[UPDATE] Two-Factor Authentication on Forums

Discussion in 'Empire Updates' started by Krysyy, Nov 14, 2016.

  1. Two-Factor Authentication is now available on the Empire Minecraft forums.

    We've spoke about password security many times before on EMC. A password is only as good as you make it. Non-repeating random character strings that are 16+ long are often the most secure, but there is always a safer method. The leading method at the moment for increasing security is the two-factor authentication system.

    How it works (this is in non-tech terms):
    Two-factor authentication works by using your smartphone or other device as a second 'checkpoint' of sorts before you gain access to the site. So when I enter my password from my computer, I have to also type in an additional code that my phone generates (and changes every 30 seconds). This means that in order for someone to hack my account, they would need to know my password AND have access to my phone. Since many of us live with our phones within reach 24/7, that's not an easy feat for said hacker to accomplish.

    What does this mean for EMC?
    Player privacy is of the utmost concern for us on EMC. This two-factor authentication helps to make your forums access safer and removes the issues that we have had in the past with regards to password security. This is an optional feature, but it is one that we strongly recommend for all players to use. To activate, please see below for the embedded wiki page with instructions:

    Two-Factor Authentication
    EMC supports two-factor authorization (sometimes referred to as 2FA) for our forum accounts. It will add an extra layer of protection for your account by requiring you to type in a code generated by an app on your phone/device when you try and login, as well as your password. Typically, anyone trying to breach your account would not have access to your physical belongings, thus your account is likely to be more secure.

    This feature is optional, but we strongly recommend that you utilize it alongside good password practices.

    To enable it, follow the steps below:

    1) Go to your user preferences and go to the Two-Factor Authentication section. The screen looks like this:

    2) Check the box to use two-factor authentication, and click "Add a New Key."
    3) When you are using a smartphone or another device with an authentication app on it, scan the QR barcode that appears on the screen.
    4) Type in the authentication code that your device will generate for you.
    5) Click the "Attach" button.

    When you log in, the screen below will appear after you input your normal forums password.

    Use the code that your authentication app generates for you to log in.

    There is an option for you to ignore entering in this code from your device for 31 days. By default, this system supports 2 devices. Supporters have access to register 4 devices. EMC Staff members, who are required to use two-factor authentication for their accounts, have unlimited device registration.

    You are not required to utilize one particular authentication app. Shown in the example above is Google Authenticator, which is free and available on both iOS and Android devices. Consult your device's app store for more information.

    Did we miss something?

  2. Yay a new thing :D

    Thanks Dev and Staff :)
    Equinox_Boss likes this.
  3. 3rd! thanks devs.
    Equinox_Boss and Themoglover like this.
  4. Woohoo! No more #ChinBrokeIt :D

    Edit: Apparently from the post below, I stand corrected. There is still 1 ChinBrokeIt.
    Equinox_Boss, Patr1cV, 607 and 10 others like this.
  5. 'scuse me?
  6. Awesome, now we can be safer!
    Equinox_Boss and Themoglover like this.
  7. Steam does this kind of thing when I access Steam from my laptop or login with steam through a different site, their codes consist of numbers and letters, our codes only consist of numbers, but that doesn't take away from the upgrade in security! This is something my red eyes like to see :D!
  8. SuperDuperSpecialPasswordMixedWithSUperDuperGollyWollyWoodLettersAndNumbers.....
  9. Just so we're clear here: I'm not trying to be overly negative. It is a good thing to add more protection and make it harder for attackers to (try to) log on.


    This installation also means that EMC / Starlis will get access to some player's phone numbers. And that does raise an important question with me: what do you guys plan on doing with that extra data?

    I've gone over the privacy policy which basically tells us that the information which EMC/Starlis collects from us can be used to (quote):
    • personalize your experience
    • optimize advertising
    • improve our website
    • improve customer service
    • process transactions
    • administer a contest, promotion, survey or other site feature
    • send periodic emails
    The policy also tells us that: "We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.".

    As such my question. I wouldn't mind you guys to have access to my phone number, but I would have a serious problem with it if you'd sell that information to a 3rd party, no matter how much you trust them not to disclose it any further. I'm not worried about a 3rd party disclosing it, I'm worried about them abusing it :p

    Just so we're clear here... I obviously recognize the legal approach there and quite frankly I also don't really think you'd actually sell information like that. But when it comes to legal terms my personal opinion isn't important. What is important is what the legal document(s) (dis)allows, and right now, the way I read this, EMC/Starlis reserves themselves the legal right to sell this kind of information.

    So yeah, that makes me curious.
  10. This is a direct quote from MrSocks:

  11. You can give my number out all you want too.
  12. But it's also not EMC I'm worried about ;)
  13. I understand your concerns, because I would have the same concerns too. Rest assured though, that EMC never gets your phone number when using the 2fa method Aikar has put in place.

    The authenticator apps that you install on your phone to use this option never send EMC your phone number. Unlike the services that send you a text message with the code you use, these apps hold the codes "inside" the app, and as the post states, they change every 30 seconds. So neither the app nor EMC ever need your phone number. In fact, this service would work if you used a tablet device, which doesn't have a cellular service or phone number. (You just need an internet connection when originally setting the app up).
  14. Confirming that 2FA does not reveal your phone #.

    When you scan the code, it's EMC sending data to your phone (That secret key thats printed beside the code)

    The QR code just makes it so you dont have to manually type that value in.

    2FA usually doesn't even use the internet outside of synchronizing time.

    Also, you could even setup 2FA to an ipod, that doesn't even have a phone #!
  15. As we promised in the last staff breach, this will be mandatory for staff members.

    (And now I'm conveniently getting YubiKey advertisements on this page! I would add YubiKey as an option for the forums too, but it requires me to own one first to even get an API key to use them)
  16. +1 for reading the privacy policy

    I'm also concerned with privacy, but in another way. Here you have an option to increase your security while actually giving out more information. The 2FA provider can easily collect information about where and how frequently you log in.

    The damage that a hacker can do can be very unpleasant. The damage that "big players" can do can be life threatening. Unfortunately, based on what happened more and more during last few years, we are forced to assume that many people and many organizations of all sizes cheat.

    BTW, this is really a big step back in our culture, the top one that worries me. Loss of mutual trust overall leads to disintegration of society and culture. And, btw, damages the economy.

    I'm not saying don't use 2FA apps.
    I'm saying know how it works, evaluate side effects and risks and decide where to use it.

    Think about how to improve privacy, think about how to improve mutual responsibility, dependability and trust on all levels.
  17. Nice feature added! I have already set mine up.Thanks for all the staff that was involved in making this :)
    Equinox_Boss and AnonReturns like this.