Jagex Accounts

Quick find code: 317-318-300-66279278

Honor Knees | Member since Aug 2021 | Posts: 2 (Bronze)
Started looking into Jagex Accounts
Decided to try
Am I wrong in assuming, if they can hack your Jagex Account, then basically they have access to any accounts you link? Since they do not have individual passwords or authenticator statuses it seems?

So now 1 email and 2FA and a hacker could access ~10 linked accounts?... How is that more secure? Or am I missing something?

And there's no way to un-link your accounts once you import them?

29-Apr-2023 21:20:52

Lelouch Vi B | Member since Jan 2017 | Posts: 2,111 (Mithril)
It really isn't all that much safer. I mean, you get an email when someone logs in, but personally, I don't have my email perpetually up where I can see that notification; I check maybe once a day, which gives someone hours of access to my account before I even know.

Not only this, but the way Jagex Accounts now require authentication to log into the website makes phishing way easier. It used to be that you could easily tell something was a phishing scam when it asked for your authenticator, because that's something the website never used to do. But now, no one will question if they're asked for both their PW and authenticator. So the convincing phishing scams will be significantly more successful after this change.

Would be pretty cool if you could add an IP Lock to your account, where only IP addresses you've added to your account can log into the game with it, and adding new IPs could only be done from one of the addresses already on the list. Obviously you'd need a way to disable this lock in the event that something happens, but make it similar to Bank pins where you ask for it to be removed, and it takes a week to actually unlock, meanwhile it reminds you in big bold text every time you log in that you have initiated the lock removal, so it's very obvious if someone is trying to remove it when you log in.
Now with added [SARCASM] Warnings for those less astute!
Archaeology Elite Skill Suggestion

29-Apr-2023 21:34:21

Honor Knees | Member since Aug 2021 | Posts: 2 (Bronze)
My thoughts exactly. I used to do everything through the main RS website but now it seems I have to access my acc/info through 3 separate sites and an additional program to even play on the account. Much easier for phishing like you pointed out, and if they can phish that 1 email and auth then they get access to any acc you have linked. That seems like an awful "security" feature.

29-Apr-2023 21:38:05

Applejuiceaj | Forum Moderator | Member since Nov 2011 | Posts: 44,957 (Sapphire)
Honor Knees said:
So now 1 email and 2FA and a hacker could access ~10 linked accounts?... How is that more secure? Or am I missing something?

The point of Jagex Accounts is that they are harder to hijack in the first place. Additionally, all logins go through one portal only (the website), which allows better protections against things like brute force attacks, etc. That's where the main security benefit comes from.

Mandatory 2 factor means that you have to prove you both know the email address/password and have access to whatever that second factor is, be it access to your email account, your authenticator app, or one of your backup codes (in the event that you need to reset your authenticator). Of course, for the best security, you should have 2 factor on your email too.

If you had access to the registered email account, you could disable the authenticator enabled on a RuneScape account. That is not possible with a Jagex account. If you have access to the registered email, you can reset the password, however if the account is set up to not allow email verification codes, you still aren't able to log in.

If you change your registered email, that changes the email you use to log in with. That was not the case with a RuneScape account, where the login email or username never changed.

Jagex accounts cannot be recovered via the old RuneScape account recovery system, which had a 'human review' element to it. There have been times where people with a lot of information about contested accounts could 'trick' Jagex to giving the account back to the wrong person. That is no longer possible with the new system.

Passwords have had their max length and complexity increased.

29-Apr-2023 23:52:01 - Last edited on 30-Apr-2023 00:03:10 by Applejuiceaj

Applejuiceaj | Forum Moderator | Member since Nov 2011 | Posts: 44,957 (Sapphire)
No matter what improvements you do, there is only so much you can do about phishing (since you're basically giving someone your account info in a phishing attack) - however, the best way to prevent phishing is with knowledge. Given the Jagex Launcher remembers your info, even needing to enter your information should cause you to double check whether you actually need to enter your info.

Jagex Accounts are the future - while they are in an early access beta now, they (along with the launcher) will become mandatory going forward. RuneScape accounts as we've known them will be required to be imported to a Jagex Account to play when that happens.

30-Apr-2023 00:01:41

Lelouch Vi B | Member since Jan 2017 | Posts: 2,111 (Mithril)
Applejuiceaj said:
No matter what improvements you do, there is only so much you can do about phishing (since you're basically giving someone your account info in a phishing attack) - however, the best way to prevent phishing is with knowledge. Given the Jagex Launcher remembers your info, even needing to enter your information should cause you to double check whether you actually need to enter your info.

Jagex Accounts are the future - while they are in an early access beta now, they (along with the launcher) will become mandatory going forward. RuneScape accounts as we've known them will be required to be imported to a Jagex Account to play when that happens.

I fully believe Jagex Accounts will improve and become far more secure. I just wish they would launch with a few more features. We already know some games can do hardware bans by banning specific serial numbers on motherboards and other components; why not a voluntary component whitelist that works the opposite way? Maybe I only want the motherboard in my desktop to be able to log into the game. Let me add/remove whitelisted PCs from my account settings on the website; make it a process that takes 7 days to add/remove a device and emails you and screams at you every time you log in during those 7 days that it is being done, so there's no way it could happen without you noticing. If security is such a huge priority, why are there so few options to actually secure our accounts? Is it a bit over the top for an online medieval tree chopping simulator? Sure. But so is asking me to pull out my authenticator every 5 freaking minutes when I just want to refresh the forums...

30-Apr-2023 00:19:31 - Last edited on 30-Apr-2023 00:20:13 by Lelouch Vi B

Applejuiceaj | Forum Moderator | Member since Nov 2011 | Posts: 44,957 (Sapphire)
Lelouch Vi B said:
We already know some games can do hardware bans by banning specific serial numbers on motherboards and other components; why not a voluntary component whitelist that works the opposite way? Maybe I only want the motherboard in my desktop to be able to log into the game. Let me add/remove whitelisted PCs from my account settings on the website; make it a process that takes 7 days to add/remove a device and emails you and screams at you every time you log in during those 7 days that it is being done, so there's no way it could happen without you noticing.

That sounds very much over the top - if a player's computer experiences a hardware failure, should they be fully locked out of their account unable to play, having to jump through hoops to change that? Probably not... there are already players who have found themselves unable to play because they lost their authenticator and misplaced their backup codes so they are unable to reset it. If possible, the ways someone could 'lose' their account should be kept low.

The goals of Jagex Accounts are to provide security while also not getting in the way of the player's gaming experience. In an ideal world, no one has your Jagex Account credentials, and therefore can't log into your account. With mandatory 2FA in the mix, it should be extremely difficult for a Jagex Account to be hijacked without that other party having all of your info.

Lelouch Vi B said:
Is it a bit over the top for an online medieval tree chopping simulator? Sure. But so is asking me to pull out my authenticator every 5 freaking minutes when I just want to refresh the forums...

Log in at the RS homepage - that one seems to properly remember you, so you only need to enter your info every 2 weeks or so. If you get logged out of the forums, just go back to the homepage first before clicking 'Log In' and it should let you back in without needing to re-enter your details.

30-Apr-2023 01:29:32

Lelouch Vi B | Member since Jan 2017 | Posts: 2,111 (Mithril)
Applejuiceaj said:
That sounds very much over the top - if a player's computer experiences a hardware failure, should they be fully locked out of their account unable to play, having to jump through hoops to change that? Probably not... there are already players who have found themselves unable to play because they lost their authenticator and misplaced their backup codes so they are unable to reset it. If possible, the ways someone could 'lose' their account should be kept low.

The goals of Jagex Accounts are to provide security while also not getting in the way of the player's gaming experience. In an ideal world, no one has your Jagex Account credentials, and therefore can't log into your account. With mandatory 2FA in the mix, it should be extremely difficult for a Jagex Account to be hijacked without that other party having all of your info.

Hence the "Voluntary" part and the ability to remove/add new hardware after 7 days. Small chance of being locked out for 7 days if my computer explodes but effectively impossible to get hijacked? I'd take that. Besides, most people I know play on at least 2 devices. So you wouldn't even be locked out unless you managed to lose both at the same time. And how common are hardware failures that result in permanent loss of the motherboard? Will it really result in a significant uptick in lockouts compared to the loss of authenticator you bring up? Like I said, it could be voluntary, for those who are willing to take the extra steps to ensure maximum security. Just like how 2FA is now. I bet that 3 combat, 99 Slayer pure wishes they just had a 7 day lock-out instead of permanent destruction of their account.

Sure 2FA makes it difficult to hijack, but we already had 2FA accounts getting hijacked. So making the Jagex account also need 2FA doesn't solve the problem that already existed. So Jagex accounts don't appear to actually solve any problems that the original 2FA didn't.

30-Apr-2023 01:59:10 - Last edited on 30-Apr-2023 02:03:20 by Lelouch Vi B

Lelouch Vi B | Member since Jan 2017 | Posts: 2,111 (Mithril)
Jagex is already willing to make compromises that result in an increase in players being locked out of their accounts. With 2FA mandatory on all logins, including the site to alter account settings, you are now even more screwed if you lose your authenticator than you were before Jagex Accounts. Let's consider fatal hardware failure in my scenario and yours:

In my scenario, the player just has to log in to the website on a new device, go into account settings, and add it as a new device, and after 7 days they will be able to log into the game on that device. If the player has 2 devices, they aren't locked out for any period of time as they add a new device. If both devices suffer a fatal failure (house fire or something), then the player has to get their new device, add it, and wait 7 days.

In the current Jagex account systems, if the player has a major hardware failure, odds are they kept their back-up codes/authenticator on that device, meaning they're now locked out entirely. If they keep them on a separate device? Well then again, no issues because they have a second device. But if both devices are lost in a major event, then that player is completely locked out with no recourse.

Jagex accounts as they are now are just as likely to lock you out of your account as my suggestion. Both only permanently lock you out if you lose your authenticator/back-up codes. Jagex accounts appear to increase security, but they do so by adding steps that hijackers were already getting around. It's like having your front door lock picked open, so your solution is to add another lock, when you already know the criminal can pick locks. We already see 2FA compromised on a regular basis with RS accounts. Adding another 2FA to the homepage doesn't change that. And now that all of my accounts are accessible behind a single password and authenticator? I honestly feel less secure than I did before. It's why I never use those password keychains. Consolidation is inherently less secure.

30-Apr-2023 02:16:19 - Last edited on 30-Apr-2023 02:19:19 by Lelouch Vi B
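The IP lock and the voluntary device whitelist proposed in the posts above share one mechanism: a security-setting change that only takes effect after a cooling-off period and is flagged on every login until then, so the owner can spot and abort a change they did not start. The following is an added example modelling that mechanism; it is not code from the thread or from Jagex, and the device names, the 7-day delay and the warning text are assumptions taken from the posts.

```python
# Added example (not the thread's or Jagex's code): a voluntary device allowlist
# where every add/remove waits out a 7-day cooling-off period and is flagged on login.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLDOWN = timedelta(days=7)  # delay before an add/remove takes effect (assumed from the posts)


@dataclass
class DeviceAllowlist:
    active: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # device -> (action, effective_at)

    def request(self, action: str, device: str, now: datetime) -> None:
        """Queue an 'add' or 'remove'; nothing changes until COOLDOWN has passed."""
        if action not in ("add", "remove"):
            raise ValueError(f"unknown action {action!r}")
        self.pending[device] = (action, now + COOLDOWN)

    def cancel(self, device: str) -> bool:
        """Abort a pending change, e.g. one the owner did not initiate."""
        return self.pending.pop(device, None) is not None

    def _apply_due(self, now: datetime) -> None:
        for device, (action, effective) in list(self.pending.items()):
            if effective <= now:
                (self.active.add if action == "add" else self.active.discard)(device)
                del self.pending[device]

    def login_allowed(self, device: str, now: datetime) -> bool:
        """Game login is permitted only from a device that is currently active."""
        self._apply_due(now)
        return device in self.active

    def login_warnings(self, now: datetime) -> list:
        """Shown prominently at every login while any change is pending."""
        self._apply_due(now)
        return [f"{a.upper()} of {d} takes effect {t:%Y-%m-%d}" for d, (a, t) in sorted(self.pending.items())]


def demo() -> dict:
    """Constructed scenario: desktop enrolled, laptop added, unwanted desktop removal cancelled."""
    t0 = datetime(2023, 4, 30)
    wl = DeviceAllowlist(active={"desktop-mb"})
    wl.request("add", "laptop-mb", t0)
    wl.request("remove", "desktop-mb", t0)  # e.g. queued by someone who is not the owner
    day3, day7 = t0 + timedelta(days=3), t0 + COOLDOWN
    return {
        "laptop_day3": wl.login_allowed("laptop-mb", day3),    # not yet, still pending
        "warnings_day3": wl.login_warnings(day3),              # both changes flagged
        "cancelled": wl.cancel("desktop-mb"),                  # owner spots it and aborts
        "laptop_day7": wl.login_allowed("laptop-mb", day7),    # add has taken effect
        "desktop_day7": wl.login_allowed("desktop-mb", day7),  # removal never happened
    }
```

The point the model makes is the one the thread argues over: a hijacker who can queue a change still cannot use it for a week, and every login in that week tells the owner it is pending.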

Applejuiceaj | Forum Moderator | Member since Nov 2011 | Posts: 44,957 (Sapphire)
Lelouch Vi B said:
Hence the "Voluntary" part and the ability to remove/add new hardware after 7 days.
[...]
I bet that 1 Def, 99 Slayer pure wishes they just had a 7 day lock-out instead of permanent destruction of their account.

Appreciate it being voluntary, but even then, it sounds very much an extreme. At some point, it's up to players to keep their information safe and secure. If players can't keep their information safe, no amount of protection will ultimately be enough. Besides, as it is right now, players don't like waiting out changes to existing security measures. :P

One thing I think would be interesting would be seeing stats on how many people with Jagex Accounts have been hijacked vs. those with RuneScape accounts who have yet to upgrade. That may in itself be telling enough about how well the system is working.

Lelouch Vi B said:
Sure 2FA makes it difficult to hijack, but we already had 2FA accounts getting hijacked. So making the Jagex account also need 2FA doesn't solve the problem that already existed. So Jagex accounts don't appear to actually solve any problems that the original 2FA didn't.

RuneScape Account 2FA could be disabled just with access to the email account. If you had access to the email account, you could disable 2FA and log in, without having the current authenticator.

That isn't possible with Jagex Accounts, you need to be able to pass verification to log in and change the authenticator. That in itself makes Jagex Account 2FA more secure, especially if email verification is not re-enabled after setting up a mobile authenticator. Jagex has also said that it is possible that additional 2FA options (such as hardware based keys like YubiKeys) may also be added in the future.

The only security hole that still exists is linked accounts (Steam, Google, Facebook, etc) - those expect that you have top notch security on THOSE, which many who link them don't.

30-Apr-2023 02:17:24