Thoughts and Ideas for a Security Plugin

Discussion in 'Bukkit Discussion' started by chris4315, Jan 3, 2014.

Thread Status:
Not open for further replies.
  1. Offline

    chris4315

    Hello. I recently came up with this idea after enforcing my Facebook account with a text message-password system for verification. This gave me an idea: since many players want to make sure their accounts are secured on their server, why not enforce their logins with a verifiable "PIN"?

    This system would not consist of any of the player's personal information, other than their username, email (possibly) and IP address. Each time the player logged in from an unusual location or IP, they would receive a message telling them to visit a page and enter a secure PIN of their choice (which would be securely stored by SHA512 hashing for security) in order to access the server. When the player verifies their PIN, that location is saved to a list of the player's "known locations" so they aren't bombarded with the need to enter a PIN all the time, and subsequently, they are allowed to enter the server.

    The next idea is a little different. The player, if logged in from an unusual location, would be logged into the server and then be asked to enter their secure PIN. If they fail to identify themselves, they would be kicked from the server. This action would be logged in the player's recent logins so that the player can see what's going on with their account.

    Here's an example:

    Joe is a server owner. He runs a high-profile server which needs 24/7 uptime, management and security. He has installed this new service which allows him and his players to (optionally) create a secure PIN which would be required upon a login from a suspicious source. He registers his server and configures the server to ask for PIN verification upon each login, even though it is not mandatory. Joe enjoys this new service and deems it a great part of maintaining server security and reducing the chance of his own or his players' accounts being accessed without permission.


    It works like this:
    1: Joe attempts to log in to his server.
    2: He receives a message: This server is secured by MinePIN, please visit www.website.com/verify to verify yourself.
    3: Joe visits the website, which asks for his username and his chosen PIN. The service checks if this is the proper PIN.
    4: Joe has passed the verification process and can now log in to his server and any other servers registered with the service. The login has been logged for records so Joe can check any time.

    I just wanted to know what the Bukkit/Minecraft community thinks of this (I plan to call it MinePIN). Please feel free to leave thoughts, ideas, and constructive criticism. Thanks!
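
The flow described in the post above, as an added sketch that is not part of the original post or of any MinePIN code: known-location check, PIN prompt for an unfamiliar IP, and a login log. The class, field names, iteration count and lockout threshold are assumptions; the sketch stores the PIN with salted PBKDF2-HMAC-SHA512 rather than a single SHA-512 pass and counts failed attempts, because a short PIN hashed once can be enumerated offline if the database leaks.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000   # assumed work factor; tune to the host
MAX_FAILURES = 5              # assumed lockout threshold for unknown IPs


class PinVerifier:
    """Hypothetical server-side store for the PIN flow described in the post."""

    def __init__(self):
        self.accounts = {}   # username -> salt, hash, known_ips, failures
        self.login_log = []  # (timestamp, username, ip, outcome)

    @staticmethod
    def _derive(pin, salt):
        # Per-user salt plus many iterations slows offline guessing of the PIN.
        return hashlib.pbkdf2_hmac("sha512", pin.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, pin, ip):
        salt = os.urandom(16)
        self.accounts[username] = {"salt": salt, "hash": self._derive(pin, salt),
                                   "known_ips": {ip}, "failures": 0}

    def _log(self, username, ip, outcome):
        self.login_log.append((time.time(), username, ip, outcome))
        return outcome

    def login(self, username, ip, pin=None):
        """Return 'allowed', 'pin_required', 'denied' or 'locked'."""
        acct = self.accounts.get(username)
        if acct is None:
            return self._log(username, ip, "denied")
        if ip in acct["known_ips"]:
            return self._log(username, ip, "allowed")
        if acct["failures"] >= MAX_FAILURES:
            return self._log(username, ip, "locked")
        if pin is None:
            return self._log(username, ip, "pin_required")
        # Constant-time comparison of the derived value with the stored one.
        if hmac.compare_digest(self._derive(pin, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            acct["known_ips"].add(ip)  # remembered as a "known location"
            return self._log(username, ip, "allowed")
        acct["failures"] += 1
        return self._log(username, ip, "denied")
```

Logins from already-known IPs are checked before the lockout, so failed guesses from elsewhere do not lock the owner out of their usual location.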

     
  2. Offline

    Thepom360

    Nice idea. Does Joe have to be verified before entering more than one server?
     
  3. Offline

    JaguarJo

    The Minecraft client itself has a password for each user account. Unless "Joe" is sharing his account information with other people or logging onto offline mode servers, I don't really see why there is any reason for him to be worried about his account security. Have hacked accounts really become so common that we need a second password verification wall?
     