Account security / Two factor / Multifactor authentication

Pink Rabid
Caldari Provisions
Caldari State
#1 - 2014-11-15 10:04:39 UTC  |  Edited by: Pink Rabid
I appreciate this will have been discussed before, but I'd like to voice my desire for increased account security protection.

At the moment, I believe anyone can login to the game if they know (or have keylogged etc) the username and password. They can then instantly transfer all ISK and contract off items and basically drain the account dry. This is a constant nagging concern for me, particularly as I'm used to much higher security measures from other games on the market.

A few suggestions -

- When logging in to the game from a new IP address, require a code which is sent to my email address. Code no longer required once that particular IP address is authenticated. I should be able to clear the list of authenticated IP addresses from my account management page.

- Similar to above, but have a "trusted" computer so when a non-trusted computer accesses the account, it must be verified via a code before it can be added to a trusted-computer list.

- Google authenticator.

- Develop your own authenticator (phone app and/or keyring token).

It would be a big weight off our minds as far as losing valuable assets on our characters!
Jurico Elemenohpe
Flipsid3 Tactics
#2 - 2014-11-15 10:56:15 UTC
Pink Rabid wrote:
I appreciate this will have been discussed before, but I'd like to voice my desire for increased account security protection.

At the moment, I believe anyone can login to the game if they know (or have keylogged etc) the username and password. They can then instantly transfer all ISK and contract off items and basically drain the account dry. This is a constant nagging concern for me, particularly as I'm used to much higher security measures from other games on the market.

A few suggestions -

- When logging in to the game from a new IP address, require a code which is sent to my email address. Code no longer required once that particular IP address is authenticated. I should be able to clear the list of authenticated IP addresses from my account management page.

- Google authenticator.

- Develop your own authenticator (phone app and/or keyring token).

It would be a big weight off our minds as far as losing valuable assets on our characters!
Yeah, but you can petition it if it does get hacked. And they get permabanned, you get your stuff back and continue doing whatever you were doing.
Ix Method
Doomheim
#3 - 2014-11-15 11:12:45 UTC
Jurico Elemenohpe wrote:
Yeah, but you can petition it if it does get hacked. And they get permabanned, you get your stuff back and continue doing whatever you were doing.

That's all very lovely but if they're going to allow you to use your account to access third party sites a bored GM listening to dreary sob stories isn't really going to cut it.

+1

Travelling at the speed of love.

Keras Authion
Science and Trade Institute
Caldari State
#4 - 2014-11-15 16:03:03 UTC
Better security is a good goal and I fully support that. However, getting the verification is going to drive anyone with a dynamic IP insane.

This post was rated "C" for capsuleer.

Jean Luc Lemmont
Carebears on Fire
#5 - 2014-11-15 16:55:11 UTC
Keras Authion wrote:
Better security is a good goal and I fully support that. However, getting the verification is going to drive anyone with a dynamic IP insane.


Just make it opt-in. It's not that hard.

Will I get banned for boxing!?!?!

This thread has degenerated to the point it's become like two bald men fighting over a comb. -- Doc Fury

It's bonuses, not boni, you cretins.

Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#6 - 2014-11-15 16:59:43 UTC  |  Edited by: Antillie Sa'Kan
Pink Rabid wrote:
- When logging in to the game from a new IP address, require a code which is sent to my email address. Code no longer required once that particular IP address is authenticated. I should be able to clear the list of authenticated IP addresses from my account management page.

- Google authenticator.

- Develop your own authenticator (phone app and/or keyring token).

It would be a big weight off our minds as far as losing valuable assets on our characters!

1. Dynamic IPs are a thing. Especially in Europe. This will annoy people far too much.

2. Not a bad idea, but I don't like the idea of tying everything in my life to Google, despite how cool they might be most of the time.

3. I would prefer something from an established vendor such as RSA.

However, +1 for the overall idea of two factor authentication as an option for those that want it. I think some of us would even be willing to pay a small one-time fee to enable it. Like $10 or so.
Kaerakh
Obscure Joke Implied
#7 - 2014-11-15 17:04:34 UTC
Don't see the point. As far as I'm aware, account hacks are exceedingly uncommon in EVE (which is odd considering there's more to steal than a wow clone).

Besides if your password is bone, 12345, or (insert name and birthyear here) you really deserve to get hacked.
elitatwo
Zansha Expansion
#8 - 2014-11-15 19:18:47 UTC
Pink Rabid wrote:
.....-very good idea-....

- Google authenticator.!


I will drop this in here:

https://www.yubico.com/

Eve Minions is recruiting.

This is the law of ship progression!

Aura sound-clips: Aura forever

Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#9 - 2014-11-15 22:54:06 UTC  |  Edited by: Antillie Sa'Kan
Kaerakh wrote:
Don't see the point. As far as I'm aware, account hacks are exceedingly uncommon in EVE (which is odd considering there's more to steal than a wow clone).

Besides if your password is bone, 12345, or (insert name and birthyear here) you really deserve to get hacked.

This is probably due to WoW being much more popular than EVE. Larger target, more demand for the stolen goods and all that.

As much as I personally dislike people who use terrible passwords, helping everyone secure their accounts is good for the game as a whole and everyone who plays.

Also many people use the same password in many different places. So if the usernames and passwords for some random large retail website are stolen there is a reasonable chance that some of those login credentials will also work for EVE accounts. (And accounts at other places.)

A simple software or hardware token easily addresses this issue.
Kaerakh
Obscure Joke Implied
#10 - 2014-11-15 23:09:39 UTC
Antillie Sa'Kan wrote:
Kaerakh wrote:
Don't see the point. As far as I'm aware, account hacks are exceedingly uncommon in EVE (which is odd considering there's more to steal than a wow clone).

Besides if your password is bone, 12345, or (insert name and birthyear here) you really deserve to get hacked.

This is probably due to WoW being much more popular than EVE. Larger target, more demand for the stolen goods and all that.

As much as I personally dislike people who use terrible passwords, helping everyone secure their accounts is good for the game as a whole and everyone who plays.

Also many people use the same password in many different places. So if the usernames and passwords for some random large retail website are stolen there is a reasonable chance that some of those login credentials will also work for EVE accounts. (And accounts at other places.)

A simple software or hardware token easily addresses this issue.



I said wow clone, not wow.

Moving on from your misrepresentation of my point, my main concern is simply that it's not relevant. I've only heard of maybe 3 instances where an account was hacked in EVE and they were all high profile characters. Meaning that it was a special circumstance and not representative of the game as a whole.

So in summation. I think the idea's sentiment is good natured, but in practicality a waste of time for a non-existent issue.
Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#11 - 2014-11-15 23:48:51 UTC
Kaerakh wrote:
I said wow clone, not wow.

Moving on from your misrepresentation of my point, my main concern is simply that it's not relevant. I've only heard of maybe 3 instances where an account was hacked in EVE and they were all high profile characters. Meaning that it was a special circumstance and not representative of the game as a whole.

So in summation. I think the idea's sentiment is good natured, but in practicality a waste of time for a non-existent issue.

What applies to WoW also applies to its clones. Moving on from your strawman argument, I think you may be right. However without access to customer support call/ticket data that I don't think CCP will ever make public I don't think we can really answer this question.
Thomas Gallant
Quafe Company Courier Shipping
#12 - 2014-11-16 00:33:11 UTC
I know I'd like to see something like this, even if account hacking is very rare in this game, extra security options would be nice. There's more than one company that offers a security key option out there, not just Google. Also having some other optional way to increase security (security question, E-mail, etc.) would be nice.

Also for those that have dynamic IP addresses, an opt-in check for IP region would still be an option I think. If an account has been logged in from England 27,942 times, and then is logged in from China one day, it could challenge it with an e-mail or security question. Granted, the use of proxies could make things more complex than that, but it'd be an opt-in only option. For those that want the same way of logging in as before, nothing would change.

Two more ideas: Allow "authorized" devices, and as another means of a confirmation, use the same thing as they have for account management, "name a character on this account".

No doubt there are a few other options that could be done as well that I can't think of atm, but if it's opt in only, I don't really see much of a downside.
Antillie Sa'Kan
Imperial Shipment
Amarr Empire
#13 - 2014-11-16 01:14:45 UTC  |  Edited by: Antillie Sa'Kan
Thomas Gallant wrote:
I know I'd like to see something like this, even if account hacking is very rare in this game, extra security options would be nice. There's more than one company that offers a security key option out there, not just Google. Also having some other optional way to increase security (security question, E-mail, etc.) would be nice.

Also for those that have dynamic IP addresses, an opt-in check for IP region would still be an option I think. If an account has been logged in from England 27,942 times, and then is logged in from China one day, it could challenge it with an e-mail or security question. Granted, the use of proxies could make things more complex than that, but it'd be an opt-in only option. For those that want the same way of logging in as before, nothing would change.

Two more ideas: Allow "authorized" devices, and as another means of a confirmation, use the same thing as they have for account management, "name a character on this account".

No doubt there are a few other options that could be done as well that I can't think of atm, but if it's opt in only, I don't really see much of a downside.

The real question that Kaerakh was getting at is what costs CCP more money, account theft support tickets, or a two factor authentication system. In the end most security decisions are business decisions and we just don't have access to the data on this that CCP does.

Sadly proxies and IP block sales and reallocations make geo locating IPs inaccurate at best and totally worthless at worst. However you can generally use the assigned RIR to make a general guess at the part of the world an IP probably comes from.

Authorized devices is a bit more tricky. The account management site uses cookies for this. The concept of cookies that other sites can't access is somewhat unique to the HTTP/HTTPS spec and even then they aren't perfect. I haven't gone looking for XSS issues on the EVE sites (nor will I) but it only takes one and suddenly your "authorized device" cookie is in the hands of an attacker.

You can still do "authorized devices" outside of the HTTP/HTTPS spec. Steam does it. But I am not familiar with how Steam guards against the copying or theft of the authorization token.
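
An added sketch of the "authorized device" cookie discussed in the post above (not part of the original post and not how the EVE account site works): the token is random, only its hash is stored server-side, the cookie is flagged so page script cannot read it, and the account owner can clear the whole list. The `TrustedDevices` class and the cookie name are hypothetical.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "trusted_device"   # hypothetical cookie name


class TrustedDevices:
    """Hypothetical per-account store of trusted-device tokens (hashes only)."""

    def __init__(self):
        self._hashes = {}        # account -> set of SHA-256 token digests

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, account: str) -> str:
        """Call only after the emailed code or second factor was verified.

        Returns the value for a Set-Cookie response header.
        """
        token = secrets.token_urlsafe(32)
        self._hashes.setdefault(account, set()).add(self._digest(token))
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = token
        morsel = cookie[COOKIE_NAME]
        morsel["httponly"] = True      # page script cannot read it, so XSS cannot copy it out
        morsel["secure"] = True        # only ever sent over HTTPS
        morsel["samesite"] = "Strict"  # not attached to cross-site requests
        morsel["max-age"] = 30 * 24 * 3600
        morsel["path"] = "/"
        return morsel.OutputString()

    def is_trusted(self, account: str, cookie_header: str) -> bool:
        jar = SimpleCookie()
        jar.load(cookie_header)
        if COOKIE_NAME not in jar:
            return False
        presented = self._digest(jar[COOKIE_NAME].value)
        known = self._hashes.get(account, ())
        return any(hmac.compare_digest(presented, h) for h in known)

    def revoke_all(self, account: str) -> None:
        """The 'clear the list' button from the account management page."""
        self._hashes.pop(account, None)
```

The flags do not stop malware on the machine itself from copying the cookie file, which is why the revocation list and a second factor on untrusted devices still matter.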
Wizzard117
Wizzard117 Corporation
#14 - 2014-11-16 01:39:07 UTC
More security is good especially if it's an opt-in feature and doesn't bother me too much.

This could've been even made as a roleplay ingame feature like
- when docked you start game after relog in captain's quarter
- you have to enter some sort of PIN code to allow usage of wallet, trade window, market, hangars and anything else

Kinda like locking/unlocking your garage to use your car.
Wendelgard
The Scope
Gallente Federation
#15 - 2014-11-17 12:49:13 UTC
Antillie Sa'Kan wrote:
Pink Rabid wrote:
- When logging in to the game from a new IP address, require a code which is sent to my email address. Code no longer required once that particular IP address is authenticated. I should be able to clear the list of authenticated IP addresses from my account management page.

- Google authenticator.

- Develop your own authenticator (phone app and/or keyring token).

It would be a big weight off our minds as far as losing valuable assets on our characters!

1. Dynamic IPs are a thing. Especially in Europe. This will annoy people far too much.
[...].


Pink, binding an account to an IP would not work. For instance, my internet connection is somewhat stable. I do not think, you would not file a ticket for getting access to your account only connection has crashed and you were assigned a new IP. Would you do this? I do not think so. Buying me a USB dongle for €10,00 or less - agreed if I could verify all my accounts.

Wendelgard

Pink Rabid
Caldari Provisions
Caldari State
#16 - 2014-11-17 12:59:22 UTC
Added the following suggested method to the original post -

"Similar to above, but have a "trusted" computer so when a non-trusted computer accesses the account, it must be verified via a code before it can be added to a trusted-computer list."

More to address the valid points that people are making about dynamic IP addresses than anything else. I think the key point here is that the community seems to support enhanced account security (albeit some would like it to be optional) rather than the exact form it would take.
elitatwo
Zansha Expansion
#17 - 2014-11-17 13:25:17 UTC
Wendelgard wrote:
-shorted for reading-
Pink, binding an account to an IP would not work. For instance, my internet connection is somewhat stable. I do not think, you would not file a ticket for getting access to your account only connection has crashed and you were assigned a new IP. Would you do this? I do not think so. Buying me a USB dongle for €10,00 or less - agreed if I could verify all my accounts.

Wendelgard



Did you take a look at my link? If CCP would buy those in bulk, they would cost less and if they ask nice they would probably even put an EVE stamp on :)

Eve Minions is recruiting.

This is the law of ship progression!

Aura sound-clips: Aura forever

Kaerakh
Obscure Joke Implied
#18 - 2014-11-17 16:15:35 UTC
Antillie Sa'Kan wrote:
Kaerakh wrote:
I said wow clone, not wow.

Moving on from your misrepresentation of my point, my main concern is simply that it's not relevant. I've only heard of maybe 3 instances where an account was hacked in EVE and they were all high profile characters. Meaning that it was a special circumstance and not representative of the game as a whole.

So in summation. I think the idea's sentiment is good natured, but in practicality a waste of time for a non-existent issue.

What applies to WoW also applies to its clones. Moving on from your strawman argument, I think you may be right. However without access to customer support call/ticket data that I don't think CCP will ever make public I don't think we can really answer this question.


I'm glad that you agree that I'm correct, but you're the only one conducting a strawman. You're saying I said WoW when I said WoW clone. Ergo, you are misrepresenting my argument to better attack it. A strawman.
Jean Luc Lemmont
Carebears on Fire
#19 - 2014-11-17 16:39:17 UTC
I should also add - I would very much like to make sure we can use one authenticator for multiple accounts. I really do not want to keep track of which of my five authenticators goes with which of my five accounts.

Will I get banned for boxing!?!?!

This thread has degenerated to the point it's become like two bald men fighting over a comb. -- Doc Fury

It's bonuses, not boni, you cretins.