
One-time Password


ATAMIANM


Not sure where to post this so starting here....

 

I am really frustrated. It seems no matter what I try to do, SWTOR keeps asking me to enter a one-time password. Patch the game: enter your one-time password. Log out and back in: enter your one-time password. Go to the SWTOR website and log in? Enter your one-time password. It never even defaults to my security questions like it used to.

 

Just tonight I think I have gotten 7-8 one-time passwords, all for unbelievably silly things (like entering my username and correct password at login to SWTOR, or logging in to the game). Is there some way to turn this nightmare off?


it sucks it really does

 

I even had 5 physical security keys in the house, unused, from the 5 CE editions my household bought for the game.

 

So after getting tired of the one-time password thing I caved in and added one of them to all the accounts we use... it's an extra step now to log in and I hate it, but it seems it was a business decision IMHO more than security: entice people to get security keys by making the one-time password as horrid and unfriendly to use as possible.

 

I wish I didn't have to use the security keys, but alas I think it's the best forced option now as far as ease of use for website and game, particularly for those with road-warrior gaming laptops and dynamic IPs.

 

If you need a security key, I think the iPhone one is free (not sure)? But with the iPhone one you cannot attach it to multiple accounts, so if you have multiple accounts in the household you'll need to get a physical key to attach up to 4 accounts to it.


worse for me

half the time IT DOESNT EVEN SHOW UP

I SHOULDNT HAVE TO GO THROUGH MY EMAIL JUST TO LOGIN TO THE FORUMS TO COMPLAIN ABOUT THIS

 

EA IS TYPICALLY GOOD WITH SECURITY....as much as we all hate to admit it, they do that right if nothing else

I have yet to figure out a practical reason for all of this ********


This has become a major issue for people with more secure PCs than the average user.

 

Philip_BW, head of security here, has even admitted that the problem lies with people not having cookies enabled in their browsers, and admitted he himself does the same thing through third party programs! See it at the top of the page here.

 

Their security is cookie-dependent.

 

This gives you an idea of how good their security is.

Edited by CaptRavenous

  • Dev Post
Wow. I thought they were tracking IP addresses. I don't know what to say now.

 

We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things.

 

People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

 

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.


...

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

 

This would be great!

 

I'm one of those whose ISP forces a new IP address on a frequent basis. I was used to having to provide an answer to one of my secret questions on a daily basis. Having to check my e-mail everyday to login, (while being something I don't really mind doing to guarantee my account security), takes a lot longer than typing in the answer (especially because I often have to wait over a minute for the e-mail to arrive).

Edited by ZeroPlus

. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

 

Anybody can use a cross site scripting attack to steal the cookie of another which will allow them to be logged in on their website account.

 

Both the session id that the server uses and the session id that Drupal is using seem to be stored in the cookie that swtor.com uses. They could potentially use that to steal somebody's account, couldn't they? I'm no expert in web security; it's more of an edge field to mine.

 

Either way to others in the thread, buy the security key. Security keys are awesome and you never have to worry about it again. I just keep mine on my desk where I play rather than have one on my phone.

Edited by Swordy

This has become a major issue for people with more secure PCs than the average user.

 

Philip_BW, head of security here, has even admitted that the problem lies with people not having cookies enabled in their browsers, and admitted he himself does the same thing through third party programs! See it at the top of the page here.

 

Their security is cookie-dependent.

 

This gives you an idea of how good their security is.

 

Do you have a good way to determine client uniqueness without using cookies/javascript or anything else clientside in a world of dynamic IP addresses?

 

Let's hear your solution.


We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis.

The IP address of the provider contains the provider name. And you have the MAC address of the PC. If the same PC with the same provider from the same region logs in, isn't that more than enough information to easily assume that it is the same user and no activation is necessary? It is really stupid that I have to wait every day for an email to log in. Steam has basically the same system and they don't send me an email every day.

Edited by burdyt

The IP address of the provider contains the provider name. And you have the MAC address of the PC. If the same PC with the same provider from the same region logs in, isn't that more than enough information to easily assume that it is the same user and no activation is necessary? It is really stupid that I have to wait every day for an email to log in. Steam has basically the same system and they don't send me an email every day.

 

How do they get the MAC address through the browser? I know there are methods, but they involve running client-side script/code to get it; it's not ever presented by the browser.

 

Steam is also software running on your computer, not your browser, the same way the launcher is software running on your system. Software on your system can get that, the browser can't.

 

Just to be sure, I have Steam running right now, but logging into steampowered prompts me for my code, which it emails me.

 

Also, take a look at the cookies before and after using the Steam website and having to enter a code. Notice the difference? Notice the browserid cookie and the steamlogin cookie?


We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

Can we note that you said 'when' not 'if'? :D


How do they get the MAC address through the browser? I know there are methods, but they involve running client-side script/code to get it; it's not ever presented by the browser.

I wasn't referring to the cookie problem, but to ISPs who automatically disconnect your internet connection every 24h and assign a new IP, which requires a new activation email with Star Wars, but not with Steam (or Cryptic/Perfect World or whoever else uses that kind of activation system).

Edited by burdyt

Cookie based security is horrible and VERY easy to spoof. Hence the reason that banks and financial institutions do not use it for security purposes.

 

If BioWare is truly worried about security (beyond the username and password fields already present), then they need to switch to the same security feature that online banking uses. I never have to provide a "one time password" or have a cookie present to log into my bank account from any computer I sit down at.

 

If it's good enough for financial banking....it's more than secure enough for an online game; and it's MUCH less cumbersome. Right now I have three choices:

 

1) Keep my home computer secure through cookie management

2) Be tied to only playing the game from somewhere I can get access to my e-mail to retrieve a special code every time I log in.

3) Be tied to only playing the game if I remembered to carry my security code keyfob around with me everywhere I go.

 

Has Bioware even released information on the cookie being used and what the official address it comes from is, so that I could configure an exception to allow that cookie while still keeping my home computers secure? Even so, I still go back to wondering why we have to jump through these hoops to begin with....do they really think my Bioware account needs different/better security than my checking account?


We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things.

 

People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

 

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

 

Phillip,

 

I believe you should be more careful when you dismiss legitimate customer concerns as "unfounded". To dismiss the way you did (when your own concerns about cookies are quite visible on this very site) only hurts the good things you have said and done.

 

Thank you for your efforts and all the explanations you have given us for these changes. I do like the pressure/suggestions you have tried to apply to the masses to make their online lives more secure. It is a tough fight.

 

BTW; The only suggestion regarding cookies you should be making is to retain SWTOR site related cookies (and EA/BW). To lump any other site's cookies within your discussion of SWTOR places you in their category...and you don't know what cookies are on customer computers (or shouldn't know ;) ). Here's my wording for a part that raised my eyebrow: "People who deliberately delete SWTOR.COM cookies from their computers ...."


People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

No, but it's enough to defeat the entire OTP mechanic, which you apparently do not see as a problem.

 

This situation is not "self inflicted." Your site is the only one I deal with that requires me to lower my level of personal security settings in order to enable your clunky and broken site security mechanism to function in a non-annoying manner.

 

You still haven't answered why your site alone needs to use this mechanic, when dozens of other websites on the internet, many of which have personal data relating me that is far more sensitive than anything you will ever have, are able to maintain solid, reliable, completely adequate security without forcing an OTP interaction at every login, or being tied to client-side stored security state.

Edited by Heezdedjim

Anybody can use a cross site scripting attack to steal the cookie of another which will allow them to be logged in on their website account.

 

Not usually, at least if some minimal measures are taken. Look up the diverse measures that can be, and usually are, taken against cross-site attacks, in this case CSRF (cross-site request forgery). Cookies that encode session state are also usually cryptographically secured so that a server can detect modifications of the content.

 

And yes, tracking the client's IP address and restricting a session cookie to only be valid for requests from that address makes sense, since it makes phished session data a lot harder to use by raising the bar from just faking requests to circumnavigating parts of the internet infrastructure.

 

All in all, you can probably put enough trust in domain cookies for this site to be (1) sufficiently benign (chances are you gave them your credit card data anyway), and (2) following some sane-ish security guidelines.


Cookie based security is horrible and VERY easy to spoof. Hence the reason that banks and financial institutions do not use it for security purposes.

 

Except it's not cookie based login.. which is what you are inferring, where your login authentication (id, password) are stored in the cookie.

 

They are not using cookies for login per se... they are being used to detect if you are recognized as a prior valid login source. It's a recognition key only. So while yes someone could spoof a cookie in theory... it would not give them access to your account unless they also know your password.

 

Stop spreading fear/uncertainty/doubt.


Cookie based security is horrible and VERY easy to spoof. Hence the reason that banks and financial institutions do not use it for security purposes.

 

/facepalm

 

It's not cookie-based security; it's using a cookie to track client uniqueness. There are many other controls in play. If all they were doing was storing a single cookie locally and trusting it, you might have half a leg to stand on here.

 

If BioWare is truly worried about security (beyond the username and password fields already present), then they need to switch to the same security feature that online banking uses. I never have to provide a "one time password" or have a cookie present to log into my bank account from any computer I sit down at.

 

If it's good enough for financial banking....it's more than secure enough for an online game; and it's MUCH less cumbersome. Right now I have three choices:

 

1) Keep my home computer secure through cookie management

2) Be tied to only playing the game from somewhere I can get access to my e-mail to retrieve a special code every time I log in.

3) Be tied to only playing the game if I remembered to carry my security code keyfob around with me everywhere I go.

 

Has Bioware even released information on the cookie being used and what the official address it comes from is, so that I could configure an exception to allow that cookie while still keeping my home computers secure? Even so, I still go back to wondering why we have to jump through these hoops to begin with....do they really think my Bioware account needs different/better security than my checking account?

 

So much misinformation in this post. What is it you do for a living? I can tell you, what I do is work with, break into and help fix things exactly like what you posted above, and I wouldn't put my faith in a lot of the auth systems used by banks.

 

Auth systems are complex, SWTOR's included, and involve so many other things you just cannot see or understand behind the scenes that all you people spouting off at the mouth as armchair security architects just makes me cringe.

 

I've got work today, but I will say this: knowing what I know about how SWTOR auth works (and I know more than most), I am quite happy with it, and testing and knowing about these systems is what I do every day. It has minor issues and minor flaws (some of which are actually getting fixed, or just have been fixed) but it's not bad.

 

At the end of the day, you do need to sit down and think about why there are no massive amounts of account hacks (or massive amounts of gold spam either) in SWTOR, and let that sink in for a bit.


Except it's not cookie based login.. which is what you are inferring, where your login authentication (id, password) are stored in the cookie.

 

They are not using cookies for login per se... they are being used to detect if you are recognized as a prior valid login source. It's a recognition key only. So while yes someone could spoof a cookie in theory... it would not give them access to your account unless they also know your password.

 

Stop spreading fear/uncertainty/doubt.

 

OMG someone who gets it!

 

I wish I could upvote you or give you something; you are a beacon in a sea of people confused about basic and complex security concepts.


And yes, tracking the client's IP address and restricting a session cookie to only be valid for requests from that address makes sense, since it makes fished session data a lot harder to use by raising the bar from just faking requests to circumnavigating parts of the internet infrastructure.

 

/Agree.

 

All in all, you can probably put enough trust in domain cookies for this site to be (1) sufficiently benign (chances are you gave them your credit card data anyway), and (2) following some sane-ish security guidelines.

 

Exactly. If someone is going to depend on cookie bans in their browser to keep them secure... 1) that's a false sense of security in today's internet. 2) browsers allow you to customize security per website these days precisely for people who believe disabling cookies protects them from internet attacks in general. So, enable cookies just for sites you trust, on a site-by-site basis.

 

Philip is correct. With today's browser technology.... global cookie disablement is a self-inflicted event.

 

All that said.... people who want to complain... will.. no matter what.. and are often extremely good at playing victim. People who actually just want to solve the problem will listen to advice on how to overcome the problem and pick a choice within the rendered advice that works for them.

 

The only thing Bioware is really on the hook to address are as follows:

 

1) make hardware security keys available world wide (because they are THE best solution and should be in unrestricted supply world wide).

 

2) find a way to address ISPs that insist on resetting IP addresses every time some random mouse on the planet breaks wind.

Edited by Andryah

I am really frustrated. It seems no matter what I try to do, SWTOR keeps asking me to enter a one-time password. Patch the game: enter your one-time password. Log out and back in: enter your one-time password. Go to the SWTOR website and log in? Enter your one-time password. It never even defaults to my security questions like it used to.

 

Working for me. I've been asked twice for my one password whatever, each from a different computer.

 

- Nydus
