Mandatory Authenticators? Yah or Nah?



OutlandishMatt
06-23-2013, 03:26 AM
I've always been a proud supporter of Authenticators ever since I was first introduced to them as MMO protection in 2008 with Blizzard and World of Warcraft. I cannot tell you how important I think Authenticators are to this industry with all the ways someone can get your personal information.

I propose the question, should Cryptozoic make Authenticators mandatory for online trading/selling? Does it hurt the community? Would requiring players to sign up for an Authenticator push people away? Maybe the game works fine but when trying to trade or post an auction they get instructions on how to sign up for an Authenticator in order to use those features. I just hate hearing about people getting hacked in an age when the majority of people have access to an iOS or Android device.

Edit:

I feel I should add that the authentication would just be at login, not for each transaction. Also, they could incorporate a different form of authentication if you do not have a smartphone, such as a phone number you call or receive a code via text.

Zoelef
06-23-2013, 03:37 AM
As soon as I can order a physical authenticator for Hex, I'm snap-buying it.

I propose the question, should Cryptozoic make Authenticators mandatory for online trading/selling?

I personally don't believe in attaching any 'mandatory' costs to people without a smartphone or overseas (shipping authenticators takes time/money), but I think it's prudent to have a tooltip regarding trading, account safety, and authenticators.

Chiany
06-23-2013, 03:53 AM
It should not be mandatory, but highly recommended.
I will be getting one, physical or the app version.

DreamPuppet
06-23-2013, 04:02 AM
I'm hoping for a physical one as soon as possible and for a reasonable price like Blizzard's. I'm not into mobile authenticators, phones these days get hacked as much as computers if not more, hell, cell phones have always been easy to compromise even when they weren't smart and connected to the net...lol

I used to play WoW with a guy who always laughed at authenticators and bragged about how special and hack proof he was on his Mac until his account was compromised and he had to go through the hoops of getting all his crap restored.

MrSeriousBsns
06-23-2013, 04:47 AM
They could split the difference and say that you can use the gold auction house without an authenticator, but the platinum auction house requires a linked authenticator.

Personally, while some people might huff and puff about it, doing something like that will go a long way to improve the security of the real money side of this game.

Banquetto
06-23-2013, 05:30 AM
I just hate hearing about people getting hacked in an age when the majority of people have access to an iOS or Android device.

Or a Windows phone. Just sayin'. I know I'm in a minority but I have Battle.net, Rift and GW2 authenticator apps on here and I hope to have one for Hex also!

;)

Wombat
06-23-2013, 05:54 AM
Please keep in mind that the world is not only 'Murica. Without at least one office in Europe and Asia, shipping of authenticators could be very cost intensive for international players. Plus, we have to be more precise what level of authentication we are talking about. Authenticator to log into the game? -> easy. Authenticator to cash out platinum and other transactions? -> harder (might vary from country to country, also might require knowledge of how transactions are handled in different countries). Physical Authenticators? -> harder. Apps for your phone? -> easy

Personally I am for being able to register one account you want to cash money out to. To verify you have sent ID and credit card copy and a photo of you with mail to crypto. If you want to change the account, you have to do it again and stuff has to match. So you simply make it not worth it to steal an account in the first place, because you can not cash out with it + selling has too many cons for a possible buyer.

I don't think we need physical authenticators to log into the game. PSA: Get yourself some anti virus program and just watch your porn without clicking on the ads of horny naked women in your area and how to grow your thing by 5'' a week on the side. Also download your music and movies from reliable illegal sources and you should be fine.

Rydavim
06-23-2013, 05:56 AM
I don't believe Cryptozoic should make having an authenticator mandatory.

That being said, my assumption is that they will be free or cheap (physical), and accessible to everyone. Anyone who doesn't take advantage of that is an idiot. Hex is something many people will invest a great deal of time and money into. Having common sense, good computer security habits, a decent password, and an authenticator, makes your account more or less hack-proof.

Why would anyone not want one?

Mr.Funsocks
06-23-2013, 06:01 AM
Fuck. No.

Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose. Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers. If you are a person who does these things, then having the authenticator available is a good idea, but making it mandatory? Uh uh. No.

jai151
06-23-2013, 06:11 AM
Yes, authenticator should be mandatory. You don't need a smartphone to have an authenticator, you don't need a physical authenticator either. Authentication can be done through any cell phone or home phone just as easily, look to Google for a model.


Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers.

Having done none of those, I had a WoW account compromised. It was long after I cancelled, I had removed my authenticator as during the cancellation I had switched from iPhone to Android. About two months after I dropped the authenticator, having never even looked at anything WoW since I quit (and certainly never responding to any "From Blizzard" emails, downloading anything that could have been questionable, or using an easy pass before or after) I got notification from one of my still playing friends that my account was logged in. Contacted Blizz, got it straightened out, got the android authenticator.

Apparition
06-23-2013, 06:14 AM
It should not be mandatory. People should have a choice. If people want extra protection, they can get it. If they don't, they won't have to go through the extra hassle.

Malicus
06-23-2013, 06:21 AM
Requiring an authenticator to use the AH won't stop anything since anyone without one who gets compromised would just have one added for them to enable the transaction since there is no cost associated with an app version.

I do not believe they should be mandatory but some limitations on account restoration maybe, or something to encourage usage of them because in the long run it is the Crypto and the rest of the market who benefit most from authenticator usage since it reduces the amount of correction necessary.

blakegrandon
06-23-2013, 07:05 AM
Fuck. No.

Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose. Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers. If you are a person who does these things, then having the authenticator available is a good idea, but making it mandatory? Uh uh. No.

Let me tell you a really quick story, you probably won't actually read it, but I'm going to tell you it anyway.

Diablo 3 had just come out, I had ordered my authenticator but it had not arrived yet. My account was set up on a clean computer (brand new, built specifically for Diablo 3), my account was set up on a throwaway Gmail.com account, the email account had a random 16 letter/number randomized password, the battlenet account had a 16 letter/number randomized password; and I only used the computer for Diablo 3. I'm on a wired Internet line, built the computer myself, and was not phished, did not download ANYTHING or browse ANY websites other than Battle.net and the actual game.

Between the day the game came out and the day my authenticator came my account was compromised. Believe it or not compromises to companies happen and even the largest and most secure companies can have data breaches on massive levels.

Credit card info can get stolen, login and password info can get stolen, and identifying info can get stolen; sometimes without the company knowing for weeks, months, or even years.

Of course, this is where you come back and tell me it couldn't have been Blizzard, it had to have been me, and dismiss any arguments for authenticators.

Frankly I've never seen a reason NOT to purchase or use a cell phone authenticator, and implying that it's the victim's fault for not being "secure" enough is bullshit.

I just hope we can actually have an authenticator at launch instead of having to wait for it to ship, they add another layer of protection to the entire system.

I'm not sure how I feel about mobile authenticators simply because if my phone gets stolen it's probably a pain to switch it out and also I like having a dongle next to my computer that I know I won't leave at work or in a bar somewhere.

Mr.Funsocks
06-23-2013, 07:25 AM
I love how every time I point out that security is your own responsibility a few people pipe up with "I didn't do anything wrong and got compromised!"

Quite simply: I have your word on it, and I don't believe it. I believe you THINK you didn't get compromised, but there was probably a keylogger you didn't know was downloaded, a phishing scam you're SURE was right, or something. Occasionally companies themselves have login info compromised, but if that happens more than once or twice in any game, especially one with digital items holding real world value, I can assure you there won't be many players left.

If you have problems with your own security, if other people than you use your computer, or if you just like the padding, then go for it, it's a great extra level of security. Me? I don't have (nor want) an extra dongle or smart phone that I need to have on my person to get into my account.

jai151
06-23-2013, 07:31 AM
I love how every time I point out that security is your own responsibility a few people pipe up with "I didn't do anything wrong and got compromised!"

Quite simply: I have your word on it, and I don't believe it. I believe you THINK you didn't get compromised, but there was probably a keylogger you didn't know was downloaded, a phishing scam you're SURE was right, or something. Occasionally companies themselves have login info compromised, but if that happens more than once or twice in any game, especially one with digital items holding real world value, I can assure you there won't be many players left.

I always thought exactly the same until it happened in WoW. Even taking every precaution, compromises DO happen.


If you have problems with your own security, if other people than you use your computer, or if you just like the padding, then go for it, it's a great extra level of security. Me? I don't have (nor want) an extra dongle or smart phone that I need to have on my person to get into my account.

And you need neither of them for an authenticator.

blakegrandon
06-23-2013, 07:34 AM
I love how every time I point out that security is your own responsibility a few people pipe up with "I didn't do anything wrong and got compromised!"

Typical response.

History has shown corporations to get compromised ALL the time.

Sony has been compromised.

Microsoft has been compromised.

Blizzard has been compromised.

Living Social has been compromised.

The list goes on and on, but you're going to insist it was on my end even though I installed NOTHING except Diablo 3, even though I don't share my computers, even though I use a throwaway email for major games, and even though others were reporting the EXACT same situations.

Yes, it's so hard to believe that corporations can't be compromised and blaming the victim is clearly the way to go.

Blizzard HAS been compromised more than once, and still has a lot of players BECAUSE of attitudes like yours that blames the victim and essentially calls them liars because they "had" to be compromised.

I sincerely hope your account never gets compromised due to a data breach at the company level, so that you don't have to know what it feels like to get dismissed and blamed for the company getting attacked.

Punk
06-23-2013, 07:39 AM
No one should be forced into 2-step authentication as it may not be applicable to all players.. but there is no reason why someone shouldn't use this additional layer of security if it is available to them.

blakegrandon
06-23-2013, 07:41 AM
No one should be forced into 2-step authentication as it may not be applicable to all players.. but there is no reason why someone shouldn't use this additional layer of security if it is available to them.

I'm not saying people should be forced to use it, but it's a great tool to help make a game more secure and it should be strongly recommended. Especially when it comes to a MMOTCG, there will be a lot of incentive to protect accounts in every way possible.

OutlandishMatt
06-23-2013, 07:41 AM
Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose.

Some people get malicious software just through ads on websites without ever clicking. I really don't understand how someone can be so opposed to an EXTRA layer of security. That is stupid to me.

Corpselocker
06-23-2013, 07:47 AM
I'm thrilled to be able to protect my investment with another layer of security.

blakegrandon
06-23-2013, 07:48 AM
Some people get malicious software just through ads on websites without ever clicking. I really don't understand how someone can be so opposed to an EXTRA layer of security. That is stupid to me.

Also when Diablo 3 came out there were thousands of people with identical stories saying their accounts got compromised. I was one of them and I sure as hell didn't download anything or get exposed to a keylogger or malicious software. Anyone not wanting to protect their account in the event the company is compromised is silly to me.

"Password security" means nothing when there is a man in the middle and you have no control over the security of the other end or the connection on their end.
Any "Security Specialists" that advocate blaming the victim need to be retrained in today's world where corporate break-ins are an almost daily occurrence.
http://www.heavy.com/tech/2013/03/a-timeline-of-companies-that-have-been-hacked-in-2013/

Hacks that they "know" about in 2013, it's only June and there have been a ton of REPORTED hacks, this isn't including the ones that hackers get away with.

OutlandishMatt
06-23-2013, 07:54 AM
This is why I believe Authenticators should be mandatory.


Me? I don't have (nor want) an extra dongle or smart phone that I need to have on my person to get into my account.

It may not be in one day, a week, a month, or even a year but at some point you will get compromised and you will be crying to get your account back and I would love for Cryptozoic to have a policy in place that makes it so you can't recover your account because you didn't accept the many forms of extra security because you didn't want one.

Even if you didn't have a smartphone they could make it so you could call a phone number or text you a code. I would also assume their security would e-mail you if ANY info was changed so you'd know if your cell phone number or e-mail address was changed.

Mr.Funsocks
06-23-2013, 07:54 AM
Some people get malicious software just through ads on websites without ever clicking. I really don't understand how someone can be so opposed to an EXTRA layer of security. That is stupid to me.

http://adblockplus.org/en/chrome

https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en

I'm not opposed to it existing. I'm opposed to it being MANDATORY for those of us who know how to avoid security breaches.

Mr.Funsocks
06-23-2013, 07:58 AM
This is why I believe Authenticators should be mandatory.



It may not be in one day, a week, a month, or even a year but at some point you will get compromised and you will be crying to get your account back and I would love for Cryptozoic to have a policy in place that makes it so you can't recover your account because you didn't accept the many forms of extra security because you didn't want one.

Even if you didn't have a smartphone they could make it so you could call a phone number or text you a code. I would also assume their security would e-mail you if ANY info was changed so you'd know if your cell phone number or e-mail address was changed.

A) I very often (ie now) don't know where my cell phone is. And for some reason it neither sent nor received texts for a while, though I dunno (or care) why because I don't use it for texting.

B) If my account gets compromised, I assume it's my fault, and I'll be taking steps on my own to handle it (such as setting up an extra dummy email and thoroughly scanning my computer). I'll get my account back, then take responsibility.

Punk
06-23-2013, 08:06 AM
Typical response.

History has shown corporations to get compromised ALL the time.

Sony has been compromised.

Microsoft has been compromised.

Blizzard has been compromised.

Living Social has been compromised.

The list goes on and on, but you're going to insist it was on my end even though I installed NOTHING except Diablo 3, even though I don't share my computers, even though I use a throwaway email for major games, and even though others were reporting the EXACT same situations.

Yes, it's so hard to believe that corporations can't be compromised and blaming the victim is clearly the way to go.

Blizzard HAS been compromised more than once, and still has a lot of players BECAUSE of attitudes like yours that blames the victim and essentially calls them liars because they "had" to be compromised.

I sincerely hope your account never gets compromised due to a data breach at the company level, so that you don't have to know what it feels like to get dismissed and blamed for the company getting attacked.

A majority of what people's issues are with their accounts being "Hacked" is that they use their same email address and password at a different website. Doesn't matter which website.. even websites that have nothing to do with the game you are playing. That fan website that you signed up for to post on their forums could have become compromised and their usernames/passwords could have been stolen. Once this list is out there, it is sold hundreds of times within a week and tried at every single login page that could potentially earn the "hacker" money.

Actually, while I was writing this, I decided to go dig through 70 pages of old posts on the Path of Exile forums for these following two posts that were made by Chris of Grinding Gear Games. Some of the information in these posts pertains to Path of Exile, but he covers lots of very good points. The first post was made initially with basic information regarding how to prevent your account from being compromised. The second post was a few weeks later after there was an influx in compromised accounts and the actions that Chris was going through during this time. There was a third post by Chris that I was unable to find where he states (after the first two posts) that he went online and bought a list of usernames and passwords and there were quite a few of them that were the current login information for many users!

Anyway, a lot of what Chris has to say is very good information:


In any online game with an economy, in-game items have value. These items are often sold on external real-money trading sites, and we're doing what we can to stop these affecting Path of Exile. We're attacking their spam and the way that they get items to sell.

Unfortunately, one of the ways these shops obtain items is by stealing them from other Path of Exile players. We have received several reports of people losing items, and we can see from our logs that these end up on accounts (generally accessed by Chinese IPs) that are used to supply RMT item sites.

After several days of painstakingly investigating these cases, we've identified quite a few ways that players are having their passwords stolen. I'd like to go through them one by one and explain how players can keep themselves safe and what we can do on our end to make these attacks more difficult.

I should stress that these problems are common to most online games and that they're problems that players can prevent with good internet security practices.

Phishing Links/PMs
A phishing site is one that is set up to look just like pathofexile.com but instead sends your password to the attacker. We see people sending links to these sites in PMs or posting the links on the forum (these are often disguised as legitimate looking links). As soon as we discover these, we immediately delete them. We are probably going to change the forum and PM system so that external links either carry heavy warnings or just don't work at all. To keep yourself safe from phishing links in the meantime, only enter your email/password on the official www.pathofexile.com site! You can tell it's the official one by going to the login page and checking to see that your browser has a lock icon that says "Grinding Gear Games Limited" when you click it (i.e. is connecting via SSL and has a certificate proving it is us).

Malware in Cheat Programs
If you use a maphack tool (or other cheat program), we will ban you. If we don't ban you in time, your account will be stolen due to the keyloggers that the program probably has. All maphacks that we have investigated currently have keyloggers. If you want to keep yourself safe, don't try to cheat.

Posting Config Files
Your password (hashed, not in plaintext) is stored in your Path of Exile configuration file. Do not post this file online or allow other people access to this file. In the very near future we will make it so that this information does not allow other people to log into your account. If you want to be completely safe, untick the option that makes the game client save your password.

Non-unique Password
Don't use the same password that you use on other services. It's extremely common for fansites to be compromised, leaking a list of their users' email/passwords. Many of these can be used to log in to Path of Exile because people re-use passwords. Choose a new password! Make it long!

Already Compromised PC or Email account
A decent percentage of users have computers or email addresses that are already compromised and are part of a botnet. There's nothing we can do about this. Please keep your computer clean and practice safe internet security.

Power-levelling Services
If you give someone your account details so that they can power-level your character, they'll probably steal your items. We will ban people who accept real money for Path of Exile items and services, so it's likely your account will be banned if they have accessed it. Do not cheat!

In addition to the above steps, we're also planning on having access to accounts from strange IP addresses require email or cellphone verification. This will hopefully mean that even if your password is stolen, the attacker needs access to your phone or email in order to log in.

Unfortunately, we cannot restore any items lost to theft. One of the most important things about Path of Exile is its online economy, and if we performed restorations on demand then the economy would be flooded with duplicated items. We've seen this in other games (where the game companies restore compromised items and create a massive economic problem in the game).

If someone compromises your account and deletes your characters, we're currently unable to restore these characters. We are working on changing the game so that deletions are "soft" rather than "hard", which will allow us to restore deleted characters easily. If their items are stolen, however, then the character will be empty. This feature will be available in the future but is not ready yet!

I am very sorry that our policy is no help if you've lost items or characters. I sincerely wish that I could restore them for you, but to do so would undermine one of the most important aspects of the game. If you have been compromised, I strongly suggest:
First, make sure your computer is malware free. A reformat would be the best bet. If you follow the following steps but still have malware, the attacker will just take your password again.
Make sure that your email account is secure. Change its password! Set up two-factor (i.e. cellphone) authentication with your email provider. If the email is not secure, the attacker can still steal your account
Set a Path of Exile password that is different from any other password you have used before. Make it long and complex.
Don't enter your password anywhere except the official site and the game client. Make sure the site says "Grinding Gear Games Limited" when you click the lock icon next to the address.
Don't download untrusted software or click untrusted links.


We take security very, very seriously. The website and game client both use secure encrypted sessions to handle logins. We donít store credit card information on our servers. Passwords are stored hashed and salted. Even the backups of your data are encrypted so that thieves can't get anything if they steal the backups.

Please take steps to make sure your accounts are safe. It pains me greatly every time I read about lost items that we can't replace. With some development time on our end (as outlined above) and good security on the part of our users, your accounts will be much more secure and the item sales sites won't be able to steal our items.
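
The verification for logins from unfamiliar IP addresses that Chris describes in the quoted post above, sketched as an added example; it is not part of the original thread and not Grinding Gear Games' code. The /24 and /48 network grouping, the ten-minute code lifetime, the attempt limit and every name in it are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 600   # assumed lifetime of a verification code
MAX_ATTEMPTS = 5         # assumed guess limit per pending challenge


def network_key(ip: str) -> str:
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network.

    Assumption: comparing networks rather than exact addresses avoids
    challenging a player each time their ISP hands out a new address.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


@dataclass
class Challenge:
    code_hash: bytes          # only the hash of the code is kept server-side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class Account:
    known_networks: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)   # network -> Challenge


class LoginGate:
    """Runs after the password check has already succeeded."""

    def __init__(self, send_code, clock=time.time):
        self.accounts = {}
        self.send_code = send_code   # callable(name, code): e-mail or SMS delivery
        self.clock = clock

    def enroll(self, name: str, ip: str) -> None:
        """Account creation: the signup network is trusted from the start."""
        self.accounts[name] = Account(known_networks={network_key(ip)})

    def login(self, name: str, ip: str) -> str:
        """Return 'ok' for a known network, 'verify' after sending a code."""
        account = self.accounts[name]
        net = network_key(ip)
        if net in account.known_networks:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        account.pending[net] = Challenge(
            code_hash=hashlib.sha256(code.encode()).digest(),
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        self.send_code(name, code)
        return "verify"

    def verify(self, name: str, ip: str, code: str) -> bool:
        """Check a submitted code; success adds the network to the account."""
        account = self.accounts[name]
        net = network_key(ip)
        challenge = account.pending.get(net)
        if challenge is None:
            return False
        if self.clock() > challenge.expires_at or challenge.attempts_left <= 0:
            del account.pending[net]      # expired or guessed too often
            return False
        challenge.attempts_left -= 1
        supplied = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(supplied, challenge.code_hash):
            return False
        del account.pending[net]          # codes are single use
        account.known_networks.add(net)
        return True


if __name__ == "__main__":
    # Constructed walk-through using documentation address ranges.
    outbox = []
    gate = LoginGate(send_code=lambda name, code: outbox.append((name, code)))
    gate.enroll("player", "198.51.100.10")
    print(gate.login("player", "198.51.100.77"))   # same /24 as signup
    print(gate.login("player", "203.0.113.5"))     # unseen network, code sent
    print(gate.verify("player", "203.0.113.5", outbox[-1][1]))
    print(gate.login("player", "203.0.113.5"))     # now trusted
```

A stolen password alone stops at the `verify` step here, which is the property the post is after; the gate is only as strong as the e-mail or phone account that receives the code.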

blakegrandon
06-23-2013, 08:07 AM
http://adblockplus.org/en/chrome

https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en

I'm not opposed to it existing. I'm opposed to it being MANDATORY for those of us who know how to avoid security breaches.

Please tell me how to avoid corporate security breaches.

Your arrogance in assuming I don't take all the necessary steps and in assuming that you're the only one here being honest is breathtaking.

I use ad block plus, I use dummy throwaway email accounts, I use AVG and Microsoft Security essentials, I don't open up websites and emails unless I know absolutely where I'm going. I use one time passwords and change them frequently using 16 number/letter/random word combinations.

Please stop victim blaming, companies are broken into every single day and they're a lot juicier of a target than one individual at a time.

Punk
06-23-2013, 08:08 AM
Second post:


A couple of weeks ago I posted here explaining the common ways that users are having their passwords compromised by attackers.

We're now seeing an increase in the rate at which the attackers are stripping these accounts of their valuable items. As soon as we had the realm stability issues sorted out, we started work on new account security measures that should make it difficult for attackers to use stolen passwords to access your accounts.

I want to be completely clear - our security has not been breached. If our database had been compromised, the accounts that attackers would target first would be the most wealthy players, the high profile streamers or the developers. Imagine how much it'd be worth to compromise my account? Kripparrian's? The top people on the ladder? These people have not lost their passwords. There has been a 0% rate of developer accounts being accessed by overseas IPs. The accounts that are being targeted are generally mid-low playing accounts, typically associated with the usage of hack software. We often have users write into support complaining about side effects of their maphacks, only to later report the same day that their items have been stolen. It is worth pointing out that these hack programs are bannable, and while we haven't yet done a banwave, the thousands of people who use them will lose their accounts due to it if they are still running them as we turn on our countermeasures.

I've spent massive amounts of time going through logs of IP usage and talking to people who have been compromised. In almost every case, it was due to violating one of the security practices we've outlined in the post I mentioned at the top of this one. Players have been using the same passwords on insecure community sites, running malware, clicking phishing links and have pre-compromised machines that are part of botnets. Now that the attackers who have these passwords have some degree of automation, they appear to be stripping accounts more quickly than before, resulting in a big increase in the reports of hacking. We are mass-banning IP addresses that are used for this theft, but due to the use of proxies, it's very hard to stop it in this way.

I'm not claiming that everyone that has lost items has run an illegal hack program. Many users have merely re-used passwords, had an insecure version of Java when browsing infected community sites, or accidentally clicked a bad link and logged into a fake version of our site. These are very easy mistakes to make unless you are extremely careful.

This situation is exactly why games have security systems in place to prevent people accessing accounts in this way. Path of Exile does not yet have such a system, but it will do very soon. We're a very small team of developers and have been working long hours for the last month to address these issues and other stability ones (that are now thankfully much better). Within a week we expect to launch the account security improvements which would mean that even if you do have your password compromised, it's still hard for people to access your account. We may be able to deploy the first improvements that help with in the next 48 hours.

People have asked us why we don't restore accounts when they are hacked. The reason is that the outcome of this would be far, far worse for the game. I understand it's hard to see that perspective when you're staring at an empty stash where your items were, but please consider what would happen to the economy if players could request their items to be restored due to theft. It would be very easy to fake an account theft - just ask a friend from elsewhere to log in and take your items before contacting support and asking for a restoration.

If our policy was to restore in a way that duplicated the items, this would be a free duplication method that people could easily use. If our policy was to take the items back from the attacker without duplicating them, then this would result in a free tradehack that anyone could use. In either case, the economy would be destroyed.

It's currently taking our staff the entire day just to process our existing volume of support requests. Not only would thoroughly investigating each claim take far too long, but the very fact we were doing it would encourage people to abuse it as hard as they can. For all of those reasons, it is not an option to restore items under any circumstances.

This whole situation is a lesson in why it is inadequate to assume that passwords are sufficient security. I am very, very sorry that we did not have better security measures to make stolen passwords useless when we entered Open Beta. Thankfully there are improvements to this coming very soon so that it won't be a problem in the future. I will work every evening and through the weekend to make sure that these fixes are deployed as soon as humanly possible. Although people will probably still lose their passwords, the attackers will hopefully not be able to actually get any items from it and then they'll stop bothering.

This is also a lesson in how many users are running infected software. Although we have an active community of over a million monthly users, we're seeing thousands and thousands of accounts running software that is known to be infected with keyloggers. Even if our security measures mean that this software doesn't result in your items being stolen, it will still result in your account being banned for trying to cheat.

If you're worried about having your items stolen and you have not run any strange software, just change your password, don't click weird links and don't use the same password on other sites. That's what I do and no one has hacked my account yet.

One thing that Chris mentions for Path of Exile is that if your account gets hacked, you cannot get your items restored. He explains his standpoint behind this and if Diablo 3 has shown us anything, it would be that restoring lost items is a scam all within itself. The reason why I point this out, is because I am strongly assuming Hex will be this same way. So, if someone doesn't want to use the 2nd layer of security, they shouldn't be forced into this much like what Mr.Funsocks has stated. It is the user's responsibility to keep this information safe. If they do not need additional assistance, don't force them. As I stated before, I don't see why you wouldn't use it if you had it available. More security obviously makes things.. more secure.

OutlandishMatt
06-23-2013, 08:09 AM
If my account gets compromised, I assume it's my fault...

But at the end of the day, you want Cryptozoic to recover your account for you not protecting your account.

OutlandishMatt
06-23-2013, 08:15 AM
Those two long posts could have been avoided and the need to tell people how to protect themselves and all of that trouble if only they made Authenticators mandatory from the launch of the game.

Mr.Funsocks
06-23-2013, 08:21 AM
But at the end of the day, you want Cryptozoic to recover your account for you not protecting your account.

If my account is broken into, it's their fault. Literally. Because I won't allow my account to be compromised myself, and if they're compromised so badly that hackers get access to my account on more than one occasion, I'M FUCKING LEAVING THE GAME, OK?

The corporations you cited that got hacked? Yeah, I don't trust them with my CC or personal info. Facebook? Oh hell no, their record is terrible. MS? Can't think of any reason I'd have an account with them, but again, their record is terrible. Companies that actually put effort into that don't get compromised, or if they do they know how to deal with it quickly and effectively. When PSN got breached, it was a big deal, and that's the only major gaming one I can think of, and they took massive measures against it.

Mr.Funsocks
06-23-2013, 08:22 AM
Those two long posts could have been avoided and the need to tell people how to protect themselves and all of that trouble if only they made Authenticators mandatory from the launch of the game.

Orrrrr they could just laugh at people who download malware... Authenticators could be mandatory for people who get their account broken into 3-4 times.

Brumby66
06-23-2013, 08:31 AM
An authenticator would help with security, but it also has other functions. It can be used as a tool to track accounts being sold and reduce the amount of them being sold. It could also help against people using multiple accounts depending on the type of authenticator. With that said, people who have multiple accounts or plan on selling their account in the future probably won't like this idea. I could go either way on this one.

keroko
06-23-2013, 08:36 AM
multi-factor auth better than not. simple as that.

give an option to work with one of the pre-made apps such as 'google authenticator' and you've really no excuse for not being able to obtain one. Does not require dedicated hardware device if not desired.

Potential application isolation issues for consideration where virtual otp generator is on same mobile device as hex client.

As to people worried about 'being hacked' etc. as individuals. You likely possess insufficient resource of value to risk exposure of attack infrastructure to detection mechanisms which exist.

Punk
06-23-2013, 08:59 AM
Those two long posts could have been avoided and the need to tell people how to protect themselves and all of that trouble if only they made Authenticators mandatory from the launch of the game.

Those two long posts also had a lot of very valid points regarding security and restoring lost items on "hacked" accounts. Also, not everyone has a Smartphone and Physical Authenticators will cost money. If this is mandatory, then Cryptozoic cannot say that this is a F2P game in any definition of the term.


If my account is broken into, it's their fault. Literally. Because I won't allow my account to be compromised myself, and if they're compromised so badly that hackers get access to my account on more than one occasion, I'M FUCKING LEAVING THE GAME, OK?

The corporations you cited that got hacked? Yeah, I don't trust them with my CC or personal info. Facebook? Oh hell no, their record is terrible. MS? Can't think of any reason I'd have an account with them, but again, their record is terrible. Companies that actually put effort into that don't get compromised, or if they do they know how to deal with it quickly and effectively. When PSN got breached, it was a big deal, and that's the only major gaming one I can think of, and they took massive measures against it.

Mr.Funsocks, I really hope that you are not forced into using a 2nd layer of security, but at the same time I would not feel sorry for you one bit if your account got compromised. Being stubborn enough to decline any additional security and expect your items to be restored if your account does get compromised is just being plain arrogant. Having the mentality that "if my account gets hacked it was that company who had a security breach" may be one of the stupidest things I have ever heard. I have worked on the Helpdesk for one of (if not the) largest IPS (Intrusion Prevention System) out there and I can safely assure you that everyone in those companies uses a minimum of a 2nd layer of security.

I by no way am saying "you're going to get hacked if you don't use one," but this is like saying your car has a seat belt so you do not want to use air bags and if you get hurt then it is the car manufacturer's fault.

Yoss
06-23-2013, 09:08 AM
+1 for physical authenticators! I'll gladly pay $5 for the increased security.

Also, if they made them mandatory to use the proposed RMAH then it would go a long way towards stopping abuse.

blakegrandon
06-23-2013, 09:10 AM
If my account is broken into, it's their fault. Literally. Because I won't allow my account to be compromised myself, and if they're compromised so badly that hackers get access to my account on more than one occasion, I'M FUCKING LEAVING THE GAME, OK?

I love your attitude.

You blame everyone but yourself, blame the companies if your account was to be hacked, but blame individuals when their accounts get hacked.

You don't see anything wrong with your logic?

I took every precaution possible to avoid my battle.net account getting compromised and it was still compromised.

Cryptozoic has a better track record than every other large company out there? Cryptozoic has a great track record BECAUSE they have yet to be compromised because this is their first large online game.

You've already admitted corporations get compromised, so why are you saying Cryptozoic is any different? Why are you victim blaming when you admit that companies get compromised and the victim may have been as secure as possible short of an authenticator?

You seem to have a serious problem when it comes to believing anyone except you secures their stuff, I hope that never comes to bite you in the ass and I hope you never get compromised, but if you do I'm not going to have a shred of sympathy for you.

jai151
06-23-2013, 09:11 AM
Those two long posts also had a lot of very valid points regarding security and restoring lost items on "hacked" accounts. Also, not everyone has a Smartphone and Physical Authenticators will cost money. If this is mandatory, then Cryptozoic cannot say that this is a F2P game in any definition of the term.

You don't have to have a smartphone. Any cell phone or home phone could be used with an authenticator service. Look at how google runs their two-step for an example.

Yoss
06-23-2013, 09:13 AM
-1 for cellular authentication. Physical dongle is the way to go for best results.

Gridian
06-23-2013, 09:22 AM
Mandatory? Nah.

Recommended? Definitely. Also, by choosing a password different from "password" an account will be quite secure even without an authenticator. :cool:

EDIT:
Ah yes: I of course will get one - preferably physical (to join my WoW and LoTRO authenticators), but I also have a smartphone (by necessity, my cellphone retired itself this winter). :-)

Hibbert
06-23-2013, 09:23 AM
If my account is broken into, it's their fault. Literally. Because I won't allow my account to be compromised myself, and if they're compromised so badly that hackers get access to my account on more than one occasion, I'M FUCKING LEAVING THE GAME, OK?

The corporations you cited that got hacked? Yeah, I don't trust them with my CC or personal info. Facebook? Oh hell no, their record is terrible. MS? Can't think of any reason I'd have an account with them, but again, their record is terrible. Companies that actually put effort into that don't get compromised, or if they do they know how to deal with it quickly and effectively. When PSN got breached, it was a big deal, and that's the only major gaming one I can think of, and they took massive measures against it.

Zero day attacks exist. I had a drive by download of something from a bad ad on a trusted website. I noticed a weird slowdown, and some weird stuff in my task manager. My antivirus and antimalware didn't recognize it, but it got me worried enough that I reformatted and reinstalled.

Since then I've been even more paranoid. In addition to ad blockers I run a javascript blocker. It's a pain to set up every website I visit, but I can be sure that random 3rd party websites don't get to run scripts through ads.

I also set up authenticators on my battle.net account and my gmail account. I have some email verification (which isn't as safe as traditional two factor authentication, but passable with my hardened email account) set up for various other accounts.

I did all this because I realized I wasn't as safe as I thought. I've never actually had an account hacked and I had pretty much the same attitude you had. I wasn't an idiot with passwords, ran anti virus/malware, and didn't visit dodgy sites. When I had that scare with the virus/keylogger/whatever that was injected through a flash ad, I realized I had just barely missed the bullet. Another zero day exploit (router hack, dsl modem hack, windows security bug, flash exploit) could get me, and I might not notice it right away like I did last time.

That's why I feel a bit safer with an authenticator on my battle.net account (one of the biggest targets for these people) and my email account (which could provide access to many of my other accounts). I'm definitely signing up for a Hex authenticator.

keroko
06-23-2013, 09:36 AM
You blame everyone but yourself, blame the companies if your account was to be hacked, but blame individuals when their accounts get hacked.

This is a common misconception, in fact one perpetuated by the security industry - that the user is at fault.

They are not, they are human. Design systems that rely upon humans with failure in mind.

We cannot yet properly perform constant biometric authentication / auth level control in a way tied to your body in a civilian scenario on a distributed network cost effectively.

passwords for now, multi-factor a big help.

Access normalization also, auth from connecting IP block etc. Troublesome with mobile client use but still can be reduced to access map for particular user.

PLEASE CZE - track the hell out of me. I'm asking for it. Keep my stuff safe.

regomar
06-23-2013, 09:43 AM
Fuck. No.

Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose. Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers. If you are a person who does these things, then having the authenticator available is a good idea, but making it mandatory? Uh uh. No.

THIS. For the love of god THIS.

I don't want to have to use some stupid physical POS just to log into my game. If you're not a complete idiot, your login info should be safe. Unfortunately, there are SO many idiots out there. If you need something like that to keep yourself safe because you don't know how to use the Internet, that's fine, make it optional, but mandatory? BS.

keroko
06-23-2013, 09:57 AM
oh @regomar - we are doomed to disagree. There's only one thing for it come access to hex you know :)


http://www.youtube.com/watch?v=lXX7dRULFaE&list=PLWzBnBSeMSzmvgPjGok93-9YW5d30KN2R

grey0one
06-23-2013, 09:59 AM
THIS. For the love of god THIS.

I don't want to have to use some stupid physical POS just to log into my game. If you're not a complete idiot, your login info should be safe. Unfortunately, there are SO many idiots out there. If you need something like that to keep yourself safe because you don't know how to use the Internet, that's fine, make it optional, but mandatory? BS.


This is why we can't have nice things. Or more on topic, why we can't have mandatory authentications. There will be a minority of people who think that the way they do it is correct. Even if it has been luck/anonomacy before. Forcing people will not be worth the effort on Cryptozoic's part.

Lowering the learning/price barriers to using an authenticator will be worth every dollar. People who have certain flags, like KS accounts and high level Tournament wins, that will be actively sought out by hackers. You need to stick to the security triumvirate of Who You Are, What You Have, What You Know. Do use that authenticator! If you think you'll have some worthy account flags, get it yesterday!

Punk
06-23-2013, 10:24 AM
You don't have to have a smartphone. Any cell phone or home phone could be used with an authenticator service. Look at how google runs their two-step for an example.

I am very familiar with the 2-step and app specific passwords for gmail, but actually spaced this was even still a thing since it never gets brought up. Unfortunately, I have used numerous other 2-step authentication methods over the course of their existence, and not one of them have this type of backup method. They are all the same: Type in the generated code that is constantly changing.

jai151
06-23-2013, 10:27 AM
I am very familiar with the 2-step and app specific passwords for gmail, but actually spaced this was even still a thing since it never gets brought up. Unfortunately, I have used numerous other 2-step authentication methods over the course of their existence, and not one of them have this type of backup method. They are all the same: Type in the generated code that is constantly changing.

Guild Wars 2 actually uses an email system, where if someone tries to use your account outside of a PC you've authorized it shoots you an email that you have to click a link and approve to let them in. No one on CZE's side has said the authenticator would be dongle/smartphone only.

Mr.Funsocks
06-23-2013, 10:38 AM
This is why we can't have nice things. Or more on topic, why we can't have mandatory authentications. There will be a minority of people who think that the way they do it is correct. Even if it has been luck/anonomacy before. Forcing people will not be worth the effort on Cryptozoic's part.

A) anonymity - most browsers do spellcheck for ya now.

B) Yes, anonymity is why I haven't given away my password... I guess? If I were in some fashion famous, and might actually be a target (which no one here in this thread is or will be) I might go for the 2-step authentication, but fame and bad luck aren't why y'all are giving away your passwords...

Punk
06-23-2013, 10:45 AM
THIS. For the love of god THIS.

I don't want to have to use some stupid physical POS just to log into my game. If you're not a complete idiot, your login info should be safe. Unfortunately, there are SO many idiots out there. If you need something like that to keep yourself safe because you don't know how to use the Internet, that's fine, make it optional, but mandatory? BS.

There will definitely be people who are more familiar with every single security standpoint you should have when dealing with computers, but even someone who is not a "complete idiot" can have security issues as well. For example, did you know that a majority of all security issues are solely because they used the same credentials at two locations (Let's say WoW and a WoW fan site) and the fan site gets hacked? Now all of that fan site's usernames and passwords are being sold over and over and is trying to be logged in at every place that the "hacker" can gain something from.

Even though you set up some mad phat, superfly, platinum, dope shit password to use that no one could guess, you used it in two places on the internet and can potentially have your account stolen because of this. This does not make you a "complete idiot" nor is your computer at risk.

Punk
06-23-2013, 10:49 AM
Guild Wars 2 actually uses an email system, where if someone tries to use your account outside of a PC you've authorized it shoots you an email that you have to click a link and approve to let them in. No one on CZE's side has said the authenticator would be dongle/smartphone only.

Yes! I loved this feature. NC Soft, Guild Wars 2 and.. I know at least one other that I am spacing.. has this functionality and I thought it was simply the best thing ever. I would still want a true authenticator as an option as well as this. If someone hacks my email then they could probably just do a password reset for the game client login as well as clicking the link in the email to approve their "non approved location" access.

Mr.Funsocks
06-23-2013, 10:50 AM
This is a common misconception, in fact one perpetuated by the security industry - that the user is at fault.

They are not, they are human. Design systems that rely upon humans with failure in mind.

We cannot yet properly perform constant biometric authentication / auth level control in a way tied to your body in a civilian scenario on a distributed network cost effectively.

passwords for now, multi-factor a big help.

Access normalization also, auth from connecting IP block etc. Troublesome with mobile client use but still can be reduced to access map for particular user.

PLEASE CZE - track the hell out of me. I'm asking for it. Keep my stuff safe.

See, the authenticators are like the airport security: They give the illusion of security but are an inconvenience to customers. The other things you mentioned are the ones that should just be standard. Steam checks my IP when I try to log on on a different computer, and while a one-time pain sometimes, it's very welcome because it does prevent someone else from logging in.

jai151
06-23-2013, 10:50 AM
A) anonymity - most browsers do spellcheck for ya now.

Contumacy is what comes up from spellcheck on "anonomacy." Word choice, even a non-existent word, is not spellcheck.


B) Yes, anonymity is why I haven't given away my password... I guess? If I were in some fashion famous, and might actually be a target (which no one here in this thread is or will be) I might go for the 2-step authentication, but fame and bad luck aren't why y'all are giving away your passwords...

I really think you think you're far more secure than you really are. Not everyone is compromised through their own fault. It's as impossible to prove they are as it is to prove they aren't, but in my own personal experience the case is there are those who get hit through no fault of their own.

Finally, I really think all you "No authentication" folks think it's way more of a hassle than it really is. EDIT: In fact right above my post, you mentioned mandatory authentication that you don't mind and think "should be standard." Why shouldn't something you think should be standard be, well, standard?

Mr.Funsocks
06-23-2013, 10:55 AM
I really think you think you're far more secure than you really are. Not everyone is compromised through their own fault. It's as impossible to prove they are as it is to prove they aren't, but in my own personal experience the case is there are those who get hit through no fault of their own.

And in my own personal experience, it is ALWAYS user error, except in those exceptionally rare cases of the actual game companies being hacked. Just downloaded MBAM and Avast! since I don't bother installing them any more: What a surprise, no malware or viruses! I AM as secure as I think I am. My passwords are fine on my end.


Finally, I really think all you "No authentication" folks think it's way more of a hassle than it really is.

Having to check my email/smartphone (which I don't own) EVERY TIME I log in, especially on my tablet (changing apps on a tablet is slooowwwwwww) is a pretty big hassle, yes. Adding another physical device is an even bigger hassle as I tend to lose things like that.

jai151
06-23-2013, 11:00 AM
And in my own personal experience, it is ALWAYS user error, except in those exceptionally rare cases of the actual game companies being hacked. Just downloaded MBAM and Avast! since I don't bother installing them any more: What a surprise, no malware or viruses! I AM as secure as I think I am. My passwords are fine on my end.

And both of those were installed and showed me clean when my account on WoW was hit. In every possible way, I had myself covered.


Having to check my email/smartphone (which I don't own) EVERY TIME I log in, especially on my tablet (changing apps on a tablet is slooowwwwwww) is a pretty big hassle, yes. Adding another physical device is an even bigger hassle as I tend to lose things like that.

That's not how an authenticator has to work. It only needs to check on devices or in locations you haven't authenticated. I have two step on every account that has it, and far more often than not I don't have to do anything when I log in. EDIT: In fact, I can't think of any authenticators that still work the way you describe.

Mr.Funsocks
06-23-2013, 11:02 AM
And both of those were installed and showed me clean when my account on WoW was hit. In every possible way, I had myself covered.

Don't fall for phishing scams? :-P


That's not how an authenticator has to work. It only needs to check on devices or in locations you haven't authenticated. I have two step on every account that has it, and far more often than not I don't have to do anything when I log in.

That doesn't need to be an "authenticator" then. That's just an email that they send you when you log in from an unfamiliar location, and is default on most services (ie Steam).

jai151
06-23-2013, 11:06 AM
Don't fall for phishing scams? :-P

Didn't. Never used my password outside of WoW. Come on man, try harder.


That doesn't need to be an "authenticator" then. That's just an email that they send you when you log in from an unfamiliar location, and is default on most services (ie Steam).

Authentication makes it a bit more secure at practically no more effort.

Gwaer
06-23-2013, 11:14 AM
Difference between airport security and authenticators? Authenticators are actually good at what they do.
Go ahead add mandatory 2 factor authentication in a variety of forms and let people choose which they use. It's worth the inconvenience.

grey0one
06-23-2013, 11:20 AM
A) anonymity - most browsers do spellcheck for ya now.

B) Yes, anonymity is why I haven't given away my password... I guess? If I were in some fashion famous, and might actually be a target (which no one here in this thread is or will be) I might go for the 2-step authentication, but fame and bad luck aren't why y'all are giving away your passwords...


Do you have an argument there? The topic is mandatory authenticators.

We should have them, but it'll be not worth the effort to enforce because of people like Mr. Unfunsocks here. We will have to just deal with compromised accounts of others.

People research, hope that you've left some password on an unsecured system. If not, they try to guess on what kind of personal information you've left around. A targeted attack is much harder to stop than a password spam.

Also, the key word is valuable, not just famous. There's a fair percent of $250+ pledgers currently reading the forums. There's definitely a higher price for these on the secondary market.

Also, I stress "Who You Are, What You Have, What You Know." The more of these elements you have securing your account, the better.

Mr.Funsocks
06-23-2013, 11:27 AM
250$ that you probably aren't going to get to keep (if Hex has half as good of an anti-theft mechanism as Cory says) is not gonna be much of a target, considering the effort it'd take to research it.

Gwaer
06-23-2013, 11:31 AM
Just make 2 factor authentication enabled by default, let people opt out, make it clear that opting out removes the possibility of having their account rolled back in the event of a breach.

grey0one
06-23-2013, 11:32 AM
250$ that you probably aren't going to get to keep (if Hex has half as good of an anti-theft mechanism as Cory says) is not gonna be much of a target, considering the effort it'd take to research it.

Oh? Cory's anti-theft mechanisms, one of them being the authenticators. I'm glad we can agree that they're integral for a secure account. Big of you to come to the same conclusion.

blakegrandon
06-23-2013, 11:38 AM
Didn't. Never used my password outside of WoW. Come on man, try harder.



Authentication makes it a bit more secure at practically no more effort.

You shouldn't even bother, according to Mr. Funsocks the only people that get hacked are people that don't know how to secure their stuff.

Because even though companies are hacked every single day, it'll never happen to funsocks and if it does he'll blame the company that got hacked, but when it happens to anyone else it's ALWAYS their fault.

I see his type every single day, victim blaming as long as they're not the victim and then crying victim when it happens to them.

Hibbert
06-23-2013, 11:39 AM
Mr. Funsocks, what's your plan for zero day exploits? These are bugs in software/hardware that allow access to someone's computer that are used before a company has a chance to issue a security patch. There's simply no way to guard against them. They can be mitigated by using more secure software, but even some really hardened security focused OS's have been hit with them. Assuming you are using either Windows or OSX and use any sort of web browser (which I think is a pretty safe assumption unless you are manually parsing all the html/javascript on this page :) ), you are definitely open to a possible malware/keylogger attack. I know the majority of zero day exploits are probably used for things more nefarious than stealing game account information, but the possibility exists.

Game accounts are such a popular target for theft since there are basically no penalties for stealing virtual goods. If a bad guy gets my bank account password, I'm protected by all sorts of laws in addition to my bank's policies. With WoW accounts, they can siphon off gold and sell it for real life cash with fewer legal implications than stealing a bank account.

Authentication, even as simple as Steam's email system, is really a must for any online game account you care about.

majin
06-23-2013, 11:44 AM
TL;DR; version. Physical and App Authenticators => NOT Mandatory, Email Authenticator, Sure but might be a hassle on players playing on mobile device

------------------------


Please keep in mind that the world is not only 'Murica. Without at least one office in Europe and Asia, shipping of authenticators could be very cost intensive for international players. Plus, we have to be more precise what level of authentication we are talking about. Authenticator to log into the game? -> easy. Authenticator to cash out platinum and other transactions? -> harder (might vary from country to country, also might require knowledge of how transactions are handled in different countries) Physical Authenticators?-> harder. Apps for your phone? -> easy

Physical Authenticators? Sure, but NEVER mandatory

Apps on your phone? Sure, but NEVER mandatory. This might seem easy to most of us but I live in a third world country, Philippines and there's a lot of gamers here who will love the F2P PvE side of the game. Sadly, most of these gamers don't have an iPhone or Android and things like that. This will alienate gamers like this if this is Mandatory.

Sure you can argue that if they can't afford one, they shouldn't be playing this type of game but there is a F2P model of the game which means they can enjoy PvE for FREE. Requiring this kind of authentication will prevent gamers who can't afford the finer things in life to enjoy the game.

To give you an example, my Pro Tier and my wife's King's tier cost almost TWICE the minimum wage here and more than what regular employees make and I want my other countrymen to be able to enjoy the F2P PvE side of the game.


Guild Wars 2 actually uses an email system, where if someone tries to use your account outside of a PC you've authorized it shoots you an email that you have to click a link and approve to let them in. No one on CZE's side has said the authenticator would be dongle/smartphone only.

Email Authenticators like this? Hell Yeah, you can even make it mandatory. The game is online so no reason why this won't be easy to do (BIG DRAWBACK: non-tablet users like ipod, android phones assuming the game can be played there. I find it hard to browse emails on my iPod)



Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose. Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers. If you are a person who does these things, then having the authenticator available is a good idea, but making it mandatory? Uh uh. No.

Totally agree


Just make 2 factor authentication enabled by default, let people opt out, make it clear that opting out removes the possibility of having their account rolled back in the event of a breach.

well said, let people choose, don't make it a requirement

TheHangedMan
06-23-2013, 11:45 AM
I want mandatory authenticators for all. Trying to assign blame is pointless. What matters is the impact stolen accounts have on the game community and economy, and when the scammers can actively influence either the game experience suffers for all. There will always be players who don't take adequate steps to protect their accounts (or those whose accounts are hacked regardless of them taking precautions), and I don't want my experience and investment in the game to suffer because of that.

Think of mandatory authenticators as a vaccine. Occasionally they are a hassle to the individual getting them, but the community as a whole benefits if everyone is protected. With a TCG I want security to be as tight as possible, and authentication, while not 100% effective, makes it much more difficult for hackers to proliferate.

ShadowTycho
06-23-2013, 11:49 AM
game should be free to play as advertised
that means no initial investment required
that means no required authentication.
should Cryptozoic offer an app or purchasable FOB? yes.

Gwaer
06-23-2013, 11:53 AM
game should be free to play as advertised
that means no initial investment required
that means no required authentication.
should Cryptozoic offer an app or purchasable FOB? yes.
Mandatory 2 factor authentication can be free as long as there are free email services. Granted that's not as secure as a dedicated app or fob. But it'll do.

OutlandishMatt
06-23-2013, 11:56 AM
Just make 2 factor authentication enabled by default, let people opt out, make it clear that opting out removes the possibility of having their account rolled back in the event of a breach.

^^^This.

I am fine with the arrogant losing their accounts. And people with signatures displaying what tier(s) they have are painting a target on their back.

sckolar
06-23-2013, 11:57 AM
I played WOW, and that thing on my phone gave me a comforting feeling. It makes you feel as though your account is safe. One thing that I'm sure anyone with an insecure account worries about is if someone has been on their account. An Authenticator would be awesome. Especially considering this game is becoming very popular!

Punk
06-23-2013, 12:03 PM
Just make 2 factor authentication enabled by default, let people opt out, make it clear that opting out removes the possibility of having their account rolled back in the event of a breach.

There should be no account roll backs or restoration of lost items that are not bound on account items. There were tons of "scamming" done in Diablo 3, which allows full recovery of all items on the account upon request, and people would do the following steps:

1.) Login from a public wireless network.
2.) Setup "Mock" auctions and sell all of your gear and have your friend (on one or more accounts) buy it all super quick for extremely cheap. Doesn't matter if someone else gets some of these items, but highly unlikely if done right.
3.) Go back home and contact Customer Support stating your account was hacked.
4.) Get all of your items back.
5.) Your friend resells all of the items and splits the money with you.

This is WAY too easy to execute and was done all over the place with Diablo 3. Some people were saying "limit the restorations to 1 or 2 times!!" This makes no difference to the issue at hand. If I have two restorations that I can use and then decide to do the steps above a year after the game comes out to essentially duplicate my entire collection of cards, I just made a ton of money. Now there are thousands of extra cards in existence. If everyone does this, there will be millions of extra cards in existence out of nowhere and will crush any possibility of an economy.

I definitely agree with you that it should be enabled by default and to let users opt out of it if they do not want it.

OutlandishMatt
06-23-2013, 12:04 PM
Please note, I am not saying it's mandatory to have an Authenticator to play but to do any kind of exchange, whether it's person to person or via the auction house.

But now that I think about it, I would probably want it to be mandatory from the start. Think of how much resources it would free up if there was never a hacked account. How much time and money is wasted by MMO companies having to recover hacked accounts?

Wombat
06-23-2013, 12:06 PM
So people use online banking, PayPal, online betting services, Amazon, other online payment services like webmoney or clickandbuy and save their credit card and current account number in their online shopping accounts because it's easier.

But yeah, I guess we need several mandatory hurdles to log into a computer game, that prevent me from sharing my game with friends, because it might not be safe enough.

If my computer is infected with anything that communicates my PWs to third parties, my HEX account is the last thing I am worried about, so should you.

Xintia
06-23-2013, 12:34 PM
While it can be argued that any online game has real world value due to account trading, gold selling, and other "services," I think Hex is a bit of a different beast. It is seeking to emulate real world items in a much more tangible way. That said, I think that a little more robust security is prudent. I would support something like:

A) Offer both physical and mobile authenticator options.
B) Do not make them mandatory for game access BUT...
C) If a player declines the added layer of security, then CZE is under no obligation to provide account recovery services to a compromised player.

In other words, if a player declines the added security, then they cannot expect to get "bailed out." If they can demonstrate the circumstances of the breach and provide information to CZE, then perhaps they can evaluate on a "case by case" basis, but the default position would be "No authenticator, no recovery."

Gwaer
06-23-2013, 12:53 PM
So people use online banking, PayPal, online betting services, Amazon, other online payment services like webmoney or clickandbuy and save their credit card and current account number in their online shopping accounts because it's easier.

But yeah, I guess we need several mandatory hurdles to log into a computer game, that prevent me from sharing my game with friends, because it might not be safe enough.

If my computer is infected with anything that communicates my PWs to third parties, my HEX account is the last thing I am worried about, so should you.

Sharing your game is against the ToS anyway.


As to rollbacks, they are tracking every single item in a chain. All transactions involving those items would be rolled back. Including the cheap sale to your friend, and your friend reselling them. At least according to Cory.

Niedar
06-23-2013, 12:56 PM
There will be a ton of pissed people if that rollback stuff is the case, I don't expect that policy to last long.

I doubt it will be a thing though. So I buy a pack off the AH and then go draft with it. What are they going to do, put my packs owned into negative territory or remove all my draft winnings etc etc?

Gwaer
06-23-2013, 12:59 PM
There will be a ton of pissed people if that rollback stuff is the case, I don't expect that policy to last long.
Maybe. I think if you got your stuff from someone getting hacked, too bad for you. It never would have been available without the hack, so you don't have it. You didn't lose anything. You got your money back. Cry more.

Punk
06-23-2013, 01:02 PM
But yeah, I guess we need several mandatory hurdles to log into a computer game, that prevent me from sharing my game with friends, because it might not be safe enough.


This whole conversation is about spending on average 15 extra seconds (for myself) when logging into the game to make sure everything is extra secure. Everyone who has any standpoint against Authenticators is really fighting 15-30 seconds of their day to ensure their account doesn't get compromised.

Is it really that big of a deal?

Kietay
06-23-2013, 01:04 PM
Jai always seems to be on the side of forcing people to do things.

There will never be a mandatory authenticator. They would not even consider it. It is a smart thing to do but it is definitely not necessary if you are careful and some people simply don't care. Those people should be allowed to risk losing their accounts. It is their account. They will have to accept the consequences if they are hacked.

Gwaer
06-23-2013, 01:04 PM
This whole conversation is about spending on average 15 extra seconds (for myself) when logging into the game to make sure everything is extra secure. Everyone who has any standpoint against Authenticators is really fighting 15-30 seconds of their day to ensure their account doesn't get compromised.

Is it really that big of a deal?

He's actually arguing that it would make account sharing hard. Which is honestly a mark in the pro mandatory for CZE since they're against all forms of account sharing.

Punk
06-23-2013, 01:15 PM
Maybe. I think if you got your stuff from someone getting hacked, too bad for you. It never would have been available without the hack, so you don't have it. You didn't lose anything. You got your money back. Cry more.

Let's break this down a little more. Let's say one of the items stolen is a super rare chase card. That card is sold on the AH for plat. Now Random Person A has that card (potentially). That plat is spent on booster packs, so now Random Person B has that money. Those packs are transferred to another account and then sold to Random Person C who opens the packs and pulls a very expensive card. This can all be done in a matter of minutes. Think about them tracing everything down over the course of an hour. What if that account wasn't reported "hacked" until a few days after it had allegedly happened?

You are telling me, as a legitimate player, that I just bought a booster pack from the Auction house, pulled an expensive chase card and Cryptozoic is going to come by hours later and say "oh, hey, about 20 transactions ago something was stolen which eventually turned into this booster pack. We are removing these cards from the game so here is your $2 back. Have fun losing that awesome card you just pulled."

The amount of "hacks" that will be reported with such an easily abused system to duplicate items will be astronomical after accounts have accumulated a ton of stuff. The amount of time and manpower it would take to track down every single card if a thousand cards are stolen would be absolutely ridiculous.

Item Restoration has been around for numerous years and the only time I have ever seen it not completely mess up an economy is when they would only restore account bound items that were missing.

You know what would prevent all of this from happening? Spending 15 seconds to use an authenticator when you first login.

OutlandishMatt
06-23-2013, 01:16 PM
I definitely don't see that rollback feature working long. Like what was said, at what point do you quit rolling back? If you get a booster from a hacked account, draft with it, does everyone in that draft get affected? Do all the cards from that one booster get rolled back?

Zomnivore
06-23-2013, 01:16 PM
Hacking in mmos has never deprived me of much.

I think with something as well tracked as cards and money spent there's even less chance that items I have get stolen.

That being said, I hate authenticators because I view them as a company's disincentive to invest in good security monitoring methods. WoW pushed authenticators and then suddenly I started getting hacked... not before, but after they start marketing 'em...

I don't like that, and I think it's another under the table sort of way for them to gyp players.

Punk
06-23-2013, 01:18 PM
He's actually arguing that it would make account sharing hard. Which is honestly a mark in the pro mandatory for CZE since they're against all forms of account sharing.

You know, I had interpreted his statement about sharing his game with his friends as in playing with them, not as sharing an account with another person. I guess it could be taken either way.

If he is talking about sharing accounts, then he should just have that other person set up a separate account (it's free) and then be in the same guild so you can use the guild-card-sharing thing they had referenced in a previous article.

Account sharing never ends well.

Shadowelf
06-23-2013, 01:21 PM
I'm in for authenticators; I don't want it, however, to be mandatory. Let ppl decide whether they need/want that extra security and not force it on them.

blakegrandon
06-23-2013, 01:25 PM
It is a smart thing to do but it is definitely not necessary if you are careful and some people simply don't care.

I was careful, my account got compromised. I did everything by the books to prevent my account from getting compromised. Telling me I wasn't careful enough and it's my fault when the company gets compromised is ludicrous.

We need day 1 authenticators and we need to stop blaming victims for the actions of hackers and malicious douchenozzles.

maniza
06-23-2013, 01:30 PM
As long as there is an app I'll use that. Don't think making them mandatory for a f2p game is a good idea at all. It's better to leave it up to the individual

Yoss
06-23-2013, 01:44 PM
There will be a ton of pissed people if that rollback stuff is the case... So I buy a pack off the AH and then go draft with it. What are they going to do, put my packs owned into negative territory or remove all my draft winnings etc etc?

Let's break this down a little more. Let's say one of the items stolen is a super rare chase card. That card is sold on the AH for plat. Now Random Person A has that card (potentially). That plat is spent on booster packs, so now Random Person B has that money. Those packs are transferred to another account and then sold to Random Person C who opens the packs and pulls a very expensive card. This can all be done in a matter of minutes. Think about them tracing everything down over the course of an hour. What if that account wasn't reported "hacked" until a few days after it had allegedly happened?

You are telling me, as a legitimate player, that I just bought a booster pack from the Auction house, pulled an expensive chase card and Cryptozoic is going to come by hours later and say "oh, hey, about 20 transactions ago something was stolen which eventually turned into this booster pack. We are removing these cards from the game so here is your $2 back. Have fun losing that awesome card you just pulled."

The amount of "hacks" that will be reported with such an easily abused system to duplicate items will be astronomical after accounts have accumulated a ton of stuff. The amount of time and manpower it would take to track down every single card if a thousand cards are stolen would be absolutely ridiculous.

Item Restoration has been around for numerous years and the only time I have ever seen it not completely mess up an economy is when they would only restore account bound items that were missing.

I definitely don't see that rollback feature working long. Like what was said, at what point do you quit rolling back? If you get a booster from a hacked account, draft with it, does everyone in that draft get affected? Do all the cards from that one booster get rolled back?

To all those worried about how the roll-back would work, fear not. It can be done simply and without hassle. If it's a card, then it's easy to roll back. A booster pack seems harder (as the quotes here have pointed out), but it's actually not much harder. When you roll back a pack, you just increment or decrement the booster count in the right accounts, along with the currency returns and a note or email of notification to all parties. You don't worry about the cards that were in the pack. Yes, this means someone might go into negatives for boosters, but all that means is that they need to go rebuy a pack with the same money they used the first time (or just wait for the next pack to show up from VIP or whatever). Simple, effective.

Also, I'm in favor of mandatory authenticators for any account with a link to $US through a credit card (or whatever method). F2P should have optional authentication.

jai151
06-23-2013, 02:29 PM
By the way, everyone saying "You have to have an authenticator, so that's not free to play!"

You also need:

An internet connection.
A Computer or tablet.
Electricity to run those items.

None of those are free.

keroko
06-23-2013, 02:53 PM
Do you people not wanting authenticators have an actual reason for not wanting to add additional security to your account?

If you cannot handle input of a one time password in addition to your user name and pw, how on earth will you communicate in game?

Punk
06-23-2013, 02:53 PM
By the way, everyone saying "You have to have an authenticator, so that's not free to play!"

You also need:

An internet connection.
A Computer or tablet.
Electricity to run those items.

None of those are free.

I think you are trolling... but just in case you are not, the difference is that the Authenticator is something you will have to buy from Cryptozoic to use Hex. This is only used for Hex, from the people that create Hex to be able to use Hex. If this is mandatory, then there is a prerequisite cost to Cryptozoic before they provide you with access to the game. At this point, it would no longer be free to play.

All of your examples would not need to pay money to Cryptozoic to use.

Punk
06-23-2013, 03:03 PM
To all those worried about how the roll-back would work, fear not. It can be done simply and without hassle. If it's a card, then it's easy to roll back. A booster pack seems harder (as the quotes here have pointed out), but it's actually not much harder. When you roll back a pack, you just increment or decrement the booster count in the right accounts, along with the currency returns and a note or email of notification to all parties. You don't worry about the cards that were in the pack. Yes, this means someone might go into negatives for boosters, but all that means is that they need to go rebuy a pack with the same money they used the first time (or just wait for the next pack to show up from VIP or whatever). Simple, effective.

Also, I'm in favor of mandatory authenticators for any account with a link to $US through a credit card (or whatever method). F2P should have optional authentication.

What if the account is not reported as Hacked until a week after it happens, meanwhile the cards are sold on the Auction House, then traded between friends/guild members, traded with their friends and then sold on the Auction House again? This could easily happen in an afternoon. Tracking down where those cards went over 7 days would be near impossible and there would be no way to correctly assess the damages to the community since trading cards only have a personal value, not a monetary value.

I seriously doubt Cryptozoic wants to explain to all of these people referenced above (maybe more) that they have to trade their cards back or get refunded for their purchase through the AH because someone said their account was hacked. They would have to do this same process for every single card. If thousands of cards get "stolen," how much time and affected players do you think this will affect?

Again, if Cryptozoic provides you with an option to add an Authenticator, you opt out of using it and then you have your account compromised, you should get nothing returned to you. If they do this, by any means, there will be people abusing this and duplicating their entire collections all over the place.

Shadowelf
06-23-2013, 03:08 PM
@Punk Blizzard has been doing rollbacks since 2005 (;p) why would that be so difficult for CZE to do the same? My friend's account got hacked three times and he still got his stuff back, regardless of what happened to his (original) items

keroko
06-23-2013, 03:10 PM
@shadowelf they mess up too, sometimes you get your stuff back twice.

It's 2013, people, you have hundreds of passwords. Do you cycle them every n days max etc?

even if you do your mind likely uses patterns in their generation, or you use a program to store them which becomes an ever concentrating resource of value for compromise?

do you have any inkling as to the complexity of validation of proper access in a massively multi-user scenario? Even inspection of the traffic past the broadest cursory glance is EXPENSIVE in real time.

CZE are well within their rights to firmly encourage you to properly secure your account.

What's odd is the draconian password users decrying use of multi-factor auth. Don't get that angle.

I'd like to see OTP token as a requirement of access, virtual or otherwise. email a la GW2 works too at a push. Along with user approval of non-self-known IP blocks accessing a given account.

Shadowelf
06-23-2013, 03:18 PM
@shadowelf they mess up too, sometimes you get your stuff back twice

So u might end up with ur stuff and an extra pair to sell as a compensation?

Punk
06-23-2013, 03:27 PM
@Punk Blizzard has been doing rollbacks since 2005 (;p) why would that be so difficult for CZE to do the same? My friend's account got hacked three times and he still got his stuff back, regardless of what happened to his (original) items

Blizzard (regarding WoW) does roll backs and the items are bound to your account, and even this was getting exploited. This used to be abused in Vanilla WoW where people would "accidentally" vendor their Arcanite Reaper axe, open a ticket to have it restored, and then the item gets mailed to you. When they were mailing the item back to you, the item was unbound. Essentially, they were doing this to sell the item when they were done with it since it was one of the most valuable items for quite some time at the start of the game.

In this case, we are not talking about items that are bound to your account.

In Diablo 3, someone had a godly Wizard Offhand item to drop with near perfect stats. He ended up duping this item on his account by these same means two times, transferred the item to another account he opened and duped it there twice, so on and so forth. He ended up selling this item on the Real Money AH for $250 each and the last I heard he had made almost $10,000 off of this one item and abusing Blizzard's system. Once he sold all of them, the buyers started duping them as well until the market was flooded with them. This destroyed the economy for Wizard Offhand items. If you would look at the top 100 Wizards, 50% or more of them all had this offhand weapon. When multiple people in the top 100 players started showing the same exact offhand weapon, this is when people figured out their scam and started doing it for every item that was worth any value. If you could duplicate your inventory twice and have that add up to more than $60, they would do this and buy a new copy of Diablo 3 to do it all over again to gain net worth.

In this case, accounts for Hex are free. Nothing is to stop you from duplicating your inventory, getting it restored, transferring it to a new free account and duplicating it again by these same means.

Initially, this was a very cool thing for Blizzard to do for people, but it was taken advantage of and has destroyed games because of its abuse.

Yoss
06-23-2013, 03:33 PM
In a game like Hex where every item has a unique ID, I see no reason why a roll-back would create duplicates. Your previous post (90) was better, which pointed out that while it might work to roll-back a big mess, it would be a lot of work.

Shadowelf
06-23-2013, 03:46 PM
@Punk yeah it sucked that there were ppl taking advantage of Blizzard's willingness to compensate its customers, but they could have solved this issue just like CZE is proposing; by giving any item a unique ID, u will be able to trace it (assuming they will also have a search ID option available and not run through blocks of coding), and detect the scam.

Punk
06-23-2013, 03:54 PM
In a game like Hex where every item has a unique ID, I see no reason why a roll-back would create duplicates. Your previous post (90) was better, which pointed out that while it might work to roll-back a big mess, it would be a lot of work.

Unless they rolled everyone back to when the account was allegedly compromised, then it would create duplicates. If I hack your account and steal your Kraken card (Unique ID 100100), for example, and sell it on the AH. After this card changes hands between the AH and trades numerous times, you contact support and get your account rolled back. Now you have either a duplicate of the Kraken card with Unique ID 100100, or maybe you are given a new Kraken card with Unique ID 200200.

There are two resolutions:

1.) All of the AH transactions and trades are reversed and you get your card back. This totally screws all of these players involved who were just using the AH and trade functionality how they were intended.

2.) You are given a new Kraken card so Unique ID 100100 and 200200 are now in existence when you only had the Unique ID 100100 one. This 200200 card is now a duplicate.

Repeat step 1 or 2 for every single card that is compromised.

Hopefully this helps clear up any confusion regarding this point. This is a complicated scenario with lots of possible outcomes, and lots of important points to consider.

jai151
06-23-2013, 03:55 PM
I think you are trolling... but just in case you are not, the difference is that the Authenticator is something you will have to buy from Cryptozoic to use Hex. This is only used for Hex, from the people that create Hex to be able to use Hex. If this is mandatory, then there is a prerequisite cost to Cryptozoic before they provide you with access to the game. At this point, it would no longer be free to play.

All of your examples would not need to pay money to Cryptozoic to use.

Neither would an authenticator. Only a physical authenticator would cost money, and no MMOs use those exclusively

Shadowelf
06-23-2013, 04:03 PM
Unless they rolled everyone back to when the account was allegedly compromised, then it would create duplicates. If I hack your account and steal your Kraken card (Unique ID 100100), for example, and sell it on the AH. After this card changes hands between the AH and trades numerous times, you contact support and get your account rolled back. Now you have either a duplicate of the Kraken card with Unique ID 100100, or maybe you are given a new Kraken card with Unique ID 200200.

There are two resolutions:

1.) All of the AH transactions and trades are reversed and you get your card back. This totally screws all of these players involved who were just using the AH and trade functionality how they were intended.

2.) You are given a new Kraken card so Unique ID 100100 and 200200 are now in existence when you only had the Unique ID 100100 one. This 200200 card is now a duplicate.

Repeat step 1 or 2 for every single card that is compromised.

Hopefully this helps clear up any confusion regarding this point. This is a complicated scenario with lots of possible outcomes, and lots of important points to consider.

You know what ur saying absolutely makes sense and begins to worry me. Supposing that they trace the sale, return the card to the rightful owner and the plat/gold to the buyer? Won't that be possible?

Punk
06-23-2013, 04:09 PM
Neither would an authenticator. Only a physical authenticator would cost money, and no MMOs use those exclusively

This was in reply to the scenario that an Authenticator is required and the user does not have a Smart Phone. Their alternative is a Physical Authenticator, which costs money.

Some people referenced the email notification when your account is trying to be accessed from outside your IP address, but that is only good as a notification and not a preventative measure. If your email account was the one that got compromised, then they can just reset your Hex password along with clicking the link in the email you receive to allow them into your account.

Outside of the Mobile Authenticator, Physical Authenticator and GW2 Email Notification, I did not see any other Authenticators that were referenced.

Punk
06-23-2013, 04:17 PM
You know what ur saying absolutely makes sense and begins to worry me. Supposing that they trace the sale, return the card to the rightful owner and the plat/gold to the buyer? Won't that be possible?

Yes, it most certainly can be possible, but may not be applicable in a lot of scenarios.

Hacker takes a card and sells on AH.
Player A buys this card.

This is pretty straightforward and can be refunded very easily in this sense. But now look at it if more time had passed and more actions were taken:

Hacker takes a card and sells on the AH.
Player A buys this card.
Player A trades this card to Player B.
Player B sells this card on the AH.
Player C buys this card.
Player C trades this over to Player D.
Player D gifts this card to Player E.

Now the chain of events affects Player A -> Player E. If the card is taken from Player E and given to Player A, what happens to all of the transactions between Player B and Player D?

That is really what I wanted people to be aware of. I had a 60 page discussion on this same practice on the Blizzard forums regarding their practices with other members of that community.
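
The chain of custody walked through in the post above, as an added example (not part of the original post and not Cryptozoic's code): a rollback plan computed from a per-item transfer ledger keyed on unique ID. The ledger layout, account names, timestamps and prices are assumptions; only card ID 100100 comes from the thread.

```python
from collections import defaultdict, namedtuple

# One row per change of ownership. `price` is the platinum the receiver paid
# the sender (0 for trades and gifts). This schema is an assumption.
Transfer = namedtuple("Transfer", "ts item_id sender receiver kind price")

# Constructed ledger following the Hacker -> A -> B -> C -> D -> E chain.
LEDGER = [
    Transfer(5, 100100, "pack_open", "victim", "open", 0),
    Transfer(10, 100100, "victim", "A", "auction", 40),  # listed by the intruder
    Transfer(11, 300300, "B", "A", "trade", 0),          # unrelated item
    Transfer(12, 100100, "A", "B", "trade", 0),
    Transfer(15, 100100, "B", "C", "auction", 55),
    Transfer(18, 100100, "C", "D", "trade", 0),
    Transfer(20, 100100, "D", "E", "gift", 0),
]


def stolen_items(ledger, victim, compromised_from):
    """IDs of items that left `victim` at or after the compromise time."""
    return sorted({t.item_id for t in ledger
                   if t.sender == victim and t.ts >= compromised_from})


def trace_chain(ledger, item_id, victim, compromised_from):
    """Ordered hops of one item, starting with its exit from the victim."""
    rows = sorted((t for t in ledger if t.item_id == item_id),
                  key=lambda t: t.ts)
    start = next((i for i, t in enumerate(rows)
                  if t.sender == victim and t.ts >= compromised_from), None)
    if start is None:
        return []
    chain = rows[start:]
    # Custody check: a gap means the ledger is incomplete and an automatic
    # rollback would move an item the recorded holder may not have.
    for prev, cur in zip(chain, chain[1:]):
        if cur.sender != prev.receiver:
            raise ValueError(f"custody gap for item {item_id} at ts {cur.ts}")
    return chain


def rollback_plan(ledger, victim, compromised_from):
    """Full-chain reversal (option 1 in the thread): no new ID is minted."""
    plan = {}
    for item_id in stolen_items(ledger, victim, compromised_from):
        chain = trace_chain(ledger, item_id, victim, compromised_from)
        platinum = defaultdict(int)
        for hop in chain:
            platinum[hop.receiver] += hop.price  # buyer is refunded
            platinum[hop.sender] -= hop.price    # seller hands proceeds back
        plan[item_id] = {
            "current_holder": chain[-1].receiver,
            # Undo the newest hop first so the item walks back to the victim.
            "undo": [(hop.receiver, hop.sender) for hop in reversed(chain)],
            # Negative balance on the victim account = proceeds of the
            # intruder's sale; if they were moved out, the operator is short.
            "platinum": {acct: amt for acct, amt in platinum.items() if amt},
            "affected": sorted({hop.receiver for hop in chain}),
            # Trades carry no price here, so what the other side gave up is
            # unknown from this ledger and cannot be reversed automatically.
            "manual_review": [(hop.sender, hop.receiver)
                              for hop in chain if hop.kind == "trade"],
        }
    return plan


if __name__ == "__main__":
    for item, detail in rollback_plan(LEDGER, "victim", 10).items():
        print(item, detail)
```

The plan keeps a single card 100100 in existence, but five uninvolved accounts are touched and two trades cannot be unwound from price data alone, which is the cost the post is pointing at.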

jai151
06-23-2013, 04:18 PM
This was in reply to the scenario that an Authenticator is required and the user does not have a Smart Phone. Their alternative is a Physical Authenticator, which costs money.

Some people referenced the email notification when your account is trying to be accessed from outside your IP address, but that is only good as a notification and not a preventative measure. If your email account was the one that got compromised, then they can just reset your Hex password along with clicking the link in the email you receive to allow them into your account.

Outside of the Mobile Authenticator, Physical Authenticator and GW2 Email Notification, I did not see any other Authenticators that were referenced.

There are also versions which send a text to your cell phone (not requiring a smartphone) and ones which call a phone number for authorization (not requiring a cell phone at all)

Aradon
06-23-2013, 04:21 PM
You know what ur saying absolutely makes sense and begins to worry me. Supposing that they trace the sale, return the card to the rightful owner and the plat/gold to the buyer? Won't that be possible?

Having your transactions rolled back is still a major slap in the face, so even though they could undo most things about a hack, players who weren't at all related to the hack would be punished. Furthermore, if you got a pack from a hacked account and drafted with it, what to do about that? It'd mess with the tournament. It's too complicated to roll back, and the economy's based too much on real money to live with the duplicates that Blizzard's restoration process uses.

I don't think mandatory authenticators are a good idea, especially since they'd only cut down, not eliminate, the hacking issue. I wonder what MtGO did in the event of hacks.

I also strongly disagree that you can avoid being hacked just by being 'not stupid.' To tell someone that's been hacked that you are 100% sure it is their fault and you're pretty sure they just downloaded a keylogger or got phished is incredible arrogance.

JaFa
06-23-2013, 04:32 PM
Authenticators aren't the end-all solution a lot of people make them out to be. I had my Diablo 3 account compromised last year, even with an authenticator attached. A trojan found its way onto my computer, even though I thought I had all the protections in place. Unique 16 character alphanumeric passwords for each and every app and website stored on a piece of paper by my computer. Two anti-virus, anti-malware monitoring tools. No mysterious exe's downloaded. No phishing emails... although phishing emails usually only get the computer novice.

To this day I still don't know how the trojan got on my system. My best guess is a flash game was compromised with a zero day trojan, since I run a few flash gaming sites I play a lot of flash games. The moral of the story is don't think your authenticator is a 100% secure solution.

Someone mentioned Steam and how they email you if you login from a new IP address. That is a pretty good solution as it forces any computer breach to access your email account as well as your game client. IP tracking with an authenticator would be a solid combination to protect an account.

Punk
06-23-2013, 04:43 PM
Authenticators aren't the end-all solution a lot of people make them out to be. I had my Diablo 3 account compromised last year, even with an authenticator attached. A trojan found its way onto my computer, even though I thought I had all the protections in place. Unique 16 character alphanumeric passwords for each and every app and website stored on a piece of paper by my computer. Two anti-virus, anti-malware monitoring tools. No mysterious exe's downloaded. No phishing emails... although phishing emails usually only get the computer novice.

To this day I still don't know how the trojan got on my system. My best guess is a flash game was compromised with a zero day trojan, since I run a few flash gaming sites I play a lot of flash games. The moral of the story is don't think your authenticator is a 100% secure solution.

Someone mentioned Steam and how they email you if you login from a new IP address. That is a pretty good solution as it forces any computer breach to access your email account as well as your game client. IP tracking with an authenticator would be a solid combination to protect an account.

Out of date Java could cause your computer to be compromised. Java has had a few instances with bad updates over the last 12 months.

Another way would be if you watched any of the high rated players of Diablo 3 on their live streams. Long story with this one, but viewers of this stream, regardless of the stream being through Twitch, were getting hacked.

Lastly, would be downloading user content through game clients. The last significant issue of this type would be back when Dota was popular and people would create their own content for Warcraft 3. When you connect to their game, you would download the "map" which was actually a virus. This spread like wildfire for everyone who played Warcraft 3 multiplayer or any Mod. Blizzard had to bring down all of their servers for an entire day and put their "Legacy" team on the case to solve this.

Here are a few unorthodox methods off the top of my head.

Lafoote
06-23-2013, 04:43 PM
Fuck. No.

Some of us can manage our password security without the unnecessary layers that require buying a smartphone or another physical thing we can just lose. Some of us don't fall for phishing scams, or use easy-to-guess passwords, or download keyloggers. If you are a person who does these things, then having the authenticator available is a good idea, but making it mandatory? Uh uh. No.

I said that once upon a time. Then, my WoW account got hacked. I'm not going to name names, but I know with 100% certainty that a "trusted" raid add on site was responsible.

I wouldn't suggest making them mandatory, but I'll take an authenticator, and if you're smart, you'll trust me and get one for yourself.

TheHangedMan
06-23-2013, 04:52 PM
I don't think mandatory authenticators are a good idea, especially since they'd only cut down, not eliminate, the hacking issue.

This and all the posters employing this argument are falling prey to the perfect solution fallacy. There is no, and will never be, a perfect solution to eliminating hacking. That doesn't mean we should use every option at our disposal to reduce it however.

After reading all 11 pages none of the posters against authenticators have offered a logical reason to not have them. They always have free options available, use no more time than a password, and help protect your account. It just represents another unique layer of identification along with your password. So...why not?

true
06-23-2013, 04:56 PM
Required no. You should be able to play the game without it.

But
One you should be able to tell if the person you're trading/selling to is using one (Kinda how WoW does it) to protect you from getting rolled back because someone else is being hacked.

Two some sort of spending limit like $20 bucks per week or something without one to protect someone running up $10,000 credit card bill on a stolen account.

Three a physical authenticator and a mobile version are needed, I would prefer if they used the Google authentication standard so I don't need a new app and they don't need to make a version for every phone type since it's a standard and there are already apps for all phones.

DreamPuppet
06-23-2013, 05:01 PM
Mr.Funsocks sounds like the old wow friend from my story on page 1...lol. Never going to happen because I'm smarter than everyone.

XagoTrunk
06-23-2013, 05:01 PM
Two some sort of spending limit like $20 bucks per week or something without one to protect someone running up $10,000 credit card bill on a stolen account.
Yea, I'm sure CZE would love that idea.

Yoss
06-23-2013, 05:10 PM
Yes, it most certainly can be possible, but may not be applicable in a lot of scenarios.

Hacker takes a card and sells on AH.
Player A buys this card.

This is pretty straight forward and can be refunded very easily in this sense. But now look at it if more time had passed and more actions were taken:

Hacker takes a card and sells on the AH.
Player A buys this card.
Player A trades this card to Player B.
Player B sells this card on the AH.
Player C buys this card.
Player C trades this over to Player D.
Player D gifts this card to Player E.

Now the chain of events affects Player A -> Player E. If the card is taken from Player E and given to Player A, what happens to all of the transactions between Player B and Player D?

That is really what I wanted people to be aware of. I had a 60 page discussion on this same practice on the Blizzard forums regarding their practices with other members of that community.
I will answer this and your other post (link) simultaneously. First off, no duplicates (item 2 in the linked post), therefore we just have to deal with item 1 (which is also what your quote above goes into in more detail).

Here's the rollback for your scenario:
Player H (hacked) gets Card H back from E, gives money back to A.
Player A gets money back from H, gives Card B back to B.
Player B gives money back to C, gets Card B back from A.
Player C gets money back from B, gives Card D back to D.
Player D gets Card D back from C.
Player E gives card back to H.
Players A, B, C, D, E, and H all receive notification.

Will anyone in the chain be mad? Probably, but no one is "totally screwed" by it. At worst they lost the time associated with their transactions. Crime costs the community, and here you see the effect.


if you got a pack from a hacked account and drafted with it, what to do about that?
I already answered this in post 86 (linked). Short story: you just roll back the booster, nothing else.

EDIT:
By the way, I expect the CZE programmers to be smart enough to automate scenarios like the one above to the point where a CZE rep just has to enter an account number and time/date into a script and all transactions for that account after that time and date get rolled back. I would also expect said action to only occur during server reset.
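An added sketch of the script described in the post above, not part of the original post and not CZE's code: given a compromised account and a cutoff time, it walks a transfer ledger and emits the same reversal steps listed for Players H through E. The `Transfer` schema, the field names, and the sample ledger are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    ts: int                      # when the item changed hands
    item: str                    # unique id of the item that moved src -> dst
    src: str
    dst: str
    price: int = 0               # currency dst paid to src (auction sale)
    swap: Optional[str] = None   # item dst gave src in exchange (trade)


def plan_rollback(ledger, victim, since):
    """Plan reversals for everything that left `victim` at or after `since`."""
    ledger = sorted(ledger, key=lambda t: t.ts)
    actions, notify, review, seen = [], set(), [], set()
    for theft in ledger:
        if theft.src != victim or theft.ts < since or theft.item in seen:
            continue
        seen.add(theft.item)
        # Follow the item hop by hop from the victim to its current holder.
        chain, holder = [], victim
        for t in ledger:
            if t.item == theft.item and t.ts >= theft.ts and t.src == holder:
                chain.append(t)
                holder = t.dst
        if holder != victim:
            actions.append(("return_item", theft.item, holder, victim))
        # Make every intermediate party whole again.
        for t in chain:
            notify.update((t.src, t.dst))
            if t.price:
                actions.append(("refund", t.price, t.src, t.dst))
            if t.swap:
                moved = any(u.item == t.swap and u.ts > t.ts for u in ledger)
                if moved:
                    # The traded-away item has moved on; it needs its own case.
                    review.append((t.swap, t.src, t.dst))
                else:
                    actions.append(("return_item", t.swap, t.src, t.dst))
    return {"actions": actions, "notify": notify, "review": review}


# Constructed sample ledger mirroring the scenario in the thread.
SAMPLE_LEDGER = [
    Transfer(50, "card-old", "H", "Z", price=3),     # before compromise: untouched
    Transfer(110, "card-H", "H", "A", price=20),     # hacker sells on the AH
    Transfer(120, "card-H", "A", "B", swap="card-B"),
    Transfer(130, "card-H", "B", "C", price=22),
    Transfer(140, "card-H", "C", "D", swap="card-D"),
    Transfer(150, "card-H", "D", "E"),               # gift
]

if __name__ == "__main__":
    plan = plan_rollback(SAMPLE_LEDGER, victim="H", since=100)
    for step in plan["actions"]:
        print(step)
    print("notify:", sorted(plan["notify"]))
    print("manual review:", plan["review"])
```

The `review` list captures the case where an item given in trade has itself been passed on, which cannot be undone without opening a second rollback.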

OutlandishMatt
06-23-2013, 05:45 PM
If I am not mistaken, doesn't Diablo 3 have unique identifiers associated with each item?

Hibbert
06-23-2013, 05:48 PM
A booster pack seems harder (as the quotes here have pointed out), but it's actually not much harder. When you roll back a pack, you just increment or decrement the booster count in the right accounts, along with the currency returns and a note or email of notification to all parties. You don't worry about the cards that were in the pack. Yes, this means someone might go into negatives for boosters, but all that means is that they need to go rebuy a pack with the same money they used the first time (or just wait for the next pack to show up from VIP or whatever). Simple, effective.

I don't think it would be that simple. What if it was an out of print pack? It would effectively "print" a new booster if it was rolled back.

Plus, I'd be pretty upset if I ended up with negative boosters. It's entirely possible I purchased those packs at fair market price and had zero indication they were "hot". Sure I would get my plat back, but that might not be enough. If the price of boosters went up between the time I purchased the "hot" pack and the time I purchased more packs, I'd be down money just getting my account back to zero boosters.

Gwaer
06-23-2013, 06:06 PM
I don't think it would be that simple. What if it was an out of print pack? It would effectively "print" a new booster if it was rolled back.

Plus, I'd be pretty upset if I ended up with negative boosters. It's entirely possible I purchased those packs at fair market price and had zero indication they were "hot". Sure I would get my plat back, but that might not be enough. If the price of boosters went up between the time I purchased the "hot" pack and the time I purchased more packs, I'd be down money just getting my account back to zero boosters.
Crime hurts the entire community, you should be upset at the hackers for losing that couple of cents.

Punk
06-23-2013, 06:21 PM
I will answer this and your other post (link) simultaneously. First off, no duplicates (item 2 in the linked post), therefore we just have to deal with item 1 (which is also what your quote above goes into in more detail).

Here's the rollback for your scenario:
Player H (hacked) gets Card H back from E, gives money back to A.
Player A gets money back from H, gives Card B back to B.
Player B gives money back to C, gets Card B back from A.
Player C gets money back from B, gives Card D back to D.
Player D gets Card D back from C.
Player E gives card back to H.
Players A, B, C, D, E, and H all receive notification.

Will anyone in the chain be mad? Probably, but no one is "totally screwed" by it. At worst they lost the time associated with their transactions. Crime costs the community, and here you see the effect.


I already answered this in post 86 (linked). Short story: you just roll back the booster, nothing else.

EDIT:
By the way, I expect the CZE programmers to be smart enough to automate scenarios like the one above to the point where a CZE rep just has to enter an account number and time/date into a script and all transactions for that account after that time and date get rolled back. I would also expect said action to only occur during server reset.


Yes, technically all the steps you posted would fix the issue at hand. Unfortunately, there are two major points that I have referenced previously for when this is "fixed:"

1.) This series of steps just inconvenienced 6 players in the community.

2.) This series of steps just fixed 1 card. If a rollback system is set in place, you will see this type of system attempt to be abused multiple times a day for all cards on the account.

Let's break this down even further now. We will say only two accounts are reported compromised per day (extremely low variable), and those accounts have 1,000 (extremely low variable) cards on them. This is 2,000 cards per day that are reported compromised. Potentially, this is 12,000 players inconvenienced per day.

There are even more factors to take into effect for the inconvenience:


What about the player that has been watching the price of a super rare card on the AH that normally goes for $25 and was able to get it for $20 when the prices were at a low! That is the deal they were holding out for. They end up buying this card and it is taken away from them and they get their $20 back. This is a scenario that they had specifically waited for that may never come again.
Another example would be spending a good amount of time finding cards you want to trade for and working out the trade with this person. I know personally I have spent upwards of an hour finding a good trade value on MTGO. If they came back and reversed this trade the next day, I would be extremely frustrated.


Even with these minimum variables used, this would be an extreme frustration to all players, PvE and PvP, every day.

So really, in conclusion, there are three options here that I can see:

1.) Frustrate people every day with rollbacks.
2.) Have duplicated items exist and destroy the economy.
3.) Do not allow anything on an account to be restored that is not account bound (mercenaries, etc.). No cards, no booster packs, nothing.

djlowballer
06-23-2013, 06:27 PM
http://adblockplus.org/en/chrome

https://chrome.google.com/webstore/detail/scriptsafe/oiigbmnaadbkfbmpbfijlflahbdbdgdf?hl=en

I'm not opposed to it existing. I'm opposed to it being MANDATORY for those of us who know how to avoid security breaches.

Those who claim they "know" how to avoid security breaches usually don't know much about information security. The most elementary concept in infosec is accepting your accounts or servers will be breached at some point. You mitigate this reality by making it harder for attackers to gain access to the data (2FA, Certificate based auth, etc...) and rationally segregate data as much as possible to contain the damage of any breach.

You are free to say that you don't want the inconvenience of 2FA but don't try to say it's for anything other than personal preference. There is absolutely no security reason to forgo 2FA when it is so cheap to implement.

Aradon
06-23-2013, 06:41 PM
This and all the posters employing this argument are falling prey to the perfect solution fallacy. There is no, and will never be, a perfect solution to eliminating hacking. That doesn't mean we should use every option at our disposal to reduce it however.

Just to clarify, I think my argument's been a bit misunderstood. If authentication systems could stop hacking altogether, and therefore remove the need to have a rollback system, then I'd understand a mandatory authentication system; the game requires it to maintain its integrity. However, in reality, we need a system to handle hacked accounts anyways, so I don't believe that mandatory authenticators is a good idea. Sure, I definitely agree that authenticators are great, and will absolutely be using one on my account, but I don't think that there is any sufficient reason to push it on people who don't want the second layer to go through.

I'm not saying that just because it doesn't solve the problem 100% we shouldn't bother with it, I'm saying that because it doesn't eliminate the need for a whole other system, it's not necessary for proper function, and therefore shouldn't be mandatory. I'm more interested in a strong rollback/hack support system being in place as a better solution than mandatory authenticators.

Yoss
06-23-2013, 06:43 PM
@Hibbert:
I hadn't thought about the "out of print" issue for packs. Maybe those would not be recoverable if they've been opened. I'm open to hearing ideas for this.

@Hibbert & Punk:
I'd vote for item 1 (daily roll-backs), and yeah, it would suck, but it would suck less than the other two options. Crime hurts the whole community, IRL and online. That's why we should have mandatory authentication for any account that wants to transact in Platinum or $US (user choice of various methods to suit their needs maybe), and offer optional authentication for free-to-play. It's why we as a community should do our best to prevent and report all malicious behavior. Also, if someone declines authentication, they would not be allowed to request rollbacks.

blakegrandon
06-23-2013, 06:53 PM
Those who claim they "know" how to avoid security breaches usually don't know much about information security. The most elementary concept in infosec is accepting your accounts or servers will be breached at some point. You mitigate this reality by making it harder for attackers to gain access to the data (2FA, Certificate based auth, etc...) and rationally segregate data as much as possible to contain the damage of any breach.

You are free to say that you don't want the inconvenience of 2FA but don't try to say it's for anything other than personal preference. There is absolutely no security reason to forgo 2FA when it is so cheap to implement.

This, a second layer of protection that takes 10 seconds or less to input is absolutely worth it.

I am kind of curious if the authenticator will be available during beta, after all there is no wipe after beta so the risk is there that you could lose your kickstarter packs to hacks if there is a compromise.

Punk
06-23-2013, 07:36 PM
@Hibbert & Punk:
I'd vote for item 1 (daily roll-backs)...

You're off my birthday party list.


@Hibbert & Punk:
...and yeah, it would suck, but it would suck less than the other two options. Crime hurts the whole community, IRL and online. That's why we should have mandatory authentication for any account that wants to transact in Platinum or $US (user choice of various methods to suit their needs maybe), and offer optional authentication for free-to-play. It's why we as a community should do our best to prevent and report all malicious behavior. Also, if someone declines authentication, they would not be allowed to request rollbacks.

I think option 3 would be the best on the overall since it is Cryptozoic's job to make sure that their system does not get breached and to assist in any way possible so the login process does not get compromised. It is not their responsibility for me to maintain my computer or what I do with that login information.

Even though I do not agree with your choice, I do respect your opinion, Yoss.

Two ideas that I thought of on the way home regarding authenticators were:

1.) Final Fantasy XI's unique login. Their login process definitely helped prevent key loggers. When you went to the login screen on the PC version, you typed in your username like normal, but when you got to your password, they had every applicable character that you can use in a password as a button you could click on. Instead of typing in your password with your keyboard, they allowed you to click the letters that you wanted to use so there were no keystrokes to detect. I thought this was super innovative!

2.) This one is somewhat unique, but whenever you login with your password successfully, you are prompted with a random security question from your account information. If you get the security question correct, you are logged in. If you get it wrong, then you are emailed to notify you that someone has logged in with your password but they failed to answer a security question. Maximum login attempts would be 3 before you have to wait 5-10-15 minutes. Every 30/60/90 days when you successfully login, you have a box pop up that lets you change your security question/answers. This would not only add a little more security on top of an authenticator, but it would also notify you when someone knows your password! Maybe mix in the GW2 login notifications for outside IP addresses as well and this could be a pretty cool implementation. Of course, something you can opt out of.

Cryptozoic,

I will take 1 of each of your securities, please.

Sincerely,
Punk

Yoss
06-23-2013, 10:08 PM
For the purposes of the Requests to CZE thread, since Mr.Funsocks called me out as a liar, I present to you all the full tally of votes on this, overwhelmingly in favor.

(http://forums.cryptozoic.com/showthread.php?t=25844)

In favor of authenticators
Banquetto (post 6)
blakegrandon (post 13)
Brumby66 (post 32)
Chiany (post 3)
Corpselocker (post 20)
djlowballer (post 116)
DreamPuppet (post 4)
grey0one (post 44)
Gwaer (post 56)
Hibbert (post 40)
JaFa (post 104)
jai151 (post 10)
keroko (post 33)
majin (post 63)
maniza (post 85)
MrSeriousBsns (post 5)
OutlandishMatt (post 1)
Rydavim (post 8)
sckolar (post 68)
TheHangedMan (post 64)
Yoss (post 35)
Zoelef (post 2)

In favor, prefer optional, even for real money
Apparition (post 11)
Gridian (post 39)
Lafoote (post 106)
Malicus (post 12)
Punk (post 17)
Shadowelf (post 83)
ShadowTycho (post 65)
true (post 108)

Uncertain / Mixed feelings / Other
Wombat (post 7)
Xintia (post 72)

Against, ok if it's optional
Aradon (post 103)
Kietay (post 77)
Mr.Funsocks (post 9)
regomar (post 42)
Zomnivore (post 81)

wildcard
06-23-2013, 10:23 PM
Props for tallying, but that also means only 37 people have voiced an opinion on this subject, and that leaves 99.8% of the 17,765 backers out of the conversation. I think we should leave these as open suggestions to CZE without making claims about majorities or consensus.

Gwaer
06-23-2013, 10:26 PM
As I said in the primary thread it doesn't matter what the majority is, CZE will look at the threads and take from them what they will. There's no need to defend it.

Yoss
06-23-2013, 10:34 PM
Right, and as I also said over there, we can only crunch data we have. It's a sample. Though imperfect, it does supply useful information.

jai151
06-24-2013, 05:49 AM
Just pointing out you have me as for, but I do not support the opinions as put forth in the "request" thread.

You have on that thread,"


Account authentication should be optional for free-to-play.
Account authentication should be required for all Platinum and real money transactions.
Account authentication should have options to streamline based on user situation and preference. Examples: only for the first time on a given device versus every log-in; email versus text message versus physical dongle versus phone call.


"

However I would not support that setup. I would support mandatory authentication. I would not support optional with a mandatory on Platinum/RM transactions as it wouldn't accomplish anything. Since the authenticator is free, all that would mean is the person gets hacked and then the hacker throws a free authenticator on to do the plat/RM transactions. In fact, that's what would happen in any optional situation, as it throws roadblocks in front of the real owner of the account in their attempts to reclaim it.

ZeroCool
06-24-2013, 06:49 AM
Mandatory? No. I think it should be highly recommended, but nothing should be Mandatory.

Give me the choice.

Viziroth
06-24-2013, 06:52 AM
Only if they offer physical authenticators AND e-mail authentication: I don't have a smart phone and I don't pay for texts on my phone o.O texting is evil and destroying the English language and society as a whole.

Vomitlord
06-24-2013, 07:17 AM
Not mandatory but I will certainly use a physical authenticator. no smart phone crap. I'm way behind the times phone wise

OutlandishMatt
06-24-2013, 07:23 AM
Everyone keeps talking about physical authenticators but I haven't heard they were doing those.

H3avyM3talH3r0
06-24-2013, 07:28 AM
Using authenticators is a good idea. I use them on all my accounts that allow them. Is it a hassle when I need to go into the other room to grab my phone so I can log in? Sure, but it's also a hassle to get my keys to open my front door when I have groceries. I still lock my door when I leave. I never had an account hacked. Is that because of the authenticator or luck? I don't know. Because of this I never had to go through the steps to recover a compromised account but I'm sure it's more trouble than using an authenticator.

With that said I believe it should not be mandatory even if it is a good idea. Just like it's not required to lock your door. I probably have been spending just as much money on F2P games recently than I have in WOW or other retail games so I will take the extra steps, and inconveniences, to help protect those investments. I would rather CZE spent time and resources to better the game than restore accounts.

Gwaer
06-24-2013, 08:20 AM
This whole thing comes down to security, it's a free option to have email authentication. It's honestly like asking if passwords should be mandatory, things are moving towards everything having authenticators, there are literally 0 reasons not to do it, it's best for everyone.

ZeroCool
06-24-2013, 08:25 AM
This whole thing comes down to security, it's a free option to have email authentication. It's honestly like asking if passwords should be mandatory, things are moving towards everything having authenticators, there are literally 0 reasons not to do it, it's best for everyone.

You're foolish not to opt in for some type of authenticator, be it physical/text/e-mail; however, it shouldn't be mandatory. If someone is dumb enough not to opt in for the added security, this should be taken into consideration when they file a report/ticket after they're hacked.

Pro: Authenticator Option
Con: Authenticator Mandatory

jai151
06-24-2013, 08:29 AM
You're foolish not to opt in for some type of authenticator, be it physical/text/e-mail; however, it shouldn't be mandatory. If someone is dumb enough not to opt in for the added security, this should be taken into consideration when they file a report/ticket after they're hacked.

Pro: Authenticator Option
Con: Authenticator Mandatory

The issue is it being optional is a direct detriment on the community as a whole, as support staff will be tied up with issues from people who didn't use the protection in place. It's easier on everyone involved to make some level of authentication mandatory.

ZeroCool
06-24-2013, 08:34 AM
The issue is it being optional is a direct detriment on the community as a whole, as support staff will be tied up with issues from people who didn't use the protection in place. It's easier on everyone involved to make some level of authentication mandatory.

The protection will be in place for those who want to use it. Like I said, you're an idiot if you don't take advantage of it. However, if you don't take advantage of it, people will take advantage of you. That's the people's choice. Doesn't concern me, nor should it concern you what others do.

jai151
06-24-2013, 08:37 AM
The protection will be in place for those who want to use it. Like I said, you're an idiot if you don't take advantage of it. However, if you don't take advantage of it, people will take advantage of you. That's the people's choice. Doesn't concern me, nor should it concern you what others do.

It concerns me when it affects me. When I am forced to wait longer for a response to a ticket because someone didn't use the security options, I have to wonder why the options aren't mandatory. If only an idiot wouldn't use the option, why should we cater to the whims of idiots?

ZeroCool
06-24-2013, 08:42 AM
It concerns me when it affects me. When I am forced to wait longer for a response to a ticket because someone didn't use the security options, I have to wonder why the options aren't mandatory. If only an idiot wouldn't use the option, why should we cater to the whims of idiots?

People like options. I like options. I'm also intelligent enough to know it's worth the extra steps to authenticate my account. I don't cater to idiots nor should Hex, but I let idiots be idiots as should Hex.

Like I suggested earlier, maybe those who refuse to use an authenticator shouldn't get priority in the queue for a security issue?

Punk
06-24-2013, 08:48 AM
People like options. I like options. I'm also intelligent enough to know it's worth the extra steps to authenticate my account. I don't cater to idiots nor should Hex, but I let idiots be idiots as should Hex.

Like I suggested earlier, maybe those who refuse to use an authenticator shouldn't get priority in the queue for a security issue?

The more I have been thinking about it, the more I like the idea that you cannot add Plat to your account (or any other real money type transactions) unless you have an authenticator enabled.

Also, I must say, I dig the username. One of my favorite movies ever. (assuming it is from Hackers and not in reference to the novel)

ZeroCool
06-24-2013, 08:53 AM
The more I have been thinking about it, the more I like the idea that you cannot add Plat to your account (or any other real money type transactions) unless you have an authenticator enabled.

Also, I must say, I dig the username. One of my favorite movies ever. (assuming it is from Hackers and not in reference to the novel)

I like this idea too. I can't imagine why people wouldn't want to protect their accounts. A lot of silly folks out there. I live in Jersey, and after Sandy destroyed everything people started to rebuild. In some shore towns, it was recommended to people to allow the town to build dunes to prevent their houses from getting destroyed again. Believe it or not, there are several dozen people who are not allowing the dunes to be built in front of their houses. Just goes to show, people can be idiots.

Thank you, it is easily my favorite movie.

jai151
06-24-2013, 09:34 AM
People like options. I like options. I'm also intelligent enough to know it's worth the extra steps to authenticate my account. I don't cater to idiots nor should Hex, but I let idiots be idiots as should Hex.

Like I suggested earlier, maybe those who refuse to use an authenticator shouldn't get priority in the queue for a security issue?

While it's nice in theory to not give priority to hacked accounts without authenticators, you can't exactly kick them to the back when the ticket is in process. Aside from some people who don't want to be bothered not being bothered, what benefit is gained from it being an optional system?

And while it's nice to say "X can only be done with an authenticator," as the authenticator is free, nothing is stopping the hackers from sticking one on an account after they get in. And that alone adds significant time and work to every incident.

Xenavire
06-24-2013, 10:13 AM
I have read the entire thread, and I have something to say. I think it SHOULD be mandatory, but with multiple options.

Option one: Low level security (Desktop authenticator). Obviously open to everyone to use, works from your desktop. Small download, unique key attached to your account.

Option 2: Medium level security (Smartphone app). Requires a smartphone (or something with the correct OS). Works the same as you would expect. Only lower than physical due to the nature of the OS and the higher chance to lose it while you are out, but that is more likely going to be inconvenient, rather than getting the account stolen.

Option 3: High level security: (Physical authenticator). Speaks for itself, only better than the smartphone for people who tend to lose phones etc.

Automatic: Steam style login checker. Every new PC/Tablet etc needs to be authorised via email.

So you simply pick one of the authenticators and authorise the systems you want to play it on. If you have PC and no smartphone/do not want to buy a physical authenticator, you get the desktop version. Added security, if not completely foolproof, and completely free. Otherwise you take the smartphone/physical authenticator. Tablet versions use the smartphone version (perhaps with an autofill function for ease of use?)

Seems simple enough, everyone is more secure, no-one is forced to pay a cent.

Punk
06-24-2013, 10:33 AM
While it's nice in theory to not give priority to hacked accounts without authenticators, you can't exactly kick them to the back when the ticket is in process. Aside from some people who don't want to be bothered not being bothered, what benefit is gained from it being an optional system?

And while it's nice to say "X can only be done with an authenticator," as the authenticator is free, nothing is stopping the hackers from sticking one on an account after they get in. And that alone adds significant time and work to every incident.

Rift makes you call them if you want to remove an authenticator from your account. They also have you verify normal account information along with a few pieces of information that are not viewable or changeable. I lost my phone and had to call them to take it off as I was using a Mobile Authenticator. This may be a solution to your concern. It may be a lot more work for Cryptozoic if they have to have someone call in whenever they change authenticator methods.

Hopefully, this Friday's update will shed some light on what they have planned for security.

Yoss
06-24-2013, 10:55 AM
I have read the entire thread, and I have something to say. I think it SHOULD be mandatory, but with multiple options.

Option one: Low level security (Desktop authenticator). Obviously open to everyone to use, works from your desktop. Small download, unique key attached to your account.

Option 2: Medium level security (Smartphone app). Requires a smartphone (or something with the correct OS). Works the same as you would expect. Only lower than physical due to the nature of the OS and the higher chance to lose it while you are out, but that is more likely going to be inconvenient, rather than getting the account stolen.

Option 3: High level security: (Physical authenticator). Speaks for itself, only better than the smartphone for people who tend to lose phones etc.

Automatic: Steam style login checker. Every new PC/Tablet etc needs to be authorised via email.

So you simply pick one of the authenticators and authorise the systems you want to play it on. If you have PC and no smartphone/do not want to buy a physical authenticator, you get the desktop version. Added security, if not completely foolproof, and completely free. Otherwise you take the smartphone/physical authenticator. Tablet versions use the smartphone version (perhaps with an autofill function for ease of use?)

Seems simple enough, everyone is more secure, no-one is forced to pay a cent.
This seems like a good plan. I'm curious what the various nay-sayers think of it.

ZeroCool
06-24-2013, 12:20 PM
This seems like a good plan. I'm curious what the various nay-sayers think of it.

I don't think there should be tiered authentication. It's either you have it, or you don't.

Gwaer
06-24-2013, 12:23 PM
I don't think there should be tiered authentication. It's either you have it, or you don't.
Why?

Xenavire
06-24-2013, 12:50 PM
It isn't technically tiered - just what is advised to have. Anything stored on your PC is at risk, so it wouldn't be advised to use the desktop authenticator if you had other options - however it is a LOT safer than nothing. Having it means the company being breached will not risk your account as quickly or easily as having nothing, but it is at risk to someone hacking your PC directly (which means you would need to keep tabs on where you browse etc.)

It does protect against simple things like keyloggers however, so it is somewhat hack-protected.

Anything not on the PC will be inherently better as long as you don't lose it.

But the main idea is to have protection for everyone, for free.

sckolar
06-24-2013, 02:52 PM
Optional Authenticators? -yes
Mandatory? - NO

Gwaer
06-24-2013, 02:53 PM
Optional Authenticators? -yes
Mandatory? - NO
Why?

Xenavire
06-24-2013, 03:46 PM
To be fair, I don't see why mandatory authentication is a big issue if it is free. Look at Captcha. The stuff is frigging everywhere. It takes about 2 seconds to deal with.

Several games have similar mandatory things (usually to stop bots, but the concept is more or less the same) like Maplestory and Ragnarok Online 2: Legend of the Second. Both use pincodes as an extra layer of login, both have large playerbases in multiple countries, and no-one bats an eye.

It would be purely beneficial (barring the 10 seconds it takes you to get your code and type it in). If it is a once a week per PC thing like you can do with WoW, that becomes 10 seconds per week, adding up to 550 seconds per year. How horrible!

I see some people being annoyed, but when it is free and protects your account, they will get over it pretty quick.

sckolar
06-24-2013, 03:53 PM
Why?

Not everyone likes the authenticators. I personally do, but some people prefer not to have it. I don't think it should be up to someone else whether or not an individual should have one or not. Just the freedom of choosing is more comforting, I would think.

Xenavire
06-24-2013, 04:03 PM
I agree that choice is usually the way I would go - freedom to choose is important. But Hex is going to have a large secondary market, and will be a HUGE target for theft. When someone can steal an entire account's worth of cards and sell them all for out of game currency (which will be untrackable, and unrefundable) Cryptozoic can only return the cards back to the rightful owner, leaving someone short a few bucks (or a few hundred).

Authentication is step one to stopping theft (and safer than leaving it up to the individual, as a majority do not know how), and when it is free protection it hurts no-one. If you could have a bodyguard day and night when you travel in the dangerous part of town, completely free, would you turn it down? A free home security system? Free fire alarms? The principle is the same.

Having optional authenticators is fine, but how many people would be ignorant enough to not get one? Or choose not to, thinking they are safe? Cryptozoic could protect themselves and their players. I don't see that as being negative in any way, even if it takes away the choice. It shouldn't become commonplace to force things on consumers, but this is a case where I would support it (when there are no drawbacks compared to the large benefits).

TheHangedMan
06-24-2013, 04:04 PM
Not everyone likes the authenticators. I personally do, but some people prefer not to have it. I don't think it should be up to someone else whether or not an individual should have one or not. Just the freedom of choosing is more comforting, I would think.

Not everyone likes passwords either but they are mandatory. How many people these days refuse to participate online because they are required to use a password? Probably right around zero. People still balk at authenticators, and other second tier forms of security, mainly because they are new. However, passwords are quickly becoming an obsolete and ineffective form of protection, and I for one welcome our new security overlords.

Punk
06-24-2013, 04:08 PM
Not everyone likes the authenticators. I personally do, but some people prefer not to have it. I don't think it should be up to someone else whether or not an individual should have one or not. Just the freedom of choosing is more comforting, I would think.

Throughout this thread, there have been a few people who do not want authenticators to be mandatory even after stating scenarios that they are free. Not one person who has stated that they do not want to use authenticators has given one valid reason why. Specifically, we are trying to determine if this push back is from ignorance, which can be resolved by information, or if the push back is from unwillingness to learn.. or another reason that no one has been able to pinpoint as of yet, such as rational thought neglect.

Until someone gives a good reason why a free, mandatory and easy to use Authenticator or 2-step authentication method would be a bad thing, I think we are going to continue to question it. If there are only pros and no cons, why would people say no?

Xenavire
06-24-2013, 04:13 PM
Like I said, I read every post here, and the only logical argument against was simply the cost (either of smartphone or a physical dongle) which I effectively answered. Anything else so far has been people claiming they are flawless and can never be hacked, and while that MIGHT be true, they are not all going to be flawless 24/7, and will be at risk. We should save them from themselves! (But seriously, there is no reason to refuse free extra protection - if you are that paranoid you should be frothing at the mouth for MORE.)

MoikPEI
06-24-2013, 04:28 PM
I think we shouldn't under-estimate the power of laziness over time.
I have the Blizzard iOS Authenticator for my iPod which has since been restored. All I need to do is take five minutes, re-install the app, and punch the serial code back in then I can play D3 again.
Haven't done that.
So, it shuts down my urges to play D3 each time. I just go and play Path of Exile instead, because no inhibitors, immediate satisfaction.

I feel that mandatory authenticators, especially if they use an intermediary device, could exacerbate attrition.

Personally, I'd be happiest with e-mail authentication such as Guild Wars 2 does each time I'm on a new IP. I'm unlikely to lose access to my email.

sckolar
06-24-2013, 04:48 PM
Throughout this thread, there have been a few people who do not want authenticators to be mandatory even after stating scenarios that they are free. Not one person who has stated that they do not want to use authenticators has given one valid reason why. Specifically, we are trying to determine if this push back is from ignorance, which can be resolved by information, or if the push back is from unwillingness to learn.. or another reason that no one has been able to pinpoint as of yet, such as rational thought neglect.

Until someone gives a good reason why a free, mandatory and easy to use Authenticator or 2-step authentication method would be a bad thing, I think we are going to continue to question it. If there are only pros and no cons, why would people say no?

Perhaps it is an extra step. Through working at a doctor's office, I have found that people hate taking extra steps during their appointment. Questions that made the appointment take longer annoyed them. I'm not sure if this is the reason, but possible.

Aradon
06-24-2013, 04:53 PM
Quick and easy: because some people don't want it, so it shouldn't be mandatory. Some people are lazy, but it's their own stuff at risk, so they can be as lazy as they like with it.

Xenavire
06-24-2013, 04:59 PM
Well, I mentioned using an autofill feature for tablets - what if the desktop version did the same? You just boot up your game, it autofills your authenticator information, done.

Would that satisfy the lazy player? This line of thought has me interested, as I have a dongle for WoW and it hasn't ever stopped me playing if I felt like it (although it has delayed me on days I am sick or otherwise tired.)

Gwaer
06-24-2013, 05:32 PM
I think we shouldn't under-estimate the power of laziness over time.
I have the Blizzard iOS Authenticator for my iPod which has since been restored. All I need to do is take five minutes, re-install the app, and punch the serial code back in then I can play D3 again.
Haven't done that.
So, it shuts down my urges to play D3 each time. I just go and play Path of Exile instead, because no inhibitors, immediate satisfaction.

I feel that mandatory authenticators, especially if they use an intermediary device, could exacerbate attrition.

Personally, I'd be happiest with e-mail authentication such as Guild Wars 2 does each time I'm on a new IP. I'm unlikely to lose access to my email.

OR, path of exile is just a better game, and you don't want to play d3 as much. 'cause it is so much better.

Xenavire
06-24-2013, 05:38 PM
I also don't play diablo that much. That has nothing to do with my authenticator. I think that just shows the quality of the game (or the replay factor) more than laziness winning over. I enjoy WoW despite needing to grind, I dislike Diablo3 sometimes for those exact reasons. I do like my monk, and I enjoy bashing demons and undead, but it just isn't compelling.

I see myself playing Hex daily even if I have to input 6 passwords.

Kietay
06-24-2013, 05:39 PM
Quick and easy: because some people don't want it, so it shouldn't be mandatory. Some people are lazy, but it's their own stuff at risk, so they can be as lazy as they like with it.

Freedom is the best.

Gwaer
06-24-2013, 05:45 PM
Quick and easy: because some people don't want it, so it shouldn't be mandatory. Some people are lazy, but it's their own stuff at risk, so they can be as lazy as they like with it.
Some people don't want to mess with passwords; they still have to. It's not their own stuff at risk: you get hacked, I buy stuff that was from you, it inconveniences me if that gets rolled back. It's better for everyone to spend negligible time to be more secure.

MoikPEI
06-24-2013, 06:07 PM
OR, path of exile is just a better game, and you don't want to play d3 as much. 'cause it is so much better.

Blizzard's actually done some content patches recently that I kinda wanna czech out. Probably gonna give it another shot between now and Hex alpha access. Gave Path another shot after they redid loot (I'm one of the casuals who complained at length for instanced loot). Both cases I put about 300 hours into the game. Doesn't match the 500ish I'm coming up on in GW2. So much new content so often! If CZE can match ArenaNet for pace and polish, I'd put up with mandatory authentication.

Yoss
06-24-2013, 06:19 PM
Quick and easy: because some people don't want it, so it shouldn't be mandatory. Some people are lazy, but it's their own stuff at risk, so they can be as lazy as they like with it.
Except it's not just their stuff at risk, because their account is enabled to trade with other accounts. Why should I suffer for someone else's laziness? Make them authenticate, I say! If authentication is only once per device/IP combination, it's hardly an intrusion at all.

OutlandishMatt
06-24-2013, 08:08 PM
It is a little sad that some people don't think of the rest of the community when it comes to using an authenticator and how it will affect everyone else if they do not.

Pech
06-24-2013, 09:37 PM
I do not think mandatory authenticators are necessary; maybe as a side product or feature that we can select to add on. I for one am not a fan of having to punch in 2 passwords as it were, but I understand those who want to remain extra cautious because of the hackers.

keldrin
06-24-2013, 10:04 PM
I like and want an authenticator, since there are so many issues of accounts getting hacked, etc.
BUT, it should be highly recommended and available, but not mandatory.
If I got in the game with a free account, and was going to spend a limited amount on the game, a mandatory authenticator might steer me away from even trying the game.
I do run good internet security software (Norton). And I also run Malware Bytes professional. I know how to make a good password as well. But extra protection to me, considering my investment into the game, seems quite reasonable.
For some people in certain parts of the world, having to have a physical authenticator shipped to them would be expensive. And not everyone can afford cellular phones.

Yoss
06-24-2013, 10:12 PM
There are other options besides cell phone and physical dongle that others have listed. For example, email authentication for each new device/IP combination.

Punk
06-25-2013, 12:56 AM
OR, path of exile is just a better game, and you don't want to play d3 as much. 'cause it is so much better.

So. Much. Better.

Tinuvas
06-25-2013, 02:05 AM
OK, I will have an authenticator. That is not a question for me regardless of my perceived security level. But to require others to authenticate on the off chance that the transaction you are going to be involved with will be rolled back because on that day someone hacked that particular person's account? Really? You consider that to be more of a threat than the bad vibes it will give folks who wander into our little game (because it is f2p) and have to stare down MANDATORY authentication? Really?

How about let's step back a little and not try to force our points of view on others. Let's let people make stupid decisions about their own security if they want. Recommend. Warn. Don't FORCE. If on the off chance you lose out on a card trade or some such, suck it up and move on. The idea of mandatory authenticators is using an elephant gun to kill a fly.

madar
06-25-2013, 02:15 AM
edit: nevermind
but this forum is going the way of the Blizzard forum, and it's not a good thing

Punk
06-25-2013, 02:28 AM
OK, I will have an authenticator. That is not a question for me regardless of my perceived security level. But to require others to authenticate on the off chance that the transaction you are going to be involved with will be rolled back because on that day someone hacked that particular person's account? Really? You consider that to be more of a threat than the bad vibes it will give folks who wander into our little game (because it is f2p) and have to stare down MANDATORY authentication? Really?

How about let's step back a little and not try to force our points of view on others. Let's let people make stupid decisions about their own security if they want. Recommend. Warn. Don't FORCE. If on the off chance you lose out on a card trade or some such, suck it up and move on. The idea of mandatory authenticators is using an elephant gun to kill a fly.

Hey, I am not for forcing anyone to use an authenticator if their choice does not affect my game in any way. I am also not going to force someone to lock their house when they leave it, but when I leave mine, I lock both locks.


edit: nevermind
but this forum is going the way of the Blizzard forum, and it's not a good thing

A Blizzard forum? I don't see 20 kids flaming each other over a ridiculous argument. I do see multiple people having strong, yet different standpoints on a subject which is resulting in a healthy and civil conversation. This subject does affect many different topics so you may see quite a few different references.

Xenavire
06-25-2013, 03:10 AM
Considering there are free to play MMO's with hackshields and pincodes etc, a mandatory free authenticator (especially if it autofills the code for you) is not very different.

The naysayers are blowing it a little out of proportion - I mean I understand the concern, but when F2P already has this sort of second layer protection active (mandatory and free) and still have respectable sized playerbases, the idea doesn't seem so bad. Protected accounts for everyone for very little effort.

Gwaer
06-25-2013, 08:11 AM
I feel like we're having some problems with reading comprehension here. Let me lay it out. No one is saying that you have to buy an authenticator.

We are saying mandatory two step authentication. You do not need an authenticator for that, just a free email address. You can be more secure by buying an optional authenticator to carry around. But just an email address will do.

Mandatory 2 step authentication does not cost anyone anything, unless they want it to.

Hatts
06-25-2013, 08:27 AM
It is a little sad that some people don't think of the rest of the community when it comes to using an authenticator and how it will affect everyone else if they do not.

It's like parents who refuse to vaccinate their kids. If we can't make 2 factor authentication mandatory for all, I hope we can quarantine the 2FA deniers, hackers, bots and gold farmers in the gold auction house and keep the integrity of the platinum auction house relatively intact.

jai151
06-25-2013, 08:31 AM
It's like parents who refuse to vaccinate their kids. If we can't make 2 factor authentication mandatory for all, I hope we can quarantine the 2FA deniers, hackers, bots and gold farmers in the gold auction house and keep the integrity of the platinum auction house relatively intact.

I can't think of an effective way to do that though. Require authentication to use the Plat AH? The hackers will just sign up for an authenticator. Require authentication plus a delay before you can use the PAH? Way too big a strain on the normal population, and the hackers could get around it by sending the cards to an already authenticated account. I really can't think of a good way to go about it.

Gwaer
06-25-2013, 08:36 AM
I can't think of an effective way to do that though. Require authentication to use the Plat AH? The hackers will just sign up for an authenticator. Require authentication plus a delay before you can use the PAH? Way too big a strain on the normal population, and the hackers could get around it by sending the cards to an already authenticated account. I really can't think of a good way to go about it.
I can, mandatory 2FA on every account, let people upgrade to physical authenticators if they want to buy them, otherwise just use email/text/voice calls/whatever other options that people can select when they sign up.

TheWrathofShane
06-25-2013, 08:44 AM
I have never been hacked on MTGO, and never heard of anyone getting hacked. They do not have authenticators.

At the same time, my world of Warcraft account got hacked a few times without authenticator. Even though I was an on and off casual wow player, never hitting max level, I would come back to find my password changed and random toons on my account.

jai151
06-25-2013, 09:07 AM
I can, mandatory 2FA on every account, let people upgrade to physical authenticators if they want to buy them, otherwise just use email/text/voice calls/whatever other options that people can select when they sign up.

Yes, mandatory 2FA would work (and is what I support), but the question was how to quarantine people without 2FA if it weren't mandatory.

OutlandishMatt
06-25-2013, 09:36 AM
I have never been hacked on MTGO, and never heard of anyone getting hacked. They do not have authenticators.

I have heard of plenty of MTGO accounts getting hacked. Even more so for people trying to set up card bots.

Nekojin
06-25-2013, 09:42 AM
I read about half of this thread before I got bored with the fight between Mr. Funsocks and everyone else.

Two-factor authentication is a good thing. Link an email address to the account, verify that email account, and have a call-back any time the account is accessed from a new computer. That's easy enough, and doesn't inconvenience anyone to any greater degree than most people already expect.

Those people who are calling for mandatory authenticators, however, are forgetting one of the most important details here. This is a free-to-play game. The barrier to entry is set extremely low in order to coax as many people as possible into giving it a try. If you add an additional barrier to getting into the game, that becomes a deterrent to playing that will cause some people to decide not to play, after all.

The moment that someone has some skin in the game - the first time they try to use the Auction House, or buy anything with real money - then insist on that third factor of authentication. Not before. Get them in, get them hooked, and then that inconvenience will seem far less important than it might for someone who hasn't even finished registering their account yet.

Edit: For those who keep score, I'm one of those people who uses "best practices," and has never had an account compromised. But that doesn't mean that I'm somehow perfect, or that my accounts can't be compromised. I'm not a fool, and I know that I don't necessarily have to make a mistake in order for someone to get into my account.

And, for the record, accusing the hacked of being stupid is blame-the-victim mentality, akin to telling a woman who was raped that her skirt was too short. Get a grip, and realize that the blame lies entirely on the shoulders of the people trying to break into accounts.
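
Added example, not part of any post in this thread: a sketch of the free email check that Yoss and Nekojin describe, where every new device/IP combination must confirm a code mailed to the account's verified address. The class name, the `send_email` hook, the 10-minute lifetime and the five-guess limit are assumptions chosen for illustration, and all sample devices and addresses are constructed.

```python
import hashlib
import hmac
import secrets
import time


class NewDeviceEmailCheck:
    """After the password check, unknown device/IP pairs must confirm a mailed code."""

    CODE_TTL = 600      # seconds a mailed code stays valid (assumed value)
    MAX_ATTEMPTS = 5    # wrong guesses allowed per code (assumed value)

    def __init__(self, send_email, clock=time.time):
        self._send_email = send_email        # hypothetical hook: send_email(account, code)
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side key; codes are never stored in clear
        self._trusted = set()                # (account, fingerprint) pairs already confirmed
        self._pending = {}                   # (account, fingerprint) -> [mac, expires, tries]

    def _mac(self, *parts):
        return hmac.new(self._key, "\x00".join(parts).encode(), hashlib.sha256).digest()

    def _fingerprint(self, device_id, ip):
        return self._mac("fp", device_id, ip).hex()

    def login(self, account, device_id, ip):
        """Call only after the password was verified. Returns 'ok' or 'code_sent'."""
        fp = self._fingerprint(device_id, ip)
        if (account, fp) in self._trusted:
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"
        # The stored MAC binds the code to this account and this device/IP pair.
        self._pending[(account, fp)] = [
            self._mac("code", account, fp, code),
            self._clock() + self.CODE_TTL,
            self.MAX_ATTEMPTS,
        ]
        self._send_email(account, code)
        return "code_sent"

    def confirm(self, account, device_id, ip, code):
        """True only for the right code, on the right device/IP, in time, within the limit."""
        fp = self._fingerprint(device_id, ip)
        entry = self._pending.get((account, fp))
        if entry is None:
            return False
        mac, expires, tries = entry
        if self._clock() > expires or tries <= 0:
            del self._pending[(account, fp)]
            return False
        if not hmac.compare_digest(mac, self._mac("code", account, fp, code)):
            entry[2] -= 1                    # count the wrong guess
            return False
        del self._pending[(account, fp)]     # single use
        self._trusted.add((account, fp))
        return True


def wrong(code):
    """A guess that is guaranteed to differ from the real code."""
    return f"{(int(code) + 1) % 10**6:06d}"


def demo():
    outbox, now = [], [1000.0]               # constructed mail sink and fake clock
    gate = NewDeviceEmailCheck(lambda a, c: outbox.append((a, c)), clock=lambda: now[0])
    home = ("home-pc", "203.0.113.5")        # constructed device/IP pairs
    cafe = ("home-pc", "198.51.100.7")
    other = ("other-pc", "192.0.2.44")
    r = {}
    r["first_login"] = gate.login("alice", *home)
    code = outbox[-1][1]
    r["code_on_other_device"] = gate.confirm("alice", *other, code)  # nothing pending there
    r["wrong_guess"] = gate.confirm("alice", *home, wrong(code))
    r["right_code"] = gate.confirm("alice", *home, code)
    r["code_reuse"] = gate.confirm("alice", *home, code)
    r["same_device_again"] = gate.login("alice", *home)
    r["same_device_new_ip"] = gate.login("alice", *cafe)
    now[0] += NewDeviceEmailCheck.CODE_TTL + 1
    r["expired_code"] = gate.confirm("alice", *cafe, outbox[-1][1])
    r["password_only_login"] = gate.login("alice", *other)   # password alone is not enough
    mailed = outbox[-1][1]                                   # only the mailbox owner sees this
    for _ in range(NewDeviceEmailCheck.MAX_ATTEMPTS):
        gate.confirm("alice", *other, wrong(mailed))
    r["after_lockout"] = gate.confirm("alice", *other, mailed)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check is only as strong as the mailbox behind it, which is why the thread treats it as the free baseline and app or physical authenticators as the upgrade.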

Gwaer
06-25-2013, 09:44 AM
I read about half of this thread before I got bored with the fight between Mr. Funsocks and everyone else.

Two-factor authentication is a good thing. Link an email address to the account, verify that email account, and have a call-back any time the account is accessed from a new computer. That's easy enough, and doesn't inconvenience anyone to any greater degree than most people already expect.

Those people who are calling for mandatory authenticators, however, are forgetting one of the most important details here. This is a free-to-play game. The barrier to entry is set extremely low in order to coax as many people as possible into giving it a try. If you add an additional barrier to getting into the game, that becomes a deterrent to playing that will cause some people to decide not to play, after all.

The moment that someone has some skin in the game - the first time they try to use the Auction House, or buy anything with real money - then insist on that third factor of authentication. Not before. Get them in, get them hooked, and then that inconvenience will seem far less important than it might for someone who hasn't even finished registering their account yet.
I haven't seen anyone calling for a mandatory requirement to purchase authenticators, just for it to be mandatory that some form of 2FA was set up.

Nekojin
06-25-2013, 09:48 AM
I haven't seen anyone calling for a mandatory requirement to purchase authenticators, just for it to be mandatory that some form of 2FA was set up.
And I didn't say anything about buying authenticators. I'm just pointing out that for an F2P game, you want to keep the barrier to entry as low as possible.

Gwaer
06-25-2013, 09:50 AM
And I didn't say anything about buying authenticators. I'm just pointing out that for an F2P game, you want to keep the barrier to entry as low as possible.
...if it's a free requirement... how is there a barrier to entry increase?

Pretty much every f2p game in the world, if not every one of them requires an email address to be attached to the account. You can use that as your 2fa... I don't see how there's an argument to be made here.

Nekojin
06-25-2013, 09:54 AM
...if it's a free requirement... how is there a barrier to entry increase?

Jumping through hoops to set up an account can be a psychological deterrent for some people. There's no need to put a stumbling block in right at the start; wait until there's actually something to protect before requiring higher security.

Xenavire
06-25-2013, 09:55 AM
There is no barrier to entry if it is part of making the account, the app is downloaded alongside the client, and it autofills for you, but is unique to your PC (and PC's you specifically authorise). You wouldn't even notice it, and you could set up a bunch of options to deal with it (like the autofill - less safe but far easier. It would be almost as easy as not having one at all.)

Overall, it just makes things more secure, and is no more annoying than a pincode (required as part of account creation in Maplestory and Ragnarok online 2, and plenty of others). It isn't some draconian practice insisting that you input a 24 digit code within 3 seconds every time you log in, it's just meant to be an extra barrier to stop hackers. The people who care about it simply add to the security by getting a more secure version (smartphone or physical).

Yoss
06-25-2013, 10:33 AM
I'll update the Hot Topics thread to clarify that we're voting for mandatory 2FA, not mandatory physical dongles.

Tinuvas
06-25-2013, 11:16 AM
Considering there are free to play MMO's with hackshields and pincodes etc, a mandatory free authenticator (especially if it autofills the code for you) is not very different.

The naysayers are blowing it a little out of proportion - I mean I understand the concern, but when F2P already has this sort of second layer protection active (mandatory and free) and still have respectable sized playerbases, the idea doesn't seem so bad. Protected accounts for everyone for very little effort.
I don't agree with your assessment of who is blowing things out of proportion. Cory has already stated his intention to aggressively deny game breakers from the game and stated he has designed the system with the tools to do so. There will be game breakers regardless, but once again, I think the MANDATORY authentication requirement is shooting a fly with an elephant gun.

My understanding of the reasons that people are requesting this feature is that they don't want the possibility of having to lose a transaction because of a roll back that occurred off of a hacked account. Once again, because of the tools...................

Well, it happened. I get it now. Mind opened, consciousness expanded. IF the authentication tools are free, and IF they are only required once you start accessing say the platinum AH (giving newbs a chance to dip their toes in) or some other higher tier activity, I won't complain if CZE implements this. I could even see the newbs benefiting from having the importance of security impressed upon them in that way. I have a knee jerk reaction against forcing anyone to do anything (You don't want a password for your account? great, just don't whine to me when it's compromised), but I can see this being handled appropriately and the game benefiting from it. If handled badly...but that's true of anything.

MoikPEI
06-25-2013, 11:26 AM
I think the MANDATORY authentication requirement is shooting a fly with an elephant gun.

So.... mandatory authentication is... the most awesome and fun thing to do ever?
Makes me kinda think that the mandatory authentication step could be the best part of the experience.

jai151
06-25-2013, 11:34 AM
IF the authentication tools are free, and IF they are only required once you start accessing say the platinum AH (giving newbs a chance to dip their toes in) or some other higher tier activity, I won't complain if CZE implements this. I could even see the newbs benefiting from having the importance of security impressed upon them in that way. I have a knee jerk reaction against forcing anyone to do anything (You don't want a password for your account? great, just don't whine to me when it's compromised), but I can see this being handled appropriately and the game benefiting from it. If handled badly...but that's true of anything.

The problem with forcing authentication after the fact is the hacker can just toss an authenticator on and do anything he was locked out of without one, therefore it is not only ineffective, it's actually detrimental to the person trying to get their account back.

Yoss
06-25-2013, 11:35 AM
*readies elephant gun*

Who's with me? :p

Punk
06-25-2013, 11:54 AM
*readies elephant gun*

Who's with me? :p

I'm ready to go fly hunting.

Xenavire
06-25-2013, 01:08 PM
Well, I agree that if it was handled badly it would be a huge turnoff - which is why I suggested as many ways to make it unobtrusive. We might have missed something, so I am sure the ideas here would be mere building blocks, but I do believe that mandatory authenticators being core to the game (and nearly unnoticeable) would work well. Think of it as DRM the way steam handles it - you do it every so often and then don't have to worry about it. Newbs play steam, they play pincode 2FA MMO's - if you do it right, they will barely know it's happening.

As a result we should (I say should just in case of the worst possible outcome) prevent hackers being widespread. It would take someone very careless to lose their information in anything but a targeted attack, meaning the more value an account has, the more likely they are to be targeted, which logically means that person would have a better version (lowering the risk.)

Hatts
06-25-2013, 01:20 PM
The problem with forcing authentication after the fact is the hacker can just toss an authenticator on and do anything he was locked out of without one, therefore it is not only ineffective, it's actually detrimental to the person trying to get their account back.

In this scenario an account without 2FA doesn't have a lot to go after, at best they have a few PvE chase rares. Having the hacker add an authenticator isn't that big of a deal for CS to resolve, they are going to need to be involved anyways.

CZE could build in nags to encourage people with higher value PvE gear to set up 2FA.

Xenavire
06-25-2013, 01:30 PM
In this scenario an account without 2FA doesn't have a lot to go after, at best they have a few PvE chase rares. Having the hacker add an authenticator isn't that big of a deal for CS to resolve, they are going to need to be involved anyways.

CZE could build in nags to encourage people with higher value PvE gear to set up 2FA.

Should they need to nag though? In that scenario, the owner of the account would be finding it a little hard to prove they own the account - not impossible but still difficult. Had the player protected themselves, it wouldn't have happened - should crypto bother solving the issue? (They should if they want to stay true to the fans, but there's no guarantee they would.)

Now, this would be completely avoided by having at least one kind of minor mandatory authentication. If one thing could prevent a hacker logging in, mission accomplished - and it is less messy for crypto to clean up. And they don't annoy people with nagging (which would be more of a turnoff for other people, if it really is nagging. People HATE nagging.)

There are a lot of pros with mandatory (and some things in life are mandatory that benefit us. Well, at least depending on country, like inoculations.) There are few cons, although they shouldn't be ignored - if the cons can be resolved, I think it would be worthwhile to implement. And even a few cons if the pros really outweigh the cons (which it seems they do with the information we have now.)

majin
06-25-2013, 01:30 PM
I think a lot of people (assuming they didn't back read everything) think that "authenticator" is for something you need to purchase to play the game.

There are different authenticators, like what's discussed here: email authenticators, phone or SMS authenticators (very unlikely that a person doesn't have a cell that can receive an SMS) / dongle (need to buy) / app authenticators (you need to have an iPhone or Android capable of this).

The ones that are being pushed to be mandatory are the ones that don't cost anything, like email or SMS authenticators, as most already factor in the part that this game will be F2P.

**not an argument, but I just noticed that this may be the reason why people who posted recently are reasoning why they don't want one, as this is an F2P game**