
Cncl memb bcus authentication?

Quick find code: 317-318-506-66287823

U R Panned
Member since Oct 2022 | Posts: 8 (Bronze)
It's 2023, and you still limit the title length so severely? Enjoy the headache of shortened titles then...

The way Jagex has set up the Jagex account authentication system is a complete mess. Are you ever going to fix this? It's 2023, and you are still attempting to authenticate via code sent to email?

I'm playing on OSRS mobile, and due to the utter mess that the Jagex accounts and their authentication are, I'm starting to consider cancelling my membership subscriptions, since logging on to my alt accounts is not a matter of two-step verification, but closer to a 10-step verification, and EACH TIME I WANT TO CHANGE ACCOUNT, I NEED TO RUN THE TEDIOUS MARATHON OF REAUTHENTICATING EVERY SINGLE TIME, EVEN IF I JUST AUTHENTICATED THAT ACCOUNT 5 MINUTES EARLIER.

If you are too lazy to fix this mess, you're not worth the money I'm paying you monthly.

25-Sep-2023 13:24:55

Tenebri
Member since Jan 2015 | Posts: 39,236 (Sapphire)
U R Panned said:
It's 2023, and you still limit the title length so severely? Enjoy the headache of shortened titles then...

The way Jagex has set up the Jagex account authentication system is a complete mess. Are you ever going to fix this? It's 2023, and you are still attempting to authenticate via code sent to email?

You can have it as an app.

I've had auth for years, and not once has it been one that has to be sent via email.

200m all RS3 on 7/3/19
1.2Billion overall Slayer xp / Ultimate slayer title

OSRS 2277/2277 Untrim slayer cape
Hail Satan, He loves for who you are.

25-Sep-2023 15:11:54

U R Panned
Member since Oct 2022 | Posts: 8 (Bronze)
If you have made the terrible mistake of switching to using Jagex account, you no longer have a choice. You are forced to use the more insecure way of using email-delivered authentication code instead of time-based app-delivered authentication code.

Let me quote Kelley Robinson (Developer & Security Advocate at Twilio)

"Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.

That said, email based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS based 2FA, which can protect 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all."

"TOTP stands for Time-based One-Time Passwords and is a common form of two factor authentication (2FA). Unique numeric passwords are generated with a standardized algorithm that uses the current time as an input. The time-based passwords are available offline and provide user friendly, increased account security when used as a second factor."

Why is email-based authentication more insecure?

Your Jagex account login is your email. The authentication code is delivered to the same email. Only your email needs to be compromised, and this can be done from around the globe with ease. If your email is compromised, say bye bye to ALL your accounts that are now behind this Jagex account. You can't even take any preventative actions if you notice that your email is compromised, as all your login attempts are now delivered through the email verification.

While if you are using TOTP as a means of authenticating, what needs to be compromised in order to access your accounts? Your physical device that you're using for authenticating. While this is possible, the likelihood of it happening is significantly smaller, and it's traceable.

05-Oct-2023 14:26:35

U R Panned
Member since Oct 2022 | Posts: 8 (Bronze)
To deliver my point here, ask yourself this: how often have you heard about someone's email being compromised due to database leaks etc?

Then ask this, how often have you heard of someone's phone getting hijacked (sim-swapped) or their phone stolen to access their in-game account?

While the latter ones are also possible, SIM-swapping is ineffective and does nothing if you're using an offline authenticator like Google Authenticator (not to mention that it requires the hijacker to know your phone number, and it is traceable), and if your phone gets stolen, it requires physical access to you, and by that time your in-game account being compromised is probably the least of your concerns.

But the main issue here is that the Jagex account offers no choice but to use email-based 2FA; those who made the unfortunate choice of switching to a Jagex account are trapped in lower-quality security.

05-Oct-2023 14:46:09

Applejuiceaj (Forum Moderator)
Member since Nov 2011 | Posts: 44,957 (Sapphire)
U R Panned said:
If you have made the terrible mistake of switching to using Jagex account, you no longer have a choice. You are forced to use the more insecure way of using email-delivered authentication code instead of time-based app-delivered authentication code.

Incorrect - You just need to go into your Jagex Account settings and change it to using a time based authenticator. At that point you can actually disable email based authentication (which is what I personally did).

With that in mind - Jagex did say when Jagex Accounts were announced and going into beta that they were aware that the mobile flow wasn't the greatest (needing to fully log out and back into your Jagex Account on Mobile to change characters, which requires re-entering 2 factor auth), but that it was on their list of things to review in the future. I suspect that is still on their radar.

05-Oct-2023 16:35:07

Tenebri
Member since Jan 2015 | Posts: 39,236 (Sapphire)
U R Panned said:
If you have made the terrible mistake of switching to using Jagex account, you no longer have a choice. You are forced to use the more insecure way of using email-delivered authentication code

I've had a Jagex account since its launch. You can have it as an app, and not once in those many months was my code sent to me via email.

I've always used the one that's an app on my mobile.

U R Panned said:
But the main issue here is, that Jagex account offers no choice, but to use email-based 2FA.

This is 100% wrong.


05-Oct-2023 17:20:22 - Last edited on 05-Oct-2023 17:21:08 by Tenebri
