Uman.6150 Posted April 6, 2021

Hi there,

As a software engineer with interests in security, I am quite baffled by your current focus on showcasing SMS 2FA (two-factor authentication) as the preferred solution.

I see the following issue:

I have 2FA with TOTP (Authy/Google Authenticator) enabled on my account. I regularly get advertised to update my 2FA to an SMS-based one, to get a "free mini" in exchange. There has been a lot of press in the last few years describing the risk of targeted attacks with SMS 2FA (this article from Twilio explains it well).

So in terms of security, I'd say:

no 2FA < SMS 2FA < TOTP 2FA < USB security key 2FA (the last one isn't implemented in GW2)

One would argue that promoting a less secure method of 2FA (and one that costs you money for each SMS sent) isn't great, which is why I'd suggest the following:

1. Don't suggest that TOTP users switch to SMS-based 2FA.
2. Give the same miniature to those with TOTP enabled.

Cheers

Note: My understanding is that you feel SMS 2FA is safe enough, considering that what is at stake can probably be resolved through support, and doesn't bring any financial or privacy hit. SMS is also probably easier to set up for your customers than having them use a 2FA app on their phone. For those who did go for the most secure choice (and are fine with it), being encouraged to downgrade still feels off.
Inculpatus cedo.9234 Posted April 6, 2021

ArenaNet already suggests using an authenticator. And offers a Mini-pet, as well.

https://help.guildwars2.com/hc/en-us/articles/230672927-Securing-Your-Account-With-Authentication
https://wiki.guildwars2.com/wiki/Edit_account#Security
https://forum-en.gw2archive.eu/forum/info/news/Beta-Feature-Mobile-Two-Factor-Authentication

and, of course, there's this (my preference):

https://help.guildwars2.com/hc/en-us/articles/201862858-E-mail-Authentication
Healix.5819 Posted April 6, 2021

They recommend SMS simply because it's the easier of the two to set up. The reason they push 2FA at all (email authentication was already enabled by default) is that back when it was first implemented, the various data breaches were happening and people were using the same logins everywhere, so email authentication was easily bypassed. The other 2FA options in this case serve as a minor delay, as the attacker now has to phish support into giving them access (which will happen eventually).

For those who know what they're doing, however, email authentication (with a properly secured email) is the strongest option they offer. You can get the mini by temporarily enabling the other 2FA options, and you can disable the warning with a script or by using Gw2Launcher.