As noted above, the OSRS client works differently to RS3 and the website.
In OSRS, it appears as above. 2FA is asked for even if the PW is wrong.
In RS3 and the Website, this is not the case.
Which method is better?
OSRS has advantages in that you will not know if the password you entered is correct. You only know that EITHER the password OR 2FA was wrong. You do not know which, or even if they were correct at all. This means in the situation of a brute force attack (which generally doesn't happen, but regardless), you will never know you got the correct password unless you ALSO got the correct 2FA at the time of entering it. This is actually preferable to knowing you got the correct password but not the correct 2FA, because the second you know the password is correct you can stop brute forcing that particular bit, or use it in recovery requests, or in attempts to scam the owner ("I know your password, give me 100m or I'll macro on your account and get you banned" or something similar), or try to use the same password on their email account and such.
In RS3 and the Website, if you do not get the 2FA prompt, you know the password was incorrect. If you do get the prompt, you know the password is correct, leading to the blackmail problems / appeal problems above.
IMO, the OSRS approach of asking for 2FA regardless of the password is better than the RS3/Website approach. However, Jagex fail on the fact they use both approaches anyway, and should stick to one or the other, not both.
While there's a small problem in using this to try and enumerate active accounts or accounts without 2FA at all, about 50% of all RS players have 2FA enabled, and although the OSRS method is better IMO, I would personally say there's not much real threat in knowing whether a single username exists or whether it has 2FA, because neither offers any real avenue to getting the password or 2FA anyway.
A username is not generally considered private information in most security systems.
15-Nov-2020 17:37:39 - Last edited on 15-Nov-2020 17:43:50 by Hmm
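The two login flows the post compares, as an added example that is not code from the original post or from Jagex. It models the RS3/website flow (password checked first, 2FA prompt only on success) and the OSRS flow (code collected up front, one combined verdict), then shows what a single brute-force attempt tells the attacker in each case. The account names, passwords, salt and TOTP seed are constructed for the demo; the TOTP routine follows RFC 6238 but is only here to make the second factor realistic.

```python
"""Added example (not code from the original post or from Jagex): two toy
login flows showing why prompting for 2FA only after a correct password
leaks password validity, while asking for both and returning one verdict
does not. Accounts, passwords and secrets below are constructed."""
import hashlib
import hmac
import struct
import time

SALT = b"demo-salt"  # constructed; a real system uses a random per-user salt


def _hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


ALICE_SECRET = b"demo-totp-secret-alice"  # constructed TOTP seed

# Constructed account store: alice has 2FA enabled, bob does not.
ACCOUNTS = {
    "alice": {"pw_hash": _hash_pw("correct horse battery staple"),
              "totp_secret": ALICE_SECRET},
    "bob": {"pw_hash": _hash_pw("hunter2"), "totp_secret": None},
}
# Dummy record so unknown usernames cost the same hashing work as real ones.
_DUMMY = {"pw_hash": _hash_pw("dummy"), "totp_secret": None}


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def _password_ok(rec, password):
    return hmac.compare_digest(rec["pw_hash"], _hash_pw(password))


def _code_ok(rec, code, now):
    return hmac.compare_digest(totp(rec["totp_secret"], now), code)


def login_two_step(user, password, code=None, now=None):
    """RS3/website-style flow: the password is verified first and the 2FA
    prompt only appears once it passes, so 'need_2fa' by itself confirms
    the password. Responses: invalid_credentials, need_2fa, invalid_2fa, ok."""
    rec = ACCOUNTS.get(user, _DUMMY)
    pw_ok = _password_ok(rec, password)  # always hash, even for unknown users
    if user not in ACCOUNTS or not pw_ok:
        return "invalid_credentials"
    if rec["totp_secret"] is None:
        return "ok"
    if code is None:
        return "need_2fa"  # this response alone tells the caller the password was right
    return "ok" if _code_ok(rec, code, now) else "invalid_2fa"


def login_combined(user, password, code=None, now=None):
    """OSRS-style flow: whether a code is needed depends on the username
    alone, the client collects it before anything is checked, and the server
    returns one verdict for password and code together.
    Responses: need_2fa, invalid, ok."""
    rec = ACCOUNTS.get(user, _DUMMY)
    needs_code = rec["totp_secret"] is not None
    if needs_code and code is None:
        return "need_2fa"  # asked before the password is even looked at
    pw_ok = _password_ok(rec, password) and user in ACCOUNTS
    code_ok = _code_ok(rec, code, now) if needs_code else True
    # One verdict for both factors; no hint about which one failed.
    return "ok" if pw_ok and code_ok else "invalid"


def attacker_learns(flow, user, guess, now=None):
    """What one brute-force attempt with a guessed password (and, if asked,
    a made-up code) tells the attacker: 'correct', 'wrong' or 'unknown'."""
    r = flow(user, guess, None, now)
    if r == "ok":
        return "correct"
    if flow is login_two_step:
        return "correct" if r == "need_2fa" else "wrong"
    if r == "need_2fa":
        r = flow(user, guess, "000000", now)  # attacker has no real code
        return "correct" if r == "ok" else "unknown"
    return "wrong"  # no 2FA on this account, so 'invalid' means wrong password


if __name__ == "__main__":
    t = 1_600_000_000
    for flow in (login_two_step, login_combined):
        for guess in ("correct horse battery staple", "wrong password"):
            print(flow.__name__, "alice", repr(guess), "->",
                  attacker_learns(flow, "alice", guess, t))
```

Running the script shows the asymmetry the post describes: against the two-step flow the attacker reads "correct" or "wrong" for every guess, while against the combined flow a 2FA-enabled account returns "unknown" either way. The caveat from the post also shows up in the code: the combined flow's "need_2fa" response is decided from the username alone, so it still reveals whether an account exists and has 2FA, just not anything about the password.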