These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/


Dev Blog: Two-Factor Authentication... finally!

Mara Rinn
Cosmic Goo Convertor
#61 - 2015-04-28 03:55:36 UTC
Sturmwolke wrote:
GA? No thanks.



There are many authenticator applications out there which allow you to enter a new authentication code through QR as displayed by EVE 2FA. I use "1Password" on iOS and OS X for example.

https://agilebits.com/onepassword
Mara Rinn
Cosmic Goo Convertor
#62 - 2015-04-28 04:38:34 UTC
Axhind wrote:
Mara Rinn wrote:
Axhind wrote:
Any chance of supporting something actually safe like Yubikey? E-mail and mobile apps can be hardly considered secure (better than nothing but that's about it).


I am a security noob: how is Yubikey safer than a TOTP app like 1Password or Google Authenticator?


It's a separate hardware key (FOB), making it far less likely to get compromised. Something that cannot be said for e-mail or phones, which are probably the most insecure devices people use (well, except smart TVs and co).


The most insecure device in this mode is the Windows PC USB port the YubiKey is being plugged into.

Given the choice of offering TOTP to customers using an existing toolset, or having to deliver Yubikeys to customers, I would go for the TOTP solution, especially since it is the easier technical implementation. No point investing in a security system the customers (as a group) are not going to actually use. I still have two RSA keyfobs from the last 2FA plans that CCP had. That RSA-based system went nowhere in a hurry!

If I lose my phone, I still have the TOTP seed on my iPad and desktop. This makes disabling the 2FA much easier for me and CCP, since we don't have to engage in telephone calls at odd hours of the day. I just log in, reset the TOTP seed, and continue on my way (along with the usual remote bricking of the phone).

Risk = Probability of event x Damage caused by event

The cost of a "lost my Yubikey" event is significantly higher to all parties than a "lost my TOTP device" event. The probability of TOTP seed being compromised is significantly lower than losing the physical token (both per individual and statistically over the population). Even with the phone being stolen by a malicious third party, they still have to decrypt the storage and then decrypt the key locker.

If I was trying to steal an account from, say, an alliance financial officer or someone else in charge of significant in-game resources, I would hope that they have a Yubikey since it is not protected from my using it in the same way a TOTP key might be. In addition the time it will take the victim to address the loss is significantly higher, meaning I have far more time to plunder the account both ingame and through any stored credit card details.

The only downside to the password locker on my phone is that loss of one token (the phone) means I have to process lost keys for almost a thousand accounts.

Then again, I don't fancy carrying a thousand Yubikeys in my pocket.
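
The comparison in the post above rests on a property of TOTP: the code depends only on the shared seed and the clock, so every device holding a copy of the seed produces the same code. The sketch below is an added example, not part of the thread and not CCP's implementation; it assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), uses the RFC's published test key as a constructed seed, and the `Verifier` class is hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890") in base32; constructed sample, not a real seed.
SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per code (assumed default)


def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """Code for the 30-second step containing unix_time (HMAC-SHA1, RFC 6238)."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Server side: accept +/- one step of clock drift, reject reused codes."""

    def __init__(self, seed_b32: str, window: int = 1):
        self.seed = seed_b32
        self.window = window
        self.last_step = -1  # highest step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # this step (or an older one) was already used
            if hmac.compare_digest(totp(self.seed, step * STEP), code):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    now = 1111111109
    phone, tablet = totp(SEED, now), totp(SEED, now)  # two devices, one seed
    server = Verifier(SEED)
    print(phone, tablet, server.verify(phone, now), server.verify(tablet, now))
```

The second `verify` call fails because the server has already accepted a code for that time step, which is what limits the value of a code captured in transit.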
Daniel Jackson
Universal Exos
#63 - 2015-04-28 17:31:12 UTC
The "don't ask codes for this computer" option doesn't do anything for client and the website; I have to retype the email code even when I check the box.
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#64 - 2015-04-28 18:31:16 UTC
Daniel Jackson wrote:
The "don't ask codes for this computer" option doesn't do anything for client and the website; I have to retype the email code even when I check the box.



Did you log out, then log in with a different account? (it was working for me when I just stayed on one)

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Eria Quint
Republic University
Minmatar Republic
#65 - 2015-04-28 19:06:56 UTC
Hi,

Same issue here, but I have the same thought: it might have to do with multiple accounts and switching between them.
Daniel Jackson
Universal Exos
#66 - 2015-04-28 19:48:21 UTC  |  Edited by: Daniel Jackson
Steve Ronuken wrote:
Daniel Jackson wrote:
The "don't ask codes for this computer" option doesn't do anything for client and the website; I have to retype the email code even when I check the box.



Did you log out, then log in with a different account? (it was working for me when I just stayed on one)

I tried both ways: logging out and signing in with a different account, and I also tried logging out and logging in with the same account.

I think it fixed the website issue but not with the actual game client.

Nvm, I just logged out of the website and tried logging back in, and it asked me to put in a code again.

Note: these are with the email codes, as I do not have a smartphone to use an authenticator.
Eria Quint
Republic University
Minmatar Republic
#67 - 2015-04-28 20:10:13 UTC
It happens as well with the authenticator
Raging Beaver
Republic University
Minmatar Republic
#68 - 2015-04-28 23:23:26 UTC
I happily enabled the feature on all accounts like 2 hours ago.
Found out that I need to re-enter the authenticator code when logging different accounts in through the launcher despite the "Remember..." option being selected.

The way I want this to work is:
1. Login through the launcher
2. Enter the code once and "Remember on this computer"
3. Never ever see this prompt for this account on this computer again. Doesn't matter if the IP, CPU, mobo, ram, country, account, weather, whatever changes. Something like the "Authorize this device" in iTunes.

Currently it doesn't work that way. Try again. Let me know when it does. Disabled on all accounts.
Leon Razor
Measure Zero
#69 - 2015-04-29 04:12:28 UTC  |  Edited by: Leon Razor
Raging Beaver wrote:
I happily enabled the feature on all accounts like 2 hours ago.
Found out that I need to re-enter the authenticator code when logging different accounts in through the launcher despite the "Remember..." option being selected.

The way I want this to work is:
1. Login through the launcher
2. Enter the code once and "Remember on this computer"
3. Never ever see this prompt for this account on this computer again. Doesn't matter if the IP, CPU, mobo, ram, country, account, weather, whatever changes. Something like the "Authorize this device" in iTunes.

Currently it doesn't work that way. Try again. Let me know when it does. Disabled on all accounts.


How is the Auth supposed to know it's the same computer (vs. an attacker) if any of these can change and still not prompt for the code: "the IP, CPU, mobo, ram, country, account, weather, whatever." Think about if what you are asking is a reasonable or logical demand for a minute and then get back to us.

Persisting on the IP changing is reasonable and would cover most inconveniences. (How often are you really changing your hardware?) Perhaps you prefer some file is stored on the HDD that identifies the device like a cookie? That would be more convenient I'm sure, but also less secure vs. some forms of attack.
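
The trade-off in the reply above, as an added sketch that is not part of the thread and not CCP's implementation: a "remember this computer" token the server signs with HMAC and binds to one account, optionally also to the IP it was issued from. The function names, the token layout and the 30-day lifetime are assumptions; the IP addresses are constructed documentation addresses.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service keeps this key server-side
TTL = 30 * 86400                      # assumed lifetime of a remembered device, in seconds


def issue(account, now, ip=None):
    """Token handed to the client after one successful 2FA check."""
    claims = {"acct": account, "dev": secrets.token_hex(8), "exp": now + TTL, "ip": ip}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def needs_code(token, account, now, ip):
    """True when the login must still be challenged for a 2FA code."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, AttributeError):
        return True  # missing or malformed token
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return True  # forged or modified token
    claims = json.loads(payload)
    if claims["acct"] != account or now >= claims["exp"]:
        return True  # token belongs to another account, or has expired
    # Cookie-only tokens (ip is None) survive an address change; IP-bound ones do not.
    return claims["ip"] is not None and claims["ip"] != ip


if __name__ == "__main__":
    cookie = issue("alice", now=1000)                    # convenient: file/cookie only
    bound = issue("alice", now=1000, ip="198.51.100.7")  # stricter: also tied to the IP
    for name, tok in (("cookie", cookie), ("ip-bound", bound)):
        print(name,
              "same ip:", needs_code(tok, "alice", 2000, "198.51.100.7"),
              "new ip:", needs_code(tok, "alice", 2000, "203.0.113.5"),
              "other account:", needs_code(tok, "bob", 2000, "198.51.100.7"))
```

A cookie-only token copied off the machine skips the prompt from any address until it expires, while the IP-bound form re-prompts the legitimate user whenever their address changes.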
Daniel Jackson
Universal Exos
#70 - 2015-04-29 04:36:32 UTC
I have the issue where it's not remembered on the same computer, same everything.
Leon Razor
Measure Zero
#71 - 2015-04-29 07:52:11 UTC
Daniel Jackson wrote:
I have the issue where it's not remembered on the same computer, same everything.


Same issue. I'm assuming this is a bug as I have to enter a code on the launcher every time even though I check "Don't ask for codes again on this computer."
Rachael Tyrelll
Dynatech Intergalactical Trading Ltd.
#72 - 2015-04-29 10:00:57 UTC
Guys, so glad you did this. Just activated for all accounts ... feeling so much safer now. Thanks!!!!!
Qual
Knights of a Once Square Table INC.
#73 - 2015-04-30 12:09:17 UTC
Yeah, I am having the issue with Launcher not respecting the "Do not ask again on this computer" flag as well.
Blinky3J
Kingsparrow Wormhole Division
Birds of Prey.
#74 - 2015-04-30 12:33:17 UTC
Daniel Jackson wrote:
The "don't ask codes for this computer" option doesn't do anything for client and the website; I have to retype the email code even when I check the box.



CCPlease. It's also, instead of it remembering the last account to log in, staying focused on one - not a huge problem, but an annoyance.

Is anyone not having this issue? Is it being worked on?

Eria Quint
Republic University
Minmatar Republic
#75 - 2015-04-30 12:53:43 UTC
This issue has been reported at CCP Customer support and they acknowledged the issue for a group of users (but not for all).

So I guess they will work on it and publish a fix when the problem is identified and they have found a solution.
Oddsodz
Federal Navy Academy
Gallente Federation
#76 - 2015-04-30 19:35:01 UTC
Just posting to say I have the same issue also. One thing to note is that I have 2 accounts.

Hope this little bug is fixed in good time.


As for having 2FA, I am very happy to have it. Thank you for filling my request ;-)

https://forums.eveonline.com/default.aspx?g=posts&t=304921
Daniel Jackson
Universal Exos
#77 - 2015-05-01 04:02:40 UTC
I have 2 accounts as well but only really log on 1 most of the time, and even my 2 accounts are 2 different client installs, but still, using just 1, it just doesn't remember.
Saisin
Chao3's Rogue Operatives Corp
#78 - 2015-05-02 16:03:20 UTC
Reporting that the "remember this computer" does not work either, on two different machines with the client/launcher installed.
It does seem to work on one machine where I only log in to the web site and do not use the client.

It is really painful to have to get the codes every time I log into the game from my own machines. Looking forward to a fix soon, else I am going to be disabling two-step authentication...

Vote Borat Guereen for CSM XII

Check out the Minarchist Space Project

Arkumord Churhee
Nice Try.
#79 - 2015-05-03 08:14:37 UTC  |  Edited by: Arkumord Churhee
Same issue here.
I use 3 different accounts regularly, and it's annoying that I have to re-authenticate every account every time despite me clicking the "Don't ask for codes again on this computer" checkbox.

In general, I'm very happy they finally did this.

Edit: It'd be nice if the account name you are asked to authenticate for would be displayed when the code is asked for.
Dyner
Brutor Tribe
Minmatar Republic
#80 - 2015-05-03 16:43:57 UTC
While I appreciate the effort, this isn't of much use.

"Yes. This does not prevent people from logging into the game client by circumventing the launcher. That is a legacy issue that we were unable to fix this time around."

So, how about doing what Trion did with RIFT and have a "Coin Lock", but have it extend beyond the currency and go into items. Make it so if the server doesn't recognize the IP it boots you out of the ship and prevents you from getting into a ship or accessing the Hangar Inventory until you unlock.

The server has already shown that it can boot people out of ships. All of my alts are in Capsules, even the ones that were in Rookie Ships (one of the major expansions did this).

---

Or

Add a third field to the game's login field: One-Time Password -or- One-Time Code

There. Done.

---

OR! Probably the easiest to do of all these...

For a quick fix. If the login server doesn't recognize the IP, have the game fail to login. Just pass it the same response you'd get if you entered the wrong password for a valid Login Name.

And fire off an email to the verified email address for said account.

With a validation link to authorize the new IP

En Masse does this for their accounts, Steam does it, Origin (EA) does this, YOUR WEBSITE does it.