
Your ESO account is less secure during free to play events

  • Mesite
    I hate passwords. It took me 4 attempts just to sign into this forum. Most of the time they are totally pointless. I think that it's really annoying getting messages through email when I use my old computer that I just used a couple of weeks ago.
  • JoeCapricorn
    I literally got a new computer this week and I was a little curious as to why it let me right into the game without sending a code.

    In the past, sometimes my computer would reset and the overclocking would be disabled by itself (it was just an annoying issue, the computer ran fine for 8 entire years) - each time it did that, or each time I turned on the overclock, ESO would consider my computer a new device. I would have to enter a code each time that happened.

    It would also happen if I didn't play on my laptop for a long time.
    I simp for vampire lords and Glemyos Wildhorn
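The check the two posts above are describing (a code e-mailed when the account logs in from a machine the server does not recognise, and a fingerprint change such as a toggled overclock counting as a new machine) sketched as an added example. This is illustrative code written for this page, not ZeniMax's implementation; the fingerprint inputs, six-digit code, ten-minute lifetime, five-attempt limit and the `new_device_check` switch are all assumptions.

```python
"""Sketch of a new-device verification step for an account login.

Added example written for this page, not ZeniMax's code. The fingerprint
inputs, six-digit code, ten-minute lifetime and five-attempt limit are all
assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of an e-mailed code
MAX_CODE_ATTEMPTS = 5        # assumed: discard the code after this many wrong guesses


def device_id(user_agent: str, hardware_fingerprint: str) -> str:
    """Stable device identifier derived from client attributes (assumed inputs).

    Anything that changes the hashed attributes, such as a different clock
    profile after an overclock is toggled, yields a new id, so the server
    treats the same physical machine as an unrecognised device.
    """
    material = f"{user_agent}\x00{hardware_fingerprint}".encode()
    return hashlib.sha256(material).hexdigest()


class LoginService:
    """Password check followed by a one-time e-mail code for unknown devices."""

    def __init__(self, clock=time.time, new_device_check=True):
        self.clock = clock
        # The switch that, when off, lets an unknown device straight in on the
        # password alone; the thread above is about this check being disabled.
        self.new_device_check = new_device_check
        self.known_devices = {}   # account -> set of device ids
        self.pending = {}         # (account, device id) -> code state
        self.outbox = []          # (account, code) pairs standing in for sent e-mails

    def login(self, account: str, password_ok: bool, dev: str) -> str:
        """Return 'denied', 'ok', or 'code_required'."""
        if not password_ok:
            return "denied"
        if not self.new_device_check or dev in self.known_devices.get(account, set()):
            return "ok"
        code = f"{secrets.randbelow(10 ** 6):06d}"   # six decimal digits from a CSPRNG
        self.pending[(account, dev)] = {
            "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((account, code))
        return "code_required"

    def submit_code(self, account: str, dev: str, code: str) -> bool:
        """Verify the e-mailed code; on success the device becomes known."""
        key = (account, dev)
        entry = self.pending.get(key)
        if entry is None:
            return False
        if self.clock() > entry["expires"]:
            del self.pending[key]            # expired codes are never accepted
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            if entry["attempts"] >= MAX_CODE_ATTEMPTS:
                del self.pending[key]        # too many guesses: force a fresh login
            return False
        del self.pending[key]
        self.known_devices.setdefault(account, set()).add(dev)
        return True


if __name__ == "__main__":
    svc = LoginService()
    dev = device_id("ESO/1.0 Windows", "cpu=8c;clock=4.2GHz")   # constructed values
    print(svc.login("player", True, dev))                      # code_required
    print(svc.submit_code("player", dev, svc.outbox[-1][1]))   # True
    print(svc.login("player", True, dev))                      # ok
```

The code is compared in constant time, expires, and is discarded after a fixed number of wrong guesses, so the e-mail step cannot be brute-forced online even though the account name is public. Constructing the service with `new_device_check=False` reproduces the situation the thread complains about: a correct password from an unknown machine is enough.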
  • ZOS_Kevin (Community Manager)
    Hey All. Sorry for the delay here. Have a bit going on today for High Isle. Just to follow up, we have resolved this issue and the security measure is back in place for the free play event. If you run into any issues, please reach out.
    Community Manager for ZeniMax Online Studio and Elder Scrolls Online. Dev Tracker | Service Alerts | ESO Twitter
    Staff Post
  • Woeler
    ZOS_Kevin wrote: »
    Hey All. Sorry for the delay here. Have a bit going on today for High Isle. Just to follow up, we have resolved this issue and the security measure is back in place for the free play event. If you run into any issues, please reach out.

    Thanks a lot for taking this seriously. I'm glad it was resolved so quickly.
  • JoeCapricorn
    Yep, it had me enter in a code this time around. So now at least my new computer is official :3
    I simp for vampire lords and Glemyos Wildhorn
  • silvereyes
    ApoAlaia wrote: »
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is available to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my brain cells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Dissociating the login ID from the in-game ID has been requested ad nauseam.

    This is like absolutely basic security.

    Nonsense. I don't know what world you live in, but account IDs are not secrets. It isn't the secrecy of the account ID that keeps things secure. It's the secrecy of the combination of that ID with a secret, strong password that keeps things secure. The account ID itself adds very little security to the combination, and that can be easily recovered by just bumping up the minimum password length a bit.

    In almost every IT system I've ever worked with, account IDs have very little entropy and are either easy to iterate (e.g. numeric) or follow a simple pattern that can be easily guessed (e.g. first.last, first initial + last name, etc.). Even gamer tags are fairly susceptible to dictionary attacks, since the vast majority are just the combination of a couple of dictionary words and maybe a number or three.

    If Apple, Google and the vast majority of commercial and financial websites consider an email address to be an appropriate ID - and they can afford security researchers far smarter than I and protect data arguably far more valuable than some pixels in a video game - then I think ZOS is fine using gamer tags as login IDs.

    Still, password stuffing and brute-force attacks are real threats, and players do reuse gamer tags between games, so having some sort of protection against those attacks is extremely important, even if it's just a "fake 2FA" like an email confirmation code.
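The entropy argument in the post above (an account ID of a couple of dictionary words and a few digits, or a sequential number, is worth only a few extra password characters) worked through as an added example. This is illustrative code written for this page, not silvereyes' or ZOS's; the word-list size, the digit-suffix model and the 94-character password alphabet are assumptions.

```python
"""Estimate how much an attacker gains from already knowing the account ID.

Added example for this page; the numeric assumptions below are illustrative,
not figures from ZOS or from the forum posts.
"""
import math

WORDLIST_SIZE = 10_000      # assumed: vocabulary the two words of a tag are drawn from
MAX_DIGIT_SUFFIX = 3        # assumed: "maybe a number or three" -> 0..3 trailing digits
PASSWORD_ALPHABET = 94      # printable ASCII, for the password side of the comparison


def gamer_tag_bits(words: int = WORDLIST_SIZE, max_digits: int = MAX_DIGIT_SUFFIX) -> float:
    """Entropy in bits of a tag modelled as two dictionary words plus 0..max_digits digits."""
    suffix_choices = sum(10 ** n for n in range(max_digits + 1))   # 1 + 10 + 100 + 1000
    return math.log2(words ** 2 * suffix_choices)


def numeric_id_bits(population: int) -> float:
    """Entropy in bits of a sequential numeric ID over a user base of the given size."""
    return math.log2(population)


def extra_password_chars(id_bits: float, alphabet: int = PASSWORD_ALPHABET) -> int:
    """Password characters needed to add back the bits a secret ID would have contributed."""
    return math.ceil(id_bits / math.log2(alphabet))


def summary(population: int = 10_000_000) -> dict:
    """Both ID models side by side, with the password length that compensates for each."""
    tag = gamer_tag_bits()
    num = numeric_id_bits(population)
    return {
        "gamer_tag_bits": round(tag, 1),
        "gamer_tag_extra_chars": extra_password_chars(tag),
        "numeric_id_bits": round(num, 1),
        "numeric_id_extra_chars": extra_password_chars(num),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

Under these assumptions a gamer tag is worth roughly 37 bits, which six extra printable-ASCII password characters replace, and a sequential ID over ten million users is worth about 23 bits, or four characters. Either way the password, not the ID, carries the security, which is the point the post makes.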
  • Destai
    ZOS_Kevin wrote: »
    Hey All. Sorry for the delay here. Have a bit going on today for High Isle. Just to follow up, we have resolved this issue and the security measure is back in place for the free play event. If you run into any issues, please reach out.

    Thanks for resolving it quickly. Seems odd it was removed in the first place, why was that decision made?
  • ApoAlaia
    silvereyes wrote: »
    ApoAlaia wrote: »
    EnKor wrote: »
    EnKor wrote: »
    lol. I don't understand at all...

    You guys are scared of 2FA being enabled/disabled when the login ID is available to everyone. lol! Everyone can see our login ID and you're scared of 2FA?! lol

    I think I felt some of my brain cells die when I read that.

    Sorry about my English!
    I mean, it's more disturbing when everyone can see your ID, no? They "ignore" the first rule of security: hide login information.

    Dissociating the login ID from the in-game ID has been requested ad nauseam.

    This is like absolutely basic security.

    Nonsense. I don't know what world you live in, but account IDs are not secrets. It isn't the secrecy of the account ID that keeps things secure. It's the secrecy of the combination of that ID with a secret, strong password that keeps things secure. The account ID itself adds very little security to the combination, and that can be easily recovered by just bumping up the minimum password length a bit.

    In almost every IT system I've ever worked with, account IDs have very little entropy and are either easy to iterate (e.g. numeric) or follow a simple pattern that can be easily guessed (e.g. first.last, first initial + last name, etc.). Even gamer tags are fairly susceptible to dictionary attacks, since the vast majority are just the combination of a couple of dictionary words and maybe a number or three.

    If Apple, Google and the vast majority of commercial and financial websites consider an email address to be an appropriate ID - and they can afford security researchers far smarter than I and protect data arguably far more valuable than some pixels in a video game - then I think ZOS is fine using gamer tags as login IDs.

    Still, password stuffing and brute-force attacks are real threats, and players do reuse gamer tags between games, so having some sort of protection against those attacks is extremely important, even if it's just a "fake 2FA" like an email confirmation code.

    I live in a world where there is an important human element to security.

    If someone has malicious intent and they already know your login by default, that is less social engineering required to achieve the goal.

    You may not think twice about someone asking you for your email address, but you would probably raise an eyebrow if they asked you for your login.

    Thing is, they don't have to, because they already know.
    Edited by ApoAlaia on April 15, 2022 6:01PM
  • Munkfist
    Woeler wrote: »
    ZOS_Kevin wrote: »
    Hey All. Sorry for the delay here. Have a bit going on today for High Isle. Just to follow up, we have resolved this issue and the security measure is back in place for the free play event. If you run into any issues, please reach out.

    Thanks a lot for taking this seriously. I'm glad it was resolved so quickly.

    Thank you for bringing this to light! A bit terrifying to think of with how much time is put into our accounts.
    @Munkfist PC-NA
    The Devoted Torchbugs
    Antiquarian's Alpine Gallery Guildhall - Feel free to use!
    If your guild needs a crafthall, please feel free to reach out!
  • Jaimeh
    Thanks Woeler for bringing this to ZOS's attention, and thanks ZOS_Kevin for relaying this to the appropriate team.
  • silvereyes
    ApoAlaia wrote: »
    silvereyes wrote: »
    ApoAlaia wrote: »
    EnKor wrote: »
    EnKor wrote: »
    lol. I dont understand at all...

    You guys have scary of 2FA enable\disable when login ID is enable to every one. lol! Everyone can see our login ID and you're scary of 2FA?! lol

    I think I felt some of my braincells die when I read that.

    Sorry about my english!
    I mean, It's more disturbing when everyone can see your ID. no? They "ignore" the first rule of security... hide Login information.

    Dissociating the login ID from the in-game ID has been requested ad-nauseam.

    This is like absolutely basic security

    Nonsense. I don't know what world you live in, but account IDs are not secrets. It isn't the secrecy of the account ID that keeps things secure. It's the secrecy of the combination of that ID with a secret, strong password that keeps things secure. The account ID itself adds very little security to the combination, and that can be easily recovered by just bumping up the minimum password length a bit.

    In almost every IT system I've ever worked with, account IDs have very little entropy and are either easy to iterate (e.g. numeric) or follow a simple pattern that can be easily guessed (e.g. first.last, first initial + last name, etc.). Even gamer tags are fairly susceptible to dictionary attacks, since the vast majority are just the combination of a couple of dictionary words and maybe a number or three.

    If Apple, Google and the vast majority of commercial and financial websites consider an email address to be an appropriate ID - and they can afford security researchers far smarter than I and protect data arguably far more valuable than some pixels in a video game - then I think ZOS is fine using gamer tags as login IDs.

    Still, password stuffing and brute-force attacks are real threats, and players do reuse gamer tags between games, so having some sort of protection against those attacks is extremely important, even if it's just a "fake 2FA" like an email confirmation code.

    I live in a world where there is an important human element to security.

    If someone has malicious intent and they already know your login by default, that is less social engineering required to achieve the goal.
    I agree the human is the weak part of all of this. All the security in the world is worthless if you can convince someone to just hand over the keys. Even the best 2FA isn't proof against phishing.

    I disagree that knowing your login ahead of time changes anything, though. If someone is being socially engineered, and they don't raise eyebrows at being asked for their password, then they aren't going to hesitate to hand over a username as well.
  • xaraan
    I'm glad this is fixed. Though it's funny to see people saying "thanks for fixing it so fast." When the OP said he first reported it two years ago.
    -- @xaraan --
    nightblade: Xaraan templar: Xaraan-dar dragon-knight: Xaraanosaurus necromancer: Xaraan-qa warden: Xaraanodon sorcerer: Xaraan-ra
    AD • NA • PC