Type email and password

Authentication without email and password.

I am trying to have an authentication system for APIs. But unlike the traditional way, this will be without email and password.

The front end is an android app. Initially the app will have empty auth_token in the local storage, now the app requests for an auth token from the server, by sending the mobile_number, device_id and gcm_id.

Now the server generates a 16 securerandom hex, and sends it as auth token to the front end.

Now the front end has to call all the apis using this auth token.

The server user table will be like this

id || mobile_number || device_id || gcm_id || auth_token

Question 1:

Should I generate my auth token based on the mobile_number, device id or can it be independently generated?

Question 2:

Should the auth token be changed? Or can I use the same auth token permanently for the user? If it has to be changed, can you please guide me by pointing out which strategy to use?

Question 3:

What are the pitfalls for this kind of authentication? I don’t want the user to type the email and password, but at the same time want to identify the user for personalization calculations.

2 Answers

Authentication tokens are passwords. They should generally be designed to be handled by the client and server automatically with periodic rotation, to mitigate the risks of potential brute force attacks or credential leakage such as through a compromised user device or another server bug like Heartbleed. Make your tokens expire every so often, maybe 2 weeks or a month, and have the client app either require re-authentication when a token expires, or automatically make a request to refresh the token before it happens.

The user authentication scheme you’re describing is for a device, not a user. You won’t be able to identify one user from another reliably using those details, but that’s not to say email+password is any better, it just comes with different usage expectations. You’re identifying a mobile device by its device_id and adding some confidence that its owner hasn’t changed by verifying the phone number. I’m not familiar with GCM so I’m not sure what property that adds. To add another factor of device authentication that is not so straightforward for another party to spoof, I suggest having your client app generate its own "something you know" password to use for requesting an initial token. That device-internal password can be its secret for authenticating with the service for purposes of automatic token issuance, and can be rotated more infrequently than the regular per-request auth token.

For both your client secret and your auth tokens, just like passwords you should aim to make them long and random. If the auth token is auto-rotating, you can allow for it to be much shorter without introducing realistic risks, to a degree. I’d say at least 16 random bytes even for a short-lived token should be the minimum, as 12 characters are within the realm of practical offline hash brute-forcing, and it’s good to have a sizeable window of safety between what’s plausible today and tomorrow’s improvements in cracking capabilities.

It’s important to remember that what you’re describing will not authenticate a person, but simply an individual device. It sounds like that’s what you intend to do for your project but it’s important to understand the distinction and what it implies.
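The scheme the answer describes (an app-generated device secret exchanged for a random, expiring, rotating token), as an added example that is not part of the original question or answer. The class and method names are hypothetical, in-memory hashes stand in for the user table, and keeping only SHA-256 digests of secrets and tokens on the server is a design choice assumed here.

```ruby
require 'securerandom'
require 'digest'

# Added example; DeviceTokenStore and its method names are illustrative only.
class DeviceTokenStore
  TOKEN_BYTES = 32                 # the answer's floor is 16 random bytes
  TOKEN_TTL   = 14 * 24 * 60 * 60  # two weeks, one of the lifetimes suggested

  def initialize
    @devices = {} # device_id => SHA-256 of the app-generated client secret
    @tokens  = {} # SHA-256 of token => { device_id:, expires_at: }
  end

  # First contact: the app generates a long random secret and registers it once.
  def register(device_id, client_secret)
    return false if @devices.key?(device_id)
    @devices[device_id] = digest(client_secret)
    true
  end

  # Exchange device_id + client secret for a fresh token (nil on failure).
  def issue(device_id, client_secret, now: Time.now)
    stored = @devices[device_id]
    return nil unless stored && secure_equal?(stored, digest(client_secret))
    mint(device_id, now)
  end

  # Resolve a presented token to its device_id; nil if unknown or expired.
  def authenticate(token, now: Time.now)
    key = digest(token)
    row = @tokens[key]
    return nil if row.nil?
    if now >= row[:expires_at]
      @tokens.delete(key) # expired tokens are purged on sight
      return nil
    end
    row[:device_id]
  end

  # Rotation: a still-valid token buys a new one and the old one stops working.
  def refresh(token, now: Time.now)
    device_id = authenticate(token, now: now)
    device_id && mint(device_id, now)
  end

  # Exposed so a caller can confirm no plaintext token is kept server-side.
  def stored_digests
    @tokens.keys
  end

  private

  def mint(device_id, now)
    # Generated independently of mobile_number / device_id (Question 1).
    token = SecureRandom.hex(TOKEN_BYTES)
    @tokens.delete_if { |_, row| row[:device_id] == device_id } # one live token
    @tokens[digest(token)] = { device_id: device_id, expires_at: now + TOKEN_TTL }
    token
  end

  def digest(value)
    Digest::SHA256.hexdigest(value.to_s)
  end

  # Constant-time comparison of two equal-length digests.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```
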

Google Account Manager Showing Error Instead of Type Email and Password? Here is How to Fix It

Did you try our previous method to bypass FRP on android Samsung Galaxy devices, but couldn’t see the “Type Email and Password” option? Or, are you getting an “Error” message there? Here is the solution to these problems.

As you all know, Google designed a security method called Factory Reset Protection (FRP) to make sure that no one can replace the original owner’s credentials with his own after the phone is reset. It is a great feature to help reduce theft cases.

But in many cases, the original owners also forget the password or change the account password just before or after the mobile reset. In these cases, the user can not log into his own phone.

The same thing happened to one of my friends.

In an early morning, he phoned me and told me he was getting a strange message after his Samsung Galaxy phone’s factory reset. He was entering original email and password but even then Google was throwing a message asking him to wait for next 24 hours as he had changed the password meanwhile. He told me he had waited for 48 hours but even then he was still getting the same error.

I took the phone and told him to wait for some time so that I could bypass the FRP as I had already done, according to the previous post. But it was not as easy as I thought. When I repeated the same procedure on this J5 phone, I was not getting any “Type Email and Password” option on Google Account Manager. Instead of that, there was an Error file.

After surfing the internet and applying different methods, I couldn’t succeed. While googling, I landed on this YouTube video. I followed it but Chrome was not allowing me to download any Google Account Manager apk file from the site as it was shown in the video. After trying different options, finally, I devised my own method to install the required APK file on the Samsung Galaxy phone.

Video Credit: GSM-ABC

If the method shown in the video is not working for you too, try this one which worked for me like a charm.

Step by Step Method to enable “Type Email and Password” option in Galaxy Android phone

Step 1: Invoke Google chrome on Samsung Galaxy device, install QuickShortCutMaker and ES File Explorer as we have discussed in our previous post of bypassing FRP on Android devices.

Step 2: After you have successfully got access to Chrome, launch it and enter “apps.samsung.com” address in the address bar and hit Enter.

Step 3: Scroll down a bit and tap on Samsung Galaxy Apps.

Step 4: In the Search option, type ES File Explorer. Hit enter and open the app. If it is not installed, install it. Otherwise, it will open as we have already installed it by following the previous method.

In fact, I used ES File Explorer to install the Google Account Manager APK as Chrome was not allowing me to install it. Every time I tried, it said the download is declined due to some security risks. But I wanted to get it by any means. So, I used the following trick.

Step 5: In ES File Explorer, tap on “Fast Access” button and then tap on the down arrow next to “Favorite” and then on “+ Add”.

Step 6: In the path field, write “https://www.google.com” and in the name field, type any name. As it is Google’s main page, so we are giving it “Google” name. Tap on “Add” to finish.

Step 7: Again, go to Fast Access > Favorite and select “Google”.

Step 8: Search for “google account manager” in Google search engine.

Step 9: Ignore the first one or two ads, and click the “Google Account Manager APKs – ….” result as shown in the screenshot below.

Step 10: Scroll down a little bit and there you’ll see all versions of Google Account Manager released so far.

Step 11: At this stage, you’ll have to find the compatible Google Account Manager for your device. Download one by one each APK file and try to install it. Start from the bottom. For me, Google Account Manager 6.0.1 worked. But it may be different for your device. It may be 4.0.3, 4.4.4, 5.1, 7.0 or even Google Account Manager 7.1.

Step 12: Tap on the little downloading icon. On the next page, scroll down to find the direct download link.

Step 13: When the download completes, open file and install it.

Step 14: Once the compatible Google Account Manager is installed, go back to ES File Explorer > Fast Access > Download.

Step 15: Here tap on QuickShortCutMaker and install it again to launch it. Because we can’t go to the Home screen, re-installing the app is the easiest method to re-open it.

Step 16: Open QuickShortCutMaker and type “Google account manager” in the search field.

Step 17: When you see Google Account Manager in the results, tap on the small down arrow next to the Google Account Manager.

Step 18: Scroll down until you find Type Email and Password. Tap on it to open it further.

Step 19: Now tap on Try.

Step 20: Voila! You have successfully launched the “Retype password” window.

Step 21: Tap on three dots at the top of the screen and then on “Browser sign-in”.

Step 22: Select the terms and conditions and enter your own email and password.

Step 23: Now restart your device normally and set it up.

Congratulations! You have successfully entered the new Gmail ID and password in the Samsung Galaxy phone.

PS: This method is conducted on Samsung Galaxy J5 (6) but it should also work on the following devices.

  • Tab 4, Pro, Active
  • Note 7 N930, N930A, N930V, N930P, N930R4, N930T, N930W8, N930, N930F, N930G
  • Note 5 N920V, N920P, N920R, N920T, N920A, N920I, N920G, N9208, N920C and N920CD
  • Note Edge N915FY, N915A, N915T, N915K, N915L, N915S, N915G, N915D
  • Note 4 N910F, N910K, N910C, N910FQ, N910H, N910U, N910G, N910S, N910L
  • S7 edge G935, G935F, G935FD, G935A, G935R, G935T, G935P, G935V
  • S7 G930 (USA), G930R (US Cellular), G930T (T-Mobile & Metro PCS), G930A (AT&T, Cricket), G930P (Sprint, Boost, Virgin Mobile), G930V (Verizon), G930F, G930FD
  • S6 edge+ G928V, G928P, G928R, G928F, G928G, G928T, G928I, G928A
  • S6 edge G925, G9250, G925F, G925A, G925K, G925I, G925Q, G925T, G925L, G925S
  • S6 G9200, G920T, G920I, G920S, G920FD, G920F, G920A, G9209, G9208/SS
  • S5 Neo G903F, G903W
  • S5 G900F, G900I, G900M, G900A, G900T, G900W8, G900K, G900L, G900S
  • E7 E7000, E700F, E7009, E700F/DS, E700H, E700H/DD, E700H/DS, E700M, E700M/DS
  • E5 Models
  • Samsung Galaxy J7, J5, J3, J2 and J1 Models
  • Alpha
  • A9, A8, A7, A3 and A5 Models.
  • Core Prime and Grand Prime Models.

Type email and password not showing Error fix

Type email and password not showing. Google Account Manager Showing Error Instead of “Type Email and password”. While using bypass application this problem occurred while bypassing removing FRP lock. And we cannot enter email ID and password while it’s raining and FRP can be removed by this following tutorial.

Type email and password not showing error

Type email and password whenever try to change email address and password in your android smartphone without having knowledge of real password of your device you can not change your email by email ID and password by using quick shortcut maker.

The same condition occurs when we use Quick Shortcut Maker and type “Google account manager” in the search field: we find an error instead of “Type Email and Password”. We cannot enter any email ID or password after this error. The same thing has happened to me hundreds of times while using this application on my mobile phone.

Remember, we have to use a supported Google Account Manager version. It is better to install it first, before installing anything else on Android.

How to fix “Type email and password” not showing

Finally, to remove the error we have only one solution: install Google Account Manager on the Android mobile phone. We have to follow this process to install Google Account Manager on the mobile phone.

Download fix “Type email and password”

If you really want to fix this issue then download Google account manager. Open your chrome browser and open Pangu.in and go to menu bar click on Google account manager Just download and install it if you have lollipop version then you 5.0 Google account manager.

if you have marshmallow andro >google account manager. after that , this error will be gone

Download google account manager.

Different Ways To Bypass FRP Samsung

Bypass FRP lock On Different Android versions

Do not try to install it on any other Android operating system this is only supporting on android mobile phone.

Sometimes it gives error while strolling in this condition we have to buy power device once again by our device once again to make it complete.

runspired / form.html

Hope this works.

richlv commented Feb 21, 2019

First, everybody: DON’T DO THIS. It is a stupid idea that has been propagated too far.

@atodd-geoplan, the responses by @ezfe and @ivanhoe011 explain the situation well. If you do this to your users, they will:

  • hate you
  • do something else with their passwords that will make the security worse (simple passwords etc)

If those are actually your users on platforms you control, you just disable password remembering feature in their browsers. You might still run into the two problems above, but at least you won’t be messing up in a more global way.

@ConnorsFan, if you have a browser that is used on a shared system by hundreds of users, you disable password saving feature in that browser. Easy, works, and is actually more secure.

@AwokeKnowing, unexpectedly auto-filling some fields in management forms is a real problem. It could be solved by all browsers obeying some simple flag, if there were no assholes abusing the flag for real login forms.

You, people here trying to mess with users, are the reason why browsers have to do extra work to be useful for their users.

shubhamyugtia001 commented Mar 6, 2019

Is there any proper solution for this or not,

because it can cause big loss if it is not working in Firefox.
I have used autocomplete = "new-password" and it worked in Chrome.

PTC-JoshuaMatthews commented Apr 3, 2019

To those saying let the browser do what it wants, I think you are missing use cases where this functionality just makes 0 sense. For instance, administration portals where multiple users are being created by a site admin. It would be a security issue if, say, the site admin’s password gets autofilled into the password box for an employee they are creating and they walk away, come back and because the required password field is already filled they don’t know to fill it with the correct password now. Not only that, but they can’t even see what password is in it to easily check if they entered it or Chrome did. Ultimately user ends up with the wrong password and UI flow is bad because we can’t enforce a required password box properly.

ben-dappen commented Apr 3, 2019

@PTC-JoshuaMatthews is correct. There are lots of scenarios where autofilling saved passwords is a huge problem. Two cases we deal with regularly are:

Administrative accounts that are creating/resetting passwords for other users. Having the fields auto-populate is a huge pain and introduces errors.

Shared computers: If you have a terminal in a gym or patient check-in station at a doctors office you obviously don’t want the system to remember credentials or allow people to use a password manager.

In this case browsers should just follow the autocomplete='off' standard — I get that they think it’s overused (it probably is) but sadly it looks like we have to resort to javascript hacks to get this to work even though there’s already a published standard for it.

greatBigMassive commented Apr 5, 2019

Hello, I’ve seen all the different solutions for this and I completely understand why @PTC-JoshuaMatthews and @ben-dappen want this turned off by default. It should really be turned off by default for all browsers and let the user decide if they want the feature turned on by learning about it. It’s a pain for developers in environments where multiple people might share the same computer. It’s stupid.

Anyway, I’ve created a solution for this, works in Google and it completely removes the popup window without any crazy hidden input fields or timeouts. You just embed a script and tell it the id of the password field and it does the rest. I must admit, it probably needs "World testing" so I’m expecting people to come back with tweaks but it’s out there now.

lucaasleaal commented May 17, 2019

People talking about not doing something that we should be allowed to control.
I want to disable this not for login, but for the new account form. There is no benefit in using an already saved password for a new account, the user should be forced to type it in (or paste if using a password manager).

UnDeAdYeTii commented May 21, 2019

People talking about not doing something that we should be allowed to control.
I want to disable this not for login, but for the new account form. There is no benefit in using an already saved password for a new account, the user should be forced to type it in (or paste if using a password manager).

Exactly. In my case, when an admin is updating a user account (or a user is updating their profile information) the browser is sticking its nose where it doesn’t belong, prefilling the password field. It means that every time a user is updated, their password field needs to be stripped prior to saving the form, otherwise they adopt whatever password your browser remembered — which for the admin’s case would likely be their password, or one of the other thousands of users’ passwords. It’s frustrating and I absolutely hate the browsers for ignoring explicit commands to not fill these fields. But hey, what do I know, I’m just a developer of this system — surely the browser devs know what’s best in my case /s

I propose the following: autofill="mateimfuckinseriousdontautofillyouprick"

BlackHatos commented Jul 17, 2019

None of the above solutions are working in Chrome 75.

runspired commented Jul 19, 2019

This gist is pretty old and I’m sure that the right way to do this has evolved since it was written. I don’t write the kinds of apps that necessitated this any more so I haven’t kept up with techniques.

That said, I’d love to respond to the folks like @richlv that have very obviously never worked on certain kinds of systems where this is a necessity. More broadly speaking I agree that 99% of the time for applications you should not try to turn off password autocomplete.

So when should you? I’ve encountered three kinds of applications

  1. when you have an app designed to be used by multiple users on one device.
  2. when you have an app designed for multiple accounts on one device with different passwords
  3. when you are presenting a form to someone to create a new password or account (autocomplete tries very hard to fill in the new password field with existing passwords)

In addition to more typical apps that might have these requirements, Javascript applications run a ton of tablet applications that handle hundreds to thousands of users logging in on the device just once (and stupidly saving credentials or giving browsers enough info to decide to autocomplete the next user despite best efforts not to). An example is a tablet app that collects registrations at a kiosk.

TL;DR There are extremely valid reasons to turn off autocomplete. Stop complaining and go build cool shit.

richlv commented Jul 19, 2019

@runspired, your cases 1 and 2, and the description below, seem to be the cases where the device is controlled by a company, or is always shared by multiple users in any case. The correct solution there is to disable autocomplete in the browser, as it could cause confusion with other websites — you cannot control those.

As for the third case, that is where "autocomplete=off" would fit in wonderfully. If people stop abusing it, it would likely work all over the place.

lainz commented Jan 28, 2020

Thanks, the one that worked for me is form autocomplete="off", I had to disable the entire form, since it was picking a random input that is even not related to login credentials, seems that’s using some kind of AI to detect automatically login fields.

JordonMMG commented Jan 31, 2020

I need this functionality because i have a password for inner functionality that isn’t related to a user’s profile which should be shared across a single team for access. No auto fill should be used on such a field.

new-password did not work for me in the tag. I had to place it in the tag for both password and confirm password.

gregg-cbs commented Feb 3, 2020

It looks like Chrome will force a password suggestion when the input is type=password regardless of what you try do.
They want to put the option in the users hands which is fine.

An option for everyone out there is to make the input type=text and use a font that looks like the password dots.

motsmanish commented Feb 8, 2020

The working solution for Chrome Version 79.0.3945.130 | 80.0.3987.87
Stackoverflow link: https://stackoverflow.com/a/51617163/1228430

ShivaMiyapuram commented Feb 19, 2020

autocomplete = ‘nope’ was working fine in Chrome 79.

Tried using autocomplete = ‘any-random-string’. But it’s not working in Chrome version 80.

AliN11 commented Feb 27, 2020

You can make it simpler by using only this input between your real inputs (username and password):

marena commented Mar 5, 2020

This is my workaround. At the beginning of your form insert code below. Inner div with -100vw is there for Chrome show password extensions. Like ‘Show and Hide Passwords’ etc (they adding eye icon image before end body tag).

JVwork commented Mar 8, 2020

Hey there, try this:

  • use the classic autocomplete="off" on the autocomplete input
  • for the autocomplete input, use a name not corresponding to any stuff like address (or parts, in any language), username, etc. for example, just try name="ac"

So, to wrap it up — autocomplete="off" + name="ac"

nass1988 commented Mar 20, 2020

I use autocomplete="off", name="password", and ++ placeholder="" ++

lucacerza commented Apr 1, 2020

Hey there,
try this solution:

  1. change the type from "password" to "tel"
  2. in the add this:

tejaswinikhambe commented Apr 3, 2020

Hello,
I tried the above mentioned solutions, but none are working for me in Firefox.
Has anyone got any working solution to turn off autocomplete, which works for all browsers or at least Chrome and FF?
