EVE General Discussion

There is one more part you are all missing.

There isn't a single valid code, rather there is a short list of valid codes.

Example: Authenticator displays a new code every 30 seconds, so validating computer makes a new list of codes in the sequence, say 20 of them, and that will cover a time mismatch of up to 10 minutes. As soon as you use a valid code from the list, the validating computer knows where in the sequence the authenticator is, which synchronizes both ends.

When you first start using the authenticator, you enter a code printed on the back which is used to create the numeric sequence (it isn't one number, but rather a bunch of constants that control a complex math function), as well as the current code on the authenticator. This synchronizes the authenticator and validating computer.

If they get too far out of sync, you have to contact customer support and re-initialize the process. This typically takes many months of not being used; they often use a cheap 20 ppm crystal of 32.768 kHz as a timebase. Changes in temperature, and the age of the crystal also affect the timebase accuracy. If my math is right, 20 ppm yields +- 51.84 seconds per month of possible error. Hence the need for a process of synchronization; a 20 code list is good for about 10 months.

Use the authenticator to login enough, and the validating computer can learn how fast or slow the authenticator clock is, and adapt the valid list length or expiry time.

Optional layer of protection. I like it and there's no reason to oppose it.

Ok this is a nice discussion but it got out from its initial discussion and that is sometimes good and sometimes not as good :)

I am still saying that an iOS or Android application that uses the same authentication mechanism as Google Authenticator or Battlenet.nets Authenticator methods is a very secure way of having Eve account privacy.

And to ensure that you are you.... you first had to login and select the new authentication method the server gives you a sequence to type into your mobile handset device and that in return gives you a "private" access code / string that shall be entered in return. What you have done now is to setup a private key that is assigned to your account.

The validation process is something else it still uses information regarding your handset (at least I would) and your private key and some other information to have as a base for the alghorithm the code being presented on the authentication application in your handset will give you a numbered sequence that is valid for lets say 2-3 minutes. That sequence is valid on the server side because the server has the same "base" information and can use "the same" algorithm on its side to translate that into a security code that will match the initial setup.

This setup its really really tough to break and works in the same way as a hardware one-time-password device does.
Like for your internet bank authentication or other. The setup isnt that hard and I wouldnt worry going online in any internet cafe around the globe cause after I have logged the old password has been useless for hours.

At least I would feel secure if it was implemented.

/chriz

i used one with WoW for ages. i didn't believe i would get hacked. but it happened. and for no reason i can recall. i never entered my password anywhere but the game and battle.net. no suspicious emails. only thing i can think of is picking up a random keylogger...somewhere. no clue.

anyhow...it happened. i caught it pretty early. tried to log in and could not. i called blizzard and spoke to a very nice guy for a while. he told me someone in korea had gotten in somehow and changed my password. probably to spam RMT for gold. he told me about authenticators and how i could d/l it free as an app for my phone and i was like "awesome!"

so i did that. and never had a problem after. i would totally support CCP authenticators. a mobile chat program would be fun too

They might be balking from the cost model studies (long term/short term) and system effectiveness . The whole layered authentication infrastructure costs money in licenses, hardware, staff and integration efforts.
As an MMO, there's no real pressing need for heavy IT sec protocols similar to large multi-national companies. Hence the feet dragging.

The hardware token itself, although some (on a personal level) may think it's cheap, isn't as cost effective as an issued software token. Then you need to consider how many real players will be buying these tokens, despite the favorable view, the pool probably won't exceed 100K at the most optimistic level. If I was betting, maybe within the 10-20K range.

Don't really know if other MMOs is making any profit, loss or is just breaking even on secondary authentication. Doubt they can profit considering the long live tokens vs capital and ongoing support costs that they will incur. Break even? Depends on how much discount they get for the tokens from the manufacturer and how much profit they tack on it when they resell it.

Change phone ...

/chriz

Time and authenticator serial number are the simplest.

We all have the correct time within 30 seconds, and you register your number with CCP.

If your authenticator gets run through the laundry and dead, you can cough up the serial number to get authentication turned off.

I suppose I should prepare myself for the inevitable trolling I'll receive for posting this, but I've been programming computers for over twenty years. I literally started around the age of eight; I was sent a cease and desist letter by Hasbro as an eleven year old for making a Monopoly game and distributing it on BBS'. Point being, I know computers well, and I know the common ways that key loggers and viruses are spread, and I don't use simple passwords by any means. Last year, for the first time, I had my PayPal account hacked because of a key logger. They drained quite a lot of money out of my account (despite it not actually having anything in it) because it was linked to my bank accounts.

In my opinion, if it can happen to me, it can happen to anyone.

you can read minds?