MFA: Using proper 2nd factors

[Sakata-WF]

Considering the years and years that this game has been around, and the amount of time and money has been invested into people's Warframe accounts, it's about time DE offered proper methods of securing users' accounts. I'd previously created a support ticket regarding this about a year ago, then life happened (to the world, ugh, COVID) and I ended up with a long hiatus from Warframe.

Since TOTP is still not offered as a means to secure the account I've invested over 1800 hours into (and I'm in the "Dad 1st, gamer 2nd" crew; I have a friend with 8864 hours) along with more money than many entire AAA franchises, I'd really, really like y'all to offer means for me to keep my investment secure.

Email is not a secure OTP delivery method.

• It is not tied to specific device and has weak security controls protecting that OTP access.
• Many people don't have MFA turned on for their email accounts -- assuming that the email service they use even has MFA.
• There is a high chance that they also used the same password for the email account.
  • People reuse passwords because we're not machines. Also, passphrases are MUCH better. xkcd says it best: 

And while SMS TOTP codes are better than nothing, they are far from secure. NIST specifically recommends against SMS-based OTP.

It would be best to offer TOTP instead.

Free code exists to implement TOTP codes, Google's being the most commonly used that I've seen: https://github.com/wstrange/GoogleAuth

If someone needs a fairly simple to follow guide with code included, here is a relatively easy to follow one I've seen (it references the GoogleAuth code as well) https://dzone.com/articles/enabling-two-factor-authentication-for-your-web-ap

 

Thanks for the read, if you made it this far. Hopefully I'll see an option for TOTP codes soon.

[sitfesz]

IDK man IHNP with the lIS because the 2FA works fine on MA with MP, so e-mail is NTO factor as you talk about, it is clearly 2FA if you E2FA and they made it kind of mandatory.
Keep up with the abbreviations, because IMES indeed and why much words when few do trick.

[RunningTreeMC]

Any updates on this?
I'd also prefer totp over email otp.

[Lutesque]

Are y'all just Stringing Random Letters together to mess with Me ? 😭

[(PSN)Reaper330011]

On 2021-09-26 at 9:08 AM, sitfesz said:

IDK man IHNP with the lIS because the 2FA works fine on MA with MP, so e-mail is NTO factor as you talk about, it is clearly 2FA if you E2FA and they made it kind of mandatory.
Keep up with the abbreviations, because IMES indeed and why much words when few do trick.

Please give us a terminology handbook so we can fathom what you typed out.

[RunningTreeMC]

On 2021-11-23 at 8:30 PM, Lutesque said:

Are y'all just Stringing Random Letters together to mess with Me ? 😭

totp: time based one time password (used in apps like authy and google authenticator)
otp: one time password (password sent by a server normally through sms and email)
2fa: two factor authentication (could be otp, totp, or a letter sent in the mail, any form of authenticatication that's not a password.)
e2fa: enterprise 2fa

I don't know the rest.