chriz
Volition Cult The Volition Cult
14
|
Posted - 2013.04.21 09:47:00 -
[1] - Quote
One thing that I feel is missing in Eve is def. an option to have a higher security authentication process like Google Authenticator or Battle.net's Authenticator. 3-minute one-time security PINs that are unique for every player. And have this as an option to add it to its account to authenticate and download a mobile phone application to hold the software and the authentication generation process on.
If that would be possible it would be awesome, as you invest a lot of time and effort into this game and don't want your account to be stolen or taken over. With this type of authenticator it would be really really hard to get through the regular way.
/chriz
|
Pak Narhoo
Splinter Foundation
934
|
Posted - 2013.04.21 10:01:00 -
[2] - Quote
(Non working) authenticators were once given out to Fanfest attendees, if I'm not mistaken that was prior to the Incarna riots. Never read or heard anything about them since.
Cannot say I miss it. |
Deladian
Terrorist On Top No.1
1
|
Posted - 2013.04.21 10:01:00 -
[3] - Quote
CCP gave us one at Fanfest, still waiting for it to be usable. |
Dave Stark
2713
|
Posted - 2013.04.21 10:05:00 -
[4] - Quote
there's not really a need for such a thing.
common sense is already enough to stop your account getting "stolen" or whatever. |
Klymer
Hedion University Amarr Empire
197
|
Posted - 2013.04.21 10:20:00 -
[5] - Quote
Stop using password as your password. |
Tau Cabalander
Retirement Retreat Working Stiffs
1729
|
Posted - 2013.04.21 10:39:00 -
[6] - Quote
Klymer wrote: Stop using password as your password.
http://xkcd.com/936/ |
James Amril-Kesh
4S Corporation RAZOR Alliance
4636
|
Posted - 2013.04.21 10:44:00 -
[7] - Quote
I wonder how many people subsequently used "correct horse battery staple" as their actual password.
Malcanis for CSM 8 Module activation timers are buggy - CCP please fix |
Wodensun
ZeroSec
89
|
Posted - 2013.04.21 10:46:00 -
[8] - Quote
Dave Stark wrote:there's not really a need for such a thing.
common sense is already enough to stop your account getting "stolen" or whatever.
Bullshit. With signature/heuristic-based AV you're always running after the fact. This means a virus/trojan/keylogger has to be known for it to be detected. |
Dave Stark
2713
|
Posted - 2013.04.21 10:51:00 -
[9] - Quote
Wodensun wrote:Dave Stark wrote:there's not really a need for such a thing.
common sense is already enough to stop your account getting "stolen" or whatever. Bullshit with signature/heuristic based AV your always running after the facts. This means a virus/trojan/keylogger has to be known for it to be detected.
enjoying a decade and counting of not having any of my accounts stolen. regardless of what the account is for.
feels good. |
|
Chribba
Otherworld Enterprises Otherworld Empire
7819
|
Posted - 2013.04.21 10:55:00 -
[10] - Quote
For myself I'd just be happy if I could lock my accounts to IP (yes won't work for everyone I know)
/c
Wodensun
ZeroSec
89
|
Posted - 2013.04.21 11:03:00 -
[11] - Quote
Dave Stark wrote:Wodensun wrote:Dave Stark wrote:there's not really a need for such a thing.
common sense is already enough to stop your account getting "stolen" or whatever. Bullshit with signature/heuristic based AV your always running after the facts. This means a virus/trojan/keylogger has to be known for it to be detected. enjoying a decade and counting of not having any of my accounts stolen. regardless of what the account is for. feels good.
And thats your counter argument? Haaaahahaahahahaaha no wait for it... Whaaaahaahahahaa now be gone noob.
Chribba wrote:For myself I'd just be happy if I could lock my accounts to IP (yes won't work for everyone I know)
/c
Chribs, that can be defeated as well. The thing with the authenticator is the hacker won't know the next key in sequence and he can't generate it.
Consider ARP spoofing/poisoning ;-) |
Turelus
Caldari Independent Navy Reserve The Fourth District
363
|
Posted - 2013.04.21 11:11:00 -
[12] - Quote
I would always support an authenticator, it's another layer of security and they're normally optional. Haters don't have to use them; those who want to can.
Lieutenant Turelus
Caldari Independent Navy Reserve
The Fourth District |
Lord Haur
Grim Determination Nulli Secunda
56
|
Posted - 2013.04.21 11:12:00 -
[13] - Quote
Deladian wrote: CCP gave us one at Fanfest, still waiting for it to be usable.
Here's a pic of mine.
Still got it lying about somewhere. |
James Amril-Kesh
4S Corporation RAZOR Alliance
4636
|
Posted - 2013.04.21 11:17:00 -
[14] - Quote
I still don't get how these things actually work, anyway.
It took me a while just to understand the basic concepts behind public key cryptography.
Edit: Oh, never mind, that was actually not that bad.
Malcanis for CSM 8 Module activation timers are buggy - CCP please fix |
Wodensun
ZeroSec
89
|
Posted - 2013.04.21 11:24:00 -
[15] - Quote
James Amril-Kesh wrote:I still don't get how these things actually work, anyway.
It took me a while just to understand the basic concepts behind public key cryptography.
Okay, you log in as normal, then you're prompted to provide a 6-digit key which has been generated with the authenticator. The server knows which key to expect; if the key matches the expected 6-digit key your login is successful. That's it in a nutshell.
http://en.wikipedia.org/wiki/Multi-factor_authentication |
chriz
Volition Cult The Volition Cult
14
|
Posted - 2013.04.21 11:30:00 -
[16] - Quote
Just imagine going to Fanfest and sitting down at one of their terminals and logging in, to find out later that for some reason that computer had a keylogger?
And as I said I would like to be given an option to choose how I want to secure my valuable subscription time.
/chriz
|
chriz
Volition Cult The Volition Cult
14
|
Posted - 2013.04.21 11:31:00 -
[17] - Quote
Pak Narhoo wrote:(Non working) authenticators where once given out to fanfest attendees, if I'm not mistaken that was prior to the incarna riots. Never read or heard anything about them since.
Cannot say I miss it.
Well maybe you'll miss it if and when it happens, but then again that's when it's kinda too late.
/chriz
|
Lord Haur
Grim Determination Nulli Secunda
56
|
Posted - 2013.04.21 11:33:00 -
[18] - Quote
James Amril-Kesh wrote:I still don't get how these things actually work, anyway.
It took me a while just to understand the basic concepts behind public key cryptography.
Long story short, these run an algorithm with two inputs. The first is easy enough, the authenticator's UniqueID. The second is a little more complicated, usually either the current time or the previous result. These inputs are manipulated to produce an auth token. The server can run the same algorithm, using the authenticator's ID associated with the account. If the two results match, then authentication is successful.
The token distributed at FF2011 appears to use the timestamp method - the result only updates every 30s or so. |
Obsidian Dagger
Nitrus Nine
91
|
Posted - 2013.04.21 12:15:00 -
[19] - Quote
I would support an authenticator. Physical (easy to lose/break, but unique to your account) or an android (or iOS) app, which at least would be easy to get (instead of paying three PLEX and waiting 28 days for delivery).
Blizzard have the right idea (I use my android app version for Starcraft 2), with their authenticators. |
James Amril-Kesh
4S Corporation RAZOR Alliance
4636
|
Posted - 2013.04.21 12:24:00 -
[20] - Quote
Lord Haur wrote:James Amril-Kesh wrote:I still don't get how these things actually work, anyway.
It took me a while just to understand the basic concepts behind public key cryptography. Long story short, these run an algorithm with two inputs. The first is easy enough, the authenticator's UniqueID. The second is a little more complicated, usually either the current time or the previous result. These inputs are manipulated to produce an auth token. The server can run the same algorithm, using the authenticator's ID associated with the account. If the two results match, then authentication is successful. The token distributed at FF2011 appears to use the timestamp method - the result only updates every 30s or so.
Yeah, the part I was confused about is how the server knows which input to expect. But that makes sense.
Malcanis for CSM 8 Module activation timers are buggy - CCP please fix |
Chribba
Otherworld Enterprises Otherworld Empire
7821
|
Posted - 2013.04.21 13:24:00 -
[21] - Quote
Wodensun wrote:Dave Stark wrote:Wodensun wrote:Dave Stark wrote:there's not really a need for such a thing.
common sense is already enough to stop your account getting "stolen" or whatever. Bullshit with signature/heuristic based AV your always running after the facts. This means a virus/trojan/keylogger has to be known for it to be detected. enjoying a decade and counting of not having any of my accounts stolen. regardless of what the account is for. feels good. And thats your counter argument? Haaaahahaahahahaaha no wait for it... Whaaaahaahahahaa now be gone noob. Chribba wrote:For myself I'd just be happy if I could lock my accounts to IP (yes won't work for everyone I know)
/c Chribs that can be defeated as wel the thing with the authenticator is the hacker wont know the next key in sequence and he cant generate it. Consider ARP spoofing/poisoning ;-)
Except I wouldn't have to carry around another device... plus for anyone attempting at spoofing they would need to know which IP to spoof to begin with, plus to add to the fact that since it's TCP it will be a hell of a lot harder to get working sessions unless they actually manage to spoof at routers in CCP's datacenter - in which case I doubt a spoofed IP for an account is the biggest problem they have.
/c
Tau Cabalander
Retirement Retreat Working Stiffs
1730
|
Posted - 2013.04.21 14:00:00 -
[22] - Quote
James Amril-Kesh wrote:Lord Haur wrote:James Amril-Kesh wrote:I still don't get how these things actually work, anyway.
It took me a while just to understand the basic concepts behind public key cryptography. Long story short, these run an algorithm with two inputs. The first is easy enough, the authenticator's UniqueID. The second is a little more complicated, usually either the current time or the previous result. These inputs are manipulated to produce a auth token. The server can run the same algorithm, using the authenticator's ID associated with the account. If the two results match, then authentication is successful. The token distributed at FF2011 appears to use the timestamp method - the result only updates every 30s or so. Yeah, the part I was confused about is how the server knows which input to expect. But that makes sense.
There is one more part you are all missing.
There isn't a single valid code, rather there is a short list of valid codes.
Example: Generate a new code every 30 seconds, so make a new list of codes in the sequence, say 20 of them, and that will cover a time mismatch of up to 10 minutes. As soon as you use a valid code from the list, the validating computer knows where in the sequence the authenticator is, which synchronizes both ends.
When you first start using the authenticator, you enter a code printed on the back which is used to create the numeric sequence (it isn't one number, but rather a bunch of constants that control a complex math function), as well as the current code on the authenticator. This synchronizes the authenticator and validating computer.
If they get too far out of sync, you have to contact customer support and re-initialize the process. This typically takes many months of not being used. |
Wodensun
ZeroSec
89
|
Posted - 2013.04.21 14:45:00 -
[23] - Quote
Chribba wrote: Except I wouldn't have to carry around another device... plus for anyone attempting at spoofing they would need to know which IP to spoof to begin with, plus to add to the fact that since it's TCP it will be a hell lot harder to get working sessions unless they actually manage to spoof at routers in CCP's datacenter - in which case I doubt a spoofed IP for an account is the biggest problem they have.
/c
Currently using a forum of any kind? Then they know your IP. Accepting Skype calls or even using Skype, then they know your IP. Using torrent on your home machine to download patches in the future, then your IP is being broadcast. It really isn't rocket science to find out which IP you're using, mate (( see what I did there )), and hijacking a TCP session isn't that hard too. ISPs do it all the time.. oh wait, I didn't say that, it's called lawful intercept and surveillance.
Ps, don't get me wrong, I think you're awesome and all, but hey, seeing the trap is the first step in avoiding it
/TinFoilHatOff |
Angelique Duchemin
Serenity Prime Kraken.
490
|
Posted - 2013.04.21 14:51:00 -
[24] - Quote
Optional layer of protection. I like it and there's no reason to oppose it. We miss you Saede. |
|
Chribba
Otherworld Enterprises Otherworld Empire
7824
|
Posted - 2013.04.21 15:20:00 -
[25] - Quote
Wodensun wrote:Chribba wrote: Except I wouldn't have to carry around another device... plus for anyone attempting at spoofing they would need to know which IP to spoof to begin with, plus to add to the fact that since it's TCP it will be a hell lot harder to get working sessions unless they actually manage to spoof at routers in CCP's datacenter - in which case I doubt a spoofed IP for an account is the biggest problem they have.
/c
Currently using a forum of any kind? Then they know your IP, accepting skype calls or even using skype then they know your IP, Using torrent on your home machine to download patches in the future then your IP is being broadcast. It really isnt rocket science to find out which IP your using mate (( see what I did there )) and hijacking a TCP session isnt that hard to. ISPs do it all the time.. oh wait I didnt say that its called lawfull intercept and surveilance. Ps, Don't get me wrong I think your awesome and all but hey seeing the trap is the first step in avoiding it /TinFoilHatOff
You assume that the IP I use to browse the random forum is the IP I use to connect to EVE; if it was, then yes an ISP (wonder why they would need to intercept though) could try and hijack and then bruteforce or something lol
Of course not saying IP-lockdown is a foolproof thing, just said I would rather have that (or the possibility) for myself since it would rule out most (if not all then) attempts to access my accounts.
/c
chriz
Volition Cult The Volition Cult
14
|
Posted - 2013.04.21 15:38:00 -
[26] - Quote
Ok, this is a nice discussion but it got away from its initial discussion, and that is sometimes good and sometimes not as good :)
I am still saying that an iOS or Android application that uses the same authentication mechanism as Google Authenticator or Battle.net's Authenticator is a very secure way of having Eve account privacy.
And to ensure that you are you.... you first have to log in and select the new authentication method; the server gives you a sequence to type into your mobile handset device and that in return gives you a "private" access code / string that shall be entered in return. What you have done now is to set up a private key that is assigned to your account.
The validation process is something else. It still uses information regarding your handset (at least I would) and your private key and some other information as a base for the algorithm; the code being presented on the authentication application in your handset will give you a numbered sequence that is valid for let's say 2-3 minutes. That sequence is valid on the server side because the server has the same "base" information and can use "the same" algorithm on its side to translate that into a security code that will match the initial setup.
This setup is really really tough to break and works in the same way as a hardware one-time-password device does, like for your internet bank authentication or other. The setup isn't that hard and I wouldn't worry going online in any internet cafe around the globe 'cause after I have logged in the old password has been useless for hours.
At least I would feel secure if it was implemented.
/chriz
|
Relth Draron
Republic Military School Minmatar Republic
0
|
Posted - 2013.04.21 18:00:00 -
[27] - Quote
Angelique Duchemin wrote:Optional layer of protection. I like it and there's no reason to oppose it.
Pretty much this.
An app for the smartphones would be nice too. |
Eurydia Vespasian
Nova Insula Mining and Industrial
2334
|
Posted - 2013.04.21 18:14:00 -
[28] - Quote
i used one with WoW for ages. i didn't believe i would get hacked. but it happened. and for no reason i can recall. i never entered my password anywhere but the game and battle.net. no suspicious emails. only thing i can think of is picking up a random keylogger...somewhere. no clue.
anyhow...it happened. i caught it pretty early. tried to log in and could not. i called blizzard and spoke to a very nice guy for a while. he told me someone in korea had gotten in somehow and changed my password. probably to spam RMT for gold. he told me about authenticators and how i could d/l it free as an app for my phone and i was like "awesome!"
so i did that. and never had a problem after. i would totally support CCP authenticators. a mobile chat program would be fun too |
Hamatitio
Aperture Harmonics K162
102
|
Posted - 2013.04.21 18:50:00 -
[29] - Quote
Didn't one of the CCP guys just go into the new mobile division of CCP?
Perhaps they will actually do one now. |
Sturmwolke
400
|
Posted - 2013.04.21 19:05:00 -
[30] - Quote
They might be balking from the cost model studies (long term/short term) and system effectiveness. The whole layered authentication infrastructure costs money in licenses, hardware, staff and integration efforts. As an MMO, there's no real pressing need for heavy IT sec protocols similar to large multi-national companies. Hence the foot-dragging.
The hardware token itself, although some (on a personal level) may think it's cheap, isn't as cost effective as an issued software token. Then you need to consider how many real players will be buying these tokens; despite the favorable view, the pool probably won't exceed 100K at the most optimistic level. If I was betting, maybe within the 10-20K range.
Don't really know if other MMOs are making any profit, loss or are just breaking even on secondary authentication. Doubt they can profit considering the long-lived tokens vs capital and ongoing support costs that they will incur. Break even? Depends on how much discount they get for the tokens from the manufacturer and how much profit they tack on it when they resell it.