🔓 Why does ESO not have proper 2FA options after 6+ years?

scorpius2k1
This is a PSA, a bit of a rant, and also a glaring question for Zenimax.

Why doesn't ESO have a proper implementation for 2FA (Two Factor Authentication) as an option? The current implementation of a code sent to your email seems a quite lazy way of 2FA, if it can even be called that. Before I go any further, please note that my personal email account has always had strong 2FA authentication and was ensured to not be compromised in any way (private email, access to system logs, etc). Email password was also changed immediately as a preventative when the issue was found but issues still persisted on the ESO side of things. I also use the standalone ESO client on PC and not through Steam/Stadia (even though the error message referenced it).

Today, I tried to log in to ESO and was given a login error. I visited the website and also could not log in there. Upon checking my email, there were 20+ emails regarding password reset and also a successful login to my account as I also had a code to allow login from another device. Keep in mind here that I use a very secure password and had logged onto my account just yesterday less than 24h ago without issue on the same machine and Internet connection. What is more concerning is my password WAS actually changed by someone. I changed my password and attempted to log in to the game and received the same message. Not even a minute later, another password reset email had come in and yet another code confirmation with a successful login and I was even locked out of my account via the website. No one else has ANY access to my email, ESO account, etc. whatsoever. This smells like a huge security breach or major bug to me. I was finally able to gain access to my account again after changing my password not once, but twice within the same hour to finally log in. I should also note here that I had submitted a ticket with detailed information only to get back the vanilla copy pasta "we will assume your issue is resolved if we do not hear back" email. Ridiculous.

I have had my ESO account for years and never have experienced this so it is a bit concerning why this happened in the first place, and to the extent it did, and out of nowhere. What is even worse is literally EVERYONE'S account login name is exposed to every single player while in-game with our @account_names so that just leaves password attempts. Please everyone, keep an eye on your account just to be on the safe side. I don't understand why Zenimax has not taken measures like an authenticator app, mobile verification, etc as a 2FA to give users options to further secure their accounts, a frequently used practice online. This isn't the first time this topic has been discussed, even one here way back from 2015! Not surprisingly, nothing has ever been addressed and no acceptable solution has been implemented in that time.

It's 2020. Security is and has always been a big deal to many of us. Things like this shouldn't be happening nor should they be a topic especially with the amount of time and money potentially spent on just a single ESO account being put at risk due to lackluster security options, simple ones at that. Bethesda/Zenimax is a large and established company, there isn't an excuse for this imho.

@ZOS_MattFiror @ZOS_RichLambert @ZOS_GinaBruno @ZOS_JessicaFolsom

eso-login-error.png
Edited by scorpius2k1 on September 5, 2020 7:52PM
🌎 PC/NA
🐧 Linux (Arch)
🧑‍💻 ESO Addon Dev
⚔️ Stamplar | Magplar | Stamcro | Magsorc | Magcro Healer
  • MashmalloMan
    Edit: nvm.
    Edited by MashmalloMan on September 5, 2020 6:45PM
    PC Beta - 2200+ CP

    Stam Sorc Khajiit PvE/PVP Main || Stam Sorc Dark Elf PvP ||
    Stam Templar Dark Elf || Stam Warden Wood Elf || Stam DK Nord || Stam Necro Orc || Stam Blade Khajiit


    Mag Sorc High Elf || Mag Templar High Elf || Mag Warden Breton || Mag Necro Khajiit || Mag Blade Khajiit
  • Swordancer
    Isn't game account secured with e-mail address 2FA? I mean I remember getting codes on e-mail when I'm logging in from different IP address or device.
  • Tandor
    I agree about 2FA - as an option - and also about the absurdity of having to show your account name in public. ZOS do, of course, have the protection system of sending alerts when the account is accessed from a different location and that seems to have worked pretty well for both ESO and a number of other games.

    In my experience the number of posts about suspected or actual hacks of accounts in ESO has been minuscule in comparison with other game forums, and where such things occur elsewhere they tend either to relate to players sharing their accounts with e.g. housemates or guildmates, or to stem from some other hack/malware on their computer including email accounts. I strongly recommend that you review your own circumstances in these respects with particular reference to the prudence of changing any other passwords - especially if you are one of many users who use a simple password or the same one on multiple sites/applications etc. Doubtless you don't, but what's beyond doubt is that many still do!
  • Pevey
    Your email account HAS been compromised. That sucks. Secure it asap.
  • scorpius2k1
    Swordancer wrote: »
    Isn't game account secured with e-mail address 2FA? I mean I remember getting codes on e-mail when I'm logging in from different IP address or device.

    That is a VERY weak form of it, not an acceptable solution but a lazy one.
  • linuxlady
    See when you purchase and login through steam you can have an email log in different from your eso login account email and so even if you get your login stolen from eso, the most they can do is unlink your account so no one can play.

    Your email account is compromised and so you need to secure that first.
  • scorpius2k1
    Pevey wrote: »
    Your email account HAS been compromised. That sucks. Secure it asap.

    linuxlady wrote: »
    See when you purchase and login through steam you can have an email log in different from your eso login account email and so even if you get your login stolen from eso, the most they can do is unlink your account so no one can play.

    Your email account is compromised and so you need to secure that first.

    It is easy to think that but definitely not the case here, I thought it was a possibility too when it happened so changed my email password immediately when I noticed the login issue. I also have 2FA on my email address so it would be next to impossible without anyone else having access to my secondary method, I also had no notification on that end. Same things were still happening with ESO however, as I described in my post. Hard to say what happened here, but it is concerning to say the least.

    @linuxlady I also don't have ESO through Steam, I have the standalone client and always have. That login error above mentioning Steam/Stadia must be a generic reference.

    Edited by scorpius2k1 on September 5, 2020 7:30PM
  • Pevey
    Often hackers will set your email to forward to another address, without changing anything else. Check those settings. You can change your password, and the email keeps getting forwarded. You are definitely compromised. I really am sorry. ESO may be the least of your concerns but instead an early warning. Check any financial accounts linked to that email for sure.
  • scorpius2k1
    Pevey wrote: »
    Often hackers will set your email to forward to another address, without changing anything else. Check those settings. You can change your password, and the email keeps getting forwarded. You are definitely compromised. I really am sorry. ESO may be the least of your concerns but instead an early warning. Check any financial accounts linked to that email for sure.

    While true and good advice, and I appreciate it, my email is definitely not compromised as mentioned in my prior reply regarding two others suggesting the same. I am fully aware how email systems work, especially the industry I work in. ;)
  • Swordancer
    It's not weak solution but lazy one definitely. If you don't use the same password for your e-mail box and game account, you got 2FA on your mailbox then there shouldn't be any problem until your gaming device is hacked. That way hacker might use your network and device to get around it. I agree that there should be third party 2FA using smartphone but such thing works similarly to mailbox solution and mailbox can be usually secured with better 2FA.

    I don't also like that you can't remember your password in game because it is such a waste of time and also doesn't make game any safer.
  • scorpius2k1
    Swordancer wrote: »
    It's not weak solution but lazy one definitely. If you don't use the same password for your e-mail box and game account, you got 2FA on your mailbox then there shouldn't be any problem until your gaming device is hacked. That way hacker might use your network and device to get around it. I agree that there should be third party 2FA using smartphone but such thing works similarly to mailbox solution and mailbox can be usually secured with better 2FA.

    I don't also like that you can't remember your password in game because it is such a waste of time and also doesn't make game any safer.

    Agreed on all of the above. I take my own personal security very seriously and always have. Never reusing the same passwords, changing frequently, and using complex passwords, properly implemented 2FA, etc. I get why others might pass it off with something as simple as an email compromise, but the level of access I have to my own private email (and logs therein) as well as 2FA already on my email, I can ensure that wasn't the case here. It is what it is at this point however, and I was able to resolve the issue on my own before even making this post, but I would also hope ZoS could be better responsible to ensure we can secure our accounts properly if all other measures have been taken and issues still arise.

    My biggest reason for creating a topic on this (yet another one by another user), is to spread awareness of what I experienced today.

    Thanks all for your time and responses. ESO community is the best. :)

    .
    Edited by scorpius2k1 on September 5, 2020 8:05PM
  • code65536
    Swordancer wrote: »
    Isn't game account secured with e-mail address 2FA? I mean I remember getting codes on e-mail when I'm logging in from different IP address or device.

    And every time there is a free play event, that system gets disabled for the duration of the free play event. For everyone. LOL.
    Nightfighters ― PC/NA and PC/EU

    Extended Journal Add-Ons: Item Set Browser ― Loot Log ― Character Knowledge ― Collectibles Tracker ― Raidificator