🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall off and really show its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it's completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it then redirects you back. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing algorithms that are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
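As an added illustration (not Subeta's own code) of the scheme described above: the cookie's authentication tag is keyed by the server-wide secret, the per-user key and the stored password hash together, so a per-user key reset, a password change or a server key rotation each invalidate every cookie issued before it. The function names, the HMAC construction and the account record are assumptions made for this example; the post gives no implementation details.

```python
import base64, hashlib, hmac, secrets

def hash_password(password: bytes, salt: bytes) -> bytes:
    # Stand-in for the stored password hash: a slow KDF, not a bare SHA-256.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def derive_cookie_key(server_key: bytes, user_key: bytes, password_hash: bytes) -> bytes:
    # Bind all three secrets into the MAC key: a server rotation, a per-user key
    # reset or a password change each yields a new key, so old cookies stop verifying.
    material = b"cookie-key-v1|" + server_key + b"|" + user_key + b"|" + password_hash
    return hashlib.sha256(material).digest()

def issue_cookie(user_id: int, record: dict, server_key: bytes) -> bytes:
    key = derive_cookie_key(server_key, record["user_key"], record["password_hash"])
    payload = str(user_id).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + b"." + base64.urlsafe_b64encode(tag)

def verify_cookie(cookie: bytes, users: dict, server_key: bytes):
    """Return the user id the cookie proves, or None if it no longer verifies."""
    try:
        payload, tag_b64 = cookie.rsplit(b".", 1)
        user_id, tag = int(payload), base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed cookie (binascii.Error is a ValueError)
        return None
    record = users.get(user_id)
    if record is None:
        return None
    key = derive_cookie_key(server_key, record["user_key"], record["password_hash"])
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison so a forged tag cannot be matched byte by byte.
    return user_id if hmac.compare_digest(tag, expected) else None

def walkthrough() -> dict:
    # Constructed account record; every secret here is generated for the demo.
    server_key, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    users = {42: {"user_key": secrets.token_bytes(32),
                  "password_hash": hash_password(b"old password", salt)}}
    cookie = issue_cookie(42, users[42], server_key)
    out = {"fresh": verify_cookie(cookie, users, server_key)}
    users[42]["user_key"] = secrets.token_bytes(32)        # the "log out everywhere" reset
    out["after_user_key_reset"] = verify_cookie(cookie, users, server_key)
    cookie = issue_cookie(42, users[42], server_key)      # user logs back in
    users[42]["password_hash"] = hash_password(b"new password", salt)
    out["after_password_change"] = verify_cookie(cookie, users, server_key)
    cookie = issue_cookie(42, users[42], server_key)
    out["after_server_key_rotation"] = verify_cookie(cookie, users, secrets.token_bytes(32))
    out["garbage"] = verify_cookie(b"not-a-cookie", users, server_key)
    return out
```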

Password Update

As part of all of these changes: the encrypted password stored for your account on Subeta is woefully out of date. We've been able to implement the new system in a way that takes priority over the former one, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. The site will still read that old cookie, but we aren't going to be supporting the old system for long. This is different from needing to update your password: this is about the temporary cookie that stores your account information in your browser. It's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're already logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct tape.

July 20, 2022, 2:41 pm by Celesdragon

Worked perfectly for me on the first try.

July 20, 2022, 2:33 pm by Solas

This whole thing hurts my brain. It took forever for me to figure out how to log in right 😒

July 20, 2022, 2:33 pm by Galaxia

Please try again, there was an issue where the first time did not go through even if you were entering the information correctly. This should be fixed for you now, as well as for people trying the first time going forward.

July 20, 2022, 2:27 pm by Lucifer

took my email and password just fine, logged me in right away.

July 20, 2022, 2:11 pm by FCoD

I used my correct email but it says it is invalid.

July 20, 2022, 2:03 pm by Galaxia

You can see what email you currently have set at https://subeta.net/preferences.php?act=profile. If it doesn't match or you need to set it to something else, send a message to support.net.

July 20, 2022, 2:01 pm by skydreamer

As an add-on to my last comment..

Her account has been part of subeta for over 15 Years. It would be ... Frustrating to say the Least if it were lost due to this not being mentioned in the news Before it was implemented.

July 20, 2022, 1:59 pm by skydreamer

VERY IMPORTANT...

What if we have forgotten what email we signed up with because we Always leave our account logged in and/ or logged in using username and password for the last who-knows-how-many years? Is there a way to change our email and Then log in using the new method? What if we already tried logging in using the new method and didn't realize our account was on an old email (and therefore cannot be accessed)? (There is someone I know who is Already having issues with this..)

July 20, 2022, 1:58 pm by Bathory

Completed

July 20, 2022, 1:56 pm by Eivor

I guess I did it right because the banner went away. Even though it rejected my correct email and correct password the first time around.

July 20, 2022, 1:50 pm by Wizardpinky

finally works after hours of trying ^^

July 20, 2022, 1:47 pm by lightnight99

Hmm... I'm just guessing here. I tried numerous times to log in, didn't work; changed password, still didn't work. But I changed my password again with 1 capital letter and special characters, which I didn't have with the old password, and it did work after that. So I finally got in, ^-^

July 20, 2022, 1:43 pm by NekoHime

just making sure, thanks for understanding

July 20, 2022, 1:40 pm by Targaryen

It will not let me sign into the new system! I guess "user not found" needs to be found!

July 20, 2022, 1:36 pm by Galaxia

You shouldn't have to switch back to using gmail for Subeta! See if you can change your email on https://subeta.net/preferences.php?act=profile. If not, you can email support.net to set your protonmail address as where you want Subeta emails sent.

July 20, 2022, 1:34 pm by spookypeach

I did have to reset my password but it seems to have worked fine for me otherwise.

July 20, 2022, 1:32 pm by Galaxia

We are hoping to polish the page further and add some more elements to really solidify the look and feel, yeah! We just know that people have had to work around authorization issues for a while and wanted to get this out there, especially with the other changes such as the new email provider.

July 20, 2022, 1:31 pm by -HyperBlossom-

Hey wait, I switched my email to my Proton Mail. Does that mean I have to switch back to my Google mail?

July 20, 2022, 1:30 pm by kytten

eyo it worked eventually! (i swear complain about a thing and it works just to shut you up lol)

July 20, 2022, 1:25 pm by Someone

Worked on the second try.

July 20, 2022, 1:25 pm by Loki

I understand, it is the easiest and most secure method for Subeta. Keith is literally a one-man show holding everything together (we appreciate you).

That being said, it still feels like a gotcha page/phishing attempt.

July 20, 2022, 1:14 pm by frederick

Maybe this might be of use if you have time, but as you point out, it may be too much work with very little payoff.

July 20, 2022, 1:08 pm by Galaxia

The Internet is a tricky place, especially these days, and your caution is understandable. But a centralized auth system/site is the best way to integrate old and new Subeta, and be able to make changes as needed to the process. If Keith tried to design it separately and implement it across different pieces, changes would be immensely more complicated as well as break features individually.

For instance, the fix that Keith just deployed for emails/passwords not matching wouldn't be so easy without that centralized site. This also means that if there's a leak or vulnerability from somewhere upstream that needs patching, it can be done immediately across everything. It's way easier to fix vulnerabilities this way as well as make improvements.

July 20, 2022, 1:07 pm by Mikestoker51

Galaxia, it seems to be working for the time being. I logged out of the site altogether and tried to log in, and I managed to log in this time, although I had a choice of two options: classic Subeta or something dealing with the wardrobe (not sure now). I clicked on the classic Subeta and I was in, and so far I am not seeing the banner at the top of the page anymore about logging into the new site. Hope the fix worked for me.

July 20, 2022, 1:06 pm by Tammynoneed20

I tried it in Chrome on my phone and all I get is this error: Incorrect username/password combo! So I'm staying in Firefox forever n I'm too scared to try it in Firefox cuz I might not be able to log back in

July 20, 2022, 1:06 pm by KeithTest

Galaxia mentioned email, and I think that's another good example of a change that happened behind the scenes here. We're testing the transaction e-mail flow (lost password) from a new provider that does not track clicks or opens, and is generally more privacy and consumer focused.

Our normal emails up to this point come from one of the major email providers, whose job it is to get as much data about you as possible from us. Data that we never investigate (I've never once looked at how many people open our emails -- that is probably why I'm not a millionaire ;p) or use is packaged and sold downstream without any of us knowing, and tbh I'd rather not do that.

Anyway, just a fun lil tidbit!

July 20, 2022, 1:04 pm by Reaper

(sorry not sure which to ping) Before I do any of this, do you know how this might affect third party sites that allow users to log in (like SubetaLodge) and maintain lists like collections or allow the staff for the sites to add new items as they're added here?

July 20, 2022, 1:04 pm by Ciannwn

The email on my profile is the one I've always had and which received Subeta newsletters when you used to send them. I deleted Subeta cookies in my browser but the new link login still said invalid email or password. I was able to log in again, though, using the old login. I'm just going to leave it for now until whatever bugs there are have been sorted out.

July 20, 2022, 1:03 pm by frederick

Yubikey might also cause a lot of CS tickets in the event people lose their keys. The benefit, though, is it being a brick wall to account takeover. For me personally, it's sent a stalker packing after I got tired of them attempting to get through the time-based code on my email. I wish more sites supported it.

July 20, 2022, 1:00 pm by Donteatacowman

OK, I got it to work! I had to clear out my cookies on my browser, which also logged me out. Then I went to the new login site. (A link to this on the old login page would be appreciated, but presumably those changes are on the way.) It still didn't work with my autofill password for some reason, but when I manually typed it in, it worked!

July 20, 2022, 1:00 pm by KeithTest

πŸ€¦β€β™‚οΈ Fix for that typo incoming.

July 20, 2022, 12:59 pm by Galaxia

You can see what email you have set at https://subeta.net/preferences.php?act=profile.

July 20, 2022, 12:58 pm by Darkersolstice

You may want to check some of the spelling on the new login page. Things like "catious" instead of "cautious" make it look kinda scammy.

July 20, 2022, 12:58 pm by KeithTest

lol forever logged into my testing account because of all of the auth stuff 😭

July 20, 2022, 12:58 pm by Bunny20

Okay, I finally got it to accept. Changed the pw AGAIN and then it finally took. fingers crossed

July 20, 2022, 12:57 pm by Sleeb

I don't know which email I used to sign up. It was a long time ago. ;u;

July 20, 2022, 12:56 pm by KeithTest

We'll offer time-based & SMS-based (both via Twilio, so Authy/Google Authenticator will work). I honestly dunno how to support Yubikey / it likely wouldn't be worth the time to learn it.

July 20, 2022, 12:56 pm by Synth

Hm, ok, well, looking through the comments here I think I'm just gonna wait awhile before I mess with this...

July 20, 2022, 12:55 pm by KeithTest

I tried to be as clear as possible in the news post that there was no immediate danger of being logged out, or kicked out of your account, if you couldn't use the new system. I guess not clear enough 😅

I'm glad it worked in the end, that was the deploy that Galaxia mentioned I pushed out to fix the issue and I hope it's not a problem again!

July 20, 2022, 12:55 pm by Konichu

Logging in without problems!

July 20, 2022, 12:54 pm by frederick

Please consider the use of out-of-band 2FA: time-based token (Authy, Google Authenticator), FIDO2 key (Yubikey, Titan, Solokey).

July 20, 2022, 12:54 pm by Galaxia

Are you still having this issue as of 12:53pm? Keith deployed a fix for the password/email issue, but please let us know if it's not working!

July 20, 2022, 12:53 pm by Mort

Personally I was able to change my password, thanks for the fix!

July 20, 2022, 12:53 pm by Loki

I have logged in via the new method, but I still have the "using old cookies" bar. It disappeared for a few and came back.

Also, I'm going to have to agree with others. Using an external site to log in seems phishy.

July 20, 2022, 12:49 pm by Mikestoker51

Same thing here. I tried to log into the new site and it is telling me that my e-mail is invalid, and I know for a fact that my e-mail address is correct, because that is the only one I have ever had and used; I have no other e-mail address. I have no problem at all logging into the old system.

July 20, 2022, 12:48 pm by Galaxia

Make sure that the URL is https://auth.subeta.net, and that it has a little yellow lock next to the kumos. Thank you for being security-conscious and asking!

Keith has also deployed a fix, so please try again now if it wasn't working before.

We're currently working through emails as well; as part of the backend work we've gone to a new email provider and there's a bit of a backlog, but that is in progress!

July 20, 2022, 12:48 pm by Hamda

Going "I forgot my password" did nothing. Never got an email... oddly enough double pressing after getting "invalid password/email" worked.

I guess this responds to the metaphoric banging on top of the TV to get the station

July 20, 2022, 12:47 pm by NekoHime

Are you sure that's not a fake link? 🧐

July 20, 2022, 12:46 pm by feral

Well, this was horribly stressful. I logged out and tried to log back in, and got the same as a lot of people here are posting: "Password invalid". Tried to reset my password about 5 times (waiting a few minutes between each and checking every folder in my email). I had logged out, so it felt like there was nothing I could do? I ended up just spamming trying to log in with my email / pass I knew was correct, and after trying REPEATEDLY, it suddenly accepted the password.

Yikes.

July 20, 2022, 12:44 pm by castyourshadow

Ditto to no email being sent to reset password. I was also a tester of this, so I'm not sure if that has anything to do with it.
