Jong,
Thanks for the feedback. What you have laid out is an interesting concept. I 
like the thought that went into it and obviously it's working well for you. I 
will take your feedback and add it to my thought process. My main project only 
has one location but I will have users connecting in from Wakanda, and 4D for 
iOS. That may make things more interesting. But since 80% of the Wakanda 
authentication is all but useless when connecting with a 4D database as the 
primary source, it's worth a look. I still cannot figure out how the 
authentication in 4D for iOS works since it only prompts for a username. I 
guess if you can figure out a person's email address you can have access to 
their available resources from the iOS gateway? 

Still good food for thought. Hopefully you have deprecated the use of MD5 as 
one of your hashes. These days I would not do anything less than SHA256. Bcrypt 
or PBKDF2 would be even stronger. Plus the Bcrypt or PBK can have salt in the 
password hashes. 

> On Sep 6, 2019, at 2:47 AM, Jörg Knebel via 4D_Tech <4d_tech@lists.4d.com> 
> wrote:
> 
> Eric,
> 
>> On 6 Sep 2019, at 24:22 AEST, Eric Naujock via 4D_Tech 
>> <4d_tech@lists.4d.com> wrote:
>> 
>> Does anyone have a replacement login system for 4D that offers stronger 
>> authentication security than the current system. Since the current system 
>> does not enforce password changes, or password complexity it is a pretty 
>> poor system in the current age. While the encryption is crypt it is still 
>> brute force attackable as well. There are no failed login lockouts. Nor is 
>> there the ability to have two factor authentication? Or is this something 
>> beyond what anyone out there is using. 
> 
> I have rolled my own system for more than 25 years now.
> It allows to manage access rights on record level divided by read only and 
> read write.
> 
> Here are some pointers to give you an idea.
> 
> All the information is held in the data-file and therefore a kind of 
> mirroring of the structure is 
> ( [Tables], [Fields], [Staff], [Passwords], [Branches], [Departments] etc.)
> 
> The passwords are stored as hashes (MD5…SHA512) which makes it a bit harder 
> but not immune against brute force attacks.
> A mandatory change of passwords after a period of time or number of logins 
> can be implemented as well as x-way authentication can be implemented.
> To use this as an addition to the 4D built-in stuff is also possible, but I 
> don’t see a reason why.
> 
> The access rights for each user are held in arrays for each user within an 
> organisation like this:
> 
>                       READ ONLY
>       NA      AA      UA      DA      BA      FA
> [Table1]              √
> 
> [TableN]                      √
> 
>                       READ WRITE
>       NA      AA      UA      DA      BA      FA
> [Table1]      √       
> 
> [TableN]              √                       
> 
> 
> Legend:
> 
> NA    No Access
> AA    Author Access
> UA    Unit Access
> DA    Department Access
> BA    Branch Access
> FA    Full Access
> 
> Every table has the following LongINT “Head Fields” :
> 
> UserIDRefCreated
> UserIDRefModified
> xCorpCreated
> xBranchCreated
> xDepartmentCreated
> xUnitCreated
> 
> Every time a user is accessing a table his rights (arrays see above) are 
> applied.
> 
> Granted to implement this in an existing application will take some doing but 
> it could be worth it.
> 
> For instance if someone within an organisation changes to a different branch 
> but will hold the “same” position, no access rights have to be adjusted and 
> the data from the former branch/department/etc. cannot be accessed any more.
> 
> HTH
> 
> 
> Cheers
> Jörg
> 
> 
> **********************************************************************
> 4D Internet Users Group (4D iNUG)
> Archive:  http://lists.4d.com/archives.html
> Options: https://lists.4d.com/mailman/options/4d_tech
> Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
> **********************************************************************
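
The record-level scope check described in the quoted message, as an added example that is not part of the original thread or anyone's production code. It is a Python stand-in for 4D; the `User`, `Record`, `in_scope` and `access` names, the way each legend level is matched against the head fields, the same-corp requirement and checking read-write before read-only are all assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Scope(IntEnum):  # column codes from the legend, narrowest to widest
    NA = 0; AA = 1; UA = 2; DA = 3; BA = 4; FA = 5

@dataclass
class Record:  # the LongINT "head fields" every table carries
    table: str
    UserIDRefCreated: int
    xCorpCreated: int
    xBranchCreated: int
    xDepartmentCreated: int
    xUnitCreated: int

@dataclass
class User:  # hypothetical shape: current placement plus the two rights arrays
    user_id: int
    corp: int
    branch: int
    department: int
    unit: int
    read_only: dict = field(default_factory=dict)   # table -> Scope
    read_write: dict = field(default_factory=dict)  # table -> Scope

def in_scope(user, rec, scope):
    """True if rec lies inside `scope` for the user's *current* placement."""
    if scope == Scope.NA or rec.xCorpCreated != user.corp:  # assumed: never cross-corp
        return False
    if scope == Scope.FA:
        return True
    if scope == Scope.AA:
        return rec.UserIDRefCreated == user.user_id
    ok = rec.xBranchCreated == user.branch                       # BA and narrower
    if scope <= Scope.DA:
        ok = ok and rec.xDepartmentCreated == user.department    # DA and UA
    if scope == Scope.UA:
        ok = ok and rec.xUnitCreated == user.unit                # UA only
    return ok

def access(user, rec):
    """Return 'rw', 'ro' or 'none'; a table absent from both arrays is denied."""
    if in_scope(user, rec, user.read_write.get(rec.table, Scope.NA)):
        return "rw"
    if in_scope(user, rec, user.read_only.get(rec.table, Scope.NA)):
        return "ro"
    return "none"

if __name__ == "__main__":  # constructed sample data
    rights = dict(read_only={"[Table1]": Scope.BA}, read_write={"[Table1]": Scope.DA})
    rec = Record("[Table1]", 7, 1, 10, 3, 30)
    for branch in (10, 20):  # same rights arrays, user moved to another branch
        print(branch, access(User(8, 1, branch, 3, 31, **rights), rec))
```

Because the rights arrays hold scopes rather than branch or department ids, moving the user to branch 20 removes access to the branch 10 record without touching the arrays, which is the behaviour the message describes.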
