An update on the One-Time-Password system (April 16th 2013)


FuryoftheStars
04.17.2013 , 02:52 PM | #111
Quote: Originally Posted by Andryah View Post
Please read recent posts between him and me... rather than jumping.
I have been reading the posts. Somehow or another you have it stuck in your head that he is using the OTP as an excuse for leaving when his real complaints are something else, and that he hasn't really tried to solve it yet before complaining.

As I already said, one can have issues with the game without them being the root cause for dissatisfaction. They are merely the other "straws" that ultimately break the camel's back.

He does not need to give you all of the details of what he has tried so far. You are not CS and he has already been in touch with them... should that not say enough?
The Shadowlands
||| Vanguard | Sage | Sentinel | Scoundrel

Phillip_BW
04.17.2013 , 03:59 PM | #112

A few responses...

Quote: Originally Posted by Ivan-Drago View Post
So if I have the security key app on my phone (which I was discouraged to use by a Bioware customer service representative), I don't have to wait for an email?

The Security Key entry means that you will not be sent an OTP message at any time unless you are trying to remove the Security Key from your account. While I've seen a number of people try to say that we are wanting to force people into using a Security Key, that is not correct - we are making changes to alleviate the issues for the people affected by the issues being talked about on the forums as it was never the plan to force people to use a Security Key on their account.
I'm also not sure how long ago you had a CS agent discourage you from using the Mobile Security Key. The application is working well (apart from an Android glitch with font colours which can be fixed by going to the main menu in the app and back in to the code page again), and it does prevent the OTP message being required for normal authentication. We have also implemented a self-service system for lost/remove/replace scenarios which means you no longer have to call CS to fix a Security Key issue.

Quote: Originally Posted by Verita View Post
I really wish you would switch to time-based One-time Passwords according to RFC 6238.

Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

I have this on my list of 'nice to have' and one day we may get there. No promises though as the cost associated with our Security Key implementation (the time-based system we already have) was covered a couple of years ago.

Quote: Originally Posted by Dink View Post
And I'll just add this in again...

Please create a mobile security key for Windows Phone (7/8) so we don't have to carry around the keychain fob thingy.

I don't mind you asking again - I'm still asking for it myself! Still no news on if or when this might happen.

Quote: Originally Posted by CaptRavenous View Post
The SW:TOR website says Physical Security Keys are out-of-stock, so I can't buy one from you guys until they are back in stock. When will this be?

If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

Quote: Originally Posted by Negranit View Post
First of all, Thank you Bioware for the reply. I have to say though, that I have a feeling there's something you're not telling us: why is it that difficult to simply remove this feature? No need to worry about making sure emails are sent on time, etc. Simply removing the one time password and bringing back the security questions shouldn't be that difficult, right?

Simply removing the OTP system also means we would be removing the self-service for Security Key system, forcing people to have to call CS once more when they had a Security Key issue. That was a constant source of new threads before we launched the self-service options, and I don't think we want to go back there....
While the number of posts on this topic indicates there are some issues, you have to remember that people without the issue are not posting as they don't have a reason to (unless they are bored and actually read these posts). While we are working on solving the issues people are posting about, you have to keep in mind that the vast majority (and I do mean vast!) are not having the issues people are posting about.
Don't get me wrong here - I'm not trying to say there is not a problem or that we are trying to dismiss the issues. Reality is very much the opposite when it comes to the seriousness that we are taking on ensuring all players can log in to the game when and where they want to as quickly as possible without also creating an account take over issue.

Quote: Originally Posted by Darzil View Post
The mail headers I see are interesting. The mail appears to come from Dynect (216.146.40.12) who I guess you are using as a mail service. The mail headers indicate ~1 second from there to my mailbox. It usually arrives too late for me to use the OTP. I will be very glad to see the time limit increase, but I'd also recommend you look at the process between the OTP generation and Dynect sending the mail. It varies greatly in performance. Sometimes it can take seconds, other times it can take 10-15 minutes repeatably.

You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has, we are not ignoring this issue at all.

Quote: Originally Posted by Mass View Post
Why is there no discussion of an option to opt out of two way authentication? Clearly, some value the extra security. Clearly, some are experiencing frustration with the barriers two way authentication presents in logging into the game. If I were offered the option of having password only login under the 'scary' condition that I would receive no support from customer service if my account was hacked and resulted in the loss of virtual items, I would gladly take it. Two way authentication is a resource burden for SWTOR -- having the option to not use it is a win for the service provider and a win for customer satisfaction.

Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win, right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55s. Sadly there are a number of groups attacking MMOs for a multitude of reasons, and we have a duty to protect players' accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model.
TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

Quote: Originally Posted by teclado View Post
I run firefox and, in general, I do not like cookies. I put an exception for "www.swtor.com" and that does not help. I have third party cookies disabled, first party enabled. Still no love. I don't know what to do here. I am not going to simply enable all cookies just so that I don't have to jump through these hoops every time. Instead, I will just minimize the number of times I post on these forums. But this time, I logged in specifically to say how much I hate, with a fiery passion, the million time password system.

EDIT: By the way, for anyone who is into Dilbert comic strips, this OTP system very much makes me think of Mordac the preventer of information services. Mordac is their IT guy and he takes a special pleasure in making it impossible for users to do anything. This OTP system is, in my opinion, so over the top in terms of security that it is most definitely something that Mordac would be in favor of.

I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

As for Mordac, I've been called worse, but usually as a joke given security related roles are hardly ever seen as ones where positive news is given out... IMO Mordac would go for the 'pint of blood needed to log in' approach. OTP in the end doesn't actually prevent information services.

Quote: Originally Posted by firephly View Post
Is any work going to be done as far as making sure that the mobile security key is compatible with more android cell phones? I have a galaxy s2 and it doesn't work. I would love to use it but I can't.

We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

Quote: Originally Posted by Andryah View Post
Cool.

Are you able to share any specifics? Is it the same setting for everyone?

We protect all accounts in the same way, so yes, this setting change applies to everybody who is receiving OTP emails.


As I get more updates on other work we have ongoing I'll be sure to post - I'll see if I can get more answers to questions posted again in the next couple of days if I have time...

Phillip Holmes
SWTOR Head of Security

teclado
04.17.2013 , 05:09 PM | #113
Quote: Originally Posted by Phillip_BW View Post
I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.
That worked! I added an exception in firefox to allow cookies from "swtor.com", logged in (OTP e-mail), logged off, closed firefox, re-opened firefox, logged in again...no OTP this time!! I re-read your original post and you did, in fact, mention "swtor.com". I must have assumed that "www" was implied.

I really do appreciate your response. I meant nothing personal with the "Mordac" comment. Thank you very much for your help!
Malovo, Malivar, Malivo, Malivó, Malovoa
Teclado, Teklado, Teclada, Téclado, Tecladö


~Harbinger~
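Phillip's explanation above (an exception for 'swtor.com' covers every sub-domain, while one for 'www.swtor.com' does not) is the RFC 6265 domain-matching rule, and teclado's result confirms it. The block below is an added example written for this thread, not code from the forum or from Firefox: it implements RFC 6265 section 5.1.3 domain matching and a hypothetical per-site exception list modelled on the one teclado edited. The host name 'account.swtor.com' is taken from Phillip's guess in the thread; 'evilswtor.com' is a constructed host used only to show why a bare suffix check is not enough.

```python
from typing import Iterable


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: `request_host` domain-matches `cookie_domain` when the two
    are identical, or when `cookie_domain` is a suffix of `request_host` and the character
    immediately before that suffix is a dot. Case-insensitive; a leading dot on the cookie
    domain (an old Netscape convention) is ignored."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if not host or not dom:
        return False
    if host == dom:
        return True
    # The dot requirement is what keeps 'evilswtor.com' from matching 'swtor.com'.
    return host.endswith("." + dom)


def cookie_allowed(request_host: str, exceptions: Iterable[str]) -> bool:
    """Hypothetical model of a browser's 'allow cookies for site' exception list:
    a cookie set by `request_host` is stored if the host domain-matches any entry."""
    return any(domain_matches(request_host, entry) for entry in exceptions)


def explain(request_host: str, exceptions: Iterable[str]) -> str:
    """Human-readable verdict, used for the demo run below."""
    entries = list(exceptions)
    verdict = "stored" if cookie_allowed(request_host, entries) else "blocked"
    return f"cookie from {request_host} with exceptions {entries}: {verdict}"


if __name__ == "__main__":
    # teclado's first attempt: only the www host was whitelisted, so a cookie
    # set by the account sub-domain was dropped and the OTP prompt kept returning.
    print(explain("account.swtor.com", ["www.swtor.com"]))
    # The fix Phillip suggested: the registrable domain covers every sub-domain.
    print(explain("account.swtor.com", ["swtor.com"]))
    # A look-alike host does not match, because the suffix must follow a dot.
    print(explain("evilswtor.com", ["swtor.com"]))
```

The same rule governs the cookie's own Domain attribute: a cookie set by account.swtor.com without a Domain attribute is host-only and is never sent to www.swtor.com, which is why a site that spans several sub-domains, as Phillip says SWTOR's login does, needs the exception at the parent domain rather than at one host.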

Hillypoyas
04.17.2013 , 10:16 PM | #114
Just to add my tuppence worth.

I can no longer log-in. The OTP arrives between 10 and 20 mins after I try to log in and of course has expired.

I'm beginning to regret renewing my subs. What's the point if I can't play the game? I'm sure you had good intentions when you implemented this, but listen ... there are people who simply cannot get into the game now. Is that not high priority for you?

(in Europe, no smart phone, OTP being requested every time the PC is turned off.)

azzdawg
04.17.2013 , 11:54 PM | #115
Simply another 2 subscriptions lost due to this headache of a security system. I pay to play the game, not have trouble every time I log in; I literally spent more time troubleshooting than trying to play. My account subscription only lasted 2 weeks because of this. Obviously this business likes to lose money.

HoldenSSV
04.18.2013 , 02:32 AM | #116
I would like if I could have the mobile security key on two smartphones, for convenience with the family.

Merras
04.18.2013 , 02:35 AM | #117
Dear Bioware,

simply give us back the original login system. This untested, unsafe stuff you developed is a very bad joke.
http://www.swtor.com/community/showthread.php?t=627767

Thanks.

macumba
04.18.2013 , 02:44 AM | #118
Quote: Originally Posted by Phillip_BW View Post
You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has, we are not ignoring this issue at all.

Good to see that someone from the outside nailed it for you.
The increase in time is a nice workaround, but getting the email fast should still be top priority since the error is on your side.

That said, your workaround of increasing the time works for me, but it should have been implemented on Monday, not yesterday. Why? Because I don't care if other people play for free; I do not, and if you ask me for a code that you send too late for your own system, then you are just not fulfilling your end of the bargain.

I'll say thank you anyway but I am not happy about how long it took you.
Just because you're not paranoid, doesn't mean they're not out to get you.

AlrikFassbauer
04.18.2013 , 04:16 AM | #119
Here in Germany, at least in and around Cologne, the Physical Security Tokens are still available in some shops - the Saturn electronics chain, for example. I can't judge *general* availability throughout Germany, though.

twinionx
04.18.2013 , 05:42 AM | #120
Quote: Originally Posted by azzdawg View Post
Simply another 2 subscriptions lost due to this headache of a security system. I pay to play the game, not have trouble every time I log in; I literally spent more time troubleshooting than trying to play. My account subscription only lasted 2 weeks because of this. Obviously this business likes to lose money.
I have two accounts, both subbed since SWTOR began.

I am very close to unsubbing if this OTP does not resolve real soon.

Please revert back to the secret questions.