Sharis Posted September 17, 2018
Hello, everyone. Someone has mentioned that 2FA keys for offline systems are useless. I would like to know why, and how it could be bypassed easily.
digininja Posted September 17, 2018
Give us some more information. Who mentioned it? Is there some context?
Sharis Posted September 17, 2018 (Author)
Quote:
First, let's make one thing clear: if it's offline and is useful software, there ARE going to be cracked versions of it anyway, no matter what you do. There are a great many examples of crackers which can patch almost all versions of offline software. However, here are some ways I can suggest.
- Do not copy/reuse any code (especially the authentication part) from other software; this will make you more vulnerable.
- Use custom seeders, so that your software cannot be easily reverse engineered.
- 2FA isn't going to help you for offline apps, so it is almost useless doing that.
- Plus, and most importantly, try releasing free versions of your software with most features, and only reserve some extraordinary features for the commercial version (make sure the free version is more protected, more structurally authenticated and looked after better). People tend to crack your software less when you already have most features in your free versions.

I'm gathering information on how to authenticate an offline system. My first intention was to implement a 2FA USB key, but from what I have gathered it seems that the best way to authenticate the user is by hardware fingerprinting. But I want to know how a 2FA USB key can be bypassed and why it's secure.
digininja Posted September 17, 2018
Your original question was about licensing your software; 2FA is about authenticating users. They are two different things.

Anything you do that is purely client side can be cracked, whether it is a basic password, a USB token, 2FA codes (which are just passwords if you think about it), anything. They are cracked either by modifying the software and disabling the check, or by working out how the codes are generated and creating a code generator. If your 2FA codes are just the MD5 of the current timestamp, then I can create an app to generate a code whenever I want to.

My suggestion of fingerprinting for licensing is just as vulnerable as a USB token, except it requires one less USB port and can't get lost in a desk drawer or be pinched by your kids to play with.

Quote:
- Do not copy/reuse any code (especially the authentication part) from other software; this will make you more vulnerable.

I'd disagree with this: find a project which is specifically written to do whatever you want and use that. No offence meant, but it doesn't sound like you are an expert in this area, and so trying to roll your own authentication or licensing is probably going to end badly. It might not get hacked, as no one might care, but the code probably won't be the best.
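The two attack routes described in the reply above, as an added example that is not part of the thread. It first models the weak scheme digininja mentions (a six-digit code that is just the MD5 of the current minute) and shows that an attacker who has read the check can regenerate valid codes on demand. It then models a stronger, HOTP/TOTP-style code that needs a key, and shows that for an offline app the key has to ship inside the program, so whoever has the program can pull the key out and forge codes just the same. The key, the `LICKEY:` marker and the `PROGRAM_IMAGE` byte string are constructed stand-ins for a real binary; nothing here is taken from any product.

```python
import hashlib
import hmac
import struct


# --- Scheme 1: "2FA" code with no secret input (the MD5-of-timestamp case) ---

def weak_code(now: int) -> str:
    """Code the shipped app expects: six digits derived from MD5 of the current minute.

    Constructed example. There is no secret input, so the whole "factor" is the
    algorithm itself, and the algorithm is visible to anyone who disassembles the check.
    """
    digest = hashlib.md5(str(now // 60).encode()).hexdigest()
    return str(int(digest, 16) % 1_000_000).zfill(6)


def weak_verify(code: str, now: int) -> bool:
    """The check inside the offline app."""
    return hmac.compare_digest(code, weak_code(now))


def forge_weak(now: int) -> str:
    """Attacker's generator: the same algorithm, recovered by reading the check."""
    return weak_code(now)


# --- Scheme 2: HOTP-style code keyed with a secret that ships in the binary ---

def hotp_like(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-shaped truncation (RFC 4226 layout) over an 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


# Hypothetical key: for an offline app it has to live in the program itself.
EMBEDDED_KEY = b"constructed-key-shipped-with-app"


def totp_verify(code: str, now: int, key: bytes = EMBEDDED_KEY, step: int = 30) -> bool:
    """The app's check: 30-second time step, same key the attacker can read."""
    return hmac.compare_digest(code, hotp_like(key, now // step))


# Constructed stand-in for the program's binary. The key sits in the data section
# behind a marker; with a real binary you would locate it with strings, a debugger,
# or a hook on the HMAC call. The marker and layout are purely illustrative.
KEY_MARKER = b"LICKEY:"
PROGRAM_IMAGE = b"\x7fELF" + b"\x00" * 24 + KEY_MARKER + EMBEDDED_KEY + b"\x00" + b"\x90" * 8


def recover_key(image: bytes, marker: bytes = KEY_MARKER) -> bytes:
    """Pull the NUL-terminated key out of the (constructed) binary image."""
    start = image.index(marker) + len(marker)
    end = image.index(b"\x00", start)
    return image[start:end]


def forge_totp(image: bytes, now: int, step: int = 30) -> str:
    """Attacker's generator for scheme 2: recover the key, then run the same HOTP."""
    return hotp_like(recover_key(image), now // step)


if __name__ == "__main__":
    import time

    now = int(time.time())
    print("weak code accepted:", weak_verify(forge_weak(now), now))
    print("keyed code accepted:", totp_verify(forge_totp(PROGRAM_IMAGE, now), now))
```

Both checks accept the attacker's code, and neither touches a USB port or a phone. Moving from MD5-of-time to a keyed HOTP changes only where the attacker has to look (the algorithm versus the embedded key); the only way to make the key unavailable to the attacker is to keep it off the client, which is exactly what an offline design cannot do. The other route in the reply, patching the `weak_verify`/`totp_verify` call sites out of the binary, needs no understanding of the code generation at all.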