  1. #1
    Player
    Join Date
    Sep 2013
    Posts
    9
    Character
    Rhys El
    World
    Leviathan
    Main Class
    Lancer Lv 50

    SQEX TOKEN should replicate Google 2-step encryption.

    The requirement to enter a one-time password each time users log in makes the SQEX TOKEN app less appealing as a security solution.

    SQEX has incorrectly flagged my account as compromised three times, usually when I play outside of a normal time (like the occasional all-night session). I downloaded the SQEX Token to try and prevent this inconvenience.

    After using it for a few days, I would rather change my password every month when SQEX incorrectly thinks I've been hacked and locks my account.

    Suggest that SQEX attempt to replicate the user experience of Google's "2-step encryption."
    1. User registers phone and links to account.
    2. User logs in for first time and enters one-time code.
    3. User's computer is securely synced to account.
    4. No further "one-time password" is necessary unless unsafe activity is detected.
    (2)

  2. #2
    Player
    Join Date
    Sep 2013
    Posts
    53
    Character
    Alassea Stormgaze
    World
    Hyperion
    Main Class
    Archer Lv 50
    I wholeheartedly agree with this.
    (0)

  3. #3
    Player

    Join Date
    Jan 2012
    Posts
    518
    Um, what is "Google's 2-step encryption" and how does that relate to the security problem the Token system SE and many other MMOs and other types of organisation solves?
    (0)

  4. #4
    Player
    Join Date
    Sep 2013
    Posts
    53
    Character
    Alassea Stormgaze
    World
    Hyperion
    Main Class
    Archer Lv 50
    He's speaking of Google Authenticator. You are required to enter the one-time code only once on your PC, so you mark it as "safe".

    https://play.google.com/store/apps/d...ticator2&hl=en
    (0)

  5. #5
    Player
    Join Date
    Aug 2013
    Posts
    2,650
    Character
    Scott Pilgrim
    World
    Omega
    Main Class
    White Mage Lv 100
    Quote Originally Posted by RyanW View Post
    User's computer is securely synced to account
    On your local computer the Google identifier is stored in a cookie. If you clear your browser cookies (or even use a different browser), it won't know who you are and you'll have to use the one-time-password again the next time you login to Google.

    If SE were to replicate that behaviour (and mark a computer as safe), they'd have to store that information on your computer somewhere which automatically makes it a target for would-be hackers (like they did with the autosave password file that FFXI used).

    SE probably don't want the headache of people screaming about their accounts being compromised, even though they used one-time-passwords, because it makes the whole system sound insecure so they don't give us the option to register a particular computer as "safe".

    Personally I'd rather they did use Google Authenticator, but as it is right now I have it on my home-screen of my phone and opening it gives me a code straight away so it couldn't really be much simpler.
    (0)
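
The "mark a computer as safe" cookie discussed in this post, sketched as an added example that is not part of the original thread and is not Google's or Square Enix's implementation. The key, the 30-day lifetime, the field names and the revocation set are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret; never leaves the server
TRUST_LIFETIME = 30 * 24 * 3600       # assumed policy: ask for the OTP again after 30 days

def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def issue_trust_cookie(account, now=None):
    """Issue only after the password AND a one-time password were both accepted."""
    now = time.time() if now is None else now
    claims = {"acct": account, "dev": secrets.token_hex(16),
              "exp": int(now) + TRUST_LIFETIME}
    payload = json.dumps(claims).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def otp_required(account, cookie, revoked_devices, now=None):
    """Return True when this login must still prompt for the one-time password."""
    now = time.time() if now is None else now
    if not cookie or "." not in cookie:
        return True                       # cleared cookies or a different browser
    body, sig = cookie.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(body.encode())
    except ValueError:
        return True                       # not valid base64
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return True                       # edited or forged on the client
    claims = json.loads(payload)          # safe to parse: signature verified
    if claims["acct"] != account:
        return True                       # cookie belongs to another account
    if now >= claims["exp"]:
        return True                       # trust window has expired
    return claims["dev"] in revoked_devices
```

A cookie copied off the machine still passes this check until it expires or its device id is revoked, which is the theft risk the post describes; the signature only stops a client from minting or editing one.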

  6. #6
    Player
    Join Date
    Sep 2013
    Posts
    53
    Character
    Alassea Stormgaze
    World
    Hyperion
    Main Class
    Archer Lv 50
    It could be implemented using IP, so while your modem doesn't reset or if you're using a static IP you won't be required to input the code again.
    (0)

  7. #7
    Player
    Join Date
    Aug 2013
    Posts
    958
    Character
    Zohno Reecho
    World
    Ragnarok
    Main Class
    Pugilist Lv 70
    The launcher uses an internet explorer frame, so they can probably its cookies.
    (0)

  8. #8
    Player
    Join Date
    Oct 2013
    Posts
    129
    Character
    Gadzi Hajaz
    World
    Gilgamesh
    Main Class
    Archer Lv 50
    This happened to me today, SQEX KB documents even say the token is there to prevent the need to change your password and your account will not be flagged if you used the token. But for some reason they flag your account.
    (0)

  9. #9
    Player
    Join Date
    Aug 2013
    Posts
    2,650
    Character
    Scott Pilgrim
    World
    Omega
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Andrewzz View Post
    It could be implemented using IP, so while your modem doesn't reset or if you're using a static IP you won't be required to input the code again.
    True and to be fair that is how Guild Wars 2 does it. I have to wonder how many people forget they have a security token added (and lose/change their phone etc) if they use it so infrequently.

    Quote Originally Posted by ZohnoReecho View Post
    The launcher uses an internet explorer frame, so they can probably its cookies.
    Yes that's true, I didn't think of that. I had a look and sure enough there's a cookie for ffxiv-login.square-enix.com.
    (0)

  10. #10
    Player
    Join Date
    Sep 2013
    Posts
    53
    Character
    Alassea Stormgaze
    World
    Hyperion
    Main Class
    Archer Lv 50
    Quote Originally Posted by worldofneil View Post
    I have to wonder how many people forget they have a security token added (and lose/change their phone etc) if they use it so infrequently.
    It's not like that; your modem will reset itself every week or so, so you would have to input the code on a weekly basis.
    (0)
