These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/


Dev Blog: Two-Factor Authentication... finally!

March rabbit
Aliastra
Gallente Federation
#21 - 2015-04-24 18:05:22 UTC
Steve Ronuken wrote:
March rabbit wrote:
Having Ericsson T29 as main mobile phone device I always hate when people mention 2FA.
Hope this feature will always stay 'optional'.



There are actually Windows apps for doing this as well. Which is something, at least.

Just the Google Authenticator.

(there's also the email option)

Start the game, enter credentials, switch to browser, visit mailbox, copy something, switch to the game, paste something, enter the game.

Not sure if I like new procedure.

Steve Ronuken wrote:

Sure, it's not going to stop someone logging into Eve (yet. I'm hopeful there will be launcher updates to make multi account logins and sets of settings viable. I keep asking for them) it does at least protect the website.

Well. I can survive 2FA on web site.... Visiting it once in a while. So they can put 2FA, 3FA, N-FA with as big N as they want.
But making starting the game unnecessarily longer... No support from me.

The Mittani: "the inappropriate drunked joke"

virm pasuul
Imperial Academy
Amarr Empire
#22 - 2015-04-24 18:23:35 UTC
"Go to Account -> “Two Factor Authentication Settings” and follow the instructions."
I don't have this option :(
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#23 - 2015-04-24 18:34:33 UTC
March rabbit wrote:
Steve Ronuken wrote:
March rabbit wrote:
Having Ericsson T29 as main mobile phone device I always hate when people mention 2FA.
Hope this feature will always stay 'optional'.



There are actually Windows apps for doing this as well. Which is something, at least.

Just the Google Authenticator.

(there's also the email option)

Start the game, enter credentials, switch to browser, visit mailbox, copy something, switch to the game, paste something, enter the game.

Not sure if I like new procedure.

Steve Ronuken wrote:

Sure, it's not going to stop someone logging into Eve (yet. I'm hopeful there will be launcher updates to make multi account logins and sets of settings viable. I keep asking for them) it does at least protect the website.

Well. I can survive 2FA on web site.... Visiting it once in a while. So they can put 2FA, 3FA, N-FA with as big N as they want.
But making starting the game unnecessarily longer... No support from me.



It's optional. And I'd be really surprised if that changes

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

thowlimer
Roprocor Ltd
#24 - 2015-04-24 18:37:02 UTC
Steve Ronuken wrote:
Pen Ris wrote:
LOL - 2 factor authentication, unless you want to bypass it, isn't actually two factor authentication.

Considering the high dependence on 3P app/forums/services and very recent and limited availability of federated identity (SSO); do you think this will stop anyone from improperly accessing accounts who also has the skills to obtain lists of username/passwords from those 3Ps?




With any luck, people weren't moronic enough to reuse the passwords.


https://www.youtube.com/watch?v=a6iW-8xPw3k

CCP Ghostrider
C C P
C C P Alliance
#25 - 2015-04-24 18:52:39 UTC
virm pasuul wrote:
"Go to Account -> “Two Factor Authentication Settings” and follow the instructions."
I don't have this option :(


It should be available next Tuesday, April 28th :)
SilentAsTheGrave
Aliastra
Gallente Federation
#26 - 2015-04-24 19:19:18 UTC
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.

Shouldn't that be on the frontlog or whatever is a high priority? That's like bragging about a new door lock when the window is left wide open.
Aleida Aldeland
Doomheim
#27 - 2015-04-24 21:06:05 UTC

Does this have to be done every time?

Would be a lot more convenient if the second factor was only needed after a change of IP address / client.

Or if there was an optional "secure logout" which forced the use of second factor next login (for use in internet cafes).
Mara Rinn
Cosmic Goo Convertor
#28 - 2015-04-24 21:19:17 UTC
Axhind wrote:
Any chance of supporting something actually safe like Yubikey? E-mail and mobile apps can hardly be considered secure (better than nothing but that's about it).


I am a security noob: how is Yubikey safer than a TOTP app like 1Password or Google Authenticator?
Mara Rinn
Cosmic Goo Convertor
#29 - 2015-04-24 21:23:09 UTC
SilentAsTheGrave wrote:
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.

Shouldn't that be on the frontlog or whatever is a high priority? That's like bragging about a new door lock when the window is left wide open.


This TOTP update is about keeping the title deeds for the house under lock and key. Sure, nefarious people can steal everything in your house, but they can't take your house.
Zappity
New Eden Tank Testing Services
#30 - 2015-04-24 21:34:45 UTC
devblog wrote:
This does not prevent people from logging into the game client by circumventing the launcher.
Oh. Well that's a pity. Please don't take away exe, though.

Zappity's Adventures for a taste of lowsec and nullsec.

Iroquoiss Pliskin
9B30FF Labs
#31 - 2015-04-24 21:45:05 UTC
Excellent feature, long overdue.

Can sometimes get annoying with multiple IP resets, but that's the price. Although, in this case here I see there is an option to exempt the current machine from this - other MMOs don't provide this option.

Great. :D
Antihrist Pripravnik
Cultural Enrichment and Synergy of Diversity
Stain Neurodiverse Democracy
#32 - 2015-04-24 22:45:19 UTC
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.


Exactly. The 2FA protection now protects what's critically important. If a bad guy manages to log in to the game and do some in-game damage, I can already log in to the account management page and see who logged in and from where. Fixing the damage is only a GM ticket away. However if someone manages to access the account management page and change e-mail and login credentials, the path to the account recovery might not be so short.

That's all in theory anyway :) I pretty much trust my randomly generated cryptographically secure password which is periodically changed :P But then again, one cannot be too paranoid about security. Lol
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#33 - 2015-04-24 22:47:43 UTC
Zappity wrote:
devblog wrote:
This does not prevent people from logging into the game client by circumventing the launcher.
Oh. Well that's a pity. Please don't take away exe, though.



I'm curious. What do you use the exe file functionality for?

(I use it myself for 2 accounts, launcher for the third. Always curious to see what other people use it for)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Scatim Helicon
State War Academy
Caldari State
#34 - 2015-04-24 22:53:20 UTC
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.

Why would you even release an account security feature before fixing the ability to bypass it? :psyduck:

Every time you post a WiS thread, Hilmar strangles a kitten.

Vincent Athena
Photosynth
#35 - 2015-04-24 22:53:47 UTC  |  Edited by: Vincent Athena
Steve Ronuken wrote:
Zappity wrote:
devblog wrote:
This does not prevent people from logging into the game client by circumventing the launcher.
Oh. Well that's a pity. Please don't take away exe, though.



I'm curious. What do you use the exe file functionality for?

(I use it myself for 2 accounts, launcher for the third. Always curious to see what other people use it for)

On a Mac, the best way to run multiple clients is to make clones with the Mac clonemaker. The clones go straight to the .exe file.

Scatim Helicon wrote:
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.

Why would you even release an account security feature before fixing the ability to bypass it? :psyduck:

Because, for the account management page, you cannot bypass it. It can only be bypassed for the client. The worst that can happen there is they steal space pixels. And as any ganker will tell you, you should never shed a tear over losing space pixels.

Know a Frozen fan? Check this out

Frozen fanfiction

Primary This Rifter
Mutual Fund of the Something
#36 - 2015-04-24 22:55:53 UTC
CCP Ghostrider wrote:
We are aware that having the launcher bypass is not optimal but a lot of bad stuff can take place if someone gets access to account management like changing the registered email address, password changes and character transfers. Two-factor protecting the client login itself requires effort from multiple teams but is on the backlog.

If you cannot implement 2FA properly, do not ship it until you can.

Delivering a security feature that can be bypassed trivially is incompetence, plain and simple.
Scatim Helicon
State War Academy
Caldari State
#37 - 2015-04-24 22:56:21 UTC
On another note, a few years ago at Fanfest we were given key generators as part of our entry, I take it they will not be used for this (I still have mine somewhere)?

Every time you post a WiS thread, Hilmar strangles a kitten.

Tyberius Franklin
Federal Navy Academy
Gallente Federation
#38 - 2015-04-24 22:59:06 UTC
Thanks for this. Looking forward to getting it set up.
Hakaari Inkuran
State War Academy
Caldari State
#39 - 2015-04-24 23:25:18 UTC
CCP Logibro wrote:
After much work from CCP Ghostrider and friends, we are finally able to announce the roll-out of Two-Factor Authentication for Account management and our SSO service. Anyone wanting to keep their account secure should take a look at the latest dev blog for more details on how it works, and how to get it working on your accounts.

Not interested unless it ONLY asks for a code when logging in on an unrecognized system or IP address. This is a hassle that is currently circumventable for legacy code reasons? Effort is appreciated but no thank you.
Infinite Destruction
The Brotherhood MC
#40 - 2015-04-24 23:42:21 UTC
So with this new system (if activated) each and every time I log into one of my 6 accounts I would have to wait for an email with a code, and every time I log out and into one of my 12 alt toons, I would again have to wait for an email with a confirmation code?

(Or, each and every time I log into one of those 18 different toons I would have to generate a new code on my smartphone and then enter that?)

Yeah - ain't gonna happen.

And you do realize that this isn't likely to cut down on the number of people who claim they were hacked by the neighbour's dog or by cousin It (who probably of course have access to the "victim's" email on the same computer they have Eve installed on, and looky looky, a smart phone sitting right beside it)!