July 13, 2020, 10:18:48 am

CAPTCHA issues and ideas

Started by OldGuy, July 27, 2019, 12:39:23 pm


OldGuy

1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?
2. Why not use Two Factor Authentication instead of CAPTCHA?

xyzzy

There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

OldGuy

Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/

Jester

Or just get rid of it.

Was there some kind of issue that made this necessary?

Eclipse

Anti screen scraping.

Apparently the devs have not heard of anti-captcha scripts.



Dwight Dutton

Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

OldGuy

Quote from: Dwight Dutton on July 27, 2019, 10:16:42 pm
Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.

We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!

etodd

July 28, 2019, 12:54:33 am #7 Last Edit: July 28, 2019, 01:03:22 am by etodd
Quote from: OldGuy on July 27, 2019, 10:51:18 pm
Quote from: Dwight Dutton on July 27, 2019, 10:16:42 pm
Quote from: OldGuy on July 27, 2019, 12:39:23 pm
1. During a recent mission, the need to log back in and CAPTCHA was a true hindrance. Can we get a longer "timeout" enabled?


Open the WMIRS mission status board, and leave it running even if you don't need it.  It will auto refresh at intervals from 1 to 10 minutes, or anything in between (your choice) even if it is shrunk or in the background.  And you will never time out.

This works even if you are not in a mission.  Just open the status board for ANY mission and leave it running and Eservices / WMIRS never times out.


We did that and as long as the status board was all we wanted, perfect. As soon as we navigated away, CAPTCHA!


I believe the key was to NOT navigate away. Leave that window open, and minimize if you want to. Open a NEW window to navigate away, so the mission window is still open in the background.
MS - MO - AP - MP - FRO - ESO

sUAS MP - sUAS Instructor - sUAS Check Pilot

Vegas1972

Quote from: OldGuy on July 27, 2019, 01:20:40 pm
Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/


I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.
"Life is tough, but it's tougher if you're stupid.", Sgt. John M. Stryker.

Holding Pattern

July 28, 2019, 10:24:59 pm #9 Last Edit: July 28, 2019, 10:33:30 pm by Holding Pattern
Quote from: Vegas1972 on July 28, 2019, 08:13:14 pm
Quote from: OldGuy on July 27, 2019, 01:20:40 pm
Quote from: xyzzy on July 27, 2019, 12:55:07 pm
There are different kinds of two factor authentication. One kind sends a message to your cell phone. If you're in a place that has internet but not cell phone coverage, it won't work. Needing one specific form of communication, internet, is bad enough for an organization that responds to emergencies. Requiring two different forms to be simultaneously available doesn't seem like a good idea to me.

So have a toggle. Problem solved. BTW, my phone gets texts when on wifi.

https://www.howtogeek.com/229643/how-to-use-a-cellphone-without-any-service/


I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.


There are hardware tokens available that you can flash to a common authentication system (TOTP being the most common).

Example:
https://www.protectimus.com/protectimus-slim-mini

SarDragon

I have noticed differences in "performance" between platforms and browsers. In Firefox (computer and phone) and Chrome (computer only), the Captcha is simply a checkbox, while in Edge (computer only), I get the "Pick the pictures" routine.
Dave Bowles
Maj, CAP
AT1, USN Retired
50 Year Member
Mitchell Award (unnumbered)
C/WO, CAP, Ret

Eclipse

The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts 
from scraping the site for non-NHQ approved applications.

"To further secure our portal, we have added a reCAPTCHA feature to esure (SIC) the person logging in is not a robot. "

Quote from: Vegas1972 on July 28, 2019, 08:13:14 pm
I'm not allowed to have my cell phone at work but have access to the internet.  Two factor using a cell phone would kill me.  A toggle would be alright.  Losing the captcha altogether would be awesomer.


TFA and similar security measures can be set to be indefinitely confirmed on trusted machines, and schemas
that are properly implemented using industry standard protocols work fine on mobile and desktop and generally
have multiple vectors for the second factor, including calling a landline telephone number.



NovemberWhiskey

Quote from: Eclipse on July 28, 2019, 11:10:15 pm
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts 
from scraping the site for non-NHQ approved applications.

ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf

Eclipse

Quote from: NovemberWhiskey on July 28, 2019, 11:24:54 pm
Quote from: Eclipse on July 28, 2019, 11:10:15 pm
The reCAPTCHA feature was not added for "security". It was added in an attempt to thwart scripts 
from scraping the site for non-NHQ approved applications.

ref. also https://www.gocivilairpatrol.com/media/cms/R_120_001_ICL_CAP_CC_Memorandum_18__9D4CD773CDC5B.pdf


Now you did it.  Most of us aware of this were hoping if we walked barefoot and never looked it in the eye, it would go away.



NovemberWhiskey

As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.

Eclipse

Quote from: NovemberWhiskey on July 28, 2019, 11:56:47 pm
As written, para 3 of that ICL certainly has the potential to make things interesting for the Hawaii Wing.


Seriously, Puerto Rico, too.

The free services CAP depends on to operate do not include host location guarantees in their SLAs.
That paragraph sets up the potential for a 7 figure unintended consequence for a solution
for a non-existent problem.



coudano

August 16, 2019, 08:41:06 pm #16 Last Edit: August 16, 2019, 08:54:05 pm by coudano
Well I'm officially sick of the CAPTCHA as well.

I would be _VERY_ interested to see some metrics describing the actual assessed risk that eservices is being scraped (or attempted), which is the justification for this measure.

I would be _VERY_ interested in doing a token based authentication where I login, validate myself, and then register my device so that any login attempt from my registered device doesn't CAPTCHA.  As in every online banking app/site out there today... (heck if i have a private key that's registered to my user account i shouldn't even need a username/password)
**Edit yeah if/when CAP does this we are going to need multiple devices per account, I login from my laptop, my ipad/EFB, and sometimes even my phone.

I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

etodd

Are you clicking the checkbox FIRST, before entering the name and password?  This works most of the time for me, so I don't have to click photos. Usually if I've already been online earlier in the day.
MS - MO - AP - MP - FRO - ESO

sUAS MP - sUAS Instructor - sUAS Check Pilot

Slim

Quote from: coudano on August 16, 2019, 08:41:06 pm
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!



Slim

jeders

Quote from: Slim on August 19, 2019, 03:34:49 am
Quote from: coudano on August 16, 2019, 08:41:06 pm
I would be _VERY_ interested in forcing whoever thought the CAPTCHA was a good idea, to login to e-services a minimum of six times a day, every day, and time with a stopwatch how long it takes before said person starts twitching.

:)

For a little more fun, make them sit for 10 hours at a practice mission, maintaining a unit log in WMIRS, only to have to log in and go through the CAPTCHA business every time you need to make an entry.

Was much fun.

NOT!


Open a status log in one tab and the unit log in another. The status log continually updates and will keep you from being kicked for inactivity.
If you are confident in your abilities and experience, whether someone else is impressed is irrelevant. - Eclipse