These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

Player Features and Ideas Discussion

 
  • Topic is locked indefinitely.
 

2-Step Authentication for EVE Online accounts
Author
Previous Topic Next Topic
Favonius85
Polaris Rising
Goonswarm Federation
#1 - 2012-09-20 16:53:13 UTC
Google, Dropbox, Battle.net, and lots of other online services offer the option to enable 2-Step authentication for their accounts, using an Android or iPhone device or a purchasable dongle to generate login codes. Was wondering what everyone thought about having the option available for our EVE accounts.
Goldensaver
Maraque Enterprises
Just let it happen
#2 - 2012-09-20 17:00:26 UTC  |  Edited by: Goldensaver
Ugh. I hate those things. If I could scrap them all, I would. Sorry, but it's an extra step that wastes time in my opinion.

Edit: of course, I forgot to put in that if it were optional, I guess I wouldn't mind. I mean, it can't hurt if it's just another choice to make.
Favonius85
Polaris Rising
Goonswarm Federation
#3 - 2012-09-20 17:04:04 UTC
I don't think it should be made mandatory by any means. Simply something optional that can be enabled to improve account security.
Luc Chastot
#4 - 2012-09-20 17:11:12 UTC
As annoying as 2-step verification can get sometimes, I always use it. Considering CCP is planning to move the login to the launcher, I would think this wouldn't be too hard to implement.

Make it idiot-proof and someone will make a better idiot.

NiGhTTraX
Deep Core Mining Inc.
Caldari State
#5 - 2012-09-20 17:13:42 UTC
They already said they will implement this. Search forum, search CSM minutes, search...

If you're gonna post here thinking your idea is the greatest thing since bacon and that it will save EVE and possibly all humankind with it, you're gonna have a bad time.
Favonius85
Polaris Rising
Goonswarm Federation
#6 - 2012-09-20 17:37:26 UTC
NiGhTTraX wrote:
They already said they will implement this. Search forum, search CSM minutes, search...



"Authenticators are coming, email verification needs to be sorted but it’s something they’re working
on and hopefully getting done soon. Anti-hacking is mostly talking about injection stuff, which
they’re working on and dealing with. "

Oops, found on page 149 of this summer's CSM minutes.

Anyway, yes please CCP Blink
Hans Momaki
State War Academy
Caldari State
#7 - 2012-09-20 20:14:21 UTC
YES, YES, YES! ASAP please. Optional ofcourse.
Vi'ach
#8 - 2012-09-20 21:59:42 UTC  |  Edited by: Vi'ach
No thanks, if people can't secure their own accounts and insist on using their Faceache username/password for all their net logins then they deserve to have their accounts hacked. Granted, there is a duty for the developers to "protect" their side of the authentication, but devs should not have to deal with users inability to protect themselves.

http://nix.so/6g
Luc Chastot
#9 - 2012-09-21 07:38:15 UTC
Vi'ach wrote:
No thanks, if people can't secure their own accounts and insist on using their Faceache username/password for all their net logins then they deserve to have their accounts hacked. Granted, there is a duty for the developers to "protect" their side of the authentication, but devs should not have to deal with users inability to protect themselves.

http://nix.so/6g


Online Attack Scenario:
(Assuming one thousand guesses per second) 3.36 million trillion trillion centuries

I would still use 2-step verification.

Make it idiot-proof and someone will make a better idiot.

Vi'ach
#10 - 2012-09-21 10:03:33 UTC  |  Edited by: Vi'ach
Luc Chastot wrote:

Online Attack Scenario:
(Assuming one thousand guesses per second) 3.36 million trillion trillion centuries

I would still use 2-step verification.


You are talking about a brute force attack, which I would assume the devs have ways to stop automated attacks like that, it makes no difference if users use the same login details for lots of services which are then compromised. The attacker does not need to brute force the authentication, as he/she has the details from the 3rd party site.

Again, users should protect themselves and not expect the world to hold their hand!

EDIT: A 2-step process can't be optional either as it will leave holes in the authentication making it redundant, plus a waste of dev time.
S'totan
Republic Military School
Minmatar Republic
#11 - 2012-09-21 21:47:45 UTC
I have a better idea!!!!!

..... stop sharing your account information with people...
D'Argo Sun'Crichton
BlazingAngels
#12 - 2012-12-15 22:38:31 UTC
Vi'ach wrote:
Luc Chastot wrote:

Online Attack Scenario:
(Assuming one thousand guesses per second) 3.36 million trillion trillion centuries

I would still use 2-step verification.


You are talking about a brute force attack, which I would assume the devs have ways to stop automated attacks like that, it makes no difference if users use the same login details for lots of services which are then compromised. The attacker does not need to brute force the authentication, as he/she has the details from the 3rd party site.

Again, users should protect themselves and not expect the world to hold their hand!

EDIT: A 2-step process can't be optional either as it will leave holes in the authentication making it redundant, plus a waste of dev time.



A 2-step process can't be optional?? Then explain how Battle.net is able to do it and they dont seem to have any issues running both single signon and 2 part process signons at the same time. Yes, it would mean that those who didnt use the 2step method would be more vulerable than those who did use it, however to say it cannot be made optional because of holes and redundancy is purely incorrect. You simply do a account check during login "Isauthenticationenabled=Yes Queryforauthentication"
"Isauthenticationenabled=no Proceedlogin"
Sir Substance
Sebiestor Tribe
Minmatar Republic
#13 - 2012-12-16 06:53:04 UTC
CCP gave out physical tokens at fanfest 2011, as a beta run, and then never implemented the code for it.

I am sad.

The beatings will continue until posting improves. -Magnus Cortex

Official Eve Online changelist: Togglable PvP. - Jordanna Bauer
Konrad Kane
#14 - 2012-12-16 12:45:38 UTC
Sir Substance wrote:
CCP gave out physical tokens at fanfest 2011, as a beta run, and then never implemented the code for it.

I am sad.


SecureID now do softtokens, which remove the requirement for a physical device. Just as secure and have the added bonus of being able to cut and paste the random password.
Mallak Azaria
Caldari Provisions
Caldari State
#15 - 2012-12-17 01:31:11 UTC
EVE supports a 64-character password. Make full use of it.

This post was lovingly crafted by a member of the Goonwaffe Posting Cabal, proud member of the popular gay hookup site somethingawful.com, Spelling Bee, Grammar Gestapo & #1 Official Gevlon Goblin Fanclub member.
Rams Trough'put
White Knight's Production inc.
#16 - 2012-12-17 07:10:26 UTC
I haven't seen some spam messages I seen when I was on xbox live, those message that offer level ups and and achievement unlocking for a slight fee but they need ur account info to the work, that all the 8-15 year olds(and older according the the forums) fall for all the time.....Sometimes it doesn't help how hard the password is.
Aptenodytes
Reckless Abandon
#17 - 2012-12-18 10:44:31 UTC
As long as it's optional, why not? My password is a random 15 digit non-alphanumeric string so it's pretty much unnecessary for me, the only way someone's getting into my account is if CCP leaves the password database on a USB key on a train or something. And if that happens I would hope I'd get my assets back anyway.

I always figured these gizmos were simply to make a little extra cash for the games company. If people want to pay CCP to manage their security for them, then why not! I pay someone to clean my kitchen, which I could quite easily do myself. So as long as it doesn't inconvenience me (as in, it's optional), keeps other people happy, and makes money for CCP, then it's win-win.
Alundil
Rolled Out
#18 - 2012-12-18 19:13:18 UTC
http://securityledger.com/new-25-gpu-monster-devours-passwords-in-seconds/

Relying on passwords alone - even complex ones - isn't a good place to be. 2-factor authentication is a good first step. I support that move when it arrives.

I'm right behind you
androch
LitlCorp
#19 - 2012-12-18 20:21:37 UTC
i do not support this, authentication has never been needed in this game at all, the current system works fine, to even get at your account they have to know your account name and one of your characters (which if you use the same name in your account youre a bloody idiot)
Konrad Kane
#20 - 2012-12-18 21:15:51 UTC
TBH digital certs. are probably a much more elegant solution.