Your ESO account is less secure during free to play events

Woeler
Hello everyone,

I would like to share some information with you all, as I think you deserve to know, and I also think this issue should be fixed ASAP.

When logging into ESO from a new machine, a friend's PC, or basically any device from which you haven't logged in before, ESO will require your username and password as well as an 8-character code that is sent to the email address associated with your account.

One can debate whether this is true two-factor authentication or not, but at least it is an extra security measure, so that someone with access to your password cannot just hijack your account.

This applies to the game itself as well as the account page on the website (the one where you purchase your upgrades, ESO+, crowns, etc.).

Here's the deal: this "two factor" email security measure is deactivated across the board during free to play events. I do not know why, and it definitely is a problem in my opinion, because if it is deactivated during some events, then why have it at all?

I have reported this issue to Zenimax Online more or less a year ago (edit: I just checked, I reported it on the 10th of April 2020, and I also got a personal confirmation that the issue would be escalated), but it seems that with this free to play event, it is still here.

You can try this for yourself: simply log into your account on the Elder Scrolls Online account page with an incognito window. You will not need any email code. You can also log in to the game via a PC that has never logged into your account before (for instance a friend's PC). You will not need a code.

Once the free to play event is over, you will see that the emails with the codes return, and everything works as it should.

So yeah, that's it from me. Cheers for reading. Maybe this will be the wake-up call that'll get it fixed.

EDIT

Update from this morning: I am receiving reports from people that since this morning they are receiving 2FA codes again. So it could be that they fixed it just now.
Edited by Woeler on April 14, 2022 11:30AM
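The login flow described in the post above, written out as an added Python illustration (this is not ZOS's code and nothing here is taken from their systems). The account record, the device identifier, the in-memory outbox standing in for the mail server, and the `event_mode` flag are all assumptions for the example. `vulnerable_login` reproduces the reported behaviour, where an event flag skips the email challenge so that a password alone logs in any unknown device (the incognito-window test); `hardened_login` accepts the same flag but never lets it touch which factors are required.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed stand-in for the mail server: (recipient, code) pairs that
# would have been delivered as the 8-character login code.
OUTBOX = []


@dataclass
class Account:
    name: str                 # the public @handle, which is also the login ID
    email: str
    salt: bytes
    password_hash: bytes
    known_devices: set = field(default_factory=set)
    pending_codes: dict = field(default_factory=dict)  # device_id -> (code, expiry)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(name: str, email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(name, email, salt, _hash(password, salt))


def send_code(acct: Account, device_id: str) -> None:
    # 8 characters from an unambiguous alphabet, valid for ten minutes (assumed lifetime)
    alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    code = "".join(secrets.choice(alphabet) for _ in range(8))
    acct.pending_codes[device_id] = (code, time.time() + 600)
    OUTBOX.append((acct.email, code))


def _first_factor(acct: Account, password: str) -> bool:
    return hmac.compare_digest(_hash(password, acct.salt), acct.password_hash)


def _second_factor(acct: Account, device_id: str, code) -> str:
    """Email-code challenge for a device this account has never logged in from."""
    if device_id in acct.known_devices:
        return "ok"
    if code is None:
        send_code(acct, device_id)      # the owner gets the code, and a notification
        return "challenge_sent"
    pending = acct.pending_codes.get(device_id)
    if pending is None:
        return "denied"
    expected, expiry = pending
    if time.time() > expiry or not hmac.compare_digest(code, expected):
        return "denied"                 # pending code is kept so a typo can be retried
    del acct.pending_codes[device_id]
    acct.known_devices.add(device_id)   # from now on this device is trusted
    return "ok"


def vulnerable_login(acct, password, device_id, code=None, *, event_mode=False):
    """Behaviour the thread reports: during an event the challenge is skipped,
    so the password alone logs in any device and no email is ever sent."""
    if not _first_factor(acct, password):
        return "denied"
    if event_mode:
        acct.known_devices.add(device_id)   # new device trusted with no code
        return "ok"
    return _second_factor(acct, device_id, code)


def hardened_login(acct, password, device_id, code=None, *, event_mode=False):
    """Same call shape; event_mode is accepted so call sites match but is
    deliberately unused here. Event handling (login queues etc.) belongs in
    capacity logic, never in the decision of which factors are required."""
    if not _first_factor(acct, password):
        return "denied"
    return _second_factor(acct, device_id, code)
```

The point of the split is that the event flag has no path into `_second_factor` at all: a capacity switch and an authentication switch should not be the same switch, and a reviewer can verify that by reading the hardened function rather than by re-testing with an incognito window after every event.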
  • Sylvermynx
    Hmm. Interesting. Thanks for bringing this up....
  • perfiction
    *laughs in Steam 2FA*

    Real talk tho - this sucks. In order to give a better experience to potential new players, ZOS is putting current players at risk.
    Why did they do it? Disabled security emails -> lower load on the mail server -> shorter wait time for new account activation emails?
    Edited by perfiction on April 13, 2022 9:47PM
  • Oreyn_Bearclaw
    Wow, kinda scary TBH. I mostly view 2FA as an annoyance, but deep down, I am thankful it is there.
  • Tandor
    @ZOS_Kevin Could we have a response to this report please? It's disturbing enough to know that ZOS are introducing login queues for existing players in order to enable free access to new players but the idea that they're also disabling "two factor" email security during this period definitely requires confirmation and explanation.
    Edited by Tandor on April 13, 2022 9:36PM
  • BloodMagicLord
    perfiction wrote: »
    *laughs in Steam 2FA*

    It really sucks: in order to give a better experience to potential new players (shorter wait time for account activation emails?), ZOS is putting current players at risk.

    I'd guess that it's to reduce the number of actions that their login server has to perform, but who knows.
  • blue_peaceful_Manticore
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
  • BloodMagicLord
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.
  • wolfie1.0.
    I have confirmed that 2 factor is in fact disabled currently. This is concerning.
  • blue_peaceful_Manticore
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.
  • K9002
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
    Normally we're notified when anyone tries to access our accounts by brute force; it's alarming also for other accounts not related to ESO. With 2FA disabled, anyone is free to test databases of stolen passwords against all PC/Mac accounts except those bound to Steam.
  • Oreyn_Bearclaw
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Fair point. You have half the info you need to log into the account of anyone you encounter in game. Never thought about it, but it's true. Let's say I know @Player is super rich; it seems someone who knows what they are doing could brute force his password right now. That is really darn scary.

    If there is no 2FA currently, is there any safeguard on number of attempts before the account is locked?

    Way to start a panic, @Woeler LOL.
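The question just above (is there a lockout after some number of attempts?) and K9002's earlier point (with no second factor, leaked password lists can be tried against every visible @handle) both come down to what the login server does with failed attempts. The following is an added Python example, not ZOS's code: the log format is constructed for the illustration, the thresholds are assumptions, and the IPs are documentation ranges. It runs three sliding-window checks over the sample lines: an account that should be locked after repeated failures, a source IP that fails against many different accounts (credential stuffing), and a success that follows a burst of failures on the same account, which is the event an owner would want a notification for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not a real ZOS log format):
# timestamp, login ID (the public @handle), source IP, result.
SAMPLE_LOG = """\
2022-04-13T21:00:00Z @Alice 192.0.2.10 FAIL
2022-04-13T21:00:20Z @Alice 192.0.2.10 OK
2022-04-13T21:01:00Z @Player 198.51.100.1 FAIL
2022-04-13T21:01:10Z @Player 198.51.100.2 FAIL
2022-04-13T21:01:20Z @Player 198.51.100.3 FAIL
2022-04-13T21:01:30Z @Player 198.51.100.4 FAIL
2022-04-13T21:01:40Z @Player 198.51.100.5 FAIL
2022-04-13T21:01:50Z @Player 198.51.100.6 OK
2022-04-13T21:05:00Z @Guild1 203.0.113.9 FAIL
2022-04-13T21:05:02Z @Guild2 203.0.113.9 FAIL
2022-04-13T21:05:04Z @Guild3 203.0.113.9 FAIL
2022-04-13T21:05:06Z @Guild4 203.0.113.9 FAIL
2022-04-13T21:05:08Z @Guild5 203.0.113.9 FAIL
2022-04-13T21:05:10Z @Guild6 203.0.113.9 FAIL
"""

LINE = re.compile(r"^(\S+) (@\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, account, ip, result) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        yield ts, m.group(2), m.group(3), m.group(4)


def analyse(events, window=timedelta(minutes=10), account_fail_limit=5, ip_account_limit=5):
    """Sliding-window counters over failed logins (thresholds are assumptions).
    lockout:             accounts with >= account_fail_limit failures inside `window`
    stuffing_ip:         IPs that failed against >= ip_account_limit distinct accounts
    success_after_burst: an OK on an account that is still inside a failure burst"""
    fails = defaultdict(list)     # account -> timestamps of recent failures
    targets = defaultdict(set)    # ip -> accounts it has failed against
    findings = {"lockout": set(), "stuffing_ip": set(), "success_after_burst": set()}
    for ts, acct, ip, result in sorted(events):
        recent = [t for t in fails[acct] if ts - t <= window]   # drop aged-out failures
        if result == "FAIL":
            recent.append(ts)
            fails[acct] = recent
            targets[ip].add(acct)
            if len(recent) >= account_fail_limit:
                findings["lockout"].add(acct)
            if len(targets[ip]) >= ip_account_limit:
                findings["stuffing_ip"].add(ip)
        elif len(recent) >= account_fail_limit:
            # a correct password arriving right after a burst of wrong ones is the
            # signal the email code (or at least an email notification) would carry
            findings["success_after_burst"].add(acct)
    return {k: sorted(v) for k, v in findings.items()}


def attempt_allowed(findings, acct):
    """Enforcement hook: a locked account gets no further password checks until
    the owner unlocks it, so a public login ID alone does not buy unlimited guesses."""
    return acct not in findings["lockout"]


if __name__ == "__main__":
    print(analyse(parse_log(SAMPLE_LOG)))
```

Per-account lockout is what answers the question of attempt limits; the per-IP view is needed separately, because a stuffing run touches each account only once and never trips the per-account counter. Both are cheap compared with the email challenge they would otherwise stand in for, and neither depends on the mail server that the event was presumably trying to spare.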
  • wolfie1.0.
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Login IDs are going to get out for most systems one way or another. The items you protect are your password and the features you use to change your password (email).

    Your email account should always be locked behind as high a security MFA as you can have. Mainly the something you have and something you know method.

    That ZOS is bypassing it altogether is not good, because now I get no notification if an unauthorized device gains access to my account. With it on, I can go in and block them.
  • blue_peaceful_Manticore
    K9002 wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
    Normally we're notified when anyone tries to access our accounts by brute force, it's alarming also for other accounts not related to ESO. With 2FA disabled anyone is free to test databases of stolen passwords against all PC/Mac accounts except those bound to Steam.

    And like I said before, it all starts with your ID, and no one cares about that!

    1º Hide your ID
    2º Use strong Password
    3º Enable 2FA
    if you break this order... you're at risk!

    ZOS enabling/disabling 2FA... no problem at all, because everyone can see my ID.
  • Treeshka
    Well, the idea of someone seeing my account name during normal gameplay is not good. Since my in-game account is tied to Steam and it does not allow me to log in to the game without Steam, I feel extra safe with that.
  • ApoAlaia
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Dissociating the login ID from the in-game ID has been requested ad-nauseam.

    This is like absolutely basic security; I cannot possibly comprehend how they can ask us to be very mindful of account safety while forcing us to broadcast our login ID to the entire server.
  • wolfie1.0.
    EnKor wrote: »
    K9002 wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
    Normally we're notified when anyone tries to access our accounts by brute force, it's alarming also for other accounts not related to ESO. With 2FA disabled anyone is free to test databases of stolen passwords against all PC/Mac accounts except those bound to Steam.

    And like I said before, it all starts with your ID, and no one cares about that!

    1º Hide your ID
    2º Use strong Password
    3º Enable 2FA
    if you break this order... you're at risk!

    ZOS enabling/disabling 2FA... no problem at all, because everyone can see my ID.

    Brute force attacks can find login IDs. Hiding them is really only a delaying tactic.
  • ApoAlaia
    wolfie1.0. wrote: »
    EnKor wrote: »
    K9002 wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
    Normally we're notified when anyone tries to access our accounts by brute force, it's alarming also for other accounts not related to ESO. With 2FA disabled anyone is free to test databases of stolen passwords against all PC/Mac accounts except those bound to Steam.

    And like I said before, it all starts with your ID, and no one cares about that!

    1º Hide your ID
    2º Use strong Password
    3º Enable 2FA
    if you break this order... you're at risk!

    ZOS enabling/disabling 2FA... no problem at all, because everyone can see my ID.

    Brute force attacks can find login IDs. Hiding them is really only a delaying tactic.

    Brute force attacks can decrypt hashed passwords, setting a password is only a delaying tactic.
  • blue_peaceful_Manticore
    wolfie1.0. wrote: »
    Brute force attacks can find login IDs. Hiding them is really only a delaying tactic.

    Brute force attacks can bypass 2FA; setting up 2FA is only a delaying tactic.
  • ApoAlaia
    EnKor wrote: »
    wolfie1.0. wrote: »

    Brute force attacks can find login IDs. Hiding them is really only a delaying tactic.

    Brute force attacks can bypass 2FA; setting up 2FA is only a delaying tactic.

    Solution: no account security whatsoever, why delay the inevitable? everything open to everyone! \o/
  • ZOS_Kevin (Community Manager)
    Thanks for the tag, @Tandor. We are looking into this now and checking in with the appropriate parties. We'll follow up once we have more info.
  • Gaeliannas
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Actually no, seeing someone's login is pretty normal across most applications. Seeing their password, not normal, but some allow you to reveal it. 2FA or MFA is the single best protection you can have on an account, as it stops anyone who isn't you from getting in. Over 90% of all account breaches worldwide could have been stopped cold had the person been using 2FA or MFA on their account.

    Anyhow, no single thing will keep you protected, but 2FA or MFA make it near impossible, or more trouble than it is worth, to hack. So unless you are very rich and they are after your bank account, it's probably not worth it, especially not for some near worthless game account. Most targeted game hacks are actually from relatives (ticked off brother/sister/parents), a friend, or in rare cases someone you ticked off online who happens to be a hacker, or you made your password so easy they guessed it, or your reset answers, from your social media posts.

    Edited by Gaeliannas on April 14, 2022 12:52AM
  • Arunei
    EnKor wrote: »
    K9002 wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is visible to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol
    Normally we're notified when anyone tries to access our accounts by brute force, it's alarming also for other accounts not related to ESO. With 2FA disabled anyone is free to test databases of stolen passwords against all PC/Mac accounts except those bound to Steam.

    And like I said before, it all starts with your ID, and no one cares about that!

    1º Hide your ID
    2º Use strong Password
    3º Enable 2FA
    if you break this order... you're at risk!

    ZOS enabling/disabling 2FA... no problem at all, because everyone can see my ID.
    The thing you aren't considering is the second part of 2FA, which is needing both your email username and password to get into your email account. Normally a person trying to hack your ESO account isn't going to also conveniently know what your email username is. If the code isn't being mailed out at all, that means people don't even need to try to get into your email.

    Sure, it would be more secure if our usernames in-game also weren't our user IDs to log in with, but it's not as much of a problem when 2FA is actually working.
  • AzuraFan
    Since one half of our login credentials is already given away (which is mind boggling in this day and age), 2FA is essential. Yes, a determined hacker can still bypass it, but it eliminates the 99.9% going for low-hanging fruit.
  • Pevey
    It’s not really 2FA in best of times. If someone has access to your email, they have access to your account. Game over. The second factor should never be the same as what is used for password reset. That makes the second factor the only factor, in practice.

    Whatever email you use for ESO and any other account that is important to you, make it obscure, non-public (not on business cards, not given to friends, not used for everyday correspondence), and be sure to enable 2FA on THAT account.

    Edit: also don’t store old emails in that account. When you get various confirmation emails, delete them. If someone compromises that email, you don’t want to give them a road map of what other accounts that address is linked to.
    Edited by Pevey on April 14, 2022 1:13AM
  • aaisoaho
    When reading the title I did not expect to see what I saw here. This doesn't sound good at all. Usually the end-user should be the weakest link in cybersecurity, but this stripping of 2FA is kinda alarming. As a kid would say: "Give it back!"
  • Woeler
    Update from this morning: I am receiving reports from people that since this morning they are receiving 2FA codes again. So it could be that they fixed it just now.
  • ApoAlaia
    I have just been 'challenged' when logging into my account via the website and received the relevant code via email.

    Not sure about the game.
  • Pevey
    coletas wrote: »
    I doubt anybody would try to brute force a server that takes even minutes to reply. And once inside, what is the problem? They destroy all your sets? Well, like ZOS in every chapter/DLC. Have fun in the lag fest!!

    People do target high value eso accounts. They sell them. There are shady sites for such things.
  • ApoAlaia
    Pevey wrote: »
    coletas wrote: »
    I doubt anybody would try to brute force a server that takes even minutes to reply. And once inside, what is the problem? They destroy all your sets? Well, like ZOS in every chapter/DLC. Have fun in the lag fest!!

    People do target high value eso accounts. They sell them. There are shady sites for such things.

    Pretty much this.

    Without entering 'thou shalt not discuss such matters here!' territory, one's account security is a perfectly valid and genuine concern; if compromised, it has the potential to be a very distressing event with very few guarantees of a satisfactory resolution.
    Edited by ApoAlaia on April 14, 2022 12:37PM
  • Woeler
    @ZOS_Kevin So, is there an update?