f13.net  |  f13.net General Forums  |  The Gaming Graveyard  |  Guild Wars 2  |  Topic: Security Issues
Topic: Security Issues (page 2)
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #35 on: September 03, 2012, 08:07:41 AM

It's been common for years now, I think largely because it solves a number of common issues:
- no need to separately enter an email address to verify (email verification is a useful security measure as well as a useful anti-account-creation-spam friction point)
- reduces collision issues with usernames (most people have at least one unique email address)
- easier for users to remember their one email address than some random username

I often use myself-foo@example.com, myself+foo@example.com, or foo@myself.example.com type email addresses (all of which deliver to myself@example.com) with a different foo for each thing to avoid using the same email address as a login token for many different things.  Of course you still want to avoid reusing passwords, but every thing you do to make it harder for brute force attempts on your credentials helps a little.
Tmon
Terracotta Army
Posts: 1232


Reply #36 on: September 03, 2012, 08:23:43 AM

I'm sure it seemed like a good idea at the time.  "Hey, let's use something we know most of the players will remember and that is guaranteed unique."
Amaron
Terracotta Army
Posts: 2020


Reply #37 on: September 03, 2012, 09:36:18 AM

Quote
Yesterday, three malicious users each changed the account names of their own Guild Wars 2 accounts thousands of times, scanning through lists of email addresses stolen from other games and web sites, presumably to determine which email addresses were available (not already used for a Guild Wars 2 account) and which were taken. It obviously shouldn't be possible to change your own account name so frequently. We temporarily disabled account name changes and have now restored but limited them to prevent this.

Looks like I was right.   Kind of face palm worthy.
ajax34i
Terracotta Army
Posts: 2527


Reply #38 on: September 03, 2012, 12:13:47 PM

Quote
It's been common for years now, I think largely because it solves a number of common issues.

Actually, if I remember correctly, it was forced on the users by Blizzard, and it was because they wanted RealID / "account friend" features.
Kageru
Terracotta Army
Posts: 4549


Reply #39 on: September 04, 2012, 12:11:08 AM


Yes on both counts. It was massively unpopular at the time and purely for the convenience of Blizzard.

Is a man not entitled to the hurf of his durf?
- Simond
DraconianOne
Terracotta Army
Posts: 2905


Reply #40 on: September 08, 2012, 02:04:18 AM

So I was hit by the email authentication last night because, apparently, I'd changed IP address (my ISP doesn't provide static IP addresses). Took ages for the email to come through and after finally getting through to the webpage that let me authorise the new IP address, it failed dismally and threw code errors.  Ohhhhh, I see. The word "clownshoes" comes to mind.

Have disabled email authentication.

A point can be MOOT. MUTE is more along the lines of what you should be. - WayAbvPar
Sky
Terracotta Army
Posts: 32117

I love my TV an' hug my TV an' call it 'George'.


Reply #41 on: September 08, 2012, 09:40:34 AM

Quote
It's been common for years now, I think largely because it solves a number of common issues:
- no need to separately enter an email address to verify (email verification is a useful security measure as well as a useful anti-account-creation-spam friction point)
- reduces collision issues with usernames (most people have at least one unique email address)
- easier for users to remember their one email address than some random username

I often use myself-foo@example.com, myself+foo@example.com, or foo@myself.example.com type email addresses (all of which deliver to myself@example.com) with a different foo for each thing to avoid using the same email address as a login token for many different things.  Of course you still want to avoid reusing passwords, but every thing you do to make it harder for brute force attempts on your credentials helps a little.

It's funny, you sound similar to the google apps trainer who deflected every issue we had with 'going to google' with, well, just do it this way instead, where this way just ignored the issue. I like you, Q, but on this issue, you reek of the ivory tower.

Separately stating an email = another layer of security.

Collision issues = unique login IDs, mmo users especially are used to this, hell we all are from just trying to find a valid email address (jdoe1969 etc).

Easier to remember = bollocks. See collision issues.

But hey, keep on pushing that simple to remember and use google procedure, I'm sure someone who has trouble developing a login scheme will have no problem with it.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #42 on: September 08, 2012, 10:07:16 AM

Believe I had to use an email address as my logon for GW1 long before Real ID came along.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
KallDrexx
Terracotta Army
Posts: 3510


Reply #43 on: September 08, 2012, 10:15:11 AM

still not sure what the big deal is about emails as usernames though.

I mean, yes it is clownshoes that users were able to change their email address thousands of times to find email addresses already in use but that's not really hard to prevent (timeouts in between points).  Other than that what are the issues?  Other places use usernames and they get hacked, and if people aren't smart enough to change passwords for different sites then they sure as hell aren't going to change their usernames so therefore hackers already have the usernames AND emails (and probably passwords) through hacking of fansites and other games.
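The "timeouts in between points" fix for the name-change enumeration quoted upthread, as an added example that is not from the thread or from ArenaNet's systems: a sliding-window limit on account-name changes per account, replayed over constructed log lines, plus a simple detector that flags any account that ran into the limit. The window, quota and log format are assumptions.

```python
import re
from collections import defaultdict, deque

# Policy (assumed values): at most MAX_CHANGES name changes per account
# within any WINDOW-second span; further attempts are refused.
WINDOW = 24 * 3600
MAX_CHANGES = 3

class NameChangeLimiter:
    """Sliding-window limiter keyed by account id."""
    def __init__(self, window=WINDOW, max_changes=MAX_CHANGES):
        self.window, self.max_changes = window, max_changes
        self._hist = defaultdict(deque)

    def allow(self, account_id, now):
        q = self._hist[account_id]
        while q and now - q[0] >= self.window:   # drop expired entries
            q.popleft()
        if len(q) >= self.max_changes:
            return False                          # refuse: quota exhausted
        q.append(now)
        return True

# Constructed sample log; format assumed: "<ts> name_change acct=<id> new=<email>"
SAMPLE_LOG = """\
1000 name_change acct=A1 new=alice@example.com
1010 name_change acct=A1 new=bob@example.com
1020 name_change acct=A1 new=carol@example.com
1030 name_change acct=A1 new=dave@example.com
1040 name_change acct=A1 new=erin@example.com
5000 name_change acct=B2 new=frank@example.com
"""
LINE_RE = re.compile(r"^(\d+) name_change acct=(\S+) new=(\S+)$")

def replay(log, limiter=None):
    """Replay the log through the limiter; return {acct: (allowed, refused)}."""
    limiter = limiter or NameChangeLimiter()
    stats = defaultdict(lambda: [0, 0])
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, acct = int(m.group(1)), m.group(2)
        stats[acct][0 if limiter.allow(acct, ts) else 1] += 1
    return {k: tuple(v) for k, v in stats.items()}

def flag_enumerators(stats, min_refused=1):
    """Detection: an account that hit the limit deserves a second look,
    since a legitimate user rarely renames an account more than once."""
    return sorted(a for a, (_, refused) in stats.items() if refused >= min_refused)

if __name__ == "__main__":
    s = replay(SAMPLE_LOG)
    print(s, flag_enumerators(s))
```

Refused attempts are also the signal to alert on: the enumeration in the ArenaNet quote only works if thousands of changes go through, so the limiter both stops it and makes it visible.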
Venkman
Terracotta Army
Posts: 11536


Reply #44 on: September 08, 2012, 10:27:33 AM

It increases customer service expenses and generates bad PR. If we were talking private game forums, eh, who gives a shit? And even with subs, the worst that happens is someone's account was gutted for an IGE/eBay sale.

But these days, where there's dollars flowing all over the place in f2p games, large companies shouldn't really take chances needlessly. Because companies do become victims when enough individual stupidity affects them.

I woulda thought we'd have long since gone to double-passwords or even the authenticator # thing.
Sky
Terracotta Army
Posts: 32117

I love my TV an' hug my TV an' call it 'George'.


Reply #45 on: September 08, 2012, 11:28:18 AM

I'm definitely in favor of token authenticators for any online service, though that can get onerous unless you have a smart phone. But for a game or two, given how much hackers seem to go after their users, yeah. I don't think it should be optional.
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #46 on: September 08, 2012, 11:29:54 AM

I suspect it actually reduces customer service expenses, for the game company, otherwise they would never have changed in the first place. I'm sure it increases them for the email provider, but that probably doesn't matter from the game company's perspective.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
KallDrexx
Terracotta Army
Posts: 3510


Reply #47 on: September 08, 2012, 11:44:36 AM

Quote
It increases customer service expenses and generates bad PR. If we were talking private game forums, eh, who gives a shit? And even with subs, the worst that happens is someone's account was gutted for an IGE/eBay sale.

I don't understand how it increases customer service expenses or generates bad PR as compared to usernames?  The bad PR was because Anet's systems didn't account for certain security aspects, but most of those would still be valid with username authentication.
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #48 on: September 08, 2012, 01:49:54 PM

Quote
It's funny, you sound similar to the google apps trainer who deflected every issue we had with 'going to google' with, well, just do it this way instead, where this way just ignored the issue. I like you, Q, but on this issue, you reek of the ivory tower.
...
But hey, keep on pushing that simple to remember and use google procedure, I'm sure someone who has trouble developing a login scheme will have no problem with it.

Not trying to sell anyone on Google anything here -- just pointing out a way one could avoid having to use the same email address as your login for multiple services in a world where services insist on logins being email addresses -- and I'm pretty sure a similar workaround is possible with other webmail providers (foo+bar@ aliasing dates back to sendmail at the dawn of internet email after all), but I happen to use gmail for webmail so it's the only thing I'm familiar with off the top of my head.

Upthread there were complaints that companies force users to use an email address as a login, exposing them to additional risk from hackers.  It's not in my power to prevent random companies from deciding that your login must be an email address, but I can suggest a workaround using readily available tools (which I know to be available to gmail users and suspect are available to most other webmail users in one form or another) -- not sure how that qualifies as "Ivory Tower" thinking.

Total agreement that two-factor authentication would be a massive win in most cases.  I wish my frickin' bank would use two-factor auth for online banking.

It would be nice if I didn't have to install a different proprietary auth app for every site doing two-factor authentication, though.

At the risk of once again being written off as a Google shill, Google Authenticator supports RFC standard two factor formats (HOTP/TOTP), a number of ways of provisioning the shared secret, as well as allowing for multiple account support.  It's good stuff, supports Android, iOS, Blackberry, and a serverside implementation for Linux, is open source, yadda yadda: http://code.google.com/p/google-authenticator/
« Last Edit: September 08, 2012, 02:03:07 PM by Quinton »
Venkman
Terracotta Army
Posts: 11536


Reply #49 on: September 08, 2012, 03:59:34 PM

Quote
I don't understand how it increases customer service expenses or generates bad PR as compared to usernames?  The bad PR was because Anet's systems didn't account for certain security aspects, but most of those would still be valid with username authentication.

I have no numbers, so this is all speculation. But, I'm guessing this increases customer service and potential bad PR because of the higher probability of users getting account hacked due to all reasons mentioned in this thread. So that's more accounts to address, and if a sufficient number of them are hacked, a louder volume of complaints. Not nearly everyone is as transparent as Anet, but we all saw Reddit last week.

At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name  Oh ho ho ho. Reallllly?
KallDrexx
Terracotta Army
Posts: 3510


Reply #50 on: September 08, 2012, 05:55:26 PM

Quote
At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name  Oh ho ho ho. Reallllly?

Honestly, that wouldn't surprise me if someone did :P
Quinton
Terracotta Army
Posts: 3332

is saving up his raid points for a fancy board title


Reply #51 on: September 08, 2012, 06:02:42 PM

Dammit, now I need to change my account name for online banking.
ajax34i
Terracotta Army
Posts: 2527


Reply #52 on: September 08, 2012, 08:37:05 PM

Blizzard probably no longer wanted to deal with "I forgot my account name" cases.  Must have been a high percentage of their tech support calls.
Cadaverine
Terracotta Army
Posts: 1655


Reply #53 on: September 09, 2012, 01:10:31 AM

Quote
At the same time, I would guess there's probably little difference between using the same email address everywhere and the same account name. Except someone probably doesn't have AnalEmoGaymer as their bank account name  Oh ho ho ho. Reallllly?

Honestly, that wouldn't surprise me if someone did :P

Given some of the user ids I had people give me at TD Ameritrade, I can say with pretty fair certainty that someone out there has that, or something like it, as their bank account id.

Every normal man must be tempted at times to spit on his hands, hoist the black flag, and begin to slit throats.
Venkman
Terracotta Army
Posts: 11536


Reply #54 on: September 09, 2012, 01:43:17 PM

Yeesh. Try and come up with an absurd scenario and end up needing to reset my bar on humanity...
Tmon
Terracotta Army
Posts: 1232


Reply #55 on: October 10, 2012, 02:37:32 PM

Phred
Terracotta Army
Posts: 2025


Reply #56 on: October 10, 2012, 02:49:19 PM

Doesn't really matter at this point as there is a serial code generator out there now. So they can generate all the spam/bot accounts they want for free. Guess it will be nice to stop them stealing all your lootz though.
KallDrexx
Terracotta Army
Posts: 3510


Reply #57 on: October 10, 2012, 04:53:38 PM

Wow, I don't think I've ever seen a serial key generator that works for an MMO before.  The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out.
Trippy
Administrator
Posts: 23619


Reply #58 on: October 10, 2012, 04:59:04 PM

Quote
Wow, I don't think I've ever seen a serial key generator that works for an MMO before.  The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out.

That's cause you still need a subscription for most NA MMORPGs so the incentive to create a serial code generator for a game like, say, World of Warcraft, is a lot less than a game like Guild Wars or Guild Wars 2.

KallDrexx
Terracotta Army
Posts: 3510


Reply #59 on: October 10, 2012, 05:31:30 PM

True
rk47
Terracotta Army
Posts: 6236

The Patron Saint of Radicalthons


Reply #60 on: October 10, 2012, 06:40:42 PM


Colonel Sanders is back in my wallet
Phred
Terracotta Army
Posts: 2025


Reply #61 on: October 10, 2012, 07:21:56 PM

Quote
Wow, I don't think I've ever seen a serial key generator that works for an MMO before.  The comments seem to suggest that the generator does indeed work heh, though I'm not stupid enough to try it out.
That's cause you still need a subscription for most NA MMORPGs so the incentive to create a serial code generator for a game like, say, World of Warcraft, is a lot less than a game like Guild Wars or Guild Wars 2.

Ya I think basic serial code cracking has been a solved issue for a few years now in the cracking scene. Odd that Anet didn't know about that.

edited to add basic. As steam codes don't appear to be hackable or I haven't heard of them being hacked yet.

Zetor
Terracotta Army
Posts: 3269


Reply #62 on: October 10, 2012, 09:55:33 PM

In theory, a serial number is not any less secure than an auth token. It could be as simple as having the first x characters be randomly-generated, and the rest being a cryptographically strong digital signature of the first x characters - which couldn't be recreated or falsified without the vendor's secret key, and brute-forcing would be ineffective if the serial was sufficiently long.

In theory.

(I'm also not sure customers would like entering 256/512/1024... hexadecimal characters even once -- even if base64-encoded for keyboard-friendliness  why so serious?)
« Last Edit: October 10, 2012, 10:01:12 PM by Zetor »
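Zetor's "random prefix plus a tag only the vendor can produce" design, as an added example that is not from the thread or from any vendor's key scheme: keys are generated and checked with an HMAC tag instead of the public-key signature Zetor describes, which is enough when, as here, the vendor's own activation server does the checking (it means no offline client-side check, which a real signature would allow). The key, lengths and base32 grouping are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Vendor-side secret (constructed for this example; in production it lives
# only on the activation server, ideally in an HSM).
VENDOR_KEY = secrets.token_bytes(32)
RAND_LEN = 10   # random part: 80 bits, so valid serials are a vanishing fraction
TAG_LEN = 10    # truncated tag: 80 bits, so guessing a tag for a prefix is hopeless

def _tag(key: bytes, rnd: bytes) -> bytes:
    # HMAC-SHA256 stands in for Zetor's signature: only a holder of `key`
    # can produce a tag that verifies for a given random part.
    return hmac.new(key, rnd, hashlib.sha256).digest()[:TAG_LEN]

def _group(s: str, n: int = 5) -> str:
    return "-".join(s[i:i + n] for i in range(0, len(s), n))

def generate_serial(key: bytes = VENDOR_KEY) -> str:
    rnd = secrets.token_bytes(RAND_LEN)
    raw = rnd + _tag(key, rnd)
    # base32 (upper-case, no 0/1/8 confusions) keeps 20 bytes to 32 typeable chars
    return _group(base64.b32encode(raw).decode().rstrip("="))

def verify_serial(serial: str, key: bytes = VENDOR_KEY) -> bool:
    compact = serial.replace("-", "").replace(" ", "").upper()
    try:
        raw = base64.b32decode(compact + "=" * (-len(compact) % 8))
    except Exception:
        return False                     # not even well-formed base32
    if len(raw) != RAND_LEN + TAG_LEN:
        return False
    rnd, tag = raw[:RAND_LEN], raw[RAND_LEN:]
    # constant-time compare: response timing must not leak matching tag bytes
    return hmac.compare_digest(tag, _tag(key, rnd))

def tamper(serial: str) -> str:
    """Change one character of a serial to show the tag catches it."""
    compact = serial.replace("-", "")
    c = "A" if compact[0] != "A" else "B"
    return _group(c + compact[1:])

if __name__ == "__main__":
    s = generate_serial()
    print(s, verify_serial(s), verify_serial(tamper(s)))
```

This answers Zetor's length worry too: 80 random bits plus an 80-bit tag fit in 32 base32 characters, nothing like the 256 to 1024 hex digits feared.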

PalmTrees
Terracotta Army
Posts: 394


Reply #63 on: October 11, 2012, 10:33:32 AM

I just hope they get rid of this email authentication stuff. It's such a nuisance to have to log into GW then log into my email and click on their link. Odd that the confirm access page that shows city/region used to have that info but now it displays 'unknown'.

Fordel
Terracotta Army
Posts: 8306


Reply #64 on: October 11, 2012, 11:28:54 AM

I haven't had to do that since the very first time. Do other people need to do that every time?

and the gate is like I TOO AM CAPABLE OF SPEECH
Sjofn
Terracotta Army
Posts: 8286

Truckasaurus Hands


Reply #65 on: October 11, 2012, 11:37:01 AM

I haven't had to do it since the first time either.

God Save the Horn Players
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #66 on: October 11, 2012, 11:40:19 AM

Pretty sure there was a 'remember this location' checkbox or something to avoid that coming back every time.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.
Numtini
Terracotta Army
Posts: 7675


Reply #67 on: October 11, 2012, 11:53:09 AM

I got a notice a few weeks ago that someone had logged into my account from Beijing, so I'm rather happy about the mail validation.

What I'm not happy about is I had already moved the account to an email I use only for game logins and never ever on forums or other places. Never mind where they got the password.

If you can read this, you're on a board populated by misogynist assholes.
Fabricated
Moderator
Posts: 8978

~Living the Dream~


Reply #68 on: October 11, 2012, 12:49:26 PM

Quote
I got a notice a few weeks ago that someone had logged into my account from Beijing, so I'm rather happy about the mail validation.

What I'm not happy about is I had already moved the account to an email I use only for game logins and never ever on forums or other places. Never mind where they got the password.

They probably have some sort of workaround for the password; kinda like how I think RIFT had accounts broken into without the perpetrators actually ever getting the password.

"The world is populated in the main by people who should not exist." - George Bernard Shaw
Ingmar
Terracotta Army
Posts: 19280

Auto Assault Affectionado


Reply #69 on: October 15, 2012, 07:06:47 PM

I keep getting in-game spam from characters with real sounding character names. Hacked accounts, definitely happening.

The Transcendent One: AH... THE ROGUE CONSTRUCT.
Nordom: Sense of closure: imminent.