[Account sharing = BaD] A New case for "Two Factor Authentication"

Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#21 - 2013-12-16 17:08:29 UTC
Batelle wrote:

Communication operates on faster intervals than 30s for one. I'm not suggesting they would be cracked, rather that it won't stop people from sharing accounts that want to, because if information is provided to one party it can be transmitted to another. Whether it's someone texting the code to another or something more sophisticated that reads it and keeps it updated, it's at best an inconvenience that will deter some but not all.


I have done this myself for other MMOs that do use two factor authentication. All it takes is a phone call.

Batelle wrote:
It's already enough of a pain that I have to log in separately for each account. Logging in is something done often enough that even minor changes to the process should be implemented carefully. The mere fact that I would have to input an additional field every time is enough to make it a suboptimal solution, especially when made mandatory for everyone. Also, would I need 1 authenticator per account? To hell with that.


As someone who works with systems that use two factor authentication every day I can attest that this is a very legitimate complaint. In fact it is almost infuriating. However the systems I interact with have a real need for the level of security that they have so I tolerate it because I understand why it is necessary. EVE is not a banking or health records system, it is a game. Games do not generally need the level of security that banks and hospitals do.
Oddsodz
Federal Navy Academy
Gallente Federation
#22 - 2013-12-16 21:06:03 UTC
As some have pointed out, them that wish to share their accounts will work around the system. I have already seen a massive hole in my original plan (not going to tell you how lol). But it still works as a detriment to account sharing. Just not a great one.


I myself would still want 2 step auth just to help keep my account safe. Them that don't want it, fine. Don't have it enabled.

Some say it's not needed. I say they are wrong as there is no such thing as too much security. Remember, you have bank account info entered into your Eve accounts (albeit hidden/hashed). You should take your security seriously if you have bank info involved.
Batelle
Federal Navy Academy
#23 - 2013-12-16 21:10:27 UTC
Oddsodz wrote:

I myself would still want 2 step auth just to help keep my account safe. Them that don't want it, fine. Don't have it enabled.


When I see that thread on this subforum I'll give you a like.

**"CCP is changing policy, and has asked that we discontinue the bonus credit program after November 7th. So until then, enjoy a super-bonus of 1B Blink Credit for each 60-day GTC you buy!"**

Never forget.

Daenika
Chambers of Shaolin
#24 - 2013-12-16 22:36:19 UTC  |  Edited by: Daenika
Quote:
And YES. If you have 15 accounts, then that's 15 key codes. But it's not as bad as you think. If you were to test the app out (I know you can't as you have no smart device as you said) you would see that it is as simple as pick up phone and press one button on phone look at phone type numbers into login on PC. You are already doing this when you type your normal passwords in. So this is just one extra step. It really is that simple. But you would have to see it to understand it.


Problem is, 15 codes would take 7.5 minutes. In the case of a quick network blip or similar, that's a significant tactical disadvantage, especially since in the current system you could, at least theoretically, set up a macro key on a gaming keyboard to type your password and hit enter, and probably even tab to the next client for you too.

When WoW introduced this, I found an app that just sat in the background on my computer, and if I hit ctrl-shift-X, it would automatically type out the current authenticator code and hit enter for me, so I didn't have to whip out my phone. Something similar would be needed for this idea, which would basically make this just a glorified hardware ID authentication (like TERA).
Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#25 - 2013-12-16 23:15:58 UTC  |  Edited by: Antillie Sa'Kan
Oddsodz wrote:
I say they are wrong as there is no such thing as too much security. Remember, you have bank account info entered into your Eve accounts (albeit hidden/hashed). You should take your security seriously if you have bank info involved.

This is an oversimplification of what security does. If the cost of the security system exceeds the expected cost of the threat you are trying to mitigate then you have too much security. In a large organization the cost to daily productivity of having all employees spend 5-7 minutes at the start of the day logging in to the various security systems is not insignificant. However if all employees have access to a central payment processing system for a major bank then it is certainly worth it. However if the organization is a chain of restaurants then there is no real need for the waiters to have to pass through the same level of security when they enter orders into a computer for display back in the kitchen.

Applied to EVE this principle would suggest that two factor authentication would be useful to players who have access to a large amount of in game assets. Supercap alts, really space rich players, and directors in large corporations or alliance executor corps come to mind here. There is probably little need for every ratter or rank and file fleet member to have two factor authentication on their account. But the players that have full access to the assets of the corp or the ability to dissolve the alliance could reasonably be required by their corp to have two factor authentication on their account.

This of course assumes that account theft is enough of a problem to warrant implementing two factor authentication to begin with. Since I do not have access to this information I cannot make a judgment on this.

With regards to your bank info being stored on CCP's servers. I am pretty sure that CCP's website does not display your CC# and I am also pretty sure they store the information in an encrypted format as is required by the PCI data at rest encryption requirement, and as such it is pretty safe. As an example of modern encryption (AES), if you can tell me what this really says you will win a cookie:

ZwLMrCWJr1KXT8S2vkva8tTw1KVTgwSynQVDyuvH
Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#26 - 2013-12-16 23:42:56 UTC  |  Edited by: Antillie Sa'Kan
Daenika wrote:
Problem is, 15 codes would take 7.5 minutes. In the case of a quick network blip or similar, that's a significant tactical disadvantage, especially since in the current system you could, at least theoretically, set up a macro key on a gaming keyboard to type your password and hit enter, and probably even tab to the next client for you too.

When WoW introduced this, I found an app that just sat in the background on my computer, and if I hit ctrl-shift-X, it would automatically type out the current authenticator code and hit enter for me, so I didn't have to whip out my phone. Something similar would be needed for this idea, which would basically make this just a glorified hardware ID authentication (like TERA).

Not really. Unless the current password is about to expire (not all tokens have a timer to tell you this though) you can generally just type in whatever is displayed and move on. It doesn't add that much time to each logon but it certainly gets annoying fast.

Running the authenticator on your Windows PC that is also running the game client is a bit dumb as it undermines a good portion of the security that the system provides. But it is only a game, so, meh.
NaK'Lin
Seamen Force
#27 - 2013-12-17 07:23:41 UTC
-1

More loops to hop through to log in to your account, wait for authentications, blabla.

Let's face it, you have a login, and a password. It is the CUSTOMER's responsibility to keep those safe. It is also the customer's responsibility to have their PC clean from trojans and keyloggers.
Don't use the same password on other sites / games, don't share it with anyone, and don't surf or download dubious sources on your gaming PC, do that from a second PC and you'll be fine.

CCP has no responsibility whatsoever, to be fair. They CAN (but don't have to) push security further for all the mouthbreathers that seem to misplace their account data or save it on the "cloud" or whatnot.

The only thing I dislike currently is that on purchases of the character bazaar you need to provide the buyer with your login name. That's half the rent there. And we know how derpy some people are with passwords; a little social engineering and you're good to go.

I'd like to see character transfers based on your character ID (it's a unique number) or maybe an API string you can generate for that. It would really help.

But the OP proposed things? nope.

-1
Oddsodz
Federal Navy Academy
Gallente Federation
#28 - 2013-12-17 07:34:19 UTC  |  Edited by: Oddsodz
Sometimes it's best to just let things go.

It is clear to me that some folks here just don't want to see change. Remember, just because YOU don't feel you need it does not mean that you should not have it. And to belittle all the players that play the game who are not a mega corp CEO or a coalition head and say "You has no ISK you dont need 2 step Auth" is just downright silly. Shame on you for thinking in such a way.

Anyway. I have made my case for it. I wish for 2 step auth to happen in the near future. The tools are already in place. Just a case of DEV time to work out how and what with who....

I shall not be checking back on this thread.

Thanks for reading.


Oddsodz