EVE General Discussion

That is a bad example, most cars do indeed have a lot of protective equipment to prevent injuries or death of driver and passengers in case of a car crash.




Even if you did everything right to prevent your computer, you might become victim of a zero-day-exploit that has no fix yet. Computer security has a lot to do with making things harder for the bad guys, while keeping in mind that there is never absolute security.

My main account is also more then 6 years old, was never hacked and other accounts of mine, with or without authenticator, were also never compromised, but that is beside the point. I have been skilled and lucky enough to prevent damage to my accounts so far. A security token, or call it an authenticator would be still much appreciated. If the option is given, I would happily purchase one from CCP.

Besides social darwinism is not only one of the most disgusting, it is also one of the most stupid ideas on the internet, but I guess people will only learn when reality strikes them hard.

I would pay for an Authenticator. My first encounter with one was in Project Entropia, later on World of Warcraft added one. So that clone copy TOR has one as well? Cool.

A few different companies have tried different mechanisms.

For example, Perfect World has a clicking keyboard (optional) for password entry. Whilst not 100% proof against keyloggers, it does provide a bit more safety than using manual keystrokes.

RIFT has the much appreciated Coin Lock system. If you login from a different location nothing can be traded or sold or destroyed until you enter the coinlock code emailed to your primary email account. Doesn't help if your email account is compromised as well; but it helps to prevent SOME of the harm if you end up losing your account.

If those features were optional in EVE Online, I would use them. This game represents hours of fun, entertainment and investment. I remain as secure as possible online, but if there are additional measures to help protect myself I'll welcome them. I wouldn't want to lose what I've been enjoying for so long.

Sounds like a fine example right there, whilst all the adult, computer savvy 'want to protect me and mine' have a serious discussion someone always has to get silly... remember we are talking about options hereand who is to say that CCP will implement any of them in the end

The challenge of security is not how hard it is to lock something down. That's easy. The challenge is balancing the locks against ease of use. THAT is the challenge!

Make it a choice indeed. Mandatory authenticators would be silly. It's a moot point as it will never happen.

I think the core concept is:

"It is sufficient for them"

It may not be sufficient for you or me; but they are willing to risk it with that level of security. (Hence optional extras for those of us that are less willing to risk our entertainment to such a degree)

IF CCP was to release RSA tokens for Eve, alot of players would adopt it.


They could even take it a step further, and make it profiable for themselves. IE charge $15 for the token, charge another $20 to have one activated/enabled on you're account permnantly.


It gives the players enough added security (having to hold something in you're hand that works like a unique car key, that the car will only accept that 1 key before it'll start up) to feel comfortable.

Of course it would be a good idea. I'd use one.

Which is why you should be running NoScript and Adblock Plus - I can't remember the last time I saw an advert for anything, and these days its verging on stupidity visiting unknown websites with scripting enabled.

you missed the point of my post.

I'll try an analogy: let's say we decide to write each other encrypted emails for extra security (in a world without asymmetric encryption for argument's sake).
If I send you the encryption key via email, the whole security precaution is moot. I have to send you the key out-of-band (e.g. via paper mail) for the encryption to be useful.

The authenticator app has to be deterministic, it will always produce the same outputs given the same serial number (and time of the day, number of times the button has been pressed, ...).
The algorithm used for this can be reverse-engineered and should not be considered secret.

The real secret is the serial number of your authenticator.
Transmitting this secret via your computer (by entering your authenticator serial number on some website) while you want to protect yourself against someone who might already have access to your computer (e.g. via a keylogger) is extremely stupid. With the logged serial number an attacker could simply clone your authenticator.

For the security measure to be effective the authenticator's serial number has to be transferred out-of-band - which is possible by either linking auth & account before it is sent to you/you download it or by having you transfer the auth serial number via SMS, paper mail, ...

Note that an authenticator application on your PC would be a very bad idea for the same reason - the authenticator's strength is that once set up somebody controlling your PC would not have access to it and would be limited to (hopefully complex) Man in the Middle attacks (e.g. logging the auth code you entered in the application, displaying you a "login failed" notice without passing the auth code to the server, then using the auth code to log in to your account within the next few minutes).

Then there is the problem how to verify that the person linking authenticator and account is really the account holder.
Username and password are not sufficient as they are entered on the compromised system all the time and as such probably known to any attacker (remember that you want sth stronger than username/password for a reason).
So you would have to send some identity verification like a copy of your passport (again out-of-band, so probably via mail or fax) when linking the authenticator to your account.

The authenticator serial number is typed in only once, when the authenticator is added to the account and never again, so if you added the authenticator to the account, then your system might be infected with a keylogger, or you are logging in from a public PC to check your EVE mail etc.. your system is still safe.

Someone might get the account name and PW, which is bad enough, but the authenticator will prevent him from logging into the account to get the tokens serial number. Deterministic or not, without the serial number of the authenticator and the key to generate a code he is still locked out and attempts to brute force access can be prevented by other means.

As I wrote earlier, nothing will give me complete security, but it will give me a lot more security since I am still a lot more secure then all the people thinking a long alphanumeric password is enough.

Since the bad persons usually go for the low hanging fruit I can be confident in the knowledge that the persons thinking a long alphanumeric password is enough are the first ones being targeted and those will also be the much easier prey.