
Auth on wrong password

Quick find code: 278-279-658-66188702

Ownage Omg
Why does the OSRS client ask for authentication even when the typed password is incorrect? This is literally just an easy way for people to discover other people's login names, as it won't throw an authentication request if the username doesn't exist or if the account has it disabled.

It should only throw this window upon successful authentication via username and password.

12-Nov-2020 17:37:35 - Last edited on 16-Nov-2020 13:02:14 by Ownage Omg

Mrs Ana
I'm not sure why you got that, but I tried this on different browsers and I even cleared my history to ensure that whatever was saved prior to the cleanup is now deleted. This is to ensure that I get asked for the Authenticator code once I enter my account credentials. For the incorrect password, this is what I got:

(screenshot not preserved)

For the correct password, this is what I got:

(screenshot not preserved)

I have never heard of anyone being asked for the Authenticator code when the password has been entered incorrectly. It is not supposed to ask you for the Authenticator code given the fact that the information that you have provided is not the correct one. Do you mind sharing a screenshot of what you are getting when you enter the wrong password?

12-Nov-2020 21:36:11

Ownage Omg
Thank you, Mrs Ana, for clarifying that. Not gonna lie, I was feeling lazy, so I didn't even bother to check the website. I do know for a fact it does this on the OSRS client.

Edit: I just tried using one of my other accounts to log in to OSRS with an incorrect password, and it asks for authentication.

13-Nov-2020 01:14:35 - Last edited on 13-Nov-2020 01:23:21 by Ownage Omg

Mrs Ana
I use the OSRS client to play the game as well, and as soon as I enter an incorrect password, this is what I am shown:

(screenshot not preserved)

I do not want to say that it is "impossible" to be asked for the Authenticator code when entering an incorrect password, considering that you claim to be getting it, but it is not supposed to work like that. The security mechanism is designed to ask for the Authenticator code once the correct match of the login and password has been identified by Jagex's servers. If one or both are incorrect, then the Authenticator code pop-up should not appear, as there is no true value of the login and password combination.

A screenshot or a GIF of what you are experiencing would definitely aid us in trying to figure out what's going on.

13-Nov-2020 15:35:38

Hmm
As noted above, OSRS client works differently to RS3 and the website.

In OSRS, it appears as above. 2FA is asked for even if the PW is wrong.

In RS3 and the Website, this is not the case.

Which method is better?

OSRS has advantages in that you will not know if the password you entered is correct. You only know that EITHER the password OR 2FA was wrong. You do not know which, or even if they were correct at all. This means that in the situation of a brute force attack (which generally doesn't happen, but regardless), you will never know you got the correct password unless you ALSO got the correct 2FA at the time of entering it. This is actually preferable to knowing you got the correct password but not the correct 2FA, because the second you know the password is correct you can stop brute forcing that particular bit, or use it in recovery requests, or in attempts to scam the owner ("I know your password, give me 100m or I'll macro on your account and get you banned" or something similar), or try to use the same password on their email account and such.

In RS3 and the Website, if you do not get the 2FA prompt, you know the password was incorrect. If you do get the prompt, you know the password is correct, leading to the blackmail problems / appeal problems above.

IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach. However, Jagex fail in that they use both approaches anyway, and should stick to one or the other, not both.

While there's a small problem in using this to try and enumerate active accounts or accounts without 2FA at all, about 50% of all RS players have 2FA enabled, and although the OSRS method is better IMO, I would personally say there's not much real threat in knowing if a single username exists or whether it has 2FA, because neither offers any real avenue to getting the password or 2FA anyway.

A username is not generally considered private information in most security systems.

15-Nov-2020 17:37:39 - Last edited on 15-Nov-2020 17:43:50 by Hmm
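The trade-off Hmm describes above, as an added example that is not part of the thread and is not Jagex's code: three toy login flows in Python and a helper that checks what one attempt tells an attacker. `login_stepwise` models the RS3/website order (2FA prompt only after a correct password), `login_prompt_if_2fa` models the OSRS behaviour as the thread describes it (prompt whenever the account exists and has 2FA, whatever the password), and `login_uniform` prompts on every attempt for every name and judges password and code together. The usernames, passwords and TOTP codes are constructed for the demo, and the response strings are assumptions, not the real client's messages.

```python
"""Added example (not Jagex code): three shapes of a password + 2FA login
flow and what a single attempt reveals about each. All accounts, passwords,
salts and TOTP codes below are constructed for the demo."""
import hashlib
import hmac
import secrets

NEED_2FA = "need_2fa"        # assumed response names, not the real client's
BAD = "bad_credentials"
OK = "ok"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _make_user(password, totp=None):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash(password, salt), "totp": totp}


# Constructed accounts: one with 2FA enabled, one without.
USERS = {
    "ownage": _make_user("hunter2", totp="482913"),
    "ana": _make_user("correct-horse"),
}
_DUMMY_SALT = b"\x00" * 16   # burn the same hashing cost on unknown names


def _password_ok(user, password):
    return hmac.compare_digest(_hash(password, user["salt"]), user["pw_hash"])


def _code_ok(user, code):
    if user["totp"] is None:
        return True          # no 2FA on this account: any (or no) code passes
    return code is not None and hmac.compare_digest(code, user["totp"])


def login_stepwise(username, password, code=None):
    """RS3/website style: 2FA is requested only after the password checks out,
    so the prompt itself confirms the name exists and the password is right."""
    user = USERS.get(username)
    if user is None or not _password_ok(user, password):
        return BAD
    if user["totp"] is None:
        return OK
    if code is None:
        return NEED_2FA
    return OK if _code_ok(user, code) else BAD


def login_prompt_if_2fa(username, password, code=None):
    """OSRS client as described in the thread: prompt whenever the account
    exists and has 2FA, regardless of the password. Hides whether the
    password was right, but reveals that the name exists and has 2FA."""
    user = USERS.get(username)
    if user is None:
        _hash(password, _DUMMY_SALT)
        return BAD
    if user["totp"] is not None and code is None:
        return NEED_2FA
    pw_ok = _password_ok(user, password)   # evaluate both, never short-circuit
    code_ok = _code_ok(user, code)
    return OK if (pw_ok and code_ok) else BAD


def login_uniform(username, password, code=None):
    """Prompt for a code on every attempt and every name, then judge the
    password and the code together behind one failure message."""
    if code is None:
        return NEED_2FA
    user = USERS.get(username)
    if user is None:
        _hash(password, _DUMMY_SALT)       # same cost as a real check, then fail
        return BAD
    pw_ok = _password_ok(user, password)
    code_ok = _code_ok(user, code)
    return OK if (pw_ok and code_ok) else BAD


def distinguishes_password(flow, username, right_pw, wrong_pw, code=None):
    """True if one attempt lets an attacker tell a right password from a wrong one."""
    return flow(username, right_pw, code) != flow(username, wrong_pw, code)


def distinguishes_username(flow, real_name, fake_name, password, code=None):
    """True if one attempt lets an attacker tell an existing name from a missing one."""
    return flow(real_name, password, code) != flow(fake_name, password, code)


if __name__ == "__main__":
    for flow in (login_stepwise, login_prompt_if_2fa, login_uniform):
        print(f"{flow.__name__:20} leaks password: "
              f"{distinguishes_password(flow, 'ownage', 'hunter2', 'wrong')!s:5} "
              f"leaks username: {distinguishes_username(flow, 'ownage', 'nobody', 'wrong')}")
```

Running it shows the split the post describes: the stepwise flow answers a password guess directly (prompt versus no prompt), the prompt-if-2FA flow hides the password but answers "does this name exist with 2FA on", and the uniform flow answers neither from a single attempt. The dummy hash on unknown names is there so the nonexistent-account branch costs the same time as a real check; without it, response timing becomes the enumeration oracle the message text no longer is.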

Hmm
I couldn't say why Mrs Ana might get the RS3-style behaviour while 0wnage, Iffy and I are asked for 2FA regardless of PW on OSRS. There might be some extra variables we're not considering; for example, username vs email login might change the behaviour here slightly. I'm a login name user; it'd be interesting to know if you all were too.

15-Nov-2020 17:47:10 - Last edited on 15-Nov-2020 17:53:24 by Hmm
