owkay... but I'll keep studying ietf specifications (as if I'm not already wasting my time in 10 projects at the same time)
My worthless thoughts. I started using the 2fa here when I received no less than five alerts over the course of several months that someone was trying to reset my password to minecraft. This was in conjunction with another minecraft related breach attempt. The person was never successful, but I figured if I had 2fa on, even if they were successful in resetting the password and locking me out, they would not have access to ECC since they would not be on my pc. It would only be a matter of time for me to prove my identity and get things back to normal with minimal issues. I didn't care about other servers since I don't play anywhere else. Using 2fa because my pc being compromised wasn't even a thought. So to have something automate it from the pc would have been fine with me. For the forum, I even had the 30 day thing always on, since I didn't want to be bothered every time I came to the forum. It was a hassle, but an understandable one that I endured. That was until it stopped working for no reason and locked me out. Now, I think it is more of a hassle than the risk. I think if such a tool/app/program/whatever existed, I would have used it. I understand the want and use for something like this.
WAT? I want to believe that's just because your username is relatively simple and likely to be confused with common usernames: honest mistakes and not really malicious intent. That's what I want to believe. But you know what? What the hell: I'm going to do this, regardless! Even though it'll be wasted time, it'll still be fun. Who's with me?
In all honesty that seems more like someone has an email that's pretty similar to yours and messed em up, but that's just my two cents.
Scenario: I 'break the algorithm'. Provided anyone can feasibly do this for a minecraft client within a time limit. I give my applet out to a few friends and show off on the forums. This gets leaked/found by the people behind 2fa. Creators of 2fa want to kill me, get rid of the exploit. Something like this simply won't happen. Honestly if you want to keep using 2fa but don't want to keep your phone near you I would just install the bluestacks emulator and download the 2fa app to it. @Expipiplusone EDIT: I'm not familiar with the 2fa plugin, but I'd imagine that there's a way of setting it to allow extended logins from the same ip? Maybe make a suggestion?
What do you mean "break the algorithm"? 2fa authentication is not based on secrecy of the algorithm, but on the secrecy of the key (as any modern cryptographic algorithm). The algorithm is public. Or I misunderstood your comment.
Multi-factor authentication is not a matter of "breaking the algorithm". Nor are there any "people behind 2fa". It's a system that relies on secure cryptographic algorithms. The algorithms are public knowledge, standardized, and many implementations exist. But the fact that it's secure is a proven fact. idk wtf you're on about. But it's definitely not something from our reality.
I suppose I worded that poorly, it was a long night. What I was (at least trying to) saying is that if someone had a way to determine something as secure as a 2fa key is accredited to be, from something as simple as a minecraft client, then the algorithm and the plugin would be updated for sure, as its entire purpose is providing an additional level of security. I.e. if I were to make a plugin that would decrypt an RSA key in a few seconds, it would change. All possibilities of doing that aside (Yes, I know, it won't happen, similarly to this topic altogether), if I were to do that then either nobody would use that method of securing their stuff, or the method itself would change.
However, there is no such way in this case. The point of the mod/macro is supposed to be "Take the secret code the server told you when you set up the 2fa, then use the official algorithm to derive the current valid code from it." - which is perfectly fine and the whole basis of 2fa apps. In this case the comparison would be "I write a macro that decrypts my RSA-secured data if I provide the macro with my private key".
You, the user, receive your own secret code. You need it to power any device that is supposed to tell you your current login code. Looking from a technological aspect, using a macro isn't different from using an official two-factor authentication app for your phone - both require the same data which you are actually supposed to hand to trustworthy software.
It's both time-based and secret key based. So unless you shared your secret key with some malicious people, there is zero chance of "cracking" this. (You shouldn't share the secret key with anything or anyone, though.)