
Player Features and Ideas Discussion


Yubikeys for 2FA please

Author
Queloor Zefram
Hogyoku
Goonswarm Federation
#1 - 2017-06-05 11:31:44 UTC

Hello,

I'd like to use 2FA, but not on a mobile phone.

Could CCP please implement a Yubikey for 2FA of the EVE login?

Best regards

Donnachadh
United Allegiance of Undesirables
#2 - 2017-06-05 12:39:28 UTC
I do not really care one way or the other, just curious.

Why do we need 2FA for a game?

Why Yubikey and not one of the other systems on the market?

What if I do not want to use a Yubikey?
Do Little
Bluenose Trading
#3 - 2017-06-05 17:14:17 UTC
2-factor authentication does not require a mobile phone (unless you choose to use Google Authenticator). If you log in from a new computer, CCP will send an authentication code to the email address associated with the account. You can tell the game to trust the computer - so it's a one-time thing and makes it a lot more difficult for people to hack your account.

If your account is hacked and you aren't using 2FA, don't expect much sympathy.
Old Pervert
Perkone
Caldari State
#4 - 2017-06-05 17:57:55 UTC
Why would you not want to use it on a smartphone, tablet, or other existing device?

I completely agree with 2FA, it was the first thing I turned on when I subbed my alt accounts. I also think that a valid 2FA code should be valid for only a single login attempt.

In this regard, if you end up getting keylogged, they cannot punch the same 2FA in after you've used it (before it expires).

If they wanted to go seriously overboard, it wouldn't be too terribly difficult to build an encryption mechanism similar to PKI where both the server and the client know what the 2FA code SHOULD be, and do their handshake based on a hashed value from the expected 2FA code.

Client sends a greeting to Server when the user types their stuff in
Server sends an encrypted hash
Client decrypts the hash with expected 2FA code, if hash doesn't compute, it drops the connection and warns user
Client sends user/password using regular TLS
Server authorizes credentials
Client gets ready to party and blow up space hookers.

Doing this would make it impossible for a malicious MITM person to spoof the connection, as they would not be able to complete a handshake with the client prior to relaying credentials to the CCP server. Of course "trusting this computer" would invalidate such a technique. But for the ultra-paranoid, it would certainly be an option.

Because email recovery exists, it is easy enough to get around if you lose or damage your mobile device.
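The handshake sketched in post #4 (server proves it knows the expected 2FA code before the client sends credentials) and the single-use rule from the same post, as an added Python example that is not from the thread or from CCP's login code. It assumes a TOTP token as the 2FA source and uses an HMAC over a nonce, keyed by the expected code, as a stand-in for the post's "encrypted hash"; the shared seed and timestamps are constructed values.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Set, Tuple

# Constructed demo seed shared by token and server (provisioned at enrolment in practice).
SHARED_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP = 30  # TOTP time step in seconds


def totp(secret: bytes, t: float, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def server_challenge(secret: bytes, t: float) -> Tuple[bytes, bytes]:
    """Step 2 of the post's handshake: server sends a fresh nonce plus a MAC of it
    keyed by the code it expects, proving it knows the shared secret."""
    nonce = secrets.token_bytes(16)
    tag = hmac.new(totp(secret, t).encode(), nonce, hashlib.sha256).digest()
    return nonce, tag


def client_verify(expected_code: str, nonce: bytes, tag: bytes) -> bool:
    """Step 3: client recomputes the MAC with the code its own token shows.
    A relay that does not hold the seed cannot produce a matching tag."""
    mine = hmac.new(expected_code.encode(), nonce, hashlib.sha256).digest()
    return hmac.compare_digest(mine, tag)


class SingleUseVerifier:
    """Server-side check that a code is accepted at most once per time step."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used: Set[Tuple[int, str]] = set()  # (time counter, code) already consumed

    def accept(self, code: str, t: float) -> bool:
        if not hmac.compare_digest(code, totp(self.secret, t)):
            return False
        key = (int(t) // STEP, code)
        if key in self.used:
            return False  # same code replayed inside its window: reject
        self.used.add(key)
        return True
```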