@MartinH Therefore, you are disabling the ONLY secure way of logging into your site. Because Joomla decided to water down this feature so much that it became a nuisance. I tried to keep y'all safe with WebAuthn and MFA but the Joomla! idiocracy prevailed. I should have kept this code as 3PD extensions. I should have known better than to trust Joomla! with my code. Well, not a mistake I'll be doing again!
Nicholas Dionysopoulos (nikosdion@fosstodon.org)'s status on Friday, 02-Jun-2023 09:13:23 JST
Martin (martinh@social.cologne)'s status on Friday, 02-Jun-2023 09:13:24 JST:

@nikosdion Deactivating WebAuth is the very first thing I do when installing a new Joomla site.
Nicholas Dionysopoulos (nikosdion@fosstodon.org)'s status on Friday, 02-Jun-2023 09:13:25 JST:

Another idiotic thing this so-called "security" #joomla patch gets wrong is that it does not reset the MFA retry count when you log in with WebAuthn (or any other "silent" login). You know, the authentication options which deliberately bypass MFA because the security is guaranteed otherwise.
Nicholas Dionysopoulos (nikosdion@fosstodon.org)'s status on Friday, 02-Jun-2023 09:13:26 JST:

#joomla now has the only MFA implementation in the world with a pointless and user-hostile retry limit, therefore making sure that people WILL get locked out of their sites, with no way to get back in that doesn't involve database editing, thereby conditioning them to NOT use MFA. I should have never contributed this to Joomla. I should have known better. Stupid me.