ESO needs authenticators NOW!

Ravage

While I understand that zeni believes their current IP logging system to be flawless, like every MMO developer in history, the choice to show ACCOUNT NAMES for pretty much every in game social action is beyond foolish to me. You have given away 50% of our initial security to anyone who happens to own a pencil and a game client.

I was very surprised, and quite frankly, disturbed, when the account-name-for-everything system went into full effect. Any guild member, friend, or mail recipient/sender that any of us come into contact with has the potential to store our account name....

You know, those account names where you offer no other form of protection except a password.... and we all know how easy passwords are to break these days...

Please, please, please! Give us authenticators, or embed a system to use the google authenticators, or anything! Something!

The number of 'gold sellers' alone currently ingame is enough reason to make any experienced MMO player want to run for the hills. It's only a matter of time until they start targeting guild leaders and high volume traders.

Zeni.... Handle this!

Laerrus

I've been thinking about this too and I really wish TESO would have have had an open beta, many of the problems people are now having could have been solved with the additional feedback.

Displaying my account name for all to see makes me not want to play. I've got good security measures in place with my password but that probably won't stop a brute-force attack.

JeffKnight

Agreed 100%. I asked on reddit, Facebook, and Twitter about authenticators, and got no response. This is a MUST for any MMO these days, even if you don't give away the account name.

When, in the first week of launch, you've had to /ignore over 1000 gold spammers, you NEED to get this in. It needed to be in for launch. It MUST be in the next patch, unless you want to spend 100% of your time investigating account breaches and restoring items. It doesn't take forever to build in dual-authentication and an iphone/android app for it. Everything else aside, this should be priority number one.

CaptainFishSticks

Laerrus wrote: »

I've been thinking about this too and I really wish TESO would have have had an open beta, many of the problems people are now having could have been solved with the additional feedback.

Displaying my account name for all to see makes me not want to play. I've got good security measures in place with my password but that probably won't stop a brute-force attack.

Past experience has shown me that open betas do little else to fix a game's stability. If anything, people take it as an opportunity to try the game and judge if whether or not they would want to play it when it's fully released.

Not that they don't do the same with a closed beta, but open betas make it more obvious.

Princess_Leia

I so totally agree with OP. I think it was very foolish of them to display our Login names all over the chat system. Games like WOW that have their username and passwords hidden along with authenticators have STILL GOTTEN HACKED! My hubby was a victim of that. And in ESO, we are ALL just sitting ducks. Its not a matter of IF we get hacked. Its WHEN we get hacked. I seriously hope they will do something about this. Some of my friends used their real names as their logins. This is VERY concerning indeed.

spartycus

I don't want an authenticator, its all hassle. If you have a decent password nobody will be able to hack your account, unless you have a key logger on your system. But if you have your password hacked I'd worry about more than an MMO.

Saerydoth

I agree that authenticators should be made available. An Android/IOS app would be sufficient. Ironically though, the people who get authenticators are usually the ones who don't need them (they already know how to handle security). But they still do a lot of good.

Laerrus

CaptainFishSticks wrote: »

Laerrus wrote: »

I've been thinking about this too and I really wish TESO would have have had an open beta, many of the problems people are now having could have been solved with the additional feedback.

Displaying my account name for all to see makes me not want to play. I've got good security measures in place with my password but that probably won't stop a brute-force attack.

Past experience has shown me that open betas do little else to fix a game's stability. If anything, people take it as an opportunity to try the game and judge if whether or not they would want to play it when it's fully released.

Not that they don't do the same with a closed beta, but open betas make it more obvious.

Aw come'on... that's like saying everyone does it.

I have participated in an open beta and I was a participant in the reporting process. For the record, I did go on to buy time on the game when it was released.

Elsonso

They need to add a :panic: emoticon to the forums...

SuperCahouete

I agree 100%. I was shocked to see that our account name is accessible to anyone. The first thing i learned in MMOs is that you NEVER EVER use your login as your character name.

Moreover, it is totally killing roleplay for guilds. I dont get why Zenimax built it like this.

spartycus wrote: »

I don't want an authenticator, its all hassle. If you have a decent password nobody will be able to hack your account, unless you have a key logger on your system. But if you have your password hacked I'd worry about more than an MMO.

BruteForce ? 20millions accounts ? still looks safe to you ?

JeffKnight

spartycus wrote: »

I don't want an authenticator, its all hassle. If you have a decent password nobody will be able to hack your account, unless you have a key logger on your system. But if you have your password hacked I'd worry about more than an MMO.

Not exactly true. Even the best passwords can be cracked with time and effort. The fact isn't that "I have a secure password, why don't you?" It's about overall security of the game and the fact that the game, by its very design, has given 50% of the required login info. Let's at least try and cut it down to 1/3, with another 1/3 left up to some kind of one-time use key generator locked to the account in question that will be nearly impossible to crack, unless you steal the device generating the login key.

http://xkcd.com/936/

Schlumpit

They already have 2 part authentication. If someone trys to log into your account from different IP address, then they need the code that is emailed to you. If they have access to your email then you have more security issues than an authenticator can fix.

Saerydoth

Schlumpit wrote: »

They already have 2 part authentication. If someone trys to log into your account from different IP address, then they need the code that is emailed to you. If they have access to your email then you have more security issues than an authenticator can fix.

Unfortunately, a lot of people have a bad habit of using the same password on their email that they do in other places. But yes, this is not something that Zenimax or an authenticator can fix.

d.zid.816b16_ESO

I was a little taken aback when i realised my account name was visable in game as well.
Very disturbing lack of foresight there.

raykai12000b16_ESO

thay do have a AUTHENTICATOR in the back-end if your IP changes you will need to send a code that you get from a e-mail.... works like other MMOS like Tera online it also locks up if you enter a wrong password to many times

SuperCahouete

I dont understand why we shouldn't have authenticator, i see only benefits and it's easy to set up.

Fenbrae

An authenticator doesn't sound like a bad idea.
I personally don't feel unsafe because both my account and my e-mail address have very different passwords (both of them a slur of letters and numbers), but people who don't want an authenticator can just...not buy one.
I would definately get one if they decide to create one.

Loxy37

I've gotta say that I feel a little uneasy over it even though I've played MMOs since ultima online and never been hacked. STO and neverwintee both use the @username formula and I've never had issue in 4 years of STO but like I say, I have a very uneasy feeling because ESO is a much bigger fish than the aforementioned games.

Edit: we wouldn't need a physical authenticator although I would buy one, would settle for android or apple.

JeffKnight

Schlumpit wrote: »

They already have 2 part authentication. If someone trys to log into your account from different IP address, then they need the code that is emailed to you. If they have access to your email then you have more security issues than an authenticator can fix.

Incorrect. I logged in at my church last night, and it didn't ask.

Krekko

I mean, pretty much every large player has an authenticator at this point. I can't imagine why they'd intentionally launch without one. Even if it's just for added security and is redundant, it still is one of the best methods of keeping account safe, it was really... ridiculous to launch with none.

dysphorya

Completely agree. I see only benefits of an authenticator, too.

@Fenbrae, unfortunately this practice (separate passwords) among us security-minded folks is dismally in the minority.

Ravage

Bump, because this needs an answer from a ZOSy.

bwilson.homeb16_ESO

1) Harvest account names
2) Test those account names against common passwords (password, 123456, etc,)
3) Profit

Ravage

Bump again.

chris.g.mcewanb16_ESO

I disagree with everyone hating on the account name being visible. I believe it adds ease of use I find it all too ridiculous in mmos that require you to play within the game as separate characters needing to join guilds and alts etc. What I do believe is that even with ip logging the game client can be fooled with the authentication system. Authenticators in mmos are a must and add a tertiary layer of security that will in most cases remove a large portion of stolen accounts breached by key loggers and password crackers. The option to have this added layer of security just reinforces the other systems and makes account targeting nearly impossible without raising flags preventing the breach. It's a matter of implementation. However this being said we as the player don't have the numbers and don't know how much of a problem this has been or will be.

liquid_wolf

The lack of an authenticator has caused two questions for players:

1. Is my password strong enough?
2. Is my email secure enough?

Good questions to ask, and good things to take into account.

SuperCahouete

Hiding account login doesn't mean you can't have an account name. It's just a name added BETWEEN your login and your character name. It will be similar for all your characters and it will share guilds, chat, etc... It just needs to be different from the login.

Najah

I would actually like an authenticator as well. I don't feel this system is quite secure enough, nor do I feel that the account name should be openly displayed like that. It seems unsafe. So I too am adding a voice for another stage of security...and that's even though I'm cautious about my passwords not being the same on different sites.

A paid for keychain authenticator like WoW or SWTOR had, or even the addition of a mobile app, would be one more step toward peace of mind.

Hopefully there's a response that this is in the works.

Noth

JeffKnight wrote: »

Schlumpit wrote: »

They already have 2 part authentication. If someone trys to log into your account from different IP address, then they need the code that is emailed to you. If they have access to your email then you have more security issues than an authenticator can fix.

Incorrect. I logged in at my church last night, and it didn't ask.

Funny, I've logged in from my school, my parents place, a friend's place, and others and they all locked me out until I put in teh code sent to my email.

maholi

Yeah, it seems fairly secure since every IP change means a trip to your e-mail.

Mace

chris.g.mcewanb16_ESO wrote: »

I disagree with everyone hating on the account name being visible. I believe it adds ease of use I find it all too ridiculous in mmos that require you to play within the game as separate characters needing to join guilds and alts etc. What I do believe is that even with ip logging the game client can be fooled with the authentication system. Authenticators in mmos are a must and add a tertiary layer of security that will in most cases remove a large portion of stolen accounts breached by key loggers and password crackers. The option to have this added layer of security just reinforces the other systems and makes account targeting nearly impossible without raising flags preventing the breach. It's a matter of implementation. However this being said we as the player don't have the numbers and don't know how much of a problem this has been or will be.

What concerned me equally was the user names on the forums.

I wasn't a huge fan of the "assigned" forum names from beta.

Do you want a bunch of random people knowing who you are IRL?