Here is a revolutionary idea for you. Perhaps let the users log in sometimes?

A topic by xekova created Oct 02, 2023 Views: 396 Replies: 5
(+2)

It is insane that I have to spend literally 30 minutes on captchas to be able to log in to my account. I should not have to install yet another useless app on my phone for two-factor authentication; why can't I just use my email to receive a one-time token? I mean, even after I struggle through yet another captcha marathon, which in the end becomes very mentally draining (mostly due to frustration), this stupid site, after all that hassle, finally sends a token to make sure it is me. Why not do that in the first place? Because it would be logical?

Whatever are you talking about?

It literally took me less than a minute to log out and log in with 2FAS Auth to verify your strange claim. No captchas. No mail tokens. More like 20 seconds, actually.

Was your account compromised? Do you log in from a public WLAN hotspot or something? Do you not know what literally means? Also, TOTP is optional. Is it mandatory for you?

We should be glad if itch is boosting their security. I often see hacked accounts publishing scams. Even with 2FA it still is not perfect, as sessions can be stolen. Maybe your system was compromised without your knowing and your extra login attempt kept your account from being taken over.

Moderator(+1)

If someone doesn't use 2FA for whatever reason, any login attempt is protected with a very aggressive reCAPTCHA, which, as we all know, has lately become almost impossible for actual human beings to get past, while bots apparently have no problem.

(+1)

Oooh.

After updating my knowledge...

Depending on the reCAPTCHA version, I might not have been challenged at all. But it is not really dependent on the version: researchers who tried to circumvent it easily cobbled together solutions that beat the system 50-80% of the time. I think it is reasonable to assume that the bad guys specialized in beating it have access to a solution that achieves the same results. And even when not, many bad guys are in areas where 5 bucks a day would pay for a lot of actual humans doing the job of solving the captcha manually. And since they have experience, they do it fast. And one can assume that whatever they do, it does pay at least enough to make a living and pay for electricity and computers.

But after reading about that one guy who apparently had his session stolen, not even 2FA is secure.

The danger of 2FA and captchas is relying on the security they claim to bring. In the case of 2FA there was or is a design flaw: it does not ask for 2FA again when you change passwords. (You might want to press on that; I am not sure if itch security is aware of the flaw.)

But how does one protect against those bad guys? If there is a way for humans to enter, evil humans can think up methods to enter as well. If need be, they just use the front door, manually. Itch is a honey pot. Where else do you find people willing to download software from unknown people and willing to execute it on their system? The latest trend seems to be to release fake/stolen games with payment active.

I guess they just do it manually. Brute forcing is just not done. If they want to enter, they already have some credentials or have made a new account. So solving any captchas will give them what they wanted. The case where mass solving of captchas achieves something is spamming message boards. I do not notice this happening on itch (not since external links were highlighted).
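The step-up behaviour the post above says is missing (asking for 2FA again before a password change), as an added illustration. This is not itch.io's code and does not describe how itch.io actually works; it assumes a hypothetical AuthService that records, per session, when TOTP was last verified, and refuses a password change unless that check is fresh. TOTP itself is computed per RFC 6238 / RFC 4226 (HMAC-SHA1, 30-second step, 6 digits). The secret, user names, session ids, timestamps and STEP_UP_WINDOW are all constructed for the demo.

```python
"""Step-up 2FA before a password change. Added illustration, not itch.io's code.

A session remembers when its last TOTP check succeeded; a password change is
refused unless that check is recent, and a successful change revokes every
other session of the user so a stolen cookie cannot ride along.
"""
import hashlib
import hmac
import os
import struct

STEP_UP_WINDOW = 300   # seconds a 2FA check stays "fresh" for sensitive actions (assumed)
TOTP_STEP = 30         # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def verify_totp(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Accept the current step and +/- `drift` neighbours; compare in constant time."""
    counter = now // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-drift, drift + 1) if counter + d >= 0)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical account service; in-memory stores stand in for a database."""

    def __init__(self):
        self.users = {}      # user -> {"salt", "pw", "totp"}
        self.sessions = {}   # session id -> {"user", "last_2fa", "created"}

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": _hash_pw(password, salt), "totp": totp_secret}

    def _check_pw(self, user: str, password: str) -> bool:
        u = self.users.get(user)
        return u is not None and hmac.compare_digest(u["pw"], _hash_pw(password, u["salt"]))

    def login(self, user: str, password: str, sid: str, now: int) -> bool:
        if not self._check_pw(user, password):
            return False
        # A fresh session has no 2FA proof yet, whether or not the user has TOTP enrolled.
        self.sessions[sid] = {"user": user, "last_2fa": None, "created": now}
        return True

    def complete_2fa(self, sid: str, code: str, now: int) -> bool:
        s = self.sessions.get(sid)
        if s is None or not verify_totp(self.users[s["user"]]["totp"], code, now):
            return False
        s["last_2fa"] = now    # proof is bound to *this* session, not to the account
        return True

    def change_password(self, sid: str, old: str, new: str, now: int) -> str:
        s = self.sessions.get(sid)
        if s is None:
            return "no_session"
        user = s["user"]
        if not self._check_pw(user, old):
            return "bad_password"
        # Step-up: the flaw described in the thread is skipping exactly this check.
        if s["last_2fa"] is None or now - s["last_2fa"] > STEP_UP_WINDOW:
            return "2fa_required"
        salt = os.urandom(16)
        self.users[user]["salt"], self.users[user]["pw"] = salt, _hash_pw(new, salt)
        # Revoke every other session of this user: a hijacked one must not survive.
        for other, sess in list(self.sessions.items()):
            if other != sid and sess["user"] == user:
                del self.sessions[other]
        return "ok"


if __name__ == "__main__":
    svc = AuthService()
    secret = b"12345678901234567890"   # RFC 6238 test secret, constructed for the demo
    svc.register("alice", "hunter2", secret)
    svc.login("alice", "hunter2", "victim", now=59)
    svc.login("alice", "hunter2", "stolen", now=59)      # attacker holding a copied session
    print(svc.change_password("stolen", "hunter2", "pwned", now=59))       # 2fa_required
    svc.complete_2fa("victim", totp(secret, 59), now=59)
    print(svc.change_password("victim", "hunter2", "fresh-pass", now=59))  # ok
    print(sorted(svc.sessions))                                             # ['victim']
```

Two details carry the weight here: the freshness check is per session, so an attacker who copied a cookie but cannot produce a TOTP code is stopped at the password change even if they know the old password, and a successful change drops every other session of the user, which is what answers the "sessions can be stolen" worry raised earlier in the thread.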

(+1)

"If someone doesn't use 2FA for whatever reason"

I actually use it whenever I receive a token via email, and that is fine with me. I do not want to link my phone to this page; no offense, but I would be embarrassed to do so :D
I would just like to have the email way of 2FA as an option. Currently the site randomly decides whether I should be sent a token or not, which does not make it safe at all. I guess I get these captcha challenges as I use both a VPN and Tor, as privacy is a top priority for me.

Anyway, I guess I overreacted a bit. I usually just ignored this issue, but that last time it was quite literally close to 30 minutes to be able to log in, which I think anyone would agree is a bit frustrating.
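The email one-time token the poster is asking for, as an added example of the properties such an option needs to be worth having: the code comes from a CSPRNG, only a keyed hash of it is stored, it expires, it is single-use, and guesses are capped. This is not itch.io's code and says nothing about how itch.io issues or checks its own tokens. EmailOtp, CODE_TTL, MAX_ATTEMPTS, DIGITS, the pepper and the outbox stand-in for a mailer are all assumptions of this illustration; timestamps are passed in so it runs offline.

```python
"""Email one-time login code: CSPRNG, hash-only storage, expiry, single use,
attempt cap. Added illustration, not itch.io's implementation."""
import hashlib
import hmac
import secrets

CODE_TTL = 600        # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 5      # wrong guesses before the code is discarded (assumed)
DIGITS = 8            # 10^8 codes; with MAX_ATTEMPTS guesses the odds are 1 in 2e7


class EmailOtp:
    def __init__(self, pepper: bytes):
        self.pepper = pepper     # server-side key so a leaked table is useless on its own
        self.pending = {}        # user -> {"hash": bytes, "expires": int, "attempts": int}
        self.outbox = []         # (address, text); stand-in for the real mailer

    def _tag(self, user: str, code: str) -> bytes:
        # Keyed hash bound to the user, so a code mailed to one account
        # cannot be replayed against another.
        return hmac.new(self.pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, address: str, now: int) -> str:
        code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"
        # Re-issuing overwrites the old code; a real deployment also rate-limits issue().
        self.pending[user] = {"hash": self._tag(user, code),
                              "expires": now + CODE_TTL, "attempts": 0}
        self.outbox.append((address, f"Your login code is {code}. "
                                     f"It expires in {CODE_TTL // 60} minutes."))
        return code   # returned only so a demo or test can play the user reading the mail

    def verify(self, user: str, code: str, now: int) -> str:
        rec = self.pending.get(user)
        if rec is None:
            return "no_code"
        if now > rec["expires"]:
            del self.pending[user]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]      # too many guesses: even the right code is dead now
            return "locked"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["hash"], self._tag(user, code)):
            del self.pending[user]      # single use: a replayed code fails
            return "ok"
        return "wrong"


if __name__ == "__main__":
    svc = EmailOtp(pepper=b"demo-pepper-not-for-production")
    code = svc.issue("alice", "alice@example.com", now=1000)   # constructed sample user
    print(svc.outbox[-1][1])
    print(svc.verify("alice", code, now=1001))    # ok
    print(svc.verify("alice", code, now=1002))    # no_code (already consumed)
```

The attempt counter is checked before the hash comparison, so the sixth guess fails with "locked" even if it happens to be right; that is what keeps an 8-digit code meaningful against an online guesser, and it is why the code, not the account, is what gets locked.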

Moderator

I meant on itch.io specifically. That's how login works here. You're right, 30 minutes seems excessive.