Security Key: I think it's a waste

[Zarrot]

Security Key: I think it's a waste

 

Everyone does until they get hacked. As for the rest of your post, well, it seems you have little clue at all about security.

[cipher_nemo]

Everyone does until they get hacked. As for the rest of your post, well, it seems you have little clue at all about security.

 

Funny how random person on the Internet is telling me, with a background of IT and software engineering, that I don't have a clue about security. Typical forum attacks.

[iain_b]

Sorry, I grew up in an era before everyone felt naked without their phone. You'd be surprised what us Gen X people do sometimes. And no, I don't own an iPad/tablet/Kindle, nor do I want one.

 

Why are you so foolish to assume that I'm not a Gen X'er? I'm 33 years old, I certainly remember what life was like before cell phones.

 

The only thing you've done is avoided answering my question while trying to take a dig at me.

Edited February 15, 2012 by iain_b

[Sotaudi]

I've recently seen other threads related to the security key, but all of them were too specific for my overarching issues with them or in customer service threads that sadly get no attention from the community as a whole. In other words, sorry if this is duplicated somewhere.

 

Since my security key came bundled with the CE, I used it for a while. But now I have it disabled due to many issues. Here's why I think the security key is a total waste of time both for us a customer and for EA/Bioware...

 

1.) Bioware won't (or can't?) let us use multiple keys on the same account, nor can we use a mobile key and their mobile device app on the same account. I don't want to carry my key around with everything, so locking my account into one mobile key is a huge inconvenience.

 

It would be nice to be able to have the ability to use the security key from multiple devices. Is it a "huge inconvenience"? No. You can carry the key device with you. You just don't want to, and for those who have the mobile app, we generally have the needed device with us. So, no, its a minor inconvenience.

 

Either way, having multiple devices that can serve the key that you don't keep with you makes access less secure as one of the methods could be lost or stolen, and you might not even notice it. One device that you will likely always know if it goes missing is far more secure.

 

2.) If we have it enabled, we need to use the key to get to the forums. Why can't we just have login approvals from pre-set devices (eg: we could easily authorize specific IPs/devices we want to use with the forums and the client). After all, if I connect to the client from another IP address, the launcher will ask me to answer one of my security questions.

 

The reason the key is needed when logging into the forums is that your forum account is the same account you are logging into when you log into the game. If someone can hack your forum account, they can hack your character, and, worse, they can access your subscription/payment information and everything associated with your account. That includes the ability to lock you out by changing your password, your security questions, and your security key. Having less security on your forum account is actually the exact opposite of what you want.

 

Either way, the whole point of having the key is to tighten access to your account. Having multiple ways to authenticate only introduces additional holes in the authorization process. If you want convenience over security, then simply don't use the key.

 

3.) There were issues with people getting locked out when switching from mobile key to mobile device app. Is that fixed yet? And since they even had this issue in the first place would I ever trust Bioware to keep it from locking me out in the future? Nope.

 

First, this is a new game. It takes time to work out the kinks in the system. Second, if it were easy to simply switch authorization devices, it would be easy for an unauthorized person to switch it. Can the process be improved? No doubt. But, then, you asking for them to add all sorts of additional layers, which would only make administering this kind of system worse. So, again, if you don't trust them, then don't use it.

 

4.) The only way to change my key or disable it is to contact phone support. There should be a way to do this online with the original key and security questions to verify. The whole point of a security key is to make account access both secure and convenient for the end user. If I have to waste time phoning your support, the convenience is nullified. I might as well just call you first before launching the client each time, since that's roughly just as convenient.

 

I have had the security key setup since the beginning. I have not once had to call phone support. The only possible reason this would be an issue is if you were trying to alter the security setup. Since this is something the average user may have to do once or twice during the life of the game, the whole suggestion that you may "as well just call you first" is extraordinarily disingenuous.

 

Either way, no, the whole point of having additional layers of security are to make it exceedingly inconvenient for someone other than you to be able to disable it or access your account. Making someone actually talk to a person to get security changed once it is setup is a perfectly reasonable way to ensure that. If you are doing this often enough for a phone call to be an issue, you are doing something wrong.

 

5.) The in-game vendor for current Key users sells near-worthless junk. And it's not unlocked permanently for those who once used the key. It's only unlocked while you continue to use your security key. No incentive there to keep using it.

 

Why in the world should it be unlocked permanently for those who once used the key? The whole point of the vendor is to ensure that people use the security key. It is a fairly simple concept. If you want access to the vendor, use the key. If you don't, you don't get access to the vendor.

 

The incentive to use the key is to secure your account. The vendor is only there for added incentive. If the only reason you are using the key is to get access to a vendor, then you need to examine your priorities.

 

Besides, if the stuff on the vendor is "junk," then what is the issue? Everything you have said above indicates you are not really interested in the added security of the key because you want all sorts of ways around it. If that is the case and if you think the vendor gives you no incentive to keep using it, then why bother even posting this. It seems that your best course of action would be to simply stop using the key altogether.

 

What's your opinion on this security key?

 

My opinion is that the key is doing its job. It makes it so that my account is more secure. It would be nice to be able to have a physical key as well as my mobile device, but that also makes things less secure. I can live without the extra convenience.

[Noon]

I can usually punch in my security key in about 2 seconds, and I haven't had a single issue with it, so...

 

Not sure how this is a big inconvenience.

[Sotaudi]

Funny how random person on the Internet is telling me, with a background of IT and software engineering, that I don't have a clue about security. Typical forum attacks.

 

I have been in IT since data was stored on punch cards, and I am still in it running an IT department. I will say flat out that the points you make in your OP indicate you really don't have a clue about security.

[JustTed]

Funny how random person on the Internet is telling me, with a background of IT and software engineering, that I don't have a clue about security. Typical forum attacks.

 

That's funny, because you sound exactly like every executive I've ever spoken to that can't deal with the fact that I just enabled strong passwords on the domain.

 

Security.

 

Convenience.

 

Now pick one, you silver haired knucklehead, you.

Edited February 15, 2012 by JustTed

[duritz]

suckered into buying yet another piece of technology.

[Zarrot]

Funny how random person on the Internet is telling me, with a background of IT and software engineering, that I don't have a clue about security. Typical forum attacks.

 

I've been in IT and Programming 20 years. So, I feel totally secure telling you that you are clueless when it comes to security.

[Thunder-God]

Security is awkward and inflexible by nature, that is part of what makes it secure. It is a series of events that take place in a strictly controlled manner, anything outside of those narrow confines is deemed invalid. The more "flexible" a security feature is the less secure it is, to a point that it isn't a security feature but a vulnerability.

 

I will also blow your mind a little......

 

No matter how secure you think you are when browsing, no matter how many commercial options for security you have in place, you aren't as secure as you think you are. Remember, in most cases security software is playing catchup to the threat....not the other way around.

 

Couldn't have said this any better myself

 

The whole point to a security key is that it adds a second form of authentication for your account. Your Username/Password combo being something you know, and the security key being something you have. Creating multiple copies of a security key partially defeats it's purpose. It's purpose is that only the person who has access to that security key can access that account. Linking the physical key to the app key by somehow entering a code to enable the app key to provide the same login code would compromise the security of the system....lowering it for all.

 

Having to call Phone support for managing removing the keys is a minor inconvenience that happens only as often as you change security keys. Equating it to having to call every time you login is extreme hyperbole and does a disservice to those who don't know about security.

 

Fine...you don't want to make your account more secure by adding a security key...you do that...but please don't encourage others to sidestep this handy security feature. Most users aren't as security conscious as you (I would not, however, put you on the same level as me...what you have posted here shows you do not know as much about security as you claim)...and most users will have their security dramatically upgraded by using one of these.

Edited February 15, 2012 by Thunder-God

[VertisReaper]

I don't like typing in all those numbers when I log in, so I just leave swtor minimized. It logs you out of the server, but next time you want to play you can just click on your server. Edited February 15, 2012 by VertisReaper

[Holden_Dissent]

I updated the Rom on my Android and (like always) it broke the security key. I was able to get into my account by calling customer service. However, I can't readd my android to my account. I tried a month ago and I tried a few days ago. Still can't. Which they did tell me over the phone that I probably wouldn't be able to and it's something they're working on. That's my short story long now go hack my account!

[cipher_nemo]

The only thing you've done is avoided answering my question while trying to take a dig at me.

 

I've already answered your question: I don't always have my phone with me whenever I'm at computer X, Y, or Z. The only step left for you to do is believe me or not. And you've already made it clear you don't, so there's no question left to answer. Time to move on... but I see you just like to argue for the sake of arguing.

 

One device that you will likely always know if it goes missing is far more secure.

 

Possible outcome: one of my authenticators is lost. The person picking it up in my local area probably has no clue what it's for, much less what "Star Wars The Old Republic" is. Worse, they have no clue what account it's tied to. It's useless to them.

 

The reason the key is needed when logging into the forums is that your forum account is the same account you are logging into when you log into the game. If someone can hack your forum account, they can hack your character, and, worse, they can access your subscription/payment information and everything associated with your account. That includes the ability to lock you out by changing your password, your security questions, and your security key. Having less security on your forum account is actually the exact opposite of what you want.

 

That is why some developers give you a different forum account than your game account. But alas, EA/Bioware does not.

 

First, this is a new game. It takes time to work out the kinks in the system.

 

And you've just answered why I'm posting this. It gets the community talking about and it gives EA/Bioware feedback from all viewpoints. More user control/options is always a good thing. If you want your mobile authentication to be as secure as possible, then you keep one key. For me, no thank you, I'd like multiple keys.

 

The whole point of the vendor is to ensure that people use the security key. It is a fairly simple concept. If you want access to the vendor, use the key. If you don't, you don't get access to the vendor.

 

Exactly. It's a carrot on a stick. It's like saying, "here here, little gamer, we know you suck at securing your account, so we're going to tempt you into using this security key". But the only problem with this is that the security vendor just has trash and vanity items that are also sort of trashy compared with other virtual items. As far as I'm concerned, Bioware can do whatever they like with this. I'm just letting them and the community know that this is a rotten carrot for me (ie: it provides no incentive for me).

 

It would be nice to be able to have a physical key as well as my mobile device, but that also makes things less secure. I can live without the extra convenience.

 

Exactly, my point. I don't want to live with the inconvenience. Having both a physical key and the mobile app work for the same account might get me to start using it again because that gives me the convenience I want.

[JustTed]

Exactly, my point. I don't want to live with the inconvenience.

 

Too bad. Now type your strong password, Mr. CFO, because I'm not changing the policy.

 

See how security works now?

[iain_b]

I've already answered your question: I don't always have my phone with me whenever I'm at computer X, Y, or Z. The only step left for you to do is believe me or not. And you've already made it clear you don't, so there's no question left to answer. Time to move on... but I see you just like to argue for the sake of arguing.

 

Not particularly, I just believe you're being stubborn about it for the sake of it.

[cipher_nemo]

Too bad. Now type your strong password, Mr. CFO, because I'm not changing the policy.

 

See how security works now?

 

It's funny, I'm not a "CFO", but I am usually the one circumventing the policies as a admin for my local entity with other domain admins out there above me in privs. I'm the one going into registries, editing the security on specific registry keys, and locking them out of applying broad domain group policies to my PCs and my "customers" within my entity.

[J_Five]

Funny how random person on the Internet is telling me, with a background of IT and software engineering, that I don't have a clue about security. Typical forum attacks.

 

 

Really? Really?!?!?

 

Seriously, if you had a background in IT and software engineering, you would completely comprehend the reasons behind what you call an inconvenience.

 

Your argument that it's not on your droid because you don't carry your phone around you everywhere is also ridiculous. You say you don't carry your phone because you are an older, more mature adult who isn't tied down to technology? Let me ask you this. Do you have a wallet? Or do you simply just leave wads of cash everywhere in several strategic places?

 

You argue that there is no need to protect your SWTOR account because its importance is below that of accounts you deem more valuable, such as your bank account. Another point of yours that shows your lack of intelligence in the IT security world. Any account / login combination is valuable. People use the same login names and the same passwords all the time in different places. You're a liar if you say you have never repeated a password, or a small variation of one.

 

The security key is a very valuable security option. As mentioned earlier, its an extra layer of security. It's an extra locked door to which there is only one key. It's a simple concept to understand and grasp. If it's inconvenient to you and you don't want to use it because you deem the inconvenience to be too large, then don't use it.

Edited February 15, 2012 by Paralassa
rude

[InnateOne]

The only thing that I really hate about the Security Key is that it constantly crashes on the android... I have to open the ap 2-3 times every time I wan't to log into the game.

[Zarrot]

Your argument that it's not on your droid because you don't carry your phone around you everywhere is also ridiculous. You say you don't carry your phone because you are an older, more mature adult who isn't tied down to technology? Let me ask you this. Do you have a wallet? Or do you simply just leave wads of cash everywhere in several strategic places?

 

He's too sexy for his phone and his money is stuffed in his mattress. Shhhhh....

Edited February 15, 2012 by Zarrot

[Thunder-God]

How is multiple authenticators on one account not "additional security"? And again people making straw man arguments.

 

Multiple authentication METHODS offer increased security. Duplicating the way you get the code produced by something you have (your security key) offers decreased security for the entire system. That means your key is less secure...my key is less secure. I do not want the ability to tie multiple authenticators to my account as it makes my account less secure.

 

The more ways you add to access an authentication method the less secure it is....like if you added multiple usernames and passwords...all of which can access the account without requiring the knowledge of the others....the account becomes less secure...works the same way for multiple security keys. It's convenience to you...it's a lower level of security to everyone else using the keys. If they make it possible for you, then they have to make it possible for everyone else using the system...which means that lowers the security of the system as a whole.

Edited February 15, 2012 by Thunder-God

[cipher_nemo]

Seriously, if you had a background in IT and software engineering, you would completely comprehend the reasons behind what you call an inconvenience.

 

I don't ever need to reply to that directly, because I could really care less what you believe. But I will make a poignant statement: SWTOR is a game, not a bank account. Should TSA frisk you every time you get into a personal vehicle like they do at public airports?

Edited February 15, 2012 by Paralassa
rude quote

[PostalTwinkie]

The only thing that I really hate about the Security Key is that it constantly crashes on the android... I have to open the ap 2-3 times every time I wan't to log into the game.

 

That is the feature I love the most! Because you get the option to "Force Close" it, makes me feel like a Sith!

[cipher_nemo]

That is the feature I love the most! Because you get the option to "Force Close" it, makes me feel like a Sith!

 

Oh the puns! lol

[Magnijung]

Don't get me wrong, I'd welcome the extra layer of security. But when Bioware doesn't let you have multiple keys for one account it severely hampers the convenience for me.

 

And you didn't seem to get the overall gist of the thread. It's not about me caring if other members use it. It's about how unflexible and awkward the security key implementation is for SWTOR.

 

 

My phone is with me 24/7. My phone has blizzard, rift and TOR authenticators. I have access to all 3 authenticators 24/7.

 

Physical authenticator is basically there only if you do not have iOS or Android.

[cipher_nemo]

Physical authenticator is basically there only if you do not have iOS or Android.

 

Or in my case, if I do not carry my phone around with me all the time. It's sort of comical how many forum posters can't imagine a scenario that's so different than their own little bubble in life.