My suggestion is that when a user logs in to a GW2 account, but either provides the incorrect authentication code, the login attempt is cancelled, or the client times out waiting for the authentication code, the user should be sent an email warning them that this has happened.
In the case of email authentication, it’s clear when the account credentials for a GW2 account are compromised. We know that because we receive emails for logins from locations we were not aware of.
For the two-factor authentication method, however, even if the hacker successfully logs into an account, but fails at the mobile authentication stage, we never know that this happened.
In my opinion, even if the hacker is prevented, it’s still important for the user to know that their account details may have been compromised. I say this because despite advice, there are a lot of people that will re-use passwords, and the majority likely will not read ArenaNet’s advice regarding account security either.
For that reason I think it’s important to notify a user so that they can take action, either by providing an extra layer of security on their GW2 account, or so they can change passwords for any other accounts that share the same details when this happens.
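The rule proposed in this post, sketched as an added example (not part of the original post and not ArenaNet's code): it walks a login event stream and yields one notification per session where the password was accepted but the second factor got a wrong code, was cancelled, or timed out. The event names, the 120-second timeout, and the sample accounts and IPs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

CODE_TIMEOUT = 120  # assumed: seconds the client waits for the code

@dataclass(frozen=True)
class Event:
    ts: int       # seconds since epoch
    account: str
    session: str
    kind: str     # "password_ok", "code_ok", "code_bad", "cancelled"
    ip: str

def second_factor_alerts(events, now):
    """Return one (account, ip, reason) per session that passed the password
    check and then hit a wrong code, a cancel, or a timeout."""
    waiting = {}     # session -> password_ok event, second factor pending
    alerted = set()  # sessions already reported, so retries send one email
    alerts = []
    def report(start, reason):
        if start.session not in alerted:
            alerted.add(start.session)
            alerts.append((start.account, start.ip, reason))
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "password_ok":
            waiting[ev.session] = ev
            continue
        start = waiting.get(ev.session)
        # Ignore events with no accepted password, or arriving after the window.
        if start is None or ev.ts - start.ts > CODE_TIMEOUT:
            continue
        if ev.kind in ("code_bad", "cancelled"):
            report(start, ev.kind)
        if ev.kind in ("code_ok", "cancelled"):
            del waiting[ev.session]  # finished; a wrong code may be retried
    # Sessions still waiting past the window never completed the second factor.
    for start in waiting.values():
        if now - start.ts > CODE_TIMEOUT:
            report(start, "timeout")
    return alerts

# Constructed sample events (made-up accounts, documentation-range IPs).
SAMPLE = [
    Event(1000, "alice", "s1", "password_ok", "198.51.100.7"),
    Event(1020, "alice", "s1", "code_ok", "198.51.100.7"),
    Event(2000, "bob", "s2", "password_ok", "203.0.113.9"),
    Event(2015, "bob", "s2", "code_bad", "203.0.113.9"),
    Event(2030, "bob", "s2", "code_bad", "203.0.113.9"),
    Event(3000, "carol", "s3", "password_ok", "203.0.113.50"),
    Event(3005, "carol", "s3", "cancelled", "203.0.113.50"),
    Event(4000, "dave", "s4", "password_ok", "192.0.2.44"),
]
```

A failed second factor with no accepted password in the same session produces no alert here, since only a correct password indicates that the credentials themselves are known to someone else.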