Developing a 2FA plugin for "logging into" minecraft servers

Hello everybody!

My name is heartsemma. Long story short, I came here as a long-time minecraft player looking to contribute to the development of an API, and I’ve decided to help Sponge. Obviously, it would be better for me and the staff if I developed a plugin for the API to understand how it works before I started trying to make additions to the code. Thus, I’ve decided to create a two factor authentication plugin for connecting into individual minecraft servers.

The goal for this side project is to use the Time-based One-time Password Algorithm (for laymen, the google authenticator thingy) to add extra authentication when connecting to minecraft servers. Unfortunately, Mojang does not support any form of two-factor authentication for their accounts at the time of writing, and directly encourages its users to set up vulnerable security questions that are easy to exploit for someone skilled at SIGINT. Because of this, I thought it necessary to write a plugin that provides this security feature at the server level.

I have not written a lick of code yet, although I’ve worked on small encryption projects outside Sponge, and I plan on updating this thread as it begins development. I will be getting used to the Sponge API while I do, so get prepared for a few errors along the way. If you find a vulnerability or bug in my code, don’t hesitate to tell me about it. I’ll be embarrassed for letting it slip in, but I can take it. I will be updating this thread with the project link on github in due time (aka when I figure out how the Sponge API works).

Just want to inform you there is already one plugin that does this. But go for it and create your own. :wink:

God damnit. I’ll probably just ask if I can work on his then.

Competition can be healthy! :slight_smile:

3 Likes

On second thought…

I think you’re confused on what the plugin is. The Time-based One Time Password protocol is completely different from a One Time Pad encryption scheme. Only one pre-shared key is generated in TOTP at the beginning of registration. Codes, using the time and the aforementioned pre-shared key, are then generated with a pseudo-random number generator, and then the server asks the user to send their code each time they log in.

See the following:
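To make the registration-then-login flow described above concrete, here is an added example (not code from the thread or from the plugin) of RFC 6238 TOTP as Google Authenticator computes it: one shared secret is generated at registration, and each code is an HMAC-SHA1 over the 30-second time counter, truncated to six digits. The function and variable names are my own; the server-side check accepts one step of clock drift and compares in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # default code length


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(key, int(unix_time // step), digits)


def new_shared_secret() -> str:
    """Registration step: one random 160-bit secret, base32-encoded for the
    authenticator app. Stored once per player; never shown again."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def verify_code(secret_b32: str, submitted: str, unix_time: float,
                window: int = 1) -> bool:
    """Login step: accept the code for the current step or +/- `window` steps
    of drift, using a constant-time comparison to avoid leaking digits."""
    key = base64.b32decode(secret_b32)
    for drift in range(-window, window + 1):
        expected = totp(key, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 reference seed, not a real player's key.
    seed = b"12345678901234567890"
    print(totp(seed, 59))  # 287082 per the RFC 6238 test vectors
```

A real plugin would also need to rate-limit attempts and reject a code that has already been accepted in the same time step, so a captured code cannot be replayed.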

The plugin is far from being ready for use, but I have begun to put commits on github.

Any commentary you have at all about any problems you see with the plugin is gladly welcomed.

1 Like

It’s been a week and a half, and the plugin is nearing an experimental, bare-bones build ready for use on 1.10.2!

Since security plugins thrive on code review, it would be greatly appreciated if you could go to the aforementioned github link and yell at me about my code. I promise not to be offended.

2 Likes