Jump to content
Dante Unbound: Share Bug Reports and Feedback Here! ×

2FA Questions and Feedback

VenomousValentine

By VenomousValentine,
in General

 Share

Recommended Posts

Oreades

Oreades

Posted
Posted
1 minute ago, MagPrime said:

Isn't 2FA just DE sending you an email with a special code whenever you log in from a strange network or computer?

I can understand their ire if it was a 2FA that requires a cellphone/cellplan. Sometimes that's what companies mean when they say 2FA but yeah this is just email so its a total non issue IMHO. 

  • Like 1
Link to comment
Share on other sites
MagPrime

MagPrime

Posted
Posted (edited)
6 minutes ago, Oreades said:

I can understand their ire if it was a 2FA that requires a cellphone/cellplan. Sometimes that's what companies mean when they say 2FA but yeah this is just email so its a total non issue IMHO. 

I just took my account through the process and, well...

I went to Warframe.com, account management, clicked "Enable" for 2FA and got nI4cQIJ.png

Followed by

adCulRk.png 

In my email and that was it.  

I think my only complaint with this system is that it doesn't give clear information on what exactly is going to happen next.  Like, what do I expect upon logging in from now on?  

Ok, Viv posted a link to the FAQ that answers my question but I'd like it actually present during the verification process for clarity. 

HZCtnBy.png

 

Edited by MagPrime
Words are hard, ok?
  • Like 2
Link to comment
Share on other sites
Sonicbullitt

Sonicbullitt

Posted
Posted (edited)
10 minutes ago, Ivalyth said:

It literally was one email after logging in the main website, did not require phone number or app like steam did.

Perhaps, but again it is still an extra step, I have to do before logging in and I dislike that, even if only email verification is required.

9 minutes ago, (PS4)Viveeeh said:

Yup, it's just a verification through email. Don't have to be upset 🙂

https://www.warframe.com/2fa-faq

Thanks for the heads up, I won't lie my first post was a bit of a knee jerk reaction, because I thought I needed a phone number, nevertheless I still don't like it. As stated in my response to the quote above, it adds an unnecessary extra step to logging in, this may be me complaining about something small and insignificant to others, but for me it is an issue. I do not the feeling of being forced to do something I am uncomfortable with doing and this feels like that, me being forced to use 2FA, just so I can trade with clan mates,friends and others.

11 minutes ago, Oreades said:

inb4 OP bought their account and doesn't have access to the actual Email :clem:

srsly tho it's just email 2FA and it means that IF your account manages to end up compromised they can't trade with it, whithout also compromising your Email account as well. Since most of the reason people hack accounts is to gut them via trade for plat. So 2FA not only removes that incentive by adding another wall that they have to hurdle. It also takes some stress off DE because most of those fraudulent trades are going to be preemptively blocked. 

I do own by account legally, never bought an account for anything.

Edited by Sonicbullitt
Link to comment
Share on other sites
MagPrime

MagPrime

Posted
Posted
4 minutes ago, Sonicbullitt said:

Perhaps, but again it is still an extra step, I have to do before logging in and I dislike that, even if only email verification is required.

It's a one time thing.  You only do it again if you login from someplace new.  

HZCtnBy.png

Yes, it does seem insignificant to me but mainly because your posts are giving the impression that you think this is a every time you log in thing when it's not.  You're coming across as upset over something you don't know anything about because of that. 

Link to comment
Share on other sites
(PSN)Viveeeh

(PSN)Viveeeh

Posted
Posted
1 minute ago, Sonicbullitt said:

Thanks for the heads up, nevertheless I still don't like it, as stated in my response to the quote above it adds an unnecessary extra step to logging in, this may be me complaining about something small and insignificant to others, but for me it is an issue. I do not like being forcd to do something i do not want to and this feels like that. me being forced to use "FA just so i can trade with clan mates,friends and others.

You're welcome 😊

As I hear you have to do this only once / device you log in from, so it's an extra step the first time, but not a hassle later.

Nobody likes to do things they feel like being forced, there's nothing to do about that. But the 2FA is really something prevents accounts being robbed, and I regularly read posts from desperate players whose accounts were stolen, so it's a real issue. Reading your posts, I assume you're a person who is careful with handling their login information, so you're probably safe without 2FA, and if all players were like this, 2FA wouldn't be needed in the first place. But not everyone is that careful, and this is a security measure had to be carried out.

Link to comment
Share on other sites
Sonicbullitt

Sonicbullitt

Posted
Posted
9 minutes ago, MagPrime said:

It's a one time thing.  You only do it again if you login from someplace new.  

HZCtnBy.png

Yes, it does seem insignificant to me but mainly because your posts are giving the impression that you think this is a every time you log in thing when it's not.  You're coming across as upset over something you don't know anything about because of that. 

So it works like steam then I take it ?  I do not have to check my email every time ? I see, that said I still think it's unnecessary, but I digress, sometimes you have to compromise and this seems to be one of those times.

6 minutes ago, (PS4)Viveeeh said:

You're welcome 😊

As I hear you have to do this only once / device you log in from, so it's an extra step the first time, but not a hassle later.

Nobody likes to do things they feel like being forced, there's nothing to do about that. But the 2FA is really something prevents accounts being robbed, and I regularly read posts from desperate players whose accounts were stolen, so it's a real issue. Reading your posts, I assume you're a person who is careful with handling their login information, so you're probably safe without 2FA, and if all players were like this, 2FA wouldn't be needed in the first place. But not everyone is that careful, and this is a security measure had to be carried out.

I am careful with my information,at least i try to be anyway. I do not share passwords with anyone and I am very stingy when it comes to giving away personal info. I have never had accounts hacked on any account whether that be for online video games, or email addresses. I don't like 2FA and never will, but I will have conceded the point here. This form of 2FA is not as bad as I thought. I really was thinking along the lines of Phone number 2FA

  • Like 1
Link to comment
Share on other sites
cmacq

cmacq

Posted
Posted

Boy talk about a lot of fuss over nothing. They send you an email, you verify and that's it period. There are no extra steps when you login, there is no difference at all in how you approach the game. Took me less than a minute and I have not had to even think about it since. I'm sure we all have bigger things to worry about people this is a complete non-issue

Link to comment
Share on other sites
Numerikuu

Numerikuu

Posted
Posted
40 minutes ago, Knight_Ex said:

Its only an email and confirmation, nothing major

This. That's literally all it is. There's no extra layer for logging in on top of the game, no mobile txt code stuff or anything like that. I've had 2FA for Warframe since it dropped and have had zero issues.

Link to comment
Share on other sites
MagPrime

MagPrime

Posted
Posted (edited)
5 minutes ago, Sonicbullitt said:

So it works like steam then I take it ?  I do not have to check my email every time ? I see, that said I still think it's unnecessary, but I digress, sometimes you have to compromise and this seems to be one of those times.

It's unnecessary for players like you or I, because we take measures and are aware to not share information but, it's necessary for other players and they apparently out number players like us.

It's fairly painless and bonus, you get an Ephemera you don't have to grind for or craft.

gFfptK7.png

Edited by MagPrime
Link to comment
Share on other sites
Sonicbullitt

Sonicbullitt

Posted
Posted
2 minutes ago, cmacq said:

Boy talk about a lot of fuss over nothing. They send you an email, you verify and that's it period. There are no extra steps when you login, there is no difference at all in how you approach the game. Took me less than a minute and I have not had to even think about it since. I'm sure we all have bigger things to worry about people this is a complete non-issue

I apologise, I am an overly cautious person sometimes, I do not just do things without thinking about it beforehand first, which can be both a boon and downside.

  • Like 1
Link to comment
Share on other sites
cmacq

cmacq

Posted
Posted
1 minute ago, Sonicbullitt said:

I apologise, I am an overly cautious person sometimes, I do not just do things without thinking about it beforehand first, which can be both a boon and downside.

Ah no need for an apology. You sound like a good guy and you are right for being cautious about this kind of thing in this day and age. I am still trying to get Facebook to stop sending me email notification for the same reason. The need to protect your privacy is very real but I think this step taken by DE is a good one.

  • Like 2
Link to comment
Share on other sites
(NSW)Sniperfox47

(NSW)Sniperfox47

Posted
Posted
22 minutes ago, Sonicbullitt said:

So it works like steam then I take it ?  I do not have to check my email every time ? I see, that said I still think it's unnecessary, but I digress, sometimes you have to compromise and this seems to be one of those times.

I am careful with my information,at least i try to be anyway. I do not share passwords with anyone and I am very stingy when it comes to giving away personal info. I have never had accounts hacked on any account whether that be for online video games, or email addresses. I don't like 2FA and never will, but I will have conceded the point here. This form of 2FA is not as bad as I thought. I really was thinking along the lines of Phone number 2FA

How careful you are with your information really doesn't matter. People can brute Force your password. People can use login keys to get around your password. Passwords are not secure.

 

This minimal form of 2FA should be required on every single site since it *drastically* improves security as long as you keep your email secure, and realistically you should have a much stronger 2FA on your email itself to keep it secure.

 

On that note DE, can we please get like fullblown 2FA with OAUTH? Preferably on both PC and console? I know it's not a huge priority but it would drastically improve account security for those who care enough to use it.

Link to comment
Share on other sites
(NSW)Sniperfox47

(NSW)Sniperfox47

Posted
Posted
12 hours ago, VenomousValentine said:

I have already had 6 people in the last hour try to trade me, and can't because they didn't do the authentication.

This is absolutely unnecessary and ridiculous to limit something as crucial as trading behind something like this.

I won't be able to buy the new weapons like I had in mind because I cant make any plat.

It is absolutely necessary to lock trading behind this since this is mostly being implemented for trading safety. That's why 2FA is required for trading on everything from WoW to Steam. It's so people who break into your account can't just immediately trade away all your goods.

11 hours ago, GinKenshin said:

I don’t understand what it does. Can you explain it, it’s general use, how it works and why it doesn’t work and shouldn’t be added in this specific case? 

 

   You sure this is not the first-day mild inconvenience talking anyway? 

It requires you to go into your email and confirm that it's you before logging in from a new device. This means that if an attacker who wants to steal your account finds your password, bypasses it with stolen/forged login keys, or brute forces their way through it they still can't get access to your account.

 

It is being implimented specifically *for* trading, trading isn't just being locked behind it arbitrarily. It's part of their steps to reduce account theft and fraud in game and reduce service calls of "someone traded away my Ember Prime! It wasn't me! I swear!".

 

11 hours ago, bubbabenali said:

Using 2FA with the Email address you use as your login name... I think you meant that as a joke. 

I mean it's way better than nothing. Even if they have the email account name they need to compromise both your Warframe account *and* your email account. Assuming you're not an idiot who uses the same password for both, that should be harder than compromising the one.

 

I still want OAUTH, but that's a far more complicated problem than a basic authentication system like this and is something we may get down the road.

Link to comment
Share on other sites
Chromegypsy

Chromegypsy

Posted
Posted

Having two factor authentication forced upon us and having to check my email every time I want to login is starting to hit my tolerance for hoops I am willing to jump to play your game. If there is some reason that a verified account with a password is incapable of securing my access to your game why have a login at all? why not just have a player selection screen, no password that just makes me go check my email so I can log in? the way its being forced onto the players I feel that there is some shady stuff going on to sell ad spam to my email or my info to marketing. simply put, if your coding is so insecure that having a password is meaningless, I have less than confidence in your team moving forward. For the record, you do not have permission to use or trade my personal information, and I am not signing up for ads.

Link to comment
Share on other sites
(NSW)Sniperfox47

(NSW)Sniperfox47

Posted
Posted

The 2FA authentication that you have now is a good first step, but it's just that a really rough first step. If a users email is compromised it really does nothing to slow down a potential attacker.

Can we please get a proper OAuth implimentation of login keys for use with external authenticators like Google Authenticator, Authy, LastPass, etc? You could even fairly trivially implement an OAUTH authenticator into the Warframe app since there are prebuilt libraries that you can drop in for it.

Making this an optional replacement for the email authentication would allow security minded individuals to take their account a step further, as well as allow older players with more to lose to effectively lock down their accounts if they choose.

In an ideal world I'd also love to see an additional option requiring a code at every login, rather than just the first time per device just to reduce the chances of such an authentication being bypassed.

Link to comment
Share on other sites
MagPrime

MagPrime

Posted
Posted
15 minutes ago, Chromegypsy said:

Having two factor authentication forced upon us and having to check my email every time I want to login is starting to hit my tolerance for hoops I am willing to jump to play your game. If there is some reason that a verified account with a password is incapable of securing my access to your game why have a login at all? why not just have a player selection screen, no password that just makes me go check my email so I can log in? the way its being forced onto the players I feel that there is some shady stuff going on to sell ad spam to my email or my info to marketing. simply put, if your coding is so insecure that having a password is meaningless, I have less than confidence in your team moving forward. For the record, you do not have permission to use or trade my personal information, and I am not signing up for ads.

...did you really make a post about something you don't know about?

https://www.warframe.com/2fa-faq

1 hour ago, MagPrime said:

It's a one time thing.  You only do it again if you login from someplace new.  

HZCtnBy.png

Yes, it does seem insignificant to me but mainly because your posts are giving the impression that you think this is a every time you log in thing when it's not.  You're coming across as upset over something you don't know anything about because of that. 

Image result for search forum .gif

Link to comment
Share on other sites
(NSW)Sniperfox47

(NSW)Sniperfox47

Posted
Posted
38 minutes ago, Chromegypsy said:

Having two factor authentication forced upon us and having to check my email every time I want to login is starting to hit my tolerance for hoops I am willing to jump to play your game. If there is some reason that a verified account with a password is incapable of securing my access to your game why have a login at all? why not just have a player selection screen, no password that just makes me go check my email so I can log in? the way its being forced onto the players I feel that there is some shady stuff going on to sell ad spam to my email or my info to marketing. simply put, if your coding is so insecure that having a password is meaningless, I have less than confidence in your team moving forward. For the record, you do not have permission to use or trade my personal information, and I am not signing up for ads.

This is not new. This is not unique to Warframe. Steam has this, WoW has this, Eve Online has this, many *many* other games have this exact same system to help secure trades.

A password is not secure because it's a single unchanging token that can be but forced, found out, bypassed, etc. An email is not secure because it too is protected by a password. Layering the security drastically improves security since it means a potential attacker needs to bypass two accounts instead of one.

Also how do you figure this is them fishing for ad revenue? First of all they're based in Canada and we actually have consumer privacy protections up here. Second of all this is the exact same email they already had from you to make the account in the first place.

Calm yourself and think rationally. Please.

Link to comment
Share on other sites
(NSW)Sniperfox47

(NSW)Sniperfox47

Posted
Posted
1 hour ago, MagPrime said:

It's unnecessary for players like you or I, because we take measures and are aware to not share information but, it's necessary for other players and they apparently out number players like us.

Please don't spread this misinformation. Even if you're careful with your passwords they can be bypassed. A password is not particularly secure no matter how careful you are with it.

If you use the same password in multiple places a data leak elsewhere can compromise you.

But even if you use unique passwords, the fact that it's a largely unchanging token means that with enough time anyone can crack it. 

Even assuming you use long unwieldly passwords that you change regularly though there's still login tokens and other vulnerable points to attempt targeted attacks to get into your account.

And even assuming you run a machine that's totally locked down and have no risk of local secrets leaking, there's always concerns about someone gaining access on the remote side since server security is never guaranteed no matter how much effort you put in.

Having your account accessed solely by a "secret known" like a password is not a secure way to protect an account no matter how careful you are with said secret.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...