Hi, is it possible to set up Login Guard for sending a "forgot password" SMS to the registered phone of the user instead of an email? Thanks.
#31545 Login Guard SMS forgot password
Posted in ‘UNiTE and Remote CLI’
This is a public ticket
Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.
Environment Information
PHP version
n/a
Tool
UNiTE
Tool version
n/a
Latest post by on Saturday, 17 August 2019 17:17 CDT
Thursday, 18 July 2019 00:54 CDT
nicholas
Akeeba Staff
Manager
No. This has nothing to do with what LoginGuard is supposed to do. I would also say that you will probably not find any extension that can do that because it's a bad, impractical and impossible to implement idea:
So even if you could I would say that 100% you should absolutely and definitely NOT think about implementing such a feature. It would essentially replace all passwords with a 6-digit PIN which is trivial to hack. I understand what you had in mind but the law of unintended consequences applies very strongly to your idea. Sorry :(
- The email sending functionality for password resets is hardcoded in Joomla's com_users code. While a developer could conceivably write a plugin to also send an SMS message it would not be able to only send the SMS message instead of the email.
- Joomla requires a 32 character long alphanumeric code for resetting passwords as a matter of security. It would be impractical to send it by SMS and ask the user to type it.
- Overriding Joomla's password reset is conceivable with some trickery in some, but not all, circumstances. In this case a misguided developer could conceivably replace the reset token with a short lived, six digit code BUT this would make all accounts on the site susceptible to SIM swap attacks and plain old guessing (you'd have 2-10 minutes to guess the 6-digit code which is plenty of time). The reason this is not a massive issue for 2SV is that 2SV is used on top of a username and password not instead of.
So even if you could I would say that 100% you should absolutely and definitely NOT think about implementing such a feature. It would essentially replace all passwords with a 6-digit PIN which is trivial to hack. I understand what you had in mind but the law of unintended consequences applies very strongly to your idea. Sorry :(
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Thursday, 18 July 2019 05:50 CDT
bom
Thank you Nic. Your extensive and in depth explanation put a clear picture about the situation in my head. Again your expertise is priceless, thank you for your time!
Thursday, 18 July 2019 06:04 CDT
nicholas
Akeeba Staff
Manager
No problem :) Have a great day!
Nicholas K. Dionysopoulos
Lead Developer and Director
π¬π·Greek: native π¬π§English: excellent π«π·French: basic β’ π My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
Saturday, 17 August 2019 17:17 CDT
System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.