Queloor Zefram
Star Explorers Reckoning Star Alliance
29
|
Posted - 2017.06.05 11:31:44 -
[1] - Quote
Hello,
I'd like to use 2FA, but not on a mobile phone.
Could CCP please implement a Yubikey for 2FA of the EVE login?
Best regards
Donnachadh
United Allegiance of Undesirables
1258
|
Posted - 2017.06.05 12:39:28 -
[2] - Quote
I do not really care one way or the other just curious.
Why do we need 2FA for a game?
Why Yubikey and not one of the other systems on the market?
What if I do not want to use a Yubikey?
Do Little
Virgin Plc Evictus.
1258
|
Posted - 2017.06.05 17:14:17 -
[3] - Quote
2-factor authentication does not require a mobile phone (unless you choose to use Google authenticate). If you log in from a new computer, CCP will send an authentication code to the email address associated with the account. You can tell the game to trust the computer - so it's a one-time thing and makes it a lot more difficult for people to hack your account.
If your account is hacked and you aren't using 2FA, don't expect much sympathy.
Old Pervert
Perkone Caldari State
99
|
Posted - 2017.06.05 17:57:55 -
[4] - Quote
Why would you not want to use it on a smartphone, tablet, or other existing device?
I completely agree with 2FA, it was the first thing I turned on when I subbed my alt accounts. I also think that a valid 2FA code should be valid for only a single login attempt.
In this regard, if you end up getting keylogged, they cannot punch the same 2FA in after you've used it (before it expires).
If they wanted to go seriously overboard, it wouldn't be too terribly difficult to build an encryption mechanism similar to PKI where both the server and the client know what the 2FA code SHOULD be, and do their handshake based on a hashed value from the expected 2FA code.
Client sends a greeting to Server when the user types their stuff in
Server sends an encrypted hash
Client decrypts the hash with expected 2FA code, if hash doesn't compute, it drops the connection and warns user
Client sends user/password using regular TLS
Server authorizes credentials
Client gets ready to party and blow up space hookers.
Doing this would make it impossible for a malicious MITM person to spoof the connection, as they would not be able to complete a handshake with the client prior to relaying credentials to the CCP server. Of course "trusting this computer" would invalidate such a technique. But for the ultraparanoid, it would certainly be an option.
Because email recovery exists, it is easy enough to get around if you lose or damage your mobile device.