MClaim without editing skins

jomo

Jake0oo0 and I built something similar a while ago, and there's no need to go through the hassle of changing a user's skin. It's a super tiny Minecraft server that only authenticates users and kicks them with a random token. Here is the link to it with more details.

Since only the user knows that token, we can be sure it's them. Unless a user shares their name/uuid + token, this is 100% accurate and secure.

Some demo gifs for the UX:
GNTtNsf.gif


On the website:
0dl3nHg.gif
 
Type: Suggestion
Status: Denied

Ajdin

I used to be a big deal on here but now irrelevant
Supreme
Changing skins is much more secure than logging into the server. Logging in on a server doesn't require Mojang's security questions while changing skins mostly does. Plus it's all done on site.
 

Ajdin

You could make them change the security questions to a random unique thing for all three and then verify that way. Then the system logs in and checks the security questions with the codes provided for that single person.
Isn't that much more complicated than changing skins?

Us checking for their security questions requires us to have their password. It doesn't make any sense and isn't that secure.
 

jomo

> Changing skins is much more secure than logging into the server. Logging in on a server doesn't require Mojang's security questions while changing skins mostly does. Plus it's all done on site.

Logging in on a server still requires you to use your actual MC account to log in on the server, which authenticates it via Mojang's session server. If you think that's not reasonably secure, there's no real point in linking your MC account to your profile. (Because it's what you see on other MC servers).

I'm not exactly sure how you implemented the skin check, but it's definitely possible to guess the time a user is linking their account, and the skins are public. If I'm faster than the user, I could probably link their account to my profile. This is known as TOCTTOU.

This would not be possible with random tokens because they're not public.

I can only speak for myself, but I'd much rather quickly join an MC server instead of logging in on the MC website and entering all those security questions I have to look up every time.
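The token flow described in the post above, as an added sketch that is not part of the thread and is not code from jomo's project or from MClaim. `ClaimStore`, `TOKEN_TTL` and the five-minute lifetime are assumptions, and `issue()` is assumed to be called only after the join was verified against Mojang's session server.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 300  # seconds a token stays redeemable (assumed value)


class ClaimStore:
    """Holds one pending, hashed, single-use token per Minecraft UUID."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._pending = {}  # mc_uuid -> (sha256(token), expiry time)

    def issue(self, mc_uuid):
        """Create the token that goes into the kick message for mc_uuid."""
        token = secrets.token_urlsafe(16)  # 128 bits, never published
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[mc_uuid] = (digest, self._now() + TOKEN_TTL)
        return token

    def redeem(self, mc_uuid, token, site_user, links):
        """Link mc_uuid to site_user only if the secret token matches."""
        entry = self._pending.get(mc_uuid)
        if entry is None:
            return False
        digest, expiry = entry
        if self._now() > expiry:
            del self._pending[mc_uuid]  # expired tokens are discarded
            return False
        candidate = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False  # knowing the public name/UUID is not enough
        del self._pending[mc_uuid]  # single use: a replay finds nothing
        links[mc_uuid] = site_user
        return True


if __name__ == "__main__":
    store, links = ClaimStore(), {}
    uuid = "00000000-0000-0000-0000-000000000001"  # constructed sample UUID
    secret = store.issue(uuid)
    print(store.redeem(uuid, "guessed-token", "someone-else", links))
    print(store.redeem(uuid, secret, "owner", links))
    print(store.redeem(uuid, secret, "someone-else", links))
```

Unlike a skin, which anyone can fetch while the claim is pending, the only check here is against a value that was delivered over the authenticated game connection, so being faster than the owner gains nothing.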
 

Ajdin

> Logging in on a server still requires you to use your actual MC account to log in on the server, which authenticates it via Mojang's session server.

You don't understand, I think.

Changing a skin on Minecraft requires you to login on Mojang's site. That requires you to enter your security questions and answers.

Logging into a Minecraft client only requires you to enter your email and username.

> but it's definitely possible to guess the time a user is linking their account

It's not. It has super secret pixels and whatnot which you cannot see. There's no way to fake or bruteforce this.

> I can only speak for myself, but I'd much rather quickly join an MC server instead of logging in on the MC website and entering all those security questions I have to look up every time

I'm not sure what you mean by this, but you only have to enter security questions when verifying an account.

During the development of MClaim, the initial plan was to do the same method you stated; however, that still doesn't stop people from verifying unmigrated accounts/accounts they don't actually own. The method that's live now does.
 

Ajdin

Declined and archived.
 