[UPDATE] Two-Factor Authentication on Forums

Discussion in 'Empire Updates' started by Krysyy, Nov 14, 2016.

  1. I will confirm, yet again, that this system does NOT use your phone number. The application that you choose to use will register a QR code in it, then assign a frequently refreshing PIN to it. That way, when you go to log in, your application tells you what to type as your second authentication.

    Respectfully, I disagree with this:
    This isn't about loss of trust. This is about advancement in technology.

    We're still at the same level of trust as we were a hundred years ago. I assure you that there were crooks and thieves in that age as well. The difference is that technology makes the distance between us shorter and thus, we don't have just the people in our town to worry about. The world, and everyone in it, is at our fingertips.

    What was good 100 years ago with regards to security is no longer the case. Everyone wants the best that technology can deliver. 2FA is the current leading digital account protection, one that we have now made available for our players to use, if they choose to.
  2. I hate 2 factor authentication. Not going to use it! But read on.

    But there's another problem, and I did read the wiki twice.
    It seems to work only if you have a smartphone. Well, I'm one of the rare persons that does not have a smartphone, because it's a useless device. But without a smartphone you can never use 2 factor authentication if you want to.

    So, if I am right, only people that have a smartphone can use 2 factor authentication on EMC?!
    Equinox_Boss likes this.
  3. I have Authy set up for my Cloudflare login, so whenever I sign in to the site from a new IP, it makes me enter the code provided by the app. Again, this app does not take any of your info, it just provides you with information that it is really you....
    Equinox_Boss and NurseSparticals like this.
  4. There are multiple versions of authentication apps available for you to use. If you do not have a smartphone, look into the alternative options that are available with Google. From just a cursory glance, I can tell that there is an alternative that includes the 16 digit manual key instead. Google authentication is also available for PC.

    This is the reasoning for the wording on the wiki to mention smartphone/device.
  5. For those who do not have any other devices they could install an authenticator on, here is a desktop software:

    https://winauth.com/

    I strongly recommend putting it on a USB key if you travel and want to login from someone else's computer.
    I'm not sure what you think 2FA does behind the scenes, but WHO do you see as getting insight into how often you login? 2FA doesn't change EMC's ability to see that.

    Do you mean some third party? If so, that also is not true.

    There is no "third party" with this form of 2FA. It's a revolving code on your device, and the device does not know if you used it or not.

    The only person who knows if you logged in is EMC, and we already know that even without 2FA.
    There is absolutely 0 privacy change in this feature.
    Equinox_Boss, 607 and NurseSparticals like this.
  6. There are two main mechanisms that regulate cheating: legal punishments and social control. Both are part of the culture. How do they change with advances in technology? Are the differences that we notice only temporary effects of fast technological advances, or are there substantial changes in the culture?

    My personal experience in several countries:
    Can you trust, if you don't have personal connections -
    A big, well-known bank? No.
    A med. doctor in a big, well-known hospital? No.
    A med. doctor with a private practice? No.
    Telecommunications provider? No.
    Police? No.
    Public prosecution department? No.
    Construction company? No.
    House management? No.
    Lawyer? Hardly.
    Big, well-known insurance company? Somewhat.
    University? Mostly.
    Tax advisor? Mostly.
    Firefighters / Mountain Rescue? Yes.
    ...

    I would like to believe that the fact that there is hardly a subject outside of a circle of persons bound by personal relations that you can trust not to cheat is not a sign of degrading culture.

    This reason makes it hard for me to believe that:
    success of an economy depends heavily on mutual trust, which includes the state, laws, legal system, police, media, etc. When we look at the differences between successful economies and unsuccessful ones, we can see that the success of an economy inversely correlates with corruption. Cheating can bring individual advantages, but it is too expensive overall; it does damage to the society. A society which is not able to control corruption won't be able to have a successful economy.

    Technology makes it easy for scammers to target people globally and to do that in many different and new ways, but at the same time, global media and global communications allow us to learn about that very fast and adapt. This in turn disrupts the business for the cheaters, but at the same time also raises expenses for everyone else.

    I don't think it is just technology, I think it is also decadence.
    Equinox_Boss likes this.
  7. Yes - the provider of the 2FA app.
    Then who holds the private key, who stores the public key and how is it fetched?
    How is the identity and authenticity verified?

    EDIT: I see it could (?) work without interaction with the provider on every use:
    - The app holds the private key and a certificate
    - EMC stores the ID and the certificate chain on setup
    But EMC would still need to check if the certificate has been revoked on every use ... ?

    Or is it only like a second password?
    Equinox_Boss likes this.
  8. ^ My understanding is that it's more like this, where the second password is a seed number chosen by EMC. Instead of typing in the seed, players use the app to mash it with the current time, then type in the resulting 6-digit code. EMC mashes the seed in the same way to check if the codes match.

    The app itself should just be a dumb calculator and a clock. It might report normal app things like how many people have installed it and when it's run. Even so, the calculator has no way to know if a code is actually used, or where it was used.

    There isn't a way to revoke them really. EMC can just delete the seed number and generate a new one.
  9. While I appreciate your thoughts on this matter, it doesn't really belong on this thread. I'll respond in a PM because I am interested in your point of thought regarding this hypothesis and would like to discuss more without a full derailment of the current topic here.
    What he said ^
  10. Yes, 2FA simply takes the 16 character "Secret" (shown beside the QR code; the QR code simply registers that 16 char code + a "name for what the code logs you into").

    Your app constantly takes the secret and the current time, gets the closest timestamp every 30s (9:21:00, 9:21:30), takes that time, runs it through an algorithm with your secret, generates a number and displays it.

    Then when you submit it to EMC, EMC does the same calculation, with a "skew" window to account for time differences, so it generates all potential codes for now and up to the allowed drift.

    If your code matches an expected code, and has not been recently used, you are allowed in.
    EMC then stores the code in a temporary manner to avoid letting anyone else re-use that code (one time pass code).

    The one time aspect is important, as if you are keylogged, it prevents the attacker from re-using that code real quick in real time.

    If your device is compromised, yes you would delete the key registered and generate a new one. If anyone has that 16 character secret, they can generate codes on your behalf. You may use the same secret over multiple devices as a way to get the code in multiple ways.

    But remember, that using it on a Desktop does lower security, as if you have malware, that malware could just then also steal your 2FA secret.
    Equinox_Boss, Dramanya, 607 and 3 others like this.
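    The seed-plus-clock scheme described in posts 8 and 10 above, as an added example that is not part of this thread or of EMC's code: a minimal server-side verifier in Python. It assumes the standard TOTP algorithm (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) that Google Authenticator implements; the skew window, the replay store and the `TotpVerifier` name are illustrative choices, and the secret in the test is the RFC's published test vector, not an EMC value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as in the post (9:21:00, 9:21:30, ...)
DIGITS = 6    # length of the displayed code
SKEW = 1      # accept codes from this many steps before/after "now"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """Standard TOTP (RFC 6238, HMAC-SHA1): 'mash' the shared secret with the
    30-second time counter and return the zero-padded 6-digit code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server side as described in the thread: compute every code inside the
    skew window, compare, and refuse a code that was already accepted."""

    def __init__(self, secret_b32: str, skew: int = SKEW):
        self.secret = secret_b32
        self.skew = skew
        self.used = {}    # code -> expiry time; the "temporary" replay store

    def verify(self, submitted: str, now: int) -> bool:
        # Forget codes whose whole window has already passed.
        self.used = {c: t for c, t in self.used.items() if t > now}
        if submitted in self.used:
            return False                  # one-time: replay is rejected
        for drift in range(-self.skew, self.skew + 1):
            expected = totp_code(self.secret, now + drift * STEP)
            if hmac.compare_digest(expected, submitted):
                # Keep it until no step in the window can produce it again.
                self.used[submitted] = now + (2 * self.skew + 1) * STEP
                return True
        return False
```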
  11. Finally! Been wanting 2FA on here for ages. Use with every site that has 2FA.

    I think it was mentioned above, but a good 2FA app is Authy. It has a good UI, app PIN protection, some sites (like CloudFlare and Discord) have their branding making it easy to see and it also has a backup option so you can swap to a new device without making new keys for every site.
    Equinox_Boss, Sambish and 607 like this.
  12. That's cool! :)

    I won't be using this, but I like that it's there.
    At first I was afraid one would need an extra device with them at all times, but it sounds like you can use a 2 factor authentication app on the device you're wanting to access the forums on. That's good.

    And you'll probably hardly ever have to do this anyway, as XenForo doesn't log you out automatically.
    Equinox_Boss likes this.
  13. There's a slight bit of humor to be found when Russian hackers constantly attempt (and constantly fail) to access your Twitter account because they have the password but not your phone due to 2FA.

    Hopefully that won't be reality for anyone. 2FA has long since become my life, as has digital security in general, due to sensitive material (materials under FERPA mainly) I'm having to handle on a regular basis, as well as other items relevant to current research projects. The idea of data getting lost or compromised is unacceptable and too large of a risk for what I do.

    But I digress. I'll have an opportunity to show someone the wonders of data security later today when I attempt to recover a term paper he somehow lost. :p

    Short story: Use 2FA whenever possible. I get the hesitancy and I understand why some of you may not want to use it. However, when you're on the phone with your local bank for two hours and filling out affidavits because someone cracked your account and drained your savings, you'll be using it often.
    Equinox_Boss and AnonReturns like this.
  14. Lol what next finger print scanning?
    Equinox_Boss likes this.
  15. Fingerprint unlocking has been a life saver on my phone. I use fingerprint to login to my Authenticator too.

    I wish I had it at work :p
    Equinox_Boss, Baradar67 and MCSaw like this.
  16. How does this affect my personal PC that remembers my username and password? Will it automatically log me out after the 31 days? Right now I just click the bookmark and I'm logged in to the site.
  17. I'd expect it not to. But it's a good thing to make sure.
    Equinox_Boss likes this.
  18. Everyone beat me to it, but as an ex 3rd party web developer for a major company, I can confirm Google's 2 factor authentication does not give a phone number. Everyone else confirmed this as well. It's a great security feature as long as you have your phone number.

    Aikar, is there a way to have the 2FA reset if you lose your app by means of losing your phone or upgrading to a new device? It'd be nice to set a PIN or allow SMS texts to reset 2FA. There are some great SMS gateways out there that can allow you to do this. As it stands now, would we contact staff via in game or something?

    Sidenote: This broke shavingfoam's shop keeper. Hope you guys can work together to remedy this.
    Equinox_Boss likes this.
  19. That's up to him to fix it to support 2FA.

    But there is a "Lost Authenticator" link on the authenticator page that lets you unlink it by email (which, you also do have protected by 2FA too right?????)
    Equinox_Boss and M4ster_M1ner like this.
  20. If anyone at all reads this....

    Google Authenticator is an APP. You scan the QR code from within Authenticator, and tada, you have codes generating for Empire Minecraft.

    I use it for my Google account too, so I have 2 different codes on the screen at one time.

    The app in no way gets your phone number.

    XenForo makes a QR code for Authenticator, and Authenticator scans it to enable you to get codes for EMC.
    Considering the year this is and how ridiculously affordable some smartphones are, I don't see this as a valid excuse.
    Equinox_Boss likes this.