Should we have two-factor authenticators?

SheepdogPaladin

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

Juju_beans

Knowledge wrote: »

Most major MMORPGs offer an authenticator app for your phone or even a physical authenticator. This makes me feel more secure and I like using them. Even some titles that wouldn't be considered "AAA" like RIFT and ArcheAge have these apps.

Should we have two-factor authenticator apps?

Nope cause I don't have a smartphone..just a regular cell phone I use to make phone calls.

swippy

where is the "told" button?

Knowledge

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

DocFrost72

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

I care a lot less about my eso account than the pentagon tho

Knowledge

DocFrost72 wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

I care a lot less about my eso account than the pentagon tho

So do I just dislike it when people make false statements about internet security.

DocFrost72

Knowledge wrote: »

DocFrost72 wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

I care a lot less about my eso account than the pentagon tho

So do I just dislike it when people make false statements about internet security.

But what I'm saying is I care so much less about it comparatively that I wouldnt even pay the extra 20$ or whatever if I didn't have a smart phone. So...optional or bust

Knowledge

DocFrost72 wrote: »

Knowledge wrote: »

DocFrost72 wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

I care a lot less about my eso account than the pentagon tho

So do I just dislike it when people make false statements about internet security.

But what I'm saying is I care so much less about it comparatively that I wouldnt even pay the extra 20$ or whatever if I didn't have a smart phone. So...optional or bust

Most two-factor authenticators are optional in games. Some do offer benefits in the game when they are used. I believe Blizzard gives you a mount, pet, and some bag space but never forces you to use it.

PlagueSD

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

No matter how secure you think your system is, there's always the "user". They are targeted the most when trying to breech networks. Social Engineering is MUCH MORE effective than trying to brute-force your way in.

Knowledge

PlagueSD wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

No matter how secure you think your system is, there's always the "user". They are targeted the most when trying to breech networks. Social Engineering is MUCH MORE effective than trying to brute-force your way in.

The user is only one component to several. It is not the most exploited option in high profile breaches like the Sony breach.

RinaldoGandolphi

Two factor authentication is not necessarily more secure. In fact it could be less secure. As you are now shifting the security burden of your account from your email to your smart phone...a mobile device that could easily be stolen.

Two factor Authentication weakness lies not ply how physically secure they keep their phone, but how often it’s updated, how often they let others use it,and how secure they keep the device.

In the case of ESO I thinks it’s a poor choice that adds unnecessary complexity. I know the DOD and US government agencies sometimes use Authenticators, Biometrics, Etc to two factor, but our game accounts are not classified government data.

I’d rather they spend the resources fixing the lag

Lake

Even ancient dying F2P MMOs have 2FA. Time for them to get with the times.

Asmael

Relevant XKCD on password security:



Since 2-factor authentification is not something I have seen in that many MMOs, gotta do with what we got sometimes.

And a small extra to check whether one of your account has been compromised (if it shows red, you better change your password ASAP, if not... you still probably should ): https://haveibeenpwned.com/

jedtb16_ESO

Gythral wrote: »

jedtb16_ESO wrote: »

it's fine as it is.

No it is not, it is better than nothing but only just, but I guess those than think otherwise have no clue how laughably easy it is to get compromised

ok... tell me how you are going to compromise me.

my system is about as secure as it could be.... plus i do not share passwords etc.

Knowledge

Lake wrote: »

Even ancient dying F2P MMOs have 2FA. Time for them to get with the times.

This.

SheepdogPaladin

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

You're one of those people on the internet that thinks you know better than everyone else and you're trying to make people think what they need based on what YOU need. I am not trying to flame you or offend you, I'm merely trying to communicate how others will see you and may get turned off when you talk like that.

Nowhere in my words did I ever claim myself or anybody is completely safe. Even if you take extraordinary precautions, there is always the possibility anyone can get hacked. Even I could get hacked. I know this very well and I am certainly not naive to the subject matter. I could easily spend days writing a book on this, but for what? All the information is already out there and is freely accessible.

Have I personally ever been hacked? Honestly, no. This is because online privacy and internet security are great passions of mine, I made a career out of this, and I extensively practice the very things that most people unfortunately don't. Could I still get hacked? Again, yes, I could. Anybody who believes that getting hacked won't happen to them is foolish.

In your last reply to me, you're talking about the government where security is paramount on a grand scale. But I've been talking about a silly online game that I really couldn't care much about. My very hard to guess password is enough for me. I stand firm, and I am only speaking for myself, I don't "need" an authenticator. I just want to be able to log into the game with very little hassle. I already have to wait through the loading screens.

When I originally posted in this thread, I showed support of the OP as long it was not mandatory. So you already have me (as well as others) on your side. But it's not necessary to school people on what they need or don't need. I don't want to get in a heated debate in a petty online game forum and I don't want this thread to get locked, so I'm done here. Thanks for reading.

Knowledge

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

You're one of those people on the internet that thinks you know better than everyone else and you're trying to make people think what they need based on what YOU need. I am not trying to flame you or offend you, I'm merely trying to communicate how others will see you and may get turned off when you talk like that.

Nowhere in my words did I ever claim myself or anybody is completely safe. Even if you take extraordinary precautions, there is always the possibility anyone can get hacked. Even I could get hacked. I know this very well and I am certainly not naive to the subject matter. I could easily spend days writing a book on this, but for what? All the information is already out there and is freely accessible.

Have I personally ever been hacked? Honestly, no. This is because online privacy and internet security are great passions of mine, I made a career out of this, and I extensively practice the very things that most people unfortunately don't. Could I still get hacked? Again, yes, I could. Anybody who believes that getting hacked won't happen to them is foolish.

In your last reply to me, you're talking about the government where security is paramount on a grand scale. But I've been talking about a silly online game that I really couldn't care much about. My very hard to guess password is enough for me. I stand firm, and I am only speaking for myself, I don't "need" an authenticator. I just want to be able to log into the game with very little hassle. I already have to wait through the loading screens.

When I originally posted in this thread, I showed support of the OP as long it was not mandatory. So you already have me (as well as others) on your side. But it's not necessary to school people on what they need or don't need. I don't want to get in a heated debate in a petty online game forum and I don't want to this thread to get locked, so I'm done here. Thanks for reading.

I doubt you can write books on the subject. It's very strange for anyone in the infosec industry to actually state they "don't need a two-factor authenticator". It's concerning to say the least if the individual works IT or Infosec.

No one in the field would be against adding additional layers of security it doesn't make sense. The only down side to a 2FA is inconvenience. The following statements are fact.

• 2FA can greatly improve your security
• 2FA adds an additional layer of security
• 2FA is only a minor inconvenience.

PlagueSD

Knowledge wrote: »

PlagueSD wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

No matter how secure you think your system is, there's always the "user". They are targeted the most when trying to breech networks. Social Engineering is MUCH MORE effective than trying to brute-force your way in.

The user is only one component to several. It is not the most exploited option in high profile breaches like the Sony breach.

It sure is...The Sony breech was a result of Malware getting installed. I wonder how that could have happened? Users clicking on a link in an email perhaps?

Enemoriana

Knowledge wrote: »

PelinalWhitestrake wrote: »

I'm not gonna spend $400 on a measly phone to just to make some calls or send texts just because it has a shiny touch pad and it's the "best new thing" of the year.

They usually sell a physical authenticator for $20.

Would be much more funny in my country.
If they'll ever do such thing, we'll have it a year later, with no announcement and it will end in few days. Or we'll be able pay twice more for delivery, yeah.
Not saying $20 isn't "nothing", at least in our currency.

BelleSorciere

I'm a fan of optional two factor authentication. Let me download an authenticator to my smartphone, but everyone doesn't have to do it.

Or heck, text me a code.

The current system with e-mail works okay for me (the e-mail always arrives fairly quickly).

Sweetpea704

Knowledge wrote: »

Most major MMORPGs offer an authenticator app for your phone or even a physical authenticator. This makes me feel more secure and I like using them. Even some titles that wouldn't be considered "AAA" like RIFT and ArcheAge have these apps.

Should we have two-factor authenticator apps?

As much as I crash while in trials.... or Cyro.... or walking around in a big city....can we not do that?

Pea

Knowledge

BelleSorciere wrote: »

I'm a fan of optional two factor authentication. Let me download an authenticator to my smartphone, but everyone doesn't have to do it.

Or heck, text me a code.

The current system with e-mail works okay for me (the e-mail always arrives fairly quickly).

It's strange that people keep emphasizing that the authenticator has to be optional when there's no game in existence that requires one or ever made it mandatory.

If it were mandatory it would prevent a large number of individuals from accessing the game. Those of you without smart phones or the ability to acquire the optional authenticator key would be unable to log in and therefore unwilling to give Zenimax any money.

No one in their right mind would make it mandatory and I don't think it should even have to be stated.

Knowledge

Sweetpea704 wrote: »

Knowledge wrote: »

Most major MMORPGs offer an authenticator app for your phone or even a physical authenticator. This makes me feel more secure and I like using them. Even some titles that wouldn't be considered "AAA" like RIFT and ArcheAge have these apps.

Should we have two-factor authenticator apps?

As much as I crash while in trials.... or Cyro.... or walking around in a big city....can we not do that?

Pea

No one is going to make it mandatory there's no game in existence that has mandatory authenticators. Why do you guys think it has to be mandatory or that anyone would even consider that?

MLGProPlayer

We already do. Any time you log in from a new IP address, you are sent a confirmation code via email that you need to use.

I don't like mobile authenticators because it's a headache to regain access to your account if you ever lose your phone.

Knowledge

MLGProPlayer wrote: »

We already do. Any time you log in from a new IP address, you are sent a confirmation code via email that you need to use.

I don't like mobile authenticators because it's a headache to regain access to your account if you ever lose your phone.

So, if they implement it don't add one.

DieAlteHexe

BelleSorciere wrote: »

I'm a fan of optional two factor authentication. Let me download an authenticator to my smartphone, but everyone doesn't have to do it.

Or heck, text me a code.

The current system with e-mail works okay for me (the e-mail always arrives fairly quickly).

*has terrible flashback*

Sometimes that text bit doesn't work. I spent over a year trying to get an MMO company to understand that despite them sending it, it never arrived. We can tell this as we run our own ISP. Just never hit. Probably a bunch of emails floating around out there, lost...sad. Happily, this is a rare occurrence.

Enemoriana

Knowledge wrote: »

BelleSorciere wrote: »

I'm a fan of optional two factor authentication. Let me download an authenticator to my smartphone, but everyone doesn't have to do it.

Or heck, text me a code.

The current system with e-mail works okay for me (the e-mail always arrives fairly quickly).

It's strange that people keep emphasizing that the authenticator has to be optional when there's no game in existence that requires one or ever made it mandatory.

If it were mandatory it would prevent a large number of individuals from accessing the game. Those of you without smart phones or the ability to acquire the optional authenticator key would be unable to log in and therefore unwilling to give Zenimax any money.

No one in their right mind would make it mandatory and I don't think it should even have to be stated.

Problem is when somebody becomes paranoid about security, it can make full access much more difficult. Like Steam, where you have to wait 15 days between placing and actually selling some stupid smile or something.

Sigtric

2FA should definitely be an option.

ZOS_Mika

We have recently removed some unnecessary back and forth from this thread. This is a reminder to keep this discussion civil and constructive.

fierackas

ZOS_MikaS wrote: »

We have recently removed some unnecessary back and forth from this thread. This is a reminder to keep this discussion civil and constructive.

Quel surprise, threads would run a lot smoother if people weren't so dismissive of others opinions