SQEX TOKEN should replicate Google 2-step encyption.

[RyanW]

The requirement to enter a one-time password each time users log in makes the SQEX TOKEN app less appealing as a security solution.

SQEX has incorrectly flagged my account as compromised three times, usually when I play outside of a normal time (like the occasional all-night session). I downloaded the SQEX Token to try and prevent this inconvenience.

After using it for a few days, I would rather change my password every months when SQEX incorrectly thinks I've been hacked and locks my account.

Suggest that SQEX attempt to replicate the user experience of Google's "2-step encryption."

1. User registers phone and links to account.
2. User logs in for first time and enters one-time code.
3. Users computer is securely synced to account
4. No further "one-time password" is necessary unless unsafe activity is detected.

[Andrewzz]

I wholeheartedly agree with this.

[KraggyKor]

Um, what is "Google's 2-step encryption" and how does that relate to the security problem the Token system SE and many other MMOs and other types of organisation solves?

[Andrewzz]

He's speaking of Google Authenticator. You require to enter the one time code only once on your PC, so you mark it as "safe"

https://play.google.com/store/apps/d...ticator2&hl=en

[worldofneil]

Users computer is securely synced to account

On your local computer the Google identifier is stored in a cookie. If you clear your browser cookies (or even use a different browser), it won't know who you are and you'll have to use the one-time-password again the next time you login to Google.

If SE were to replicate that behaviour (and mark a computer as safe), they'd have to store that information on your computer somewhere which automatically makes it a target for would-be hackers (like they did with the autosave password file that FFXI used).

SE probably don't want the headache of people screaming about their accounts being compromised, even though they used one-time-passwords, because it makes the whole system sound insecure so they don't give us the option to register a particular computer as "safe".

Personally I'd rather they did use Google Authenticator, but as it is right now I have it on my home-screen of my phone and opening it gives me a code straight away so it couldn't really be much simpler.

[Andrewzz]

It could be implemented using IP, so while your modem doesn't reset or if you're using a static IP you won't require to input the code again.

[worldofneil]

It could be implemented using IP, so while your modem doesn't reset or if you're using a static IP you won't require to input the code again.

True and to be fair that is how Guild Wars 2 does it. I have to wonder how many people forget they have a security token added (and lose/change their phone etc) if they use it so infrequently.

The launcher uses an internet explorer frame, so they can probably its cookies.

Yes that's true, I didn't think of that. I had a look and sure enough there's a cookie for ffxiv-login.square-enix.com.

[Andrewzz]

I have to wonder how many people forget they have a security token added (and lose/change their phone etc) if they use it so infrequently.

Is not like that, your modem will reset itself every week or so, so you would have to input the code on a weekly basis.

[worldofneil]

Is not like that, your modem will reset itself every week or so, so you would have to input the code on a weekly basis.

Only if you get a new IP when that happens. I have a static IP with my current provider and forgot that I even had an authenticator on GW2 until this topic came up. I've only had my GW2 account for a year, but in that time I've never had to use the authenticator. If I login somewhere else (or change provider), I'll have a new IP and will need the authenticator, which luckily I still have setup, but my point was that I wondered how many people have static IPs (or virtually static) and forget they have an authenticator on their account so when they come to use it, they're out of luck if since change phone/forgot about it etc.

[Kitai]

Is not like that, your modem will reset itself every week or so, so you would have to input the code on a weekly basis.

I have dynamic IP, but I've had the same IP for over a year now. It all depends on how your ISP does it, and how stable your router is.