Thank you SE for adding Google Auth support

[Shialan]

Using 1Password with built-in 2FA defeats the purpose really hard. Now anyone would only need your account password and has everything he needs.

[Denzyl]

Hi All

As I have to use the Google Authenticator for Work and several other important websites.
I thought I would give it a whirl with FFXIV

Boy I am I glad I set an Emergency Password

Even after checking that both my PC & Mobile are synchronised on time, on average I have to enter at least 3 x 'One-Time Passwords' due to 'Wrong Password Error'

Twice I have been timed out of my account, though it is nice that SE send an email warning that multiple attempts at logging in have just taken place.

So why is FFXIV Launcher so un-reliable with 'One-Time Passwords' compared to Websites I have to log into multiple times per day???

[worldofneil]

why is FFXIV Launcher so un-reliable with 'One-Time Passwords' compared to Websites I have to log into multiple times per day???

Because it's very specific about the time and only allows the password for the 30 second window you are in. Technically it's more secure, but it doesn't allow for any time skew and increases the potential errors for clients if their clocks are slightly out.

Although other websites will have their own rules, in my experience it's common that anything requiring a one time password would accept the current password, but also the password before AND the password after (so increasing the login window size from 30 seconds to 1 minute and 30 seconds). This is why with other websites you can still submit as password as it's about to change, but with XIV as soon as the password changes, it's instantly denied.

It'd be nice if SE would change their system to do this as well, but I'm just happy they're using a standard authenticator now so I'll live with it. If your password is about to timeout, just wait for it to change first

Edit: Also just adding, whatever software you're using to generate the code might not be looking at the current time and rather generating the password right now and just showing a 30 second timer. The password should be changed at :00 and :30 seconds in the minute, but some software just ignores that.

You can check by loading up your software to generate a code and then also watching the clock. If it changes at anything other than :00 or :30 then the software is wrong and that's why you get the login problems. As mentioned above with other websites this isn't a problem as they accept the passwords that come before/after, but XIV is more picky.

[Seleni]

Although other websites will have their own rules, in my experience it's common that anything requiring a one time password would accept the current password, but also the password before AND the password after (so increasing the login window size from 30 seconds to 1 minute and 30 seconds). This is why with other websites you can still submit as password as it's about to change, but with XIV as soon as the password changes, it's instantly denied.

It'd be nice if SE would change their system to do this as well, but I'm just happy they're using a standard authenticator now so I'll live with it. If your password is about to timeout, just wait for it to change first

That.. sounds pretty dangerous. The longer the window the more likely that those phishing sites would get hold of the victims’ accounts, which defeats the part of the point of having 2FA.

I actually switched from the SE’s own app to Microsoft’s Authenticator in hopes of a shorter window, because SE’s own one felt pretty long.

[worldofneil]

That.. sounds pretty dangerous. The longer the window the more likely that those phishing sites would get hold of the victims’ accounts, which defeats the part of the point of having 2FA.

Absolutely, although this is only a problem when users copy/paste links and give their information out without actually checking if they're official... Maybe SE had enough of people of falling for this hence the made it only a very short window.

I actually switched from the SE’s own app to Microsoft’s Authenticator in hopes of a shorter window, because SE’s own one felt pretty long.

i can't remember how long the SE official app was for their OTP, but anything based on Google Authenticator's OTP system is in 30 second intervals so using another client doesn't make any difference as they're all still generating 30 second codes.

[Wildsprite]

honestly if you're going to use a google compatible authenticator I suggest Winauth on your PC and use it to add to Authy on your Cellphone/tablet. I haven't used the google garbage for years, it's old/clunky an has no way to backup incase something happens to your device. you can do a encrypted backup of Winauth and put it wherever you know you will have access to it should something happen and Authy is cloud based encrypted(if you lose your password for it you lose all the authenticators in it)

[Imora]

I didn't say the app you use, I said the Google token specifically.

And not requiring it on login is basically disabling it.

I see most people recommending Authy.

I believe the feature he wants is part of Blizzards launcher.

If your device and IP address do not change, you don't have to log in again. When I load the app I'm auto logged in and don't need to use my authenticator again until I manually log out of the app.

It's no less secure from outsiders, as a different IP or device throws up a "enter authenticator code" message, but it is less secure from inside. Like your pissed off sibling can log in your computer while you're not there just to screw with you for example.

If I didn't fully trust my husband, I'd not use that option, and if I had kids around I'd *certainly* not use it, but it is definitely convenient.

It's basically protection from brute force hacks. No more, no less.