Suggestion: Account Security Improvements. — Guild Wars 2 Forums

Suggestion: Account Security Improvements.

Aeon.4583Aeon.4583 Member ✭✭✭
edited September 14, 2020 in Account & Technical Support

Since the recent incident with the inability to receive email verification codes, I want to suggest better account security options. Add the ability to add all possible 2FA methods and make them work simultaneously.

Some of us use the Email verification method (and therefore have the SMS and Code-Generator-App methods disabled) because it is more comfortable to receive the email on your desktop and simply copy-paste it into the launcher. But it is not the first time the email delivery service here has gone down and players have been unable to log in and play.

Suggestion here is simple:

  • Ability to link all possible 2FA methods to an account.
    Steam has it, Battle-net has it. You can choose the method for your verification codes during your log-in attempt. For whatever reason Arena-net decided to have only one method at a time. If something happens to your cellphone with the Code-generator Application, you won't be able to log in until a ticket has been reviewed to unlink your 2FA. If something happens to the email-delivery service, you won't be able to log in. If something happens to your SIM or your operator blocks Arena-net's SMS, you won't be able to log in.

Update your Client's Launcher with checkboxes which will determine the verification code delivery method on log-in. And give us the ability to use them all simultaneously. If one method doesn't work, the other two will be active and present. It will also help to unlink a non-functional 2FA without sending a ticket. Maybe it would be ok to disable Email verification after adding SMS verification for better security, but simultaneous use of SMS + Code-Generator-App is of the utmost importance.

  • Add the ability to remember only one IP.
    It is very common now for all ISPs to provide their clients with a static IP, meaning the same IP every day, only for you. Your current method authorizes a vast amount of IPs, giving a hacker a chance, even if it is very unlikely, to enter your account using just your password and the proper IP. Since a static IP is only assigned to one client, it will be less risky to authorize it as trusted on an Arena-net account.

Comments

  • Aeon.4583Aeon.4583 Member ✭✭✭

    Did a few updates to this thread. Sorry, but I still feel a little bit angry after yesterday's...

  • Ayrilana.1396Ayrilana.1396 Member ✭✭✭✭

    @Aeon.4583 said:

    • Add the ability to remember only one IP.
      It is very common now for all ISPs to provide their clients with a static IP, meaning the same IP every day, only for you. Your current method authorizes a vast amount of IPs, giving a hacker a chance, even if it is very unlikely, to enter your account using just your password and the proper IP. Since a static IP is only assigned to one client, it will be less risky to authorize it as trusted on an Arena-net account.

    There already is an option for this. I haven't had to use 2FA in over a year for any of my accounts.

  • Aeon.4583Aeon.4583 Member ✭✭✭
    edited September 14, 2020

    @Ayrilana.1396 said:

    There already is an option for this. I haven't had to use 2FA in over a year for any of my accounts.

    Neither the game launcher nor the site offers to remember a SINGLE IP. They offer and remember the whole network, which consists of 255 IPs. Maybe in the past there was an option to remember only one IP and you've been lucky enough to use it, but right now it is not present anywhere and I can't find it anywhere.

    There is a section in account security called Trusted Computers, but it does nothing; the description is there but the section itself is gone.

  • Healix.5819Healix.5819 Member ✭✭✭✭
    edited September 14, 2020

    @Aeon.4583 said:
    because it is more comfortable to receive the email on your desktop and simply copy-paste it into the launcher.

    You could also set up an authenticator to send you an email with your current code if that was the deciding factor. You could also have it as a macro or even fully automated. It's the only option where you are fully in control - you generate the code, and can backup and recreate it whenever you want. It's the fastest and most reliable option.

    As for offering alternatives, the whole point of 2FA is the assumption that your email is vulnerable, so they wouldn't allow using the email as a backup, or 2FA as a backup for email. When it's only a choice between SMS or an authenticator, it doesn't make any sense to use both, as SMS only makes an authenticator more vulnerable and an authenticator can already be recovered yourself.

  • Aeon.4583Aeon.4583 Member ✭✭✭
    edited September 14, 2020

    @Healix.5819 said:
    As for offering alternatives, the whole point of 2FA is the assumption that your email is vulnerable, so they wouldn't allow using the email as a backup, or 2FA as a backup for email. When it's only a choice between SMS or an authenticator, it doesn't make any sense to use both, as SMS only makes an authenticator more vulnerable and an authenticator can already be recovered yourself.

    And what will you do if you have only SMS and your provider blocks Arena-net's SMS because they think it is spam? Or what will happen if the SMS delivery server goes down just like the Email server did yesterday?
    What will happen if you use only the Authenticator app and something happens to your cellphone and you aren't able to properly restore the backup to that Authenticator and get the right codes? (This is the most common problem with all Authenticator apps; I had that problem last year when Authify just stopped delivering the right codes.)
    You won't be able to log in, that's what will happen. You will write a ticket, wait for who knows how long, and only then, if you are lucky, will you get into the game.

    On Steam and Battle-net I have both SMS and Authenticator apps. If one doesn't work, the other one does. One method is used to fix the other.
    In the case of my Google Account I have an Authenticator and TWO phone numbers; if one number doesn't get the SMS, the other one does.

    In the case of an Arena-net account, it is a major flaw, because only one can be used at a time; if it doesn't work, you're screwed. More than that, you can only link one phone number, while we are living in a world filled with 2-SIM cellphones.

  • Healix.5819Healix.5819 Member ✭✭✭✭

    @Aeon.4583 said:
    And what will you do if you have only SMS and your provider blocks Arena-net's SMS because they think it is spam? Or what will happen if the SMS delivery server goes down just like the Email server did yesterday?

    If they offered alternatives, there would be no reason to use SMS. It's the most vulnerable option and is only recommended because it's intended for those who have no idea what they're doing.

    What will happen if you use only the Authenticator app and something happens to your cellphone and you aren't able to properly restore the backup to that Authenticator and get the right codes?

    If you didn't save the original 16 character password, then you won't be able to recover it. Note that you can create as many copies of an authenticator as you want and can have them running on all of your devices simultaneously - it's not just a phone app.

    If they were going to offer a backdoor, it would likely be as a recovery code (one time use 32+ character password), but an authenticator already offers that, so...

    I had that problem last year when Authify just stopped delivering the right codes

    Authenticators are basically just the password multiplied by the current time = code. If the generated code is wrong, the clock is most likely wrong (codes last 30 seconds), otherwise the app/password was corrupted.

  • Aeon.4583Aeon.4583 Member ✭✭✭
    edited September 14, 2020

    @Healix.5819 said:
    otherwise the app/password was corrupted.

    This is the main danger of the Authenticator-only method, because cellphones have this habit of force-stopping your apps at certain stress thresholds, especially if that app is not tagged as a 'system app'. You can review the comments about Authenticators in the Google store; backup codes or device synchronization do not always work.

  • Healix.5819Healix.5819 Member ✭✭✭✭

    @Aeon.4583 said:
    You can review the comments about Authenticators in the Google store; backup codes or device synchronization do not always work.

    This is what a password looks like to create an authenticator:

    abcdefghijklmnop

    Anyone who copy/pastes that password will be able to create the same authenticator at any time whenever they want. See how easy it is to back it up, and it will always work for as long as that password (authenticator) is attached to your account. A problem with an app is just that - a problem with the app - and it in no way affects your ability to use this backup.
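The mechanism Healix describes in the two comments above (a 16-character base32 secret, a code that depends on the secret and the current 30-second step, and a wrong clock producing a wrong code), as an added example that is not part of this thread: a minimal RFC 4226/6238 HOTP/TOTP implementation. The quoted secret `abcdefghijklmnop` is used only as a constructed sample key; the server-side `verify` with a one-step skew window is an assumption about how a typical verifier behaves, not a description of ArenaNet's servers.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample: the 16-character base32 "password" quoted in the thread
# (16 base32 characters = 80 bits = a 10-byte HMAC key).
EXAMPLE_SECRET_B32 = "abcdefghijklmnop"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 string shown at enrolment into the raw key bytes."""
    return base64.b32decode(secret_b32, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the epoch,
    so every device holding the same key and the right time yields the same code."""
    return hotp(key, unix_time // step, digits)


def verify(key: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Assumed server-side check: accept the current step and +/- skew_steps
    neighbours (about a minute of drift), comparing each candidate in constant time."""
    step_now = unix_time // 30
    return any(
        hmac.compare_digest(hotp(key, step_now + d), code)
        for d in range(-skew_steps, skew_steps + 1)
    )


if __name__ == "__main__":
    key = decode_secret(EXAMPLE_SECRET_B32)
    now = int(time.time())
    print("device A:", totp(key, now))
    print("device B:", totp(key, now))      # identical: same key, same clock
    stale = totp(key, now - 300)            # a phone whose clock is five minutes behind
    print("five minutes behind:", stale, "accepted:", verify(key, stale, now))
```

Two copies of the same base32 string are interchangeable, which is why keeping that string is a full backup; a code that is rejected while the secret is intact points at clock drift outside the skew window.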

  • Aeon.4583Aeon.4583 Member ✭✭✭
    edited September 14, 2020

    @Healix.5819 said:

    This is what a password looks like to create an authenticator:

    abcdefghijklmnop

    Anyone who copy/pastes that password will be able to create the same authenticator at any time whenever they want. See how easy it is to back it up, and it will always work for as long as that password (authenticator) is attached to your account. A problem with an app is just that - a problem with the app - and it in no way affects your ability to use this backup.

    You are just missing the point here in trying to convince me that a single linked 2FA method is good. Yesterday proved that it is not. With an Arena-net account, if your current 2FA method is broken, corrupted or blocked, that's it. You will be blocked from two games for an unknown period of time, without any option to receive a code via an alternative method.

    And it is funny to say right now that my account got suspended for a possible hack attempt after I added the Authenticator instead of email; at the same time, for whatever reason, I wasn't able to add my phone number as a 2FA method, with this error

    Now I am again blocked from two games for an unknown period of time until my ticket is reviewed.
    Adding more than two 2FA methods would also help avoid that.