
Phillip_BW (BioWare), 31 posts

Everything posted by Phillip_BW

  1. Apologies for not getting this posted sooner - we have verified that there is no 'fix' for the application that will allow for the Security Key to continue working through an upgrade to iOS version 7. The application itself does work in iOS7 (tested back in June on the developer beta Apple provided), however something inside the upgrade breaks the keystore being used internally within the phone. Any technical fix would take a longer time to get released (probably weeks), and by then the vast majority of Apple iPhone customers will have already upgraded. Not the best place to be, but that is where we are. Below is a list of steps you can use to get your Security Key working again if you do upgrade.

     If you already upgraded and currently have a broken Security Key application:
     - Upgrade to iOS version 7
     - Uninstall/Delete the SWTOR SK application
     - (Re)Install the SWTOR SK application again
     - Visit swtor.com
     - Do not enter a Security Key Code while logging in - this will show you the page with the link on for the 'Lost your Security Key?' process - follow the process for de-registering your Security Key
     - This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
     - Visit your account page on swtor.com and register the Security Key once more using the registration process

     If you are reading this before upgrading:
     - Before upgrading iOS to version 7, visit your account page on swtor.com and disassociate the Security Key
     - This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
     - Upgrade to iOS version 7
     - Uninstall/Delete the SWTOR SK application
     - (Re)Install the SWTOR SK application again
     - Visit your account page on swtor.com and register the Security Key once more using the registration process

     If you do get stuck on the steps above, you can call our customer service team who can help, however please do try to use the website processes first as they are there to help you get back to logging in as quickly as possible without having to make a phone call.
  2. Interesting approach there funkiestj. I thought I was pretty clear that one input action must equal only one action in game, but obviously not - so please find below red X's next to the correct answers. Enjoy!
  3. So a number of people have asked about text macros. A couple of others (even on reddit!) have mentioned 'colour detection to determine which action to take' systems. I even saw a question about sequence clicking... I even saw claims that we can't detect anything and won't do a thing about this issue. I'll address all four...

     Text Macros

     Strictly speaking, text macros are against the ToS. If it's for emotes etc. and isn't being used as a way to advise others of an impending attack in a Warzone (inc snow! for example), then we will turn a blind eye to an extent. If you fire off emotes too many times in quick succession of course then you will get evaluated for if you are spamming. One click 'enter chat, type 'inc snow!', hit enter' text macros designed to warn others are completely against the ToS. You need to make a decision - do I take the time to type 'inc snow' to the ops group, or do I just keep fighting this person... Think of it as an evaluation on if you are using a tool that gives you an unfair advantage over somebody not using that same tool.

     Colour detection and evaluated action macros

     The very act of determining a colour of a pixel on screen and as a result then using a specific action is one of the easy to understand examples of what we call automation. As soon as you have two things happening based on one key press, then it's against the ToS.

     Sequence clicking

     If you have a system set up so that if you hit the same key 4 times like so: '1, 1, 1, 1' and instead of just firing off whatever 1 is bound to it fires off '1, 2, 3, 4', then as long as you keep it to 'one key == one other key hit' it's in that grey area of not true automation. There is a caveat - you can't have the macro determine a minimum time between clicks to work around the global cool down timing and only fire the next button in sequence if the GCD has expired. If you instead have a system that when you hit 1, it fires off 1, 2, 3, 4 in quick succession or all at once (i.e. one click == many actions) in order to try and fire something that isn't currently in a cool down state then yes, that is against the ToS. Again, one click must always equal one action and only one action within the game.

     Detection of abuse

     There are many claims based on guesswork that we can't tell when a person is running automation for systems like field respeccing within seconds. Every time you interact with the server we log either the specific event or an aggregate of similar events firing multiple times. We can (and do!) look through those logs using analytic engines. If you want to know more about the concept, look up 'big data' in google - we strive to make all decisions on making changes to the game based on the data we have, and we have a lot of data. We also use that data for game forensics - we may not react in a real-time manner for most things, but as people foolish enough to speedhack know, we can and do act based on irrefutable data.

     Now, all that said, what are we going to be doing going forwards now that this issue is very much in the limelight? Expect changes to the ability to field respec in Warzones. We were already working on this as part of some upcoming PvP updates (Bruce detailed some of that this week I believe), and we may bring the field respec changes forward - or we may just keep them where they are so to not impact the game update schedules and instead update our existing Warzone game forensic reporting to include inhumanly fast field respec events. Either way my advice if you are currently macroing within Warzones is to stop.
  4. Chiming in.... I'll be as clear as I can be. Automation of the game in any way is against the ToS. This includes macroing in order to respec during Warzone matches. Remapping keys on a keyboard (or Nostromo or Logitech) device so that one key press == one click or ability cast within the game is fine. Using a programmable keyboard or software macro so that one key press == multiple clicks or ability casts in the game is not. Hopefully that doesn't leave room for 'interpretation'. If it does, ask a binary question and I'll give a yes/no.
  5. Speedhacking is a real thing. So are suspensions and bans... We treat each report of speedhacking seriously and by using game data cull speed hackers from the game as they are detected. We have some awesome game engineers who have provided our Terms of Service team with a great set of tools to help in this area. These tools of course are not fool-proof, and while we do have to constantly develop our tools to keep up with 'bad' player ingenuity, we do catch up with people eventually if they do manage to avoid being detected in the first instance. Speedhacking and other exploits are bad. We will action any type of account including subscribers, so for those inclined to speedhack, please take that into account before giving into temptation.

     We also get a number of player reports when speedhackers come into game. A lot of these sadly are misunderstandings of other class abilities, but occasionally we do get a great report and we do take appropriate action. We don't have a 'name and shame' policy and as such will only ever say appropriate action will be taken if warranted. In case it isn't well known, it's best not to post speedhackers' character names and/or YouTube links in the forums - we also have a strict set of rules here as well as to what cannot be posted. The right thing to do if you see somebody speedhacking is to submit an in-game ticket by clicking the '?' and reporting harassment and in the text area typing in a short description of what occurred and when (including time-zone!). If you do fraps something and publish it, please only put that link in the ticket, and never in the forums. I don't want good people actioned for accidentally breaking a completely different section of the ToS when they have good intent.

     I appreciate everybody (including myself) would love to see a speedhacker actioned within minutes of being reported. It will take us hours or even occasionally days to get each confirmed reported account actioned appropriately (we do err on the side of caution as you should expect us to), so please bear with us while we work through our process.
  6. Apologies for the delays we have had in getting the Physical Security Key made available once more within Europe. What I'm sure looks like an 'easy' thing to do is actually quite complicated internally. While the keys have been available in the Origin Store for the last couple of weeks, they were put up with prices that were different to what was advertised on the SWTOR website. You will be happy to hear that the prices agreed on are the lower of the two, and not the larger of the two. I'm happy to announce that for most of Europe, the Physical Security Key is once more available. For the rest of Europe we are still working on making the Physical Security Key available once more in the following countries:
     - Czech Republic
     - Germany
     - Poland
     - Switzerland

     As soon as I have an update on these countries I will be posting another update. As each link is country specific for finding the key within the Origin Store, and as we can't guarantee that the links won't change over time, the easiest way to find the item in the store is to open the Origin Store in a browser ( http://store.origin.com ) and in the upper right-corner, type "Star Wars Physical Security Key" in the search box.
  7. I hadn't given an update that the Physical Security Key is available again in the EU Origin Store just yet as we are still working with our partners in Europe on the pricing due to the mismatch which is causing confusion. As soon as we sort out what the pricing is, I'm sure we will post an update.
  8. A quick update today the 22nd of April. After diagnosing a couple of places where the slowdown of outbound OTP emails became evident on the 13th April, the teams have written and implemented another hotfix in addition to increasing the amount of infrastructure handling the outbound emails. We will of course be monitoring the situation carefully as usual to see how effective this latest change is. And to think my original post that started this thread was based on data that ended on 12th April! I'm still kicking myself over that! As usual with these things, timing is everything... As mentioned previously there are also some other pieces of work I've called out which are still being worked on, so expect more news as those progress.
  9. That was the answer we were looking for. The majority of the studio play on the 'official' servers on pretty much a daily basis. We aren't allowed to say what our character names are or even that we work here to our guild-mates, but we do play... Some of us more than others of course! We even have mini competitions between ourselves to see who can play the most of the most things.
  10. A few responses...

     The Security Key entry means that you will not be sent an OTP message at any time unless you are trying to remove the Security Key from your account. While I've seen a number of people try to say that we are wanting to force people into using a Security Key, that is not correct - we are making changes to alleviate the issues for the people affected by the issues being talked about on the forums as it was never the plan to force people to use a Security Key on their account.

     I'm also not sure how long ago you had a CS agent discourage you from using the Mobile Security Key. The application is working well (apart from an Android glitch with font colours which can be fixed by going to the main menu in the app and back in to the code page again), and it does prevent the OTP message being required for normal authentication. We have also implemented a self-service system for lost/remove/replace scenarios which means you no longer have to call CS to fix a Security Key issue.

     I have this on my list of 'nice to have' and one day we may get there. No promises though as the cost associated with our Security Key implementation (the time-based system we already have) was covered a couple of years ago.

     I don't mind you asking again - I'm still asking for it myself! Still no news on if or when this might happen.

     If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

     Simply removing the OTP system also means we would be removing the self-service for Security Key system, forcing people to have to call CS once more when they had a Security Key issue. That was a constant source of new threads before we launched the self-service options, and I don't think we want to go back there....

     While the number of posts on this topic indicates there are some issues, you have to remember that people without the issue are not posting as they don't have a reason to (unless they are bored and actually read these posts). While we are working on solving the issues people are posting about, you have to keep in mind that the vast majority (and I do mean vast!) are not having the issues people are posting about. Don't get me wrong here - I'm not trying to say there is not a problem or that we are trying to dismiss the issues. Reality is very much the opposite when it comes to the seriousness that we are taking on ensuring all players can log in to the game when and where they want to as quickly as possible without also creating an account take over issue.

     You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has, we are not ignoring this issue at all.

     Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55s. Sadly there are a number of groups attacking MMOs for a multitude of reasons, and we have a duty to protect players' accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model. TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

     I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

     As for Mordac, I've been called worse, but usually as a joke given security related roles are hardly ever seen as ones where positive news is given out... IMO Mordac would go for the 'pint of blood needed to log in' approach. OTP in the end doesn't actually prevent information services.

     We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

     We protect all accounts in the same way, so yes, this setting change applies to everybody who is receiving OTP emails.

     As I get more updates on other work we have ongoing I'll be sure to post - I'll see if I can get more answers to questions posted again in the next couple of days if I have time...
  11. A very quick update - we have just rolled out a change in the expiry time for the OTP message which allows it to be valid for a longer period of time, and we will be monitoring how effective the change is for if we need to tweak it further or not. I may even get a chance to answer some of the questions raised in this thread in a bit if I'm lucky...
  12. Apologies for the lack of direct replies. Given the number of different threads, I've posted a new thread covering the different issues, and an update can be found at: http://www.swtor.com/community/showthread.php?t=626829
  13. Now that things have settled in a bit since the changes we made with the authentication system, and also now that Rise of the Hutt Cartel is launched, I thought it best that we update you on some upcoming pieces of work we have around the One-Time-Password (OTP) system. No ducks involved!

     We have a number of topics that need addressing (in no particular order - they are all equally important!):
     - OTP messages sometimes expire before they can be used
     - IP address changes are very annoying
     - Deleting cookies in a browser forces a new OTP every time
     - Mobile Security Keys are only available to Subscribers
     - Physical Security Keys are still out of stock in Europe

     OTP messages sometimes expire before they can be used

     There are quite a few reasons why there can be a delay in the email getting delivered in time, and not all of them on the SWTOR side of the fence. While we all expect email to instantaneously arrive, this is not always the case, and as a result we are changing how quickly the OTP code expires before it can be used successfully. Now the expiry isn't being changed dramatically (we are adding a number of minutes, not hours). But it is being increased based on analysis of the data we are seeing around when an OTP is sent, and how quickly those players affected by a delay in getting their email are able to attempt to enter in the OTP code. Needless to say the vast majority of the edge-cases are being catered for without dramatically reducing the security aspects associated with the expiry of the OTP message itself.

     I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.
     - A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. This accounts for the bulk of the forum threads I have seen and researched that are affected by this anti-spam system.
     - Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher.
     - The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards isn't something we have visibility into.

     When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again.

     ETA: Within the next 7 days. If we can get away with a rolling hotfix to cover all the various servers involved we will, otherwise we will have to wait till next Tuesday's maintenance. This isn't a guarantee, and things are looking good for 7 days being the maximum, and not the minimum time for this change to be deployed.

     IP address changes are very annoying

     I have to wholeheartedly agree that having to enter a new OTP every time the IP changes is very annoying. We actually have pieces of the long-term fix already deployed, and the delay in being able to implement the additional pieces to reduce the IP check's importance in our weighting of the various controls in place is two-fold. Firstly we have to prioritize this work alongside other clearly important pieces of work. Delaying work needed for the release of Rise of the Hutt Cartel for example was discussed and understandably getting the expansion out on time took precedence. Secondly, we have limited resource. As much as it would be nice if we could have lots more people on each of the teams involved in making the required changes, we are running a business... I can't give an ETA on when we will have the remaining pieces of work completed. I know it's not what people want to hear, but as soon as we have an ETA for this, I will post a better timeframe for the change to be deployed.

     Deleting cookies in a browser forces a new OTP every time

     This is specific to using a web browser and our website. The game launcher is not affected by this behaviour. There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting. I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work as well as Internet Cafes or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

     So, that leaves us with a few ways to not get prompted each and every time:
     - Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
     - Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
     - Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time

     ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.

     A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

     Mobile Security Keys are only available to Subscribers

     This was a decision made before we launched the new Free to Play model SWTOR now works within. There is a substantial cost we absorb by providing the Mobile Security Key solution (even ignoring the 100 cartel coins per month you get as a side-benefit), and until we could provide a self-service model for losing or replacing a Mobile Security Key, we could not consider providing it to everybody. We are currently looking at providing the Mobile Security Key additionally to 'Preferred' status players as an authentication option in addition to Subscribers. The idea is that once you put a real dollar value against your account in the form of cartel coin purchases or even a subscription, we will acknowledge that trust in us as a studio and at that point provide the option to you as a player.

     ETA: I don't have definite approval or even an estimated date for when this can go live, so I'm going out on a limb here and telling you far earlier in the process than we would normally do so. I blame Eric, Courtney and Amber for leading the way here and ruining my natural desire to be secretive.

     Physical Security Keys are still out of stock in Europe

     We are almost there with the logistics surrounding getting the Physical Security Key made available within Europe again. I'm expecting to have news on their availability back in the store sometime in the next couple of weeks. There is an ongoing internal issue with getting the Physical Security Key made available for Germany, Poland, Switzerland and the Czech Republic. I totally understand that the majority of the ISPs in Europe that require an IP change on a daily basis are located in Europe and you can be sure that we have the SWTOR Executives helping prioritize that issue internally to ensure we get the keys made available as soon as is possible.

     I will try to answer any questions as soon as I see them when time permits. I apologize in advance if helping organize all the above (in addition to my 'normal' job!) means I don't post quite as often as you might desire...
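The post above describes two mechanisms in words: several weighted device signals (the site cookie and the source IP among them) deciding whether an e-mail OTP is sent, and an OTP whose validity window has to absorb mail delays such as greylisting. The following is an added illustration in Python, not SWTOR's code; every weight, threshold, TTL and sample value in it is constructed for the example, and the "reduced IP weight" table only models the direction of change the post mentions.

```python
"""Risk-weighted OTP challenge plus OTP expiry under delayed mail delivery.

Added example (not SWTOR's code). All weights, thresholds, TTLs and sample
values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
import hashlib
import hmac
import secrets

# Constructed weights: with these, a missing cookie OR an unfamiliar IP on its
# own drops the score under the threshold, so either forces an e-mail OTP.
CURRENT_WEIGHTS: Dict[str, int] = {"device_cookie": 40, "known_ip": 40, "known_user_agent": 10}
# Constructed alternative with the IP check's weight reduced, the direction the
# post says is planned: a valid cookie then carries a login through an IP change.
REDUCED_IP_WEIGHTS: Dict[str, int] = {"device_cookie": 70, "known_ip": 15, "known_user_agent": 10}
CHALLENGE_THRESHOLD = 75


@dataclass
class DeviceProfile:
    """Server-side record of what has been seen for one account (constructed)."""
    cookie_secret: bytes
    ip_history: Set[str] = field(default_factory=set)
    user_agents: Set[str] = field(default_factory=set)


def make_device_cookie(secret: bytes, account: str) -> str:
    """Cookie bound to the account by an HMAC: a copied or forged value fails
    validation for any other account, so the cookie alone is not a credential."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(secret, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def cookie_is_valid(secret: bytes, account: str, cookie: Optional[str]) -> bool:
    if not cookie or "." not in cookie:
        return False
    nonce, mac = cookie.split(".", 1)
    expected = hmac.new(secret, f"{account}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def risk_score(profile: DeviceProfile, account: str, cookie: Optional[str],
               ip: str, user_agent: str, weights: Dict[str, int]) -> int:
    """Sum the weights of the signals that match the stored profile."""
    score = 0
    if cookie_is_valid(profile.cookie_secret, account, cookie):
        score += weights["device_cookie"]
    if ip in profile.ip_history:
        score += weights["known_ip"]
    if user_agent in profile.user_agents:
        score += weights["known_user_agent"]
    return score


def needs_email_otp(profile: DeviceProfile, account: str, cookie: Optional[str], ip: str,
                    user_agent: str, has_security_key: bool = False,
                    weights: Dict[str, int] = CURRENT_WEIGHTS) -> bool:
    """A registered Mobile/Physical Security Key replaces the e-mail OTP: the
    player types the key code instead, whatever the device score."""
    if has_security_key:
        return False
    return risk_score(profile, account, cookie, ip, user_agent, weights) < CHALLENGE_THRESHOLD


@dataclass
class IssuedOtp:
    code_hash: str      # only a hash of the code is kept server-side
    expires_at: float   # seconds on the same clock as 'now' in verify_otp


def issue_otp(now: float, ttl_seconds: int) -> Tuple[str, IssuedOtp]:
    code = f"{secrets.randbelow(10 ** 8):08d}"
    record = IssuedOtp(hashlib.sha256(code.encode()).hexdigest(), now + ttl_seconds)
    return code, record


def verify_otp(record: IssuedOtp, submitted: str, now: float) -> bool:
    """Reject expired codes first; compare the rest in constant time."""
    if now > record.expires_at:
        return False
    submitted_hash = hashlib.sha256(submitted.encode()).hexdigest()
    return hmac.compare_digest(submitted_hash, record.code_hash)


def otp_survives_delay(ttl_seconds: int, mail_delay_seconds: int, reaction_seconds: int) -> bool:
    """The post's analysis in one function: the code is usable only if the mail
    hop delay (e.g. a greylisting retry) plus the player's time to read and
    type it fits inside the TTL."""
    code, record = issue_otp(0.0, ttl_seconds)
    return verify_otp(record, code, mail_delay_seconds + reaction_seconds)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    profile = DeviceProfile(secret, {"203.0.113.5"}, {"Firefox/21"})  # constructed sample
    cookie = make_device_cookie(secret, "player1")
    print("same IP, cookie present  ->", needs_email_otp(profile, "player1", cookie, "203.0.113.5", "Firefox/21"))
    print("ISP changed IP, cookie   ->", needs_email_otp(profile, "player1", cookie, "198.51.100.9", "Firefox/21"))
    print("... with IP weight reduced ->", needs_email_otp(profile, "player1", cookie, "198.51.100.9",
                                                           "Firefox/21", weights=REDUCED_IP_WEIGHTS))
    print("incognito (no cookie)    ->", needs_email_otp(profile, "player1", None, "203.0.113.5", "Firefox/21"))
    print("10 min TTL vs 15 min greylist delay ->", otp_survives_delay(600, 900, 60))
    print("25 min TTL vs 15 min greylist delay ->", otp_survives_delay(1500, 900, 60))
```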
  14. I've noted people read a lot more into the specific words that we use than we might actually be meaning regardless of intent, so of course you can...
  15. We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things. People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with. We are working on seeing what we can do for the players affected by ISPs that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.
  16. I've been looking into this, and while your game authentications (10+ times logged in) are working as expected without you getting prompted for an OTP, you are indeed getting prompted too often when logging on to the website. From what we are seeing in the logs, it appears you are using 'incognito' mode, or disallowing cookies to be saved within the browser. This could be something you have done on purpose to stop being tracked by ad trackers (I do something similar using a NoScript addon in conjunction with a Ghostery addon), or something an addon in your browser is doing for you without you realizing. Either way, stopping cookies from being able to be saved for the SWTOR website will mean that you get prompted every time you open the browser and go to the website. You could use a different browser that hasn't been customized as a test (log in once to create cookie, close browser and go to SWTOR again to see if you get prompted again). I'd be interested in the results.
  17. There is an official word on this... We are in process of restocking the European Origin Store with the Physical Security Key, and as soon as I have an exact date I will post it. For answers around the changes made on the 2nd with regards to Display Name, OTP and Self Service options, please check the following two threads:
     - Second announcement I recommend reading through as it has 'moar things' explained: http://www.swtor.com/community/showthread.php?t=612230
     - Current thread we want new questions to go into: http://www.swtor.com/community/showthread.php?t=618148
  18. I thought I'd pop into this older thread and request people post on the 'new' thread. I'd also recommend reading through the posts I made in the second iteration of the 'upcoming information' thread.
     - Second iteration I recommend reading through as it has 'moar things' explained: http://www.swtor.com/community/showthread.php?t=612230
     - Current thread we want new questions to go into: http://www.swtor.com/community/showthread.php?t=618148
  19. For all those posting about the game crash, it looks like I need to be a bit clearer on 'authentication' vs Launcher and Game crashes: If you get to the point where you can click 'Play' in the Launcher, you are past 'logging in' and have moved into loading the game client. The changes we made to authentication (Display Name only, OTP, Self Service) have nothing to do with those game crashes. If you can't get to the point where you can type in your authentication credentials and click the Login button, then you have an issue with the Launcher itself. The changes we made to authentication were back-end changes, and while other pieces were also modified on the 2nd, those weren't to do with the Display Name, OTP and Self Service features. There are other threads (mainly in the Customer Service forum area) about those issues if you have them, and please move questions about the game client issue over there - I won't respond to them as I'm not involved. I do wish I could help, but my expertise is elsewhere.

     I'm also only answering new questions about authentication that haven't already been answered in this or previous threads. Those threads are:
     - http://www.swtor.com/community/showthread.php?p=5954106
     - http://www.swtor.com/community/showthread.php?t=612230

     Actually that wasn't me specifically - I think that may be the case, and I hope so, as I too collect the pets. I'm not involved in that side of things though, so don't know for sure.

     The change in IP addresses by certain ISPs is a great inconvenience for those that use those ISPs. We totally understand that. The problem we face is that we have to take into account a lot more than just changing IP addresses, and have to set the level of security around 'all the players'. This means that some (in this case people that use changing IP ISPs) are going to be inconvenienced more than others. We also have to consider what attacks can be run against the system, and ignoring IP and changing to MAC address instead would actually open up quite a few attack vectors which you don't want us to allow. In reality we pay attention to a lot more than just the IP address, but that's a different conversation which I won't go into detail on 'for security reasons'. Authentication is one of the most complex systems we have as we try to balance security with user inconvenience. In the end to have adequate security, some inconvenience is required. Believe me, if we could trust everybody to stick to their own account and just have people log in with an auto-saved username, we would. Reality is that there are a few 'bad' people out there that mean we have to treat authentication seriously. And we do.

     To alleviate the problem we do have two options on our side:
     - For subscribers, there is the option to use the Mobile Security Key (and ex-subscribers can continue to use it after they stop subscribing up until they remove the Security Key from their account). This will mean you do not get an email every time your IP changes, and instead have to type in the Mobile Security Key Code.
     - For all players, there is the option to buy the Physical Security Key to achieve the same thing.

     Yes, I totally understand the Physical Security Key is currently out of stock in Europe, and we are working diligently with the European Origin Store staff to get that restocked ASAP. I have a tentative date for sometime in the next few weeks, but I'm not going to say exactly when until they confirm that date to the point where I feel comfortable posting it. I do not want to give false hope there!
  20. The link to Origin hasn't changed at all - there is a promotion happening across some other EA games that you must have hit the criteria for, which meant that you have been sent the pet. I'm jealous, I don't have the pet myself! This question (and others) is covered in my post from a couple of weeks ago: http://www.swtor.com/community/showthread.php?t=612230 The game crashing bugs are covered in other threads - please keep this thread specific to the authentication changes.
  21. More answers to new questions... We have discussed this option internally a few times, and the current thinking is we will let the change on April 2nd settle in before making further changes to how the Security Key itself works. Technically it's possible, but we wouldn't want people to forget to take the key with them if they are intending to play - the reasons behind our system thinking you might be playing from a 'new' location are complicated to say the least and it could prompt when least expected... Thanks for the reference - TIL Ducks are a SWTOR thing too I've mentioned this a few times - we are working on getting the physical security keys made available in Europe and as soon as I have a better estimate on the date other than 'soon', I'll be sure to post. My team does not work on the servers. There are many teams here, and we all have different abilities and jobs and my team is in no way qualified or tasked with working on the servers... I've seen a lot of players ask for self-help service for Security Key. Without these changes we would not be able to provide the service with the same level of security, so in order to make self-service possible, we had to change other aspects as a result. So yes, people did actually ask for something that was a key consideration in making this change happen Not all posts stay sticky forever. Not all posts get answers. This post will continue to get answers even if it isn't sticky - if I post a brand new thread I might stop reading this one at that time though... It's possible we will re-sticky this post soon as well given the change is going live in a few days time. Confirmed. You are tempting my 'wall of text' responses to get longer Self-service for Lost my Security Key: This will require you to have access to your email as proof of ownership of your account - this is tied in to why we are removing the link between your login and the email address.
Self-service for Remove my Security Key: Similar in that we want to make sure you can still log in afterwards by making sure (while your Security Key is still active) that you can still receive emails. Self-service for Move my Security Key: No emails required - you will literally move between two devices and stay at the same level of security the entire time. This will all make much more sense when you see the 'wizard' style dialogs our web team have created for the different options.
  22. Initial answers below! For those of you wondering why MrYellowDuck surfaced, you will find there was a theme hiding in the answers to the original posts a couple of weeks ago when I mentioned I was lining up some ducks. It was meant as a bit of humour in what is otherwise a very boring topic, so please don't get too sidetracked by MrYellowDuck himself... One of the aspects of the current (pre-April 2nd) implementation is that it is possible to get into a state where you are asked a Security Question every time you log in. The changes on April 2nd will eliminate that state, and from April 2nd onwards you will only be prompted if we detect a change that warrants revalidation. I won't go into detail on all the aspects that we use to determine a change has occurred other than to say IP address is indeed one of the aspects. I realise that will be very annoying for those people with an ISP that changes out IP addresses on a regular basis, but that frequency of being asked for an Email Security Code based on just IP address change will not change from how often it does get asked today. As a number of people have pointed out the solution there would be to get a Security Key which while it does ask you every time you want to log in, does not have the small delay in waiting for an email to arrive. The frequency you are describing does appear to be the state issue I originally described however, and that will stop happening going forwards. Yes, if you have a Security Key, that trumps everything else and you will not have to additionally enter an Email Security Code. ISPs that change IP address every day on their customers were taken into consideration, but sadly we can't eliminate the IP address out of the equation and still stay at a reasonable level of security within the authentication process.
For the direct question on how we determined changed location, there are many factors taken into account, and this is one of those pieces where it isn't quite straightforward to figure out for an attacker. So I'll leave the attackers with work to do... For the side note, I'm anything but making fun of customers - my intent was to make fun of a fictitious yellow duck as an attempt to bring a bit of humour into what is otherwise a very boring topic. That and continue a theme from the previous answers to the thread from a couple of weeks ago. No offense intended! Sadly the answer is not what you wanted to hear. There is a certain point where keeping security at an acceptable level has to outweigh the inconvenience - if that were not the case, we would gladly do away with passwords and their ilk without a second thought! There are bad people out there that would love to take over other people's accounts - and our authentication system (and all its complexities) is what stops them. I do have many unsafe email addresses - I'm not actually asking for donations though, so no email address should be given Our system is not designed that way - currently an 'account' is directly related to a set of characters, and there are no plans to have yet another layer of (master?) account that links several accounts together. We are working on getting the Security Key back in stock within EU as quickly as we can - I'm in constant contact with the people who run the EU side of the Origin Store where the keys are sold, and as soon as I have a better date than 'soon' I'll be sure to get a post up. It was more of a theme based on my previous comments about getting ducks lined up - I don't actually have a bathtub duck, but am now thinking of getting one! This made me literally laugh out loud. I'd not seen that link before, but it was well worth the read! Thanks! It's the reason I'm thinking of getting a rubber duck now...
I'd have had to go with 'droid references and single-file banthas, and it wouldn't have made as much sense. I'll try to pick something more Star Wars oriented for next time perhaps. I've no idea if the name is taken in-game as a character. If it is, it's nothing to do with BioWare. I did however register the account name while writing up the post, so the only MrYellowDuck posts you might see will be mine... Yes - the bug referenced will be fixed as part of this implementation on April 2nd. It didn't affect many players, but it sure is annoying for them and I'm all for a better login experience (as long as it stays secure!).
  23. *** Some text changes below to indicate finalized wording used on the website and dates *** On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well. On April 2nd, the following changes are going live:
  * Display Name only login
  * One-Time Password (via email) replacing Security Questions and Answers during Authentication
  * Self-service for Forgot my Display Name
  * Self-service for Lost my Security Key
  * Self-service for Remove my Security Key
  * Self-service for Move my Security Key
As a result of the original announcement of the initial overall change, there were a lot of questions raised. I'm going to try and give as much detail as I can here to try and answer any questions you might otherwise have, and that way we can focus on anything missed. Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them... Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions.
Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account. This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account. Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account. OK, that wasn't a question. Let's just presume you are actually asking if using the publicly visible Display Name increases the chance you will be hacked... We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account. Let's look at the different pieces needed to successfully log in today:
  * Display Name or Email Address
  * Password
  * Security Key or Authorized Location
  * Non-Authorized Location via Security Question and Answer
Then let's look at the different pieces needed to successfully log in from April 2nd onwards:
  * Display Name
  * Password
  * Security Key or Authorized Location
  * Non-Authorized Location via One-Time Password (via email)
  * Access to your Email Account
From the get-go, we have never considered the username to be 'hidden' or 'secret'.
It never factored into our security model as something to secure, as we have worked on the basis that the attacker already knows it. This is also why we have not provided a self-service system for Security Keys, as while the email address is easy (for an attacker) to associate with a SWTOR account, we have had to presume they will phish or attack the email account itself. De-linking the email account means that an attacker who knows the username has no knowledge of who to phish or attack. This means they continue to be unable to take over your account. There are hundreds of millions of known username/password data rows available on the Internet. Well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance as one of the posts on the previous thread indicated. So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already. That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today We are working on a new 'Forum Display Name' capability so that people will at some point in the future be able to change the name used on the forums. Which way we go about that (choose a character name? let you write whatever you want?) is still being decided and that will impact the amount of work required and therefore the 'when'. This is not something that is planned for April 2nd.
It is also not something that can be easily implemented in a matter of minutes. Regardless of if the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out. We will send you a 'One-Time Password', via email, whenever we determine you are attempting to log on from a non-authorized location. This is similar to how we prompt for the Security Questions and Answers today, except instead of having to remember an Answer, you will be provided it via email instead. With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address. By changing to a One-Time Password system, this actually decreases the chance an attacker would be able to guess the correct 'answer', as not only will the One-Time Password be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new password is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/). If anybody ever does actually guess the One-Time Password, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. 
Far, far more chance... No. No it will not. As soon as we detect an attempt to log in from a new 'location', we prompt that location for a One-Time Password which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Locations in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves using the One-Time Password. Once the person with access to the Email Account validates using a One-Time Password, from that point forward you will be able to log in from that new Authorized Location and as a result there is no point where an attacker can actually lock you out. Actually the Origin authentication system is not changing as a result of the changes within SWTOR. You will still be able to log in to Origin with either your email address or your Origin Display Name. In the background we will still update your Origin password if you change your password on the SWTOR website. Rather than force everybody to get revalidated, we will be grandfathering in existing approved locations, which are based on the existing Security Questions and Answers. If you have a Security Key, that functionality will not change and you will continue to only be required to enter the next Security Key code when you log in. So there are two alternatives here I would recommend. The first is to get a Security Key that you can take with you. This will protect you from any potential key-loggers or other malware on the temporary computer you use. Just don't type your email account password in at the same time unless it is also protected by a two-factor system.
The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations. I may indeed just have told some amateur hackers a small portion of our security model. You'll be (happy?) to know that the professional hackers figured out these pieces well before launch of the game in 2011 and it hasn't helped them. Additionally there are certain aspects that we can talk about (a variant of Shannon's maxim as applied to overall security systems rather than just cryptography - see Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards. No. We will not be requiring you to log on with a character name. What you need to use is your Display Name. At any time before April 2nd, you will be able to log on to http://www.swtor.com (or http://www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website. Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option. Well, to be fair if you only know your email address, we have to let you type it in somewhere. Unless you have access to the email account though, you won't be able to read any emails that are sent to that email address. Regardless of if a particular email address is associated with a SWTOR account, you won't know if there is a link unless you do have access to the email account. It is that principle that continues to de-link the email address from the SWTOR account by purely just using the website (or game launcher) itself. I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication. 
At any time a Free To Play account holder can register and validate an email address. Once you get to level 15 in-game, or want to purchase something from us, you will be required to register and validate an email address at that point in time. No. We are keeping the Security Questions and Answers in place and will be using them as a form of verification on the telephone if you ever need to call our Customer Services team. A lot of the changes going into place on April 2nd are to help enable self-service systems so that you will not need to call CS as often. We appreciate that when there is a holding queue that it is very annoying, and if calling internationally, also not free. We would like to reduce costs where we can both for our players as well as ourselves. Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs and instead changing security slightly. For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us. Yes. Yes there is. As we transition from relying on Answers to Security Questions to sending a One-Time Password to you via email when authenticating, the security of your own Account becomes something you can impact directly by also making sure your Email Account is also secure. I would recommend you look at the following or get a more computer savvy friend to help:
  * Use a unique, complex and as lengthy as you can password (stressing it is used nowhere else) on your email account
  * Where possible add a two-factor system to your email account - 2-Step on GMail is a great example
  * Make sure your connections to email are secured by SSL or similar. Basic SMTP (sends email in plain text) can easily disclose your password to somebody watching your network, as can unsecured POP3 or IMAP
  * Ensure you have a good AV program installed and kept up to date. Microsoft Security Essentials for example is free on Windows and is one of many great choices
  * Don't visit hacker websites (or for that matter most adult-entertainment sites). A lot of them have virus attacks included in viewing the pages
  * Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
  * Don't click links you don't know inside emails. Go to the website you think you need to go to and type the url in the hard way. Takes longer, but helps protect you...
  * There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!
I have to say I am constantly amazed at what our artists can do. Let's just say I'm artistically challenged and my stick figures are pathetic and quite ugly to behold... I'm also not one of the server or game engineers and I don't think any of us want me messing around with code that could create full-scale blackouts across entire shards if it is written incorrectly. Basically we have many teams here and my specific team will continue to focus on the security aspects as that is what we are actually here for. Think of it as an added bonus. I'm going to copy/paste most of an answer I gave in the previous thread. In the security field, when waffling on about authentication we talk of two-factor quite a bit. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
  * Something I know (e.g. password)
  * Something I am (e.g. biometrics)
  * Something I have (e.g. security key)
I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement. As it is sure to come up, let us be clear that Security Questions and Answers (SQAs) are not truly two-factor.
It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system. The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key. One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery... Why thank you! My email address is ph..... Oh hang on, I see what you did there. Naughty duck! OK, enough monologue from me! If you have questions or comments, please don't hesitate to reply. I can't promise an immediate turn-around, but we will be watching this thread and there will be replies when we can get them posted. I would however ask that you refrain from being too descriptive if you feel the need to say I'm wrong anywhere - the forum rules still apply.
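The One-Time Password and Authorized Location flow described in the post above (a fresh random code per challenge, a small number of guesses before it is re-randomised, a bounded set of remembered locations that are not displaced when a new location appears, and a password change clearing the Authorized Locations), modelled as an added Python example. This is not BioWare's or SWTOR's code: the code length, expiry, guess cap, number of retained locations and the sample location names are assumptions for illustration, and the password check and the Security Key path are left out.

```python
import hmac
import secrets
import time
from collections import deque

# Assumed parameters (not from the post): code length, expiry, guess cap
# before a fresh code is issued, and how many locations are remembered.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 600
MAX_ATTEMPTS = 3
MAX_LOCATIONS = 5


class PendingOtp:
    """A one-time password outstanding for a not-yet-authorized location."""

    def __init__(self, code, issued_at):
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class Account:
    """Authorized-location state for one account, keyed by Display Name."""

    def __init__(self, display_name):
        self.display_name = display_name
        # Bounded list: when full, the oldest location is dropped, the rest stay.
        self.authorized = deque(maxlen=MAX_LOCATIONS)
        self.pending = {}        # location -> PendingOtp
        self.sent_emails = []    # stand-in for the outbound mail queue

    def _issue_otp(self, location, now):
        # Fresh random code every time; earlier guesses tell an attacker nothing.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[location] = PendingOtp(code, now)
        self.sent_emails.append((location, code))

    def login(self, location, now=None):
        """Display Name and password already verified (omitted). Returns next step."""
        now = time.time() if now is None else now
        if location in self.authorized:
            return "ok"
        # Unknown location: challenge it, but leave existing locations untouched.
        self._issue_otp(location, now)
        return "otp_required"

    def verify_otp(self, location, guess, now=None):
        now = time.time() if now is None else now
        pending = self.pending.get(location)
        if pending is None:
            return "no_challenge"
        if now - pending.issued_at > OTP_TTL_SECONDS:
            self._issue_otp(location, now)
            return "expired_reissued"
        pending.attempts += 1
        if hmac.compare_digest(pending.code.encode(), guess.encode()):
            del self.pending[location]
            self.authorized.append(location)   # promoted only after proof of email access
            return "ok"
        if pending.attempts >= MAX_ATTEMPTS:
            self._issue_otp(location, now)     # randomise again; attempt count resets
            return "reissued"
        return "wrong"

    def change_password(self):
        """Per the post: changing the password removes the Authorized Locations."""
        self.authorized.clear()


def guess_probability():
    """Best case for a guesser who spends every allowed attempt on one code."""
    return MAX_ATTEMPTS / 10 ** OTP_DIGITS
```

The constant-time comparison and the re-randomisation on the third miss are the two details that carry the "entropy" point in the post: each challenge is an independent draw, so an attacker never accumulates information across guesses, and the chance per challenge is bounded by `guess_probability()`.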
  24. Personally I didn't realize /follow had been removed from WoW. It's an interesting move on Blizzard's part and (now that I ask internally) we are already looking at any possible negative aspects that might occur if multi-boxing within SWTOR was to become a 'thing'. I'll be clear that certain ways of technically implementing multi-boxing are very much against the Terms of Service, so I would suggest erring on the side of caution and not depend on existing functionality staying static...
  25. We had a minor issue with uploading one of my posts yesterday, and it lost the 'Next BW Post' link as a result. So just in case you missed it, here is a list of the posts thus far! http://www.swtor.com/community/showthread.php?p=5954106#post5954106 (Courtney's starting post) http://www.swtor.com/community/showthread.php?p=5955636#post5955636 (First reply) http://www.swtor.com/community/showthread.php?p=5961316#post5961316 (Second reply - this is the one with the missing link) http://www.swtor.com/community/showthread.php?p=5961675#post5961675 (Third reply) OK - pages 31 to 37 answers... We have Security Key applications for Windows Phones (and Blackberry even) on the list of 'would be really nice to have', but there are no current development plans for those at this time. That is a business decision based on market share - the development effort is not trivial, and until the percentages change significantly (which they could!) we probably will not get funding for the work involved. I've used Windows Phones most of my life, so this is a topic near and dear to my heart as well :jawa_grin: I will have that functionality tested again - the time period for being able to reuse the same key successfully (and this relates to the Mobile version only) should stop that after a certain number of authentications. It's possible the configuration changed when we consolidated some of our back-end systems, so I'll get the configuration validated for sure. I'll make sure if we do have a configuration change there that we only change it after the self-service options are available (your next question is actually related after all). As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.
The removal of email address as a username option is a change to our out-of-game authentication system only. No in-game name changes will result. I thought it best to clear that up... Also squashing this before it becomes a rumour - we aren't splitting off SWTOR from EA. The change in our authentication system is an enabler for modifications or additional systems associated with authentication only. Relying purely on IP Address indeed would be ridiculous. Imagine a university dorm and everybody being able to play each other's accounts. That would be horrific if you valued your account at all in that scenario. All these scenarios (and many many more) have been considered and mitigated. We aren't relying solely on one control (such as an IP Address) to protect an account, just as we have never relied on just username/password in the live game. We rely on many controls that work together to protect the account. Yes we are changing some of those controls, but only so we can put additional systems in place without removing security. The upshot is that accounts will be in an even more secure state as of April 2nd. Even today, hackers can browse the SWTOR forums for Display Names. It doesn't give them anywhere near half of a player's login credentials though, and we have built our security based on the knowledge that some players use the same username and even the same password on multiple websites. With the number of compromises of those credentials at other companies in the last few years, the concept that 'username' is something to try and protect is a foolish concept indeed. It's why we have so many other controls in place to make knowledge of the username in and of itself irrelevant. You are right that two of the ways of being 'hacked' are phishing and keyloggers. And these are things that you as a player (indeed, all the players!) can and should control.
There are some very simple ways to protect yourself:
  * Ensure you have a good AV program installed and kept up to date
  * Use a unique password on your email account
  * If possible put a two-factor system around your email account (Two-Step for GMail is the most obvious/easy to get of the solutions out there)
  * Don't visit hacker websites, or for that matter most **** sites - a lot of them have virus attacks included in viewing the pages
  * Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
  * There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!
The maximum length of 16 characters is an EA restriction due to a lot of other systems across EA that cannot handle more than 16 characters still. One day that may change (and I continually push for that work to be completed!), so in the meantime we have many other controls in place to make a shorter password not as important as it otherwise could have been. Being forced to have a shorter password has meant we have placed more controls than we otherwise would have, which is why you don't see thousands of 'my account was hacked' posts on a daily basis. Sometimes being restricted in specific instances on what security we can implement has created better security overall due to the other controls we put in place. That has to be one of the best posts in this entire thread! I would love to care more about people's feelings when it comes to security, however the attackers/hackers out there don't. Not one bit. Personally I do care, but professionally I also have to deal with the attackers, so I have to cater for their level of caring and look at security from the point of view of boring concepts such as logic.
If that focus on preventing zero-feeling attacks has bled over into my answers, then I can only apologize - my ambition is to ensure we continue to keep accounts secure at a reasonable level of cost. That, and nobody likes my idea of requesting a pint of blood for DNA verification every time a player logs in. I actually like people being vocal btw. It helps ensure we haven't missed anything (there are a lot more of you than us working here!), and I can safely say that nobody has brought up a concern with regards to the change to Display Name only that we haven't already planned for or mitigated by ensuring we have other controls in place. I'm just trying to alleviate (or even educate) people with regards to better security, as it is a very complicated subject that most people take for granted without fully understanding. Perceptions based on less than full understanding are something I'm trying to get to perceptions based on better understanding... OK - you caught me. I'm only spending a few minutes on each answer. The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time. Both are true as we have other controls in place which we don't talk about, and from a player's perspective you will never see in action as you aren't trying to 'hack' your own account. Attackers on the other hand trigger the other controls and are dealt with accordingly - that's why those other controls exist to protect your legitimate usage of your account. Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently have been looked at a few times already, and I'm sure it will come up as a topic internally again.
With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite. I too don't answer the questions truthfully! To prevent myself from forgetting the answers though, I keep them locked up in a little program called Password Safe (sourceforge project). There are quite a few similar programs out there such as KeePass, and I highly recommend using one to avoid that 'forgot!' moment. I use a different answer on every site as well, so would never be able to remember the answers if I wanted to... Just never ever use that 'master password' anywhere else! OK, finished with page 39 now...