FlexibleLogin [v0.17] for Sponge 7+ - Auth plugin - 2FA


The greeting messages don’t work; when I join the server, I am stuck and cannot do anything, and there are no messages that tell me how to log in or register. Since i know the commands, I can login or register with those commands, but this would not be good for other players because they’d join and have no idea how to get un-stuck. :weary:

Also players can be damaged while not logged-in. This should be fixed.


Sorry for that I thought I fixed that. Every time you introduced a new feature, you break something :unamused:
I’ll release an update now.

I forgot about that. I’ll fix that too.

EDIT: Update is uploaded


Ok great! :grin:
Thank you for this plugin.


Players can still be damaged when not logged in… also, recently, a player joined, and spawned underground somehow. I wonder if a glitch in the plugin caused the player to spawn underground.
But anyway at least players should be invincible when not logged in.


I never had this issue. FlexibleLogin doesn’t change the the position of a player. It just prevents movement in x and z direction. Do you have any other plugins which changes the position?


Nope, only other plugin just colors chat.
I don’t know why the player was underground; it could’ve been another reason; maybe the player dug himself into the ground and another player filled the hole. It probably won’t happen again so I wouldn’t worry about it


I think that’s a issue with Sponge itself. I’ve suffocated on login multiple times. It’s not very good about detecting “safe” locations


Shouldn’t that be up to the original ‘vanilla’ Minecraft software?


A new update is uploaded. This should fix both issues.


Hi, nice plugin. But does this plugin supports DoubleSaltedMD5:Salted2MD5 method to verify password? (like the one that authme does) Thank you!


FlexibleLogin currently only supports BCrypt and time based passwords (TOTP).

MD5 is pretty insecure nowadays.


i need status player online offline in db after /login or get out
and i need config use /register Because i need player register on webpage only
and delay time kick if player afk before /login
can you help me ?


Can’t you just check if the player is online?

Yes, I could implement that.


I know that it is mainly focussed for cracked servers. But I would like to give my admins a bit of extra protection on my premium server, that if in any case their account gets hacked the hacker can’t damage my server using that account. Could you add a permission and a configuration option that if it is true accepts the permissions and requires only the ones with the permission to register and requires them to login every time they join.

PS: and a function to have the players teleport on join to a certain location.



It’s not mainly focussed for cracked servers. The thought was really to add an second-auth system like Github has.
So I added TOTP (Time-based One-time Password), which is my opinion not a good user experience for normal users, because you’ll need to open the APP on your phone every time. FlexibleLogin also has in the last version a command only protection for important commands like /op or /pex.

If I understand it correctly, you mean a protection for users who only have this permission. Is that correct?

I’ll implement that.


I think that TOTP in combination with email is a better way to use TOTP.
It is not as secure as using an app or SMS.
But players would not have to install an external app that could be malicious,
server owners don’t have to pay for an Apple developer account just to host one app and server owners don’t have to pay for SMS costs.
TOTP with email is easier to use.
Especially because every owner of an premium account and almost every user of the internet already has an email address. And for server owners it’s easier to maintain.

Yes, exactly that, that only the group/user with that permission is forced to register and to login every time they join since.

I didn’t knew that it was possible to protect commands :D.
That’s a really cool feature and is certainly useful.
I’m going to use it in combination with PEX and CommandKits.
It’s main function is to allow normal players
to see when a staff-member is able to use
their special permissions
(using a slightly different prefix and a broadcast.)
It is a great improvement in security and fairness.

Thanks :smiley:


Google Authenticator from the official Apple or Google app store?

You don’t need to create an APP yourself. There are already some APPs out there. I created a small list:

Google Authenticator

Duo Mobile


Microsoft Authenticator

That’s a good point. I might implement that as well.

Okay, it’s added.


Well I didn’t knew that these TOTP authenticators exists.

But thank you. I really appreciate that you iplemented it.


I’ve just a question about this plugin. If I want to allow unpaid Minecraft account to join my server, everybody will must login to join the server. But, permissions are made on uuid. So is this still possible to let them join the server, even with this security login plugin ? Because, when I add a player to a group, I add it with his name, not with his uuid. Even if permission-ex link the username with the uuid.


On offline mode servers the uuid is generated based on the player name. So you’ll have the same permissions if you don’t change your name (including same case). I don’t know how PEX works exactly, but I’m assuming that it will access the uuid cache from the server. This means that the player have to be online at least once.