
blog:Account Security Features

Quick find code: 294-295-396-66126612

Tuffty (Forum Moderator; member since Jan 2003; Posts: 152,160, Ruby)
It's an awesome read and great news from Jagex on protecting our Forum Accounts.

I love this update that the Community has asked for for years and years.

It's here now and loving it. Feels safer now.

Well worth reading it too.

Great job Jagex.

Thank you for this update.
Comprehensive Account Security
What do snowmen have for breakfast? Snowflakes! :P

24-Oct-2019 14:20:38

Samora Kiba (Member since Jan 2008; Posts: 9,252, Rune)
Lol, it's nice to see the first replies are 3 happy Fmods that the forums are more secure now :P

I'm actually very much in favour of these changes. The forums are a safer place now (and considering display names can be changed through the site, so are names). The backup code combines good old JAG and Authenticator in a way that doesn't inconvenience the player.

Edit:
I'd say the email auth vs backup code boils down to:
Email:
- Auth can be disabled by anyone with access to your email from anywhere.
- You can put auth on your email as well, making auth the barrier for your email.
- If your email is recovered by the hijacker, your account is wide open.
- If you lose your phone, you can hopefully still access your email through a trusted device.
- If you lose your phone and email access, you can immediately submit an appeal -> Email changed -> regain access.

Code:
- Auth can only be disabled by people with the backup code
- You can get a back-up code every time you enter your Auth code successfully.
- If you lose your phone, you can disable Auth without worrying about email access.
- If you lose your phone and forget your code, (or if a hijacker sets up this auth), you're locked out for at least 72 hours, potentially longer if you have issues providing enough information.

Wait. What prevents troll hijackers from putting an Auth with Code on an account, thereby locking players out for at least 72 hours? I mean, setting up auth does NOT require email access, so any hijacker who gets into an account without Auth can troll it that way. Hell, it'd even allow the hijacker about 3 days' time to steal items and use the account to spam phishing links or bot.

With this backup code update, the players who get hijacked while *not* having Authenticator (and that's quite a large part of all hijacks!) are locked out for 3 days+. Wasn't the entire theory to ensure a delay could not be abused by hijackers? Setting auth with code should require email access.
~Samo

Community Helper

Member of the godless. It's not that I don't want to devote my soul to an RS god, the problem is that I can't find it.

24-Oct-2019 15:05:40 - Last edited on 24-Oct-2019 15:45:37 by Samora Kiba

Roddy Piper (Member since Jan 2011; Posts: 13,751, Opal)
Just reading about it has increased my stress level by 10%. I am already not thrilled about the fuzzy pictures I need to occasionally click to login to the forum. It feels like soon I will need to get a robot to remember all the passwords and other various ways of accessing my accounts on the internet. And then someone might come steal my robot.

I could maybe send you a letter with verifiable information but someone might steal the mail truck. It's like: whatever. I'm normally just trying to get through a day and I gotta worry about clowns who feel the need to steal from others? The bottom line is I cannot worry. I have no energy for it. If someone takes my account I will just play Nintendo or go in the backyard with a stick.

24-Oct-2019 15:20:55

Orcrist9 (Member since Oct 2015; Posts: 7,183, Rune)
Samora Kiba said:

You can get a back-up code every time you enter your Auth code successfully.


You'll receive a Backup Code during Authenticator setup that you'll need to write down and keep in a safe place.


From this, Jagex is saying you are only getting one Back-up Code upon Authenticator setup that you need to store in a safe location. Basically, it's the password for your Authenticator. You will not be getting multiple Authenticator Back-up Codes (especially every time you use it successfully) because then you would have to overwrite the old code with the new one.


Samora Kiba said:
Wait. What prevents troll hijackers from putting an Auth with Code on an account, thereby locking players out for at least 72 hours? I mean, setting up auth does NOT require email access, so any hijacker who gets into an account without Auth can troll it that way. Hell, it'd even allow the hijacker about 3 days' time to steal items and use the account to spam phishing links or bot.

With this backup code update, the players who get hijacked while *not* having Authenticator (and that's quite a large part of all hijacks!) are locked out for 3 days+. Wasn't the entire theory to ensure a delay could not be abused by hijackers?


What prevents players from having a troll hijacker lock them out of their account is having a secure account with an Authenticator, whether they choose to use it with the Back-up Code or the current e-mail process. That's the point of the Authenticator: to keep the account secure, and if someone is lacking in their security, well, they were warned so they're going to have to go through the 72 hour process.

That being said, Jagex, not making an action on a support help request for 72 hours is simply ridiculous, and it would be helpful if you had identified what information players would need to provide to regain access to their accounts.
Here, I'll give you this strawberry if you keep it a secret!

24-Oct-2019 16:06:19

Orcrist9 (Member since Oct 2015; Posts: 7,183, Rune)
Roddy Piper said:
Just reading about it has increased my stress level by 10%. I am already not thrilled about the fuzzy pictures I need to occasionally click to login to the forum. It feels like soon I will need to get a robot to remember all the passwords and other various ways of accessing my accounts on the internet. And then someone might come steal my robot.

I could maybe send you a letter with verifiable information but someone might steal the mail truck. It's like: whatever. I'm normally just trying to get through a day and I gotta worry about clowns who feel the need to steal from others? The bottom line is I cannot worry. I have no energy for it. If someone takes my account I will just play Nintendo or go in the backyard with a stick.


I mean, you can get a password manager and just remember the main password for that if you're really struggling that bad.
Here, I'll give you this strawberry if you keep it a secret!

24-Oct-2019 16:08:04

Samora Kiba (Member since Jan 2008; Posts: 9,252, Rune)
Orcrist9 said:
Samora Kiba said:

You can get a back-up code every time you enter your Auth code successfully.


You'll receive a Backup Code during Authenticator setup that you'll need to write down and keep in a safe place.


From this, Jagex is saying you are only getting one Back-up Code upon Authenticator setup that you need to store in a safe location. Basically, it's the password for your Authenticator. You will not be getting multiple Authenticator Back-up Codes (especially every time you use it successfully) because then you would have to overwrite the old code with the new one.

'If you lose your backup code you can get a new one when you log in and pass your Authenticator check.'

It's in the news post.
It's fairly easy to say 'well, someone who didn't set up Authenticator had a bad security anyways so why care if they get locked out an additional 72 hours?'.

Here's the thing: many people don't use Authenticator, they only start using it after getting hijacked. Most hijacks I see are players who didn't have Authenticator. These players would be locked out for 72+ hours, and that is in my opinion too much. There's a reason Jagex had this as reason to avoid setting a delay: 'If a hijacker gets into your account and sets their own Authenticator Delay, it would keep you out of the game for even longer.' Getting hijacked is bad enough by itself, but not being able to recover for a few days is even worse.

Like I said, a lot of this would be prevented if setting up Authenticator with a code would require email access. If the hijacker got access to the email, it requires in most cases a full recovery anyways, as the hijacker tends to change the registered email.
~Samo

Community Helper

Member of the godless. It's not that I don't want to devote my soul to an RS god, the problem is that I can't find it.

24-Oct-2019 16:18:26
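As an added illustration of the two Authenticator-removal paths Samora compares in the first post (email vs backup code) and of the hijacker-lockout scenario argued in the post above, here is a small Python model. It is example code written for this thread, not Jagex's implementation or anything from the news post: the code format, the salted scrypt storage of the backup code, the rotation-on-successful-check behaviour and the `require_email_for_code_setup` policy switch are all assumptions used to make the argument concrete. The 72-hour figure is the one quoted in the thread.

```python
import hashlib
import secrets
from typing import Optional, Tuple

LOCKOUT_HOURS = 72  # minimum support delay quoted in the thread


def new_backup_code() -> str:
    """Random 64-bit backup code, grouped for writing down (format is an assumption)."""
    raw = secrets.token_hex(8).upper()
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def hash_code(code: str, salt: bytes) -> bytes:
    """The server keeps only a salted, memory-hard hash of the code (assumed design)."""
    return hashlib.scrypt(code.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class Account:
    def __init__(self) -> None:
        self.auth_enabled = False
        self.auth_mode: Optional[str] = None   # "email" or "code"
        self._salt: Optional[bytes] = None
        self._backup_hash: Optional[bytes] = None
        # Samora's proposal: enabling code-mode Authenticator requires email access.
        self.require_email_for_code_setup = False

    def _issue_backup_code(self) -> str:
        """Mint a fresh code and invalidate the previous one (rotation on each
        successful Authenticator check, as the thread quotes from the news post)."""
        code = new_backup_code()
        self._salt = secrets.token_bytes(16)
        self._backup_hash = hash_code(code, self._salt)
        return code

    def verify_backup_code(self, code: str) -> bool:
        if self._backup_hash is None or self._salt is None:
            return False
        return secrets.compare_digest(hash_code(code, self._salt), self._backup_hash)

    def enable_authenticator(self, mode: str, email_verified: bool) -> Optional[str]:
        """Turn Authenticator on. In code mode the returned string is the single
        backup code to write down; None means the policy refused the request."""
        if mode not in ("email", "code"):
            raise ValueError(mode)
        if mode == "code" and self.require_email_for_code_setup and not email_verified:
            return None
        self.auth_enabled = True
        self.auth_mode = mode
        return self._issue_backup_code() if mode == "code" else ""

    def login(self, password_ok: bool, totp_ok: bool) -> Tuple[bool, Optional[str]]:
        """Returns (success, new backup code if one was rotated)."""
        if not password_ok or (self.auth_enabled and not totp_ok):
            return False, None
        if self.auth_mode == "code":
            return True, self._issue_backup_code()
        return True, None

    def disable_authenticator(self, *, email_verified: bool = False,
                              backup_code: Optional[str] = None) -> bool:
        """Email mode needs the mailbox; code mode needs the code and nothing else."""
        if not self.auth_enabled:
            return True
        if self.auth_mode == "email":
            ok = email_verified
        else:
            ok = backup_code is not None and self.verify_backup_code(backup_code)
        if ok:
            self.auth_enabled, self.auth_mode = False, None
            self._salt, self._backup_hash = None, None
        return ok


def hijacker_lockout_hours(require_email_for_code_setup: bool) -> int:
    """Scenario from the thread: a hijacker holding the password of an account that
    has NO Authenticator enables code-mode Authenticator. The real owner still
    controls the email but has neither the phone nor the code. Returns the lockout."""
    acct = Account()
    acct.require_email_for_code_setup = require_email_for_code_setup
    hijacker_code = acct.enable_authenticator("code", email_verified=False)
    if hijacker_code is None:
        return 0  # refused: the owner's email still controls the account
    if acct.disable_authenticator(email_verified=True):
        return 0
    return LOCKOUT_HOURS  # only support can help, after the quoted delay


if __name__ == "__main__":
    print("current policy:", hijacker_lockout_hours(False), "hours locked out")
    print("email-gated setup:", hijacker_lockout_hours(True), "hours locked out")
```

Running it prints 72 hours under the policy as the thread describes it and 0 hours once code-mode setup is gated on email access, which is the whole of Samora's point: in code mode the mailbox is worthless for recovery, so whoever can enable code mode without proving mailbox control can lock the owner out for the full support delay.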
