Pages: 1 2 [3] 4 :: one page |
|
Author |
Thread Statistics | Show CCP posts - 3 post(s) |
Mara Rinn
Cosmic Goo Convertor
5790
|
Posted - 2015.04.28 03:55:36 -
[61] - Quote
Sturmwolke wrote:GA? No thanks.
There are many authenticator applications out there which allow you to enter a new authentication code through QR as displayed by EVE 2FA. I use "1Password" on iOS and OS X for example.
https://agilebits.com/onepassword
Day 0 Advice for New Players
|
Mara Rinn
Cosmic Goo Convertor
5790
|
Posted - 2015.04.28 04:38:34 -
[62] - Quote
Axhind wrote:Mara Rinn wrote:Axhind wrote:Any chance of supporting something actually safe like Yubikey? E-mail and mobile apps can be hardly considered secure (better than nothing but that's about it). I am a security noob: how is Yubikey safer than a TOTP app like 1Password or Google Authenticator? It's separate hardware key (FOB) making it far less likely to get compromised. Something that can not be said for e-mail or phones that are probably the most insecure devices people use (well except smart TVs and co).
The most insecure device in this mode, is the Windows PC USB port the YubiKey is being plugged in to.
Given the choice of offering TOTP to customers using an existing toolset, or having to deliver Yubikeys to customers, I would go for the TOTP solution, especially since it is the easier technical implementation. No point investing in a security system the customers (as a group) are not going to actually use. I still have two RSA keyfobs from the last 2FA plans that CCP had. That RSA-based system went nowhere in a hurry!
If I lose my phone, I still have the TOTP seed on my iPad and desktop. This makes disabling the 2FA much easier for me and CCP, since we don't have to engage in telephone calls at odd hours of the day. I just log in, reset the TOTP seed, and continue on my way (along with the usual remote bricking of the phone).
Risk = Probability of event x Damage caused by event
The cost of a "lost my Yubikey" event is significantly higher to all parties than a "lost my TOTP device" event. The probability of TOTP seed being compromised is significantly lower than losing the physical token (both per individual and statistically over the population). Even with the phone being stolen by a malicious third party, they still have to decrypt the storage and then decrypt the key locker.
If I was trying to steal an account from, say, an alliance financial officer or someone else in charge of significant in-game resources, I would hope that they have a Yubikey since it is not protected from my using it in the same way a TOTP key might be. In addition the time it will take the victim to address the loss is significantly higher, meaning I have far more time to plunder the account both ingame and through any stored credit card details.
The only downside to the password locker on my phone is that loss of one token (the phone) means I have to process lost keys for almost a thousand accounts.
Then again, I don't fancy carrying a thousand Yubikeys in my pocket.
Day 0 Advice for New Players
|
Daniel Jackson
Liandri Sanctuary Corps Liandri Covenant
186
|
Posted - 2015.04.28 17:31:12 -
[63] - Quote
the "dont ask codes for this computer" option dosent do anything for client and the website i have to retype in the email code even when i check the box
I Vote YES! for Downloadable HI-RES Textures!!!!
|
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
5209
|
Posted - 2015.04.28 18:31:16 -
[64] - Quote
Daniel Jackson wrote:the "dont ask codes for this computer" option dosent do anything for client and the website i have to retype in the email code even when i check the box
Did you log out, then log in with a different account? (it was working for me when I just stayed on one)
Woo! CSM X!
Fuzzwork Enterprises
Twitter: @fuzzysteve on Twitter
|
Eria Quint
Republic University Minmatar Republic
1
|
Posted - 2015.04.28 19:06:56 -
[65] - Quote
Hi,
Same issue here but I have the same thought it might have to do with multiple accounts and switching between them |
Daniel Jackson
Liandri Sanctuary Corps Liandri Covenant
186
|
Posted - 2015.04.28 19:48:21 -
[66] - Quote
Steve Ronuken wrote:Daniel Jackson wrote:the "dont ask codes for this computer" option dosent do anything for client and the website i have to retype in the email code even when i check the box Did you log out, then log in with a different account? (it was working for me when I just stayed on one) i tried both ways logging out and sign in with differnt account, i also tried logging out and logging in with same account.
i think it fixed the website issue but not with the actual game client
nvm i just logged out the website and tried logging back in and it asked me to put in a code again
note these are with the email codes as i do not have a smartphone to use an authenticator
I Vote YES! for Downloadable HI-RES Textures!!!!
|
Eria Quint
Republic University Minmatar Republic
1
|
Posted - 2015.04.28 20:10:13 -
[67] - Quote
It happens as well with the authenticator |
Raging Beaver
Wildly Inappropriate Goonswarm Federation
44
|
Posted - 2015.04.28 23:23:26 -
[68] - Quote
I happily enabled the feature on all accounts like 2 hours ago. Found out that I need to re-enter the authenticator code when logging different accounts in through the launcher despite the "Remember..." option being selected.
The way I want this to work is: 1. Login through the launcher 2. Enter the code once and "Remember on this computer" 3. Never ever see this prompt for this account on this computer again. Doesn't matter if the IP, CPU, mobo, ram, country, account, weather, whatever changes. Something like the "Authorize this device" in iTunes.
Currently it doesn't work that way. Try again. Let me know when it does. Disabled on all accounts. |
Leon Razor
Agony Unleashed Agony Empire
33
|
Posted - 2015.04.29 04:12:28 -
[69] - Quote
Raging Beaver wrote:I happily enabled the feature on all accounts like 2 hours ago. Found out that I need to re-enter the authenticator code when logging different accounts in through the launcher despite the "Remember..." option being selected.
The way I want this to work is: 1. Login through the launcher 2. Enter the code once and "Remember on this computer" 3. Never ever see this prompt for this account on this computer again. Doesn't matter if the IP, CPU, mobo, ram, country, account, weather, whatever changes. Something like the "Authorize this device" in iTunes.
Currently it doesn't work that way. Try again. Let me know when it does. Disabled on all accounts.
How is the Auth supposed to know it's the same computer (vs. an attacker) if any of these can change and still not prompt for the code: "the IP, CPU, mobo, ram, country, account, weather, whatever." Think about if what you are asking is a reasonable or logical demand for a minute and then get back to us. |
Daniel Jackson
Liandri Sanctuary Corps Liandri Covenant
186
|
Posted - 2015.04.29 04:36:32 -
[70] - Quote
i have the issue where its not remembered it on the same computer same everything
I Vote YES! for Downloadable HI-RES Textures!!!!
|
|
Leon Razor
Agony Unleashed Agony Empire
33
|
Posted - 2015.04.29 07:52:11 -
[71] - Quote
Daniel Jackson wrote:i have the issue where its not remembered it on the same computer same everything
Same issue. I'm assuming this is a bug as I have to enter a code on the launcher every time even though I check "Don't ask for codes again on this computer." |
Rachael Tyrelll
Dynatech Intergalactical Trading Ltd.
7
|
Posted - 2015.04.29 10:00:57 -
[72] - Quote
Guys, so glad you did this. Just activated for all acounts ... feeling so much safer now. Thanks!!!!! |
Qual
Infinity Engine Sleeping Dragons
64
|
Posted - 2015.04.30 12:09:17 -
[73] - Quote
Yeah, I am having the issue with Launcher not respecting the "Do not ask again on this computer" flag as well. |
Blinky3J
Two Nuts
4
|
Posted - 2015.04.30 12:33:17 -
[74] - Quote
Daniel Jackson wrote:the "dont ask codes for this computer" option dosent do anything for client and the website i have to retype in the email code even when i check the box
CCPlease. It's also, instead of it remembering the last account to log in, staying focused on one - not a huge problem, but an annoyance.
Is anyone not having this issue? Is it being worked on?
|
Eria Quint
Republic University Minmatar Republic
1
|
Posted - 2015.04.30 12:53:43 -
[75] - Quote
This issue has been reported at CCP Customer support and they acknowledged the issue for a group of users (but not for all).
So guess they will work on it and publish a fix when the problem is identified and they found a solution |
Oddsodz
The Ministry of Ungentlemanly Warfare.
152
|
Posted - 2015.04.30 19:35:01 -
[76] - Quote
Just posting to to say I have the same issue also. Things to note is that I have 2 accounts.
Hope this little bug is fix in good time.
As for having 2fA, I am very happy to have it. Thank you for filling my request ;-)
https://forums.eveonline.com/default.aspx?g=posts&t=304921 |
Daniel Jackson
Liandri Sanctuary Corps Liandri Covenant
187
|
Posted - 2015.05.01 04:02:40 -
[77] - Quote
i have 2 accouns as well but only really log on 1 most the time and even my 2 accounts are 2 different client installs, but still using just 1 just dosent remeber
I Vote YES! for Downloadable HI-RES Textures!!!!
|
Saisin
State War Academy Caldari State
245
|
Posted - 2015.05.02 16:03:20 -
[78] - Quote
Reporting that the "remember this computer" does not work either, on two different machines with the client/launcher installed. It does seem to wok on one machine where I only logs to the web site and not use the client.
It is really painful to have to get the codes every time I log into the game from my own machines. Looking forward to a fix soon, else I am going to be disabling two-step authentification...
"surrender your ego, be free". innuendo.
solo? There is a new hope...
|
Arkumord Churhee
Bavarian Unstressed Mining Mob Synergy of Steel
27
|
Posted - 2015.05.03 08:14:37 -
[79] - Quote
Same issue here. I use 3 different accounts regularly, and it's annoying that i have to re-authenticate every account every time despite me clicking the "Don't ask for codes again on this computer" checkbox.
In general, I'm very happy they finally did this.
Edit: It's be nice if the account name you are asked to authenticate for would be displayed when the code is asked for. |
Dyner
Midgard Protectorate
129
|
Posted - 2015.05.03 16:43:57 -
[80] - Quote
While I appreciate the effort. This isn't of much use.
"Yes. This does not prevent people from logging into the game client by circumventing the launcher. That is a legacy issue that we were unable to fix this time around."
So, how about doing what Trion did with RIFT and have a "Coin Lock", but have it extend beyond the currency and go into items. Make it so if the server doesn't recognize the IP it boots you out of the ship and prevents you from getting into a ship or access the Hanger Inventory until you unlock.
The server has already shown that it can boot people out of ships. All of my alts are in Capsules, even the ones that were in Rookie Ships (one of the major expansions did this).
---
Or
Add a third field to the game's login field: One-Time Password -or- One-Time Code
There. Done.
---
OR! Probably the easiest to do of all these...
For a quick fix. If the login server doesn't recognize the IP, have the game fail to login. Just pass it the same response you'd get if you entered the wrong password for a valid Login Name.
And fire off an email to the verified email address for said account.
With a validation link to authorize the new IP
En Masse does this for their accounts, Steam does it, Origin (EA) does this, YOUR WEBSITE does it. |
|
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
5217
|
Posted - 2015.05.03 17:28:31 -
[81] - Quote
Dyner wrote:While I appreciate the effort. This isn't of much use.
"Yes. This does not prevent people from logging into the game client by circumventing the launcher. That is a legacy issue that we were unable to fix this time around."
So, how about doing what Trion did with RIFT and have a "Coin Lock", but have it extend beyond the currency and go into items. Make it so if the server doesn't recognize the IP it boots you out of the ship and prevents you from getting into a ship or access the Hanger Inventory until you unlock.
The server has already shown that it can boot people out of ships. All of my alts are in Capsules, even the ones that were in Rookie Ships (one of the major expansions did this).
---
Or
Add a third field to the game's login field: One-Time Password -or- One-Time Code
There. Done.
---
OR! Probably the easiest to do of all these...
For a quick fix. If the login server doesn't recognize the IP, have the game fail to login. Just pass it the same response you'd get if you entered the wrong password for a valid Login Name.
And fire off an email to the verified email address for said account.
With a validation link to authorize the new IP
En Masse does this for their accounts, Steam does it, Origin (EA) does this, YOUR WEBSITE does it.
People like you, are one of the reasons developers and support staff drink.
Quote:Add a third field to the game's login field: One-Time Password -or- One-Time Code
There. Done.
Then write the code behind it, to tie it into the authentication system. Because it doesn't use the same auth all the sites do.
Woo! CSM X!
Fuzzwork Enterprises
Twitter: @fuzzysteve on Twitter
|
Altirius Saldiaro
Royal Amarr Institute Amarr Empire
326
|
Posted - 2015.05.03 19:00:29 -
[82] - Quote
They really need to fix the bug with the option to not use authentication on this pc. |
Dyner
Midgard Protectorate
129
|
Posted - 2015.05.03 20:01:11 -
[83] - Quote
Steve Ronuken wrote:
People like you, are one of the reasons developers and support staff drink.
Why secure the website entry if you can still get into other peoples' game account? CCP's website offers even less information about the person than most other Video Game account pages. Most give partial Billing/Shipping Addresses and partial Payment Option information.
CCP gives you the person's name, DOB, and email. That's it. --You get more from Facebook or other Social Media site (assuming you didn't make up a fake identity )
...What they've said is: "We locked the front door, but left all the windows on the first floor open."
If my post came as cold. Then I apologize. I bluntly stated this does not do any good, because players can still easily have their accounts hijacked.
Steve Ronuken wrote:
Then write the code behind it, to tie it into the authentication system. Because it doesn't use the same auth all the sites do.
I don't have access to their login server.
I don't have their source code.
I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes. Because it would receive the same 'invalid login' response until the new IP address was validated. |
Azahar Ortenegro
Astromechanica Maxima Astromechanica Federatis
39
|
Posted - 2015.05.04 19:59:25 -
[84] - Quote
I was going to give it a try, and then saw that you rely solely on third-party authenticators. It makes the whole thing kinda useless. |
Ereshgikal
Strange Energy The Bastion
48
|
Posted - 2015.05.05 18:19:11 -
[85] - Quote
+1 on the "remember this computer" bug.
On top of it all, the launcher has started to ask me for a character's name on the account "since I haven't used this computer before". WTF? I have neither changed IP, nor changed anything on my computer. And if I provide a correct answer I am booted back to username/password. Provide a wrong character name, I at least get a nice red text stating what went wrong...
please...please...fix this
Security that inconveniences the proper user more than the attacker is of...uhm, very....limited use. I'll give 2FA one more week, then I am killing it off. |
Ereshgikal
Strange Energy The Bastion
48
|
Posted - 2015.05.05 18:26:45 -
[86] - Quote
Dyner wrote:
I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes. Because it would receive the same 'invalid login' response until the new IP address was validated.
Locking it down if a new IP-address if used is very bad design in the age of mobile data. Some users are sitting on connections that rotate IP-addresses like they are part of a minigun. They would be fed up quite quickly and leave (which is bad). |
Steve Ronuken
Fuzzwork Enterprises Vote Steve Ronuken for CSM
5219
|
Posted - 2015.05.05 21:25:30 -
[87] - Quote
Azahar Ortenegro wrote:I was going to give it a try, and then saw that you rely solely on third-party authenticators. It makes the whole thing kinda useless.
How so?
They're using an industry standard Timed One Time Pass. As far as I'm aware, there aren't any cryptographic weaknesses with it.
Woo! CSM X!
Fuzzwork Enterprises
Twitter: @fuzzysteve on Twitter
|
Tipper Trix
Dutch East Querious Company Phoebe Freeport Republic
1
|
Posted - 2015.05.07 01:48:45 -
[88] - Quote
Authenticator not remembering this PC bug here as well. First world problems.... |
Dyner
Midgard Protectorate
129
|
Posted - 2015.05.11 17:10:32 -
[89] - Quote
Ereshgikal wrote:Dyner wrote:
I did, however, offer several methods to accomplish the much-needed feature in the game client. The last one, I don't see requiring client-side changes. Because it would receive the same 'invalid login' response until the new IP address was validated.
Locking it down if a new IP-address if used is very bad design in the age of mobile data. Some users are sitting on connections that rotate IP-addresses like they are part of a minigun. They would be fed up quite quickly and leave (which is bad).
It's a temporary solution until the EVE exe can be patched to also require authentication.
Why wouldn't people want to be slightly inconvienced if it meant the likely hood of logging in to find you stuff missing is barely past 0%.
Plus, if they didn't want it. They don't have to enable it. |
Porucznik Borewicz
Love Squad Confederation of xXPIZZAXx
27
|
Posted - 2015.05.12 21:31:11 -
[90] - Quote
So CCP, when? |
|
|
|
|
Pages: 1 2 [3] 4 :: one page |
First page | Previous page | Next page | Last page |