Please upgrade your browser for the best possible experience.

Chrome Firefox Internet Explorer
×

An update on the One-Time-Password system (April 16th 2013)

STAR WARS: The Old Republic > English > General Discussion
An update on the One-Time-Password system (April 16th 2013)
First BioWare Post First BioWare Post

Phillip_BW's Avatar


Phillip_BW
04.16.2013 , 02:36 PM | #1 Click here to go to the next staff post in this thread. Next  

Now that things have settled in a bit since the changes we made with the authentication system, and also now that Rise of the Hutt Cartel is launched, I thought it best that we update you on some upcoming pieces of work we have around the One-Time-Password (OTP) system. No ducks involved!

We have a number of topics that need addressing (in no particular order - they are all equally important!):
  • OTP messages sometimes expire before they can be used
  • IP address changes are very annoying
  • Deleting cookies in a browser forces a new OTP every time
  • Mobile Security Keys are only available to Subscribers
  • Physical Security Keys are still out of stock in Europe

OTP messages sometimes expire before they can be used
There are quite a few reasons why there can be a delay in the email getting delivered in time, and not all of them on the SWTOR side of the fence. While we all expect email to instantaneously arrive, this is not always the case, and as a result we are changing how quickly the OTP code expires before it can be used successfully.

Now the expiry isn't being changed dramatically (we are adding a number of minutes, not hours). But it is being increased based on analysis of the data we are seeing around when an OTP is sent, and how quickly those players affected by a delay in getting their email are able to attempt to enter in the OTP code. Needless to say the vast majority of the edge-cases are being catered for without dramatically reducing the security aspects associated with the expiry of the OTP message itself.
I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.
  • A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. This accounts for the bulk of the forum threads I have seen and researched are affected by this anti-spam system
  • Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher
  • The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards isn't something we have visibility into
When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again.
ETA: Within the next 7 days. If we can get away with a rolling hotfix to cover all the various servers involved we will, otherwise we will have to wait till next Tuesday's maintenance. This isn't a guarantee, and things are looking good for 7 days being the maximum, and not the minimum time for this change to be deployed.

IP address changes are very annoying
I have to wholeheartedly agree that having to enter a new OTP every time the IP changes is very annoying. We actually have pieces of the long-term fix already deployed, and the delay in being able implement the additional pieces to reduce the IP check's importance in our weighting of the various controls in place is two-fold.

Firstly we have to prioritize this work alongside other clearly important pieces of work. Delaying work needed for the release of Rise of the Hutt Cartel for example was discussed and understandably getting the expansion out on time took precedence.
Secondly, we have limited resource. As much as it would be nice if we could have lots more people on each of the teams involved in making the required changes, we are running a business...

I can't give an ETA on when we will have the remaining pieces of work completed. I know its not what people want to hear, but as soon as we have an ETA for this, I will post a better timeframe for the change to be deployed.

Deleting cookies in a browser forces a new OTP every time
This is specific to using a web browser and our website. The game launcher is not affected by this behaviour.

There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting.

I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work as well as Internet Cafe's or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

So, that leaves us with a few ways to not get prompted each and every time:
  • Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
  • Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
  • Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time
ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.
A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

Mobile Security Keys are only available to Subscribers
This was a decision made before we launched the new Free to Play model SWTOR now works within. There is a substantial cost we absorb by providing the Mobile Security Key solution (even ignoring the 100 cartel coins per month you get as a side-benefit), and until we could provide a self-service model for losing or replacing a Mobile Security Key, we could not consider providing it to everybody.

We are currently looking at providing the Mobile Security Key additionally to 'Preferred' status players as an authentication option in addition to Subscribers. The idea is that once you put a real dollar value against your account in the form of cartel coin purchases or even a subscription, we will acknowledge that trust in us as a studio and at that point provide the option to you as player.

ETA: I don't have definite approval or even an estimated date for when this can go live, so I'm going out on a limb here and telling you far earlier in the process than we would normally do so. I blame Eric, Courtney and Amber for leading the way here and ruining my natural desire to be secretive.

Physical Security Keys are still out of stock in Europe
We are almost there with the logistics surrounding getting the Physical Security Key made available within Europe again. I'm expecting to have news on their availability back in the store sometime in the next couple of weeks.

There is an ongoing internal issue with getting the Physical Security Key made available for Germany, Poland, Switzerland and the Czech Republic. I totally understand that the majority of the ISP's in Europe that require an IP change on a daily basis are located in Europe and you can be sure that we have the SWTOR Executives helping prioritize that issue internally to ensure we get the keys made available as soon as is possible.

I will try to answer any questions as soon as I see them when time permits. I apologize in advance if helping organize all the above (in addition to my 'normal' job!) means I don't post quite as often as you might desire...

Phillip Holmes
SWTOR Head of Security

Ivan-Drago's Avatar


Ivan-Drago
04.16.2013 , 03:42 PM | #2
So if i have the security key app on my phone ( which I was discouraged to use by a Bioware customer service representative), i don't have to wait for a email?

Wodaz's Avatar


Wodaz
04.16.2013 , 03:47 PM | #3
Quote: Originally Posted by Ivan-Drago View Post
which I was discouraged to use by a Bioware customer service representative
Really?!?! Why?!?! Kinda curious if there's some type of security issue with the app.
"Wodaz here! I'm all about havin' fun. You know, get a couple cocktails in me, start a fire in someone's kitchen. Maybe go to SeaWorld, take my pants off. Anyway, I'm kinda known for my catch phrase WHAMMY!!!!!"
Free Character Transfer and stuff -----> http://www.swtor.com/r/f39w6v

MillionsKNives's Avatar


MillionsKNives
04.16.2013 , 03:47 PM | #4
Quote: Originally Posted by Ivan-Drago View Post
So if i have the security key app on my phone ( which I was discouraged to use by a Bioware customer service representative), i don't have to wait for a email?
A BioWare rep told you not to use the phone security key app? What?!

But yes, no OTP for people who use the security key.

Verita's Avatar


Verita
04.16.2013 , 03:47 PM | #5
I really wish you would switch to time-based One-time Passwords according to RFC 6238.

Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

Would be cheaper for you too, I guess.

And the best thing for me: If I have to switch my phone for any reason, I just use the same initial code, which I have printed and stored in my drawer, to activate code generation on my new phone without having to unlink the old phone or to call customer support to do it (in case it is lost or broken).

Ivan-Drago's Avatar


Ivan-Drago
04.16.2013 , 03:58 PM | #6
i had to call customer service cause I lock myself out of the game by entering too many wrong passwords back when the game first came out. I asked if it is worth downloading the security app and I was told not to because if I lost my phone getting account access could be a hassle. So i never downloaded it.
But if I can avoid this one time password business, I would download it.

Heezdedjim's Avatar


Heezdedjim
04.16.2013 , 03:58 PM | #7
Quote: Originally Posted by Phillip_BW View Post
Deleting cookies in a browser forces a new OTP every time
Again you have not explained why you cannot manage to secure your site without relying on this mechanic or forcing users to enable cookies. Literally thousands of sites with more critical data and more robust security than yours manage to do this day in and day out, every day. Yet you alone cannot.

Blackavaar's Avatar


Blackavaar
04.16.2013 , 04:01 PM | #8
Why can't you just go back to asking the randomly selected Security Questions? Why is this One Time Password BS even necessary?

Only the meek get pinched. The bold survive.(███████████████████████████████████║║█[Θ]█]◙◙◙◙◙◙◙◙[█]

Wodaz's Avatar


Wodaz
04.16.2013 , 04:04 PM | #9
Quote: Originally Posted by Ivan-Drago View Post
I was told not to because if I lost my phone getting account access could be a hassle. So i never downloaded it.
But if I can avoid this one time password business, I would download it.
Ahh...well I think its pretty easy to do if you lost your phone, I know in the "Set up your Key" section of your account page has one click "Replace my Security Key" button, but I have not used it to know how easy it is to do.
"Wodaz here! I'm all about havin' fun. You know, get a couple cocktails in me, start a fire in someone's kitchen. Maybe go to SeaWorld, take my pants off. Anyway, I'm kinda known for my catch phrase WHAMMY!!!!!"
Free Character Transfer and stuff -----> http://www.swtor.com/r/f39w6v

Verita's Avatar


Verita
04.16.2013 , 04:06 PM | #10
Quote: Originally Posted by Wodaz View Post
Ahh...well I think its pretty easy to do if you lost your phone, I know in the "Set up your Key" section of your account page has one click "Replace my Security Key" button, but I have not used it to know how easy it is to do.
If I remember correctly (and otherwise the security key wouldn't make much sense), this will ask you for a code from your linked phone, which, of course, is impossible in case of a lost, stolen or broken phone.