All-in-one login for TMW

Content and general development discussion, including quest scripts and server code. TMW Classic is a project comprising the Legacy tmwAthena server & the designated improved engine server based on evolHercules.


wushin
TMW Adviser
Posts: 1759
Joined: 18 Dec 2012, 05:56
Location: RiverBest, Brew City, Merica

All-in-one login for TMW

Post by wushin »

Any reason we don't create the same login 3 times? As in Game<->Wiki<->Forums?
The secret to getting all the important stuff done is doing nothing.
o11c
Grand Knight
Posts: 2262
Joined: 20 Feb 2011, 21:09
Location: ^ ^

Re: All-in-one login for TMW

Post by o11c »

It has been suggested before, but it's not technically feasible. Every piece of software has its own notion of what a "user" is ... and then there's the infinitely difficult task of not breaking any existing accounts.
Former programmer for the TMWA server.
wushin
TMW Adviser
Posts: 1759
Joined: 18 Dec 2012, 05:56
Location: RiverBest, Brew City, Merica

Re: All-in-one login for TMW

Post by wushin »

Uniqueness across all accounts would only be Email. I know the problem people have with that. I'd also still make each require "authorization".
Existing get grandfathered in. The option should then be given to "Tie" Forums<->Game<->Wiki together. One Auth is not hard to handle these days what with the ldaps, sqls, rests, soaps, oAuths, jsons, etc. in the wild.
I'm not suggesting totally integrating the permissions and all the tiny bits.
I just want a single Sign Up. Username, Password & Email (if possible).
Everyone else can be "grandfathered" in but that just means having to deal with accounts and emails, etc.
Would not be that hard to start a "OneAuth" table:
Table OneAuth
  • username
  • password
  • email (Optional?)
  • Wiki
  • Forum
  • Game
Everyone from when we flipped the switch going forward would be entered in all 3, whether they get automatically activated or have to approve themselves or we have to approve them still (wiki in point).
The secret to getting all the important stuff done is doing nothing.
o11c
Grand Knight
Posts: 2262
Joined: 20 Feb 2011, 21:09
Location: ^ ^

Re: All-in-one login for TMW

Post by o11c »

Current abstract plan based on IRC discussion (no implementation plan known yet):

Create a *new* database table with a set of (name, password, keys), and a 1-n table for each of the sites that currently require a login (forum, wiki, game).

Actions:
  • When new users create an account: since the wiki and forums support transactions but the game doesn't, create the game account first and then commit the others (to make sure that it can create subaccounts with the same name).
  • For existing users, we need a way to create a new master account by "claiming" an existing account. The obvious way is: enter the username/password for one of the subservers, and if that username isn't already tied to the master account, create it (this is necessary so that they can choose their preferred username on the master account if they've already chosen it for the subaccounts. For example, I have "o11c" in all three places, but there currently is no way to prove that ...).
  • Regardless of the mechanism by which you created your master account, you can always attach additional subaccounts by entering their username/password.
  • Once you've associated a subaccount, you can reset the email/password of any or all of the sub ones from the master one.
There is just one major problem: how to keep the list of authorized accounts on the subserver synchronized in case of rollback or deliberate account deletion.

Note that test server accounts aren't tied to anything, but in the long term those are planned to be merged with the main server accounts once the GM level stuff is done. Wait, is this ready already? Oh wait, it was about protocol stability, and that is currently in progress.
Former programmer for the TMWA server.
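
The "claim" and "attach" steps of the plan above, as an added sketch that is not TMW code and not from the original posts. It assumes SQLite, a single `link` table with a `site` column in place of one 1-n table per site, and a constructed `SUBACCOUNTS` dictionary standing in for the real forum, wiki and game logins; all function and table names are hypothetical.

```python
import hashlib, hmac, os, sqlite3

# Constructed stand-in for the existing forum/wiki/game logins (hypothetical data).
SUBACCOUNTS = {("forum", "o11c"): "forum-pw", ("game", "o11c"): "game-pw"}

def verify_sub(site, name, password):
    stored = SUBACCOUNTS.get((site, name))
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE master (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                             salt BLOB NOT NULL, pwhash BLOB NOT NULL);
        CREATE TABLE link (master_id INTEGER REFERENCES master(id), site TEXT, sub_name TEXT,
                           UNIQUE (site, sub_name));  -- each subaccount claimed at most once
    """)
    return db

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login_master(db, name, password):
    row = db.execute("SELECT id, salt, pwhash FROM master WHERE name = ?", (name,)).fetchone()
    return row[0] if row and hmac.compare_digest(row[2], _hash(password, row[1])) else None

def attach(db, master_id, site, sub_name, sub_password):
    """Attach a subaccount to an existing master after proving ownership of it."""
    if not verify_sub(site, sub_name, sub_password):
        return "bad-credentials"
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO link VALUES (?, ?, ?)", (master_id, site, sub_name))
    except sqlite3.IntegrityError:
        return "already-claimed"
    return "linked"

def claim(db, site, sub_name, sub_password, master_name, master_password):
    """Create a master account by claiming an existing subaccount, atomically."""
    if not verify_sub(site, sub_name, sub_password):
        return "bad-credentials"
    salt = os.urandom(16)
    try:
        with db:  # a failed link insert also undoes the master insert
            cur = db.execute("INSERT INTO master (name, salt, pwhash) VALUES (?, ?, ?)",
                             (master_name, salt, _hash(master_password, salt)))
            db.execute("INSERT INTO link VALUES (?, ?, ?)", (cur.lastrowid, site, sub_name))
    except sqlite3.IntegrityError:
        return "rejected"
    return "created"
```

The `UNIQUE (site, sub_name)` constraint is what stops a second master account from claiming a subaccount that is already tied to one, even when the caller knows its password.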
Relm
Novice
Posts: 82
Joined: 06 Oct 2013, 14:35

Re: All-in-one login for TMW

Post by Relm »

What's stopping people from using the same username, password and email on all three services right now?
wushin
TMW Adviser
Posts: 1759
Joined: 18 Dec 2012, 05:56
Location: RiverBest, Brew City, Merica

Re: All-in-one login for TMW

Post by wushin »

Nothing is stopping them from using the same on all three. If a person uses the same on all three that's fine. But what happened in the past is someone had multiple accounts or signed up differently, etc.

The need is an API to check the TMW server and then a script to check both forums and wiki. I have a bit o' work done on https://github.com/wushin/themanaworld- ... te-account

Mainly once o11c's network fix is solid we should be able to start moving forward on this again.
The secret to getting all the important stuff done is doing nothing.
o11c
Grand Knight
Posts: 2262
Joined: 20 Feb 2011, 21:09
Location: ^ ^

Re: All-in-one login for TMW

Post by o11c »

Hey! My network fix is totally solid right now. I mean, it's solid like a kidney stone, but it *is* solid.
Former programmer for the TMWA server.
Crush
TMW Adviser
Posts: 8046
Joined: 25 Aug 2005, 16:08
Location: Germany

Re: All-in-one login for TMW

Post by Crush »

Lucifer wrote:What's stopping people from using the same username, password and email on all three services right now?
Password reuse is a very bad practice we should not support. It makes people very susceptible to phishing.
  • former Manasource Programmer
  • former TMW Pixel artist
  • NOT a game master

Please do not send me any inquiries regarding player accounts on TMW.


You might have heard a certain rumor about me. This rumor is completely false. You might also have heard the other rumor about me. This rumor is 100% accurate.
Relm
Novice
Posts: 82
Joined: 06 Oct 2013, 14:35

Re: All-in-one login for TMW

Post by Relm »

Also, supposing we do have separate usernames and passwords already for these accounts, isn't it a loss of security since if someone hacked your forum account they can then get all your ingame goodies too? Wouldn't this make phishing for our ingame passwords easier similar to what Crush mentioned?

Also, my forum name is visible to everyone. My TMW username is not. So again, this seems like a loss of security.
Crush
TMW Adviser
Posts: 8046
Joined: 25 Aug 2005, 16:08
Location: Germany

Re: All-in-one login for TMW

Post by Crush »

Lucifer wrote:Also, supposing we do have separate usernames and passwords already for these accounts, isn't it a loss of security since if someone hacked your forum account they can then get all your ingame goodies too? Wouldn't this make phishing for our ingame passwords easier similar to what Crush mentioned?

Also, my forum name is visible to everyone. My TMW username is not. So again, this seems like a loss of security.
That depends on the implementation details. A good single-sign-on solution stores the passwords in a database separated from the services which use it. In that case a vulnerability in one of the services can not affect the password storage.

This, of course, assumes that the user doesn't give away their password on their own.
  • former Manasource Programmer
  • former TMW Pixel artist
  • NOT a game master

Please do not send me any inquiries regarding player accounts on TMW.


You might have heard a certain rumor about me. This rumor is completely false. You might also have heard the other rumor about me. This rumor is 100% accurate.
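
The separation described in the post above, as an added sketch that is not part of the original thread or of any TMW software. It assumes a constructed design in which only the auth service holds password hashes and each service (forum, wiki, game) holds just its own HMAC key for checking short-lived tokens; `AuthService`, `verify_token` and the token layout are hypothetical names, not OAuth2.

```python
import base64, hashlib, hmac, json, os, time

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AuthService:
    """Only this component stores password hashes (assumed design)."""
    def __init__(self, service_keys):
        self._users = {}            # name -> (salt, hash); never handed to a service
        self._keys = service_keys   # audience -> HMAC key shared with that one service

    def register(self, name, password):
        salt = os.urandom(16)
        self._users[name] = (salt, _kdf(password, salt))

    def login(self, name, password, audience, ttl=300, now=None):
        # Unknown users get a dummy salt so the same hashing work is done either way.
        salt, stored = self._users.get(name, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(password, salt), stored):
            return None
        now = time.time() if now is None else now
        body = base64.urlsafe_b64encode(json.dumps(
            {"sub": name, "aud": audience, "exp": int(now + ttl)}).encode())
        tag = hmac.new(self._keys[audience], body, hashlib.sha256).hexdigest()
        return body.decode() + "." + tag

def verify_token(token, audience, key, now=None):
    """Run by a service; it holds only its own key and never sees a password."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None
    return claims["sub"]
```

Because each token is bound to one audience and signed with that service's key, a key taken from the forum cannot be used to produce a token the game server accepts, and no service ever stores anything that could be replayed as a password.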
wushin
TMW Adviser
Posts: 1759
Joined: 18 Dec 2012, 05:56
Location: RiverBest, Brew City, Merica

Re: All-in-one login for TMW

Post by wushin »

It's not password reuse. It's a Single Username and Email for the Wiki, Forums and Game Account. Thus password resets can become automated and not based on whether we believe the email you sent to !reset. So instead of 3 possible accounts there is only 1 account. It makes everything easier for everyone.

We cannot continue to do all this hand holding. We have not the resources, nor the set-up for it. If in this day and age you get fooled by a Nigerian Prince or Romania Gypsy, you have it coming. Currently it's FAR easier to phish a game account via !reset than it would be for a scammer to get a player.

We have back-ups and the logging now needed to deal with any problems that may arise. We trust our host with our set-up. They are by far a more competent Wizard. As the old host, Platyna, was known to "fiddle" with the backend causing data loss and downtime.

It will work like any other login. Need a reset? Know the Email address & Username or nothing happens. No human intervention in the process trying to decide whether or not we believe the story in the email sent to !reset. No more asking what's my Wiki/Forum account.

Sign up, have access to all via same name. Most likely using OAuth2 or some sort of Tokenized Authentication because it eliminates a number of existing login problems in the current suite of software. https://auth0.com/blog/2014/01/07/angul ... -vs-token/

Considering the large portion of the Internet which already implements such methods they can't be any less secure than OpenSSL. (Facebook, Amazon, Google, etc.) Account Security is always a concern but no more so than currently. It's also improved greatly since o11c encrypted the passwords in the db last year or so.

The biggest CON to SSO is legacy accounts and association. Some people weren't required a valid email when they signed up for a Game Account. Some people didn't use the same email across all. Some didn't sign up for all 3.

So there will still be a lot of stuff to work out. First step though is to make the Game Accounts created via the form and not some wonky script that always returns true even when it failed.

Once we get the account associations settled, most likely through either !reset or sending an "allow accounts to associate" email, we can look into setting up tokenized auth.

Which will make it harder to spoof the website and login. Easier to perform Account Wide functions: post on wiki & forums unified, reset password, associate alts, bans, etc. In addition, we can look into then using stuff like Guild Sites authenticating to TMW and pulling account stats (Think Armory), Gravatars and other SSO service integration. Why? An MMORPG is social, otherwise it's just a Massive On-line RPG. Part of the game exists outside the game.

You can't be in the present without one foot in the past and one foot in the future.
The secret to getting all the important stuff done is doing nothing.