
An update on the One-Time-Password system (April 16th 2013)


Phillip_BW


And what about an option allowing us to choose between the OTP and the good old security questions? You could set up the OTP as the default, and for people who have trouble with it and are smart enough to correctly remember their security questions with correct spelling and accentuation, symbols and such, they could resort to it.

 

Phillip actually answered this already.. but not directly. So let me expand on it a bit.

The security questions are controlled and changeable within your account. The OTPs are not... they are one time security keys issued directly from Bioware.

Why is that an important distinction? Because the main reason they went to the OTP process is to enable more self service features for the users. Like the ability to self add/change/delete a Security Key. The OTP is issued by Bioware when you want access to your account and do not meet their security thresholds to do so. It is unique and only issued through your email address tied to your account. It is true two factor authentication.

 

The security questions... while they add an additional level of security to your account... they do not protect your account from compromise in a strong manner because they are carried inside your account and are managed there. OTP through email prevents anyone from altering anything in your account (including your email address) unless your email is also compromised.

Edited by Andryah
The level of rage among the players is above ceiling now. I assume this is the end of this game soon.

People are unsubscribing en masse! In one guild I am (was?) in, 10 main players left. My two friends unsubscribed yesterday (and I will because we were playing only together).

Serious players are angry because it is impossible to play operations. Casual players will not spend half a day with one time passwords. Remember Bioware - this is not the only game in the world, not the last MMORPG!

And it should be your priority now! This is a disaster in my opinion.

Security better than on my bank account, come on. We want to log in and play and not be in fear if we will have luck this time!


If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

 

Tried page refresh, using right-click menu refresh method AND ctrl-F5, still shows as out-of-stock.

Edited by CaptRavenous

I'm all for having a secure account and I actually think one time passwords are quite a smart idea.

But the system really needs to work properly from day 1 and if there's evidence that it doesn't then it needs to be withdrawn until it does.

 

I began trying to log on this evening at 17:30BST. The OTP mail arrived at 17:37 - I cut'n'pasted the password from it to avoid error - it didn't work. I have since received OTP mails at 17:47, 18:07, 18:38, 18:58, 19:08 & 19:13 [ALL BST]. None of them have worked. It is now 19:32 and I'm about ready to go and do something else less boring instead.

I have experienced similar problems this morning at 07:30BST and over the past two evenings and have eventually given up without being able to log in. The e-mail account associated with SWTOR also goes to my mobile phone which chimes when an e-mail arrives. I can be quite confident that I've attempted to use the password within 2 minutes of receiving it on every occasion but without success.

Since I was last able to log in I have now received in excess of 15 OTP mails which don't work - I've deleted some so I can't be sure exactly how many.

I'm able to post here because I haven't cleared the cookie but I can't access my account online without another OTP request.

PLEASE turn the OTP system OFF until a proper review of why it doesn't work and a large scale test has been conducted then implement.

Oh and for the record I can't buy a security key just now - I live in the U.K.

I do have a smart phone - it's a Nokia. I like it, so I'm not gonna change it for an iPhone or an Android device because I don't like the way that they work.


A very quick update - we have just rolled out a change in the expiry time for the OTP message which allows it to be valid for a longer period of time, and we will be monitoring how effective the change is to see if we need to tweak it further or not.

 

I may even get a chance to answer some of the questions raised in this thread in a bit if I'm lucky... :jawa_wink:

 

Phillip

 

When this OTP started, the emails were arriving relatively fast to my inbox - it was merely an annoyance that I had to do it all the time (Why can't you lads borrow steam/valve code? :) )

HOWEVER - for the last 2 days I've been needing several attempts/emails before being able to login - your statement that the length has been increased doesn't feel right in my case - the timer is around 1 minute before the password expires - that's what I'm experiencing here. Hotmail user.

 

Razzer


Are you saying it isn't? Do you KNOW what is causing the problem?

 

Otherwise, just don't speak.

don't know if troll or serious...

i SUSPECT that their servers are at fault, not google's. this is quite reasonable. people with countless different email providers have reported delays.

 

edit:

i looked over the whole thread now, an official admitted that their servers might be at fault. i also saw your ranting... wow. consider this my last post addressed at you.

Edited by Keenator

(Why can't you lads borrow steam/valve code? :) )

 

I've seen many people ask similar things, so I'm not commenting on just your asking it.

 

The most likely reason why they don't borrow/share code with anyone else? Because everyone else won't share such things with their competitors.


It got worse for me the last 2 days. I'm needing 4 or 5, sometimes 6 passwords to have it working now. I don't know what you did, but deleting the launcher file (which I don't remember the name of now) and using Fix Launcher is not working.

 

THE PROBLEM GOT WORSE !


If you are seeing the Physical Security Key in North America showing as out of stock, please press Ctrl-F5 to force a refresh of the page. There was a caching issue with some browsers that for some reason isn't automatically fixing itself even though we refreshed the cache associated with the /buy page last week.

Any idea when those of us outside the US and EU will be able to buy them?


I HATE this one-time password thing. When it arrives promptly, it's mildly annoying. But these last 2 days it seems to arrive later than usual. I'm lucky that up until now it never took me more than 2 OTPs to log in to the game (which is still too long for logging in to a game). I can't imagine how frustrating it must feel to sit there for 30 mins+ just to try to play a game!

We shouldn't jump through so many hoops just to relax and play. And me and hubby have already jumped through hoops to play this one game (due to the country we live in not being the targeted market). That security key app I'm not even sure would work for me, since I can't go to this website or log in to the game without using proxy/vpn. I just hope we can go back to the security questions or have that as an option alongside the OTP.


Bioware you cannot undo what you've done.. no matter what you will do in the future.. some of us will never forgive you ...especially not those who have paid for this game and still get lots of trouble....

Your SWTOR product feels pretty much like a BETA game.. really.. i wonder how a gaming company can be so incompetent....especially when they earn massive amounts of money.. like you do...

i will leave this game when my sub ends... why? here is why:

http://www.swtor.com/community/showthread.php?p=6178923#post6178923

deal with it .. many people will follow.. especially when TESO and other games will release...

@ Phil BW

NO .. i've been playing online games for 10 years or more.. my accounts never got hacked..why?

because MOST of the hacked accounts you hear of have not been hacked...they simply shared their accounts.. then they get mad at each other ( sister mate or whoever they shared their account with ) and then the mad person logged and deleted...or whatever...

there is no further need of security than just a password ... i speak of experience... only fools can get hacked...

in my past i knew many people... many MMORPGers... how can it be that no one of them got hacked?

because there is no hacking at all...

stop sharing your account.. = win

no need for security features that make your login almost impossible...or causing so much trouble...

Edited by Prysha

Phillip actually answered this already.. but not directly. So let me expand on it a bit.

The security questions are controlled and changeable within your account. The OTPs are not... they are one time security keys issued directly from Bioware.

Why is that an important distinction? Because the main reason they went to the OTP process is to enable more self service features for the users. Like the ability to self add/change/delete a Security Key. The OTP is issued by Bioware when you want access to your account and do not meet their security thresholds to do so. It is unique and only issued through your email address tied to your account. It is true two factor authentication.

 

The security questions... while they add an additional level of security to your account... they do not protect your account from compromise in a strong manner because they are carried inside your account and are managed there. OTP through email prevents anyone from altering anything in your account (including your email address) unless your email is also compromised.

 

No. The real reason they dropped the security questions is that customer service got too many calls from users who didn't remember what the answers were or how to spell them. What you are explaining is how they officially present it because they wouldn't admit they just wanted to save money on the customer service.

But from my opinion of subscribed client, there was a system that worked perfectly well for about 16 months without presenting significant security risks (otherwise they would have changed it earlier), and they suddenly switched to a new system a little more annoying that worked perfectly for about one week, and suddenly became totally buggy around last Tuesday, and I just want them to revert back to the system where I can log in to my game in 2 min rather than about 20 min like it is currently the case.

BTW and like I stated it before, I have a master's degree in engineering, I work on the authentication system of the website of a big telecom company that has about 1000 authentication requests per second at peak, and I perfectly know what is technically possible or not.

You should have already noticed that swtor.com provides two levels of authentication: a weak level (probably cookie based) that allows you to keep posting on the forum without ever having to log in again until they restart their servers, and a strong level (probably session based with an expiration policy) that allows you to manage your account. An IP change has no effect on the weak authent, in fact, you can even have multiple sessions from multiple IPs at the same time. My point is: if they want to "enable more self service features for users", they can require an OTP based authent just for those operations while accepting to rely on a secret questions based authent for the user that just wants to log into his game. Since they already have two levels of security, setting up a third one wouldn't be that painful, especially if they are using a standard security framework like spring-security (for example).

 

TLDR: just revert to the previous system for login into the game from the game client, and for additional features they can set up whatever they want in swtor.com. The top priority should be customer satisfaction.

Edited by Boufsa
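The tiered scheme proposed in the post above (cookie for the forum, a knowledge-based login for the game, e-mail OTP only for account changes) can be written as a step-up authorization check. This is an added example, not code from the thread or from swtor.com; the level names, operation names and freshness windows are hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    COOKIE = 1     # long-lived "remember me" cookie
    KNOWLEDGE = 2  # password plus security questions
    EMAIL_OTP = 3  # password plus one-time code sent by e-mail


# Hypothetical policy: operation -> (minimum level, max age of that proof in seconds).
POLICY = {
    "forum_post": (Assurance.COOKIE, None),
    "game_login": (Assurance.KNOWLEDGE, 15 * 60),
    "change_email": (Assurance.EMAIL_OTP, 5 * 60),
    "manage_security_key": (Assurance.EMAIL_OTP, 5 * 60),
}


@dataclass
class Session:
    proofs: dict  # Assurance -> time (seconds) at which that proof was presented

    def level_at(self, now, max_age):
        """Highest level whose proof is still fresh enough for this operation."""
        fresh = [lvl for lvl, ts in self.proofs.items()
                 if max_age is None or now - ts <= max_age]
        return max(fresh, default=0)


def authorize(session, operation, now):
    """Return 'allow', 'deny', or 'step_up:<LEVEL>' naming the proof to ask for."""
    if operation not in POLICY:
        return "deny"  # unknown operations are refused, never defaulted to the weak level
    required, max_age = POLICY[operation]
    if session.level_at(now, max_age) >= required:
        return "allow"
    return f"step_up:{required.name}"


if __name__ == "__main__":
    s = Session({Assurance.COOKIE: 0})
    for op in ("forum_post", "game_login", "change_email"):
        print(op, "->", authorize(s, op, now=3600))
```

The freshness window matters as much as the level: a stale OTP proof must not keep authorizing an e-mail change for the lifetime of the cookie.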

No. The real reason they dropped the security questions is that customer service got too many calls from users who didn't remember what the answers were or how to spell them. What you are explaining is how they officially present it because they wouldn't admit they just wanted to save money on the customer service.

Thank you for this opinion Boufsa, That is what I am suspecting also.

And for me it says: cancel subscription...

If they have you in a..s you should do the same. Sorry, level of pay to cash plus ignoring customers is close to the end.

And I always was so eager to give you next chance... I loved this game. But I am pis..ed off. As my friends.

Sayonara.

I remember playing on private WoW server. Customer service was heavenly.

ALWAYS GM on general chat, tickets answered in 10 minutes tops, after delay or technical problems - free bonuses in mail.

Shame Bioware/EA. Very bad PR.


We have two people in the office who have a Galaxy S2, and the application is working for both of them. Neither are jailbroken if that is important... I don't know how to troubleshoot Android phones (my preference is still Windows Mobile), but I'm hoping uninstalling the app and installing it again from scratch may help.

 

Just thought I'd post to substantiate this. I have a Galaxy S2 as well, no jailbreaking, and the app has worked fine for me since I first installed it the back end of last year. Never had an issue at all :)


I hate the one-time password.

 

Every time the game asks me for one, I scream, "NNNNNNNNOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!"

 

Anyway, extending the expire time will be really nice....because I have to go through two to five emails before one works for me. :/

Edited by Radzkie

"I know a lot of people have many theories on why the message can be delayed, so let me go into what we are seeing based on logs.

 

• A small number of mail providers have an anti-spam measure called 'Greylisting' turned on regardless of the content of a different anti-spam system called 'SPF'. This has been the biggest cause of the delayed emails, and it is also why subsequent emails are making it through in a timelier manner. We tried to alleviate greylisting concerns by providing a valid SPF record, but if it's ignored as a bypass, then there isn't much we can do about that given we don't provide the mail service itself. This accounts for the bulk of the forum threads I have seen and researched, which are affected by this anti-spam system

• Some mail providers are taking just a really long time to process an incoming mail message. I can think of a few other anti-spam systems such as 'tarpitting' which can cause this sort of behavior, but to be honest, we don't know why some are taking longer to process mail messages than others. To make this more complicated, some 'good' mail providers can randomly delay incoming mail for no visible reason we can decipher

• The time delay from receiving the trigger to generate an OTP and actually completing sending the email itself to our mail sending provider is measured in seconds. Usually between 1 and 2, and sometimes less than 1. Delays between hops from that point onwards aren't something we have visibility into

When all is said and done, if you don't get your OTP code fast enough, it becomes invalid. To cater for the small number of mail providers causing consistent issues, we are changing the expiry time appropriately, and we will be keeping a close eye on how that affects the players currently affected by this issue and if necessary we will tweak the value again."

I hate to say this but this is just wrong. I am with Telekom in Germany and they have actually very reliable exchange servers. I use many forums which send emails to me for verification. These mails I receive within seconds, not minutes. This OTP is fine by me, IF you would get your servers set up properly to send mail. The delay isn't from my Provider, the delay is in getting to my provider. This delay isn't from "delays between hops", that's just a sad excuse for not knowing what you're doing. If this were the case, I would be having this same issue with random other instances, which I don't. So far I've been through 4 OTPs while writing this, each with a 5 minute delay or more. It's NOT my provider and it's NOT the hops, if you implement something, test it first.

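The quoted statement ties login failures to mail arriving after the code's expiry window. The sketch below models that interaction as an added example; it is not BioWare's implementation. The class and function names, the TTL and delay values, the "new request replaces the old code" policy and the attempt cap are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class EmailOtpService:
    """Single-use e-mail OTPs with an expiry window (hypothetical service)."""

    def __init__(self, ttl_seconds, max_attempts=5):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._pending = {}  # account -> [sha256(code), issued_at, failed_attempts]

    def issue(self, account, now):
        code = f"{secrets.randbelow(10**8):08d}"
        # Assumed policy: a new request replaces any code still outstanding.
        self._pending[account] = [hashlib.sha256(code.encode()).digest(), now, 0]
        return code

    def verify(self, account, code, now):
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_code"
        digest, issued_at, _ = entry
        if now - issued_at > self.ttl:
            del self._pending[account]
            return "expired"
        candidate = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            entry[2] += 1
            if entry[2] >= self.max_attempts:
                del self._pending[account]  # a longer TTL must not mean more guesses
            return "mismatch"
        del self._pending[account]  # single use
        return "ok"


def login_attempt(ttl, mail_delay, typing_delay=30):
    """Code issued at t=0, mail lands after mail_delay, user submits typing_delay later."""
    svc = EmailOtpService(ttl)
    code = svc.issue("player@example.test", now=0)
    return svc.verify("player@example.test", code, now=mail_delay + typing_delay)


def retry_while_deferred(ttl, first_mail_delay, retry_at, retry_mail_delay):
    """User requests a second code while the first mail is still in transit."""
    svc = EmailOtpService(ttl)
    acct = "player@example.test"
    first = svc.issue(acct, now=0)
    second = svc.issue(acct, now=retry_at)
    # Each code is submitted the moment its mail arrives, in arrival order.
    arrivals = sorted([(first_mail_delay, first), (retry_at + retry_mail_delay, second)])
    return [svc.verify(acct, code, now=t) for t, code in arrivals]


if __name__ == "__main__":
    # Constructed delays: 2 s for prompt delivery, 300 s for a greylisted first mail.
    print("ttl=120 prompt mail :", login_attempt(120, 2))
    print("ttl=120 greylisted  :", login_attempt(120, 300))
    print("ttl=900 greylisted  :", login_attempt(900, 300))
    print("retry, old mail first:", retry_while_deferred(900, 130, 120, 60))
```

Under the assumed replace-on-reissue policy, a longer expiry alone does not help a user who re-requests while the first mail is deferred, and the attempt cap is what keeps the wider window from giving more guesses.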

Remove the damn one time password thing! I don't want to wait 10 mins just so I can log into the game! And it's happening very often that I need a one time password.

 

:mad: Well just to say goodbye guys, I just cannot spend 15 minutes each day to log into my game. Today after many attempts it does not accept my one time password e-mailed to me. I am going to cancel my sub and play another game. Byeeeee :mad:


I hate to say this but this is just wrong. I am with Telekom in Germany and they have actually very reliable exchange servers. I use many forums which send emails to me for verification. These mails I receive within seconds, not minutes. This OTP is fine by me, IF you would get your servers set up properly to send mail. The delay isn't from my Provider, the delay is in getting to my provider. This delay isn't from "delays between hops", that's just a sad excuse for not knowing what you're doing. If this were the case, I would be having this same issue with random other instances, which I don't. So far I've been through 4 OTPs while writing this, each with a 5 minute delay or more. It's NOT my provider and it's NOT the hops, if you implement something, test it first.

 

 

Exactly.

 

For example Steam also asks me sometimes to type in a one time code sent in e-mail. Steam codes are arriving INSTANTLY. And Steam codes are always working.

 

So, the short term solution: get rid of this OTP junk, revert back to the old and working login system. Next time BW should test a login change before it goes live.


well today it worked for me .. but not for my wife...

she gets the one time password.. copy and paste ? not accepted.. ***?

Bioware... i will happily dance on the grave of this game when it dies because **** yeah you destroyed it....


I rarely log onto the forum to post a reply just because I don't want to wait for the one time password to arrive in my email. I read the forums on a public computer so my cookies are not saved after the day is over. I miss the opportunity of entering in my favorite item, etc.

So I too have the same problem with the one time password. It arrives too late relatively often and I can't log in. Of course there is the solution with the security key but I live in Europe so the only one available is the one on a smartphone. I would prefer not to use it. So the main problem is that the passwords come in too late for them to be usable.

I would suggest that you send a one time mail to everyone's account with a link to a code generator. You would have this generator on swtor.com and it would only be accessible from this link within your e-mail. The user would have to save this e-mail in his favorites and access it every time he logs in. So you would still have two levels of security (normal password and e-mail but without a third party - mail delivering service). It would be practically the same thing. If a user deletes by mistake his one time e-mail (many will probably do) then the next time they try to log in they will have the opportunity to ask for a new e-mail with a fresh link. Probably it will take about as much as the OTP to get there but at least it won't expire. One would still have to log in to his e-mail every time the game is started but one would at least be able to play the game.

I'm not a computer specialist by far so I don't know if such a thing is possible to implement but take it as a suggestion and not as criticism. I can imagine that you have too few people and these people have probably a lot of overtime, but if you would work this out then you wouldn't have a lot of angry players pressuring you. For me for example I have very little playtime available so if it takes me too long to log in then it simply defeats the purpose.

If you find my idea good and you would implement it or something similar then I would find it a gesture of good will on your side if you would reward me and a lot of other RP-Players with the possibility to wear Kallig's Countenance with a hood. I play an assassin on a pvp server but rp is still important and I think Kallig's mask looks awesome especially with a hood. And if you're there on the Phantom chest Piece leave the hood, remove the funny looking collar and leave the little shoulder pads that you can spot underneath the collar (I emphasize funny to ridiculous looking) - it would look great trust me.

Please excuse my spelling, English is neither my main nor my second language.

 

Thank you

 

A fan
