Initial answers below!
For those of you wondering why MrYellowDuck surfaced, you will find there was a theme hiding in the answers to the original posts a couple of weeks ago when I mentioned I was lining up some ducks. It was meant as a bit of humour in what is otherwise a very boring topic, so please don't get too sidetracked by MrYellowDuck himself...
One of the aspects of the current (pre-April 2nd) implementation is that it is possible to get into a state where you are asked a Security Question every time you log in. The changes on April 2nd will eliminate that state, and from April 2nd onwards you will only be prompted if we detect a change that warrants revalidation.
So every time I have to answer a security question now, I will have to check my email and copy-paste a code?
That is a major annoyance for me, as every time I restart my PC the game and the website ask for a security question.
Please tell me that that is not true!
I won't go into detail on all the aspects that we use to determine a change has occurred other than to say IP address is indeed one of the aspects. I realise that will be very annoying for those people with an ISP that changes out IP addresses on a regular basis, but that frequency of being asked for an Email Security Code based on just IP address change will not change from how often it does get asked today. As a number of people have pointed out, the solution there would be to get a Security Key which, while it does ask you every time you want to log in, does not have the small delay in waiting for an email to arrive.
The frequency you are describing does appear to be the state issue I originally described however, and that will stop happening going forwards.
Yes, if you have a Security Key, that trumps everything else and you will not have to additionally enter an Email Security Code. ISPs that change IP address every day on their customers were taken into consideration, but sadly we can't eliminate the IP address out of the equation and still stay at a reasonable level of security within the authentication process.
This leaves two questions open for me:
1. How do you determine "changed location"? Before I got an authenticator, I was prompted my security question every day I logged in, simply because my ISP hands me a different IP every day. The chance that I will ever reuse the same IP is very low, even though I am always using the same computer. I would obviously not be pleased if I would have to wait for a mail and enter some security code every single day in the future. Or is this security measure void if there is an authenticator used?
2. Since this information is obviously important enough that the security chief does post himself, how long will it take to get this information translated into the two other languages that this forum supports? (This time it is not "just before the weekend")
Oh and on a side note... Maybe I am just not getting the joke or it is lost in translation, but if I were making fun of customers, who are weary about security issues, by comparing them with a hysterical duck, my boss would likely lock me up in the company's basement and deny me any access to public channels... and he would do right.
For the direct question on how we determined changed location, there are many factors taken into account, and this is one of those pieces where it isn't quite straightforward to figure out for an attacker. So I'll leave the attackers with work to do...
For the side note, I'm anything but making fun of customers - my intent was to make fun of a fictitious yellow duck as an attempt to bring a bit of humour into what is otherwise a very boring topic. That and continue a theme from the previous answers to the thread from a couple of weeks ago. No offense intended!
Sadly the answer is not what you wanted to hear. There is a certain point where keeping security at an acceptable level has to outweigh the inconvenience - if that were not the case, we would gladly do away with passwords and their ilk without a second thought! There are bad people out there that would love to take over other people's accounts - and our authentication system (and all its complexities) is what stops them.
This apparently is an issue many players will have, so I'm really hoping for some reasonable reply (meaning not "I'm sorry but you'll have to suck it up and deal with email or authenticator").
Oh, come on, everyone should have at least one 'unsafe' email for such things.
I do have many unsafe email addresses - I'm not actually asking for donations though, so no email address should be given.
Our system is not designed that way - currently an 'account' is directly related to a set of characters, and there are no plans to have yet another layer of (master?) account that links several accounts together.
Is there anything being developed that will merge multiple licenses into one account?
The names I had to select for the other accounts aren't necessarily as easy to remember.
We are working on getting the Security Key back in stock within EU as quickly as we can - I'm in constant contact with the people who run the EU side of the Origin Store where the keys are sold, and as soon as I have a better date than 'soon' I'll be sure to get a post up.
Do you know where Security Keys are for sale in the EU and/or generally outside of the US? As far as I'm aware, Security Keys are not currently for sale outside of the US.
Perhaps Mr. Philip_BW could help with this?
It was more of a theme based on my previous comments about getting ducks lined up - I don't actually have a bathtub duck, but am now thinking of getting one!
This made me literally laugh out loud. I'd not seen that link before, but it was well worth the read! Thanks! It's the reason I'm thinking of getting a rubber duck now...
Considering how many people asked pretty much the same question in various different guises of language, the use of Mr. YellowDuck was warranted. Yellow ducks are adorable, but real ducks are the most terrifying things to behold. Would have rather he used "Generic SWTOR Player #7789"?
Maybe Mr. Phillip_BW talks to his yellow bathtub duck a lot, to share his security ideas and secrets.
I'd have had to go with 'droid references and single-file banthas, and it wouldn't have made as much sense. I'll try to pick something more Star Wars oriented for next time perhaps.
My question is this:
What's with everything being duck related?
Shouldn't you be getting all your Jawas in a row?
I've never seen a duck round these parts till you showed up.
I've no idea if the name is taken in-game as a character. If it is, it's nothing to do with BioWare. I did however register the account name while writing up the post, so the only MrYellowDuck posts you might see will be mine...
I bet that name is now taken in game if it wasn't already.
Yes - the bug referenced will be fixed as part of this implementation on April 2nd. It didn't affect many players, but it sure is annoying for them and I'm all for a better login experience (as long as it stays secure!).
My brother has that problem, too. He needs to answer the security question every single time he logs in, even when he does it from the same PC. According to phone support, some accounts are bugged that way and need to answer the question every time and "they are working on it". He was told that back in June, though. Hopefully that won't mean the people that suffer from that bug will get spammed by these new security question e-mails every single time he logs into the game or forums.