Community Forum Account Security and Authentication


#1

I have just one question, and it is about the security behind the shared user account between this Community forum website and the main Dynalist website.

We all know that we can use the same account in both places. Considering the forum is a third-party service, although hosted under the same "dynalist.io" domain, I wonder how account credential authentication is being handled.

Recently I’ve noticed that although both services share the same account, they have kinda independent authentication processes. So, consider the following scenario: I was logged off from both services. Then I log in to the community by clicking the blue button at the top of its page, which says “Log In with Dynalist”. And I just realized that it automatically logs me in to both services at the same time. I can, however, log off from main Dynalist, and this doesn’t mean I’m logged off from the Community forum. The exact opposite behavior is also true, so if I log myself off from the Community forum, it doesn’t mean I’m also logged off from the main Dynalist…

The reason why I’m bringing up this topic is that I’m a little obsessed with security (no wonder, I work in information security myself) and I feel a little concerned about it. I always try to log off from every Web session and revoke access from any app from time to time. TBH, I don’t care about still being logged in to the Community forum, as long as the open session on this site doesn’t bring a security risk that could allow someone to easily access the main Dynalist with my credentials. I would feel much safer if there was 2FA or MFA implemented already, but it seems there’s nothing on the horizon, for the short term.

To overcome this problem, I’m constantly logging off from both services before closing the browser. But that’s me, my way of doing it, not necessarily the best or wisest thing to do.

Thanks for listening!


#2

Your Dynalist account is acting as an SSO (Single Sign-on) here. Just like you won’t be able to open a person’s Gmail if they stay logged in on a site that they used Google Login to log in the first place, your Dynalist cannot be accessed via access to your forum account.

Does that make sense?


#3

Thanks for the quick reply.

Yes, that makes sense. I understand the concept behind SSO authentication. Yes, given your example, where maybe an API is being used, one cannot access someone else’s Gmail just because the authentication to a different site is through Google services.

But allow me to stick with the Google example and consider this: only one logon attempt to one of their services (Keep, Calendar, Gmail, etc.) is enough for you to access any service; in other words, by just opening Gmail you’re allowed to open any other Google service. The same applies to the logout, where you just need to log off from one service and all of them are automatically logged off at the same time.

I just wish that the same behavior could be applied here. You can close this thread, it’s just some annoyance of mine, no big deal actually.

Thanks!


#4

I see.

Continuing with the Google example, Gmail and Calendar are on the same level, whereas Dynalist and Dynalist Forum are not. That’s why you need to log into the forum and aren’t automatically logged in like you are with Google Calendar. Hope that makes sense!
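The behaviour described in #2 and #4 (the forum is a relying party that borrows the main site's login, but keeps a session of its own) can be modelled in a few lines. The following is an added example, not Dynalist's or the forum software's code; the class names, the one-time code flow, the 60-second code lifetime and the user "alice" are all assumptions. It replays the scenario from the thread: a forum session is created only from a live main-site session, the forum's session cookie unlocks nothing on the main site, and logging out of either side leaves the other untouched.

```python
# Toy model of "Log In with Dynalist" as SSO: one identity provider (the main
# site) and one relying party (the forum).  Constructed example; nothing here
# is Dynalist's real implementation.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 60  # assumed lifetime of a one-time login code


class IdentityProvider:
    """Holds the password and its own session store; the forum never sees either."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 hash)
        self._sessions = {}  # IdP session id -> username
        self._codes = {}     # one-time code -> (username, audience, expiry)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, username, password):
        salt, digest = self._users.get(username, (b"", b""))
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def issue_code(self, sid, audience):
        """Only a live IdP session can mint a code, and the code is bound to one audience."""
        user = self._sessions.get(sid)
        if user is None:
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user, audience, time.time() + CODE_TTL_SECONDS)
        return code

    def redeem_code(self, code, audience):
        """Single use, short lived, audience checked; returns the username or None."""
        entry = self._codes.pop(code, None)  # pop: a replayed code is rejected
        if entry is None:
            return None
        user, aud, expiry = entry
        return user if aud == audience and time.time() <= expiry else None


class RelyingParty:
    """The forum: it exchanges a code for an identity and then runs its own session."""

    def __init__(self, name, idp):
        self.name, self._idp, self._sessions = name, idp, {}

    def login_with_idp(self, idp_sid):
        code = self._idp.issue_code(idp_sid, self.name)
        user = self._idp.redeem_code(code, self.name) if code else None
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)


def walkthrough():
    """Replays the thread's scenario and returns what each side observes."""
    idp = IdentityProvider()
    idp.register("alice", "correct horse battery staple")  # constructed credentials
    forum = RelyingParty("forum", idp)
    idp_sid = idp.login("alice", "correct horse battery staple")
    forum_sid = forum.login_with_idp(idp_sid)
    out = {"both_logged_in": idp.whoami(idp_sid) == "alice" and forum.whoami(forum_sid) == "alice",
           # The forum cookie is not an IdP cookie: presenting it to the main site yields nothing.
           "forum_session_opens_idp": idp.whoami(forum_sid) is not None}
    forum.logout(forum_sid)
    out["idp_survives_forum_logout"] = idp.whoami(idp_sid) == "alice"
    forum_sid2 = forum.login_with_idp(idp_sid)  # works again while the IdP session lives
    idp.logout(idp_sid)
    out["forum_survives_idp_logout"] = forum.whoami(forum_sid2) == "alice"
    out["relogin_without_idp_session"] = forum.login_with_idp(idp_sid)  # None: must log in again
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

The point of the model is the asymmetry #2 describes: trust flows one way, from the identity provider to the forum, so a leaked forum session is worth only the forum. The price of that design is what #1 observed and #4 confirms: because each side keeps its own session store, logout is local, and a "log out everywhere" button would need the identity provider to notify every relying party (back-channel logout), which this model does not implement.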