  1. #11
    Player
    Fyana's Avatar
    Join Date
    Aug 2013
    Location
    inside a pizza box
    Posts
    30
    Character
    Azura Eir
    World
    Excalibur
    Main Class
    White Mage Lv 90
    Quote Originally Posted by worldofneil View Post
    No... they're using a similar implementation, but with weaker security that they probably consider acceptable for their product.
    Oh yes, the incredibly successful company, Blizzard, that has a 12 year old MMO much more successful than this one has terrible security. /rolls eyes

    Their security is so much better that they've created an authentication system that doesn't require you to type it in EVERY single time you log out - from the same IP, within 3 minutes of you last entering it. In fact, they have one tap authentication for the mobile app, where it shows both the number and a button that you can press to be let into your account when the client asks for authentication. Stop condescending people when you don't even do your research!
    (1)

  2. #12
    Player
    Seig345's Avatar
    Join Date
    Jan 2012
    Location
    Gridania
    Posts
    995
    Character
    Seigyoku Cypher
    World
    Sargatanas
    Main Class
    White Mage Lv 66
    Gotta admit I love just tapping "Approve" with Blizzard's authentication app, don't even have to unlock my phone.
    (1)

  3. 10-13-2017 10:48 PM
    Reason
    Adding more detail

  4. #13
    Player
    worldofneil's Avatar
    Join Date
    Aug 2013
    Posts
    2,650
    Character
    Scott Pilgrim
    World
    Omega
    Main Class
    White Mage Lv 100
    Quote Originally Posted by Fyana View Post
    Blizzard, that has a 12 year old MMO much more successful than this one has terrible security.
    I never said terrible. I said weaker.

    Quote Originally Posted by Fyana View Post
    doesn't require you to type it in EVERY single time you log out
    Quote Originally Posted by Fyana View Post
    Stop condescending people when you don't even do your research!
    Please do YOUR research. Any system that caches your authentication is inherently weaker than one that requires it every single time. I'm not really sure how you can disagree with that.

    While the risk of someone coming from the same IP address during that time period is extremely minimal (unless you're somewhere public or in a building where everyone uses the same Internet connection/IP address...), my point is it's still a weakness that SE does not have because they require you to type in a code every time. Blizzard are doing it simply to make it more convenient with a risk they probably consider acceptable.

    Great as push notifications like you're describing are (and yes I have the Blizzard one too), the advantage is that code generation does not require an active Internet connection, receiving a notification does. Amazing as it sounds there are still people that don't have mobile data on their phones and aren't always in areas with Wi-Fi.

    Yes I'm aware that you can generate a code manually using the Blizzard app, and sure SE could support both codes and push, but from their point of view, why bother. What they have works and it integrates well with their physical token solution.
    (4)

  5. #14
    Player
    Zfz's Avatar
    Join Date
    Aug 2013
    Posts
    2,371
    Character
    Celenir Istarkh
    World
    Atomos
    Main Class
    Red Mage Lv 90
    I would prefer any relaxation of the security on OTP to be limited to the same IP. This is risk-based security that is gradually being promoted in the business world as well. It's fine to relax a security measure if and only if the risks associated with the relaxation are insignificant.
    (2)
    “There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”
    ― Ernest Hemingway
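
Added example, not part of any post in this thread and not Blizzard's or Square Enix's code: a sketch of the trade-off argued in posts #11 to #14, comparing a policy that demands a one-time code on every login with one that caches approval for the same IP for 3 minutes. It assumes an RFC 6238 TOTP token, an already-verified password, and constructed secrets and IP addresses; `SecondFactor` and `compare_policies` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
GRACE_SECONDS = 180  # the "same IP, within 3 minutes" window from the thread

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): computed offline from secret and clock."""
    mac = hmac.new(secret, struct.pack(">Q", int(now) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Second-factor check for one account; the password is assumed verified."""
    def __init__(self, secret: bytes, grace_seconds: int = 0):
        self.secret = secret
        self.grace = grace_seconds   # 0 = demand a code on every login
        self.last_ok = None          # (ip, time) of the last code-verified login
        self.last_counter = -1       # last accepted time step, blocks replay

    def login(self, ip: str, now: float, otp=None) -> str:
        if otp is not None:
            counter = int(now) // STEP
            expected = totp(self.secret, now).encode()
            if counter > self.last_counter and hmac.compare_digest(otp.encode(), expected):
                self.last_counter = counter
                self.last_ok = (ip, now)
                return "otp-verified"
            return "denied"
        if self.last_ok and self.last_ok[0] == ip and 0 <= now - self.last_ok[1] < self.grace:
            return "grace-skip"      # cached approval: no code was checked
        return "denied"

def compare_policies() -> dict:
    """Run the same constructed login sequence against both policies."""
    secret = b"constructed-demo-secret"
    nat_ip, other_ip, t0 = "203.0.113.7", "198.51.100.9", 1_700_000_000
    out = {}
    for name, grace in (("every-time", 0), ("cached", GRACE_SECONDS)):
        p = SecondFactor(secret, grace)
        out[name] = [
            p.login(nat_ip, t0, totp(secret, t0)),      # owner, with code
            p.login(nat_ip, t0 + 5, totp(secret, t0)),  # same code replayed
            p.login(nat_ip, t0 + 100),                  # no code, shared IP
            p.login(other_ip, t0 + 100),                # no code, other IP
            p.login(nat_ip, t0 + 181),                  # no code, window over
        ]
    return out
```

The two result lists differ only in the third login: with caching, any client behind the same public IP inside the window passes without a code, which is the residual risk a risk-based policy accepts.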

  6. #15
    Player
    Felis's Avatar
    Join Date
    Mar 2011
    Location
    Gridania
    Posts
    12,287
    Character
    Skadi Felis
    World
    Ragnarok
    Main Class
    Pugilist Lv 70
    If it is saved on the PC then it is hackable.
    That is the whole point of the One Time Password. To have a password that changes every time and that is not hackable by keyloggers. Or a normal 2nd password, where the player is forced to change it once a month, would do the same.
    (0)

  7. #16
    Player

    Join Date
    Apr 2015
    Location
    Ul'dah
    Posts
    734
    Quote Originally Posted by Unaki View Post
    It doesn't even come close though. Blizzard has the same dual-factor authentication and unless you log in from a new machine or IP address your account is flagged to skip it. If someone attempts a login from somewhere else they can't get in without you accepting it on whatever device you use for the authenticator or if you input the code given by the key fob.
    My WoW account was hacked a few times already. I no longer play, but I keep getting e-mails about cash shop purchases. I had a token on it... just saying. Someone even bought the silly sparkle pony that was on the cash shop around the early Cata/Mists of Pandaria age.
    I never bought money, never gave my account info out, had a random password that no one would understand.

    I never had my SE account hacked.
    (3)

  8. #17
    Player
    enthauptet's Avatar
    Join Date
    Aug 2015
    Location
    Gridania
    Posts
    719
    Character
    Judy Hopps
    World
    Excalibur
    Main Class
    Dragoon Lv 100
    Quote Originally Posted by worldofneil View Post
    physical token solution.
    Might want to ask RSA if you think keyfobs and software tokens are actually secure. Theoretically producing fewer keys is actually more secure by reducing your attack surface.

    Anyway if you are really this worried about the security of your token then your token would not be your primary concern anyway tbh as your authentication is only as secure as how it is transmitted. Without being privy to any of the details of their system architecture talking about it doesn't mean anything.
    (0)
    Last edited by enthauptet; 10-14-2017 at 03:17 AM.

  9. #18
    Player
    Mikki's Avatar
    Join Date
    Aug 2013
    Location
    Gridania
    Posts
    470
    Character
    Phoenix Down
    World
    Cactuar
    Main Class
    White Mage Lv 100
    I disabled the token for housing and just got a new one afterward. With the software token, it's super easy to do. Although I was salty about the fact that when I moved and left my token in America by accident I had to remove the token to play and it was the limited collector's edition token and I could never use it again after that. Bleh. But with software tokens, it's no big deal.
    (0)


    「Life is such a fragile thing…」

  10. #19
    Player
    dotsforlife's Avatar
    Join Date
    Feb 2017
    Location
    Limsa
    Posts
    275
    Character
    Dippin' Dots
    World
    Leviathan
    Main Class
    Astrologian Lv 100
    Using Blizzard as your primary example is a poor choice given the extensive hacking issues they've had over the length of WoW's lifetime thus far.
    (0)
    "Had to be me. Someone else might have gotten it wrong." - Mordin Solus

  11. #20
    Player
    worldofneil's Avatar
    Join Date
    Aug 2013
    Posts
    2,650
    Character
    Scott Pilgrim
    World
    Omega
    Main Class
    White Mage Lv 100
    Quote Originally Posted by enthauptet View Post
    Might want to ask RSA if you think keyfobs and software tokens are actually secure.
    That's not really the topic at hand, but SE aren't using tokens from RSA, they're using rebranded Vasco DIGIPASS GO 6's.

    Quote Originally Posted by enthauptet View Post
    Theoretically producing fewer keys is actually more secure by reducing your attack surface.
    I'll be completely honest, I don't know if that's the case or not. I'll take your word for it!

    Quote Originally Posted by enthauptet View Post
    your authentication is only as secure as how it is transmitted.
    It's transmitted over HTTPS to ffxiv-login.square-enix.com. Their server could be locked down a bit more, but given that we have to provide the OTP each time, personally that's good enough for me. Your mileage may vary.
    (0)
