-
Account Security
Due to all the phishing attempts and people getting hacked through suspicious links, even those with a security token, I recommend incorporating a system like the one World of Warcraft's mobile authenticator has.
When someone logs in from an unknown IP address or a computer they have not been on, even with a Security Token, a message should be sent to the person's email, phone, or SQEX Token for a third part verification.
This would limit the number of people getting tricked by these phishing attempts.
-
This is already a thing but only if you don't have 2FA active. If you try to log in on a new device/place you'll get an email to change your password.
The vast majority of the time, the people getting phished are the ones who have massive holes in online security knowledge, so unfortunately no matter how many layers of security you have the most vulnerable will still fall for it. Phishing scams have evolved so much they can circumvent different types of 2FA pretty easily nowadays. And even worse, early FFXIV scams apparently even asked you to disable 2FA and people still fell for it.
-
Not if you are using a security token.
-
Even if you have OTP/2FA, the phishing links send you to a page where they ask you to put it in. So the instant you do, the bot on the other end immediately logs into your account, forcing you offline. And it works because the OTP code is still active for a bit before it expires.
From what I've read from other people, this is all done on the same page.
Whereas when you log into a legit Square Enix site, say Lodestone/Mogstation/Online Store, the OTP/2FA code is asked for on the NEXT webpage after you enter your login/password.
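
Added example, not part of any post in this thread: a server-side sketch of why a relayed one-time code is still accepted within its time window, and how the new-device check proposed in the first post would hold that login for confirmation. The account record, device names and the `login_decision` policy are assumptions for illustration and do not describe Square Enix's actual login system.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def otp_valid(secret: bytes, code: str, now: float, drift_steps: int = 1) -> bool:
    """Accept the current step plus/minus drift_steps to tolerate clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def login_decision(account: dict, code: str, device_id: str, now: float) -> str:
    """Return 'deny', 'challenge' or 'allow' for a password-verified login."""
    if not otp_valid(account["secret"], code, now):
        return "deny"
    if device_id not in account["known_devices"]:
        # The code is valid but the device is unrecognised: hold the session
        # until the owner confirms out of band (email, phone or app prompt).
        return "challenge"
    return "allow"

# Constructed sample data (hypothetical account, secret and device names).
ACCOUNT = {"secret": b"constructed-demo-secret", "known_devices": {"home-pc"}}
T0 = 1_700_000_000  # arbitrary fixed timestamp so the result is reproducible

if __name__ == "__main__":
    code = totp(ACCOUNT["secret"], T0)  # the code the token shows at T0
    print("known device, 5 s later: ", login_decision(ACCOUNT, code, "home-pc", T0 + 5))
    print("new device, 20 s later:  ", login_decision(ACCOUNT, code, "unknown-device", T0 + 20))
    print("new device, 120 s later: ", login_decision(ACCOUNT, code, "unknown-device", T0 + 120))
```

The second case is the one described in the last post: the code alone passes, so only the device check separates it from a normal login.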