Login Page 2FA + Removing .account password

We are always open to new ideas. Come here if you have a suggestion, we will discuss it together.

Re: 2FA + Removing .account password

by Aunstic » Wed Jul 01, 2015 6:59 am

Admins, I know you'd agree with me on this suggestion <3
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by Aunstic » Thu Jul 02, 2015 12:46 pm

fatalmatt wrote: Yeah I guess it only assists hackers in the long run.

Didn't see this one underneath my bumps. I'd like to know how this would assist people stealing your account.

Phishers: They don't know what 2FA option you chose so all they can get out of you is the 1st method of authentication (your password). They would have to ask you which factor of authentication was your 2nd one in order to steal it. On Nostalrius, the server handles everything and presents the form for your 2nd method of authentication. There's no need to ask the users which one they had.

Leaked username:password combos from other sites: If you use the same username and password on another site, this protects against it. They still only have your password ... not your 2FA option.

Keyloggers and other malware: Whether you have 1 method of auth or 100, if your system is compromised then you are ultimately shit out of luck.
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by Aunstic » Fri Jul 03, 2015 6:51 pm

Nobody chiming in at all?
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by shiraz » Sat Jul 04, 2015 12:35 am

+1 for 2FA please
shiraz
Private
 

Re: 2FA + Removing .account password

by Aunstic » Sun Jul 05, 2015 6:21 pm

Bumping past the threads that will never get implemented either.
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by r00ty » Tue Jul 07, 2015 2:37 pm

As for 2FA method. It's possible to use the existing mobile authenticator in theory. Otherwise any method is possible.

The issue in my mind is how to have the user enter this? Reject first login, and second password is expected to be the 2FA code?

Have an addon which will prompt in game and kick after 1 minute if not supplied via .2fa command or similar?

Only use 2FA on website, in order to release/establish an IP lock?

I could be wrong, but I'm quite sure the standard authenticator popup wasn't in the client until 3.x some time.
Casual and proud.
r00ty
Sergeant
 

Re: 2FA + Removing .account password

by Aunstic » Tue Jul 07, 2015 8:00 pm

r00ty wrote: As for 2FA method. It's possible to use the existing mobile authenticator in theory. Otherwise any method is possible.

The issue in my mind is how to have the user enter this? Reject first login, and second password is expected to be the 2FA code?

Have an addon which will prompt in game and kick after 1 minute if not supplied via .2fa command or similar?

Only use 2FA on website, in order to release/establish an IP lock?

I could be wrong, but I'm quite sure the standard authenticator popup wasn't in the client until 3.x some time.

I wasn't suggesting any in-game additions to this. Removing .account password in game so any person that has your first password can harm your character, but not your account integrity by changing the password in-game.

As for the implementation on the login page of https://en.nostalrius.org/, any incorrect fields are still rejected as always.
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by Aunstic » Fri Jul 10, 2015 7:37 pm

Aaaaand we're bumping.
Aunstic
Knight-Lieutenant
 

Re: 2FA + Removing .account password

by Aunstic » Mon Jul 20, 2015 8:05 pm

Aaaaaand we're bumping again.

If someone would like some information regarding this, feel free to reply.
Aunstic
Knight-Lieutenant
 

Re: Login Page 2FA + Removing .account password

by Bioness » Wed Aug 12, 2015 7:39 am

bump.
Bioness
Knight-Lieutenant
 
