If developing a Two Factor Authentication system is going to take too long,
then SSG should consider at least using e-mail authentication when changing the address in myaccount.standingstonegames.com.
I know it will increase workload because of players who lost their previous e-mail account, however it will alleviate damage from hacking, scam and phishing.
Because then the hacker should know an account password and also an e-mail password to completely rob someone's account.
The account authentication is way too vulnerable now.
If someone just got your account password by any means, then she can change password and e-mail address at once, and the recovery procedure will be tough for many players.
Last edited by LuminasND; Apr 27 2023 at 10:28 AM.
Reason: typo and others
Star Wars the Old Republic, "One time verification" is what drove me to quit it (that and losing character names)
I would try to play with my nephew, on sketchy internet, which kept dropping the game, and reloading... was another "one time verification" ... over and over and over....
I don't want it, so if it is ever added, it needs to be optional.
then SSG should consider at least using e-mail authentication when changing the address in myaccount.standingstonegames.com.
I know it will increase workload because of players who lost their previous e-mail account, however it will alleviate damage from hacking, scam and phishing.
Just like this one.
https://forums.lotro.com/forums/show...tivity-in-game
Because then the hacker should know an account password and also an e-mail password to completely rob someone's account.
The account authentication is way too vulnerable now.
If someone just got your account password by any means, then she can change password and e-mail address at once, and the recovery procedure will be tough for many players.
Originally Posted by Hoppa_Joel
Star Wars the Old Republic, "One time verification" is what drove me to quit it (that and losing character names)
I would try to play with my nephew, on sketchy internet, which kept dropping the game, and reloading... was another "one time verification" ... over and over and over....
I don't want it, so if it is ever added, it needs to be optional.
E-mail verification is good, but I think that app verification is better:
1. You open the launcher, do the log-in and press "phone link" or something, a code appears (or a QR code to be scanned by using the phone camera, extra security and far more simple!).
2. You keep the launcher open and the code has a timer. Also there is a "server code" that changes randomly.
3. You install an app on a phone. Open the app and it asks for the code. The window asking for the code ALSO HAS the "server code" somewhere (so you can avoid fake apps).
4. When the code is sent (with the phone number), the timer in the launcher disappears and says "OK".
5. User is added to the app, you can have multiple users in the app (by setting the same phone number).
6. Phone number is verified each time the app is used (so illegal phone image mirroring with a simple SIM code replacement can be avoided).
7. After an app is linked to an account it is needed for accessing your SSG profile ( https://myaccount.standingstonegames.com/index.php ), also you get a unique set of restore codes (8 of 8 characters each) to keep written down somewhere if the phone is no longer available. Not as a photo in that phone!
Later SSG can add things to that app that enhance the game (lotro store, manage characters, kinship options, satellite worldmap, hobbit presents...).
EDIT: Added a bit more security in case of fake apps appearing as LOTRO's one.
Last edited by Carallot; May 01 2023 at 03:29 PM.
Dear reader, I tend to edit my posts A LOT, sorry. Please don't be hasty, thank you!
Believe it or not, some people do not have phones, so 2FA would effectively lock them out of their accounts.
Also, I'd assume that you wouldn't be able to use the same phone for multiple accounts - and there are people with 6+ accounts.
Believe it or not, some people do not have phones, so 2FA would effectively lock them out of their accounts.
Also, I'd assume that you wouldn't be able to use the same phone for multiple accounts - and there are people with 6+ accounts.
1. It is optional (you can have what we have now: none) plus you may also use the e-mail one (but I discourage it, it is unnerving how many people leave their email accounts open in the wild).
2. Please read point 5 of my previous post.
Dear reader, I tend to edit my posts A LOT, sorry. Please don't be hasty, thank you!
I don't know the proper terminology because it's been a while but the authenticators I know (and like) are those where a phone can scan a QR code, or a code can be typed in, which then sets some kind of system where an authentication code frequently changes and the other side knows it because it is based on system time.
There is also some standardised system among those so the apps can be different but the same codes work, so one does not have to use a specific app.
No SMS, no sim card required, with those. I wouldn't really like using a phone number for authentication purposes for a game, or anything else really. I don't use a lot of things on the internet so I don't know what is going on these days but to me a two factor auth is the QR code thingy.
About constantly logging in:
I have played a game where every time logging in, or even if something happened to connection one had to always authenticate again. This gets frustrating.
Another game lets an IP range be remembered so one can just log in if the IP remains the same, or in the same range. I don't know if there are other methods but I hope there will be something that lets authentication be remembered.