These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE General Discussion

 
  • Topic is locked indefinitely.
12Next page
 

Security tokens/virtual security tokens as promised years ago.
Author
Previous Topic Next Topic
IDGAD
The Scope
Gallente Federation
#1 - 2014-05-25 23:37:09 UTC
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.
Yang Aurilen
State War Academy
Caldari State
#2 - 2014-05-25 23:43:22 UTC
Because I don't want my google overlords to tell everyone that I play eve.

Post with your NPC alt main and not your main main alt!
Edmond Lewis
Of Tears and ISK
#3 - 2014-05-26 00:42:36 UTC
IDGAD wrote:
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.


this has been asked many many times

might as well ask the wind
cause with all the other side things CCP is and has done, who knows why they haven't done it
45thtiger 0109
Pan-Intergalatic Business Community
#4 - 2014-05-26 01:08:29 UTC
Edmond Lewis wrote:
IDGAD wrote:
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.


this has been asked many many times

might as well ask the wind
cause with all the other side things CCP is and has done, who knows why they haven't done it



Its was a side project that CCP back then was going to do but as we all know did not happen.

Like other projects which were going to take off and also did not happen.

I wonder if CCP this time are going to keep their promise and continue on the path what CCP said in Fanfest 2014.

Well we all have to wait and see what happen next.

**You Have to take the good with the bad and the bad with the good.

Welcome to EvE OnLiNe**
Adunh Slavy
#5 - 2014-05-26 01:18:25 UTC
It's not inexpensive to implment. Just on a guess, knowing what the corp I work pays for them, and they use thousands so assume some sort of bulk discount, it's $87 each. That includes the fob and the license for the duration of the fob.

How many would ccp sell? 3, 4 plex each, or a charge of ~$100 ... would CCP break even on such a thing?

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.  - William Pitt
Destoya
Habitual Euthanasia
Pandemic Legion
#6 - 2014-05-26 01:23:44 UTC
Adunh Slavy wrote:
It's not inexpensive to implment. Just on a guess, knowing what the corp I work pays for them, and they use thousands so assume some sort of bulk discount, it's $87 each. That includes the fob and the license for the duration of the fob.

How many would ccp sell? 3, 4 plex each, or a charge of ~$100 ... would CCP break even on such a thing?


The obvious answer is to just do it like Blizzard with a mobile app that generates keys, physical phobs are a relic of the past.
TigerXtrm
KarmaFleet
Goonswarm Federation
#7 - 2014-05-26 01:30:04 UTC
Because it's an overly geeky idea that absolutely no-one is going to use except a few paranoid people.

Seriously, how many games, apps or websites do you know that use a physical token to let you log in?

There are some security features that could be offered, like the ability to set a country or range of IP adresses as being valid login locations. CCP mentioned that they'd like to do this, but the architecture isn't ready for it yet. But providing the option for a security token is just a complete waste of money and time for everyone in involved. And for the love of god don't even try to make it mandatory. This game would die faster than you could say 'security token'.

Keep your passwords up to date and change it weekly if you're really that paranoid about someone hacking into your virtual spaceships.

My YouTube Channel - EVE Tutorials & other game related things!

My Website - Blogs, Livestreams & Forums
Tarsas Phage
Sniggerdly
#8 - 2014-05-26 01:32:54 UTC
IDGAD wrote:
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.


So 2-factor auth was discussed at Fan Fest this year during the Security round table... in fact it was pretty much the first topic of conversion brought up.

CCP would like to do it, and stated that much, however they went as far as saying that implementing 2-fa is not as much of a drop-in or "minimal effort" item as you might think. You might be able to do it on your turbo nerd neckbeardly PHP website in a few minutes, but with CCP's infrastructure it's a bit more involved.

But with Google Auth and maturing (and seemingly successful) services like Duo, at least the added expense of hardware tokens can be obviated.

As with anything, getting it dev time is a matter of enough people letting CCP know this directly - and I don't mean by throwing up "lol u drks dis iz so ez" know-it-all crapposts like yours.
Felicity Love
Doomheim
#9 - 2014-05-26 01:37:05 UTC
... (jedihandwave)... this isn't the security feature you were looking for...

"EVE is dying." -- The Four Forum Trolls of the Apocalypse.   ( Pick four, any four. They all smell.  )
Jessica Danikov
Network Danikov
#10 - 2014-05-26 08:16:43 UTC
Blizzard has a mobile authenticator app, does the job perfectly, good a place as any to find inspiration.
DrSmegma
Smegma United
#11 - 2014-05-26 08:31:39 UTC  |  Edited by: DrSmegma
Tarsas Phage wrote:

CCP would like to do it, and stated that much, however they went as far as saying that implementing 2-fa is not as much of a drop-in or "minimal effort" item as you might think. You might be able to do it on your turbo nerd neckbeardly PHP website in a few minutes, but with CCP's infrastructure it's a bit more involved.

And you actually believe this fact speaks in favour of CCP, don't you? By the way please explain to us why a web designer with knowledge of PHP is a neckbeard. I'm listening.

Eve too complicated? Try Astrum Regatta.
Adolph Weltschmerz
Deep Core Mining Inc.
Caldari State
#12 - 2014-05-26 08:41:30 UTC
Jessica Danikov wrote:
Blizzard has a mobile authenticator app, does the job perfectly, good a place as any to find inspiration.



This. Should be easy enough.
Prince Kobol
#13 - 2014-05-26 08:58:44 UTC
TigerXtrm wrote:
Because it's an overly geeky idea that absolutely no-one is going to use except a few paranoid people.

Seriously, how many games, apps or websites do you know that use a physical token to let you log in?

There are some security features that could be offered, like the ability to set a country or range of IP adresses as being valid login locations. CCP mentioned that they'd like to do this, but the architecture isn't ready for it yet. But providing the option for a security token is just a complete waste of money and time for everyone in involved. And for the love of god don't even try to make it mandatory. This game would die faster than you could say 'security token'.

Keep your passwords up to date and change it weekly if you're really that paranoid about someone hacking into your virtual spaceships.


It is not just about Account security, secure id tokens also helps in stopping RMT / Botters.

One of the biggest problems Eve has when fighting RMT / Bots is that you can create unlimited untraceable accounts.

When a Botter / RMT Merchant can create unlimited untraceable accounts then how do you stop them?
Rannasha Kore
Center for Advanced Studies
Gallente Federation
#14 - 2014-05-26 09:45:00 UTC
Prince Kobol wrote:
TigerXtrm wrote:
Because it's an overly geeky idea that absolutely no-one is going to use except a few paranoid people.

Seriously, how many games, apps or websites do you know that use a physical token to let you log in?

There are some security features that could be offered, like the ability to set a country or range of IP adresses as being valid login locations. CCP mentioned that they'd like to do this, but the architecture isn't ready for it yet. But providing the option for a security token is just a complete waste of money and time for everyone in involved. And for the love of god don't even try to make it mandatory. This game would die faster than you could say 'security token'.

Keep your passwords up to date and change it weekly if you're really that paranoid about someone hacking into your virtual spaceships.


It is not just about Account security, secure id tokens also helps in stopping RMT / Botters.

One of the biggest problems Eve has when fighting RMT / Bots is that you can create unlimited untraceable accounts.

When a Botter / RMT Merchant can create unlimited untraceable accounts then how do you stop them?


The standard implementation for 2-factor-authentication does nothing to prevent unlimited untraceable account creation.

Both Blizzards authenticator and the more generally used Google Authenticator (which is actually based on an open standard for which several different apps exist, you're not tied to Google to use this, despite it commonly being referred to by its Google-name) use the same principle:

With a secret initialization key shared only between the service and the user as well as the current time, a number is computed using mathematical functions that can't be reversed efficiently. Both user and service compute the number for the current time and if they match, authentication proceeds. This way, the user never has to transmit the secret key and the time component ensures that even if one of the numbers is intercepted, it is only valid for a very brief window of time (typically 30 seconds).

There are some additional details to this scheme, but the above is the basic idea. It is very simple to use and to implement (of course, the latter depends on how adjustable your auth-system is) and frankly it's silly that CCP hasn't added basic 2FA using the Google Authenticator system (which, as I mentioned before is not Google-exclusive despite the name that is most commonly used) yet.
Chribba
Otherworld Enterprises
Otherworld Empire
#15 - 2014-05-26 10:05:57 UTC
*generic* also add optional account lock-down by IP-address feature

/c

★★★ Secure 3rd party service ★★★

Visit my in-game channel 'Holy Veldspar'

Twitter @ChribbaVeldspar
Andski
Science and Trade Institute
Caldari State
#16 - 2014-05-26 10:22:16 UTC
Destoya wrote:
Adunh Slavy wrote:
It's not inexpensive to implment. Just on a guess, knowing what the corp I work pays for them, and they use thousands so assume some sort of bulk discount, it's $87 each. That includes the fob and the license for the duration of the fob.

How many would ccp sell? 3, 4 plex each, or a charge of ~$100 ... would CCP break even on such a thing?


The obvious answer is to just do it like Blizzard with a mobile app that generates keys, physical phobs are a relic of the past.


Blizzard sells and ships their fobs for $6.50. CCP could probably do it for $10 or a PLEX. Those $87 fobs are great if you need multi-factor authentication for a defense contractor's VPN, but overkill for an MMO.

Twitter: @EVEAndski

"It's easy to speak for the silent majority. They rarely object to what you put into their mouths."    - Abrazzar
Hevymetal
POT Corp
#17 - 2014-05-26 11:00:58 UTC
IDGAD wrote:
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.


Noone told you? Your security tokens were deliverd and placed outside your Captian's Quarters last week. Now you just gotta open that darn door to get at them.
Brooks Puuntai
Solar Nexus.
#18 - 2014-05-26 11:10:46 UTC
Yang Aurilen wrote:
Because I don't want my google overlords to tell everyone that I play eve.
'

Google ads can get abit annoying with Eve. So I don't blame you.

Also word of advice to the OP, NEVER believe anything CCP says at fanfest. It is almost always hot air used to build hype for those who go there and/or watch streams. Almost nothing CCP "promises" comes to fruition or is released as they stated.


CCP's Motto: If it isn't broken, break it. If it is broken, ignore it. Improving NPE / Dynamic New Eden
Tarsas Phage
Sniggerdly
#19 - 2014-05-26 11:19:44 UTC
DrSmegma wrote:
Tarsas Phage wrote:

CCP would like to do it, and stated that much, however they went as far as saying that implementing 2-fa is not as much of a drop-in or "minimal effort" item as you might think. You might be able to do it on your turbo nerd neckbeardly PHP website in a few minutes, but with CCP's infrastructure it's a bit more involved.

And you actually believe this fact speaks in favour of CCP, don't you? By the way please explain to us why a web designer with knowledge of PHP is a neckbeard. I'm listening.


It's because so often the mega-nerd "this is UNIX I know this!" guys speak up here in acerbic tones and with a wave of their hand postulate something along the lines of "CCP is [ad hominem] because they don't do X when it is SO SIMPLE!" As if a semester of Java programming in university gives them insight into all the things, when they're not taking into consideration a lot more items than just the tech itself. It's annoying and unbecoming.

CCP didn't roll out 2fa before because they weren't satisfied, as a company, with the support requirements and cost behind hardware tokens when they tested this years ago. Now, we have near-ubiquitous smartphones, some with biometrics integrated and third parties providing mature and scalable solutions in this realm, and you're no longer beholden to companies like RSA/EMC as the only go-to for a decent 2fa solution. As they said at Fan Fest (I was there, in the room) it's now something they think they can reasonably pursue again.
Caviar Liberta
The Scope
Gallente Federation
#20 - 2014-05-26 11:41:13 UTC
Tarsas Phage wrote:
IDGAD wrote:
A few fanfests ago we were given security tokens (of which the batteries are probably dead by now lol) with the idea that soon EVE would have optional security token authentication. Sadly this was never implemented even though EACH YEAR there seems to be a panel focused on security. If you don't want to go the costly route of having physical security tokens made, why does CCP not make a secure token app for Android and iCancer? If they even hate that idea, Google has a virtual authentication token software I'm pretty sure you can contract, which may be even cheaper than making your own software. This is minimum effort for the amount of security this would add, so why has it not been done?

TL;DR : That's not that much to read, go back to school.


So 2-factor auth was discussed at Fan Fest this year during the Security round table... in fact it was pretty much the first topic of conversion brought up.


I use this on my google account. So if I log from a new machine/ip it will send the authenticator to an alternate e-mail or my phone.
12Next page