Login Page 2FA + Removing .account password

As I stated in earlier posts:
Hopefully this won't stray away from the main topic too much.
The only thing that needs to be done to suit better account security is to remove the ".account password" command in-game and add another column to the mangos db -> accounts table. The developers don't need to have much work to put in another factor of authentication really. If the developers don't wish to reinvent the wheel on this, github and other websites have libraries to easily implement 2FA such as https://github.com/eloquent/otis (PHP).
I understand where you're coming from when you want them to focus their time on bugs rather than a user control panel, but they have already reinvented the wheel with creating their own home page (https://en.nostlarius.org) so I believe they don't mind the time spent with creating modules for the user's security. Just look at the password reset function. It may not be the best, but it's something.
As for users not enabling 2FA on their accounts, people in the information security business would argue that even 1 user benefiting from this would mean it has shown some use. Assuming Viper or Daemon would put out an announcement for this just like the new features on the main page, I'm sure there would be more than 1 user enabling 2FA on their account(s). This is also beneficial for privileged users such as admins, developers, ISVV, staff, and any other group above user rank. If Viper and Daemon don't have their account(s) IP-restricted, I'm sure this will come in handy in case a real security threat comes into play such as the databases being dumped (hacked).
Malware on a user's computer eliminates privacy, but this allows players to be more secure if they use the same username/email and password for everything. A second password, key, etc may not be available on another site -- especially a phishing site that cannot determine whether or not you have a second password, key, secret, etc on your account at the time you "login" to a phishing website. Nostalrius knows because they own the database and the code allows only 1 of the options to be selected for the second factor.
The rest of your post openly states that people are ignorant and that the less ignorant users should not have to wait to be assisted, as their problems are seemingly higher priority than those of the ignorant users. My reply to this is that not everyone has the same knowledge. Customer support, public relations, 'tech support', ambassadors of any sort, and any other field that deals with passing knowledge on to someone else for support are all important fields if you think about it. Let me dig up an example here:
[...]
To conclude, a new module is not that hard to create and implement. Time can be saved if the developers implement a library for two-factor authentication instead of reinventing the wheel. The less ignorant users are not a higher priority than any ignorant users. I'm ignorant about cars.
Some knowledge to read up on:
https://github.com/blog/1614-two-factor-authentication
https://help.github.com/articles/about- ... ntication/
https://security.stackexchange.com/ques ... entication
(Google for more)
Aunstic wrote:
djwood84 wrote: It's not like Blizz where you can fax in your driver's license.
Honestly, you could implement something like this though. It's pretty simple too.
First, remove the ability to change your email/password in-game.
Second, implement two-factor authentication (2FA) through a private key (crypto), second password, secret question, one-time password (OTP), IP-Lock, etc.
This allows the admins to safely tell the players that they are at fault for any security breaches on a single account because there's a vast majority of software that still hasn't implemented anything beyond a username+password or email+password combo. What's even better is that adding a column to the end of the accounts table in the emulator's db shouldn't affect anything in-game wise. All that needs to be done is add a check whether or not an account has 2FA enabled or not in order to use it.
tl;dr having 2 types of passwords for 1 account allows players to be fully liable for their account as many services only have 1 type of password.
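The "add a column, then check it at login" design from the post above, as an added example that is not code from the thread, from MaNGOS or from the otis library: a minimal RFC 6238 TOTP verifier (HMAC-SHA1, 30-second step, one-step tolerance window) gated by an assumed `totp_secret` column on the accounts table, with an in-memory SQLite table standing in for the emulator's db. The secret, usernames and column name are constructed for the example; an account with a NULL secret has not enrolled a second factor and is accepted on password alone, which is the "check whether or not an account has 2FA enabled" branch the post describes.

```python
"""Added example: TOTP second factor gated by an extra accounts-table column."""
import base64
import hashlib
import hmac
import sqlite3
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (clock skew).
    compare_digest keeps the comparison constant-time."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the accounts table with the assumed added column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT, "
               "totp_secret TEXT)")  # totp_secret: base32, NULL = 2FA not enabled
    alice_secret = base64.b32encode(b"12345678901234567890").decode()  # RFC test key
    db.executemany("INSERT INTO account VALUES (?, ?, ?)",
                   [(1, "alice", alice_secret), (2, "bob", None)])
    return db


def second_factor_ok(db: sqlite3.Connection, username: str, code, at=None) -> bool:
    """Called after the password check: True when no 2FA is enrolled or the code is valid."""
    row = db.execute("SELECT totp_secret FROM account WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False  # unknown account: never accept
    if row[0] is None:
        return True  # 2FA not enabled on this account
    if not code:
        return False  # enrolled but no code supplied
    now = int(time.time()) if at is None else at
    return verify_totp(base64.b32decode(row[0]), code, now)
```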
AverageJoe wrote:While I support the concept of stronger security and better account recovery for this server, realistically the dev pool is very limited and I'd rather the devs' time be spent focusing more on delivering upcoming game content and fixing game breaking bugs. Honestly, any effort put into developing a good security setup is wasted if the user either doesn't take advantage of it or just flat out does stupid stuff like downloading malware and uses the same password for all their accounts and e-mail addresses.
I never have to worry about my account being stolen because I know what sites to avoid browsing, programs to avoid installing, never get infected with any kind of malware, and never share my credentials with others. Meanwhile there's users in the Support forum who openly admit to getting hacked on a frequent basis and losing access to their accounts for WoW, Rift, Tera, Guild Wars, etc. crying about how the staff needs to bend to their will and restore access, items, gear, gold, characters, etc. the way it was before they got hacked because "Blizzard and other companies do it."
So why should cautious, experienced players who know how to protect their data have to sit out and wait because the staff are busy babysitting those who forgot their password for the 100th time or cry they got hacked again because they don't know how to avoid scams and malware?