An update on the One-Time-Password system (April 16th 2013)

[ZeroPlus]

Over 12 minutes to be able to login.

 

The first OTP arrived already expired. The second one took 5 minutes to arrive.

 

You have my username. Check your logs. You'll see I'm not lying.

 

This is getting ridiculous.

 

I don't mind the OTP. I really don't.

 

What I do mind is WAITING AND WAITING AND WAITING for it to arrive and then when it FINALLY does it is already not valid forcing me to restart over from scratch!

 

Seriously. Fix this!

[Zadtro]

I want this game to be so much more but at every attempt to improve it is a massive fail. This one time password wouldn't be an issue if we had a security key but i am from the UK so anyone in the Europe band can't order because they have never been stocked. Either remove this one time password because waiting is getting annoying or if it takes too long you have to re-login to get another email.

 

Make security keys available to Europe so we don't have to deal with the one-time password waiting time or get rid of it. Its only £2.99 but they have never been in stock.

[RowanThursday]

A wider range of security key apps would be handy. For example, I'd use one if there was one for the Kindle Fire. My phone's smart 'enough' for me- basic web browsing, decent e-mail access, but not, I don't think, smart 'enough' for a security key programme.

[Boufsa]

Here is the trick to get it in two emails max:

 

As you may have seen by looking at the incoming hours in your mailboxe, OTP emails are sent every five minutes. So here is the trick

1) try to log on the site swtor.com (since game client is ever more buggy and don't let you see the OTP as you type it)

2) wait for the OTP to arrive and look at the incoming hour h.

3) You know that next OTP will be sent at h+5min, so if you want to maximize your chances of getting a non exprired OTP, you should ask the next one at h+4min.

 

Once you are logged onto the website and your IP is registered, the game client won't ask you for the OTP.

[Galru]

Why the change to a OTP? I gave you 5 security questions that no one but me knows the answers to... And all of a sudden you decide to change to this OTP method that no one cares for... but hey its your product if you want to piss off your customer base be my guest, this is just another notch in the belt telling me I just need to find another game.

[Ivan-Drago]

I was finally tried of waiting for OTP so I am now using the security key app. It's not the way I prefer logging in but it works and I don't have to wait. Still hoping they return to the old method.

[ZeroPlus]

Strangely enough I was able to logon almost instantly today:

- Logged into the launcher.

- Opened my e-mail.

- OTP was there!

 

All of 15 seconds to logon! This is the way it should be always. This I can live with.

 

Hopefully something was fixed with the delays between the OTP being requested and us finally receiving it.

 

EDIT: Philip_BW's post below seems to confirm my experience. Good stuff!

Edited April 22, 2013 by ZeroPlus

[Phillip_BW]

A quick update today the 22nd of April.

 

After diagnosing a couple of places where the slowdown of outbound OTP emails became evident on the 13th April, the teams have written and implemented another hotfix in addition to increasing the amount of infrastructure handling the outbound emails. We will of course be monitoring the situation carefully as usual to see how effective this latest change is. And to think my original post that started this thread was based on data that ended on 12th April! I'm still kicking myself over that! As usual with these things, timing is everything...

 

As mentioned previously there are also some other pieces of work I've called out which are still being worked on, so expect more news as those progress.

[Bartdewd]

Hi,

 

Well I've been trying to log in for over an hour now, the emails take a minimum of 10 mins each to come through. I can't even log into the website to get the smartphone security key, so feel i'm just wasting my time here.

 

You guys need to sort this out and fast. Not only are your long time subscribers jumping ship, you've made it impossible to generate any new players as they cannot log into your game.

[Nevarr]

I tried changing over to my phone's email address.

 

The good news: the emails arrive almost instantly on my phone.

 

The bad news: My phone won't display the email, just giving me a message that says <Cannot display because mail cannot be recognized>

 

I can't get a one (every time you log in) time password because it won't display on my phone, so I can't log in. I also can't log into my account to change the email back to my gmail, which arrived late more than half the time it was sent, even after the changes. (Clicking on the "account" tab under my login name requires a on-time password).

 

Completely locked out of my account. Thanks, "security".

[LydMekk]

Deleted the browser cache on one of my PCs the other night, it took over 2HRS trying expired email passwrods from your end to get me logged into the forums again...

 

If this had happened to my client access I would have cancelled my sub faster than Philip can say "But..."

 

Go back to my 5 security questions. I'm the only one knowing the answers to those. Security on that solution is more than enough.

 

I fppl are stupid enough to forget the answers to their own security questions they deserve to have to call CS. (I'm guessing that was the reason for introducing this one-time PW piss...)

[oakamp]

A quick update today the 22nd of April.

 

After diagnosing a couple of places where the slowdown of outbound OTP emails became evident on the 13th April, the teams have written and implemented another hotfix in addition to increasing the amount of infrastructure handling the outbound emails. We will of course be monitoring the situation carefully as usual to see how effective this latest change is. And to think my original post that started this thread was based on data that ended on 12th April! I'm still kicking myself over that! As usual with these things, timing is everything...

 

As mentioned previously there are also some other pieces of work I've called out which are still being worked on, so expect more news as those progress.

 

seriously suggest u,

roll back to ask customers' security question system,

stop fix that annoy one time password sux system,

or prepare to lose sub customers.

[Boufsa]

I have confirmed my theory: currently emails are sent every five minutes starting from 00h01 (but there is a small derive it depends on the day)

 

had to restart my box three times since yesterday, each time asked the password 1min before an hour of typology XXhX2 or XXhX7 and each time instantly received it and successfully logged in at first attempt.

 

But maybe it had something to do with the hotfix? I will try at a random hour this evening to confirm it.

[macumba]

Since yesterday the emails seem to arrive much faster now ( < 1 min).

Thank you.!

[zTheBoo]

I can't login to my SWTOR account in the game client, it asks for a password, I get one after a while but it always expired. I don't want to switch email provider just yet. I'm paying to play this game and I expect it to work without having me to change my email.

 

EDIT: I created a filet for SWTOR emails, I get the OTP instantly, but it still says it is invalid for some reason.

Edited April 27, 2013 by zTheBoo

[Max_Killjoy]

This one-time password thing is nonsense.

 

I try to log in, and It asks me for the OTP, and says that I requested it. I did not request anything of the sort. It says that it was emailed to me. There was no email.

 

TEN MINUTES LATER, after I have scoured the SWTOR website looking for a way to request an OTP, after I have changed my regular password in case someone has been messing with my account, I receive an email saying it has the OTP that I "requested".

 

The OTP in the email is "invalid" according to the launcher.

 

EDIT: I just received another email, after another 10 minutes, with another OTP. It is also invalid.

 

EDIT2: And then I received another email a minute after that one, with a valid OTP.

 

I should not randomly have to go log into my email and wait for 10 minutes to receive an email with an OTP that might not work, to log into a game that I am paying for. Go back to the security questions.

Edited April 27, 2013 by Max_Killjoy

[Zhiroc]

Until a ubiquitous biometric authentication system is available, expect more and more services to switch to some sort of 2-factor system (of which the OTP is one, the security key system is another).

 

That's not to say it couldn't be improved though, perhaps by extending it to SMS messages at the least. I'm not a fan of needing my cell phone or a dedicated security key though, so I'll just stick with the OTP.

 

BTW, Google's 2-factor system has the capability to generate a number of one-time-use passwords too, so that might be another alternative.

[zTheBoo]

I got a solution: if your launcher says that the OTP is invalid, run FixLauncher in your SWTOR directory! That fixes it for me.

[TW-Cool]

I dont like having the need of the One time password, however I'm happy to see that it is now emailed to my account right away. Thankfully I only have to do this when I'm using a public computer at my college. I always make sure to not delete my SWTOR cookies on my home computer and I try to never turn off my DSL modem.

[GAULSTON]

I was a happy paying subscriber...not any more...you lost me along with countless others due to this one-time password nonsense. There is nothing "one-time" about it. Do you really expect clients to open up their emails every time they want to play your product? The answer is No. No, I won't be inconvenienced by you...I refuse to log into my email EVERY time I want to play your game...I won't even play for free...No, I won't jump through extra hoops to play a game which I subscribe to and pay for.

Did you all test this genius idea outside of your controlled environment before you decided to implement it? Did you take into consideration static vs dinamic IP addresses from providers?

I don't need to hear your sorry excuses about deleting cookies and IP addresses...all you have to do is reinstitute the old security questions...in fact...this should have been done weeks ago. It worked fine the way it was...it was secure enough the way it was.

I don't doubt there were security issues before...but who were those having their accts hacked? I'm guessing some were too stoned to remember their own security question answers...or...those morons putting their passwords on a post-it note, and displayed on their desk for their teenage son's friends to steal...just two of many possible scenarios. The point is...why punish those who secure their password because of the mouth-breathing zombies who ruin it for the rest of us?

For my resubscription, I will require two things. 1-roll back the security to the way it was...and 2- insentive to return for my inconvenience due to the rediculous one-time password idea. You may be asking yourself what would be sufficient insentive go get our loyal subscribers back...so I will help you come up with a solution. You can start with an apology letter to my email address with an offer of several thousand cartel coins...not a couple thousand...not a few thousand...several thousand cartel coins. This should be sufficient enough to get some of us back....~DISCLAIMER~other lost loyal subscribers may require greater insentive. Should be very simple since you have record of those who unsubscribed due to one-time password idiocy...I'm SURE you have someone reading all those surveys from unsubscribers.

Good luck getting your subscribers back...and tell the new hire in the mail room that I hope he doesnt get layed off due to the poor decision from captain security.

[TW-Cool]

As long as I never turn off my DSL modem, I wont have to enter a "one-time" password. Security can be annoying, can't it?

[Orbyious]

G'day

 

I'm not sure what happened last week but every time I log in to SWTOR or the web page I now get a one time password every time. I have work my way through all the fixes I can find on the forums but still get this problem any advise on how to stop this?

 

Regards Orbyious

[Omarzon]

HI all.

 

Please, customer server, STOP USING OR IMPROVE the OTP system, is more than annoying.

 

Is terryble to logon and... WAIT! use the OTP send to your mail ¿why? ¿why should i check my e-mail for a OTP?, and the alternatives pass trought security keys wich are worst than the actual situation

 

But the worst of all, while you are assure be concerned about security I CANT BLOCK COOKIES TO AVOID OTP ¿Are you kidding me?

 

I work eith security and i know 2 things:

 

1.-A user will complain to any change in protocol or process until they get used to, but u can get used to ramdonly be asked for a annoyng OTP.

 

2.- IT security should be transparent for the final user. Authentication is a different question, ¿how do i assure u that im who i say to be? ¿using a e-mail account? uhm... i dont think so. Sorry.

 

At this point u got 2 options:

 

A.- Improve One-time Passwords according to RFC 6238.

B.- Improve the Key generators systems.

 

Best regards

[Artrii]

As a Computer Information Systems student, one of the first things I've learned in regards to online security is that a lot of people will use the same password for all their accounts so they only have to remember one. I knew people were stupid, but this still blew me away.

 

This also made me wonder why the hell EA/BW would implement this OTP as a means of account security. Some people who play this game are first time MMO gamers. I've ran into people in game that admit to not knowing much about computers and that they play this just because it is Star Wars.

 

So, why the heck would you send a One Time Password to someone's email when a lot of people are stupid enough to use the same password for their account and email?! If one was compromised, then so was the other. The security questions was far and above better than this OTP ever was.

 

Note: I use a security key and don't have to deal with this OTP issue. Also, recommended passwords should contain at least 8 characters with at least one capital letter, one number, and one alternate character such as an exclamation point.

 

Seriously though, the old security questions were never as much of a hassle as this OTP setup is. Even if you happened to forget one of your security question answers and had to call customer service to get the question reset by answering one of your other questions.

[Max_Killjoy]

I have to go through a 5-15 minute wait for the email to show up with the OTP, whether it's logging in here or logging into the game. The only way to avoid having to do this every single time is to leave my computer on all the time, which is of course not going to happen.

 

I have limited time on weeknights to play games. There are more and more nights when I give up and go play something else, rather than waste my time on this OTP nonsense.

Edited May 11, 2013 by Max_Killjoy