  1. #1
    worldofneil
    Quote Originally Posted by Fyana View Post
    Blizzard, that has a 12 year old MMO much more successful than this one has terrible security.
    I never said terrible. I said weaker.

    Quote Originally Posted by Fyana View Post
    doesn't require you to type it in EVERY single time you log out
    Quote Originally Posted by Fyana View Post
    Stop condescending people when you don't even do your research!
    Please do YOUR research. Any system that caches your authentication is inherently weaker than one that requires it every single time. I'm not really sure how you can disagree with that.

    While the risk of someone coming from the same IP address during that time period is extremely minimal (unless you're somewhere public or in a building where everyone uses the same Internet connection/IP address...), my point is it's still a weakness that SE does not have because they require you to type in a code every time. Blizzard are doing it simply to make it more convenient with a risk they probably consider acceptable.

    Great as push notifications like you're describing are (and yes I have the Blizzard one too), the advantage is that code generation does not require an active Internet connection, receiving a notification does. Amazing as it sounds there are still people that don't have mobile data on their phones and aren't always in areas with Wi-Fi.

    Yes I'm aware that you can generate a code manually using the Blizzard app, and sure SE could support both codes and push, but from their point of view, why bother. What they have works and it integrates well with their physical token solution.
    (4)
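
An added illustration of the caching trade-off argued in the post above (not code from the thread, Blizzard or Square Enix): a minimal model of the two login policies run over constructed login events. The cache key of account plus source IP, the 24-hour window, and all names and addresses are assumptions.

```python
from dataclasses import dataclass, field

CACHE_WINDOW = 24 * 3600  # assumed lifetime (seconds) of a remembered login


@dataclass
class LoginPolicy:
    cache_by_ip: bool  # False: ask for a one-time code at every login
    trusted: dict = field(default_factory=dict)  # (account, ip) -> expiry

    def otp_required(self, account, ip, now):
        if not self.cache_by_ip:
            return True
        expiry = self.trusted.get((account, ip))
        return expiry is None or now >= expiry

    def record_otp_success(self, account, ip, now):
        if self.cache_by_ip:
            self.trusted[(account, ip)] = now + CACHE_WINDOW


# Constructed events: (time in s, account, source IP, device, holds the token?)
# Every attempt is assumed to present the correct password.
EVENTS = [
    (0, "alice", "203.0.113.7", "owner-pc", True),
    (3600, "alice", "203.0.113.7", "owner-pc", True),
    (7200, "alice", "203.0.113.7", "shared-ip-device", False),  # same public IP
    (9000, "alice", "198.51.100.9", "remote-device", False),
    (100000, "alice", "203.0.113.7", "shared-ip-device", False),  # cache expired
]


def simulate(policy):
    """Return (time, device, outcome) for each constructed login attempt."""
    results = []
    for now, account, ip, device, has_token in EVENTS:
        if not policy.otp_required(account, ip, now):
            outcome = "allowed-without-code"
        elif has_token:
            policy.record_otp_success(account, ip, now)
            outcome = "allowed-with-code"
        else:
            outcome = "denied"
        results.append((now, device, outcome))
    return results


if __name__ == "__main__":
    for name, cached in (("code every login", False), ("cache by IP", True)):
        print(name, simulate(LoginPolicy(cache_by_ip=cached)))
```

For a device that does not hold the token, the two policies differ only on the 7200 s attempt from the shared IP, which falls inside the cache window.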

  2. #2
    enthauptet
    Quote Originally Posted by worldofneil View Post
    physical token solution.
    Might want to ask RSA if you think keyfobs and software tokens are actually secure. Theoretically producing fewer keys is actually more secure by reducing your attack surface.

    Anyway if you are really this worried about the security of your token then your token would not be your primary concern anyway tbh as your authentication is only as secure as how it is transmitted. Without being privy to any of the details of their system architecture talking about it doesn't mean anything.
    (0)
    Last edited by enthauptet; 10-14-2017 at 03:17 AM.

  3. #3
    worldofneil
    Quote Originally Posted by enthauptet View Post
    Might want to ask RSA if you think keyfobs and software tokens are actually secure.
    That's not really the topic at hand, but SE aren't using tokens from RSA, they're using rebranded Vasco DIGIPASS GO 6's.

    Quote Originally Posted by enthauptet View Post
    Theoretically producing fewer keys is actually more secure by reducing your attack surface.
    I'll be completely honest, I don't know if that's the case or not. I'll take your word for it!

    Quote Originally Posted by enthauptet View Post
    your authentication is only as secure as how it is transmitted.
    It's transmitted over HTTPS to ffxiv-login.square-enix.com. Their server could be locked down a bit more, but given that we have to provide the OTP each time, personally that's good enough for me. Your mileage may vary.
    (0)