Should we have two-factor authenticators?

Knowledge

Sigtric wrote: »

2FA should definitely be an option.

Agree.

Raraaku

I'd love to see a 2-factor authentication, particularly when it comes to accounts that contain possible saved credit card numbers.

jedtb16_ESO

Raraaku wrote: »

I'd love to see a 2-factor authentication, particularly when it comes to accounts that contain possible saved credit card numbers.

zos do not retain credit/debit details

Knowledge

jedtb16_ESO wrote: »

Raraaku wrote: »

I'd love to see a 2-factor authentication, particularly when it comes to accounts that contain possible saved credit card numbers.

zos do not retain credit/debit details

How do they charge recurring subscriptions if they don't save your details?

Raraaku

jedtb16_ESO wrote: »

Raraaku wrote: »

I'd love to see a 2-factor authentication, particularly when it comes to accounts that contain possible saved credit card numbers.

zos do not retain credit/debit details

Your browser does though, and if the email you used to create your account is linked to say, chrome, and if you ever saved your billing information the autofill feature will retain that information to your linked email account.

Sure, there's the CCV, but that's not much protection.

Runefang

In SWTOR you used to get free 100 credits/coins whatever if you used the authenticator.

I'd used an authenticator only if I got the same. I'm not concerned about somebody stealing my ESO account otherwise.

Ojustaboo

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

You're one of those people on the internet that thinks you know better than everyone else and you're trying to make people think what they need based on what YOU need. I am not trying to flame you or offend you, I'm merely trying to communicate how others will see you and may get turned off when you talk like that.

Nowhere in my words did I ever claim myself or anybody is completely safe. Even if you take extraordinary precautions, there is always the possibility anyone can get hacked. Even I could get hacked. I know this very well and I am certainly not naive to the subject matter. I could easily spend days writing a book on this, but for what? All the information is already out there and is freely accessible.

Have I personally ever been hacked? Honestly, no. This is because online privacy and internet security are great passions of mine, I made a career out of this, and I extensively practice the very things that most people unfortunately don't. Could I still get hacked? Again, yes, I could. Anybody who believes that getting hacked won't happen to them is foolish.

In your last reply to me, you're talking about the government where security is paramount on a grand scale. But I've been talking about a silly online game that I really couldn't care much about. My very hard to guess password is enough for me. I stand firm, and I am only speaking for myself, I don't "need" an authenticator. I just want to be able to log into the game with very little hassle. I already have to wait through the loading screens.

When I originally posted in this thread, I showed support of the OP as long it was not mandatory. So you already have me (as well as others) on your side. But it's not necessary to school people on what they need or don't need. I don't want to get in a heated debate in a petty online game forum and I don't want to this thread to get locked, so I'm done here. Thanks for reading.

I doubt you can write books on the subject. It's very strange for anyone in the infosec industry to actually state they "don't need a two-factor authenticator". It's concerning to say the least if the individual works IT or Infosec.

No one in the field would be against adding additional layers of security it doesn't make sense. The only down side to a 2FA is inconvenience. The following statements are fact.

• 2FA can greatly improve your security
• 2FA adds an additional layer of security
• 2FA is only a minor inconvenience.

The only real safe 2FA is with a separate hardware token. There’s many ways to get around ones on smartphones if you know what you are doing.

I personally use a very very long jumble of random letters numbers and other characters, the longest whatever software, game etc will allow me to use.

If every bit of computing power on the planet was used to try to brute force my eso password, well both the game and probably the planet would be gone before they are likely to succeed.

I use keepass to generate and store my passwords in. So all I have to do once a day is type in my long keypass password from my book, insert extra characters at certain points that I remember (so should I get burgled and both my pc and book is stolen, they can’t get into keepass) and all is fine.

And my router password and my wireless password are both along the same lines.

Sure in theory someone might get lucky with a brute force attack, but no more likely ( probably less likely) than someone rightly guessing your token etc.

You can argue as much as you like about 2FA being safer, but for me, you are arguing that 2FA is safer than the many many many years it would take a huge cluster of say high end GPUs working 24/7 to get anywhere near any of my passwords I care about.

Maybe a load of the latest supercomputers could cut the time down a bit, but knowing how expensive these are, I doubt very much they are interested in hacking into my eso.

I do have a mobile, I have my wife, son, daughter, three friends, vet, Doctors in it. No other number is ever answered. And in the home it’s usually no where near my PC. Being forced to use it would be a pain in my bum that would achieve nothing but inconvenience.

Raraaku

@Ojustaboo

The vast majority of people do not practice proper security "hygiene" like you though. Hell even I'm not that stringent and infosec/networking is my area of concentration in my major. I should be, but I'm lazy and use a program to create, map, and store randomly generated passwords and upload it to an encrypted USB drive. But for most people, 2-factor is a good thing to have.

Erelah

One password I have used in the past (to annoy a friend) meets all the criteria for a secure password, while being a horrible to use password. S3cr3tPa$$w0rd

It meets the requirement of length, upper and lower case, with the mixture of numbers and symbols included. Sadly I had to stop using the password when I forgot what I set it to.

Knowledge

Ojustaboo wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Oh?

And how is it that you know what I need or don't need?

Because whether you like it or not there are security threats out there that make having a 2FA something everyone needs on the basis of vulnerability.

Ah, but you assume that I personally have this need without even knowing who or what I am in real life.

There are truly numerous and significant threats on the internet that unfortunately, most people underestimate or are unaware of. A majority of internet users are clueless when it comes to securing their own personal computers, home networks, portable devices (i.e. smartphones and tablets), and accounts of any kind (i.e. bank, social, gaming). I am not such a person.

First, any internet security professional knows how most people use easy to crack passwords. Two-factor authentication can help alleviate this significant worldwide problem, but it is not absolutely needed if the user always uses very strong and unique passwords for all of their accounts. Passwords should always be at least 10 to 15 characters in length (the longer, the better) and also be a random mixture of characters that include all of the following: numbers, both lower and uppercase letters, and special characters. Passwords should never be based on any personal information such as your name, address, phone number, SSN, birthdate, or anything a bad guy may easily learn of. One should never use the same password for multiple accounts because if just one of your accounts is compromised, then all of your other accounts that use the same password would then become compromised.

A password manager is a more useful tool than a two-factor authenticator. A good password manager, such as Keepassx, can not only store all of your unique passwords for all the accounts you have in existence, it can also randomly generate strong and unique passwords for you. Unfortunately, many people don't do this.

To be clear, I am not saying that an authenticator would be useless. Many people do need an authenticator but this need is individual. Again, I personally don't need such a thing, especially for an online game. Have I ever used two-factor authenticators? Oh, yes. I've used them when they were mandatory and I have also chosen to use them when they were optional. But I know very well what I need and nobody else knows what I need.

On a similar note, why doesn't ZOS allow us to use a different login username that is not the same as the displayed username to log into the game? When it comes to security, this is a mistake on the game company's part. When everyone can see your username that is used to log into the game, then the bad guys have one half of your login information. My forum username is not the same as my game username, by the way.

Another thing that many companies fail at are the so-called security questions that are supposed to help you recover your password should you ever lose your password or if the company must verify your identity. Have you seen these security questions? Many of them would use answers that would be easy for a bad guy to figure out. I've always felt that security questions should be entirely made up by the user so that the user can create unique questions and pair them with answers that nobody else knows or could possibly find out.

I've already written way too much and I don't want to get into a debate in a silly online forum, so I'll stop here. I have a long IT professional career that extensively includes the various aspects of internet security, so I know exactly what I need or don't need when it comes to a subject like this.

If you knew about internet security as much as you claim to you wouldn't think your home network, email, or game account are completely safe just because you practice safe computing and take precautions above the average user. Networks, algorithms, and databases that are ten thousand times more secure than whatever you utilize have been breached.

The department of defense and many government agencies use physical two-factor authenticators and sometimes several. Cracking your password is not the only method nor even the most common method for stealing your account.

You're one of those people on the internet that thinks you know better than everyone else and you're trying to make people think what they need based on what YOU need. I am not trying to flame you or offend you, I'm merely trying to communicate how others will see you and may get turned off when you talk like that.

Nowhere in my words did I ever claim myself or anybody is completely safe. Even if you take extraordinary precautions, there is always the possibility anyone can get hacked. Even I could get hacked. I know this very well and I am certainly not naive to the subject matter. I could easily spend days writing a book on this, but for what? All the information is already out there and is freely accessible.

Have I personally ever been hacked? Honestly, no. This is because online privacy and internet security are great passions of mine, I made a career out of this, and I extensively practice the very things that most people unfortunately don't. Could I still get hacked? Again, yes, I could. Anybody who believes that getting hacked won't happen to them is foolish.

In your last reply to me, you're talking about the government where security is paramount on a grand scale. But I've been talking about a silly online game that I really couldn't care much about. My very hard to guess password is enough for me. I stand firm, and I am only speaking for myself, I don't "need" an authenticator. I just want to be able to log into the game with very little hassle. I already have to wait through the loading screens.

When I originally posted in this thread, I showed support of the OP as long it was not mandatory. So you already have me (as well as others) on your side. But it's not necessary to school people on what they need or don't need. I don't want to get in a heated debate in a petty online game forum and I don't want to this thread to get locked, so I'm done here. Thanks for reading.

I doubt you can write books on the subject. It's very strange for anyone in the infosec industry to actually state they "don't need a two-factor authenticator". It's concerning to say the least if the individual works IT or Infosec.

No one in the field would be against adding additional layers of security it doesn't make sense. The only down side to a 2FA is inconvenience. The following statements are fact.

• 2FA can greatly improve your security
• 2FA adds an additional layer of security
• 2FA is only a minor inconvenience.

The only real safe 2FA is with a separate hardware token. There’s many ways to get around ones on smartphones if you know what you are doing.

I personally use a very very long jumble of random letters numbers and other characters, the longest whatever software, game etc will allow me to use.

If every bit of computing power on the planet was used to try to brute force my eso password, well both the game and probably the planet would be gone before they are likely to succeed.

I use keepass to generate and store my passwords in. So all I have to do once a day is type in my long keypass password from my book, insert extra characters at certain points that I remember (so should I get burgled and both my pc and book is stolen, they can’t get into keepass) and all is fine.

And my router password and my wireless password are both along the same lines.

Sure in theory someone might get lucky with a brute force attack, but no more likely ( probably less likely) than someone rightly guessing your token etc.

You can argue as much as you like about 2FA being safer, but for me, you are arguing that 2FA is safer than the many many many years it would take a huge cluster of say high end GPUs working 24/7 to get anywhere near any of my passwords I care about.

Maybe a load of the latest supercomputers could cut the time down a bit, but knowing how expensive these are, I doubt very much they are interested in hacking into my eso.

I do have a mobile, I have my wife, son, daughter, three friends, vet, Doctors in it. No other number is ever answered. And in the home it’s usually no where near my PC. Being forced to use it would be a pain in my bum that would achieve nothing but inconvenience.

Brute force attacks are the least likely to be used. Using a password manager of any kind, even Keepass, is actually making you more susceptible to having your password stolen. Remember they do not need to brute force anything to get your password it's much simpler if that is their goal.

LastPass a popular password manager was once attacked successfully leaving all of your eggs in one basket is not a good idea. In fact, Lastpass has been breached twice in the span of four years.

You can read about password managers here: https://gizmodo.com/am-i-an-idiot-for-still-using-a-password-manager-1711673486

A quote from the article:

It’s an imperfect reality, but to play it safe, it’s crucial to use two-factor authentication whenever you can—including in your password managers—and to choose a really complex master password. You can also bulk up your protections by using LastPass with a flash drive set up as a authentication device, which Lifehacker has written about in the past. Don’t be an idiot, do it.

Enemoriana

Yes, yes, we already understood you are two-factor-authentication-fanatic and can hear nothing aside.
Exactly such people make this things terrible for those who have no possibility or don't want use it.

Knowledge

Enemoriana wrote: »

Yes, yes, we already understood you are two-factor-authentication-fanatic and can hear nothing aside.
Exactly such people make this things terrible for those who have no possibility or don't want use it.

If you play World of Warcraft you have the OPTION of having an authenticator. If you play RIFT, ArcheAge, FFXIV, any modern MMO you have an OPTION of using it.

No one makes it "mandatory." It hurts no one but helps those that want to use it. You would never have to use it.

xbobx

there should be 2 step verification, period. Anyone that says otherwise needs to have their head exam. The fact this game doesn't have one shows how backward Zenimax are and how little they give a *** about their customers

its 2018, there is no excuse.

Enemoriana

Knowledge wrote: »

Enemoriana wrote: »

Yes, yes, we already understood you are two-factor-authentication-fanatic and can hear nothing aside.
Exactly such people make this things terrible for those who have no possibility or don't want use it.

If you play World of Warcraft you have the OPTION of having an authenticator. If you play RIFT, ArcheAge, FFXIV, any modern MMO you have an OPTION of using it.

No one makes it "mandatory." It hurts no one but helps those that want to use it. You would never have to use it.

Be honest to yourself: you'll never stop on option that affects absolutely nothing. Even here you are trying to prove that everybody needs it and it is the only possible way!

JWKe

Much needed. It'll be good for both ZoS CS as well as the players.

Anotherone773

Enemoriana wrote: »

Knowledge wrote: »

It's strange that so many people in this thread don't want or never had a smart phone...

Because they don't need it?
For example, I spend most part of my time at home, where I have computer. Phone is needed only for rare urgent calls, confirmation of orders/delivery in some stores and watching time when outside. Outside I don't use internet, I listen music on separate mp3 player, I take photos with separate camera, I read books on e-ink reader (more items, but thet will not discharge in few hours). Also I have tablet, one with attachable keyboard, it is just like small weak computer, only with touchscreen.
Why do I need smartphone?

You know a smartphone does all those for the price of one of those devices and you dont have to have a special device for each thing. One device every task. I also use the GPS on mine, accept credit/debit cards, deposit checks without ever setting foot in a bank. In fact i can do all my banking on my phone, the only thing it wont do is spit out cash. I can place orders, use it to compare prices, start my car and lock the doors from anywhere in the world with an inet connection, I can open and close my garage door from anywhere in the world. My phone can be used as a tv remote. It also makes phone calls and it goes whereever i am. So im not restricted to a certain range. I can start a conversation at work, continue it while i drive and finish it in my house while im going through my mail. I also have handsfree phone calls while driving and while not driving. I can send stuff to my printer, upload pics and have them delivered to my door all from my phone. No device transfers, processing at the store going to pick them up.

In fact there is not a whole lot you cant do with a smartphone if it normally takes another electronic item. I was of the crowd " i dont need a smartphone, i just make phone calls." and then i got one and its like having your own personal slave ... i mean khajiit assistant.

Knowledge

JWKe wrote: »

Much needed. It'll be good for both ZoS CS as well as the players.

Very much agreed.

Armatesz

Gythral wrote: »

They already use a 'crappy' two factor system,
if your IP address changes to one not seen before, you have to go through the email 4 step:
login
wait for email
open ticket to get email resent
use code

so a true 2 factor would be nice & probably cost ZoS far less than the CS needed atm

Ip spoofing is a real thing. If someone can figure out your ip then they can spoof it and you are sol.

Knowledge

Armatesz wrote: »

Gythral wrote: »

They already use a 'crappy' two factor system,
if your IP address changes to one not seen before, you have to go through the email 4 step:
login
wait for email
open ticket to get email resent
use code

so a true 2 factor would be nice & probably cost ZoS far less than the CS needed atm

Ip spoofing is a real thing. If someone can figure out your ip then they can spoof it and you are sol.

Exactly, people don't realize how much more security we could have with a 2FA.

Enemoriana

Anotherone773 wrote: »

Enemoriana wrote: »

Knowledge wrote: »

It's strange that so many people in this thread don't want or never had a smart phone...

Because they don't need it?
For example, I spend most part of my time at home, where I have computer. Phone is needed only for rare urgent calls, confirmation of orders/delivery in some stores and watching time when outside. Outside I don't use internet, I listen music on separate mp3 player, I take photos with separate camera, I read books on e-ink reader (more items, but thet will not discharge in few hours). Also I have tablet, one with attachable keyboard, it is just like small weak computer, only with touchscreen.
Why do I need smartphone?

You know a smartphone does all those for the price of one of those devices and you dont have to have a special device for each thing. One device every task. I also use the GPS on mine, accept credit/debit cards, deposit checks without ever setting foot in a bank. In fact i can do all my banking on my phone, the only thing it wont do is spit out cash. I can place orders, use it to compare prices, start my car and lock the doors from anywhere in the world with an inet connection, I can open and close my garage door from anywhere in the world. My phone can be used as a tv remote. It also makes phone calls and it goes whereever i am. So im not restricted to a certain range. I can start a conversation at work, continue it while i drive and finish it in my house while im going through my mail. I also have handsfree phone calls while driving and while not driving. I can send stuff to my printer, upload pics and have them delivered to my door all from my phone. No device transfers, processing at the store going to pick them up.

In fact there is not a whole lot you cant do with a smartphone if it normally takes another electronic item. I was of the crowd " i dont need a smartphone, i just make phone calls." and then i got one and its like having your own personal slave ... i mean khajiit assistant.

Yes, I know. Also I know a lot of people who often have troubles with their smartphone discharged in less then one day. I can spend all day taking photos and listening music - and I still will have active phone. My mp3 player can be used as USB flash drive without any adapter, which is often usefull. And e-ink is much more comfortable than smartphone screen. Plus using smartphone will be more expensive than my actual phone, where I spend less then $1 a month. It is stupid without internet, free wi-fi is not everywhere, and internet costs money.

Also I know that with smartphone one lost, broken or simply discharged device - quite possible and usual situations - will close access to all functions instead of one. And there is high chances that smartphone, as any complex device, will serve me for a less time than more simple (my mp3 player is 8 years old, camera 6, book 4, phone 10. In last 5 or 6 years my mother have already third smartphone, and my brother - seventh, I think. Not because of cool new models.)

Even if one day I'll have smartphone (more chances that reason will be "damned smartphones everywhere, my phone is completely broken and I can't find another like this!" than "Oh, I want it!"), I'll still use all my separate devices.

Beardimus

Knowledge wrote: »

SheepdogPaladin wrote: »

As long as two-factor authentication is not mandatory, I have no problem with it being offered as an option for those who want such a thing. I personally have no need for it. If this is ever implemented for TESO, it must not be mandatory.

You do need it though...

Totally disagree, i for one don't 'need' it nor would i want it. Why on earth do I need two factor authentication for a Computer Game how absurd.

As for App, can you guarantee support across all platforms even if everyone did have a smart phone which they won't.

But seriously of all the online services in my life that need additional security a game sure a heck isn't one of them

Beardimus

Prof_Bawbag wrote: »

Knowledge wrote: »

It's strange that so many people in this thread don't want or never had a smart phone...

Can only speak for myself. Whilst i do have a smart phone, I very rarely use it. Why? Because when push comes to shove, most are simply a lump of useless plastic in my experience and I've been through a lot of makes (Sony, Apple, Samsung, the usual manufacturers).

I do a lot of hill walking here in Scotland and step 3ft outside of civilisation and smart phones cease to work. It's a dead weight i could do without. Instead I use a trusty old Nokia that keeps its charge for 2 weeks at the very least, is very robust when dropped or bashed and actually works 3ft outside of civilisation. Call me old fashioned, but it's also a lot better doing what a phone was primary once created to do, make a damn phone call. Not everyone has a charging source on tap, not everyone lives in an urban area or an area that has ample coverage and so on.

Something i learnt years ago, never assume everyone's lifestyle and circumstances mirror that of your own. Once you realise that, you'll stop assuming your life is representative of the majority.

Spot on, and also that not everyone plays ESO in NA or on PC as this seems frequently forgotten on here

Aesthier

If they do this it should be "optional".


I don't like cell phones and I don't like authenticators... had bad personal experiences.

The_Protagonist

ZiRM wrote: »

Retinal scanning to login would be awesome.

Add blood DNA analysis along with finger print scan and facial recognition and you have a deal.

Beardimus

Asmael wrote: »

Relevant XKCD on password security:



Since 2-factor authentification is not something I have seen in that many MMOs, gotta do with what we got sometimes.

And a small extra to check whether one of your account has been compromised (if it shows red, you better change your password ASAP, if not... you still probably should ): https://haveibeenpwned.com/

@Asmael that's brilliant!!!

Radinyn

I've never had a smartphone so.. no.

Knowledge

Radinyn wrote: »

I've never had a smartphone so.. no.

It would be optional.