These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/


Dev Blog: Two-Factor Authentication... finally!

Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#81 - 2015-05-03 17:28:31 UTC
Dyner wrote:
While I appreciate the effort, this isn't of much use.

"Yes. This does not prevent people from logging into the game client by circumventing the launcher. That is a legacy issue that we were unable to fix this time around."

So, how about doing what Trion did with RIFT and have a "Coin Lock", but have it extend beyond the currency and go into items. Make it so if the server doesn't recognize the IP it boots you out of the ship and prevents you from getting into a ship or accessing the Hangar Inventory until you unlock.

The server has already shown that it can boot people out of ships. All of my alts are in Capsules, even the ones that were in Rookie Ships (one of the major expansions did this).

---

Or

Add a third field to the game's login field: One-Time Password -or- One-Time Code

There. Done.

---

OR! Probably the easiest to do of all these...

For a quick fix: if the login server doesn't recognize the IP, have the game fail to log in. Just pass it the same response you'd get if you entered the wrong password for a valid Login Name.

And fire off an email to the verified email address for said account.

With a validation link to authorize the new IP

En Masse does this for their accounts, Steam does it, Origin (EA) does this, YOUR WEBSITE does it.



People like you are one of the reasons developers and support staff drink.

Quote:
Add a third field to the game's login field: One-Time Password -or- One-Time Code

There. Done.


Then write the code behind it, to tie it into the authentication system. Because it doesn't use the same auth all the sites do.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Altirius Saldiaro
Doomheim
#82 - 2015-05-03 19:00:29 UTC
They really need to fix the bug with the option to not use authentication on this pc.
Dyner
Brutor Tribe
Minmatar Republic
#83 - 2015-05-03 20:01:11 UTC  |  Edited by: Dyner
Steve Ronuken wrote:



People like you are one of the reasons developers and support staff drink.


Why secure the website entry if you can still get into other people's game account? CCP's website offers even less information about the person than most other Video Game account pages. Most give partial Billing/Shipping Addresses and partial Payment Option information.

CCP gives you the person's name, DOB, and email. That's it. You get more from Facebook or other Social Media sites (assuming you didn't make up a fake identity).



...What they've said is: "We locked the front door, but left all the windows on the first floor open."


If my post came across as cold, then I apologize. I bluntly stated this does not do any good, because players can still easily have their accounts hijacked.

Steve Ronuken wrote:


Then write the code behind it, to tie it into the authentication system. Because it doesn't use the same auth all the sites do.



I don't have access to their login server.

I don't have their source code.

I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes, because it would receive the same 'invalid login' response until the new IP address was validated.
Azahar Ortenegro
Seashells and Fireflies
#84 - 2015-05-04 19:59:25 UTC
I was going to give it a try, and then saw that you rely solely on third-party authenticators. It makes the whole thing kinda useless.
Ereshgikal
Wharf Crusaders
#85 - 2015-05-05 18:19:11 UTC
+1 on the "remember this computer" bug.

On top of it all, the launcher has started to ask me for a character's name on the account "since I haven't used this computer before". WTF? I have neither changed IP, nor changed anything on my computer. And if I provide a correct answer I am booted back to username/password. Provide a wrong character name, I at least get a nice red text stating what went wrong...

please...please...fix this

Security that inconveniences the proper user more than the attacker is of...uhm, very....limited use. I'll give 2FA one more week, then I am killing it off.
Ereshgikal
Wharf Crusaders
#86 - 2015-05-05 18:26:45 UTC
Dyner wrote:


I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes, because it would receive the same 'invalid login' response until the new IP address was validated.



Locking it down if a new IP-address is used is very bad design in the age of mobile data. Some users are sitting on connections that rotate IP-addresses like they are part of a minigun. They would be fed up quite quickly and leave (which is bad).
Steve Ronuken
Fuzzwork Enterprises
Vote Steve Ronuken for CSM
#87 - 2015-05-05 21:25:30 UTC
Azahar Ortenegro wrote:
I was going to give it a try, and then saw that you rely solely on third-party authenticators. It makes the whole thing kinda useless.



How so?

They're using an industry standard Timed One Time Pass. As far as I'm aware, there aren't any cryptographic weaknesses with it.

Woo! CSM XI!

Fuzzwork Enterprises

Twitter: @fuzzysteve on Twitter

Tipper Trix
Center for Advanced Studies
Gallente Federation
#88 - 2015-05-07 01:48:45 UTC
Authenticator not remembering this PC bug here as well. First world problems....
Dyner
Brutor Tribe
Minmatar Republic
#89 - 2015-05-11 17:10:32 UTC
Ereshgikal wrote:
Dyner wrote:


I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes, because it would receive the same 'invalid login' response until the new IP address was validated.



Locking it down if a new IP-address is used is very bad design in the age of mobile data. Some users are sitting on connections that rotate IP-addresses like they are part of a minigun. They would be fed up quite quickly and leave (which is bad).


It's a temporary solution until the EVE exe can be patched to also require authentication.

Why wouldn't people want to be slightly inconvenienced if it meant the likelihood of logging in to find your stuff missing is barely past 0%?

Plus, if they didn't want it, they don't have to enable it.
Porucznik Borewicz
GreenSwarm
#90 - 2015-05-12 21:31:11 UTC
So CCP, when?
Arbor Wattle
Federal Defense Union
Gallente Federation
#91 - 2015-05-13 07:32:09 UTC
How do I turn it off?
I have to enter a character's name every time I login because my IP address keeps changing. It's just another annoyance that adds to the 10-15 min wait, for the launcher to be ready, so I can login and play the game.
Masao Kurata
Perkone
Caldari State
#92 - 2015-05-13 14:40:02 UTC
Arbor Wattle wrote:
How do I turn it off?
I have to enter a character's name every time I login because my IP address keeps changing. It's just another annoyance that adds to the 10-15 min wait, for the launcher to be ready, so I can login and play the game.


That actually happens a) without two factor authentication turned on and b) without your IP address changing. Yes it's annoying.
Axhind
Eternity INC.
Goonswarm Federation
#93 - 2015-05-21 04:16:34 UTC
While we are talking about online security how about moving the forums to TLS 1.2 instead of broken TLS 1.0?