Guild Wars 2

If you’re also using Google Authenticator for your Google account, make sure you enter the secret manually and choose a different name. Otherwise, your Google account’s secret will get overwritten and you will have to set everything up again, including application-specific passwords.

Using the QR Code, I received a “Secret Saved” message but no account showed up. I proceeded to entering the account in manually and when it updated, my previous accounts were now linked to the same Secret for GW2.

After removing all accounts from Authenticator, I scanned the QR Code for GW2 FIRST which worked perfectly. I then proceeded to using the QR Code for my Google Account and I now have both accounts working perfectly without one overwriting the other.

To avoid potential account name conflicts, I’d like to recommend that the QR code be updated to use something like
gw2-emailaddress

Some of us already have multiple mobile authentication entries and in its current state, the one that the QR code creates is neither descriptive nor guaranteed to be unique.

For Google authenticator you can long click to rename after the add.

will the google authentication over write the IP/location based filtering? or is in addition to

Working great so far and I agree can you add something to the client to remember this pc for say 30 days or so? Even a week would work too. Thanks!

Working great for me so far. The only problem I’ve had is when using the -email, -password and-nopatchui command line arguments (so mumble overlay can be enabled). Since the login window is never displayed there is no way to be prompted for the authenticator code. All I get is a black screen.

Higher security is better than mumble overlay. However, if there is a way of having both, it would be even better.

From what I read it will not longer send you e-mails about unauthorized attempts when you have this set up. Would it be possible to allow us to have both security settings at the same time?

Worked perfectly first time, I’m using an iPhone with Google Authenticator. I used the QR scanner, and it worked immediately. Very pleased.

I agree that a “Remember this computer for X days” would be a welcome feature, or only require authentication for a new IP address. Something to keep the utility of the authentication, but cut down on the annoyance. Regardless, great feature and thanks!

I already use the Google authenticator for my personal email address account. When I scanned the QR code and the Guild Wars 2 code was added to the list, it said it was for my personal email address instead. So now I have two codes that say they’re for my email account and none that say they’re for Arena.net or Guild Wars 2.

And, of course I guessed wrong on the verification step and the QR code was reset. Now, after re-scanning I have THREE codes that say they’re for my email account. Which one in my list is expired and needs to be deleted? Which one do I use to verify the code works? Which one belongs to my email account?

(I finally guessed right and learned that the newer codes are at the bottom of the list and older codes at the top. This was entirely un-fun as I was threatened with being locked out of my personal email account if I had deleted the wrong one)

Also, please have your system expire “trusted” IP addresses / locations after 30 days.

I have a question. Is it possible to set up the system so that you only have to use the authenticator PIN if you are logging in from a new IP address instead of having to use it every time? It is not a huge deal, but since e-mail auth is locations dependent, it would be more convenient if the Mobil Auth worked the same way.

Clobbered my Google 2-step verification account when I used to QR code to set this up. Definitely need to have a different account name in the code, because it is really a pain to fix this.

I didn’t have Google accounts set up with this system prior to this. That sounds like that may be an issue. But in my case, it was as easier to set up and easier to use than expected. The extra level of security gives me a degree of comfort.

Is there any way to use this on multiple devices? I installed it on my phone, but I think I might like it on my tablet instead. I suppose I could unlink, and then set it up again on the tablet; but it seems like it would be nice to be able to just set it up from multiple devices.

To use it on multiple devices, you need to set them all up at the same time I believe – enter the secret code on each of them before putting the 6-digit verification in at the bottom of the page.

I’ve used multiple devices for something else that used Google Authenticator, and that worked fine – they just all have to have the same Secret Code.

Once the code has been verified, the accounts section for GW2 doesn’t display the Secret Code again. So you’d have to have entered that code on all desired devices right at the beginning before completing the link. Unlinking and relinking is probably the only way to get it set up on more than one device if you’ve already done the link.

^ Thanks Melana, that worked actually. I can now authenticate with both devices

It appears to be working just fine for me with just a couple logins. I’ve actually never used an authenticator for any game to this point. Thankfully I’ve never had any “issues” so it hasn’t been something I’ve thought as a requirement. Although, the more time I have invested in a game the more I worry, just because it’s more to lose. A question I have on this particular system; does using this make it extremely unlikely that a person’s account will be hacked? Without any experience with it, from an initial look it certainly seems like it.

JonasV.4209:

I have a question. Is it possible to set up the system so that you only have to use the authenticator PIN if you are logging in from a new IP address instead of having to use it every time? It is not a huge deal, but since e-mail auth is locations dependent, it would be more convenient if the Mobil Auth worked the same way.

I disagree. There is no sense making them work the same way. The email is for confirmation and the authenticator is another layer of security. Making it only ask you sometimes undermines the two-factor authentication.

If they are going to add a 30 day timer, it should be in email settings.

My Wow account was constantly hacked so I like it this way. Thanks Anet.

the phone authentictor is a step in the right direction.but i was wondering if theres thoughts of getting a physical one as well soon?

Clobimon.9652:

A question I have on this particular system; does using this make it extremely unlikely that a person’s account will be hacked? Without any experience with it, from an initial look it certainly seems like it.

I’ve worked with this style of system on a a few other MMO’s. In short, when you log it, you will still put in your user name and password…THEN the system will ask you for the 6 digit (in this case) magic code. The cycle time for the codes looks to be about 30 seconds or so. This means that BadGuyBot has to figure out which code out of one million combinations it could be before that 30 seconds is up and it has to start ALL over again.

I’m not going to say it makes an account un-hackable…but it’s as close as I think we can come, until we start shipping bio-metric eyeball lasers with every computer.

Please do not replace the current IP/Email authentication with this Mobile 2 Factor Auth system. As a privacy professional who has been fighting against Google’s attempts to turn every person on the planet into a product at the expense of their privacy I do not use any Google products and if you require us to use this service in order to play I will simply stop playing.

Looks like it works very good.
If it stays in the air when 800k+ players use this, it is a great addition to the game security

Should’ve read this thread before scanning the code into my already installed Google authenticator
I already had 3 Google accounts setup in it, one of them being the email adres that my GW2 account is registered with.
This email address got overwritten with the GW2 QR codes so isn’t working anymore on Google but the other 2 accounts still work.
So I agree that a “GW2” prefix to the account entry in Google authenticator would be great.
Other than that I’m very happy you chose to use Google authenticator, I already have in total 4 different authenticator android apps installed for other games so adding it to an existing one is helping reduce clutter.

holska.4127:

Should’ve read this thread before scanning the code into my already installed Google authenticator
I already had 3 Google accounts setup in it, one of them being the email adres that my GW2 account is registered with.
This email address got overwritten with the GW2 QR codes so isn’t working anymore on Google but the other 2 accounts still work.
So I agree that a “GW2” prefix to the account entry in Google authenticator would be great.
Other than that I’m very happy you chose to use Google authenticator, I already have in total 4 different authenticator android apps installed for other games so adding it to an existing one is helping reduce clutter.

^This.

This needs to be fixed ASAP.

For security purposes everything should be unique and I am surprised this hasn’t been thought of. This places my account at risk.

This works B-E-A-UTIFUL! No issues at all setting it up. Thank you, ArenaNet. Thank you, thank you, thank you, thank you, thank you, thank you. showers with rose petals I have my two accounts linked to the thing and it works so awesome. This is why I love AreaNet. They give a kitten about their players. Kudos to you guys.

It seems to be working very well. I do hope how ever that we get an ANet only one. Like the Blizzard one for there games. I’d feel a lot happier with that than a 3rd party app.

To be honest, I would rather they use Google Authenticator then to waste their time and resources attempting to make one for themselves.

At this way, near everyone has access to it. They reduce costs and just have to fix a few things.

Google Authenticator for Android is open source and based on publicly documented tech.

There is no reliance on Google’s servers or services for this.

http://tools.ietf.org/html/rfc6238

No need to be paranoid about this. If you don’t like Google then use another implementation.

Paladine.6082:

Please do not replace the current IP/Email authentication with this Mobile 2 Factor Auth system. As a privacy professional who has been fighting against Google’s attempts to turn every person on the planet into a product at the expense of their privacy I do not use any Google products and if you require us to use this service in order to play I will simply stop playing.

It’s compatible with any OATH-TOTP device or app, though, so you wouldn’t be required to use Google Authenticator. You could, for example, use a YubiKey: http://yubico.com/totp

Works perfectly! Looking forward to the day where the system “learns” my preferred locations, since I always log on from the same place!

Worked perfectly so far on my android phone.

Jalie.1356:

If you’re also using Google Authenticator for your Google account, make sure you enter the secret manually and choose a different name. Otherwise, your Google account’s secret will get overwritten and you will have to set everything up again, including application-specific passwords.

OH kitten

sigh

Yet ANOTHER reason not to ever, EVER use e-mail addresses as account names.

MikeLewis.7496:

Setting the account name in the QR code to something more readily associated with GW2 is a great idea. I’ll make sure we do that, thanks!

Yeah… Thanks for getting right on that -_-

hello Mike, I love the 2 step authentication. Please consider adding the key fob authenticator; I live in a no-reception area for phones, so the app will not do for me. The email authentication is great, but please keep the key fob idea on the back burner…thanks

Will this work with gauth4win (Google Authenticator for Windows)? Has anyone tried it?

If I understand correctly, this would let me use my PC instead of a smartphone, and prevent anyone (including me) logging into my account from any other computer than my gaming PC. Which would suit me fine.

KeikoTerada.1963:

Will this work with gauth4win (Google Authenticator for Windows)? Has anyone tried it?

If I understand correctly, this would let me use my PC instead of a smartphone, and prevent anyone (including me) logging into my account from any other computer than my gaming PC. Which would suit me fine.

I thought this at first when I read the install instructions, but I think t’is just a 2 step install: your computer (with proper software) would need to ding their code server that would then send a code to your phone(with proper app); however, I am not sure.

OK, well I tried gauth4win.

1. Download (https://code.google.com/p/gauth4win/downloads/list)
2. Install.
3. Run.
4. Ignore error message, it sits in Windows system tray.
5. Go to the GW authenticator page.
6. Ignore links for installing smartphone software.
7. Get secret code from GW2 setup page.
8. Right-click gauth4win in system tray, select Modify Key.
9. Enter Secret Code as the gauth4win key, click Save Key.
10. Right-click gauth4win in Windows system tray, select Copy
11. Paste copied code into the verification box on the GW2 setup page.
12. Success!

13. Start up GW2, log in.
14. When prompted for code, right-click gauth4win in Windows system tray, select Copy, then paste code into GW2.
15. Success!
16. Play game with a warm fuzzy security glow.

Only hiccup was I needed 3 tries to log into my account on guildwars2.com. Seems like I got the wrong 30sec window or something. Perhaps because my PC date/time was a bit off? (I’ve corrected that now). If so… this could trip a lot of people up. I can be sure of the correct time because I have a watch that synchronises with the radio time signals every night. A better idea might be to get NetTime and schedule it to run in Windows every day, to keep the time correct.

Warning: If other people use your PC… or your PC is not physically secure… THEN DON’T TRY THIS AT HOME, KIDS! Because I heard that gauth4win puts your secret key in the Windows registry in plain text. Edit: I have now verified this, it is true. Not that you need to look in the registry, because gauth4win will show you the Secret Key anyway, if you right-click it in the system tray and select Modify Key :-P

Warning: I assume you will also only be able to play on the PC with gauth4win installed (or at least physically near it), although I guess in theory you could install gauth4win wherever you need it, and enter the same key in each.

Edit: I logged into game again (no problem). Came back to this page, hit refresh, and I appeared to be logged out. Is that normal behaviour after logging into the game? Also, the authenticator code to log back into here (guildwars2.com)… was again not accepted… until the next 30 second window and a new code was created. (Before you ask, I’m using “Copy” from gauth4win to get the current code, every single time – not simply pasting the same code I previously used to log into the game, which would of course be out-of-date)

Edit2: Hover the mouse over gauth4win in the Windows system tray, and it shows you the current 6-digit code, and the number of seconds that code will remain valid for. Best to Copy the code when it still has plenty of seconds remaining, for reliable game login.

Kudos on this… really loving it in Guild Wars 2. Glad we have the option available.

Has anybody tried to get into their Guild Wars account since this update? I seem to be unable to get into the original Guild Wars since adding this to my account.

I do worry about that gauth4win program’s security. Especially if it gets more popular and malware/keyloggers adapt to collect its registry settings along with keylogs.

Though KeikoTerada? The problem from the codes sounds like the time is slightly out of sync. I use the actual Android Authenticator and a Third-party Authenticator app on my Windows Mobile Phone, and while the Android Authenticator App is synced for the right time, the Third Party one is slightly off by 7 seconds ahead (Showing the next key early).
From what it sounds like, your codes update some number of seconds late. So that you need to wait for a new code to know it will work, as an older one may have already expired. I have no clue how to sync the time for the third party apps, though. Much less nudge the time to be correct.

That said, I feel much more comfortable now that I’ve got the Authenticators on both my phone and ebook. It took a bit of work to setup on both at the same time, but I no longer worry about miss placing one and needing to go through the hassle of trying to recover my accounts linked with the Authenticator.

I’m not exactly in a financial disposition that allows me to purchase a smartphone and the phone I currently use is not capable of OATH or TOTP. However, I have Google Authenticator enabled on my Google account already, is it possible for me to link Guild Wars 2 with Google Authenticator and eliminate the middleman as it were?

I do wish that ArenaNet would provide physical authenticators for users without smartphones.

If you use Keepass Password Safe as password manager (free, open source and full of awesome features), please note that there is a plugin named KeeOtp which automatizes the use of a OTP key. It also uses a custom placeholder for auto-typing the key.

It is RFC6238 compliant so it should work perfectly with GW2.

MLieBennett:
Yes, gauth4win could use more work, and is definitely the poor relative for 2-factor authentication: It will likely be on the same PC as the game, rather than on a separate device, OS and net connection; it’s not convenienty portable; the Secret Key is not protected except by physical PC security; it only uses/stores one Secret Key at a time, so if you use several keys for different purposes/accounts, you have to keep manually re-entering them when needed.

But regardless, it’s better than nothing:
It’s usable without a smartphone. If a player’s PC is infected with malware… they are no worse off by having gauth4win. Any malware that is not gauth4win-aware, will be blocked. It will block the unsophisticated “usual” attacks that rely on social engineering, or stealing re-used logins/passwords from weak sites etc. If an account thief gets your GW2 email and GW2 password that way, they’d then need to identify your specific PC, and infect or directly hack it.

In my case, I can improve matters somewhat: my PC security software allows me to block any interaction with gauth4win by other Windows processes, and also protect its registry keys. And if I feel super-paranoid, I can run gauth4win in a Virtual PC which has its virtual hard drive stored in an encrypted container eg. TrueCrypt. I also have a laptop that never leaves the house and has never been (and never will be) connected to the internet – I could use that for gauth4win.

Possible Bug
This is a minor issue, and not critical… but it is possible for codes to be generated that have less than 6 digits. I have seen 5 and 4-digit codes. These do not seem to be accepted by the authentication, unless leading zeroes are added to make it up to 6 digits. At least not on this site, guildwars2.com – I didn’t test in the actual game login.

(I had a suspicion this is what caused my authentication hiccups described above, so I deliberately waited for such codes to be generated and then tried to use them).

This may be specific to gauth4win – perhaps other generators add the leading zeroes automatically or something. But really, I think the authentication should assume leading zeroes itself, if the code is less than 6 digits – just for bomb-proofing and future-proofing against new Smartphone apps etc.

MyQly: I am still able to login to GW1 with no problems. Either they fixed your issue already, or its something more specific and/or unrelated.

@Keiko, thanks for the feedback.

Went ahead and changed my password through Edit Profile and I can access my Guild Wars account again. Not sure what was wrong though since that same password worked on my Guild Wars 2 account.

I’m not being prompted for the code at login. Also there is no indication on the account page that this is attached.

@RLD
Then it sounds like it wasn’t setup then. Its still asking/needing the code for me.

So far it works GREAT. I have multiple accounts and it keeps them separate and tidy all in one screen.

I have a suggestion for those who are having issues with this thing messing with your already established Google account set up. Instead of the “Use a different email address” idea, just add a “+” suffix to your current registered email. Any mail sent to it will still come to your original email box, but the game/website/whatever will see it as a unique email address.You can make as many as you want and most email providers – gmail, hotmail, yahoo – recognise it just fine. I found this WAY easier to handle multiple accounts.

For example – I use “myemail+gw@gmail.com” for one account, “myemail+gw2@gmail.com” for a second account, “myemail+tsw@gmail.com” for The Secret World account, “myemail+wow@gmail.com” for WoW, etc etc etc.

They ALL redirect back to “myemail@gmail.com” but they are viewed as unique email addresses by those programs.

You can just continue to make up things like this for every thing you sign up for on the internet and it will all redirect to the same inbox.

My 2c. Works for me.