Improvement: Password-less Login on trusted devices.

[dandeloreon]

This is more of a convenience change to match how a lot of other games handle game installations from market places. Also, there is a few other changes that are required to improve security with the ease of access introduced by automatic logins. The added security will help all platforms since this will help users with preventing drastic losses caused by casual account access.

 

• Change 1: Add Account linking between Warframe Account and Marketplace Account.
• Change 2: Add Automatic Login when launching from Supported Marketplace launcher.
• Change 3: Add Account Health automated Login script.
• Change 4: add user-defined code for trades
• Change 5: Add in-game History.

 

 

Change 1: Add Account linking between Warframe Account and Marketplace Account.

Spoiler

 

The general process for account linking here should follow the process currently used by warframe when linking to a Twitch Account. The general limitation here is that the game will only allow a one to one link. The end result of this limit is that you can link a single warframe account to all viable install methods, but you cannot link multiple warframe accounts to a single marketplace account.

• Steam Account
• Epic Games Account
• Discord - There is no direct link to this, but it is part of the official warframe discord channel.
•  GoG ( Good old Games ) - I know this is not a supported install method, but still worth mentioning

 

 

Change 2: Add Automatic Login when launching from Supported Marketplace launcher.

Spoiler

 

The end user experience here is that you can completely skip the login screen because you have already authenticated your system to a valid Marketplace version of the game. The login sequence should follow what the console versions of warframe already does. As for a few PC game examples of how this works, You can look at the following....

• Rockstar Games (Steam and epic games copies of their games)- I know that this company has it's share of issues on the online scene, but the handling of the marketplace versions of their games is generally spot on. Once I link my Rockstar Social Club Account to a marketplace, I never see any login requests when trying to start their games.
• Rockstar Games (Rockstar Games launcher) - In general you will never get asked for a login here. The main time you get asked for the password is when you sign in on the rockstar games launcher from a different location. Examples of this are as follows...
  • Fresh Install of Rockstar Games launcher
  • Sign into the launcher on a different computer.
  • Sign into the launcher on the same computer, and same rockstar account, but different user account on the system.
  • You reset your password.
  • Sign out of the Rockstar Games Launcher.
• Ubisoft - I do not get asked for logins after I link my Ubisoft Connect Account to the marketplaces. This makes for a very good user experience.
• Sega Games (Phantasy Star Online 2) - This is new to North America, but the general system used here for account login and linking is spot on. This game has three main install methods for north america, and once your fully linked up it never asks for a login once. (Note: This game offers full cross-platform play/progression ).
  • Xbox
  • Windows 10 App Store
  • Steam
  • Epic Games Store

 

Change 3: Add Account Health automated Login script.

Spoiler

 

This is a client side script that will aid DE with the task of identifying accounts ahead of time that may have been compromised. The biggest tell-tale hint is that the user will find themselves with a massive loss of items unexpectedly. A few examples of things that could be indicators are the following..

• Massive Clearance of Arsenal items - The biggest thing here is a complete loss of all weapons/warframes/companions/etc
• Massive Clearance of Ranked Mods - Going from a dozen or so maxed out mods to nothing is a great example of something that is abnormal behavior.
• Massive Clearance of Blueprints - This is mostly the selling of all blueprints leaving you with almost nothing left.
• Massive Clearance of Prime Parts/blueprints
• Massive gifting/trading of platinum to other players.
• Massive trade off of ranked mods.
• Massive trade off of prime parts

There is probably a few other hints as well, but the end result is generally the same...

• Only one weapon
• Only one warframe
• no mods
• no prime parts
• no prime blueprints
• almost no blueprints
• most other inventories are also thoroughly drained.

 

Change 4: add user-defined code for trades

Spoiler

This is a minor change, but the general idea is this code that is entered to enable trading for 5 minutes before needing to be reentered again. can be entered once per session to unlock trading. it works a lot like two factor authentication, but works in a lot more casual. If a user forgets their user defined code, they can go to the website to reset the code, but the result of this reset is they will be unable to trade for 48 hours.

 

Change 5: Add in-game History.

Spoiler

 

This should be combined with change 3 since the idea is the same, but the main purpose is to give all players access to a short 60 day server-side event log that logs some in-game actions to aid in the restoration of a user who is effected by unauthorized account access of any type.

• All in-game trades ( what you traded and what you got in return)
• All in-game market purchases ( Especially gifting)
• Selling arsenal items
  • What item is being sold
  • How many of each forma type the item has
  • what rank the item is.
  • Other improvements the item has.
• Consigning Companions
• Helminth Subsuming
• Dissolving of ranked mods
• Dissolving of Unique Mods - last copy of any mod
• Dissolving of Riven Mods

 

 

 

 

 

[KriLL3]

-1 from me, giving anyone with access to the same PC as you instant access to your WF account is a massive security hole that DE would have to devote a lot more support staff to manage.

[dandeloreon]

I should probably mention as a postt update that integrating WebAuthn ( https://en.wikipedia.org/wiki/WebAuthn ) for authentication should work as well. You can find some key documentation on this at microsoft...

• Microsoft Blog over Passwordless technology: https://www.microsoft.com/security/blog/2020/12/17/a-breakthrough-year-for-passwordless-technology/
• WebAuthN api documentation: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/webauthnapis
• Windows Header for WebAuthn: https://github.com/microsoft/webauthn/ ( Easy link for the Warframe devs to look at )