
An update on the One-Time-Password system (April 16th 2013)


Phillip_BW


  • Dev Post

Now that things have settled in a bit since the changes we made with the authentication system, and also now that Rise of the Hutt Cartel is launched, I thought it best that we update you on some upcoming pieces of work we have around the One-Time-Password (OTP) system. No ducks involved!

 

We have a number of topics that need addressing (in no particular order - they are all equally important!):

  • OTP messages sometimes expire before they can be used
  • IP address changes are very annoying
  • Deleting cookies in a browser forces a new OTP every time
  • Mobile Security Keys are only available to Subscribers
  • Physical Security Keys are still out of stock in Europe

 

OTP messages sometimes expire before they can be used

There are quite a few reasons why there can be a delay in the email getting delivered in time, and not all of them on the SWTOR side of the fence. While we all expect email to instantaneously arrive, this is not always the case, and as a result we are changing how quickly the OTP code expires before it can be used successfully.

 

Now the expiry isn't being changed dramatically (we are adding a number of minutes, not hours). But it is being increased based on analysis of the data we are seeing around when an OTP is sent, and how quickly those players affected by a delay in getting their email are able to attempt to enter in the OTP code. Needless to say the vast majority of the edge-cases are being catered for without dramatically reducing the security aspects associated with the expiry of the OTP message itself.

I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.

 

  • A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. The bulk of the forum threads I have seen and researched are affected by this anti-spam system
  • Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher
  • The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards aren't something we have visibility into

When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again.

ETA: Within the next 7 days. If we can get away with a rolling hotfix to cover all the various servers involved we will, otherwise we will have to wait until next Tuesday's maintenance. This isn't a guarantee, and things are looking good for 7 days being the maximum, and not the minimum, time for this change to be deployed.

 

IP address changes are very annoying

I have to wholeheartedly agree that having to enter a new OTP every time the IP changes is very annoying. We actually have pieces of the long-term fix already deployed, and the delay in being able to implement the additional pieces to reduce the IP check's importance in our weighting of the various controls in place is two-fold.

 

Firstly we have to prioritize this work alongside other clearly important pieces of work. Delaying work needed for the release of Rise of the Hutt Cartel for example was discussed and understandably getting the expansion out on time took precedence.

Secondly, we have limited resources. As much as it would be nice if we could have lots more people on each of the teams involved in making the required changes, we are running a business...

 

I can't give an ETA on when we will have the remaining pieces of work completed. I know it's not what people want to hear, but as soon as we have an ETA for this, I will post a better timeframe for the change to be deployed.

 

Deleting cookies in a browser forces a new OTP every time

This is specific to using a web browser and our website. The game launcher is not affected by this behaviour.

 

There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting.

 

I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work, as well as Internet cafes or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

 

So, that leaves us with a few ways to not get prompted each and every time:

  • Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
  • Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
  • Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time

ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.

A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

 

Mobile Security Keys are only available to Subscribers

This was a decision made before we launched the new Free to Play model SWTOR now works within. There is a substantial cost we absorb by providing the Mobile Security Key solution (even ignoring the 100 cartel coins per month you get as a side-benefit), and until we could provide a self-service model for losing or replacing a Mobile Security Key, we could not consider providing it to everybody.

 

We are currently looking at providing the Mobile Security Key additionally to 'Preferred' status players as an authentication option in addition to Subscribers. The idea is that once you put a real dollar value against your account in the form of cartel coin purchases or even a subscription, we will acknowledge that trust in us as a studio and at that point provide the option to you as player.

 

ETA: I don't have definite approval or even an estimated date for when this can go live, so I'm going out on a limb here and telling you far earlier in the process than we would normally do so. I blame Eric, Courtney and Amber for leading the way here and ruining my natural desire to be secretive. :jawa_wink:

 

Physical Security Keys are still out of stock in Europe

We are almost there with the logistics surrounding getting the Physical Security Key made available within Europe again. I'm expecting to have news on their availability back in the store sometime in the next couple of weeks.

 

There is an ongoing internal issue with getting the Physical Security Key made available for Germany, Poland, Switzerland and the Czech Republic. I totally understand that the majority of the ISPs that require an IP change on a daily basis are located in Europe, and you can be sure that we have the SWTOR Executives helping prioritize that issue internally to ensure we get the keys made available as soon as is possible.

 

I will try to answer any questions as soon as I see them when time permits. I apologize in advance if helping organize all the above (in addition to my 'normal' job!) means I don't post quite as often as you might desire...

Edited by EricMusco
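The expiry, single-use and attempt-limit rules the post describes, together with the weighted cookie/IP decision that triggers an emailed OTP, as an added Python illustration (this is not SWTOR's code; the 8-digit code, the 15-minute expiry, the 5-attempt limit, the signal weights and the threshold are assumptions chosen to show the behaviour, not the studio's values):

```python
"""Email OTP lifecycle and device-recognition weighting.

Added illustration, not SWTOR's implementation.  Assumed values:
8-digit codes, a 15-minute expiry, 5 attempts, and the signal weights
below.  The server stores only an HMAC of each code, so a leaked
pending-OTP table does not hand out live codes.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 8
OTP_TTL_SECONDS = 15 * 60              # "a number of minutes, not hours"
MAX_ATTEMPTS = 5
PEPPER = b"constructed-example-pepper"  # production: from a secrets store


@dataclass
class PendingOtp:
    code_mac: bytes     # HMAC(PEPPER, code); the code itself is never stored
    issued_at: float    # when the email was triggered
    attempts: int = 0
    used: bool = False


def _mac(code: str) -> bytes:
    return hmac.new(PEPPER, code.encode(), hashlib.sha256).digest()


class OtpService:
    """Issue and verify emailed codes; `clock` is injectable for testing."""

    def __init__(self, ttl: float = OTP_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.pending = {}   # account -> PendingOtp

    def issue(self, account: str) -> str:
        """Create a fresh code for `account` (replacing any earlier one)
        and return it so the caller can put it in the email."""
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[account] = PendingOtp(_mac(code), self.clock())
        return code

    def verify(self, account: str, code: str) -> str:
        """Return 'ok' or the reason the code was rejected."""
        entry = self.pending.get(account)
        if entry is None:
            return "no-otp-pending"
        if entry.used:
            return "already-used"
        if self.clock() - entry.issued_at > self.ttl:
            del self.pending[account]     # a late email means a new code
            return "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[account]     # stop online guessing
            return "too-many-attempts"
        if not hmac.compare_digest(entry.code_mac, _mac(code)):
            return "wrong-code"
        entry.used = True
        return "ok"


# Weighted device-recognition signals.  The cookie alone is heavy enough to
# force an emailed OTP, which is what the post describes; lowering the IP
# weight is the "reduce the IP check's importance" change it mentions.
CURRENT_WEIGHTS = {"cookie_missing": 60, "ip_changed": 60}
PLANNED_WEIGHTS = {"cookie_missing": 60, "ip_changed": 25}
OTP_THRESHOLD = 50


def email_otp_required(cookie_present: bool, ip_matches: bool,
                       has_security_key: bool, weights=CURRENT_WEIGHTS) -> bool:
    """True when the login must be confirmed with an emailed code.
    An enrolled Security Key is challenged instead, so it never gets one."""
    if has_security_key:
        return False
    score = (0 if cookie_present else weights["cookie_missing"]) \
        + (0 if ip_matches else weights["ip_changed"])
    return score >= OTP_THRESHOLD
```

The injectable clock lets you replay the failure mode in the post: a code that reaches the player two minutes late (a greylisting retry) still verifies, one that arrives after the window is rejected and must be re-issued, and a code is consumed on first success so a copy read from the mailbox later is useless.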

So if I have the security key app on my phone (which I was discouraged to use by a BioWare customer service representative), I don't have to wait for an email?

 

A BioWare rep told you not to use the phone security key app? What?!

 

But yes, no OTP for people who use the security key.


I really wish you would switch to time-based One-time Passwords according to RFC 6238.

 

Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

 

Would be cheaper for you too, I guess.

 

And the best thing for me: If I have to switch my phone for any reason, I just use the same initial code, which I have printed and stored in my drawer, to activate code generation on my new phone without having to unlink the old phone or to call customer support to do it (in case it is lost or broken).

Edited by Verita
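The RFC 6238 scheme this reply asks for, as an added Python illustration (not SWTOR's code and not the Google Authenticator source): HOTP from RFC 4226 over a 30-second time counter, the base32 secret shared once at enrolment, and a server-side check that tolerates one step of clock drift but refuses to accept the same counter twice. The issuer and account names are placeholders.

```python
"""RFC 6238 TOTP as implemented by Google Authenticator and similar apps.

Added illustration, not SWTOR's code.  HOTP (RFC 4226) is applied to a
time counter; the shared secret is shown to the user once in base32.
The verifier allows one step of drift either side and keeps the last
accepted counter per account, so a code captured by a keylogger cannot
be replayed inside its 30-second window.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step)."""
    return hotp(key, int(unix_time // step), digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Secrets are shown to the user in base32, often without '=' padding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def provisioning_uri(issuer: str, account: str, key: bytes) -> str:
    """otpauth:// URI that authenticator apps read from an enrolment QR code."""
    secret = base64.b32encode(key).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={secret}&issuer={issuer}"


class TotpVerifier:
    """Server-side check with a drift window and a per-account replay guard."""

    def __init__(self, step: int = 30, window: int = 1, digits: int = 6,
                 algo=hashlib.sha1):
        self.step, self.window, self.digits, self.algo = step, window, digits, algo
        self.last_counter = {}      # account -> highest counter accepted so far

    def verify(self, account: str, key: bytes, code: str,
               unix_time: float = None) -> bool:
        now = time.time() if unix_time is None else unix_time
        counter = int(now // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter.get(account, -1):
                continue            # already consumed: treat as a replay
            expected = hotp(key, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter[account] = candidate
                return True
        return False
```

Because the secret is the only state the phone holds, the point the reply makes about recovery follows directly: re-entering the printed base32 string on a new phone reproduces the same codes, so the server never needs to learn that the device changed. The server, for its part, keeps the secret (and the last counter) and nothing else.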

I had to call customer service because I locked myself out of the game by entering too many wrong passwords back when the game first came out. I asked if it is worth downloading the security app and I was told not to because if I lost my phone getting account access could be a hassle. So I never downloaded it.

But if I can avoid this one time password business, I would download it.


Deleting cookies in a browser forces a new OTP every time

Again you have not explained why you cannot manage to secure your site without relying on this mechanic or forcing users to enable cookies. Literally thousands of sites with more critical data and more robust security than yours manage to do this day in and day out, every day. Yet you alone cannot.

Edited by Heezdedjim

I was told not to because if I lost my phone getting account access could be a hassle. So i never downloaded it.

But if I can avoid this one time password business, I would download it.

 

Ahh...well I think it's pretty easy to do if you lost your phone. I know the "Set up your Key" section of your account page has a one-click "Replace my Security Key" button, but I have not used it to know how easy it is to do.


Ahh...well I think it's pretty easy to do if you lost your phone. I know the "Set up your Key" section of your account page has a one-click "Replace my Security Key" button, but I have not used it to know how easy it is to do.

 

If I remember correctly (and otherwise the security key wouldn't make much sense), this will ask you for a code from your linked phone, which, of course, is impossible in case of a lost, stolen or broken phone.

Edited by Verita

I had to call customer service because I locked myself out of the game by entering too many wrong passwords back when the game first came out. I asked if it is worth downloading the security app and I was told not to because if I lost my phone getting account access could be a hassle. So I never downloaded it.

But if I can avoid this one time password business, I would download it.

 

Old and outdated.

 

Please don't use year old feedback from a customer service rep when discussing something in the present. All you are doing is injecting worry and doubt based on something that is not true today.


Old and outdated.

 

Please don't use year old feedback from a customer service rep when discussing something in the present. All you are doing is injecting worry and doubt based on something that is not true today.

 

So if I lost my phone with the security app on it, I would have no problem accessing the game and my account? And would having a security key bypass the one time password email?


If I remember correctly (and otherwise the security key wouldn't make much sense), this will ask you for a code from your linked phone, which, of course, is impossible in case of a lost, stolen or broken phone.

 

Well I was assuming that I had replaced the phone already, downloaded the app on my new replaced phone and followed the "Remove your Security Key" function in your account page, allowing you to use the new code provided by the new phone and app to use the "Replace your Security Key" function.


So if I lost my phone with the security app on it, I would have no problem accessing the game and my account? And would having a security key bypass the one time password email?

 

Did you receive a new phone yet? If so go to "My Account"/"Security Key"/"Replace your Security Key", then once on the "Replace your Security Key" page you will see a link that says "Remove your current security key"; click on it and follow the instructions. This should allow you to enter a new app code to replace your old one.

Edited by Wodaz

So if I lost my phone with the security app on it, I would have no problem accessing the game and my account? And would having a security key bypass the one time password email?

 

They have added a self serve process for keys.. so you don't need Customer Support to remove keys anymore.

 

You are able to add/delete security keys on your own now. If you lost the key.... you would need to go through the one time password process to log in and remove the key.

 

Anyone with a key does not get one time passwords unless they fail to use a valid key for account login and/or get locked out.

Edited by Andryah

And I'll just add this in again...

 

Please create a mobile security key for Windows Phone (7/8) so we don't have to carry around the keychain fob thingy.

 

I've yet to add the security key to my account because it's a PITA to carry it around with me, and with the recent changes to how you've set security, I know I'm going to run into issue at some point (changing IP address, wanting to log into the forums away from home, etc.).

 

I asked this once and you responded with a statement equivalent to "there's not enough money in it for us" (your real answer was about the marketshare with Windows phones, but still equates to the same), but you have to realize that if you're giving people options - saying "For subscribers, there is the option to use the Mobile Security Key..." yet you don't actually provide us one, you're doing nothing but causing more of an inconvenience to people that support you.

 

I'd love nothing more than to be able to use the security key, but for some reason you just won't let me. Does it really cost that much (seriously asking because I don't know) to create a mobile app for Win phones?


So if i have the security key app on my phone ( which I was discouraged to use by a Bioware customer service representative), i don't have to wait for a email?

 

That has to be a misunderstanding, or not the whole story. They want you to use it. It's the safest thing you can use.


Deleting cookies in a browser forces a new OTP every time

This is specific to using a web browser and our website. The game launcher is not affected by this behaviour.

 

There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting.

 

I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work as well as Internet Cafe's or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

 

So, that leaves us with a few ways to not get prompted each and every time:

  • Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
  • Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
  • Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time

ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.

A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

 

The SW:TOR website says Physical Security Keys are out-of-stock, so I can't buy one from you guys until they are back in stock. When will this be?

I tried finding one from a store, such as EB games, but no one will sell me one unless I buy another copy of the game with it!

I have no mobile devices, so getting a Mobile Security key is right out.

 

I have to say, this is getting ridiculous.


I have no mobile devices, so getting a Mobile Security key is right out.

 

google "android emulator" pick one of your choosing... load it on PC... load the security app.. improve your quality of life.

 

This suggestion has been offered in every thread about the topic in this forum. Why is it you are unaware of it??

 

Yes they say they don't support it (because putting it on the same PC you run the game on breaks two-factor, so Phillip is obligated to recommend against it)... but the point is.. it gives you the user choices when you feel you have none.... until you have a mobile device (which does not have to be a phone btw) OR the hardware security key. OR... live with the one time passwords.

Edited by Andryah

google "android emulator" pick one of your choosing... load it on PC... load the security app.. improve your quality of life.

 

This suggestion has been offered in every thread about the topic in this forum. Why is it you are unaware of it??

 

Yes they say they don't support it (because putting it on the same PC you run the game on breaks two-factor)... but the point is.. it gives you the user choices when you feel you have none.... until you have a mobile device OR the hardware security key. OR... live with the one time passwords.

 

A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

 

I was aware of it, and I'm not getting one for the reasons Phillip_BW stated.

 

I will never own a mobile device.

 

All that aside, the way security keys are being handled is ridiculous.


All that aside, the way security keys are being handled is ridiculous.

 

The way you are handling the issue is ridiculous IMO.

 

Many people are working just fine without a security key, and NOT getting OTPed to death either. So explore your options on that end of things then.


I will never own a mobile device.

 

Wow!!! simply WOW!! :eek:

 

I'm not trying to be rude but you own this game and an Internet-based computer, but won't ever own a mobile device!?!? Hrmm!?!? I'm smelling a troll! :p

Edited by Wodaz

The way you are handling the issue is ridiculous IMO.

 

Many people are working just fine without a security key, and NOT getting OTPed to death either. So explore your options on that end of things then.

 

I tried to get a physical key. They are not available.

I don't own mobile devices, because I have a health condition that leaves me sensitive to strong electromagnetic signals, such as Wi-Fi. I have NO wireless devices in my home, and therefore, no mobile devices.

I tried enabling cookies for this site. That isn't working, either.

I don't get OTP when logging into the game, ONLY on the forums. Every. Single. Time.

 

My complaint is legitimate. Why you feel the need to attack this, is beyond me.

Consider your opinion read, and rejected.


Interesting because the described system behaviour doesn't match with my experience :rolleyes:

 

- I'm a subscriber

- I have a dynamic IP (that changes every time I reboot the computer), confirmed.

- With the previous system I had set 3 security questions. Like 90% of the times I logged in, I had to enter one of the answers.

- I didn't have a security key

- I use IE and I have cookies enabled

 

Since the OTP implementation:

 

- I have never been asked to enter an OTP before (or the security answers), not in MySWTOR nor the launcher. Which is strange because of the dynamic IP.

- Today I set a security key so I had to enter an OTP in MySWTOR. (which is expected)

 

Anyways, I'm fine with it so please don't include me in the black list (cueck cueck). :)


I really wish you would switch to time-based One-time Passwords according to RFC 6238.

 

Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

 

Would be cheaper for you too, I guess.

 

And the best thing for me: If I have to switch my phone for any reason, I just use the same initial code, which I have printed and stored in my drawer, to activate code generation on my new phone without having to unlink the old phone or to call customer support to do it (in case it is lost or broken).

 

Yup, I use Google Authenticator for Gmail, LastPass and Guild Wars 2. You could have saved a load of time, money and hassle for yourselves and us by just implementing this open source standard instead of creating your own.
