that I'm willing to spend days on this project (LOL); before starting to use 2fa I had a macro that automatically activated fly, disabled lot messages, etc upon login; with 2fa I have to manually start that macro after I enter the 2fa code, because all the commands that macro sends would not be accepted: this bothers me unbelievably and I'd love to go back to that script going automatically, while at the same time keeping 2fa security.

You might object that computers are shared more often than smartphones: but on the other hand smartphones, being mobile, are accessed more easily. And, unless you have reasons not to trust your brother who happens to play on the same server, you can be reasonably safe if the code is generated within your personal computer.

I'll answer your second question starting with another question: why would you switch computer in the first place and who owns them? This might be limited to personal experience, but I play minecraft only on my computer: because here I have my configuration, my mods, my macros, my todo list, my spreadsheet with information about members of my town and users whom I dealt with, just.. everything. Why on Earth would I play on another computer? The only reasonable scenario would be to just login after almost a week in order to avoid my bal get wiped, because for some reason I don't have access to my computer for more than a week.

But I'll try to conceive different scenarios with multiple computers:

- I own them all and only trusted people have access to them: then it would be ok to install the key on both;
- I own only one, and only trusted people have access to them, but I occasionally login from another (unsafe) computer: then I'll obviously install the key only on the first one;
- none of those computers are safe: then I have absolutely no reason to install the key on any of those computers, ever.

In general: if you trust that computer, then it's okay. If you don't, then don't.
The point of 2fa is to secure your account with another device. If your computer gets compromised, then at least your critical data secured with 2fa remains safe. If you handle 2fa on the same device you log in with, then when that device gets compromised, so does your 2fa. So yeah, doing this ruins the point of 2fa. (not that 2fa is at all important to a minecraft server.)
I see your point: 2fa codes generated on another device secure your account when your computer is compromised. However a second, broader point of 2fa is to secure your account when only your password is stolen or guessed, regardless of whether your computer is compromised or not. If my computer is compromised, then my password is compromised (or it can be bypassed) as well; however, if just my password is compromised, then my computer might still not be compromised: the first point is a particular case of the second. My tool surely defeats the first point. However it does not defeat the rest of the second, and (at least, in my case) I'm much more concerned with the latter: if my computer is compromised, my first concern would surely not be my minecraft account (which is a small subset of my digital life) but my whole computer (which is most of my digital life)!
Ever heard of a typo, m8?

EDIT: #NoobAlert. I thought typo meant auto correct. By typo, I meant auto correct. Kuke, sorry about that. Hope y'all believe me :c

EDIT (#2): Long story short, I typed in "Java" and I hit post. Right as I hit post, it corrected.
...but why? Why would somebody even bother, though? In general someone gaining access to your account and then using it to cause harm to your ECC progress is very very slim. Genuine security incidents like that are very few and far between and really only happens to staff members, because that's where more havoc can be done. I'm going to assume that if you're using 2fa then obviously your password here is unique and nobody else knows it (and nobody has access to your computer). So I guess my point here is... If you find 2fa to be a hassle, why not just not use it?
I partly answered your question in my last edit of the OP (see F.A.Q.). Shortly, my minecraft password is not idiotic, but it's not excellent either (I prefer to commit my limited bone-and-flesh memory for good passwords for more critical stuff than minecraft) but at the same time I'm not at ease knowing someone might brute-force guess it. And: what if I chose to apply for staff? I'm not planning to do that at the moment, however you're never ready enough for circumstances.
Let's just be honest, how many people /really/ want to brute-force a Minecraft account password to maliciously drain someone's balance? I could understand someone doing it to gain access to a Moderator account (which at that time you enable 2fa), but for any regular user...as long as only you use your computer and have relatively decent password security your account is fine. I've had my MC account for three and a half years and nothing bad has happened to it. And my passwords are definitely...middle tier.
It's not even possible to brute-force minecraft passwords any more. 1) they also need your email, and 2) mojang account security has improved and it quickly blacklists IPs that try to brute-force. Even with a few thousand proxies you still can't bruteforce a single account. The only thing you need to pay attention to is that you should use different passwords (So don't use 1 password for everything), don't fall for shit like phishing (the source of all minecraft alts!), and subscribe your email to https://haveibeenpwned.com/

EDIT: Also never ever send people your .minecraft.
This, I didn't know. It starts to seem that my project is pointless... aww, I was already feeling eager-beaver