MAJOR security breach after Wolfhunter DLC

SiegeMerchant · August 2018

you dont need access code anymore
you can login from any account to any new PC/IP and game will not ask you about access code
tested many times with few accounts and friends

i think its major issue because alot account will be easily stolen...

P.S. confirm in comments guys if you experience the same

DuskMarine · August 2018

SiegeMerchant wrote: »

you dont need access code anymore
you can login from any account to any new PC/IP and game will not ask you about access code
tested many times with few accounts and friends

i think its major issue because alot account will be easily stolen...

oh lord yea this is a huge issue. @ZOS_GinaBruno @ZOS_JessicaFolsom this is a giant problem that needs fix asap above all else. security should be priority 1 why was this taken out?

Raraaku · August 2018

What exactly do you mean when you say access code? If we're talking about login/account passwords then yes, that is worrisome. I don't follow you, I apologize if I'm wrong, but I'm guessing English is not your native language?

Could you elaborate further?

Also, if it's a serious security flaw/breach directly contacting customer support and/or direct e-mail with evidence (screenshots) and a detailed explanation of the vulnerability would be a much better route to go rather than a semi-cryptic public message on an official forum where anyone can read.

DuskMarine · August 2018

Raraaku wrote: »

What exactly do you mean when you say access code? If we're talking about login/account passwords then yes, that is worrisome. I don't follow you, I apologize if I'm wrong, but I'm guessing English is not your native language?

Could you elaborate further?

Also, if it's a serious security flaw/breach directly contacting customer support and/or direct e-mail with evidence (screenshots) and a detailed explanation of the vulnerability would be a much better route to go rather than a semi-cryptic public message on an official forum where anyone can read.

if someone attempts to log into your account on another computer you have to confirm whether its you or not through a email. this stopped people who just guessed your password from getting into your account by confirming if its you or not.

SiegeMerchant · August 2018

obvioisly im talking about only one access code game asked you when you login from new place/hardware
its not working after new dlc - you just can login now without this extra security check
smthing is very wrong

BuddyAces · August 2018

If someone gets your password and tries to login from their comp, an access code is emailed to you. Entering the code allows you to log into your account from a new comp.

He's saying there's no more access code. You can log into any account on any comp.

essi2 · August 2018

@Raraaku The Access Code is ESOs two-factor system, it sends a code to your email (very slowly!) when it detects you are logging in from a 'New' device.

Sovjet · August 2018

SiegeMerchant wrote: »

you dont need access code anymore
you can login from any account to any new PC/IP and game will not ask you about access code
tested many times with few accounts and friends

i think its major issue because alot account will be easily stolen...

I'm on vacation atm, and every time I login I use a VPN, thus a different IP when I restart the laptop. And every time I got a email with a access code.

SiegeMerchant · August 2018

Sovjet wrote: »

SiegeMerchant wrote: »

you dont need access code anymore
you can login from any account to any new PC/IP and game will not ask you about access code
tested many times with few accounts and friends

i think its major issue because alot account will be easily stolen...

I'm on vacation atm, and every time I login I use a VPN, thus a different IP when I restart the laptop. And every time I got a email with a access code.

and when was your last login attempt with access code? my bet before Wolfhunter

Raraaku · August 2018

essi2 wrote: »

@Raraaku The Access Code is ESOs two-factor system, it sends a code to your email (very slowly!) when it detects you are logging in from a 'New' device.

That's what I was thinking.

Has anyone tried to reset their two-factor and see if it works afterwards? It could be something overlooked during maintenance, particularly account/crown store maintenance.

SiegeMerchant · August 2018

easiest way to reset two-factor imho - swap your RAM sticks

Raraaku · August 2018

SiegeMerchant wrote: »

Sovjet wrote: »

SiegeMerchant wrote: »

you dont need access code anymore
you can login from any account to any new PC/IP and game will not ask you about access code
tested many times with few accounts and friends

i think its major issue because alot account will be easily stolen...

I'm on vacation atm, and every time I login I use a VPN, thus a different IP when I restart the laptop. And every time I got a email with a access code.

and when was your last login attempt with access code? my bet before Wolfhunter

I'm guess since he is currently on vacation right now chances are he's signed in since DLC dropped, and he's still obtaining the two-factor authentication code.

I could be wrong though.

Raraaku · August 2018

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

SiegeMerchant · August 2018

Raraaku wrote: »

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

PC NA or EU?

OrdoHermetica · August 2018

Raraaku wrote: »

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

Or just unplug your monitor's power cable and then plug it back in. Seriously - it's super sensitive about hardware changes.

Raraaku · August 2018

SiegeMerchant wrote: »

Raraaku wrote: »

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

PC NA or EU?

Website and PC NA. I don't believe it matters what servers you're logging into since the two-factor authentication is tied to your account and any device your account is attempting to login from rather than the client/server it's trying to access. Any time it detects the account trying to login from a different/unknown source it should trigger the two-factor authentication; not what particular server you're trying to use.

Basically, if it's broken, it shouldn't be only localized to a particular server such as NA/EU/Website. It should either recognize the attempt from any server it's trying to access or none of them.

SiegeMerchant · August 2018

Raraaku wrote: »

SiegeMerchant wrote: »

Raraaku wrote: »

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

PC NA or EU?

Website and PC NA. I don't believe it matters what servers you're logging into since the two-factor authentication is tied to your account and any device your account is attempting to login from rather than the client/server it's trying to access. Any time it detects the account trying to login from a different/unknown source it should trigger the two-factor authentication; not what particular server you're trying to use.

Basically, if it's broken, it shouldn't be only localized to a particular server such as NA/EU/Website. It should either recognize the attempt from any server it's trying to access or none of them.

website
it explain everything
website codes is DIFFERENT
they coming with small letters and space

try ingame codes

Sheezabeast · August 2018

Yikes....

cheops · August 2018

I've always found this to be a bit hit and miss anyway. I often log in using previously unseen hotel wifi and by cellular means and get no prompt to enter the code.

Raraaku · August 2018

SiegeMerchant wrote: »

Raraaku wrote: »

SiegeMerchant wrote: »

Raraaku wrote: »

I just tested, and my two-factor authentication is working, prompts me for the authentication code.

SiegeMerchant wrote: »

easiest way to reset two-factor imho - swap your RAM sticks

Or just clear your caches...

PC NA or EU?

Website and PC NA. I don't believe it matters what servers you're logging into since the two-factor authentication is tied to your account and any device your account is attempting to login from rather than the client/server it's trying to access. Any time it detects the account trying to login from a different/unknown source it should trigger the two-factor authentication; not what particular server you're trying to use.

Basically, if it's broken, it shouldn't be only localized to a particular server such as NA/EU/Website. It should either recognize the attempt from any server it's trying to access or none of them.

website
it explain everything
website codes is DIFFERENT
they coming with small letters and space

try ingame codes

I've already stated I've tested both.

ajm1946 · August 2018

I've just tried logging into my account - PC NA and it asked for access code, tried 6 times every time access code was asked for.

Nestor · August 2018

With my gaming laptop, I dont have to do 2 Step when I go from place to place. Been that way for about a year.

burglar · August 2018

Raraaku wrote: »

What exactly do you mean when you say access code? If we're talking about login/account passwords then yes, that is worrisome. I don't follow you, I apologize if I'm wrong, but I'm guessing English is not your native language?

Could you elaborate further?

Also, if it's a serious security flaw/breach directly contacting customer support and/or direct e-mail with evidence (screenshots) and a detailed explanation of the vulnerability would be a much better route to go rather than a semi-cryptic public message on an official forum where anyone can read.

Quote for emphasis.

Radinyn · August 2018

maybe your IP doesnt change

Saturn · August 2018

I literally just today had to confirm my "new device" which has never changed. How exactly are you testing it? To my knowledge it's only if the IP is different or not already approved.

ADarklore · August 2018

Strange... I think only ONCE did I have to do the two-step authentication to access the GAME... but I have to do it every week or so when accessing my ACCOUNT. Think the Account has to do with cookies and when they expire... but as far as the PC, nope, haven't had to do the two step since the one time long ago. But I also haven't changed my hardware or anything that would warrant triggering a 'new device' issue.

Sylvermynx · August 2018

Saturn wrote: »

I literally just today had to confirm my "new device" which has never changed. How exactly are you testing it? To my knowledge it's only if the IP is different or not already approved.

This. My IP is infinitely variable, due to wildblue not allowing anything but business customers to have a static IP. I had to wait on the access code yesterday after downloading and installing the update - same computer, same mac addy, but wildblue changed my IP at some point yesterday and the game wouldn't let me log in without the access code.

PC/NA

Darcwolf · August 2018

Lol @ people thinking ip actually matters. There 2 step is a broken joke, I can use a VPN, or take my laptop to another city and it never triggers it, but I can overclock my PC and suddenly it wants a code and says I'm on a new IP. Apparently zenimax doesn't know what a ip address is.

ssorgatem · August 2018

Moved to a different town last week: no code required (before update 19)

Today: I reboot my PC: code required.

It seems to be working as always.

That is, quite randomly.