
An update on the One-Time-Password system (April 16th 2013)


Phillip_BW


He came here adding his voice to those that are fed up with the rings and hoops. Your point 1 on your first post to him (and subsequent post) were attacking. So following those up with a "here's how not to get attacked" is still a form of attack.

 

Quite frankly, there are some people that are going to have this problem no matter how hard they or anyone else tries fixing things on the client's end. People deserve a place to have their voice heard for the frustration they are going through. Again, don't like it? Don't read their post. If they're crying for help but provide no details, then either move on or request more details. Pick on things that are not factual, consider it as being ignorant/misinformed (because that is not being rude), but don't pick on how they posted by saying nobody cares. That is being polite.

 

In my opinion, it is NOT polite for them to be arrogant and disrespectful. I disagree with your attitude, assuming that someone venting is under NO obligation to be respectful, but I am.

 

Excuse me? People continue to make excuses and complain because of personal reasons -- I'm sorry if it's "picking on them" by stating a fact -- people don't care whether or not you're upset because your girlfriend can't log on. Unnecessary information is unnecessary.

 

You're welcome to follow your own advice though -- don't like my posts? Ignore me, and don't read them.

 

/endbicker


He does not have to. But I also don't expect him to misrepresent what he said either.

 

Ninja edit ftw.

 

You are making assumptions about him. Yes, he has other gripes about the game. That does not mean that they are the root cause of his wanting to leave. That's a leap of logic that does not flow smoothly.


Ninja edit ftw.

 

You are making assumptions about him. Yes, he has other gripes about the game. That does not mean that they are the root cause of his wanting to leave. That's a leap of logic that does not flow smoothly.

 

:rolleyes: Yes.. I edited... to be more polite. Shocking I know.

 

LOOK.. if you cannot bother to read what he claimed + my comment back in context (he claimed he provided specifics) I really cannot help you with your thought process. Please go back and read. Right now.. you appear to just be focused on jumping on myself and Kilora for the sake of jumping. IMO, you have become ironically bound to the very thing you are jumping about.

Edited by Andryah

I am just saying that a login in a game must not take 5-20 minutes, because everything taking so long just annoys people. The normal one should only take 1-2; that is normal, that is manageable and does not interfere.

But if you first have to open the browser, then go to your email provider, and then go to the mailbox, that's too complicated and annoys people. And whoever uses Outlook must also start it first, and that sometimes takes time too, unless it always starts with the launch of Windows.

And as long as one is always forced to open a further program to get to play SWTOR, there will always be people who are dissatisfied.

And this problem can be solved by setting the decay time higher, because it shows me that this system was not properly thought through, otherwise you would not say now that the decay time needs to be set higher, and if that is still not enough, then again.

If you had thought from the beginning, then this problem could not exist, because you would have thought about the email providers' spam filters.

Anyone who operates an MMO should also not be focusing on the players living in the U.S.A., because there are other people from different countries with other Internet providers, like in Europe, which, in addition, is notably one of the major markets for SWTOR. Many users from there have IP addresses which change frequently, so you also have to have a solution for them if you start a new system; if you do not, then you do not think about them. And if you say "you work on it" after launching a new system, then you do not think about them again. In the end this shows me that BW didn't think much about their new system.

And so for me the whole text of BW is an admission that they have not thought about the new system and that they do not care about the people who do not live in the U.S.A. Because if BW had thought about the people in Europe, then they might not have launched such a bad new system, which a lot of people are unhappy with.

And unhappy customers are very bad for a F2P game, because they will tell it everywhere, and unhappy customers do not spend money on a game, and no money means no game.

Also I miss some answers in the text, like:

Why is there no token in EU? A link to that answer would be nice, if it exists.

How do I get the mobile token if I have no iPhone or Android phone?

What if you have a new email address?

Lost your email address information, like the password?

Why the new system?

Is it really safer than the security questions? For me not, because:

It will not save my account from a hack: if EA/BW is hacked my data is gone, if my PC is hacked the data is gone, if my email account is hacked the data is gone.

If you log in from a hotspot, it is easy there to get your password and account names for SWTOR accounts and for the email account. (A hotspot is open to everyone, so everyone can get into the hotspot, and there is no security in a hotspot, which means hackers can read all the data you type in the browser.)

It only saves your account against direct hacks, but security questions would do that too. And 100% security against hacks does not exist, because a hacker will always find a way, if he really wants.

PS: I wrote that text during the time I waited to get to play SWTOR (20 min)

Edited by XStar_MT

In my opinion, it is NOT polite for them to be arrogant and disrespectful. I disagree with your attitude, assuming that someone venting is under NO obligation to be respectful, but I am.

 

Excuse me? People continue to make excuses and complain because of personal reasons -- I'm sorry if it's "picking on them" by stating a fact -- people don't care whether or not you're upset because your girlfriend can't log on. Unnecessary information is unnecessary.

 

You're welcome to follow your own advice though -- don't like my posts? Ignore me, and don't read them.

 

/endbicker

 

And you're getting after him for the unnecessary information is unnecessary. :rak_01:


Please read recent posts between him and me... rather than jumping.

 

I have been reading the posts. Somehow or another you have it stuck in your head that he is using the OTP as an excuse for leaving when his real complaints are something else and that he hasn't really tried to solve it yet before complaining.

 

As I already said, one can have issues with the game without them being the root cause for dissatisfaction. They are merely the other "straws" that ultimately break the camel's back.

 

He does not need to give you all of the details of what he has tried so far. You are not CS and he has already been in touch with them... should that not say enough?

Edited by FuryoftheStars

  • Dev Post

A few responses...

So if I have the security key app on my phone (which I was discouraged to use by a Bioware customer service representative), I don't have to wait for an email?

The Security Key entry means that you will not be sent an OTP message at any time unless you are trying to remove the Security Key from your account. While I've seen a number of people try to say that we are wanting to force people into using a Security Key, that is not correct - we are making changes to alleviate the issues for the people affected by the issues being talked about on the forums as it was never the plan to force people to use a Security Key on their account.

I'm also not sure how long ago you had a CS agent discourage you to use the Mobile Security Key. The application is working well (apart from an Android glitch with font colours which can be fixed by going to the main menu in the app and back in to the code page again), and it does prevent the OTP message being required for normal authentication. We have also implemented a self-service system for lost/remove/replace scenarios which means you no longer have to call CS to fix a Security Key issue.

I really wish you would switch to time-based One-time Passwords according to RFC 6238.

 

Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

I have this on my list of 'nice to have' and one day we may get there. No promises though as the cost associated with our Security Key implementation (the time-based system we already have) was covered a couple of years ago.

And I'll just add this in again...

 

Please create a mobile security key for Windows Phone (7/8) so we don't have to carry around the keychain fob thingy.

I don't mind you asking again - I'm still asking for it myself! Still no news on if or when this might happen.

The SW:TOR website says Physical Security Keys are out-of-stock, so I can't buy one from you guys until they are back in stock. When will this be?

If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

First of all, Thank you Bioware for the reply. I have to say though, that I have a feeling there's something you're not telling us: why is it that difficult to simply remove this feature? No need to worry about making sure emails are sent on time, etc. Simply removing the one time password and bringing back the security questions shouldn't be that difficult, right?

Simply removing the OTP system also means we would be removing the self-service for Security Key system, forcing people to have to call CS once more when they had a Security Key issue. That was a constant source of new threads before we launched the self-service options, and I don't think we want to go back there....

While the number of posts on this topic indicates there are some issues, you have to remember that people without the issue are not posting as they don't have a reason to (unless they are bored and actually read these posts). While we are working on solving the issues people are posting about, you have to keep in mind that the vast majority (and I do mean vast!) are not having the issues people are posting about.

Don't get me wrong here - I'm not trying to say there is not a problem or that we are trying to dismiss the issues. Reality is very much the opposite when it comes to the seriousness that we are taking on ensuring all players can log in to the game when and where they want to as quickly as possible without also creating an account take over issue.

The mail headers I see are interesting. The mail appears to come from Dynect (216.146.40.12) who I guess you are using as a mail service. The mail headers indicate ~1 second from there to my mailbox. It usually arrives too late for me to use the OTP. I will be very glad to see the time limit increase, but I'd also recommend you look at the process between the OTP generation and Dynect sending the mail. It varies greatly in performance. Sometimes it can take seconds, other times it can take 10-15 minutes repeatably.

You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has we are not ignoring this issue at all.

Why is there no discussion of an option to opt out of two way authentication? Clearly, some value the extra security. Clearly, some are experiencing frustration with the barriers two way authentication presents in logging into the game. If I were offered the option of having password only login under the 'scary' condition that I would receive no support from customer service if my account was hacked and resulted in the loss of virtual items, I would gladly take it. Two way authentication is a resource burden for SWTOR -- having the option to not use it is a win for the service provider and a win for customer satisfaction.

Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55's. Sadly there are a number of groups attacking MMO's for a multitude of reasons, and we have a duty to protect players accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model.

TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

I run Firefox and, in general, I do not like cookies. I put an exception for "www.swtor.com" and that does not help. I have third party cookies disabled, first party enabled. Still no love. I don't know what to do here. I am not going to simply enable all cookies just so that I don't have to jump through these hoops every time. Instead, I will just minimize the number of times I post on these forums. But this time, I logged in specifically to say how much I hate, with a fiery passion, the million time password system.

 

EDIT: By the way, for anyone who is into Dilbert comic strips, this OTP system very much makes me think of Mordac the preventer of information services. Mordac is their IT guy and he takes a special pleasure in making it impossible for users to do anything. This OTP system is, in my opinion, so over the top in terms of security that it is most definitely something that Mordac would be in favor of.

I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

 

As for Mordac, I've been called worse, but usually as a joke given security related roles are hardly ever seen as ones where positive news is given out... :jawa_wink: IMO Mordac would go for the 'pint of blood needed to log in' approach. OTP in the end doesn't actually prevent information services.

Is any work going to be done as far as making sure that the mobile security key is compatible with more Android cell phones? I have a Galaxy S2 and it doesn't work. I would love to use it but I can't. :(

We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

Cool.

 

Are you able to share any specifics? Is it the same setting for everyone?

We protect all accounts in the same way, so yes, this setting change applies to everybody who is receiving OTP emails.

 

 

As I get more updates on other work we have ongoing I'll be sure to post - I'll see if I can get more answers to questions posted again in the next couple of days if I have time...
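The hop-by-hop timing check discussed in the post above (reading the mail headers to see which stage made an OTP email arrive too late), as an added Python example that is not part of the thread or BioWare's code. The message, host names and the 10- and 20-minute validity windows are constructed; the thread does not state the real expiry time.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: hosts, addresses, ids and times are made up for illustration.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.25])
\tby mx.mailbox.example with ESMTP id abc123;
\tTue, 16 Apr 2013 18:12:41 +0000
Received: from app01.internal.example (app01.internal.example [10.0.0.7])
\tby relay.example.net with ESMTP id def456;
\tTue, 16 Apr 2013 18:12:40 +0000
Received: by app01.internal.example (Postfix, from userid 33)
\tid 9F2A1; Tue, 16 Apr 2013 18:01:05 +0000
Date: Tue, 16 Apr 2013 18:01:03 +0000
From: noreply@game.example
To: player@mailbox.example
Subject: Your one-time password

Code: 000000
"""


def timeline(raw):
    """Return [(label, datetime)] oldest first: the Date header, then each hop."""
    msg = message_from_string(raw)
    points = [("Date header", parsedate_to_datetime(msg["Date"]))]
    # Every server prepends its Received header, so the list is newest first.
    for value in reversed(msg.get_all("Received", [])):
        stamp = value.rsplit(";", 1)[1].strip()  # timestamp follows the last ';'
        host = re.search(r"\bby\s+(\S+)", value)
        label = host.group(1) if host else "unknown"
        points.append((label, parsedate_to_datetime(stamp)))
    return points


def diagnose(raw, validity):
    """Locate the slowest stage and decide whether the code outlived delivery.

    Assumes the Date header approximates OTP generation time; the sender's own
    logs would give the exact value. Stamps come from different clocks, so a
    negative stage is reported as skew rather than trusted.
    """
    points = timeline(raw)
    stages = [(f"{a[0]} -> {b[0]}", (b[1] - a[1]).total_seconds())
              for a, b in zip(points, points[1:])]
    total = (points[-1][1] - points[0][1]).total_seconds()
    slowest = max(stages, key=lambda s: s[1])
    return {
        "stages": stages,
        "total_s": total,
        "slowest_stage": slowest[0],
        "slowest_s": slowest[1],
        "clock_skew": [name for name, secs in stages if secs < 0],
        "expired_on_arrival": total >= validity.total_seconds(),
    }


if __name__ == "__main__":
    for minutes in (10, 20):  # assumed windows; the thread does not give the real one
        r = diagnose(SAMPLE, timedelta(minutes=minutes))
        print(f"{minutes} min window: delivered after {r['total_s']:.0f}s, "
              f"slowest {r['slowest_stage']} ({r['slowest_s']:.0f}s), "
              f"expired on arrival: {r['expired_on_arrival']}")
```

In the constructed message the relay-to-mailbox hop takes one second while the hand-off from the application host to the relay takes almost twelve minutes, so lengthening the validity window hides the delay without removing it.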


I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

That worked! I added an exception in Firefox to allow cookies from "swtor.com", logged in (OTP e-mail), logged off, closed Firefox, re-opened Firefox, logged in again...no OTP this time!! I re-read your original post and you did, in fact, mention "swtor.com". I must have assumed that "www" was implied.

 

I really do appreciate your response. I meant nothing personal with the "Mordac" comment. Thank you very much for your help!


Just to add my tuppence worth.

 

I can no longer log-in. The OTP arrives between 10 and 20 mins after I try to log in and of course has expired.

 

I'm beginning to regret renewing my subs. What's the point if I can't play the game? I'm sure you had good intentions when you implemented this, but listen ... there are people who simply cannot get into the game now. Is that not high priority for you?

 

(in Europe, no smart phone, OTP being requested every time the PC is turned off.)


Simply another 2 subscriptions lost due to this headache of a security system. I pay to play the game, not have trouble every time I log in; I literally spent more time troubleshooting when trying to play. My account subscription only lasted 2 weeks because of this. Obviously this business likes to lose money.

Edited by azzdawg

 

 

 

You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has we are not ignoring this issue at all.

 

 

good to see that someone from the outside nailed it for you.

the increase in time is a nice workaround but getting the email fast should still be top priority since the error is on your side.

 

that said your workaround in increasing the time works for me, but should have been implemented on Monday, not yesterday. why? because I don't care if other people play for free, I do not and asking me for a code that you are sending too late for your own system, then you are just not fulfilling your end of the bargain.

 

I'll say thank you anyway but I am not happy about how long it took you.


Simply another 2 subscriptions lost due to this headache of a security system. I pay to play the game, not have trouble every time I log in; I literally spent more time troubleshooting when trying to play. My account subscription only lasted 2 weeks because of this. Obviously this business likes to lose money.

 

I have two accounts both subbed since SWTOR begins.

 

I am very close to unsubbing if this OTP does not resolve real soon.

 

Please revert back to the secret questions.


Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55's. Sadly there are a number of groups attacking MMO's for a multitude of reasons, and we have a duty to protect players accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model.

TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

 

And what about an option allowing to choose between the OTP and the good old security questions? You could set up the OTP as the default, and for people who have troubles with it and are smart enough to correctly remember their security questions with correct spelling and accentuation, symbols and such, they could resort to it.

 

I was fine typing the answer to my security question every day (2min to log in), and I am very displeased with this new (buggy) OTP system (half an hour to log in). I already was a little displeased with it on the first days because it takes longer to go on my webmail and get the password than it took to type my secret question answer, and I would not have come here just for it, but when it began to become buggy on Tuesday, that became a huge annoyance. Maybe I should just cancel my sub...

 

I detailed my point of view there: BW hate the planet (please give us back the secret questions)


Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55's. Sadly there are a number of groups attacking MMO's for a multitude of reasons, and we have a duty to protect players accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model.

TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

 

Appreciate the communication and explanation. While I can sympathize with the perspective on individual security options from the service provider perspective, as the consumer, it may ultimately be a deal breaker. This is recreation for me, so if the barrier for entry is too inconvenient, I’ll do something else for recreation. I often log in for only 20 minutes or so. If it takes 20 minutes (or really more than 2-3) to login, it’s no longer an enjoyable experience. The distrust you have of folks not being able to read and accept a service agreement that states lowly secured accounts will not be restored is a little confounding. Does this mean you don’t expect anyone to follow any of your terms of service? After all, you implied customer expectation would trump a TOS. But I digress. When the security questions were in play, I was rarely asked for those in the launcher. Perhaps your 'trigger filter' for OTP could be set more closely to the security questions filter.

 

TL;DR: If logging in is too much of a hassle (as it currently is), some people will not continue to play.

Edited by Mass

A few responses...

 

If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.


 

Tried this, also tried logging in from a different browser, different computer, ensured all caches were cleared from my systems, and I still get "out of stock" when I log in (from North America). I'm a subscriber.

I've got one of my accounts using the security key on my iPhone, but I don't think I can add the second account to my iPhone based on what I've seen in the "security key" section of "my account"

 

Cheers


A very quick update - we have just rolled out a change in the expiry time for the OTP message which allows it to be valid for a longer period of time, and we will be monitoring how effective the change is for if we need to tweak it further or not.

 

I may even get a chance to answer some of the questions raised in this thread in a bit if I'm lucky... :jawa_wink:

 

I have a question about the mobile security key option. Two months after launch, my fiance had to take his mobile security key off of his account because he got a new phone. It was removed without an issue, but there was no support for linking a new phone to the account. With the recent changes to the security key programs, we thought that would have fixed it. It didn't. He gets the exact same code every time from the computer to put into his phone. We have restarted, deleted cookies, restarted the phone, tried a different browser, logged in, logged out, and spent an hour and a half on the phone with a customer service agent. When we were able to speak to his supervisor, he said that it was an issue with the website. It is still not fixed. Can you tell me, please, when we might have some information on this issue, if anyone else is having this issue, and if there is a fix what it is? Thank you so much for your time. I know it is very valuable.

 

TL;DR linking a new phone security key to the account is not working after taking an old phone security key off the account. Why?


IMO this whole One Time Password is such a muffed up way to get it "secure".

The "old" way was a lot better. Number of questions that a person only knows is the way to go.

You CLEARLY didn't think that one through (as well as many other stuff)

As an active MMO player I have NEVER seen this kind of stupidity.

Proves that BW/EA doesn't know their stuff very well.

 

**** system will be **** system 4ever. LEARN THAT.
