Results 11 to 15 of 15
  1. #11
    Player
    Zfz's Avatar
    Join Date
    Aug 2013
    Posts
    2,371
    Character
    Celenir Istarkh
    World
    Atomos
    Main Class
    Red Mage Lv 90
    It's called adaptive authentication, or risk-based authentication: the system determines your login circumstances and selects an appropriate level of authentication depending on the risk. When circumstances indicate there's a high risk of you not being you, then it pulls out the whole show and forces you through 2FA, maybe even email/mobile verification. When low risk is indicated, it skips certain steps. This whole concept is based on the fact that streamlined and simplified authentication helps to stop users from working around authentications (some even turn off 2FA altogether).

    For games, though, it really doesn't make much of a big difference because the vast majority of players aren't logging in every 20 minutes. Most of us log in maybe once or twice a day, perhaps 3-4 times a day during weekends, so incentives like a free teleport generally are more effective than adaptive authentication at attracting players to implement stronger authentication protocols, i.e. 2FA.

    The main obstacle with implementing adaptive authentication is of course its cost. Considering how user friendliness has never been a strength of Japanese IT development, I doubt if they'll ever consider it over the cost.
    (5)
    “There is nothing noble in being superior to your fellow man; true nobility is being superior to your former self.”
    ― Ernest Hemingway

  2. #12
    Player
    Dzian's Avatar
    Join Date
    Feb 2012
    Location
    Ul'dah
    Posts
    2,837
    Character
    Scarlett Dzian
    World
    Sargatanas
    Main Class
    Bard Lv 76
    Quote Originally Posted by worldofneil View Post
    Very happy about this and already added it to my Fitbit watch (and my phone!)



    (This is using the Auth app by Tejas Patel in the Fitbit app gallery)

    Although I have to say the "window" to enter your password doesn't seem to be very big. So if you find you're getting told you've typed in an invalid code, check the time AND timezone on your device to make sure they're correct.

    For like the last 6+ years I've been used to loading the app THEN loading the game, but now I'm finding that means the code it generated 20+ seconds earlier will have actually expired by the time I type it in due to the very short window. Not a problem though, just load the app when you're actually ready to type it in. I'm just mentioning this in case anyone else gets caught out by it!
    While I can't speak specifically for how SE does it, software authenticator codes are typically valid for 60 seconds.

    With hardware authenticators such as security tokens, a code will often work for up to 10 minutes.

    The reason is basically due to time. Hardware authenticators will typically fall out of sync with the time as they age. This might only be 2 or 3 seconds a week, but over a few years that can easily become several minutes. Software-based ones pull the time from the device, so they can be much more precise.
    (1)

  3. #13
    Player
    Krojack's Avatar
    Join Date
    Aug 2013
    Posts
    760
    Character
    Avellin Adorel
    World
    Excalibur
    Main Class
    Conjurer Lv 100
    Quote Originally Posted by linayar View Post
    I am very torn about this. On my phone, I currently have two authenticator apps: one for FFXIV and another for all of my other accounts that support 2FA.

    On the one hand, it's nice to have just one app.

    On the other hand, I love, love, love how I never have to wait with SE's app. I type slowly, and if I open the other app and it's about to reset, I have to wait, and that happens often enough that it becomes annoying to use.

    Plus, I have enough room on my phone, so it's not like I can't afford to have two apps, but it is visually nicer to me with less app.
    It honestly depends on how SE coded their side of the "check". With the open source Google system, the code you see on your phone could expire but SE can make their system still accept that code for 30 seconds or even 60 seconds after it expired. There is no telling what they set this to though. Last time I added this system to some of the systems at my job, Google recommended a 30 second leeway.

    IMO I like the new way because I can have my code on more than one device AND also back up the system. I use Authenticator Pro on my Android devices. It's 100% free, open source and doesn't have any code which lets it connect to the internet in it. This is why the app can't do auto-backups to cloud services.
    (0)
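
Added example, not part of any post in this thread and not SE's code: a small RFC 6238 TOTP verifier in Python showing how the server-side leeway discussed in posts #12 and #13 decides whether a just-expired code, or a code from a device with a drifting clock, is still accepted. The 30-second step, the `steps_back`/`steps_forward`/`last_used` names and the secret (the RFC 6238 test key) are assumptions; the thread does not say what SE actually uses.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed seconds per code (RFC 6238 default time step)
DIGITS = 6   # assumed code length
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """Code an authenticator shows when its own clock reads `now`."""
    return hotp(secret, int(now) // STEP)


def verify(secret: bytes, code: str, now: float,
           steps_back: int = 1, steps_forward: int = 0,
           last_used: int = -1):
    """Return the time-step counter the code matched, or None.

    steps_back    -- how many expired steps are still accepted (the "leeway";
                     also tolerates a device clock that runs slow)
    steps_forward -- future steps accepted (tolerates a fast device clock)
    last_used     -- highest counter already accepted for this account;
                     anything at or below it is refused as a replay
    """
    current = int(now) // STEP
    for counter in range(current - steps_back, current + steps_forward + 1):
        if counter < 0 or counter <= last_used:
            continue
        # Constant-time comparison on bytes avoids leaking matching prefixes.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)  # generated 1 second before its step ends
    for typed_at in (59, 84, 100, 125):
        for back in (0, 1, 2):
            result = verify(SECRET, code, typed_at, steps_back=back)
            print(f"typed at t={typed_at:3d}s leeway={back}: "
                  f"{'accepted' if result is not None else 'rejected'}")
```

A wider window makes slow typists and drifting tokens work, but it also lengthens the time an intercepted code remains usable, which is why the server should store the returned counter and pass it back as `last_used` on the next attempt.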

  4. #14
    Player
    technole's Avatar
    Join Date
    Jun 2014
    Location
    Gridania
    Posts
    1,971
    Character
    Thea Sitori
    World
    Gilgamesh
    Main Class
    Scholar Lv 72
    This kind of flew under my radar, but having options now to be able to use the many 2FA apps that work on an Apple Watch is nice.
    (0)

  5. #15
    Player
    Catwho's Avatar
    Join Date
    Oct 2012
    Location
    Gridania
    Posts
    2,872
    Character
    Katarh Mest
    World
    Lamia
    Main Class
    Warrior Lv 100
    I would be happy if they asked for it JUST one time at this point. I've found myself entering the 2FA password three or four times trying to buy something from the Mogstation lately.
    (1)
