2FA Authentication

    • 116 posts
    March 17, 2016 5:28 PM PDT

    I searched the forums but didn't see anything related so forgive me if this has been asked and answered.

     

    Will Pantheon provide 2FA Authentication that supports the use of Google Authenticator or Authy or other third party apps?  It seems to me that a lot of MMOs these days are trying to push their own key fobs or 2FA products as an add on that you have to pay extra for and I just see it as an annoying stance on security.  We shouldn't have to pay extra for decent security.  With the rate at which game accounts get hacked these days 2FA should be the standard, you shouldn't have to pay extra and you should be able to do it with industry standard tools.

     

    /soapbox off

     

    • 3 posts
    March 17, 2016 5:37 PM PDT

    I am in full support of 2FA, especially in this age. I too like Google Authenticator, or Authy.

    I certainly hope they provide it as an option. :)

    • 9115 posts
    March 17, 2016 5:42 PM PDT

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

    • 3 posts
    March 17, 2016 5:44 PM PDT

    Kilsin said:

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

    Sounds legit!

    Thanks for the reply!

    • 157 posts
    March 17, 2016 5:53 PM PDT

    I'm all for a bit of security.  Safety first!

    • 116 posts
    March 17, 2016 6:12 PM PDT

    Kilsin said:

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

     

    Thanks for the response, Kilsin.  I kinda figured it might be a little early in the process for you guys to have an answer to this one.  Call it a pre-emptive question then and toss it in the suggestion box :)

    • 220 posts
    March 17, 2016 6:32 PM PDT

    I also upvote for authentication! What an excellent suggestion!

     

    • 9115 posts
    March 17, 2016 7:29 PM PDT

    EvilPeppard said:

    Kilsin said:

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

    Sounds legit!

    Thanks for the reply!

    You're welcome man :)

    • 9115 posts
    March 17, 2016 7:29 PM PDT

    Mornroc said:

    Kilsin said:

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

     

    Thanks for the response, Kilsin.  I kinda figured it might be a little early in the process for you guys to have an answer to this one.  Call it a pre-emptive question then and toss it in the suggestion box :)

    You're welcome and definitely a good suggestion that we will keep in mind for later :)

    • 671 posts
    March 17, 2016 7:49 PM PDT

    xtnpd said:

    I'm all for a bit of security.  Safety first!

     

    This^.

    I would like a Collector's Edition Pantheon Box set with some form of MFA, plz..   will Pay extra for 2FA. (Just give us a better option than using anything google.)  

     

     

    • 58 posts
    March 18, 2016 7:23 AM PDT
    More a soft token guy myself if we can avoid RSA that'd be great.
    • 116 posts
    March 18, 2016 8:57 AM PDT

    Hieromonk said:

     

    ...(Just give us a better option than using anything google.)  

     

     

    Google just supports some standard protocols like TOTP and others.  So if it supports google you don't have to use google... you could really use anything.  I personally prefer Authy as it lets me securely sync my tokens across multiple devices such as my chrome browser and cell phone.  So I can be anywhere and still log in and I'm not dependent on having one specific device like my phone with me and working to access things.

    • 17 posts
    June 10, 2016 3:23 PM PDT

    I realize this topic is oldish, but I read it and wanted to give my 2 cents. So glad to see this is being talked about already for this game. This will be key for the continued success of this game I am certain. I think games in general but specifically MMOs and other games that have unique, high-powered items that not everyone will necessarily get are going to be targeted a lot more in the future. They already are granted, but I see it becoming a lot more significant. A kind of follow up to this topic would also include what type of encryption you are going to use on your payment and userid/password databases as well as part of the game client communications, specifically for purposes where a user account and password are going to be transferred. All of these topics should be discussed significantly at some point well before release. If you don't protect your user base, you will likely lose at least a good number of them. Ask some of the companies who have been involved in the major breaches over the years. Once you lose that trust it is very hard to get back. Just my 2 cents or so.

     

     

    Rykus

    • 189 posts
    June 11, 2016 1:02 PM PDT
    I'm hoping for the same, Authy, YubiKey, any 2FA
    • 613 posts
    June 13, 2016 10:34 AM PDT

    This is a huge issue for me.  I left games due to the security related issues developers and IP's ignore. 

     

    4 hooves up for this one!!!

     

    Ox

    • 36 posts
    May 30, 2019 8:30 AM PDT

    Kilsin said:

    This is something we can definitely discuss more as development progresses but it would be more for discussing towards the end of testing phases in preparation for launch.

    I was wondering if this phase had made any headway as we near closer to Alpha testing? Will the 2 step authentication be applicable to the website & launcher?

    • 1429 posts
    May 30, 2019 8:47 AM PDT

    why use a fob or security key?  might as well go with facial recognition and a biometric imprint.  the hardware is very cheap now.  if you really wanted to be fancy you go with those implants.  this is not satire btw.  i'm dead serious here.

    • 1281 posts
    May 30, 2019 12:38 PM PDT

    Mornroc said:

    I searched the forums but didn't see anything related so forgive me if this has been asked and answered.

     

    Will Pantheon provide 2FA Authentication that supports the use of Google Authenticator or Authy or other third party apps?  It seems to me that a lot of MMOs these days are trying to push their own key fobs or 2FA products as an add on that you have to pay extra for and I just see it as an annoying stance on security.  We shouldn't have to pay extra for decent security.  With the rate at which game accounts get hacked these days 2FA should be the standard, you shouldn't have to pay extra and you should be able to do it with industry standard tools.

     

    /soapbox off

     

     

    I actually asked this question to the support e-mail a couple of months back.  Here is the response from them:

     

    Hello Frank,
    We are aware of the issues with the SMS authentication. Currently, we are using a system that works with an app on your phone. I don't know if that will be the system we use at launch.

    Thanks for contacting Pantheon Support

    Kilsin said to open a feedback ticket about this.

    A little background. I am a systems and network engineer that works in the InfoSec department of a large non-profit healthcare system.

    Question/Comment... If you guys are going to implement 2FA for accounts, please please please please do not tie it into SMS/texting. Please tie it into a real 2FA token (either physical or phone app) like RSA/Symantec VIP Access/Duo/etc.  If you need a semi-detailed explanation of why SMS based 2FA is bad, I can provide one.....hehehe
    • 1921 posts
    May 30, 2019 1:01 PM PDT

    Google, today, offers 2FA via Text/SMS as well as Google Authenticator.

    Similarly, so does Centrify. (PDF, which includes SMS/Text)

    • 1281 posts
    May 30, 2019 1:58 PM PDT

    vjek said:

    Google, today, offers 2FA via Text/SMS as well as Google Authenticator.

    Similarly, so does Centrify. (PDF, which includes SMS/Text)

    SMS authentication is crap and extremely (and inherently) insecure.  SMS being transmitted plaintext aside, it is trivial to clone someone's phone, or even have happen what happened to me.  There is a common scam going around, that I was a victim of, where "badguys" are porting your phone number from your carrier to another out from under you and then changing your passwords to your bank accounts if they use SMS based 2FA and stealing your money.  I know this first-hand.  Unfortunately, for them, I was on top of it and the only thing I truly lost out of it was a cell phone number I had for 20 years.  As far as I know, my case is still open with the FBI and FTC.

    Unfortunately, when doing a carrier to carrier number port, the carrier that is "sending" the number doesn't do any verifications that the receiving carrier actually did any checking to make sure it was legit.  In my case, I was on T-Mobile.  The thief bought a pre-paid Verizon phone and initiated a transfer of my number.  VZW does not do any verification if you are porting a number to a pre-paid phone.  They just do it.  This allowed the thief to steal my number.  Once he had it, it was just a matter of trying a few banks until he figured out which one was mine.  Unfortunately for him, I had a crapload of alerts set up on everything and was on the phone with my bank as he was trying to draw out the money.

    Turns out that this particular scam got its start over in eastern Europe and has spread throughout Europe and finally to the US.  I have, since, taken my cell phone off of every account that I have and won't put my new cell phone on them.  For the banks that require 2FA, if they don't have an app for it, I have closed down my banking with them.

    • 1714 posts
    May 30, 2019 4:16 PM PDT

    Kalok said:

    vjek said:

    Google, today, offers 2FA via Text/SMS as well as Google Authenticator.

    Similarly, so does Centrify. (PDF, which includes SMS/Text)

    SMS authentication is crap and extremely (and inherently) insecure.  SMS being transmitted plaintext aside, it is trivial to clone someone's phone, or even have happen what happened to me.  There is a common scam going around, that I was a victim of, where "badguys" are porting your phone number from your carrier to another out from under you and then changing your passwords to your bank accounts if they use SMS based 2FA and stealing your money.  I know this first-hand.  Unfortunately, for them, I was on top of it and the only thing I truly lost out of it was a cell phone number I had for 20 years.  As far as I know, my case is still open with the FBI and FTC.

    Unfortunately, when doing a carrier to carrier number port, the carrier that is "sending" the number doesn't do any verifications that the receiving carrier actually did any checking to make sure it was legit.  In my case, I was on T-Mobile.  The thief bought a pre-paid Verizon phone and initiated a transfer of my number.  VZW does not do any verification if you are porting a number to a pre-paid phone.  They just do it.  This allowed the thief to steal my number.  Once he had it, it was just a matter of trying a few banks until he figured out which one was mine.  Unfortunately for him, I had a crapload of alerts set up on everything and was on the phone with my bank as he was trying to draw out the money.

    Turns out that this particular scam got its start over in eastern Europe and has spread throughout Europe and finally to the US.  I have, since, taken my cell phone off of every account that I have and won't put my new cell phone on them.  For the banks that require 2FA, if they don't have an app for it, I have closed down my banking with them.

    T-Mobile also used to allow a non authenticated party to add a credit card to an account, and then the scammer would just call back and use the CC # they JUST provided to verify themselves as the owner of the account.

    • 390 posts
    May 30, 2019 8:57 PM PDT

     

     

    Microsoft also has an authenticator. I like it because when I am logging in, I don't have to copy or paste any key codes, I just answer, Yes this is me logging in and it authenticates.

    I will take any extra security. Like SWTOR sends an email when you try to log in on any computer/IP outside the norm AND also offers a key code via SWTOR App.

    If you do it via app, do it right like Blizzard's where I can get a new phone and iCloud sets it back up and authenticates automatically.

    • 1281 posts
    May 30, 2019 9:23 PM PDT

    Keno Monster said:

    Kalok said:

    vjek said:

    Google, today, offers 2FA via Text/SMS as well as Google Authenticator.

    Similarly, so does Centrify. (PDF, which includes SMS/Text)

    SMS authentication is crap and extremely (and inherently) insecure.  SMS being transmitted plaintext aside, it is trivial to clone someone's phone, or even have happen what happened to me.  There is a common scam going around, that I was a victim of, where "badguys" are porting your phone number from your carrier to another out from under you and then changing your passwords to your bank accounts if they use SMS based 2FA and stealing your money.  I know this first-hand.  Unfortunately, for them, I was on top of it and the only thing I truly lost out of it was a cell phone number I had for 20 years.  As far as I know, my case is still open with the FBI and FTC.

    Unfortunately, when doing a carrier to carrier number port, the carrier that is "sending" the number doesn't do any verifications that the receiving carrier actually did any checking to make sure it was legit.  In my case, I was on T-Mobile.  The thief bought a pre-paid Verizon phone and initiated a transfer of my number.  VZW does not do any verification if you are porting a number to a pre-paid phone.  They just do it.  This allowed the thief to steal my number.  Once he had it, it was just a matter of trying a few banks until he figured out which one was mine.  Unfortunately for him, I had a crapload of alerts set up on everything and was on the phone with my bank as he was trying to draw out the money.

    Turns out that this particular scam got its start over in eastern Europe and has spread throughout Europe and finally to the US.  I have, since, taken my cell phone off of every account that I have and won't put my new cell phone on them.  For the banks that require 2FA, if they don't have an app for it, I have closed down my banking with them.

    T-Mobile also used to allow a non authenticated party to add a credit card to an account, and then the scammer would just call back and use the CC # they JUST provided to verify themselves as the owner of the account.

    It's not just TMO that doesn't check for "authorization" before porting away a number.  Both TMO and VZW said that it's common to almost all of them.