Player Features and Ideas Discussion

Hello all.

So I have been playing about with a new install of a Joomla on my web server. I Do this from time to time just to play with web server stuff and so on.

Anyway. In the new version of Joomla, they have added "Two Factor Authentication" or as it might be known here as "2 Step Authentication". This is a nice and fairly easy thing to setup on Joomla. All it really needed was one new app installed on my old Android phone and bingo Jingo I now have "Two Factor Authentication" on my site. Here is a video for them that wish to see how it works and is setup.

http://www.youtube.com/watch?v=NbG6eehASW8

Anyway. I Not sure if it could be done. But I would like to think that a DEV team could in theory make a new Android/iPhone/WindowsPhone app that does the same thing as to current "Google Authenticator" app as seen here

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

From what I can tell. You Don't need a google account to use the app for my website or phone. Yet it works as intended. This is great.

This would mean that we could/would have "Two Factor Authentication" or as it might be known here as "2 Step Authentication" for our Eve accounts.

The 2nd case for using "Two Factor Authentication" is that it would make it more of a hassle for "account shearing" too happen. As too share your account with somebody else would mean that you would have to be in direct contact with them at that time when you wish to use the account that is to be shared. As you would need to tell the the person logging into your Eve Account the 6 digit key code to log in. And that code changes every 30 seconds. This would mean that would be greatly reduced (but alas not fully eliminated). It would remove shared accounts from different time zones for sure.

The only bad thing I can say about this is that it would mean for it be fully effective would mean it would have to be mandatory for all Eve accounts to have "Two Factor Authentication". And that would bring some hassles with it at first. Like what to do about players that don't have or want smart phones and or tablets. I Would say the best way would be to have it off by default and then give players the choice to switch it on. Maybe then there could a a incentive program from CCP to give a choice to players to switch it on and receive a reward of some kind. But the kicker is. Once you turn it on. It is on forever. It can never be turn off for that account or any account that the player has attached to his e-mail address on his accounts. It's a "One in ALL in" type deal.

2nd bad thing is some players just might not like the extra time of looking at they phone every time they want to log in to there game. Rage Logging on of supers will be funny for some lol

Anyway. the more tech savy among you will understand what is on offer here.

Thanks for reading.

I should have said that there is inbuilt safe guards for that. In the setup you would get a set of "One Time only passwords" that you would print off and keep safe just for such a thing. This is what is used by this joomla system and it is what google is doing also. And yes you are right about the players that want to account share will just keep it off. But in time CCP could and should force all accounts to 2-step auth in the long run.

I already don't share my account with anyone. My account is completely secure. Why should I be forced jump through an annoying new hoop before being allowed to log in when I'm already achieving the desired result?

As a second point, I don't have a smartphone and I have no need for one. How do you propose I log into EVE if CCP should make it mandatory for everyone to use this authentication? Do you suggest that I should just be forced to quit EVE at that point?

A third and very significant point would be the matter of multiboxed accounts. If I have a fleet of 15 accounts that I log in, you're telling me that I need to get 15 different codes and enter them in?

A two step authentication is never a bad idea but I would suggest that they make it with a sms password or number that is sent to your phone for maximum compability.

I know that Microsoft does it and from my experience with it, it works great and takes only a few seconds for that sms to reach you - with bad reception I might add - and even I was surprised, being from Microsoft and working in one sentence...

It does not save GMs' time, it just swaps one problem (lost access/hacked) to similar (lost access/2-step related problems) and i'm not sure which is more severe.

Not Everyone has a phone? But they have a PC that can play Eve? What Madness is this? (I Am joking here)

But to address the lost phone/Smart Device thing. I Did post above about that.

I Did say there is a safe guard for that. It is the "One Time Use Password" set that you print off when you first enable the system. After you use one, it is destroyed and can not be used again. So should you have lose your smart device or left it at work one night. You can still log in just fine. And I am sure that a new "One Time Use Password" could be made and printed off to replace the one you used when you need too.

Final Fantasy XIV has, in their online store, a keychain of sorts that you can buy. It's battery-operated and its only purpose is to receive a 12-digit PIN for letting you log in via Two-Factor Authentication. If CCP were to ever implement Two-Factor Authentication as an option, that would be the best way.

That being said, even in a game like FFXIV where account theft is an incredibly high risk, they leave the option open to the players rather than forcing everyone to use it. You should never force something like that upon someone. If they want to use it, then good. If they don't want to use it, then they are entitled to make their own decisions.

As for my accounts, that's my responsibility to manage and so manage it I shall.

I fully support the implementation of Two-Factor Authentication. I absolutely under no circumstances support it being made mandatory for all accounts.

I also support the full implementation of Single Sign-On. If I log into my EVE account via the launcher it would be nice if I didn't also have to log in on the website. The reverse is also true.

No.

1) Will be circumvented by people that want to circumvent it.

2) Will be a PITA for the 98% of the rest of us.

3) CCP doesn't like account sharing but it doesn't particularly represent a threat to CCP's revenue or the game. The risks of account sharing a borne entirely by the players who do it. Part of the reason is that its hard to use account sharing to get a huge advantage over other players.

4) I'm all for making it an optional security feature. Many MMOs have it as an option.

Oh, yes. Clearly I should write down a few dozen codes and manage to not lose them so I can actually play the game I'm paying for when I don't have my phone around. What could be more fun than that?

Explain why it should be mandatory. Explain why it's worth losing subscriptions over.

communication operates on faster intervals than 30s for one. I'm not suggesting they would be cracked, rather that it won't stop people from sharing accounts that want to, because if information is provided to one party it can be transmitted to another. Weather its someone texting the code to another or something more sophisticated that reads it and keeps it updated, its at best an inconvenience that will deter some but not all.


Its already enough of a pain that I have to log in separately for each account. Logging in is something done often enough that even minor changes to the process should be implemented carefully. The mere fact that I would have to input an additional field every time is enough to make it a suboptimal solution, especially when made mandatory for everyone. Also, would I need 1 authenticator per account? to hell with that.



Except it doesn't scale very well. If my corp has a titan and a few trusted members share it, it doesn't make two titans obviously. While you could have some sort of shift system where two persons have opposite timezones, I doubt that this is how its done often in practice. Banning people who account share is a great way to deal with accusations of account hacks/thefts that stem from account sharing, furthermore, I think there are plenty of legal reasons for CCP to discourage people. But I also think there are a number of situations where account sharing is undetectable or otherwise ignored by CCP. I don't think they actively search out people for account sharing unless there is other suspicious activity going on with the account e.g. already under investigation for isk-buying. But I suppose thats just my opinion, having observed and known many long-time account sharers, none of whom were ever particularly secretive about it, or were ever to my knowledge warned/temp-banned. This includes but is not limited to handing over an account to an in-game friend to use or keep up training (say while away from Eve, on deployment, etc). But now I've said too much, inb4 ISD.