I don't want to use FileMaker's own login interface; I want to customize one. What should I do?
You can use File Options to auto login and then use your own layout/script to handle login.
If you are using a custom login you are building an additional layer of pseudo-security. There have been many, many threads on this and why this is a very bad idea.
1. Make an account that has no rights to see or do anything except the custom login layout.
2. Make your file auto login on this account and open the custom login layout.
3. Use the 'account' script steps.
@DavidZakary: I don't see any problems in this method.
Suggestion: post a small sample of this method here. See how many can 'get in'.
hbrendel There have been many people that have thought that and have been proven wrong. Ask shblackwell, jormond or wimdecorte about it. They'll set you straight.
hbrendel wrote: @DavidZakary: I don't see any problems in this method
Do a search on this forum for 'ersatz security' and read the arguments.
It makes no sense to me to compromise security in a big way just to pretty up a login dialog.
As has been said often, your strongest security is knowing who is getting into the file. If you let them into the file, half the battle is lost already.
We don’t sound the warning because we want to be difficult. We have experience with those types of ersatz security methods, and have seen the disastrous results when a user or former employee circumvents the scripted security approach and makes off with, or exposes, sensitive or company data. The risk is real, and the threat is devastating for a small to medium business. (Information is one of the strongest commodities in the black market.)
wimdecorte reminds us regularly, “absence of evidence is not evidence of absence”. Just because we individually can’t see how someone can get around it, doesn’t mean it’s not possible.
If you build something like this for a client or a company, at the least, be sure you get them to sign a waiver showing you warned them of the danger. And the better move is to refuse to do it. Data integrity is more important than convenience and aesthetics.
A similar post came up a couple of months ago: Creating Custom Professional Login Layouts for iOS SDK Apps. (No Default FM UserPass Screen)
Please read this thread and attached PDF.
A Conversation About '2 Factor Authentication'
Check these from DevCon past:
OK, I post this little database.
If someone gets in, please let me know how.
I take it that you are not in agreement that you are incurring more risk than just using the security scheme?
Let's try this, as a narrative describing your login:
Would you agree that #1 is more risky than doing proper authentication *before* there is access to the file?
I agree on the fact that the original security scheme is best.
I just wondered if my suggestion would be OK for those who want to make their own login layout.
I emphasize that I never do it myself. Just for now the finger practice.
hbrendel wrote: I just wondered if my suggestion would be OK for those who want to make their own login layout.
IMHO: an emphatic NO.
Does editing one of the scripts count as "getting in"?
Here you go...
My popcorn hasn't even finished popping.
Thanks DavidZakary. I hadn't even looked at the file yet.
I'd say so. If you can edit a script you can do pretty much anything you want.
I am convinced. As I said: I wouldn't really do it. Just was thinking with the OP.
But really: how did you do it?
David Wikström wrote: Does editing one of the scripts count as "getting in"?
Or preventing a script from running, running any other script, stopping a script.... If security is going to be handled by scripts then any of these actions can break it.
It's not a good idea posting how to hack into a file on a public forum. My lips are sealed and fingers bound to silence.
I still am curious. What about a PM? Is this possible on this forum?
In the videos that Bev posted from DevCon, and some in that long thread I posted, it is discussed.
DavidZakary Is it possible to crack-through even if the file is encrypted?
Yes. Locally, they would need the encryption key. But that would defeat the purpose of using the auto-login.
Hosted remotely, if you let them in first, you’ve lost half the battle.
raganmix2 wrote: Is it possible to crack-through even if the file is encrypted?
To expand on jormond's answer: Encryption-at-Rest (EAR) protects the file when it is closed (at rest). FMS already has the file open and hosted so EAR does not come into play when you auto-login into a hosted file.
EAR on a hosted file protects the file when it is not hosted and its backups.
If you have a local file then EAR will prompt the user for the encryption key *before* the authentication challenge, so your users would need to know the encryption key, which kinda defeats the purpose of having one to some extent: it would be shared among multiple users and thus you can't consider it a secret anymore.
Yeah, I know by now.
If you just would tell me how...
... forgot to delete the FullAccess account?
Currently (with file in hand), it is possible to access any file that has a FullAccess account.
... If you delete the full access account (in login.fmp12), ... can someone access the file using the previous technique?
... Without the account (fullaccess) I only see one more possibility ( I.I ) ... more selective and less plausible.
This thread again illustrates the issues that arise when employing ersatz “security” systems on the FileMaker Platform.
Please note the various threads, videos, and Blogs cited in responses by several people including Wim, Beverly, and Josh.
Additionally, at the 20th DevCon in 2015 I did a program about what I might find if I did a Security Audit of your solution. The video for that is here:
David Zakary notes:
It's not a good idea posting how to hack into a file on a public forum.
I am in almost complete agreement with this. However, if there was a vulnerability and if FileMaker, Inc. has addressed it, then I have on several occasions given a general description of that vulnerability and told how to close it. I do not want to be unduly self-promotional here, but my FileMaker Security BLOG describes a number of these instances:
Particularly these items:
Generally speaking, the further away you go from what FMI has provided as security tools, especially for Identity and Access Management and for Privileges Management, the more likely you are to run into difficulties and to create vulnerabilities that do not already exist.
Steven H. Blackwell
Platinum Member Emeritus, FileMaker Business Alliance
[quote]OK, I post this little database.
If someone gets in, please let me know how.[/quote]
Does it have a username and password in this script?
I too want to have this idea of having an extra login.
Imagine if a store has one PC and many users. Everyone knows the "restricted login" username and password, and it is given only once when the app starts. Later on they can just use the second-level username and password to change their login.
'Like listed username and individual PIN.'
If you're in China, maybe you can contact me. Shanghai