Login security, is a username and password enough

Deviana Sevidon
Jades Falcon Guards
#21 - 2012-01-10 13:51:20 UTC
Mangua Desnart wrote:


Actually Deviana, you raise quite a good point there with your very last word, most people have more than one Eve Online account and so this presents CCP with somewhat of an unusual circumstance, how do you protect multiple accounts with one authenticator, or would you be able to protect more than one account from an app version of the software, because you cannot install multiple instances of an app on a mobile device (to my knowledge - I am not a developer). This may be the reason why they have not said anything further on the subject since Fanfest...


I could think of two possible solutions: either do it like some other MMO company and create a master account that allows the player to integrate all EVE accounts into this account. This might be the best solution, especially if we get a PC version of Dust514 one day and a World of Darkness MMORPG.

The simpler solution is to allow the digipass serial number to be used on several accounts.

....as if 10,058 Goon voices cried out and were suddenly silenced.

Mangua Desnart
Mangua Desnart Corporation
#22 - 2012-01-10 13:52:31 UTC
Ursula LeGuinn wrote:


They'd have to allow players to tie multiple accounts to a single authenticator, yeah.


Again it is a question of how far you go with something like this, but that does bring its own set of security concerns.... I'm just saying

I personally would agree, one authenticator, multiple accounts - but how?
Ursula LeGuinn
Perkone
Caldari State
#23 - 2012-01-10 14:19:00 UTC  |  Edited by: Ursula LeGuinn
Mangua Desnart wrote:
I personally would agree, one authenticator, multiple accounts - but how?


Should be simple. I just looked it up, and the way people attach an authenticator to a WoW account is by accessing their account management page, then entering a serial number printed on the back of the physical authenticator (or generated upon installation by an authenticator app) into a blank field to tie the authenticator to that account.

A similar system for EVE would just allow you to use that serial number multiple times to synch your authenticator to all of your accounts. The codes generated by the authenticator would then be valid to log into all of them.

"The EVE forums are intended to provide a warm, friendly atmosphere for the EVE community." — EVElopedia

Mangua Desnart
Mangua Desnart Corporation
#24 - 2012-01-10 14:25:21 UTC
I must admit, that's what you did on the SWTOR app for Android.... I thought it was a little more restrictive than that though, in that once you had tied an authenticator to an account, that was it, but I guess that's just programming.

I wonder if any GMs / Devs have looked at this thread?
Mangua Desnart
Mangua Desnart Corporation
#25 - 2012-01-11 10:23:33 UTC
Ping, boing whatever... I know there has been some discussion on this thread already, I just wondered if anyone else would care to share a view on authenticators?
Jaroslav Unwanted
Brutor Tribe
Minmatar Republic
#26 - 2012-01-11 10:26:06 UTC
Brain scan device..
Ultimate solution..
Nobody will log into your account unless they physically have your brain
Mangua Desnart
Mangua Desnart Corporation
#27 - 2012-01-11 10:27:53 UTC
Not entirely practical.... yet, but thank you anyway
Bayushi Tamago
Sect of the Crimson Eisa
#28 - 2012-01-11 11:10:43 UTC  |  Edited by: Bayushi Tamago
A lot of people I know don't have smartphones of any description and no way of making online purchases, therefore, having these authenticators being optional would be most optimal, unless they offered a text based version (CCP texts your phone with the code)
e: People pay with plex sometimes because they have no other options
Mangua Desnart
Mangua Desnart Corporation
#29 - 2012-01-11 11:12:33 UTC
Bayushi Tamago wrote:
A lot of people I know don't have smartphones of any description and no way of making online purchases, therefore, having these authenticators being optional would be most optimal, unless they offered a text based version (CCP texts your phone with the code)
e: People pay with plex sometimes because they have no other options


Forgive me Bayushi, but how can you play Eve and not yet have a way of making an online purchase?
Indalecia
#30 - 2012-01-11 11:21:16 UTC
How about what Google did: you can enable 2-step authentication.

They basically text you a 6-digit code on your mobile phone that you must enter (with your username/password) when logging in. You can choose to remember the code for 30 days on a single computer, so it's not a huge pain in the ass.

The problem with other solutions is that 1) I don't own a smartphone and 2) I use GNU/Linux, so a USB 3rd-party device would very likely be unsupported for my OS.

https://o.smium.org/ — v0.13.5 — A browser-based fitting tool and loadout sharing platform

Dbars Grinding
Center for Advanced Studies
Gallente Federation
#31 - 2012-01-11 11:22:22 UTC
show me where the bad man touched you.

I have more space likes than you. 

Avensys
The Waterworks
#32 - 2012-01-11 11:25:11 UTC  |  Edited by: Avensys
How do you link the authenticator to your account?

It seems to me that this would have to be done over a separate communications channel with credentials that a hacker wouldn't have access to even if he had compromised your PC at the time you want to set up the link.

(Paper) mail or fax with a copy of your passport?

Otherwise it's mostly security theater.
Mangua Desnart
Mangua Desnart Corporation
#33 - 2012-01-11 11:39:43 UTC
Indalecia wrote:
I use GNU/Linux, so a USB 3rd-party device would very likely be unsupported for my OS.



We weren't talking about a USB device; this is purely a key-fob-type affair that generates random numbers and is linked to your account.
Mangua Desnart
Mangua Desnart Corporation
#34 - 2012-01-11 11:40:17 UTC
Dbars Grinding wrote:
show me where the bad man touched you.



I should be so lucky lol
Mangua Desnart
Mangua Desnart Corporation
#35 - 2012-01-11 11:42:01 UTC
Avensys wrote:
How do you link the authenticator to your account?

It seems to me that this would have to be done over a separate communications channel with credentials that a hacker wouldn't have access to even if he had compromised your PC at the time you want to set up the link.

(Paper) mail or fax with a copy of your passport?

Otherwise it's mostly security theater.



The way SWTOR do it is, when you tie the authenticator to your account, you input the code that is on the fob / app at the time of setting it up, and then I presume there is some back-end magic and trickery that knows what the next numbers will be from that starting point.
Deviana Sevidon
Jades Falcon Guards
#36 - 2012-01-11 12:03:07 UTC  |  Edited by: Deviana Sevidon
There is no magic involved and no communication between authenticator and server. The authenticator has a serial number that is added to the account.

If you press the button on your authenticator/mobile phone app, the software generates the authenticator key from the serial number and the time set in the mobile phone. Since the auth. serial number is registered on the account, the login server also knows which authenticator code is currently the correct one.

Edit:

Here is some additional information about how the process of the two factor authentication works: http://en.wikipedia.org/wiki/Two-factor_authentication

....as if 10,058 Goon voices cried out and were suddenly silenced.
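
The time-based scheme described in post #36 (a code derived from a registered secret plus the clock, with no message from the fob to the server) and the "one serial number on several accounts" idea from post #23, as an added example that is not from this thread or from CCP's own systems. It assumes RFC 6238-style TOTP parameters (HMAC-SHA1, 30-second step, 6 digits); the "serial number" is modelled as a constructed shared secret, and `LoginServer` is a hypothetical server-side registry.

```python
import hmac
import hashlib
import struct

# Assumed parameters (the thread names none): RFC 6238 defaults.
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """Code the fob/app would display at unix_time, derived only from the
    shared secret and the current time step (no server round-trip)."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter)  # 8-byte big-endian step counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class LoginServer:
    """Hypothetical server side: it stores the secret registered on each
    account and recomputes the expected code from its own clock."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}  # account -> registered secret

    def register_authenticator(self, account: str, secret: bytes) -> None:
        # The same secret may be registered on several accounts, which is
        # the "one authenticator, multiple accounts" arrangement discussed.
        self.secrets[account] = secret

    def verify(self, account: str, code: str, now: int, drift_steps: int = 1) -> bool:
        """Accept the code for the current step plus a small window either
        side to tolerate phone clock drift; compare in constant time."""
        secret = self.secrets.get(account)
        if secret is None:
            return False
        for k in range(-drift_steps, drift_steps + 1):
            expected = totp(secret, now + k * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                return True
        return False
```

With the RFC 6238 test secret `b"12345678901234567890"`, `totp` yields the last six digits of the published SHA-1 vectors, which is a quick self-check before trusting a clock-based verifier.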

1-Up Mushroom
Imperial Academy
Amarr Empire
#37 - 2012-01-11 12:49:21 UTC
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.

5 Senses In A Person... 4 Seasons In A Year... 3 Colors In A Stoplight... 2 Poles On The Earth... ONLY 1-UP MUSHROOM!!!  If You Like My Sig, Like Me!   Remember EVE is EVErything!
Skyla Kavatina
Federal Navy Academy
Gallente Federation
#38 - 2012-01-11 12:56:07 UTC
Ursula LeGuinn wrote:
Jenshae Chiroptera wrote:
This token attempt at security would be entirely optional, right?


Yeah. Well, the pioneers of the technology (WoW and TOR) offer them as optional features.


This is RSA SecurID technology that's been around for years, although after a security breach at RSA in April last year many companies decided to re-examine the use of security tokens for two-factor authentication.
Deviana Sevidon
Jades Falcon Guards
#39 - 2012-01-11 13:16:31 UTC  |  Edited by: Deviana Sevidon
Yes, there was a security breach, but because it is a two-factor authentication it still does not mean that anyone can easily bypass the authenticator.

First, someone still would need to know the authenticator serial number on the account; second, it is at least unlikely that he has the key that allows him to generate a usable authenticator code, even with the serial number.

Yes, man-in-the-middle attacks are also possible, but these are difficult to stage and have a high chance of being detected if the user also has good anti-malware software.

The Authenticators are an additional layer of security and work quite well in that aspect and drastically reduce the chances of having an account compromised.

1-Up Mushroom wrote:
Abdiel Kavash wrote:
Username/password is enough as long as the users are not idiots.

I.e. never use the same password on multiple sites, don't visit "questionable" sites, scan any programs you download for viruses, never give your PW to anyone, never allow anyone else physical access to your machine.



And that seems quite naive to me. There are a lot of possible options to attack a system; 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.

Edit:

There is also an additional benefit. With fewer cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.

....as if 10,058 Goon voices cried out and were suddenly silenced.

Mangua Desnart
Mangua Desnart Corporation
#40 - 2012-01-11 13:21:48 UTC
Deviana Sevidon wrote:


And that seems quite naive to me. There are a lot of possible options to attack a system; 'questionable' websites and software are the least of the worries, since there are a lot of security holes in widely used and legit software. Never sharing account access with anyone else is excellent advice, but that will also not guarantee the security of the account.

Edit:

There is also an additional benefit. With less cases of accounts being hacked, the CCP customer support staff has more time to deal with other petitions on their ticket queues.


Deviana, you seem quite knowledgeable about computer security. Can I ask, are you just an enthusiast in the subject or do you participate in the field in some professional capacity?