Please upgrade your browser for the best possible experience.

Chrome Firefox Internet Explorer
×

Display Name Only Log In - Coming April 2, 2013

STAR WARS: The Old Republic > English > General Discussion
Display Name Only Log In - Coming April 2, 2013
First BioWare Post First BioWare Post

Mukkoo's Avatar


Mukkoo
03.07.2013 , 06:18 AM | #341
Quote: Originally Posted by Nealzeypoo View Post
Can we fix the android authenicator. The number text for mine is black. I have to use it in landscape to be able to see the numbers
Had the same problem. This happens when you open up the app after not having properly closed it before. When I press the 'go back' button once or twice on my HTC phone, it reverts to the normal dislpay.

Hope that helps.

FenraelWolfmien's Avatar


FenraelWolfmien
03.07.2013 , 06:56 AM | #342
The display name has always been valid for login. While that is a stupid security flub on the part of EA/Bioware it isn't a new issue. Having half your login info *is* a security issue because it's that much less work for someone if they really wanted to grab your info, but those cows left the barn years ago. It would be nice if they let us change our forum name.

I don't think it's a major problem anyway, unless their client is like DAOC's when it first came out and it would handshake with anyone who was listening. That's exaggeration but close enough as a representative idea. I don't know how TOR transmits login info but I assume it operates the same way most clients do regarding crypto. If someone busts that cyrpto then it really don't matter where they got your username from because you're screwed anyway.

If you're talking about getting phished, well... that's beyond the scope of security professionals and enters the realm of very patient support staff to help you resolve your own created issues.

I still wanna change my forum name though.

Alduinsm's Avatar


Alduinsm
03.07.2013 , 07:02 AM | #343
Quote: Originally Posted by Jedlosson View Post
SW ToR does not use the IP verification.

I have dynamically changing IP address so I have to verify new IP every week when trying to log into Guild Wars 2. SW ToR never bothered to verify anything about my IP despite of this fact.
Remove your Authenticator/Security Key and you will be asked to answer your Security Questions whenever your IP changes.
Shin

drgnmstr_'s Avatar


drgnmstr_
03.07.2013 , 07:20 AM | #344
Quote: Originally Posted by Phillip_BW View Post
1
Only people that post on the Forums have their Display Name visible to others currently. Even then we took that into account when designing the updated system and I wouldn't recommend trying to attack known Display Names...

You should log on to Steam again - they currently only use the equivalent of DisplayName, and that name is what you are known as to all your friends (and in the community section of Steam for that matter).
HAHAHAHAHA!!! Have you logged in to steam lately? I'm going to assume no since this is inaccurate information.

Yes Steam doesn't make you log in with your email address, however they also don't use your display name either. my Steam account is one name and my display name on the forums is completely different. NI suggest next time before you spread false information, that you do research first.

On that note, since you want to remove Email addresses as the login ID, why aren't we able to use an actual user name instead of the display name? You do know that display names don't allow numbers which makes the available permutations for a name less than desirable, right?

Jacen_Starsolo's Avatar


Jacen_Starsolo
03.07.2013 , 07:24 AM | #345
I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?

PhantomNJ's Avatar


PhantomNJ
03.07.2013 , 07:24 AM | #346
Quote: Originally Posted by Phillip_BW View Post

The note we sent out was only changing the username aspect of authentication. All of the other peices such as passwords and Security Keys remain in place. I hope that makes more sense...


OK, I've finished this reply up to the end of page 20. Given the sheer length of this post I'll reply again for page 21+ soon!
Phillip,

As a fellow Information Security professional, let me just say you've been doing yeoman's work in trying to explain what does and does not constitute security with regards to authentication. It can't be easy when something that seems intuitively obvious to most is actually incorrect.

Keep up the good fight.

Alduinsm's Avatar


Alduinsm
03.07.2013 , 07:25 AM | #347
Quote: Originally Posted by drgnmstr_ View Post
HAHAHAHAHA!!! Have you logged in to steam lately? I'm going to assume no since this is inaccurate information.

Yes Steam doesn't make you log in with your email address, however they also don't use your display name either. my Steam account is one name and my display name on the forums is completely different. NI suggest next time before you spread false information, that you do research first.

On that note, since you want to remove Email addresses as the login ID, why aren't we able to use an actual user name instead of the display name? You do know that display names don't allow numbers which makes the available permutations for a name less than desirable, right?
About Steam
http://www.swtor.com/community/showt...16#edit5961316
Quote:
I stand corrected and apologize for the assumption (yes, I made an *** of myself!). I've used the same display name since before most people had heard of Steam and have never attempted to change it. At the same time (and the reason I didn't think it was changeable), the current security of Steam means that knowledge of my username in Steam has no bearing on the actual security of my account. Many people have tried (Steam emails me) and none have succeeded. I may not work at Valve, but I have to hand it to their team that they have one of the best/secure authentication systems in the industry. Of course I'm egotistical enough to think that we have one of the best too, and our upcoming improvements (Display Name is a piece of those improvements) will only make our system stronger.
Shin

Mogic's Avatar


Mogic
03.07.2013 , 07:26 AM | #348
Quote: Originally Posted by Jedlosson View Post
SW ToR does not use the IP verification.

I have dynamically changing IP address so I have to verify new IP every week when trying to log into Guild Wars 2. SW ToR never bothered to verify anything about my IP despite of this fact.
Unless its changed since beta/ launch and Phillip is completely wrong, the only way to not get the SAQ's when your IP changed was to have an authenticator attached to the account. I remember going through the testing for this in Beta and it was the same at launch until I put the authenticator on.

Quote: Originally Posted by Phillip_BW View Post
As others have pointed out, if you log in from a different location and/or machine, you will be prompted for a SQA if you don't have a Security Key.
There is one caveat - if you are a new 'F2P' player and have never bought anything, you currently don't have a email address and probably don't have SQA's associated with your account. You can add either at any time of course, but until you do your account will only ever be secured by a Display Name and password combination.
We may change it so that all players have at least a valid email address at some point in the future, but currently it is optional up until the point you want to buy something and therefore associate a real money transaction against your account.

Merouk's Avatar


Merouk
03.07.2013 , 07:40 AM | #349
Quote: Originally Posted by Phillip_BW View Post
In a lot of systems (mainly corporate and military) the username is a given piece of information that the person using it has no control over specifying. It's usually a standard format that is commonly derived from the persons actual name or an internal identifier. My BioWare login internally is no different in that respect. This is one of the contributing factors on why username in of itself should never be a major concern around the security of an authentication system.
Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue agains how we feel. It's not working.

DarthTHC's Avatar


DarthTHC
03.07.2013 , 07:46 AM | #350
You know, I was very leery of the change given just the bit of information that came out initially.

After reading Phillip_BW's posts on the topic, I'm very much looking forward to these changes. Seems like a step in the right direction and Phillip_BW obviously knows his stuff.