
Phillip_BW

BioWare

Posts: 31

Reputation: 10 Good

Personal Information
  • Location: Austin Texas
  • Homepage: http://www.swtor.com
  • Occupation: Senior Manager of Security for SWTOR
  1. Apologies for not getting this posted sooner - we have verified that there is no 'fix' for the application that will allow for the Security Key to continue working through an upgrade to iOS version 7. The application itself does work in iOS7 (tested back in June on the developer beta Apple provided), however something inside the upgrade breaks the keystore being used internally within the phone. Any technical fix would take a longer time to get released (probably weeks), and by then the vast majority of Apple iPhone customers will have already upgraded. Not the best place to be, but that is where we are. Below is a list of steps you can use to get your Security Key working again if you do upgrade.

     If you already upgraded and currently have a broken Security Key application:
     • Upgrade to iOS version 7
     • Uninstall/Delete the SWTOR SK application
     • (Re)Install the SWTOR SK application again
     • Visit swtor.com
     • Do not enter a Security Key Code while logging in - this will show you the page with the link on for the 'Lost your Security Key?' process - follow the process for de-registering your Security Key
     • This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
     • Visit your account page on swtor.com and register the Security Key once more using the registration process

     If you are reading this before upgrading:
     • Before upgrading iOS to version 7, visit your account page on swtor.com and disassociate the Security Key
     • This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
     • Upgrade to iOS version 7
     • Uninstall/Delete the SWTOR SK application
     • (Re)Install the SWTOR SK application again
     • Visit your account page on swtor.com and register the Security Key once more using the registration process

     If you do get stuck on the steps above, you can call our customer service team who can help, however please do try to use the website processes first as they are there to help you get back to logging in as quickly as possible without having to make a phone call.
  2. Interesting approach there funkiestj. I thought I was pretty clear that one input action must equal only one action in game, but obviously not - so please find below red X's next to the correct answers. Enjoy!
  3. So a number of people have asked about text macros. A couple of others (even on reddit!) have mentioned 'colour detection to determine which action to take' systems. I even saw questions about sequence clicking... I even saw claims that we can't detect anything and won't do a thing about this issue. I'll address all four...

     Text Macros
     Strictly speaking, text macros are against the ToS. If it's for emotes etc. and isn't being used as a way to advise others of an impending attack in a Warzone (inc snow! for example), then we will turn a blind eye to an extent. If you fire off emotes too many times in quick succession of course then you will get evaluated for if you are spamming. One click 'enter chat, type 'inc snow!', hit enter' text macros designed to warn others are completely against the ToS. You need to make a decision - do I take the time to type 'inc snow' to the ops group, or do I just keep fighting this person... Think of it as an evaluation on if you are using a tool that gives you an unfair advantage over somebody not using that same tool.

     Colour detection and evaluated action macros
     The very act of determining a colour of a pixel on screen and as a result then using a specific action is one of the easy to understand examples of what we call automation. As soon as you have two things happening based on one key press, then it's against the ToS.

     Sequence clicking
     If you have a system set up so that if you hit the same key 4 times like so: '1, 1, 1, 1' and instead of just firing off whatever 1 is bound to it fires off '1, 2, 3, 4', then as long as you keep it to 'one key == one other key hit' it's in that grey area of not true automation. There is a caveat - you can't have the macro determine a minimum time between clicks to work around the global cool down timing and only fire the next button in sequence if the GCD has expired. If you instead have a system that when you hit 1, it fires off 1, 2, 3, 4 in quick succession or all at once (i.e. one click == many actions) in order to try and fire something that isn't currently in a cool down state then yes, that is against the ToS. Again, one click must always equal one action and only one action within the game.

     Detection of abuse
     There are many claims based on guesswork that we can't tell when a person is running automation for systems like field respeccing within seconds. Every time you interact with the server we log either the specific event or an aggregate of similar events firing multiple times. We can (and do!) look through those logs using analytic engines. If you want to know more about the concept, look up 'big data' in google - we strive to make all decisions on making changes to the game based on the data we have, and we have a lot of data. We also use that data for game forensics - we may not react in a real-time manner for most things, but as people foolish enough to speedhack know, we can and do act based on irrefutable data.

     Now, all that said, what are we going to be doing going forwards now that this issue is very much in the limelight? Expect changes to the ability to field respec in Warzones. We were already working on this as part of some upcoming PvP updates (Bruce detailed some of that this week I believe), and we may bring the field respec changes forward - or we may just keep them where they are so to not impact the game update schedules and instead update our existing Warzone game forensic reporting to include inhumanly fast field respec events. Either way my advice if you are currently macroing within Warzones is to stop.
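The post above describes the detection side in general terms: server events are logged, aggregated, and searched for "inhumanly fast field respec events". The following is an added example written for this page, not BioWare or SWTOR code, of what that forensic check looks like over log data. The log line format, the field names (`char=`, `zone=`, `spec=`), the character names and the 5-second human threshold are all constructed assumptions; the point is the technique: parse, filter to the zone of interest, compare consecutive timestamps per character, and aggregate the hits into a report row.

```python
"""Added example (not SWTOR/BioWare code): flag inhumanly fast field-respec events
in Warzones from constructed server log lines. The log format, field names and
the 5-second threshold are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <event> char=<name> zone=<zone> spec=<spec>"
SAMPLE_LOG = """\
2013-08-20T19:02:11.120Z RESPEC char=Kaelis zone=Warzone:Huttball spec=Watchman
2013-08-20T19:02:12.310Z RESPEC char=Kaelis zone=Warzone:Huttball spec=Combat
2013-08-20T19:02:13.450Z RESPEC char=Kaelis zone=Warzone:Huttball spec=Watchman
2013-08-20T19:05:40.000Z RESPEC char=Dorra zone=Warzone:Huttball spec=Madness
2013-08-20T19:06:55.000Z RESPEC char=Dorra zone=Warzone:Huttball spec=Lightning
2013-08-20T19:07:00.000Z RESPEC char=Dorra zone=Fleet spec=Madness
2013-08-20T19:07:01.000Z RESPEC char=Dorra zone=Fleet spec=Lightning
2013-08-20T19:07:02.000Z LOGIN char=Vexx zone=Fleet
"""

# Assumed: a respec through the UI (open window, confirm, re-pick the tree) cannot
# be completed by hand in under this many seconds.
MIN_HUMAN_INTERVAL_S = 5.0

def parse_line(line: str) -> dict:
    """Parse one log line into a dict; the timestamp is stored as a datetime under 'ts'."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ"), "event": event}
    rec.update(pair.split("=", 1) for pair in pairs)
    return rec

def find_fast_respecs(log_text: str, min_interval: float = MIN_HUMAN_INTERVAL_S) -> dict:
    """Return {character: [seconds between consecutive Warzone respecs, ...]},
    keeping only the intervals shorter than min_interval."""
    last_respec = {}
    flagged = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        # Only respecs inside a Warzone count; respecs on the Fleet are normal play.
        if rec["event"] != "RESPEC" or not rec.get("zone", "").startswith("Warzone:"):
            continue
        name = rec["char"]
        if name in last_respec:
            delta = (rec["ts"] - last_respec[name]).total_seconds()
            if delta < min_interval:
                flagged[name].append(round(delta, 3))
        last_respec[name] = rec["ts"]
    return dict(flagged)

def summarize(flagged: dict) -> dict:
    """Aggregate the flags per character into the shape a forensic report row would carry."""
    return {name: {"count": len(iv), "fastest_s": min(iv)} for name, iv in flagged.items()}

if __name__ == "__main__":
    hits = find_fast_respecs(SAMPLE_LOG)
    for name, row in summarize(hits).items():
        print(f"{name}: {row['count']} fast respecs, fastest {row['fastest_s']}s")
```

On the constructed sample only Kaelis is flagged (two respecs about a second apart inside a Warzone); Dorra's Warzone respecs are over a minute apart and her Fleet respecs are ignored by the zone filter. In a real pipeline the threshold would be tuned from the distribution of legitimate respec intervals rather than picked by hand, and a flag would feed a review queue, not an automatic action.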
  4. Chiming in.... I'll be as clear as I can be. Automation of the game in any way is against the ToS. This includes macro'ing in order to respec during Warzone matches. Remapping keys on a keyboard (or Nostromo or Logitech) device so that one key press == one click or ability cast within the game is fine. Using a programmable keyboard or software macro so that one key press == multiple clicks or ability casts in the game is not. Hopefully that doesn't leave room for 'interpretation'. If it does, ask a binary question and I'll give a yes/no.
  5. Speedhacking is a real thing. So are suspensions and bans...

     We treat each report of speedhacking seriously and by using game data cull speed hackers from the game as they are detected. We have some awesome game engineers who have provided our Terms of Service team with a great set of tools to help in this area. These tools of course are not fool-proof, and while we do have to constantly develop our tools to keep up with 'bad' player ingenuity, we do catch up with people eventually if they do manage to avoid being detected in the first instance.

     Speedhacking and other exploits are bad. We will action any type of account including subscribers, so for those inclined to speedhack, please take that into account before giving into temptation.

     We also get a number of player reports when speedhackers come into game. A lot of these sadly are misunderstandings of other class abilities, but occasionally we do get a great report and we do take appropriate action. We don't have a 'name and shame' policy and as such will only ever say appropriate action will be taken if warranted.

     In case it isn't well known, it's best not to post speedhackers' character names and/or YouTube links in the forums - we also have a strict set of rules here as well as to what cannot be posted. The right thing to do if you see somebody speedhacking is to submit an in-game ticket by clicking the '?' and reporting harassment and in the text area typing in a short description of what occurred and when (including time-zone!). If you do fraps something and publish it, please only put that link in the ticket, and never in the forums. I don't want good people actioned for accidentally breaking a completely different section of the ToS when they have good intent.

     I appreciate everybody (including myself) would love to see a speedhacker actioned within minutes of being reported. It will take us hours or even occasionally days to get each confirmed reported account actioned appropriately (we do err on the side of caution as you should expect us to), so please bear with us while we work through our process.
  6. Apologies for the delays we have had in getting the Physical Security Key made available once more within Europe. What I'm sure looks like an 'easy' thing to do is actually quite complicated internally. While the keys have been available in the Origin Store for the last couple of weeks, they were put up with prices that were different to what was advertised on the SWTOR website. You will be happy to hear that the prices agreed on are the lower of the two, and not the larger of the two.

     I'm happy to announce that for most of Europe, the Physical Security Key is once more available. For the rest of Europe we are still working on making the Physical Security Key available once more in the following countries:
     • Czech Republic
     • Germany
     • Poland
     • Switzerland

     As soon as I have an update on these countries I will be posting another update. As each link is country specific for finding the key within the Origin Store, and as we can't guarantee that the links won't change over time, the easiest way to find the item in the store is to open the Origin Store in a browser ( http://store.origin.com ) and in the upper right-corner, type "Star Wars Physical Security Key" in the search box.
  7. I hadn't given an update that the Physical Security Key is available again in the EU Origin Store just yet as we are still working with our partners in Europe on the pricing due to the mismatch which is causing confusion. As soon as we sort out what the pricing is, I'm sure we will post an update.
  8. A quick update today the 22nd of April. After diagnosing a couple of places where the slowdown of outbound OTP emails became evident on the 13th April, the teams have written and implemented another hotfix in addition to increasing the amount of infrastructure handling the outbound emails. We will of course be monitoring the situation carefully as usual to see how effective this latest change is. And to think my original post that started this thread was based on data that ended on 12th April! I'm still kicking myself over that! As usual with these things, timing is everything... As mentioned previously there are also some other pieces of work I've called out which are still being worked on, so expect more news as those progress.
  9. That was the answer we were looking for. The majority of the studio play on the 'official' servers on pretty much a daily basis. We aren't allowed to say what our character names are or even that we work here to our guild-mates, but we do play... Some of us more than others of course! We even have mini competitions between ourselves to see who can play the most of the most things.
  10. A few responses...

     The Security Key entry means that you will not be sent an OTP message at any time unless you are trying to remove the Security Key from your account. While I've seen a number of people try to say that we are wanting to force people into using a Security Key, that is not correct - we are making changes to alleviate the issues for the people affected by the issues being talked about on the forums as it was never the plan to force people to use a Security Key on their account.

     I'm also not sure how long ago you had a CS agent discourage you from using the Mobile Security Key. The application is working well (apart from an Android glitch with font colours which can be fixed by going to the main menu in the app and back in to the code page again), and it does prevent the OTP message being required for normal authentication. We have also implemented a self-service system for lost/remove/replace scenarios which means you no longer have to call CS to fix a Security Key issue.

     I have this on my list of 'nice to have' and one day we may get there. No promises though as the cost associated with our Security Key implementation (the time-based system we already have) was covered a couple of years ago.

     I don't mind you asking again - I'm still asking for it myself! Still no news on if or when this might happen.

     If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

     Simply removing the OTP system also means we would be removing the self-service for Security Key system, forcing people to have to call CS once more when they had a Security Key issue. That was a constant source of new threads before we launched the self-service options, and I don't think we want to go back there....

     While the number of posts on this topic indicates there are some issues, you have to remember that people without the issue are not posting as they don't have a reason to (unless they are bored and actually read these posts). While we are working on solving the issues people are posting about, you have to keep in mind that the vast majority (and I do mean vast!) are not having the issues people are posting about. Don't get me wrong here - I'm not trying to say there is not a problem or that we are trying to dismiss the issues. Reality is very much the opposite when it comes to the seriousness that we are taking on ensuring all players can log in to the game when and where they want to as quickly as possible without also creating an account take over issue.

     You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has, we are not ignoring this issue at all.

     Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55's. Sadly there are a number of groups attacking MMO's for a multitude of reasons, and we have a duty to protect players' accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model. TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

     I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

     As for Mordac, I've been called worse, but usually as a joke given security related roles are hardly ever seen as ones where positive news is given out... IMO Mordac would go for the 'pint of blood needed to log in' approach. OTP in the end doesn't actually prevent information services.

     We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

     We protect all accounts in the same way, so yes, this setting change applies to everybody who is receiving OTP emails.

     As I get more updates on other work we have ongoing I'll be sure to post - I'll see if I can get more answers to questions posted again in the next couple of days if I have time...
  11. A very quick update - we have just rolled out a change in the expiry time for the OTP message which allows it to be valid for a longer period of time, and we will be monitoring how effective the change is for if we need to tweak it further or not. I may even get a chance to answer some of the questions raised in this thread in a bit if I'm lucky...
  12. Apologies for the lack of direct replies. Given the number of different threads, I've posted a new thread covering the different issues, and an update can be found at: http://www.swtor.com/community/showthread.php?t=626829
  13. Now that things have settled in a bit since the changes we made with the authentication system, and also now that Rise of the Hutt Cartel is launched, I thought it best that we update you on some upcoming pieces of work we have around the One-Time-Password (OTP) system. No ducks involved!

     We have a number of topics that need addressing (in no particular order - they are all equally important!):
     • OTP messages sometimes expire before they can be used
     • IP address changes are very annoying
     • Deleting cookies in a browser forces a new OTP every time
     • Mobile Security Keys are only available to Subscribers
     • Physical Security Keys are still out of stock in Europe

     OTP messages sometimes expire before they can be used
     There are quite a few reasons why there can be a delay in the email getting delivered in time, and not all of them on the SWTOR side of the fence. While we all expect email to instantaneously arrive, this is not always the case, and as a result we are changing how quickly the OTP code expires before it can be used successfully. Now the expiry isn't being changed dramatically (we are adding a number of minutes, not hours). But it is being increased based on analysis of the data we are seeing around when an OTP is sent, and how quickly those players affected by a delay in getting their email are able to attempt to enter in the OTP code. Needless to say the vast majority of the edge-cases are being catered for without dramatically reducing the security aspects associated with the expiry of the OTP message itself.

     I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.
     • A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. The bulk of the forum threads I have seen and researched are affected by this anti-spam system.
     • Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher.
     • The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards aren't something we have visibility into.

     When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again.

     ETA: Within the next 7 days. If we can get away with a rolling hotfix to cover all the various servers involved we will, otherwise we will have to wait till next Tuesday's maintenance. This isn't a guarantee, and things are looking good for 7 days being the maximum, and not the minimum time for this change to be deployed.

     IP address changes are very annoying
     I have to wholeheartedly agree that having to enter a new OTP every time the IP changes is very annoying. We actually have pieces of the long-term fix already deployed, and the delay in being able to implement the additional pieces to reduce the IP check's importance in our weighting of the various controls in place is two-fold. Firstly we have to prioritize this work alongside other clearly important pieces of work. Delaying work needed for the release of Rise of the Hutt Cartel for example was discussed and understandably getting the expansion out on time took precedence. Secondly, we have limited resource. As much as it would be nice if we could have lots more people on each of the teams involved in making the required changes, we are running a business... I can't give an ETA on when we will have the remaining pieces of work completed. I know it's not what people want to hear, but as soon as we have an ETA for this, I will post a better timeframe for the change to be deployed.

     Deleting cookies in a browser forces a new OTP every time
     This is specific to using a web browser and our website. The game launcher is not affected by this behaviour. There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting. I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work as well as Internet Cafés or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

     So, that leaves us with a few ways to not get prompted each and every time:
     • Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
     • Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
     • Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time

     ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.

     A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

     Mobile Security Keys are only available to Subscribers
     This was a decision made before we launched the new Free to Play model SWTOR now works within. There is a substantial cost we absorb by providing the Mobile Security Key solution (even ignoring the 100 cartel coins per month you get as a side-benefit), and until we could provide a self-service model for losing or replacing a Mobile Security Key, we could not consider providing it to everybody. We are currently looking at providing the Mobile Security Key additionally to 'Preferred' status players as an authentication option in addition to Subscribers. The idea is that once you put a real dollar value against your account in the form of cartel coin purchases or even a subscription, we will acknowledge that trust in us as a studio and at that point provide the option to you as a player.

     ETA: I don't have definite approval or even an estimated date for when this can go live, so I'm going out on a limb here and telling you far earlier in the process than we would normally do so. I blame Eric, Courtney and Amber for leading the way here and ruining my natural desire to be secretive.

     Physical Security Keys are still out of stock in Europe
     We are almost there with the logistics surrounding getting the Physical Security Key made available within Europe again. I'm expecting to have news on their availability back in the store sometime in the next couple of weeks. There is an ongoing internal issue with getting the Physical Security Key made available for Germany, Poland, Switzerland and the Czech Republic. I totally understand that the majority of the ISPs in Europe that require an IP change on a daily basis are located in Europe and you can be sure that we have the SWTOR Executives helping prioritize that issue internally to ensure we get the keys made available as soon as is possible.

     I will try to answer any questions as soon as I see them when time permits. I apologize in advance if helping organize all the above (in addition to my 'normal' job!) means I don't post quite as often as you might desire...
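The post above describes two mechanisms without showing them: a weighted set of log-in checks (cookie carrying a high weight, IP address carrying less, a registered Security Key replacing the e-mail OTP altogether) and an OTP that expires if the mail is delayed by greylisting. The following is an added example written for this page, not SWTOR or BioWare code, that puts both together in a minimal form. The weights, the 50-point threshold, the 15-minute TTL, the account history and the IP addresses are constructed assumptions; nothing here reflects the real values SWTOR uses.

```python
"""Added example (not SWTOR/BioWare code): a weighted log-in risk check that decides
whether an OTP e-mail is sent, plus OTP issue/verify with an expiry window and
single use. All weights, thresholds, the TTL and the sample account data are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LoginContext:
    ip: str
    cookie: Optional[str]      # site-specific device cookie, None if the browser sent none
    has_security_key: bool     # a registered Mobile/Physical Security Key replaces the OTP

@dataclass
class AccountHistory:
    known_ips: set = field(default_factory=set)
    device_cookies: set = field(default_factory=set)

# Assumed weights: an absent or unknown cookie alone is enough to trigger an OTP;
# a changed IP on its own is not (the "reduce the IP check's importance" direction).
WEIGHTS = {"cookie_missing": 60, "cookie_unknown": 60, "ip_unknown": 30}
OTP_THRESHOLD = 50

def risk_score(ctx: LoginContext, history: AccountHistory):
    """Return (score, reasons) from the checks that fired."""
    score, reasons = 0, []
    if ctx.cookie is None:
        score += WEIGHTS["cookie_missing"]; reasons.append("cookie_missing")
    elif ctx.cookie not in history.device_cookies:
        score += WEIGHTS["cookie_unknown"]; reasons.append("cookie_unknown")
    if ctx.ip not in history.known_ips:
        score += WEIGHTS["ip_unknown"]; reasons.append("ip_unknown")
    return score, reasons

def needs_otp(ctx: LoginContext, history: AccountHistory) -> bool:
    if ctx.has_security_key:       # key code is the second factor; no e-mail OTP
        return False
    return risk_score(ctx, history)[0] >= OTP_THRESHOLD

# --- OTP with expiry -------------------------------------------------------
OTP_TTL_SECONDS = 15 * 60              # assumed window ("a number of minutes, not hours")
SERVER_KEY = secrets.token_bytes(32)   # per-process secret so a leaked store is not brute-forceable

def _digest(code: str) -> str:
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).hexdigest()

def issue_otp(now: float):
    """Return (server_record, code_to_email); only the keyed digest is stored."""
    code = f"{secrets.randbelow(10**8):08d}"
    record = {"digest": _digest(code), "expires": now + OTP_TTL_SECONDS, "used": False}
    return record, code

def verify_otp(record: dict, submitted: str, now: float) -> bool:
    """Accept once, only before expiry, using a constant-time comparison."""
    if record["used"] or now > record["expires"]:
        return False
    if not hmac.compare_digest(record["digest"], _digest(submitted)):
        return False
    record["used"] = True
    return True

# Constructed account state for the demo
HISTORY = AccountHistory(known_ips={"203.0.113.5"}, device_cookies={"dev-cookie-abc"})

def demo() -> dict:
    """Which of four constructed log-in situations would trigger an OTP e-mail."""
    cases = {
        "same_ip_same_cookie":        LoginContext("203.0.113.5", "dev-cookie-abc", False),
        "new_ip_same_cookie":         LoginContext("198.51.100.9", "dev-cookie-abc", False),
        "private_browsing":           LoginContext("203.0.113.5", None, False),
        "new_ip_no_cookie_with_key":  LoginContext("198.51.100.9", None, True),
    }
    return {name: needs_otp(ctx, HISTORY) for name, ctx in cases.items()}

if __name__ == "__main__":
    print(demo())
    rec, code = issue_otp(now=0.0)
    print("mail delivered after 10 min:", verify_otp(rec, code, now=600.0))
    rec, code = issue_otp(now=0.0)
    print("mail held by greylisting for 20 min:", verify_otp(rec, code, now=1200.0))
```

The four demo cases reproduce the post's rules: a daily ISP address change with the cookie intact stays under the threshold, private browsing (no cookie) triggers the OTP even from a known address, and a Security Key holder never gets the e-mail. The second OTP run shows why the TTL matters: a code delayed past the window by a greylisting retry fails verification even though it is the right code, which is exactly the failure the post says is being addressed by lengthening the expiry.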
  14. I've noted people read a lot more into the specific words that we use than we might actually be meaning regardless of intent, so of course you can...
  15. We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things. People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with. We are working on seeing what we can do for the players affected by ISPs that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.