One-time Password

[Jilisipone]

/facepalm

 

Its not cookie based security, it's using a cookie to track client uniqueness. There are many other controls in play. If all they were doing was storing a single cookie locally and trusting it, you might have half a leg to stand on here

 

 

I never stated that they were using ONLY cookie based security...but yes, using cookies even as an identifier of a "recognized" trusted authenicator is including cookies as part of your overall security profile.

 

There are many other ways to do this without using cookies, which are one of the biggest ways to steal information from computers out there. This is one of the reason most security standards of highly secured information mandates that storing cookies be disabled.

 

My point still stands however that there are many institutions that maintain much more important information than access to a group of virtual make believe characters that have much less cumbersome security processes. Use of security questions or any other data to "verify" I am who I claim to be based upon information I know vs a code I have to have access to and lookup each time would be more preferrable.

 

Am I a "hacker"...no. But I am a Computer Science major and work in computers for a living, so I do understand what I'm talking about. Is this process MORE secure than others? Potentially yes (afterall, all the hacker has to have access to is your e-mail and they can retrieve the "one-time" code themselves just as easily. But it's quite over the top for a online game in which it can clearly be expected that ppl will be accessing it from mulple IP addresses and/or locations.

 

As I stated (and maybe this is my own fault for not being able to find the information on this site). If BioWare woud provide the information on what site needs to be set as an exception to allow cookies in the browser, I'd be happy to configure that. I guess I could assume it's swtor.com......but I dont' like to assume things.

Edited April 11, 2013 by Jilisipone

[Laurreth]

There are many other ways to do this without using cookies, which are one of the biggest ways to steal information from computers out there. This is one of the reason most security standards of highly secured information mandates that storing cookies be disabled.

 

That is just blatantly false. Cookies by themselves are not a means to "steal information"; they don't magically come alive and rip data from your computer. They are primarily a means of recognising a previous visitor, maintaining session state, and generally storing small amounts of data necessary to keep a session or a transaction intact; to that end, a server tells a browser to store a static piece of information, which the browser sends back to the server with every request without ever evaluating it in any way. Think of them like one of those bracelets you get at a concert, and please look up the concept of "same origin policy".

 

Yes, they are abused (see the whole 3rd party brouhaha going on around Firefox right now, this site does not appear to be using those), yes there have been problems. But the problems have all been due to a bad implementation of the actual use of the cookies and previously unsafe handling on the browser side which has long since been fixed in all major browsers.

 

And yes, there are "other solutions", but for the purpose at hand, those are either way worse than using cookies (pure IP address tracking), obnoxious and insecure (session IDs passed on in every single page URL), opaque unaudited blackbox trickery (HTML5 storage, Flash storage). Apart from that, they would be perfectly isomorphic.

 

Of every single session maintenance solution there is, cookies are the best understood, the most secure, and the most open. Please don't go around asking people to go to darker places without need and understanding!

 

(Banks came up as an example how to do it right again. Please also stop saying that, people! Banks are horrible, and they have been educating their users to accept insecure practices forever.)

[MrSchmo]

We are tracking IP addresses. We are also checking (for the browser) a SWTOR site specific cookie. We are checking many things.

 

People who deliberately delete cookies from their computers will have to be sent an OTP as part of log in. That is a self-inflicted situation and knowledge of just the cookie (the fear at least one prevalent poster appears to have) is not enough to 'hack' into an account on our site at least, so it is an unfounded fear to start with.

 

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

 

Your system is flawed and frustrates more then helps. I surf this site at work on my phone all the time. I normally can stay signed in until you do maintaince and then it resets and I have to login again. At this time it always asks me for the 'One Time Code'. Even though I've been logged in and using the site for some time with out trouble, so why does it ask me at that time?

 

Then today I go to my account page to look at the security key setup. Then it asks me to login again, fine it's an account page I get that. But now it asks for another of these "One Time Codes." I get the email and use the code and login successfully to my account page. After looking at some stuff I return to surfing the forum, then decide to go back to my account page. What does it do? It asks me again for this 'One Time Code'.

 

How many times must I enter this code on one device in one day? The security key is just another barrier. Enter site, ask for code, back out to key app, copy code, back out of app, reload page and enter code.

 

I have never seen so many barriers to access an online game. If people are to dumb to create a strong password or keep their private info to themselves as not to get socially engineered then that's their issue.

 

I bet when I go home I'll have to get another 'One Time Code' to log into the game as I'm on my phone now and will be on my computer later. Why can't it save both locations? Refine your system or stop calling it a 'One Time Code'. Loading up my email just to check my account status everytime is a hinderance.

 

I'd appreciate a response to why this happens everytime when you stated that it remembers my locations.

 

Thank you.

[sanchito]

I'd like to add my voice to those that find it too much. I don't doubt it's secure, but i'd greatly appreciate an option to opt out, i'm absolutely willing to live with the increased risk to my account.

 

My main issue is that the core of my "internet privacy policy" is not giving my real email to anyone unless i know them and trust them, so every time you send me a one time password you force me to log into my spam email to go look for the password amidst hundreds and hundreds of random spam mail that want so sell me viagra or 5 inches more or whatever. That is obviously not your fault, but one could say our policies are not very compatible ;-)

Edited April 11, 2013 by sanchito

[ATAMIANM]

Well after disconnecting from a flashpoint, having to log back in and once again look in my email for a one time password, which resulted in my nearly getting kicked from the FP due to the lost time, I gave up and got the SWTOR Android App. Works great so far, it is free, and I no longer have to dredge through e-mail just to play a game..

 

By the way I looked at my settings and cookies were definitely enabled and not deleted on browser closing. I suspect the fact my ISP uses dynamic IP was the source of my particular problem.

 

I just deleted all the one time passwords I had gotten since 2.0 hit. It was around 15 or so, basically over 2 nights.

[Darth_Crasis]

My opinion, this must have been implemented poorly. Many websites use a form of cookie authentication, likely using persistent cookies. When I access my bank, It still recognizes my PC after using private browsing... Not so with this system. If EA wants to look for the cookie, fine, but it should only be part of the detection.

 

Also, not getting a security key, had one when the game came out, great, just wait until you get deployed and need to log into the forums and your key is back in your barracks room in the US...

[DreadzKaiser]

so can someone atleast explain to me *** IS THE POINT OF THIS GOD FORSAKEN SYSTEM

*** WAS WRONG WITH THE SECRUTIY QUESTIONS

also, WHERE THE FRIG IS MY FRIGGIN PASSWORD, IM LOGGED IN HERE, BUT IT WONT SEND ME THE PASSWORD FOR THE GAME LOGIN, IVE TRIED 4 FRIGGIN TIMES, NO FRIGGIN OTP

 

and yes, the all caps was needed. emphasis is important for ranting. and i cant emphasize enough how user-unfriendly this system is...if i could log in, i'd have unsubscribed already...oh wait, im in now...AFTER 9 *********** ATTEMPTS IT FINALLY SENT A OTP TO GET INTO THE SITE, STILL NOT THE GAME

[Heezdedjim]

My opinion, this must have been implemented poorly. Many websites use a form of cookie authentication, likely using persistent cookies. When I access my bank, It still recognizes my PC after using private browsing.

I don't have a problem with any computer "not being recognized." None of the websites I log into on a daily basis ever "recognize" any computer I use, and that's fine with me. However, none of these other sites rely on stupid klunk arounds like "one time passwords" that need to be entered every time and force me to log into a whole other separate system (thus becoming fatally dependent on the security of THAT system, as well as on their own native security). They all present me with the usual random "security question," I answer it, and everything goes on as usual. This site used to do the same, and it worked fine. It would still work fine, except they felt they needed to do something far stupider and more annoying, which adds nothing in terms of actual security.

[CaptRavenous]

That is a self-inflicted situation....

 

I've never had any of this trouble or this OTP crap from any other MMO site, game or forum. No, this isn't a self-inflicted situation. This is a situation inflicted upon us by you, inflicted on those of us who take our PC security seriously.

[Andryah]

I've never had any of this trouble or this OTP crap from any other MMO site, game or forum. No, this isn't a self-inflicted situation. This is a situation inflicted upon us by you, inflicted on those of us who take our PC security seriously.

 

Add a security key to your account... issue resolved. If you take PC security seriously, like you claim... why not avail yourself of the added security (and account ease of use) of a security key??

[AsheraII]

If we're talking passwords anyway..

How about an option to make passwords locally visible, instead of showing those dratted ************? I'm the only user of my computer, there's absolutely noone else in that room, the door behind me is closed, and I have a relatively strong password. I'd like to SEE what I'm typing, since typos DO happen, and I'd rather log in properly right away than discover after several tries that my keyboard for some reason decided to switch to a German layout or something, which I CAN'T see when those characters are replaced by stars..

 

For people using a private computer in a private area, those replacement stars are an extremely redundant annoyance.

[deltadt]

this is getting annoying that it keeps coming up.

[RuDarthPatrick]

http://torlol.ru/uploads/aa4c0fca0b6400031c801e17bdb0b561.jpg

[Laurreth]

No, this isn't a self-inflicted situation. This is a situation inflicted upon us by you, inflicted on those of us who take our PC security seriously.

 

No, it is inflicted on those who buy into FUD flying around without an understanding of security.

 

If you "take security seriously", you get an authenticator which actually introduces a measure of cryptographic security into the whole process.

[Trotskii]

This is my first post and first call to support.

 

I have to echo what an annoyance this has become. Today I was still unable to log in after entering the one-time password. I had the email with the OTP and site login side by side showing the correct OTP, including case sensitive. Still saying incorrect.

 

I work with mainframe computers for a living; I know a few things about security. Most people that care about security don't allow cookies and the like and IP addresses can change all the time. You have an ID, password and other security questions to confirm your ID. The fellow on the phone asked me those. If you feel the need to increase security, use those questions. Instead you're emailing a one-time password - since when is email secure anyway?!?!

 

This is the first time I have had to call support and I abused the poor fellow on the phone pretty badly for this policy (I did apologize to him as well; not his fault).

 

Apparently the OTP gets reset AGAIN each time you are incorrect! The login message does not let you know about that, so it doesn't matter that you may be re-typing slowly and carefully and/or cut/paste - it's changed again and you don't even know it!

 

You people need to realize this is just a GAME. I play to have fun and relax. If it requires too much effort, I'll play something else.

 

If this policy continues, you will not need to worry about security because you won't have any customers.

[Tarrako]

A little light here, after latest Windows7 update I had some issues with One-time PW system as the e-mail never arrives in time for validation, so I just raised IE from the dead (I use firefox) and there! Problems solved!

Anyway I agrre with peeps above this ain't a pratical system though

[ZeroPlus]

...

 

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

 

Any news on when we have more news about this?

 

The situation lately with the OTP has become very annoying. I personally have to wait on average 2-3 minutes to receive the e-mail with the OTP.

 

Unfortunately sometimes it takes much longer than that and I have had at least 2 occasions where I had to close the launcher and restart the process to get a new OTP sent because the other one had already expired by the time I received it.

 

As I stated in a previous post in this thread, I understand the need for security. But something needs to be done because this is becoming untenable.

 

Maybe something as "simple" as redimensioning your mail servers to handle the load so that between the request and the reception of the e-mail only a few seconds transpire and not a few minutes.

 

EDIT:

Found this thread:

http://www.swtor.com/community/showthread.php?p=6165076#edit6165076

after writing the above .

Edited April 17, 2013 by ZeroPlus

[MajikMyst]

I take it people that have an authenticator do not have this issue??? Just wondering??

[BlownSi]

Do you have a good way to determine client uniqueness without using cookies/javascript or anything else clientside in a world of dynamic IP addresses?

 

Lets hear your solution.

 

This is what I would like to know as well. The ISP provides a DHCP lease that expires after a certain amount of time, after which you receive a new lease, meaning a new IP. Granted, these times are usually decently long, as in 2-4 days depending on the ISP. of course, anyone with basic computer network knowledge will know this fact.

 

To be honest, the OTP thing does not really bother me. What is irritating is waiting 10-30 minutes for the email and then having the password not even work. This happens all the time to me. Even if it only takes 1-2 minutes for the email to get to my inbox, it still does not work. Sometimes I even receive double emails.

 

THIS is the issue I and I am sure many others have with this system. I will thank BW for finally acknowledging and commenting on this problem to the community.

 

Edit: I just received a OTP email after 2 minutes and the password did not work. Again, this is the main issue.

Edited April 17, 2013 by BlownSi

[macumba]

the regular lease time in germany is 24 hours. we call it the 24 hrs disconnect.

this means one time password every day and since the add-on launched the first few won't work and the wait time for the email increased a lot.

 

is it so hard to be kind to paying customers ?

I know you want to do good in increasing security, but at the moment (bottom line) you are not doing good at all.

Edited April 17, 2013 by macumba

[ZeroPlus]

This is what I would like to know as well. The ISP provides a DHCP lease that expires after a certain amount of time, after which you receive a new lease, meaning a new IP. Granted, these times are usually decently long, as in 2-4 days depending on the ISP. of course, anyone with basic computer network knowledge will know this fact.

...

 

Just a small note/correction.

 

The way DHCP works is actually like this (in simple terms):

1. Your device requests an IP address.
   
2. The ISP's DHCP server replies back with an IP address and the lease duration.
   
3. Your device acknowledges the IP address.
   
4. When the lease duration has hit the half-way mark, (eg: lease = 60 minutes, renew happens at 30 minutes mark), the device will request the renewal of the IP address.
   
   • If the DHCP server replies back with an "OK", the device will keep the IP address and the lease will again reset to the original duration (to use the example above, the lease duration will go back to 60 minutes).
     
   • If the DHCP server does not reply back with an "OK", the device will retry the renewal request at the next half-way mark, (eg: lease = 60 minutes, 1st renewal request at 30 minutes, 2nd at 45 minutes, 3rd at 52:30 minutes, etc), until the DHCP either responds (and the IP address is renewed and lease duration resets) or the lease expires. If the lease expires, your device will release the IP address and start again from step 1.
     

(For a complete explanation of how DHCP works, go here.)

 

Some ISPs will always honor "renewal requests" and so as long as your router/modem/whatever is powered on and connected to the network, the IP address it received when it was first turned on will be the IP address it keeps until it is turned off (or disconnected from the network) for longer than the duration of the lease. If the device is turned on again (or connected to the network) before the lease expires, the DHCP server will again assign the same IP address to the device. (In short: your IP address will never change.)

 

Some ISPs however, will not honor the "renewal requests" and so once the lease duration is over your device will release its IP address and request a new one.

 

If you turn off your router/modem/whatever during the night, it might not be your ISP that is resetting your IP address. You might be getting a new IP address because your device's lease expired while it was turned off.

 

To find out if your ISP is "force resetting your IP address", you can try the following:

• Never turn off, (or disconnect from the network), your router/modem/whatever.
  
• Visit http://www.whatismyip.com/ on a regular basis (every few hours, once a day, whatever) and take note of the IP address (xxx.xxx.xxx.xxx) that is displayed at the top of the page. (NOTE: This is your IP address as seen by other devices on the Internet (like the SWTOR servers), and not the IP address your computer is using (which you can see by executing the command "ipconfig" in a Command Prompt window).)
  
• If you see that the IP address displayed by http://www.whatismyip.com/ changes without you changing anything on your end, then your ISP is "force resetting your IP address".
  
• If the IP address displayed by http://www.whatismyip.com/ doesn't change, then your ISP is not "force resetting your IP address". In this case, any IP address change that you experienced before doing this test, will most likely have been "caused by you" (most likely because you turn off your router/modem/whatever at night).
  

 

Hmm... turns out that it wasn't a "small" note/correction after all.

 

Anyway, I hope that helps explain how DHCP works for some of you.

Edited April 17, 2013 by ZeroPlus

[Trushott]

We are tracking IP addresses. We are also checking (for the browser)

 

We are working on seeing what we can do for the players affected by ISP's that force a new IP address on a frequent basis. I don't have a definite date on when that will be, as we don't have a definite answer to give as yet. We are looking at various options and weighing them against other priorities the teams that do the actual 'work' also have.

 

how about working on something for people on the go with IPADs or similar devices hooked up to a cell provider that may be on the go in a vehicle as a passenger quite often on trips or what not ... i attached all our households accounts to one security key we keep on a keychain at the house in a way it cannot be lost ... you do not offer that service on the iphone app version of the security key thus to log in the website forums while on the road i would have to take chance of losing the little physical which i will not ... so i can only read on the road not post

[Trushott]

I've never had any of this trouble or this OTP crap from any other MMO site, game or forum. No, this isn't a self-inflicted situation. This is a situation inflicted upon us by you, inflicted on those of us who take our PC security seriously.

 

QFT .... albeit I already succumbed to the real intent of the one time passwords ... and added security key to our accounts which i didnt want to have to punch in each time the old way was better since i could do from memory

 

both ways now are just a PITA for me personally

[MilkMDN]

People say adding a security key will stop the OTP thing, but the problem is you need a OTP to set your security key up, and the OTP aren't even sending anymore. Been waiting at least 45 minutes for it to show up and still got nothing. It's frustrating beyond belief.

[Ki-Tau]

Amazing - 14 months after the OP and I just tried subscribing again after a few months break and guess what? the 1 time password is EVERYTIME I try to log into the game!

 

What a bunch of f'ktards that are supposed to be fixing this - my regret is that I paid for 3 months instead of 1 month. I should have checked if the security side was still being handled by semi-trained chimps before I parted with the cash - anyways last penny you will get from me - 14 months and no fix for a problem you introduced yourselves Bioware - disgraceful - you suck !