Security / Authentication Update

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.
I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.
Benefits
#1 Central source of truth
https://auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.
You've probably noticed when clicking on a link to login with Google that you're taken to a non-google domain (sometimes youtube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".
#2 2022 Encryption Method
The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.
We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.
This new management system uses modern hashing methods which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...
#3 User-based Keys
Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.
Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
Password Update
To put all of these changes in context: the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in such a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.
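The three ideas in #2, #3 and the password update above (a modern salted password hash, a login cookie whose validity depends on a per-user key, the current password hash and a site-wide secret, and old password hashes staying valid until the account is next used) can be shown together in a few dozen lines. The following is an added illustration written for this page, not Subeta's code; Subeta is a PHP site, but the pattern is language-independent and is shown in Python here. The record layout, the `pbkdf2$salt$digest` format, the user and cookie helper names, and the legacy hash (an unsalted SHA-1 stand-in, not whatever Subeta actually used) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Added illustration, not Subeta's code. Names, formats and the legacy hash
# below are assumptions made for the example.

PBKDF2_ITERATIONS = 100_000               # demo value; production should go higher
SITE_SECRET = b"constructed-site-secret"  # stand-in for the rotated "top secret Subeta key"


def hash_password(password: str) -> str:
    """Modern storage format: salted PBKDF2-HMAC-SHA256, encoded as pbkdf2$<salt>$<digest>."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(parts[1]), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), parts[2])


def legacy_hash(password: str) -> str:
    """Stand-in for the old, pre-upgrade format (assumption: unsalted SHA-1; not what Subeta uses)."""
    return hashlib.sha1(password.encode()).hexdigest()


def verify_legacy(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)


def make_cookie(user: dict, site_secret: bytes = SITE_SECRET) -> str:
    """Cookie = user id + MAC. The MAC covers the per-user session key and the current
    password hash and is keyed with the site secret, so changing any of the three
    makes every previously issued cookie fail verification."""
    msg = f"{user['id']}|{user['session_key']}|{user['password_hash']}".encode()
    return f"{user['id']}." + hmac.new(site_secret, msg, hashlib.sha256).hexdigest()


def cookie_user_id(cookie: str, users: dict, site_secret: bytes = SITE_SECRET):
    """Return the user id a cookie vouches for, or None if it is stale or forged."""
    user_id_text, _, _ = cookie.partition(".")
    user = users.get(int(user_id_text)) if user_id_text.isdigit() else None
    if user is None:
        return None
    return user["id"] if hmac.compare_digest(make_cookie(user, site_secret), cookie) else None


def login(users: dict, user_id: int, password: str):
    """Accept the modern or the legacy hash; silently upgrade a legacy hash on success."""
    user = users.get(user_id)
    if user is None:
        return None
    if user["password_hash"].startswith("pbkdf2$"):
        ok = verify_modern(password, user["password_hash"])
    else:
        ok = verify_legacy(password, user["password_hash"])
        if ok:
            user["password_hash"] = hash_password(password)  # rotate on next login, not in bulk
    return make_cookie(user) if ok else None


def change_password(users: dict, user_id: int, new_password: str) -> None:
    users[user_id]["password_hash"] = hash_password(new_password)


def reset_session_key(users: dict, user_id: int) -> None:
    """The "log me out everywhere" button: a new per-user key kills every outstanding cookie."""
    users[user_id]["session_key"] = secrets.token_hex(16)


def demo() -> bool:
    # Constructed user record: still on the legacy hash, as an un-rotated account would be.
    users = {42: {"id": 42, "session_key": secrets.token_hex(16), "password_hash": legacy_hash("correct horse")}}
    c1 = login(users, 42, "correct horse")
    assert c1 is not None and cookie_user_id(c1, users) == 42
    assert users[42]["password_hash"].startswith("pbkdf2$")           # upgraded on first login
    assert login(users, 42, "wrong password") is None
    change_password(users, 42, "battery staple")
    assert cookie_user_id(c1, users) is None                           # password change logs c1 out
    c2 = login(users, 42, "battery staple")
    reset_session_key(users, 42)
    assert cookie_user_id(c2, users) is None                           # key reset logs c2 out
    c3 = login(users, 42, "battery staple")
    assert cookie_user_id(c3, users) == 42
    assert cookie_user_id(c3, users, site_secret=b"rotated") is None  # site secret rotation
    assert cookie_user_id("42.deadbeef", users) is None               # forged MAC
    return True


if __name__ == "__main__":
    print("all cookie/password checks passed:", demo())
```

The cookie carries only the user id and a MAC; the session key and password hash never leave the server, which is what lets a single per-user key reset or a password change cut off every device at once, and rotating the site secret cuts off everyone.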
Login Update
You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different from needing to update your password: this is the temporary cookie that stores your account information in your browser. Very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.
Thank you
Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts, since we've made the hard choice to build it from the ground up instead of adding more duct tape.
Posted by Keith

@Targaryen @Tammynoneed20
Please try again, there was an issue where the first time did not go through even if you were entering the information correctly. This should be fixed for you now, as well as for people trying the first time going forward.



@skydreamer
You can see what email you currently have set at https://subeta.net/preferences.php?act=profile. If it doesn't match or you need to set it to something else, send a message to support@Subeta.net.

As an add-on to my last comment..
Her account has been part of Subeta for over 15 years. It would be... frustrating, to say the least, if it were lost due to this not being mentioned in the news before it was implemented.

VERY IMPORTANT...
What if we have forgotten what email we signed up with because we always leave our account logged in and/or logged in using username and password for the last who-knows-how-many years? Is there a way to change our email and then log in using the new method? What if we already tried logging in using the new method and didn't realize our account was on an old email (and therefore cannot be accessed)? (There is someone I know who is already having issues with this..)


I guess I did it right because the banner went away. Even though it rejected my correct email and correct password the first time around.


Hmm.. I'm just guessing here. I tried numerous times to log in, it didn't work, changed my password, still didn't work. But I changed my password again with 1 capital word and other special ones, which I didn't have with the old password, and this did work after that. So I finally got in, ^-^

It will not let me sign into the new system! I guess "user not found" needs to be found!



@Loki
We are hoping to polish the page further and add some more elements to really solidify the look and feel, yeah! We just know that people have had to work around authorization issues for a while and wanted to get this out there, especially with the other changes such as the new email provider.

Hey wait, I switched my email to my Proton Mail. Does that mean I have to switch back to my Google mail?

eyo it worked eventually! (i swear complain about a thing and it works just to shut you up lol)


I understand, it is the easiest and most secure method for Subeta. Keith is literally a one-man show holding everything together (we appreciate you).
That being said, it still feels like a gotcha page/phishing attempt.
@KeithTest Maybe this might be of use if you have time, but as you point out, it may be too much work with very little payoff.

@Loki @NekoHime
The Internet is a tricky place, especially these days, and your caution is understandable. But a centralized auth system/site is the best way to integrate old and new Subeta, and be able to make changes as needed to the process. If Keith tried to design it separately and implement it across different pieces, changes would be immensely more complicated as well as break features individually.
For instance, the fix that Keith just deployed for emails/passwords not matching wouldn't be so easy without that centralized site. This also means that if there's a leak or vulnerability from somewhere upstream that needs patching, it can be done immediately across everything. It's way easier to fix vulnerabilities this way as well as make improvements.

Galaxia, it seems to be working for the time being. I logged out of the site altogether and tried to log in, and I managed to log in this time, although I had a choice of two options, classic Subeta or something dealing with the wardrobe (not sure now). I clicked on the classic Subeta and I was in, and so far I am not seeing the banner at the top of the page anymore about logging into the new site. Hope the fix worked for me.

I tried it in Chrome on my phone and all I get is this error: Incorrect username/password combo! So I'm staying in Firefox forever and I'm too scared to try it in Firefox because I might not be able to log back in.
KeithTest
STAFF
Galaxia mentioned email, and I think that's another good example of a change that happened behind the scenes here. We're testing the transaction e-mail flow (lost password) from a new provider that does not track clicks or opens, and is generally more privacy and consumer focused.
Our normal emails up to this point come from one of the major email providers, whose job it is to get as much data about you as possible from us. Data that we never investigate (I've never once looked at how many people open our emails -- that is probably why I'm not a millionaire ;p) or use is packaged and sold downstream without any of us knowing, and tbh I'd rather not do that.
Anyway, just a fun lil tidbit!


The email on my profile is the one I've always had and which received Subeta newsletters when you used to send them. I deleted Subeta cookies in my browser but the new link login still said invalid email or password. I was able to log in again, though, using the old login. I'm just going to leave it for now until whatever bugs there are have been sorted out.
@KeithTest YubiKey might also cause a lot of CS tickets in the event people lose their keys. The benefit, though, is it being a brick wall to account takeover. For me personally, it's sent a stalker packing after I got tired of them attempting to get through the time-based code on my email. I wish more sites supported it.

OK, I got it to work! I had to clear out my cookies on my browser, which also logged me out. Then I went to the new login site. (A link to this on the old login page would be appreciated, but presumably those changes are on the way.) It still didn't work with my autofill password for some reason, but when I manually typed it in, it worked!


You may want to check some of the spelling on the new login page. Things like "catious" instead of "cautious" make it look kinda scammy.

Okay, I finally got it to accept. Changed the pw AGAIN and then it finally took. fingers crossed


Hm, ok, well, looking through the comments here I think I'm just gonna wait awhile before I mess with this...
KeithTest
STAFF
@feral I tried to be as clear as possible in the news post that there was no immediate danger of being logged out, or kicked out of your account if you couldn't use the new system. I guess not enough.
I'm glad it worked in the end, that was the deploy that Galaxia mentioned I pushed out to fix the issue and I hope it's not a problem again!
Please consider the use of out of band 2FA:
Time based token (Authy, Google Authenticator)
FIDO2 key (Yubikey, Titan, Solokey)
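The first option in the comment above, a time-based token, is RFC 6238 TOTP built on RFC 4226 HOTP; the following is an added illustration written for this page (not Subeta's code, and not a statement of what Subeta will ship) of how a server generates and checks such a code. It uses the RFCs' own test-vector key so the numbers can be checked against the standards; the function names and the `last_counter` replay bookkeeping are this example's assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Added illustration, not Subeta's code: RFC 6238 TOTP (time-based one-time
# password) on top of RFC 4226 HOTP. The key is the RFCs' test-vector secret.

TEST_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test key (constructed input)
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """The code an authenticator app shows at `unix_time`."""
    return hotp(secret, unix_time // TIME_STEP)


def verify_totp(secret: bytes, submitted: str, unix_time: int, last_counter: int = -1, window: int = 1):
    """Return the time-step counter that `submitted` matches, or None.

    Accepts `window` steps either side of now for clock drift, checks every
    candidate (no early exit) with a constant-time compare, and refuses any
    counter at or below `last_counter` so a code that was already used, or
    observed in transit, cannot be replayed. The caller stores the returned
    counter as the user's new `last_counter`.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    now = unix_time // TIME_STEP
    matched = None
    for delta in range(-window, window + 1):
        candidate = now + delta
        if hmac.compare_digest(hotp(secret, candidate), submitted) and candidate > last_counter:
            matched = candidate
    return matched


def secret_to_base32(secret: bytes) -> str:
    """The form in which a shared secret is shown to (or scanned by) an authenticator app."""
    return base64.b32encode(secret).decode().rstrip("=")


def secret_from_base32(text: str) -> bytes:
    """Inverse of secret_to_base32; tolerates spaces, lower case and missing padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    print("current code for the test key:", totp(TEST_SECRET, int(time.time())))
```

Two things the paragraph above does not spell out but a server must get right: the acceptance window has to be small (one step either side is typical), and the counter of the last accepted code must be stored per user, because a six-digit code that is valid for a minute is only a second factor if it cannot be submitted twice.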

@Mikestoker51
Are you still having this issue as of 12:53pm? Keith deployed a fix for the password/email issue, but please let us know if it's not working!

I have logged in via the new method, but I still have the "using old cookies" bar. It disappeared for a few and came back.
Also, I'm going to have to agree with others. Using an external site to log in seems phishy.

Same thing here. I tried to log into the new site and it is telling me that my e-mail is invalid, and I know for a fact that my e-mail address is correct, because that is the only one I have ever had and used; I have no other e-mail address. I have no problem at all logging into the old system.

@Raven
Make sure that the URL is https://auth.subeta.net, and that it has a little yellow lock next to the kumos. Thank you for being security-conscious and asking!
Keith has also deployed a fix, so please try again now if it wasn't working before.
We're currently working through emails as well; as part of the backend work we've gone to a new email provider and there's a bit of a backlog, but that is in progress!

Going "I forgot my password" did nothing. Never got an email... oddly enough double pressing after getting "invalid password/email" worked.
I guess this responds to the metaphoric banging on top of the TV to get the station


Well this was horribly stressful.
I logged out and tried to log back in, got the same as a lot of people here are posting: "Password invalid"
Tried to reset my password about 5 times (waiting a few minutes between each and checking every folder in my email).
I had logged out so there felt like there was nothing I could do?
I ended up just spamming trying to log in with my email / pass I knew was correct and after trying REPEATEDLY, it suddenly accepted the password.
Yikes.

Ditto to no email being sent to reset password. I was also a tester of this, so I'm not sure if that has anything to do with it.

So, email should be correct as I get the newsletters. Password is correct and it has special characters, numbers, capitalization. Yet invalid email/password at auth.subeta.net. Tried reset password - I'm still waiting for the email.
Anything else I am supposed to do?

