Phillip_BW
BioWare
Posts: 31

Posts posted by Phillip_BW

  1. Apologies for not getting this posted sooner - we have verified that there is no 'fix' for the application that will allow for the Security Key to continue working through an upgrade to iOS version 7. The application itself does work in iOS7 (tested back in June on the developer beta Apple provided), however something inside the upgrade breaks the keystore being used internally within the phone. Any technical fix would take a longer time to get released (probably weeks), and by then the vast majority of Apple iPhone customers will have already upgraded. Not the best place to be, but that is where we are.

     

    Below is a list of steps you can use to get your Security Key working again if you do upgrade.

     

    If you already upgraded and currently have a broken Security Key application:

    • Upgrade to iOS version 7
    • Uninstall/Delete the SWTOR SK application
    • (Re)Install the SWTOR SK application again
    • Visit swtor.com
    • Do not enter a Security Key Code while logging in - this will show you the page with the link on for the 'Lost your Security Key?' process - follow the process for de-registering your Security Key
    • This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
    • Visit your account page on swtor.com and register the Security Key once more using the registration process

     

    If you are reading this before upgrading:

    • Before upgrading iOS to version 7, visit your account page on swtor.com and disassociate the Security Key
    • This will involve reading an email sent to your verified email address which will let you move on to being able to register a Mobile Security Key once again
    • Upgrade to iOS version 7
    • Uninstall/Delete the SWTOR SK application
    • (Re)Install the SWTOR SK application again
    • Visit your account page on swtor.com and register the Security Key once more using the registration process

     

    If you do get stuck on the steps above, you can call our customer service team who can help, however please do try to use the website processes first as they are there to help you get back to logging in as quickly as possible without having to make a phone call.

  2. Interesting approach there funkiestj.

     

    I thought I was pretty clear that one input action must equal only one action in game, but obviously not - so please find below red X's next to the correct answers.

     

    Enjoy! :jawa_biggrin:

     

    Use case 1

    • keycode to ability bindings (guardian class)
      • 1 - dispatch
      • 2 - guardian slash
      • 3 - strike
    • user presses the '1' key on his device
    • macro system (in response to the '1' key press) sends the keycodes 1, 2, 3 with no significant delay between keycodes
    • ability bound to 2 is cast, no other abilities are cast

    [ ] allowed by ToS

    [X] prohibited by ToS

    [ ] example to clear enough to give a ruling

     

    Use case 2

    • keycode to ability bindings (guardian class)
      • 1 - riposte (off GCD)
      • 2 - guardian slash
      • 3 - strike
    • user presses the '1' key on his device
    • macro system (in response to the '1' key press) sends the keycodes 1, 2, 3 with no significant delay between keycodes
    • ability bound to 1 is cast (off GCD), ability bound to 2 is cast.

    [ ] allowed by ToS

    [X] prohibited by ToS

    [ ] example to clear enough to give a ruling

     

    Use case 3

    • user positions mouse over huttball spawn
    • user presses '1' on his keyboard
    • macro system sends a stream of <right click> events for approximately the next 2 seconds
    • user successfully picks up the huttball (a single action, n'est-ce pas?)

    [ ] allowed by ToS

    [X] prohibited by ToS

    [ ] example to clear enough to give a ruling

     

    Use case 4

    • keycode to ability bindings (guardian class)
      • 1 - riposte (off GCD)
      • 2 - guardian slash
      • 3 - strike
    • user presses the '1' key on his device, macro system sends keycode 1, riposte is executed
    • as quickly as possible (0.011 seconds later?), user presses '1' again, macro system sends keycode 2, guardian slash is not executed because it is on cooldown
    • as quickly as possible (0.011 seconds later?), user presses '1' again, macro system sends keycode 3, strike ability is executed (it is never on cooldown, riposte did not trigger a GCD, it requires no mana)

    [X] allowed by ToS

    [ ] prohibited by ToS

    [ ] example to clear enough to give a ruling

    ----

  3. So a number of people have asked about text macros. A couple of others (even on reddit!) have mentioned 'colour detection to determine which action to take' systems. I even saw a question about sequence clicking... I even saw claims that we can't detect anything and won't do a thing about this issue.

     

    I'll address all four...

     

    Text Macros

    Strictly speaking, text macros are against the ToS. If it's for emotes etc. and isn't being used as a way to advise others of an impending attack in a Warzone (inc snow! for example), then we will turn a blind eye to an extent. If you fire off emotes too many times in quick succession of course then you will get evaluated for whether you are spamming.

     

    One click 'enter chat, type 'inc snow!', hit enter' text macros designed to warn others is completely against the ToS. You need to make a decision - do I take the time to type 'inc snow' to the ops group, or do I just keep fighting this person... Think of it as an evaluation on if you are using a tool that gives you an unfair advantage over somebody not using that same tool.

     

    Colour detection and evaluated action macros

    The very act of determining the colour of a pixel on screen and as a result then using a specific action is one of the easy to understand examples of what we call automation. As soon as you have two things happening based on one key press, then it's against the ToS.

     

    Sequence clicking

    If you have a system set up so that if you hit the same key 4 times like so: '1, 1, 1, 1' and instead of just firing off whatever 1 is bound to it fires off '1, 2, 3, 4', then as long as you keep it to 'one key == one other key hit' it's in that grey area of not true automation. There is a caveat - you can't have the macro determine a minimum time between clicks to work around the global cool down timing and only fire the next button in sequence if the GCD has expired.

     

    If you instead have a system that when you hit 1, it fires off 1, 2, 3, 4 in quick succession or all at once (i.e. one click == many actions) in order to try and fire something that isn't currently in a cool down state then yes, that is against the ToS. Again, one click must always equal one action and only one action within the game.

     

    Detection of abuse

    There are many claims based on guesswork that we can't tell when a person is running automation for systems like field respeccing within seconds. Every time you interact with the server we log either the specific event or an aggregate of similar events firing multiple times. We can (and do!) look through those logs using analytic engines. If you want to know more about the concept, look up 'big data' in google - we strive to make all decisions on making changes to the game based on the data we have, and we have a lot of data.

     

    We also use that data for game forensics - we may not react in a real-time manner for most things, but as people foolish enough to speedhack know, we can and do act based on irrefutable data.

     

    Now, all that said, what are we going to be doing going forwards now that this issue is very much in the limelight?

     

    Expect changes to the ability to field respec in Warzones. We were already working on this as part of some upcoming PvP updates (Bruce detailed some of that this week I believe), and we may bring the field respec changes forward - or we may just keep them where they are so as not to impact the game update schedules and instead update our existing Warzone game forensic reporting to include inhumanly fast field respec events. Either way my advice if you are currently macroing within Warzones is to stop.
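The 'Detection of abuse' section above describes logging each server interaction (or an aggregate of similar events) and then running analytics over those logs to find things like inhumanly fast field respecs. The script below is an added illustration of that idea and is not BioWare's code or log format: the log lines, the `field_respec` event name and the 5-second threshold are all constructed for the example. It parses the sample lines, tracks the last respec per account, and reports any pair of respecs closer together than a human could plausibly manage, alongside a simple per-account aggregate.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real SWTOR logs). One server-side event per
# line: millisecond timestamp, account id, event name, then event-specific fields.
SAMPLE_LOG = """\
2013-03-15T20:01:05.120 acct=1001 event=field_respec spec=tank
2013-03-15T20:01:06.410 acct=1001 event=field_respec spec=heals
2013-03-15T20:01:09.900 acct=1001 event=ability_cast name=guardian_slash
2013-03-15T20:02:00.000 acct=1002 event=field_respec spec=dps
2013-03-15T20:02:45.300 acct=1002 event=field_respec spec=heals
2013-03-15T20:03:10.000 acct=1003 event=field_respec spec=tank
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) acct=(?P<acct>\d+) event=(?P<event>\w+)(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
    return {"ts": ts, "acct": int(m.group("acct")), "event": m.group("event")}


def respec_counts(log_text):
    """Aggregate view: how many field_respec events each account produced."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev["event"] == "field_respec":
            counts[ev["acct"]] += 1
    return dict(counts)


def find_fast_respecs(log_text, min_gap_seconds=5.0):
    """Return {account: [gap_seconds, ...]} for consecutive field_respec events
    that are closer together than min_gap_seconds. The threshold is an assumed
    value for the example; a real rule would be tuned from observed human timings."""
    last_respec = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "field_respec":
            continue
        prev = last_respec.get(ev["acct"])
        if prev is not None:
            gap = (ev["ts"] - prev).total_seconds()
            if gap < min_gap_seconds:
                hits[ev["acct"]].append(round(gap, 3))
        last_respec[ev["acct"]] = ev["ts"]
    return dict(hits)


if __name__ == "__main__":
    print("respecs per account:", respec_counts(SAMPLE_LOG))
    print("suspiciously fast respecs:", find_fast_respecs(SAMPLE_LOG))
```

Account 1001 respecs twice 1.29 seconds apart and is flagged; account 1002 waits 45 seconds between respecs and is not. Raising the threshold (say to 60 seconds) would catch 1002 too, which is why such a rule belongs in forensic reporting for a human to review rather than in an automatic ban.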

  4. Hey guys I had a question, and hopefully a developer can chime in as well. There is a guild on my server, who shall go unnamed, that uses macros in warzones both regs and rateds in order to respec in literally 3-4 seconds, speed click the huttball on the pit, and other things. I was under the impression this wasn't in compliance with the TOS, but one of the members linked a message where he interpreted Bioware saying it's ok for quality of life to mean he can do these things in pvp. Obviously this gives them huge advantages in warzones. Doesn't matter how many people you have at mid if one of them is there they will always grab the ball, and as I said, and did not exaggerate, they can switch between dps and heals, or tank and dps within a matter of 3-4 seconds while walking through a warzone.

     

    So basically, is this against TOS or is it ok to do these things? One of the reasons we are hesitant to do rateds with them is because of the huge advantage this brings, and we don't want to do it as well to simply end up banned, just for the sake of being on equal footing. So please let me know, and if a Bioware employee could shed some light on it I would greatly appreciate it.

     

    Chiming in....

     

    I'll be as clear as I can be.

     

    Automation of the game in any way is against the ToS. This includes macro'ing in order to respec during Warzone matches.

     

    Remapping keys on a keyboard (or Nostromo or Logitech) device so that one key press == one click or ability cast within the game is fine. Using a programmable keyboard or software macro so that one key press == multiple clicks or ability casts in the game is not.

     

    Hopefully that doesn't leave room for 'interpretation'. If it does, ask a binary question and I'll give a yes/no :jawa_wink:

  5. Speedhacking is a real thing. So are suspensions and bans...

     

    We treat each report of speedhacking seriously and by using game data we cull speed hackers from the game as they are detected. We have some awesome game engineers who have provided our Terms of Service team with a great set of tools to help in this area. These tools of course are not fool-proof, and while we do have to constantly develop our tools to keep up with 'bad' player ingenuity, we do catch up with people eventually if they do manage to avoid being detected in the first instance.

     

    Speedhacking and other exploits are bad. We will action any type of account including subscribers, so for those inclined to speedhack, please take that into account before giving into temptation.

     

    We also get a number of player reports when speedhackers come into game. A lot of these sadly are misunderstandings of other class abilities, but occasionally we do get a great report and we do take appropriate action. We don't have a 'name and shame' policy and as such will only ever say appropriate action will be taken if warranted.

     

    In case it isn't well known, it's best not to post speedhackers' character names and/or YouTube links in the forums - we also have a strict set of rules here as well as to what cannot be posted.

     

    The right thing to do if you see somebody speedhacking is to submit an in-game ticket by clicking the '?' and reporting harassment and in the text area typing in a short description of what occurred and when (including time-zone!). If you do fraps something and publish it, please only put that link in the ticket, and never in the forums. I don't want good people actioned for accidentally breaking a completely different section of the ToS when they have good intent :jawa_smile:

     

    I appreciate everybody (including myself) would love to see a speedhacker actioned within minutes of being reported. It will take us hours or even occasionally days to get each confirmed reported account actioned appropriately (we do err on the side of caution as you should expect us to), so please bear with us while we work through our process.

  6. Apologies for the delays we have had in getting the Physical Security Key made available once more within Europe. What I'm sure looks like an 'easy' thing to do is actually quite complicated internally. While the keys have been available in the Origin Store for the last couple of weeks, they were put up with prices that were different to what was advertised on the SWTOR website. You will be happy to hear that the prices agreed on are the lower of the two, and not the larger of the two :jawa_wink:

     

    I'm happy to announce that for most of Europe, the Physical Security Key is once more available.

     

    For the rest of Europe we are still working on making the Physical Security Key available once more in the following countries:

    • Czech Republic
    • Germany
    • Poland
    • Switzerland

    As soon as I have an update on these countries I will be posting another update.

     

    As each link is country specific for finding the key within the Origin Store, and as we can't guarantee that the links won't change over time, the easiest way to find the item in the store is to open the Origin Store in a browser ( http://store.origin.com ) and in the upper right-corner, type "Star Wars Physical Security Key" in the search box.

  7. I hadn't given an update that the Physical Security Key is available again in the EU Origin Store just yet as we are still working with our partners in Europe on the pricing due to the mismatch which is causing confusion. As soon as we sort out what the pricing is, I'm sure we will post an update.

  8. A quick update today the 22nd of April.

     

    After diagnosing a couple of places where the slowdown of outbound OTP emails became evident on the 13th April, the teams have written and implemented another hotfix in addition to increasing the amount of infrastructure handling the outbound emails. We will of course be monitoring the situation carefully as usual to see how effective this latest change is. And to think my original post that started this thread was based on data that ended on 12th April! I'm still kicking myself over that! As usual with these things, timing is everything...

     

    As mentioned previously there are also some other pieces of work I've called out which are still being worked on, so expect more news as those progress.

  9. They've said before that devs play on the same servers as everyone else. They are however not allowed to tell players that they are devs, so it is true that some are in guilds and no one knows who they are.

     

    That was the answer we were looking for. :jawa_wink:

     

    The majority of the studio play on the 'official' servers on pretty much a daily basis. We aren't allowed to say what our character names are or even that we work here to our guild-mates, but we do play... Some of us more than others of course!

     

    We even have mini competitions between ourselves to see who can play the most of the most things.

  10. A few responses...

    So if I have the security key app on my phone (which I was discouraged to use by a Bioware customer service representative), I don't have to wait for an email?

    The Security Key entry means that you will not be sent an OTP message at any time unless you are trying to remove the Security Key from your account. While I've seen a number of people try to say that we are wanting to force people into using a Security Key, that is not correct - we are making changes to alleviate the issues for the people affected by the issues being talked about on the forums as it was never the plan to force people to use a Security Key on their account.

    I'm also not sure how long ago you had a CS agent discourage you to use the Mobile Security Key. The application is working well (apart from an Android glitch with font colours which can be fixed by going to the main menu in the app and back in to the code page again), and it does prevent the OTP message being required for normal authentication. We have also implemented a self-service system for lost/remove/replace scenarios which means you no longer have to call CS to fix a Security Key issue.

    I really wish you would switch to time-based One-time Passwords according to RFC 6238.

     

    Then we could use apps like the Google Authenticator (and many others) which is available for iPhone, Android and Blackberry for free instead of having to install yet another app for authentication.

    I have this on my list of 'nice to have' and one day we may get there. No promises though as the cost associated with our Security Key implementation (the time-based system we already have) was covered a couple of years ago.

    And I'll just add this in again...

     

    Please create a mobile security key for Windows Phone (7/8) so we don't have to carry around the keychain fob thingy.

    I don't mind you asking again - I'm still asking for it myself! Still no news on if or when this might happen.

    The SW:TOR website says Physical Security Keys are out-of-stock, so I can't buy one from you guys until they are back in stock. When will this be?

    If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

    First of all, Thank you Bioware for the reply. I have to say though, that I have a feeling there's something you're not telling us: why is it that difficult to simply remove this feature? No need to worry about making sure emails are sent on time, etc. Simply removing the one time password and bringing back the security questions shouldn't be that difficult, right?

    Simply removing the OTP system also means we would be removing the self-service for Security Key system, forcing people to have to call CS once more when they had a Security Key issue. That was a constant source of new threads before we launched the self-service options, and I don't think we want to go back there....

    While the number of posts on this topic indicates there are some issues, you have to remember that people without the issue are not posting as they don't have a reason to (unless they are bored and actually read these posts). While we are working on solving the issues people are posting about, you have to keep in mind that the vast majority (and I do mean vast!) are not having the issues people are posting about.

    Don't get me wrong here - I'm not trying to say there is not a problem or that we are trying to dismiss the issues. Reality is very much the opposite when it comes to the seriousness that we are taking on ensuring all players can log in to the game when and where they want to as quickly as possible without also creating an account take over issue.

    The mail headers I see are interesting. The mail appears to come from Dynect (216.146.40.12) who I guess you are using as a mail service. The mail headers indicate ~1 second from there to my mailbox. It usually arrives too late for me to use the OTP. I will be very glad to see the time limit increase, but I'd also recommend you look at the process between the OTP generation and Dynect sending the mail. It varies greatly in performance. Sometimes it can take seconds, other times it can take 10-15 minutes repeatably.

    You are spot on with both sides of this. We are using Dynect as our outbound mail service, and we have identified that there is sometimes a delay here as well. I've been monitoring the times between the generation of the OTP, the mail hitting Dynect, the mail successfully being delivered and then the next attempt at authentication using the code. We have identified a couple of places that might cause the slow-down when it does happen (my original analysis didn't cover a time period where we had internal delays at all and I was covering an entire week) and there are teams working on hotfixes already. I don't have an ETA and will update once I do. Given the impact not getting the email on time has we are not ignoring this issue at all.

    Why is there no discussion of an option to opt out of two way authentication? Clearly, some value the extra security. Clearly, some are experiencing frustration with the barriers two way authentication presents in logging into the game. If I were offered the option of having password only login under the 'scary' condition that I would receive no support from customer service if my account was hacked and resulted in the loss of virtual items, I would gladly take it. Two way authentication is a resource burden for SWTOR -- having the option to not use it is a win for the service provider and a win for customer satisfaction.

    Regardless of the protestations otherwise, if we did allow people to choose their own level of security, and then they did have their account taken over by an attacker while set to the minimum (no password for the win right?), they would still expect their account to be restored to its original glory. Choice is all well and fine right up until a compromise happens, especially if you just lost multiple level 55's. Sadly there are a number of groups attacking MMO's for a multitude of reasons, and we have a duty to protect players accounts from their attacks. To counter some of the more advanced attacks, we have to provide advanced security as mitigation. To even consider providing some of the self-service options, we have had to move to the OTP model.

    TL;DR: Personal preference on levels of security of your SWTOR account is not an option.

    I run firefox and, in general, I do not like cookies. I put an exception for "www.swtor.com" and that does not help. I have third party cookies disabled, first party enabled. Still no love. I don't know what to do here. I am not going to simply enable all cookies just so that I don't have to jump through these hoops every time. Instead, I will just minimize the number of times I post on these forums. But this time, I logged in specifically to say how much I hate, with a fiery passion, the million time password system.

     

    EDIT: By the way, for anyone who is into Dilbert comic strips, this OTP system very much makes me think of Mordac the preventer of information services. Mordac is their IT guy and he takes a special pleasure in making it impossible for users to do anything. This OTP system is, in my opinion, so over the top in terms of security that it is most definitely something that Mordac would be in favor of.

    I mentioned you can allow 'swtor.com' as we use multiple sub-domains for the cookies. I don't want to say the sub-domain needed is 'account.swtor.com' even though I think that is the right specific sub-domain to allow, as I'm not 100% on which cookies are associated with which sub-domain of swtor.com. Allowing 'swtor.com' should allow all sub-domains, so being specific with the www at the front could stop the right cookies from being stored. Apologies for the confusion there.

     

    As for Mordac, I've been called worse, but usually as a joke given security related roles are hardly ever seen as ones where positive news is given out... :jawa_wink: IMO Mordac would go for the 'pint of blood needed to log in' approach. OTP in the end doesn't actually prevent information services.

    Is any work going to be done as far as making sure that the mobile security key is compatible with more android cell phones? I have a galaxy s2 and it doesn't work. I would love to use it but I can't. :(

    We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

    Cool.

     

    Are you able to share any specifics? Is it the same setting for everyone?

    We protect all accounts in the same way, so yes, this setting change applies to everybody who is receiving OTP emails.

     

     

    As I get more updates on other work we have ongoing I'll be sure to post - I'll see if I can get more answers to questions posted again in the next couple of days if I have time...

  11. Now that things have settled in a bit since the changes we made with the authentication system, and also now that Rise of the Hutt Cartel is launched, I thought it best that we update you on some upcoming pieces of work we have around the One-Time-Password (OTP) system. No ducks involved!

     

    We have a number of topics that need addressing (in no particular order - they are all equally important!):

    • OTP messages sometimes expire before they can be used
    • IP address changes are very annoying
    • Deleting cookies in a browser forces a new OTP every time
    • Mobile Security Keys are only available to Subscribers
    • Physical Security Keys are still out of stock in Europe

     

    OTP messages sometimes expire before they can be used

    There are quite a few reasons why there can be a delay in the email getting delivered in time, and not all of them on the SWTOR side of the fence. While we all expect email to instantaneously arrive, this is not always the case, and as a result we are changing how quickly the OTP code expires before it can be used successfully.

     

    Now the expiry isn't being changed dramatically (we are adding a number of minutes, not hours). But it is being increased based on analysis of the data we are seeing around when an OTP is sent, and how quickly those players affected by a delay in getting their email are able to attempt to enter in the OTP code. Needless to say the vast majority of the edge-cases are being catered for without dramatically reducing the security aspects associated with the expiry of the OTP message itself.

    I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.

     

    • A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. The bulk of the forum threads I have seen and researched are affected by this anti-spam system
    • Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher
    • The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards aren't something we have visibility into

    When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again.

    ETA: Within the next 7 days. If we can get away with a rolling hotfix to cover all the various servers involved we will, otherwise we will have to wait till next Tuesday's maintenance. This isn't a guarantee, and things are looking good for 7 days being the maximum, and not the minimum time for this change to be deployed.

     

    IP address changes are very annoying

    I have to wholeheartedly agree that having to enter a new OTP every time the IP changes is very annoying. We actually have pieces of the long-term fix already deployed, and the delay in being able to implement the additional pieces to reduce the IP check's importance in our weighting of the various controls in place is two-fold.

     

    Firstly we have to prioritize this work alongside other clearly important pieces of work. Delaying work needed for the release of Rise of the Hutt Cartel for example was discussed and understandably getting the expansion out on time took precedence.

    Secondly, we have limited resources. As much as it would be nice if we could have lots more people on each of the teams involved in making the required changes, we are running a business...

     

    I can't give an ETA on when we will have the remaining pieces of work completed. I know it's not what people want to hear, but as soon as we have an ETA for this, I will post a better timeframe for the change to be deployed.

     

    Deleting cookies in a browser forces a new OTP every time

    This is specific to using a web browser and our website. The game launcher is not affected by this behaviour.

     

    There is a very small number of people that are using what Chrome calls 'Incognito' browsing, AKA 'Private' in Firefox. This is where no browser cookies are available or persist. There are also settings within browsers for turning off cookies for all sites as a blanket setting.

     

    I realize that this provides some level of protection from browsing activity being associated and cross-referenced by ad agencies and the like, however this has a side effect for SWTOR - we rely on the presence of a web cookie as one of the many security checks we have in place to identify a machine. This is primarily due to ensuring security is maintained where a number of players share the same Internet connection - University networks, progressive companies that allow people to play SWTOR from work as well as Internet Cafe's or shared Wi-Fi hotspots. The cookie is not the only check we have in place, but it is treated with a high enough weight behind it that if it is not present, there will be an OTP sent.

     

    So, that leaves us with a few ways to not get prompted each and every time:

    • Enable cookies for specific sites, and include SWTOR (usually swtor.com, but also sometimes starwarstheoldrepublic.com)
    • Enable cookies for 'all the sites', and use plugins such as NoScript and Ghostery to stop 3rd party cookies that aren't site specific (this is my personal approach, and that is the only reason I mention it)
    • Use a Mobile or Physical Security Key. I mention this not because we are trying to get everybody to use a Security Key (the OTP is also a form of dual-factor security so in the end everybody has increased security), but because it is one of the ways of avoiding having to be sent an OTP every time

    ETA: up to you as the person affected and which way you want to go. Or not at all if you don't mind the OTP message every time you log in.

    A side note on the Mobile Security Key topic - I have seen some people recommend using a mobile phone emulator and using the Mobile Security Key application that way, and while this technically works, it does break one of the reasons the Security Key is considered dual-factor in that your username, password and security key generator are all on the same machine. Putting the emulator on a separate machine would be more sensible, but we do not support the Mobile Security Key application if it is used within an emulator.

     

    Mobile Security Keys are only available to Subscribers

    This was a decision made before we launched the new Free to Play model SWTOR now works within. There is a substantial cost we absorb by providing the Mobile Security Key solution (even ignoring the 100 cartel coins per month you get as a side-benefit), and until we could provide a self-service model for losing or replacing a Mobile Security Key, we could not consider providing it to everybody.

     

    We are currently looking at providing the Mobile Security Key additionally to 'Preferred' status players as an authentication option in addition to Subscribers. The idea is that once you put a real dollar value against your account in the form of cartel coin purchases or even a subscription, we will acknowledge that trust in us as a studio and at that point provide the option to you as a player.

     

    ETA: I don't have definite approval or even an estimated date for when this can go live, so I'm going out on a limb here and telling you far earlier in the process than we would normally do so. I blame Eric, Courtney and Amber for leading the way here and ruining my natural desire to be secretive. :jawa_wink:

     

    Physical Security Keys are still out of stock in Europe

    We are almost there with the logistics surrounding getting the Physical Security Key made available within Europe again. I'm expecting to have news on their availability back in the store sometime in the next couple of weeks.

     

    There is an ongoing internal issue with getting the Physical Security Key made available for Germany, Poland, Switzerland and the Czech Republic. I totally understand that the majority of the ISPs in Europe that require an IP change on a daily basis are located in Europe and you can be sure that we have the SWTOR Executives helping prioritize that issue internally to ensure we get the keys made available as soon as is possible.

     

    I will try to answer any questions as soon as I see them when time permits. I apologize in advance if helping organize all the above (in addition to my 'normal' job!) means I don't post quite as often as you might desire...

  12. Wow. I thought they were tracking IP addresses. I don't know what to say now.

     

    We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things.

     

    People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

     

    We are working on seeing what we can do for the players affected by ISPs that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

  13. Then how come I have to get that code of yours EVERY time I log out of the forum and want to log back in? I just tried it - and I have the same IP now as I had before I logged out, and even so I still had to get the code. Why?

     

    EDIT: And FYI, being forced to spend around 28h per year just logging into my email if I wanna make 5 separate posts on your forum each day, that's not an inconvenience - it's insane.

    I've been looking into this, and while your game authentications (10+ times logged in) are working as expected without you getting prompted for an OTP, you are indeed getting prompted too often when logging on to the website.

     

    From what we are seeing in the logs, it appears you are using 'incognito' mode, or disallowing cookies to be saved within the browser. This could be something you have done on purpose to stop being tracked by ad trackers (I do something similar using a NoScript addon in conjunction with a Ghostery addon), or something an addon in your browser is doing for you without you realizing.

     

    Either way, stopping cookies from being able to be saved for the SWTOR website will mean that you get prompted every time you open the browser and go to the website.

     

    You could use a different browser that hasn't been customized as a test (log in once to create cookie, close browser and go to SWTOR again to see if you get prompted again). I'd be interested in the results.

  14. The problem is that the physical security key fobs are out of stock from the official site, and there has been no official word (to my knowledge) on when they will become available again. And not everyone has an Android or Apple device.

    There is an official word on this...

     

    We are in the process of restocking the European Origin Store with the Physical Security Key, and as soon as I have an exact date I will post it.

     

    For answers around the changes made on the 2nd with regards to Display Name, OTP and Self Service options, please check the following two threads:

    Second announcement I recommend reading through as it has 'moar things' explained:

    http://www.swtor.com/community/showthread.php?t=612230

     

    Current thread we want new questions to go into:

    http://www.swtor.com/community/showthread.php?t=618148

  15. I thought I'd pop into this older thread and request people post on the 'new' thread.

     

    I'd also recommend reading through the posts I made in the second iteration of the 'upcoming information' thread.

     

    Second iteration I recommend reading through as it has 'moar things' explained:

    http://www.swtor.com/community/showthread.php?t=612230

     

    Current thread we want new questions to go into:

    http://www.swtor.com/community/showthread.php?t=618148

  16. For all those posting about the game crash, it looks like I need to be a bit clearer on 'authentication' vs Launcher and Game crashes:

     

    If you get to the point where you can click 'Play' in the Launcher, you are past 'logging in' and have moved into loading the game client. The changes we made to authentication (Display Name only, OTP, Self Service) have nothing to do with those game crashes.

     

    If you can't get to the point where you can type in your authentication credentials and click the Login button, then you have an issue with the Launcher itself. The changes we made to authentication were back-end changes, and while other pieces were also modified on the 2nd, those weren't to do with the Display Name, OTP and Self Service features.

     

    There are other threads (mainly in the Customer Service forum area) about those issues if you have them, and please move questions about the game client issue over there - I won't respond to them as I'm not involved. I do wish I could help, but my expertise is elsewhere.

     

    I'm also only answering new questions about authentication that haven't already been answered in this or previous threads. Those threads are:

    http://www.swtor.com/community/showthread.php?p=5954106

    http://www.swtor.com/community/showthread.php?t=612230

     

    But you DID say Subscribers will be getting those pets too, right?

    Actually that wasn't me specifically - I think that may be the case, and I hope so, as I too collect the pets. I'm not involved in that side of things though, so don't know for sure.

     

    Trying to bring this back onto the topic of new authentication method and problems associated with it (black screens and crashes are being solved elsewhere, really guys). Some reply from Philip_BW or some other responsible "yellow" would be great.

     

    It seems that people without security keys and with ISPs that rotate dynamic IPs like crazy are the most affected by this problem.

    -

    I am assuming that the One Time Password occurs only when the launcher does not recognize your current IP. This creates a problem with Dynamic IPs, as mentioned above. If I am mistaken, please discount the suggestion.

    -

    Given the apparent problems this otherwise great security upgrade caused, are there any plans to maybe make the check for MAC address instead of IP address? If I understand the system correctly, it would solve the problem of the launcher not recognizing the current machine, and using One-Time Password would add the current machine to a "verified" list.

    The change in IP addresses by certain ISPs is a great inconvenience for those that use those ISPs. We totally understand that. The problem we face is that we have to take into account a lot more than just changing IP addresses, and have to set the level of security around 'all the players'. This means that some (in this case people that use changing IP ISPs) are going to be inconvenienced more than others. We also have to consider what attacks can be run against the system, and ignoring IP and changing to MAC address instead would actually open up quite a few attack vectors which you don't want us to allow. In reality we pay attention to a lot more than just the IP address, but that's a different conversation which I won't go into detail on 'for security reasons'.

     

    Authentication is one of the most complex systems we have as we try to balance security with user inconvenience. In the end to have adequate security, some inconvenience is required. Believe me, if we could trust everybody to stick to their own account and just have people log in with an auto-saved username, we would. Reality is that there are a few 'bad' people out there that mean we have to treat authentication seriously. And we do.

     

    To alleviate the problem we do have two options on our side:

    For subscribers, there is the option to use the Mobile Security Key (and ex-subscribers can continue to use it after they stop subscribing up until they remove the Security Key from their account). This will mean you do not get an email every time your IP changes, and instead have to type in the Mobile Security Key Code.

    For all players, there is the option to buy the Physical Security Key to achieve the same thing. Yes, I totally understand the Physical Security Key is currently out of stock in Europe, and we are working diligently with the European Origin Store staff to get that restocked ASAP. I have a tentative date for sometime in the next few weeks, but I'm not going to say exactly when until they confirm that date to the point where I feel comfortable posting it. I do not want to give false hope there!

  17. Just a question... are logins now also linked to Origin accounts in a different manner? I suddenly had a pet for BF P4F; I haven't done anything with that account in ages.

    The link to Origin hasn't changed at all - there is a promotion happening across some other EA games that you must have hit the criteria for, which meant that you have been sent the pet. I'm jealous, I don't have the pet myself!

     

    Well there's one less step for the hackers to deal with. Stupid idea imo.:mad:

    This question (and others) are covered in my post from a couple of weeks ago: http://www.swtor.com/community/showthread.php?t=612230

     

    Anyone having trouble with their game crashing as soon as it's about to hit the character screen? It's been doing this all morning and I'm not sure if it's happening for anyone else.

    The game crashing bugs are covered in other threads - please keep this thread specific to the authentication changes.

  18. More answers to new questions...

    Is there any plan to allow the saved locations to apply to the Security Key?

     

    i.e. after you've logged in with the Security Key at a particular location, you no longer need to use it at that location (at least for the day/week/month etc)

    We have discussed this option internally a few times, and the current thinking is we will let the change on April 2nd settle in before making further changes to how the Security Key itself works. Technically it's possible, but we wouldn't want people to forget to take the key with them if they are intending to play - the reasons behind our system thinking you might be playing from a 'new' location are complicated to say the least and it could prompt when least expected...

     

    NOOOOO, keep the duck reference.

     

    Plus ducks are Star Wars oriented...

    starwars.wikia.com/wiki/Duck

    Thanks for the reference - TIL Ducks are a SWTOR thing too :jawa_biggrin:

     

    Hi Phillip, in response to this, is anything being done to make Physical Security Keys available to European customers?

     

    Currently, the only way to obtain one was via the Collectors Edition, which are now very rare. The European version of the Origin store does not sell them, and we can not purchase them from the US version.

     

    Yes, we have the Android/iOS versions, but these are buggy to say the least. I have had to have mine removed so many times that I am now running without it. The calls to CS can take anywhere between 5-90 minutes. Many other people have to have theirs removed also.

     

    So yeh, can we expect Bioware to do anything in order to get Origin EU selling the physical keys, or are we SOOL?

    I've mentioned this a few times - we are working on getting the physical security keys made available in Europe and as soon as I have a better estimate on the date other than 'soon', I'll be sure to post.

     

    This sounds so "fail" to me! Why not fix server stability first and log in screens last?

    My team does not work on the servers. There are many teams here, and we all have different abilities and jobs and my team is in no way qualified or tasked with working on the servers...

     

    It's a nice attempt at trying to calm people, but we never asked for or wanted this "Bonus" in the first place.

    I've seen a lot of players ask for self-help service for Security Key. Without these changes we would not be able to provide the service with the same level of security, so in order to make self-service possible, we had to change other aspects as a result. So yes, people did actually ask for something that was a key consideration in making this change happen :jawa_wink:

     

    Why is this no longer a sticky? Does this mean questions will no longer be answered here?

    Not all posts stay sticky forever. Not all posts get answers. This post will continue to get answers even if it isn't sticky - if I post a brand new thread I might stop reading this one at that time though... It's possible we will re-sticky this post soon as well given the change is going live in a few days time.

     

    Could you confirm that SWTOR is Linked to the Origin Account?

    Confirmed.

     

    Can you go into further detail on said features?

     

     

    Like, how do they work? Would one allow me to remove the key, but first I have to input my correct password and answer all my security questions along with an email confirmation? :rak_02:

    You are tempting my 'wall of text' responses to get longer :jawa_wink:

    Self-service for Lost my Security Key: This will require you to have access to your email as proof of ownership of your account - this is tied in to why we are removing the link between your login and the email address.

    Self-service for Remove my Security Key: Similar in that we want to make sure you can still log in afterwards by making sure (while your Security Key is still active) that you can still receive emails.

    Self-service for Move my Security Key: No emails required - you will literally move between two devices and stay at the same level of security the entire time.

     

    This will all make much more sense when you see the 'wizard' style dialogs our web team have created for the different options.

  19. Initial answers below!

    For those of you wondering why MrYellowDuck surfaced, you will find there was a theme hiding in the answers to the original posts a couple of weeks ago when I mentioned I was lining up some ducks. It was meant as a bit of humour in what is otherwise a very boring topic, so please don't get too side tracked by MrYellowDuck himself...

     

    So every time I have to answer a security question now, I will have to check my email and copy-paste a code?

    That is a major annoyance for me, as every time I restart my PC the game and the website ask for a security question.

    Please tell me that that is not true!

    One of the aspects of the current (pre-April 2nd) implementation is that it is possible to get in to a state where you are asked a Security Question every time you log in. The changes on April 2nd will eliminate that state, and from April 2nd onwards you will only be prompted if we detect a change that warrants revalidation.

    I won't go into detail on all the aspects that we use to determine a change has occurred other than to say IP address is indeed one of the aspects. I realise that will be very annoying for those people with an ISP that changes out IP addresses on a regular basis, but that frequency of being asked for an Email Security Code based on just IP address change will not change from how often it does get asked today. As a number of people have pointed out the solution there would be to get a Security Key which, while it does ask you every time you want to log in, does not have the small delay in waiting for an email to arrive.

    The frequency you are describing does appear to be the state issue I originally described however, and that will stop happening going forwards.

     

    This leaves two questions open for me:

     

    1. How do you determine "changed location"? Before I got an authenticator, I was prompted for my security question every day I logged in, simply because my ISP hands me a different IP every day. The chance that I will ever reuse the same IP is very low, even though I am always using the same computer. I would obviously not be pleased if I had to wait for a mail and enter some security code every single day in the future. Or is this security measure void if there is an authenticator used?

     

    2. Since this information is obviously important enough that the security chief does post himself, how long will it take to get this information translated into the two other languages that this forum supports? (This time it is not "just before the weekend")

     

    Oh and on a side note... Maybe I am just not getting the joke or it is lost in translation, but if I were making fun of customers who are wary about security issues by comparing them with a hysterical duck, my boss would likely lock me up in the company's basement and deny me any access to public channels... and he would do right.

    Yes, if you have a Security Key, that trumps everything else and you will not have to additionally enter an Email Security Code. ISPs that change IP address every day on their customers were taken into consideration, but sadly we can't eliminate the IP address out of the equation and still stay at a reasonable level of security within the authentication process.

    For the direct question on how we determined changed location, there are many factors taken into account, and this is one of those pieces where it isn't quite straightforward to figure out for an attacker. So I'll leave the attackers with work to do...

    For the side note, I'm anything but making fun of customers - my intent was to make fun of a fictitious yellow duck as an attempt to bring a bit of humour into what is otherwise a very boring topic. That and continue a theme from the previous answers to the thread from a couple of weeks ago. No offense intended!

     

    This apparently is an issue many players will have, so I'm really hoping for some reasonable reply (meaning not "I'm sorry but you'll have to suck it up and deal with email or authenticator").

     

     

    Also.

     

    Oh, come on, everyone should have at least one 'unsafe' email for such things.

    Sadly the answer is not what you wanted to hear. :jawa_frown: There is a certain point where keeping security at an acceptable level has to outweigh the inconvenience - if that were not the case, we would gladly do away with passwords and their ilk without a second thought! There are bad people out there that would love to take over other people's accounts - and our authentication system (and all its complexities) is what stops them.

    I do have many unsafe email addresses - I'm not actually asking for donations though, so no email address should be given :jawa_smile:

     

    Is there anything being developed that will merge multiple licenses into one account?

     

    The names I had to select for the other accounts aren't necessarily as easy to remember.

    Our system is not designed that way - currently an 'account' is directly related to a set of characters, and there are no plans to have yet another layer of (master?) account that links several accounts together.

     

    Do you know where Security Keys are for sale in the EU and/or generally outside of the US? As far as I'm aware, Security Keys are not currently for sale outside of the US.

     

    Perhaps Mr. Philip_BW could help with this?

    We are working on getting the Security Key back in stock within EU as quickly as we can - I'm in constant contact with the people who run the EU side of the Origin Store where the keys are sold, and as soon as I have a better date than 'soon' I'll be sure to get a post up.

     

    Considering how many people asked pretty much the same question in various different guises of language, the use of Mr. YellowDuck was warranted. Yellow ducks are adorable, but real ducks are the most terrifying things to behold. Would you have rather he used "Generic SWTOR Player #7789"?

     

    *peck*

     

    Maybe Mr. Phillip_BW talks to his yellow bathtub duck a lot, to share his security ideas and secrets.

    It was more of a theme based on my previous comments about getting ducks lined up - I don't actually have a bathtub duck, but am now thinking of getting one!

     

    This made me literally laugh out loud. I'd not seen that link before, but it was well worth the read! Thanks! :jawa_biggrin: It's the reason I'm thinking of getting a rubber duck now...

     

    My question is this:

     

    What's with everything being duck related?

     

    Shouldn't you be getting all your Jawas in a row? :jawa_wink:

     

    I've never seen a duck round these parts till you showed up.

    I'd have had to go with 'droid references and single-file banthas, and it wouldn't have made as much sense. I'll try to pick something more Star Wars oriented for next time perhaps.

     

     

    I bet that name is now taken in game if it wasn't already.

    I've no idea if the name is taken in-game as a character. If it is, it's nothing to do with BioWare. I did however register the account name while writing up the post, so the only MrYellowDuck posts you might see will be mine...

     

    My brother has that problem, too. He needs to answer the security question every single time he logs in, even when he does it from the same PC. According to phone support, some accounts are bugged that way and need to answer the question every time and "they are working on it". He was told that back in June, though. Hopefully that won't mean the people that suffer from that bug will get spammed by these new security question e-mails every single time he logs into the game or forums.

    Yes - the bug referenced will be fixed as part of this implementation on April 2nd. It didn't affect many players, but it sure is annoying for them and I'm all for a better login experience (as long as it stays secure!).

  20. *** Some text changes below to indicate finalized wording used on the website and dates ***

     

    On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well.

     


     

    On April 2nd, the following changes are going live:

    1. Display Name only login
    2. One-Time Password (via email) replacing Security Questions and Answers during Authentication
    3. Self-service for Forgot my Display Name
    4. Self-service for Lost my Security Key
    5. Self-service for Remove my Security Key
    6. Self-service for Move my Security Key

     

    As a result of the original announcement of the initial overall change, there were a lot of questions raised. I'm going to try and give as much detail as I can here to try and answer any questions you might otherwise have, and that way we can focus on anything missed.

     

    Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them...

     

    Why can't we use our email address? It's awesome! Quack! All the best companies use email address as username!

    Lots of companies do use email address as the username. Lots don't. Both approaches have risks as well as rewards. One of the key risks for using email address is that an attacker who gets a valid email address and password will then know for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.

     

    This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.

     

    Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.

     

    Using Display Name is insane! I will be hacked! *ruffle feathers* You have given the bad guys my username! Half the battle is now lost! I'm 50% less secure!

    OK, that wasn't a question. Let's just presume you are actually asking if using the publicly visible Display Name increases the chance you will be hacked...

     

    We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account.

     

    Let's look at the different pieces needed to successfully log in today:

    1. Display Name or Email Address
    2. Password
    3. Security Key or Authorized Location
    4. Non-Authorized Location via Security Question and Answer

     

    Then let's look at the different pieces needed to successfully log in from April 2nd onwards:

    1. Display Name
    2. Password
    3. Security Key or Authorized Location
      1. Non-Authorized Location via One-Time Password (via email)
      2. Access to your Email Account

     

    From the get-go, we have never considered the username to be 'hidden' or 'secret'. It never factored into our security model as something to secure, as we have worked on the basis that the attacker already knows it. This is also why we have not provided a self-service system for Security Keys: as the email address is easy (for an attacker) to associate with a SWTOR account, we have had to presume they will phish or attack the email account itself. De-linking the email account means that an attacker who knows the username has no knowledge of who to phish or attack. This means they continue to be unable to take over your account.

     

    There are hundreds of millions of known username/password data rows available on the Internet. Well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance as one of the posts on the previous thread indicated.

     

    So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already.

     

    That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today :jawa_smile:

     

    I don't want my Display Name to be public! I disagree with everything you are saying!

     

    We are working on a new 'Forum Display Name' capability so that people will at some point in the future be able to change the name used on the forums. Which way we go about that (choose a character name? let you write whatever you want?) is still being decided and that will impact the amount of work required and therefore the 'when'.

     

    This is not something that is planned for April 2nd.

     

    It is also not something that can be easily implemented in a matter of minutes. Regardless of whether the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out.

     

    What is this 'One-Time Password' you speak of?

     

    We will send you a 'One-Time Password', via email, whenever we determine you are attempting to log on from a non-authorized location. This is similar to how we prompt for the Security Questions and Answers today, except instead of having to remember an Answer, you will be provided it via email instead.

     

    With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address.

     

    By changing to a One-Time Password system, this actually decreases the chance an attacker would be able to guess the correct 'answer', as not only will the One-Time Password be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new password is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/).

     

    If anybody ever does actually guess the One-Time Password, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. Far, far more chance...

     

    Your new system will allow anybody to lock me out! *peck!* This is pathetic!

     

    No. No it will not.

     

    As soon as we detect an attempt to log in from a new 'location', we prompt that location for a One-Time Password which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Locations in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves using the One-Time Password. Once the person with access to the Email Account validates using a One-Time Password, from that point forward you will be able to log in from that new Authorized Location and as a result there is no point where an attacker can actually lock you out.

     

    You don't know what you are doing! You will break my Origin account with all my EA games! I won't be able to log on there with my email address any more!

     

    Actually the Origin authentication system is not changing as a result of the changes within SWTOR. You will still be able to log in to Origin with either your email address or your Origin Display Name. In the background we will still update your Origin password if you change your password on the SWTOR website.

     

    But what about my current location? Will I need to be sent a One-Time Password on April 2nd along with everybody else???

     

    Rather than force everybody to get revalidated, we will be grandfathering in existing approved locations, which are based on the existing Security Questions and Answers. If you have a Security Key, that functionality will not change and you will continue to only be required to enter the next Security Key code when you log in.

     

    Hang on, if I migrate and have to play from an Internet Cafe while flying to my summer home, will anybody be able to take over my account?

     

    So there are two alternatives here I would recommend. The first is to get a Security Key that you can take with you. This will protect you from any potential key-loggers or other malware on the temporary computer you use. Just don't type your email account password in at the same time unless it is also protected by a two-factor system.

     

    The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations.

     

    You just told the hackers all your secrets! What the? Are you mad? No security 'professional' would ever do that!

     

    I may indeed just have told some amateur hackers a small portion of our security model. You'll be (happy?) to know that the professional hackers figured out these pieces well before launch of the game in 2011 and it hasn't helped them. Additionally there are certain aspects that we can talk about (a variant of Shannon's maxim as applied to overall security systems rather than just cryptography - see Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards.

     

    Do I have to log in with my character name? It has weird and wonderful characters in it that I can't type easily! What do I have to do?

     

    No. We will not be requiring you to log on with a character name. What you need to use is your Display Name.

     

    Well I don't know my Display Name! What do I do?

     

    At any time before April 2nd, you will be able to log on to http://www.swtor.com (or http://www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website.

     

    Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option.

     

    You just said you would use my email address to recover my Display Name? I thought you said email addresses are bad?

     

    Well, to be fair if you only know your email address, we have to let you type it in somewhere. Unless you have access to the email account though, you won't be able to read any emails that are sent to that email address. Regardless of whether a particular email address is associated with a SWTOR account, you won't know if there is a link unless you do have access to the email account. It is that principle that continues to de-link the email address from the SWTOR account by purely just using the website (or game launcher) itself.

     

    I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication.

     

    Hang on, I'm a new Free To Play account. I have no email address. What can I do?

     

    At any time a Free To Play account holder can register and validate an email address. Once you get to level 15 in-game, or want to purchase something from us, you will be required to register and validate an email address at that point in time.

     

    Are you getting rid of all my Security Questions and Answers? I liked them. Lots.

     

    No. We are keeping the Security Questions and Answers in place and will be using them as a form of verification on the telephone if you ever need to call our Customer Services team. A lot of the changes going into place on April 2nd are to help enable self-service systems so that you will not need to call CS as often. We appreciate that a holding queue is very annoying, and, if calling internationally, also not free. We would like to reduce costs where we can both for our players as well as ourselves.

     

    Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs and instead changing security slightly.

     

    For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us.

     

    Is there anything I should do? I'm but a simple duck and computers and stuff are not my strong point.

     

    Yes. Yes there is.

     

    As we transition from relying on Answers to Security Questions to sending a One-Time Password to you via email when authenticating, the security of your own Account becomes something you can impact directly by also making sure your Email Account is also secure.

     

    I would recommend you look at the following or get a more computer savvy friend to help:

    • Use a unique, complex and as lengthy as you can password (stressing it is used nowhere else) on your email account
    • Where possible add a two-factor system to your email account - 2-Step on GMail is a great example
    • Make sure your connections to email are secured by SSL or similar. Basic SMTP (sends email in plain text) can easily disclose your password to somebody watching your network as can unsecured POP3 or IMAP
    • Ensure you have a good AV program installed and kept up to date. Microsoft Security Essentials for example is free on Windows and is one of many great choices
    • Don't visit hacker websites (or for that matter most adult-entertainment sites). A lot of them have virus attacks included in viewing the pages
    • Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...
    • Don't click links you don't know inside emails. Go to the website you think you need to go to and type the url in the hard way. Takes longer, but helps protect you...
    • There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

     

    Why are you wasting all this time on changing something that I don't think needs changing? Make better graphics! Put in more flashpoints! We want more content, not more security! *peck!*

     

    I have to say I am constantly amazed at what our artists can do. Let's just say I'm artistically challenged and my stick figures are pathetic and quite ugly to behold... I'm also not one of the server or game engineers and I don't think any of us want me messing around with code that could create full-scale blackouts across entire shards if it is written incorrectly. Basically we have many teams here and my specific team will continue to focus on the security aspects as that is what we are actually here for. Think of it as an added bonus. :jawa_biggrin:

     

    You keep mentioning two-factor. What does that mean?

    I'm going to copy/paste most of an answer I gave in the previous thread.

    In the security field, when waffling on about authentication we talk of two-factor quite a bit. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:

    • Something I know (e.g. password)
    • Something I am (e.g. biometrics)
    • Something I have (e.g. security key)

    I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement. :jawa_angel:

    As it is sure to come up, let us be clear that Security Questions and Answers (SQAs) are not truly two-factor. It's the first factor applied twice, so leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.

    The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.

    One last thing that I should also point out, the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...

     

     

    OK, you have convinced me! Quack Quack! What is your email address so I can send you money via PayPal as thanks for all you have done?

     

    Why thank you! My email address is ph..... Oh hang on, I see what you did there. Naughty duck!

     

     

    OK, enough monologue from me! If you have questions or comments, please don't hesitate to reply. I can't promise an immediate turn-around, but we will be watching this thread and there will be replies when we can get them posted. I would however ask that you refrain from being too descriptive if you feel the need to say I'm wrong anywhere - the forum rules still apply. :jawa_smile:
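    The post above describes the One-Time Password and Authorized Location behaviour in prose: a new location is prompted for a randomised code emailed to the account holder, only a few guesses are allowed before a fresh code is sent, existing locations are kept until the new one is verified, and a password change clears the remembered locations. The following model is an added example written for this page, not SWTOR's or EA's code. The code length, guess budget and number of remembered locations are assumptions chosen for the demo, since the post deliberately does not state them.

```python
"""Model of the 'Authorized Location' plus One-Time Password flow described above.

Illustrative example written for this page, not SWTOR's or EA's implementation.
OTP_DIGITS, MAX_ATTEMPTS and MAX_LOCATIONS are assumed values; the post does not
publish the real ones.
"""
import hmac
import secrets
from collections import OrderedDict

OTP_DIGITS = 6        # assumed code length
MAX_ATTEMPTS = 3      # assumed guesses before the code is re-randomised and re-sent
MAX_LOCATIONS = 5     # assumed number of remembered Authorized Locations


class Account:
    def __init__(self, password):
        self.password = password
        self.locations = OrderedDict()   # authorized locations, oldest first
        self.pending = {}                # location -> [expected code, guesses left]
        self.outbox = []                 # (location, code) 'emailed' to the verified address

    def _issue_otp(self, location):
        # A fresh random code every time, so earlier wrong guesses give an attacker nothing.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[location] = [code, MAX_ATTEMPTS]
        self.outbox.append((location, code))

    def _authorize(self, location):
        self.locations[location] = True
        while len(self.locations) > MAX_LOCATIONS:
            self.locations.popitem(last=False)   # drop the oldest, never the one just added

    def login(self, password, location, otp=None):
        """Returns one of: bad-password, ok, otp-required, otp-wrong, otp-reissued."""
        if password != self.password:
            return "bad-password"
        if location in self.locations:
            return "ok"                          # known location: no OTP prompt
        if location not in self.pending:
            self._issue_otp(location)            # first sight of this location: email a code
            return "otp-required"
        if otp is None:
            return "otp-required"
        expected, left = self.pending[location]
        if hmac.compare_digest(otp.encode(), expected.encode()):
            del self.pending[location]
            self._authorize(location)            # existing locations are kept, not replaced
            return "ok"
        left -= 1
        if left == 0:
            self._issue_otp(location)            # budget exhausted: new random code, new budget
            return "otp-reissued"
        self.pending[location][1] = left
        return "otp-wrong"

    def change_password(self, old, new):
        if old != self.password:
            return False
        self.password = new
        self.locations.clear()   # per the post, a password change removes Authorized Locations
        self.pending.clear()
        return True


def guess_probability(digits=OTP_DIGITS, attempts=MAX_ATTEMPTS):
    """Chance that someone holding the password guesses the code before it is reissued."""
    return attempts / 10 ** digits


def scenario():
    """Someone with the correct password tries from a new location; the owner is unaffected."""
    acct = Account("correct horse")
    acct.locations["home"] = True
    r = {}
    r["attacker_first"] = acct.login("correct horse", "cafe")     # prompts for an OTP
    code = acct.outbox[-1][1]
    wrong = "000000" if code != "000000" else "111111"            # guaranteed wrong guess
    r["attacker_guesses"] = [acct.login("correct horse", "cafe", otp=wrong)
                             for _ in range(MAX_ATTEMPTS)]
    r["owner_from_home"] = acct.login("correct horse", "home")   # never locked out
    r["owner_reads_email"] = acct.login("correct horse", "cafe", otp=acct.outbox[-1][1])
    r["locations"] = list(acct.locations)
    r["emails_sent"] = len(acct.outbox)
    acct.change_password("correct horse", "new passphrase")
    r["after_password_change"] = acct.login("new passphrase", "home")
    return r


if __name__ == "__main__":
    print(scenario())
    print(f"guess probability per code: {guess_probability():.1e}")
```

    With the assumed parameters, `guess_probability()` is 3 in a million per issued code, and because every exhausted budget triggers a new random code, repeated attempts never accumulate. The demo also shows why the 'lock me out' worry does not apply: the home location stays authorized throughout the attacker's attempts.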

  21. Personally I didn't realize /follow had been removed from WoW. It’s an interesting move on Blizzard’s part and (now that I ask internally) we are already looking at any possible negative aspects that might occur if multi-boxing within SWTOR was to become a ‘thing’. I'll be clear that certain ways of technically implementing multi-boxing are very much against the Terms of Service, so I would suggest erring on the side of caution and not depend on existing functionality staying static...
  22. We had a minor issue with uploading one of my posts yesterday, and it lost the 'Next BW Post' link as a result. So just in case you missed it, here is a list of the posts thus far!

    http://www.swtor.com/community/showthread.php?p=5954106#post5954106 (Courtney's starting post)

    http://www.swtor.com/community/showthread.php?p=5955636#post5955636 (First reply)

    http://www.swtor.com/community/showthread.php?p=5961316#post5961316 (Second reply - this is the one with the missing link)

    http://www.swtor.com/community/showthread.php?p=5961675#post5961675 (Third reply)

     

    OK - pages 31 to 37 answers...

     

    When will we get an authentication app for (don't hate) Windows 7/8 phones? I'm not going to carry my keyfob with me everywhere just so I can login to the website, so I've yet to activate it...but I would activate if I had an app I could access from my phone.

    We have Security Key applications for Windows Phones (and Blackberry even) on the list of 'would be really nice to have', but there are no current development plans for those at this time. That is a business decision based on market share - the development effort is not trivial, and until the percentages change significantly (which they could!) we probably will not get funding for the work involved. I've used Windows Phones most of my life, so this is a topic near and dear to my heart as well :jawa_grin:

     

    This is going to be blunt but you are wrong. I'm sorry. How do I know? Last week I upgraded from my iPhone 4 to an iPhone 5. Upon restoring my backup via iTunes, I found the app was crashing. Security feature, maybe? Anyway, I grabbed the details I saved and removed and restored the app from the app store. I input the saved information and I now have a working security app for my account. Been using it ever since I got the iPhone 5.

    I will have that functionality tested again - the time period for being able to reuse the same key successfully (and this relates to the Mobile version only) should stop that after a certain number of authentications. It's possible the configuration changed when we consolidated some of our back-end systems, so I'll get the configuration validated for sure. I'll make sure if we do have a configuration change there that we only change it after the self-service options are available (your next question is actually related after all).

     

    Unrelated note but both Blizzard and Sony have a way for me to remove an authenticator myself in case of upgrading the device/changing the keyfob. Any chance of that here?

    As part of the April 2nd release or later? I can't say just yet on April 2nd, but this is one of the ducks I'm lining up. It's no coincidence that the change we are making is related to that (among other) self-service implementations. One of the ducks even has 'move' in its name.

     

    I wonder if this might be a prelude to using Display Names as handles attached to character names... like STO does it. I know a lot of people have been upset over losing character names in the server merges, so this would be a way to let them have their names back (not saying this is a good thing... it just sticks out as a possibility). So instead of having a character named Mara and being the only Mara on the server, I'd be "Mara@InvinciBelle". It'd only display "Mara" in the game world, but when you click to friend or chat it'd clarify with the "@InvinciBelle" added to it. And that way there would be no more unique names and everyone who lost their original names could have them back.

     

    Again, I'm not saying this is a good idea (I kinda like having a unique identity, even if it's not the one I wanted)... just that this seemed like a possible direction after I read the announcement.

    The removal of email address as a username option is a change to our out-of-game authentication system only. No in-game name changes will result. I thought it best to clear that up...

     

    OK, tin foil hat time: this change is due to splitting off SWTOR, to in effect create a different account.

    Also squashing this before it becomes a rumour - we aren't splitting off SWTOR from EA. The change in our authentication system is an enabler for modifications or additional systems associated with authentication only.

     

    Way it was done previously:

    login using email, (which someone would have to guess), and password . More secure

     

    Way it will be done now:

    Login using username (which EVERYONE knows) and password. LESS secure

     

     

    Because an IP ADDRESS is not a form of 'security'.

    limiting logins based on IP address is just the most ridiculous thing I've ever heard of (well, almost as ridiculous as just giving users 1/2 the login credentials to get to my account, or anyone's for that matter). What about individuals who travel frequently, but want to play? What if someone moves? There are HUNDREDS of variables here, and limiting logins by IP on an MMO is just RIDICULOUS.

    Relying purely on IP Address indeed would be ridiculous. Imagine a university dorm and everybody being able to play each other's accounts. That would be horrific if you valued your account at all in that scenario.

    All these scenarios (and many many more) have been considered and mitigated. We aren't relying solely on one control (such as an IP Address) to protect an account, just as we have never relied on just username/password in the live game. We rely on many controls that work together to protect the account. Yes we are changing some of those controls, but only so we can put additional systems in place without removing security. The upshot is that accounts will be in an even more secure state as of April 2nd.

     

    I completely agree with this assessment.

     

    Starting with 2nd April, all the hackers have to do is browse the SWToR forum for display names in order to get half of people's login credentials.

     

     

     

    Incorrect. There are two main ways of hacking into one's account - the phishing and the keylogger virus.

     

    1) The phishing hacker already knows your email, since he already sent you a phishing e-mail. As you go to the page linked by the phishing e-mail and use your display name to log in, he will have both the e-mail and the display name.

     

    2) If you have a key-logger virus on your computer, the hacker will get both the email address (as you log into origin) and the display name (as you log into SWToR) in order to play the game.

    Even today, hackers can browse the SWTOR forums for Display Names. It doesn't give them anywhere near half of a player's login credentials though, and we have built our security based on the knowledge that some players use the same username and even the same password on multiple websites. With the number of compromises of those credentials at other companies in the last few years, the concept that 'username' is something to try and protect is a foolish concept indeed. It's why we have so many other controls in place to make knowledge of the username in and of itself irrelevant.

    You are right that two of the ways of being 'hacked' are phishing and keyloggers. And these are things that you as a player (indeed, all the players!) can and should control. There are some very simple ways to protect yourself:

    * Ensure you have a good AV program installed and kept up to date

    * Use a unique password on your email account

    * If possible put a two-factor system around your email account (Two-Step for GMail is the most obvious/easy to get of the solutions out there)

    * Don't visit hacker websites, or for that matter most **** sites - a lot of them have virus attacks included in viewing the pages

    * Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...

    * There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

     

    I tried to strengthen my password in TOR. I tried to generate a long complex password with KeePass. Even after I do a random gen in KeePass I go in and change a few around. And TOR wouldn't accept it unless I shortened it CONSIDERABLY. Like cut it to 1/3 the length. What kind of "superior security" is that?

    The maximum length of 16 characters is an EA restriction due to a lot of other systems across EA that cannot handle more than 16 characters still. One day that may change (and I continually push for that work to be completed!), so in the meantime we have many other controls in place to make a shorter password not as important as it otherwise could have been. Being forced to have a shorter password has meant we have placed more controls than we otherwise would have, which is why you don't see thousands of 'my account was hacked' posts on a daily basis. Sometimes being restricted in specific instances on what security we can implement has created better security overall due to the other controls we put in place.

     

    Forget about security for a second. You are not giving us control over whether the username is hidden or visible, and lack of control is obviously what's making us "vocal." It doesn't matter whether a hidden username actually increases security or not; in our minds it does. Consider the cost of implementing a hidden username or non-login forum name solely against the benefit of shutting us the hell up and having happier customers.

     

    It's what you're doing with your posting, anyway, trying to get us to be less vocal. It's not working for some of us. You're using reason and logical explanations to argue against how we feel. It's not working.

    That has to be one of the best posts in this entire thread! I would love to care more about people's feelings when it comes to security, however the attackers/hackers out there don't. Not one bit. Personally I do care, but professionally I also have to deal with the attackers, so I have to cater for their level of caring and look at security from the point of view of boring concepts such as logic. If that focus on preventing zero-feeling attacks has bled over into my answers, then I can only apologize - my ambition is to ensure we continue to keep accounts secure at a reasonable level of cost. That, and nobody likes my idea of requesting a pint of blood for DNA verification every time a player logs in. :jawa_angel:

    I actually like people being vocal btw. It helps ensure we haven't missed anything (there are a lot more of you than us working here!), and I can safely say that nobody has brought up a concern with regards to the change to Display Name only that we haven't already planned for or mitigated by ensuring we have other controls in place. I'm just trying to alleviate (or even educate) people with regards to better security, as it is a very complicated subject that most people take for granted without fully understanding. Perceptions based on less than full understanding are something I'm trying to get to perceptions based on better understanding...

     

    I call BS. This level of detail and attentiveness requires a much larger time commitment.

     

    Don't stop the sass, Phillip. These guys need to know that

    1. British people are the funniest.

    2. Amateurs and arm-chair analysts are not qualified to weigh in on internet security

    OK - you caught me. I'm only spending a few minutes on each answer. :jawa_cool: The reason there has usually been a day delay in answering the questions is that I'm writing up the answers out of office hours most of the time.

     

    Ok. With the change of login from email to user name, there are a lot of concerns. In Developer forum BW says "An attacker will not be able to 'lock out' a players account, and at the same time will not be able to 'brute force' getting into the account."

     

    How are both true?

     

    They also say that this will be more secure. Nothing they are saying about this seems to make sense. If someone can attempt to log in without locking out the account, how is that more secure? If the account can be locked out, then why give all of our user names to the world?

    Both are true as we have other controls in place which we don't talk about, and from a player's perspective you will never see in action as you aren't trying to 'hack' your own account. Attackers on the other hand trigger the other controls and are dealt with accordingly - that's why those other controls exist to protect your legitimate usage of your account.

     

    I do have a question. Is there any chance we'll be able to write our own security questions? Or get more options than what's there currently? The current ones don't seem particularly secure.

    Within SWTOR we will not be changing the system to allow custom questions. More options than there are currently has been looked at a few times already, and I'm sure it will come up as a topic internally again. With regards to the custom questions, while most people are very polite with the answers, the questions themselves are also used as voice verification for Customer Services, and impolite custom questions are something we would like to protect our CS staff from when a disgruntled player could otherwise be impolite.

     

    Because it IP bans them. You will still be able to log in from your IP address.

     

     

     

    You can put anything you like in those answers. You don't have to answer truthfully :p As long as you remember what your answers are.

     

    What is your favorite color?

    Broomticket

    I too don't answer the answers truthfully! To prevent myself from forgetting the answers though, I keep them locked up in a little program called Password Safe (sourceforge project). There are quite a few similar programs out there such as KeePass, and I highly recommend using one to avoid that 'forgot!' moment. I use a different answer on every site as well, so would never be able to remember the answers if I wanted to...

    Just never ever use that 'master password' anywhere else!

     

     

    OK, finished with page 39 now...
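    Two points in these posts concern how a Security Key behaves: the earlier post says the key produces 'a time-limited code that changes frequently' that is impractical to brute force, and the reply above about reusing saved details on a new phone notes that the server side should stop accepting a key after a certain number of authentications. The example below is added for this page and is not BioWare's Security Key code; it assumes the standard RFC 6238 TOTP construction (HMAC-SHA1 over a 30-second time step), which the posts never confirm, and uses the test secret published in that RFC rather than any real key. The verifier shows the server-side checks a practitioner would expect: a small clock-drift window, refusal of a code that was already used, and refusal of a code from an old time step.

```python
"""Generic time-based one-time code (RFC 6238 TOTP) generator and verifier.

Added example for this page. It is not the SWTOR Security Key implementation;
RFC 6238 is assumed as the construction. RFC6238_SECRET is the published test
vector secret from the RFC's appendix, not a real key.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B test secret (constructed input)


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def totp(secret, at, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at // step), digits)


class Verifier:
    """Server side: accepts a code only once and only near the current time step."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest time step already consumed by a successful login

    def verify(self, code, now):
        current = int(now // self.step)
        for delta in range(-self.window, self.window + 1):   # tolerate slight clock drift
            counter = current + delta
            if counter <= self.last_counter:
                continue   # a step already used can never be accepted again (replay defence)
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


def brute_force_odds(digits=6, guesses=1):
    """Chance of guessing the code in 'guesses' tries before the time step rolls over."""
    return min(1.0, guesses / 10 ** digits)


def demo():
    v = Verifier(RFC6238_SECRET, digits=8)
    code = totp(RFC6238_SECRET, 59, digits=8)      # RFC 6238 vector: T=59 -> 94287082
    return {
        "code": code,
        "accepted": v.verify(code, 59),
        "replayed": v.verify(code, 59),              # same code presented again: refused
        "expired": v.verify(code, 59 + 5 * 30),      # five steps later: refused
    }


if __name__ == "__main__":
    print(demo())
    print("current 6-digit code:", totp(RFC6238_SECRET, time.time()))
```

    The replay check is the part that matters for the 'same key on two phones' discussion: even if two devices hold the same seed and produce the same code, a verifier that records the last consumed time step will accept that code only once. The per-step guess odds from `brute_force_odds` (one in a million per try for six digits, with a new code every 30 seconds) are why the post compares brute forcing a Security Key to winning the lottery.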
