Make the SMS login reminder go away
So, use one of the non-phone number options. Problem solved! =)
The downloadable windows authenticator app is very quick and painless. It doesn’t even need installing. Recommended.
I want “none of the above”.
I don’t want “two factor authentication” in my games.
Paranoid much? It’s there so it’s less likely you’ll get your account swiped.
RIP City of Heroes
/shrug
They’re not going to give you this option.
Ever.
At this point essentially the only accounts that are getting hacked are the accounts that don’t install some sort of 2 factor authorization. Hacked accounts cost them money, real actual money out of their pockets since they have to pay for support personnel’s time in answering threads about hacked accounts and fixing the situation. Any time you ask a company to do something that will cost it money just because the situation is annoying to you, then your request is unlikely to be allowed. There is no benefit to ANet in granting your request, only additional costs when the accounts that opt out get hacked.
ANet may give it to you.
(edited by Just a flesh wound.3589)
Soo you don’t want your game to be as secure as possible?
This doesn’t sound very logical, especially as there are ways to protect your system without! using a phone.
Especially if you plan to play it for the long term.
So why soo against it?
RIP City of Heroes
Security codes are actually easier to break than passwords. Two-stage authentication is a myth, as you can find on several security sites. Companies usually ask you to do it so they can sell your phone number to a third party for profit.
I’m not saying ArenaNet does this, I’m just saying it’s the norm.
The only time two-stage auth is secure is when the website requires both the password and the security code, not just one or the other. And even then the security gain from it is marginal at best; in tests it has been found that you are much more likely to get locked out of your own account than it is to be hacked if your password is already randomly generated and of a decent length.
The biggest factors of security are password quality and server salting.
I’m usually really sweet… but this an internet forum and you know how it has to be.
/i’m a lesbiab… lesbiam… less bien… GIRLS/
(edited by Hannelore.8153)
You have no idea what you are talking about. Learn something about security before you speak on the subject.
Two factor authentication (2FA) is far FAR more secure than one-factor, if it’s done correctly. GW2’s 2FA isn’t done perfectly, but it’s far better than a simple password could ever be. (True 2FA requires both elements be 100% independent of each other. GW2’s implementation allows you to store both on the same computer.)
In the not-too-distant future, all Internet transactions will require true 2FA. Credit cards and banking are already moving that direction. Get used to the idea, because it’s coming whether you approve or not.
I already have to deal with email verification. I absolutely refuse to give them my phone number. Anet is likely already selling my data, I’d rather not give them more.
I would like an option to never see this prompt again.
They said they would never sell. If you think they are then you also think they lied to your face. Why would you play a game where you believe they are outright lying to you? Shows lack of common sense to stay in a game where you believe they are lying to you.
ANet may give it to you.
lol
Sooo, you believe you’re being lied to, but you’re still staying for more. /shrug. I hope you don’t apply this way of acting to your personal life as it’s going to make that…. interesting.
ANet may give it to you.
Sooo, you’re saying you only take part in things that don’t or have never lied to you? Because if you are, that would also lack common sense and make for an interesting personal life given the nature of the world we live in.
/shrug.
Anyone who continues to do business with a company that flagrantly lies to them when they have numerous other options is asking for trouble. Anyone who stays in a relationship where the person flagrantly lies to them may have reasons not to leave, but they are in a troubled relationship.
You can’t and don’t need to avoid all lies, but some lies go beyond the surface and indicate there are serious problems and that hanging around for more is not in your best interests.
ANet may give it to you.
It wouldn’t be the first time a game company has lied to their customers. (Or, changed their mind on the subject.)
But ANet has consistently shown for over a decade that they really prefer sticking to their statements. On occasion, they’ve made mistakes that they had to correct (like the “free character slot with HoT pre-purchase” issue). But, they’ve always made the best out of it when they made mistakes. And, when I say “made the best out of it”, I mean from the players’ perspectives.
ANet has issues, but I trust them more than any other game company.
A few things:
1) As you say, “if done correctly”. Most sites do not do it correctly, they allow you to login using only a security code by default, bypassing your password.
2) Security codes are usually just a string of numbers, which is far easier to brute force with current hardware than a randomly generated password. This may not be a problem when logging into a game or website (due to throttling), but it is a problem if the company experiences a data breach after which the security of all information is reduced to how well it can either be exploited or just brute forced.
3) If the server hash and salt algorithms are sufficiently secure, a randomly generated password of a proper length is impossible to break. Most methods of obtaining these passwords revolve around creating collisions, and weaknesses in the hashing and salting algorithms that allow for superfluous collisions to occur.
4) Even when done properly, two-factor authentication presents a significant real life security risk since anyone with access to the confirmation device (typically a phone), will be able to get into your account without the use of a password.
5) Certain third-party services, such as Google voice, have proven to have security issues when used with two-factor authentication.
Knowing about security is not enough, you must also know about programming, and the reason that security issues exist to begin with. Understanding how security holes apply to software helps to know the real risks. Most of the time, the risk is in the software being used, and in these cases it usually bypasses any precautions that a user takes to protect themselves from security-related attacks.
NOTE: This post does not discuss GW2, but two-factor auth in general.
I’m usually really sweet… but this an internet forum and you know how it has to be.
/i’m a lesbiab… lesbiam… less bien… GIRLS/
(edited by Hannelore.8153)
#1: Companies that allow the use of just the code are not using 2FA. 2FA’s definition requires 2 independent authentication methods.
#2: That’s why 2FA requires that the two factors be independent of each other. You can’t brute force something that uses another path to get to the customer, because you have to make an attempt which generates a text message to the customer. The customer should realize that a hack attempt is being made and take appropriate action.
Also, if properly implemented, the second factor follows similar rules as passwords, in terms of number of attempts per time period. So, you can’t brute force it at all. However, you are quite correct that most companies don’t use good second-factor rules (i.e. they typically send short pure numbers).
#3: This paragraph is mostly correct, but doesn’t apply. It would apply to crack attempts made against the security infrastructure at ANet, not just to one account (unless they stole the security database). ANet seems to have a handle on this part.
#4: Same reply as #1. It’s only true if the second factor of authentication is allowed to stand alone, which means, by definition, it’s not 2FA.
#5: I don’t know about this, so I can’t comment on it.
I am both a programmer and a security pro (although, I’ve done more security work than programming).
I’ll say it again: ANet’s implementation of 2FA is pretty good. The flaw is that the same computer stores both the password and the IP address that allows passage into the game. If you can break into my (for example) network/computer, you can access my computer’s disk, including both the hashed main password and the IP address structure (possibly a certificate) that allows me to not have to get a code each time I log in.
So, they’ve allowed for two ease-of-use functions, each of which marginally reduces security, and together allows a common attack vector (my PC). But, it’s a much more secure system than a simple password unless one uses long, extremely strong, and never reused (for other entities) passwords.
There’s one more hole that neither of us has mentioned: the use of IP address as a way of authentication. ANet allows us to check a box to “remember this computer”. However, unless they’re generating a certificate to validate (I can’t find one), they’re using the simple IP address. Since this web site uses the same internal account name, the IP address of players can be determined by hacking this forum site to gain those IP addresses.
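An added example, not part of any post above and not ArenaNet's code: a login check in Python that requires both the salted password hash and an RFC 6238 time-based code, and counts failed attempts per account so a six-digit code cannot be guessed exhaustively online. The `Account` class, the five-failures-per-five-minutes policy, the PBKDF2 parameters and the sample secret are assumptions made for illustration.

```python
import hashlib, hmac, os, struct, time

MAX_FAILURES = 5       # assumed policy: failed logins allowed per window
WINDOW_SECONDS = 300   # assumed window length

def totp(secret, at, step=30, digits=6):
    """RFC 6238 time-based code (HMAC-SHA1), as authenticator apps compute it."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side account record."""
    def __init__(self, password, totp_secret):
        self.salt = os.urandom(16)              # per-account salt
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.failures = []                      # times of recent failed logins

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def login(self, password, code, now=None):
        now = time.time() if now is None else now
        self.failures = [t for t in self.failures if now - t < WINDOW_SECONDS]
        if len(self.failures) >= MAX_FAILURES:
            return "locked"                     # throttled: no further guesses
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        # Only the current 30 s step is accepted here; real servers often
        # also accept the adjacent step to tolerate clock drift.
        expected = totp(self.totp_secret, now).encode()
        code_ok = hmac.compare_digest(code.encode(), expected)
        if pw_ok and code_ok:                   # both factors, never either alone
            return "ok"
        self.failures.append(now)
        return "denied"

def online_guess_probability(digits=6, attempts=MAX_FAILURES):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return attempts / 10 ** digits

if __name__ == "__main__":
    secret = b"12345678901234567890"            # constructed sample secret
    acct = Account("constructed-passphrase", secret)
    print(acct.login("constructed-passphrase", totp(secret, 59), now=59))
    print(online_guess_probability())
```

With this policy a guesser gets five tries per window against a million possible codes, which is the throttling argument made in the reply above; the same counter also locks out the legitimate user until the window expires.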