One-Time Password

[theroyalminx]

I am not sure where something like this should go, but I have an issue with the one-time password authentication.

I believe this to be beneficial in theory, but there are some improvements that are needed to adequately "protect" an account holder. The fact that all you need to effectively lock someone out of their account is an account name/password is an issue that needs to be addressed. There has to be some sort of checks and balances system in play when signing up for the "one-time password" setting. There is not an email that is sent to the account holder outside of one notifying that this setting has been applied. There is not an email sent that says, "if you did not do this, please follow this link to reset...." etc. It is just an automatic setting that is done, and there is no way to combat someone from taking over your account and locking you out if they have somehow hacked your username/password.

Someone I know - and who has had an account for YEARS - has had their account stolen from them so easily that it is distressing. This should have been prevented. There should be some sort of warning or work around when a setting like this has been applied. As with some other websites, a notification is sent asking if a password has been intentionally changed and if not, one can take corrective action. But with this one-time password setting, this is nigh impossible. All the time he has put into this game has effectively been ripped away because there isn't a system in play to stop a hacker from doing this. Please incorporate something into the one-time password setting to prevent this horrible situation from happening. This is upsetting and distressing to both him and myself, and something that should be preventable.

Thank you.

[AngelCheese77]

Does your friend have the OTP? If so, the only way I can reasonably see their account being taken over is if they fell for one of the phising websites that mimic the Square Enix account log in.

There, you put in your Account name and PW, and the OTP code. Just that once allows the hackers to grab the info and log in quickly. Though it makes me wonder, if someone uses their OTP on a false SE website, how could the hackers then change their password? You need to use the OTP once to log into the account website as a whole, and do you also need to put it in again to change anything about your account settings?

The way I've seen SE handle things is that they expect account owners to be very careful with their information. Their added protection is the OTP, and if that is given out (freely or accidentally), it isn't SE's problem.