Please allow us to not need "one time" passwords


Azoton

Well then if you're outside the US and do not have a smart phone then I guess you have no choice.

Even then you can use an emulator of a smartphone to run on the very same computer as your game does.

 

Everyone who wants to use a security app or token is able to.

Link to comment

I'm not really sure what the problem is.

 

Usually I have a smartphone, but I am changing phones so I am currently without a security key. Every so often I get prompted for a one-time password. It usually arrives instantly, but can take up to 2 mins. I copy, I paste, I'm done. It's really not a hassle.

 

What am I missing?

Link to comment

I'm not really sure what the problem is.

 

Usually I have a smartphone, but I am changing phones so I am currently without a security key. Every so often I get prompted for a one-time password. It usually arrives instantly, but can take up to 2 mins. I copy, I paste, I'm done. It's really not a hassle.

 

What am I missing?

 

If you don't use a reliable email client then you'll be missing your OTP =p That's usually the issue that comes up for many.

Link to comment

What would be good is to be able to authorize the client on my side, similar to Steam. So I only need a code once.

The other option would be to authorize the hostname, instead of the IP. I get a new IP each day (DSL), so this is kinda bothersome. (For those who don't know, hostname is your network provider, in my case it would be something.dip0.t-ipconnect.de)

Link to comment

I'm not really sure what the problem is.

Maybe just a boot time question?

When I need a coffee, I just insert a capsule and press the button. Hmm... what else?

In my car? Insert and turn the key. Vrrrmmmm..... vrrrrmmm....

My PC? Well, I just press one button... perhaps a password? That's all. And Windows made serious efforts to reduce the boot time over several years. Better with Ubuntu? Maybe.

In the supermarket? Hello, give my card and... thank you.

Starting my phone? A little more difficult... Button... PIN code! That's all.

I know, I know, IRL gives you such bad habits!

Everything is done to simplify everything. It's just boring.

Hopefully, when you come back to your MMO you know it will not be so childish.

You have to click to start the launcher. It asks you for user/password. And then a code is requested, you go to email... [copy], come back to launcher, [paste] and press [enter]. To avoid that, lazy players have a token: they launch the token on the smartphone and write the 8-digit code. Anyway, then the launcher starts the verification/initialization... after that, beautiful yellow screen to wait for the list of characters... select with the mouse (no space or enter key to select the last one) and click play, new screen... loading... loadin... yes! You're in!

Patience is blessed with success and everything has an end.

IRL sucks.

Why don't we have more players in game?

Edited by Umbura
Link to comment

What would be good is to be able to authorize the client on my side, similar to Steam. So I only need a code once.

The other option would be to authorize the hostname, instead of the IP. I get a new IP each day (DSL), so this is kinda bothersome. (For those who don't know, hostname is your network provider, in my case it would be something.dip0.t-ipconnect.de)

 

So...I'm not sure what you mean by hostname. Do you mean the actual hostname that anyone can change at any time or do you mean the reverse lookup that changes with your IP? Either way that doesn't seem viable and/or just as troublesome as using an IP as validation.

Link to comment

Maybe just a boot time question?

When I need a coffee, I just insert a capsule and press the button. Hmm... what else?

In my car? Insert and turn the key. Vrrrmmmm..... vrrrrmmm....

My PC? Well, I just press one button... perhaps a password? That's all. And Windows made serious efforts to reduce the boot time over several years. Better with Ubuntu? Maybe.

In the supermarket? Hello, give my card and... thank you.

Starting my phone? A little more difficult... Button... PIN code! That's all.

I know, I know, IRL gives you such bad habits!

Everything is done to simplify everything. It's just boring.

Hopefully, when you come back to your MMO you know it will not be so childish.

You have to click to start the launcher. It asks you for user/password. And then a code is requested, you go to email... [copy], come back to launcher, [paste] and press [enter]. To avoid that, lazy players have a token: they launch the token on the smartphone and write the 8-digit code. Anyway, then the launcher starts the verification/initialization... after that, beautiful yellow screen to wait for the list of characters... select with the mouse (no space or enter key to select the last one) and click play, new screen... loading... loadin... yes! You're in!

Patience is blessed with success and everything has an end.

IRL sucks.

Why don't we have more players in game?

 

I have no real idea of the point you're making but I'm going to assume some level of sarcasm.

 

Let's take your store purchase. To make a purchase you need to do two things: firstly you need to present your card (something you have) and then either enter a PIN (something you know) or sign (a signature is more a contract rather than authentication, but it's still a second factor of validation before they let you leave) something.

Now when we contrast that to SWTOR, it needs to validate that it is you on your computer because who knows, you could have an open wireless AP and someone could be on that using your IP or your little brother/sister could decide to mess with you by using your computer. Either one of those things leads to more support BW has to provide to fix a problem that is negated by two-factor authentication. If they have to provide more support, they have less money to provide new experiences in the game. So, moving on to logging in, you put in your username and password (something you know) and then you get an email with an OTP (this would be considered something you have). Effectively no different than making that purchase at a store except you might be using a bad email client/service.

For me, your inconvenience in using an OTP is worth the money that BW saves by not having to support a ton of people who let their accounts get broken into.

Link to comment

For me, your inconvenience in using an OTP is worth the money that BW saves by not having to support a ton of people who let their accounts get broken into.

I'm sorry but I guess, in case of attack, my email will be the first thing hacked. And then...

But ok, I understand the paranoia, the lack of resources and the need of a two-factor authentication.

I just pointed out the fact that the time between the first click and the first move of my jedi/sith is too long.

Each action that makes it longer is a pain for thousands of players. Do you understand that?

And this is the case with the OTP, especially for all the players that don't understand why their password is not enough to protect their account. And why they still need a password if it does not protect their account? And why BW needs an OTP one day and not the day after?

All of that makes the player impatient, as a dog waiting for his master after a long day enclosed.

I mean, it's not really a security problem. Azoton does not complain about the security level. He takes this as spam (his own words) and wants an option to erase it because for him, it's just a waste of time.

And patch problems or several loading screens or whatever makes this time longer reinforce this feeling.

BW still has plenty of scope for further development in this area.

PS: one of my friends stopped SWTOR after a problem with the launcher stuck at 99%. And BW did not waste resources to manage this. No hack, no additional cost with support. Just one more player account in F2P.

Edited by Umbura
Link to comment

So...I'm not sure what you mean by hostname. Do you mean the actual hostname that anyone can change at any time or do you mean the reverse lookup that changes with your IP? Either way that doesn't seem viable and/or just as troublesome as using an IP as validation.

 

I mean this: http://whatismyhostname.com/

It shows you the name of your provider associated with your IP. If you save the top level of it, there is no more validation each day necessary. It is unlikely that someone with the same hostname tries to hack you. Not impossible, but very improbable. Most attempted, and also unsuccessful I might add, hacks on my email or MMO accounts originated from Asia.

Link to comment

I mean this: http://whatismyhostname.com/

It shows you the name of your provider associated with your IP. If you save the top level of it, there is no more validation each day necessary. It is unlikely that someone with the same hostname tries to hack you. Not impossible, but very improbable. Most attempted, and also unsuccessful I might add, hacks on my email or MMO accounts originated from Asia.

Yeah...that's not a hostname, that's a PTR record, and it changes with your IP so it holds no more consistency than checking someone's IP.

Link to comment

Yeah...that's not a hostname, that's a PTR record, and it changes with your IP so it holds no more consistency than checking someone's IP.

 

Not true. My hostname today is p57BCE4C4.dip0.t-ipconnect.de. So if you save *.dip0.t-ipconnect.de as authorized, it is only necessary one time. Because that part never changes.

 

Or take my other advice and authorize the client locally with a SHA-Key or something like that. Each user gets a unique SHA256 key. Private part is stored on the PC, public part is stored in the game directory when you authorized via email.

Edited by Kortio
Link to comment

Not true. My hostname today is p57BCE4C4.dip0.t-ipconnect.de. So if you save *.dip0.t-ipconnect.de as authorized, it is only necessary one time. Because that part never changes.

 

Or take my other advice and authorize the client locally with a SHA-Key or something like that. Each user gets a unique SHA256 key. Private part is stored on the PC, public part is stored in the game directory when you authorized via email.

 

If that is what your actual hostname is set to, it's because you allow DHCP to change your hostname and then it still changes when your IP changes. Literally anyone in the world could switch their hostname to exactly the one you have at any time. That also implies to me that you aren't behind a firewall, because if you were, your firewall would have the hostname and your internal NAT'd computer would have whatever you set it to.

Link to comment

If that is what your actual hostname is set to, it's because you allow DHCP to change your hostname and then it still changes when your IP changes. Literally anyone in the world could switch their hostname to exactly the one you have at any time. That also implies to me that you aren't behind a firewall, because if you were, your firewall would have the hostname and your internal NAT'd computer would have whatever you set it to.

Ehm, this name is set by your ISP. You cannot change it, unless you are one.

Link to comment
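
The two ideas argued over in the posts above, side by side, as an added example that is not part of the thread and not BioWare's launcher code: the wildcard reverse-DNS allowlist, and a "remember this device" token issued once after the e-mail OTP succeeds. All function and class names are hypothetical, the 30-day lifetime is an assumed policy, and the second hostname in the usage comment is constructed.

```python
import hashlib
import secrets
import time

TRUST_LIFETIME = 30 * 24 * 3600  # assumed policy: e-mail OTP again after 30 days


def ptr_suffix_allows(ptr_name, allowed_suffix):
    """Wildcard idea from the thread: accept any reverse-DNS name under a suffix."""
    return ptr_name.lower().rstrip(".").endswith("." + allowed_suffix.lower())


class TrustedDevices:
    """Server-side registry of clients that already passed the e-mail OTP step."""

    def __init__(self):
        self._records = {}  # (account, SHA-256 of token) -> expiry timestamp

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def enroll(self, account, now=None):
        """Call only after a successful OTP check; returns the secret the client stores."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        # Only the hash is kept, so a leaked server table does not yield usable tokens.
        self._records[(account, self._digest(token))] = now + TRUST_LIFETIME
        return token

    def is_trusted(self, account, token, now=None):
        """True only for an unexpired token that was issued to this exact account."""
        now = time.time() if now is None else now
        expiry = self._records.get((account, self._digest(token)))
        return expiry is not None and now < expiry

    def revoke_all(self, account):
        """Drop every remembered device, e.g. on password change or reported compromise."""
        self._records = {k: v for k, v in self._records.items() if k[0] != account}


# The suffix rule accepts the poster's own name and any other subscriber in the pool:
#   ptr_suffix_allows("p57BCE4C4.dip0.t-ipconnect.de", "dip0.t-ipconnect.de")
#   ptr_suffix_allows("p5DDC0A11.dip0.t-ipconnect.de", "dip0.t-ipconnect.de")  # constructed
```

The suffix check narrows the origin to one ISP's address pool and nothing more, while the token identifies a single enrolled client and can be expired or revoked per account.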

  • 2 weeks later...
I never get one time passwords because I have a security key. Maybe, you should consider the same.

 

Hell no. I removed the security key from my account almost immediately after getting it. Eight digit security tokens? Give me a break.

 

If I'm forced to choose between manually typing in eight numbers or copy-and-pasting a password every time I log in, you better believe that it's going to be the copy-and-paste.

Edited by jakler
Link to comment

I'm sorry but I guess, in case of attack, my email will be the first thing hacked. And then...

But ok, I understand the paranoia, the lack of resources and the need of a two-factor authentication.

I just pointed out the fact that the time between the first click and the first move of my jedi/sith is too long.

Each action that makes it longer is a pain for thousands of players. Do you understand that?

And this is the case with the OTP, especially for all the players that don't understand why their password is not enough to protect their account. And why they still need a password if it does not protect their account? And why BW needs an OTP one day and not the day after?

All of that makes the player impatient, as a dog waiting for his master after a long day enclosed.

I mean, it's not really a security problem. Azoton does not complain about the security level. He takes this as spam (his own words) and wants an option to erase it because for him, it's just a waste of time.

And patch problems or several loading screens or whatever makes this time longer reinforce this feeling.

BW still has plenty of scope for further development in this area.

PS: one of my friends stopped SWTOR after a problem with the launcher stuck at 99%. And BW did not waste resources to manage this. No hack, no additional cost with support. Just one more player account in F2P.

 

How exactly will attackers link your game account to your mail if they don't know your mail ID and provider?

If you go to real paranoia ... you never use your primary mail for gaming authentication, so there is no way to do it backward too :)

Slap 1 really good password over this mail (password generator with master password and copy pass option) and the system becomes too high for the majority and not possible for script kiddies and lul hackerz that tend to attack game accounts.

Link to comment

How exactly will attackers link your game account to your mail if they don't know your mail ID and provider?

If you go to real paranoia ... you never use your primary mail for gaming authentication, so there is no way to do it backward too :)

Slap 1 really good password over this mail (password generator with master password and copy pass option) and the system becomes too high for the majority and not possible for script kiddies and lul hackerz that tend to attack game accounts.

 

Well, you're assuming that a significant portion of account compromises come from brute-forced or guessed passwords. This might have been true in 1995. The primary point of compromise at this point is backdooring keylogging malware, so it doesn't matter how good your password is, it'll register SWTOR launching and intercept the next few keystrokes. Now, of course this means that the attacker has access to your email too, assuming you've typed your password in while you were infected. That sucks, but most account mining operations will just try the username and password and give up if that doesn't work. They operate in high volume, they don't have the time or inclination to go back through the logs, find your email password, log in to your email and then use the OTP sent to it while logging into your SWTOR account. It's just not profitable enough for all those steps.

Link to comment

Hell no. I removed the security key from my account almost immediately after getting it. Eight digit security tokens? Give me a break.

 

If I'm forced to choose between manually typing in eight numbers or copy-and-pasting a password every time I log in, you better believe that it's going to be the copy-and-paste.

 

Man, you are right! One time someone asked me to type in eight digits and I was like "man...how is this humanly possible!" but I gave it the ol' college try. By numeral five my joints were screaming in pain. Numeral six and my vision was blurring, I was sweating and my pulse was through the roof. On numeral seven my body gave out and I slumped over in my chair with blood coming out of my ears and eyes. Fortunately my wife was near to call 911 or I wouldn't have made it. The doctors told me that if I had typed in that eighth numeral my heart would have simply exploded and I'd be dead.

 

You're right to not want to manually type in eight numerals, the strain could literally kill you.

Link to comment

Man, you are right! One time someone asked me to type in eight digits and I was like "man...how is this humanly possible!" but I gave it the ol' college try. By numeral five my joints were screaming in pain. Numeral six and my vision was blurring, I was sweating and my pulse was through the roof. On numeral seven my body gave out and I slumped over in my chair with blood coming out of my ears and eyes. Fortunately my wife was near to call 911 or I wouldn't have made it. The doctors told me that if I had typed in that eighth numeral my heart would have simply exploded and I'd be dead.

 

You're right to not want to manually type in eight numerals, the strain could literally kill you.

The only thing going through the roof right now is my sarcasm detector :D.

Link to comment