One time password /sigh

[Jonny_Tapas]

Well now then:

I just re-registered and here are all of the instructions:

Software Token Registration Page: In the Mog Station

A registration password has been sent to your registered e-mail address.
To complete Software Token registration, please launch the application, select the language you wish to use, and enter your Square Enix ID, date of birth, and registration password.

* Please be aware that you cannot complete the registration procedure without entering your Square Enix ID, date of birth, and registration password. Furthermore, the password will expire 60 minutes after the confirmation mail was sent.
* Once registration is completed the system will automatically log you out from all online services that are currently in use. Please make sure to log out from any such services before starting the Software Token registration procedure.


Select language

Please enter the following to complete registration:

・ Your Square Enix ID
・ Your date of birth
・ Your registration password

A One-Time Password will be displayed, and the application will become available for subsequent use.

The E-mail I was Sent:

Square Enix Account Management System
http://account.square-enix.com/
-------------------------------------------------------

Thank you for using the Square Enix Account Management System. This is an automatically generated notification sent for the purpose of Square Enix Software Token registration.

Please enter the following registration password into the Software Token application.

Registration password:
xxxxxxxxxxxxxxxxxxxxxxxx

* The password contained within this mail is only valid for a period of 60 minutes after being sent. Make sure to enter the password within the valid time period.

-------------------------------------------------------
For inquiries regarding products and services, please visit the Square Enix Support Center.

And then I am fully registered and free to use my security token with absolutely 0 mention of an Emergency Removal Password. I kept my eyes open just like the Service Rep said and it does not appear anywhere.

So if you all would be so kind as to tell me where do I find this number so I don't have to post this rant again.

The Answer:

After you are registered you are sent a 2nd email that tells you to log into your Mog Station and retrieve this number! It is there!

Herein lies the problem. The moment people are registered and the software is activated, the logical next step is to log in and play the game.

It is not uncommon for people to then purge their e-mail accounts of the Square Enix e-mails they received and this step can be easily overlooked.

A simple recommendation would be to provide this Emergency Removal Key during the registration process rather than after the software is registered or force users to acknowledge this Emergency removal information before the software works. A very simple adjustment.

[Alukah]

Odd, this is what they sent to me when I registered it.

Square Enix Account Management System
http://account.square-enix.com/
-------------------------------------------------------

Thank you for using the Square Enix Account Management System. The procedure to register the Software Token application to your account is complete. Please take a few moments to check over your registration details.

Square Enix ID:
***
Serial number for the registered Software Token:
***

Please access the URL below and confirm that One-Time Passwords are now activated. The Emergency Removal Password that will be required if your phone is lost or damaged will be shown on screen after logging in.
https://secure.square-enix.com/account/app/svc/login?cont=account

-------------------------------------------
The serial number above is required to remove the application's settings, so be sure to store it safely.

-------------------------------------------------------
For inquiries regarding products and services, please visit the Square Enix Support Center.

http://support.na.square-enix.com/main.php?la=1&id=496
-------------------------------------------------------

[Jonny_Tapas]

Odd, this is what they sent to me when I registered it.

Correct this is the 2nd e-mail you receive after your product is already registered. I made the mistake of disregarding it as a "Thank you for registering blah blah" email that you get from absolutely everything you register for... The first time around.

I would have disregarded it again if I wasn't actively looking for the Emergency Removal Password. It would solve many issues if this step was forced before the software would access the game.

I hope this topic helps others learn from my mistake. If you haven't recorded your Emergency Removal Key... it's a good idea to do that now. In my case my phone app just happened to reset for no reason.

[Taylor-MadeAK]

Well now then:

I just re-registered and here are all of the instructions:

<SNIP>

I've re-registered my software token several times due to reimaging my phone, and every time - including the first time - the emergency removal code has been displayed on the web page that is displayed upon login immediately after linking the additional authentication token (AAT) to my account:



I keep that key, along with the rest of my account information, in a Keepass 2 database for easy retrieval for situations exactly like this.

I've never had to contact SE support for this, but in their defense the reason you got the "I'm not sure, keep your eyes open" answer can be explained in two words: outsourced support. Clearly their training doesn't include going through the user experience of linking an AAT to an account. This is something that maybe we can suggest to SE that they feed back to their outsourcing provider to fine-tune their support.

[Rennah]

I definitely didn't remember anything about an emergency removal password, so I looked into it...and nothing. It seems those are ONLY for the phone app token, not the physical security token, like the kind that came with the CE. I'm a bit confused by that, seeing as a security token, small as it is, is a lot easier to lose than your phone, but...

[Gilraen]

It is not uncommon for people to then purge their e-mail accounts of the Square Enix e-mails they received and this step can be easily overlooked.

Who does this? Who purges emails related to things they have done that involve real money that aren't a.) receipts or b.) shipping notifications. I keep everything but Ebay emails because eff Ebay, like I need to keep 5 emails telling me about something I received in the mail already and have found to be satisfactory (though if it's not what I ordered I'm definitely going to have a use for those 5 emails). I have email files with email going back as far as 2003. Not because I'm hoarding them but because they all have information pertaining to things I still use to this day. It makes sense to archive old emails. This thing you say is like burning your bridges, nothing good ever comes of it.

[Noahlimits]

Wow, they actually expect you to write down an emergency removal password? How dare they? It's like they want us to have secure accounts or something!

Considering they usually take 2+ months to get someone's hacked account back, it is definitely worth using a security token.

[kidvideo]

Seeing as we're forced to manually log in, it's worth the free teleports to use the onetime password.

But I do wish the FFXIV login was tied to the PSN network like all the other playstation games.

[Taylor-MadeAK]

I've never even taken my little keyfob out of the wrapper from my CE. Being that I'm on PS4 and don't give out/use my log in info on strange sites/areas, I see it as an absolutely useless extra step that I have no desire to take.

Even the free teleport benefit is not even close to enough incentive for me to be bothered with using it.

"Not giving out information" doesn't protect you from brute-force, dictionary, or man-in-the-middle attacks. It's not difficult to brute-force or assemble usernames with a dictionary. After that, it's just a matter of time before they crack your password. How much time depends on the strength of your password, and quite frankly the odds are in the hackers' favor.

I had the same attitude as you, once. It only took losing one account to a hacker to teach me that lesson. Use the two-factor login feature, the slight inconvenience is a small price to pay for the huge gain in the security of your account.

[kidvideo]

"Not giving out information" doesn't protect you from brute-force, dictionary, or man-in-the-middle attacks. It's not difficult to brute-force or assemble usernames with a dictionary. After that, it's just a matter of time before they crack your password. How much time depends on the strength of your password, and quite frankly the odds are in the hackers' favor.

All to get, what? That chub my retainer brought back today? No trade/spirit bonded equipment that might sell for 10gil to an NPC? I don't fear any hackers.

Take my chub, please!