Login Page 2FA + Removing .account password

We are always open to new ideas. Come here if you have a suggestion, we will discuss it together.

Re: Login Page 2FA + Removing .account password

by billys1337 » Fri Aug 14, 2015 2:24 pm

BUMP
This is important I believe. Hope this happens. Love everything about Nostalrius except feeling unsecured from account threats.

Thanks to everyone involved with Nostalrius for all the great work!
billys1337
Grunt

Re: Login Page 2FA + Removing .account password

by Aunstic » Sat Aug 15, 2015 12:04 pm

Bioness wrote:bump.

billys1337 wrote:BUMP
This is important I believe. Hope this happens. Love everything about Nostalrius except feeling unsecured from account threats.

Thanks to everyone involved with Nostalrius for all the great work!

Thanks guys. Glad I brought some attention to this again.
Aunstic
Knight-Lieutenant

Re: Login Page 2FA + Removing .account password

by Syleynna » Sat Aug 15, 2015 4:35 pm

bumpage

I recently had a malware scare ... I fixed it (I hope) but it makes me wonder about people who are not aware that they have malware on their computers.

Hackers should not be rewarded by giving them a simple means to change the original password in game. Honestly, I find it extremely odd that the devs would give them an additional tool to keep the original account owner out.

Please change this :)
Syleynna
Sergeant

Re: Login Page 2FA + Removing .account password

by Aunstic » Sat Aug 15, 2015 4:39 pm

Syleynna wrote:bumpage

I recently had a malware scare ... I fixed it (I hope) but it makes me wonder about people who are not aware that they have malware on their computers.

Hackers should not be rewarded by giving them a simple means to change the original password in game. Honestly, I find it extremely odd that the devs would give them an additional tool to keep the original account owner out.

Please change this :)

The devs actually had nothing to do with this command being allowed in game. Account level 0 (all player accounts) should have .account password on it, but since the server has such a large population and level 60s are being sold for over $400, I believe anyone will try to get their hands on an account no matter what.
Aunstic
Knight-Lieutenant

Re: Login Page 2FA + Removing .account password

by Mopar » Mon Aug 24, 2015 7:42 am

This is partially a BUMP and partially a question to Aunstic.

Bump portion: because people whose accounts are compromised are just SOL and pretty much have to abandon it - the recovery mechanism in place is clumsy and easily defeated. You can see thread after thread of people who have lost their account. "You should be more careful" is not a valid approach; in fact it's blaming the victim.

Question portion: Wouldn't the 2FA scheme you've outlined require some kind of modification of the client to work? Where would you enter in the 2nd authentication factor? If it's just concatenated somehow into the password field, then that is not actually 2FA - all you have in that case is just a single, more complex password. That is, unless you use a time-sensitive key generator or an OTP approach, but that would require external software.

I'd be thrilled if they just added 2FA to the web password reset capability, removed the looney 10 day inactivity requirement, and removed the ability to change password in game. This could be done with zero changes to Mangos (except a configuration change), and just changes to the website approach.
The pizza level in my bloodstream is dangerously low.
Mopar
Sergeant Major

Re: Login Page 2FA + Removing .account password

by Aunstic » Mon Aug 24, 2015 10:57 am

Mopar wrote:Question portion: Wouldn't the 2FA scheme you've outlined require some kind of modification of the client to work? Where would you enter in the 2nd authentication factor? If it's just concatenated somehow into the password field, then that is not actually 2FA - all you have in that case is just a single, more complex password. That is, unless you use a time-sensitive key generator or an OTP approach, but that would require external software.

I'd be thrilled if they just added 2FA to the web password reset capability, removed the looney 10 day inactivity requirement, and removed the ability to change password in game. This could be done with zero changes to Mangos (except a configuration change), and just changes to the website approach.


Honestly, I should clarify this a bit more in the main OP. I'm thinking about rewriting it while keeping the old OP in a pastebin or something along those lines. What I meant to say is to add a 2FA to the login page on https://en.nostalrius.org/login and remove .account password (in-game command). This would allow people to have security both on the login page where nobody can request a password change and a compromised account cannot have its password changed in-game so the owner still retains the account even if a login wasn't from the owner.

You made a valid point on 2FA in-game though. There's another approach to it beyond the login page if you wanted to make sure characters are not played, but can still be deleted/accessed. Login => Character selection => 2FA challenge upon entering the server; time-based -- at this point you're only creating a second password though since a key isn't exactly viable in this situation.

OTP also doesn't require third-party software at all. There are implementations in C that can easily be used here. I don't expect OTP to be implemented as much as keys are though.

For your last paragraph, I'm glad we see eye-to-eye. The password reset they have is quite odd and can swing in favor of the person stealing an account. This would basically hinder them from stealing the account and only allow them to damage characters at this point.
Aunstic
Knight-Lieutenant
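Mopar's proposal above (2FA on the web password reset using a time-based OTP, with the in-game change disabled), as an added example that is not code from this thread or from Nostalrius: a TOTP check per RFC 6238 that gates the reset, tolerating one step of clock drift and refusing a code that was already consumed. The Account class, the salt and the secret (the RFC reference value) are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1         # tolerate one step of clock drift either side

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // STEP)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, totp_secret: bytes):
        self.salt = b"constructed-salt"            # constructed; use os.urandom in practice
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.last_counter = -1                     # highest time step already consumed

    def verify_totp(self, code: str, now: int) -> bool:
        """Accept a code from the current step or its neighbours, never twice."""
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= self.last_counter:
                continue                           # already used: replay rejected
            if hmac.compare_digest(hotp(self.totp_secret, c), code):
                self.last_counter = c
                return True
        return False

    def reset_password(self, code: str, new_password: str, now: int) -> bool:
        """Web reset path: the second factor gates the credential change."""
        if not self.verify_totp(code, now):
            return False
        self.password_hash = hash_password(new_password, self.salt)
        return True

# Constructed demo secret: the RFC 6238 reference value, not any real account's key.
DEMO_SECRET = b"12345678901234567890"
```

The in-game side needs no code here: with `.account password` unavailable to player accounts, the gated web reset becomes the only way to change the credential.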

Re: Login Page 2FA + Removing .account password

by PriestInOurTime » Sun Aug 30, 2015 1:51 pm

Just wanted to show my support for this suggestion. No more, no less.
Pristine realms... Industrial levels of stupidity.
PriestInOurTime
Senior Sergeant

Re: Login Page 2FA + Removing .account password

by Aunstic » Mon Aug 31, 2015 4:10 am

PriestInOurTime wrote:Just wanted to show my support for this suggestion. No more, no less.

Support shown. Love has been given. <3
Aunstic
Knight-Lieutenant
