SMS Account Authentication


Rogean
07-18-2011, 08:20 PM
I have been considering (and already testing and will probably implement) a method to send text messages from our servers. I am going to start requiring all eqemu forum accounts to be tied to a phone number that will be used as a method to verify authenticity of accounts, as well as provide a method for resetting passwords of loginserver accounts.

The lack of a method of resetting loginserver accounts has been a problem for quite some time, and we have never had a real method to do so that wouldn't put other accounts in danger of being compromised at the same time.

We may also optionally allow the numbers to be used in a securid sort of way, for those that decide to enable it on their account. This would mean that in order to even log into the account on the loginserver and to connect to P99, you would need to enter both your account password as well as the pin number generated on the spot. This is much like the World of Warcraft Authenticator and the key fob that SoE will be coming out with also. This would be purely optional though (however mandatory for any staff gm/guide accounts on P99, and any other servers that request it).

I'm fairly confident that many of you in one way or another have access to a cell phone, even if it's not directly yours. I will also be providing verification via a phone call to US Based numbers, if you do not have access to an SMS capable device. This does however mean that people playing from outside the US will need to have a SMS-Enabled phone, or use a friend's. I have done a lot of testing for non-US numbers and most of them have succeeded using our system.

I am opening this for discussion as I want to hear people's opinions on this and possibly voice any concerns that we have overlooked.

Hasbinbad
07-18-2011, 08:23 PM
This is amazing. Please do this.

Also, WB papi.

Dravik
07-18-2011, 08:23 PM
I think it's a great idea! Good work.

Ring
07-18-2011, 08:23 PM
Great news.

How will it be implemented? Do we just log into our EQEmu account and fill in a new form field with our phone number when it's made available?

Loremasten
07-18-2011, 08:23 PM
Sounds great. Would stop a lot of the "He hacked my account" fights that go on.

Lucia Moonglow
07-18-2011, 08:25 PM
This is an awesome idea!

Will this also allow casual use? Like, for example, sending a text to someone's account so they can log in to a raid without having to give people your phone number?

Nocte
07-18-2011, 08:25 PM
Good idea.

runlvlzero
07-18-2011, 08:33 PM
I will not be having a phone anytime soon nor will I be using a friend's phone... sorry, but I hope it works out for you, it definitely won't for me. But I'm not even active here hardly.

username17
07-18-2011, 08:34 PM
All the account sharers will cry.

Good Idea.

Versus
07-18-2011, 08:35 PM
We may also optionally allow the numbers to be used in a securid sort of way, for those that decide to enable it on their account. This would mean that in order to even log into the account on the loginserver and to connect to P99, you would need to enter both your account password as well as the pin number generated on the spot. This is much like the World of Warcraft Authenticator and the key fob that SoE will be coming out with also.

So...this would mean getting a text or something every time you chose to log in or am I misunderstanding?

Troy
07-18-2011, 08:36 PM
Absolutely hate texting. I use my phone for making phone calls and have disabled the sending/receiving of texts via my wireless company. Call me or send me an email.

That being said, I think Google Voice is free for anyone and will give you a US-based number that can receive texts for free. I have one that I guess I'd use for this if you insist on implementing it.

What's wrong with email though?

Polixenes
07-18-2011, 08:36 PM
I don't have a cell phone but my wife has one through work. Would this mean I need to have access to her phone every time I log in, or is this just a "do the first time and forget about it" kind of thing?

Rogean
07-18-2011, 08:39 PM
Some of you need to learn to read.

The requirement is only for a one time verification and would only be required again if you need to reset a loginserver password.

*OPTIONALLY* you can enable it to send you a text every time you log in as a secondary authentication.

Polixenes
07-18-2011, 08:42 PM
OK, didn't see a reference to one time only - thanks for the clarification and it doesn't seem like a hardship to me.

booter
07-18-2011, 08:42 PM
Seems like a good idea but I'm sure it will be burdensome for some of the players.

Lucia Moonglow
07-18-2011, 08:50 PM
All the account sharers will cry.

Good Idea.

I'm confused. I thought that account sharing, while not recommended, was still allowed. I always just figured it was a "do at your own risk" sort of deal, which is why I don't share info for accounts with characters I'm really concerned about.

runlvlzero
07-18-2011, 08:52 PM
Some of you need to learn to read.

The requirement is only for a one time verification and would only be required again if you need to reset a loginserver password.

*OPTIONALLY* you can enable it to send you a text every time you log in as a secondary authentication.

(I mean to say what you're asking) is a very reasonable request in today's society and people like me might have an alternative in Google Voice. I didn't even know such a thing existed. I even totally respect the need for it, there's no way you can protect people's accounts, this might be the only feasible way.

To me personally it is frightening that more and more "stuff" permits less anonymity these days. I know it's just EQ ... but a phone number is highly personal stuff to me. Also I really hate the phone companies, I will likely never "lease" a phone-line again, sadly the internet depends on them. So the first thing I feel when someone wants my license, phone number, or credit information is utter and absolute dread.

Envious
07-18-2011, 09:04 PM
Simply fucking amazing.

Not sure if I will use it, but to have the choice is stellar.

Much kudos.

Rogean
07-18-2011, 09:06 PM
(I mean to say what you're asking) is a very reasonable request in today's society and people like me might have an alternative in Google Voice. I didn't even know such a thing existed. I even totally respect the need for it, there's no way you can protect people's accounts, this might be the only feasible way.

To me personally it is frightening that more and more "stuff" permits less anonymity these days. I know it's just EQ ... but a phone number is highly personal stuff to me. Also I really hate the phone companies, I will likely never "lease" a phone-line again, sadly the internet depends on them. So the first thing I feel when someone wants my license, phone number, or credit information is utter and absolute dread.

Understandable, but all things considered, a phone number is still one of the least personal things we can collect while still remaining something unique to you and able to identify you. Most people hand out their phone number to anyone that asks or post it up on pages like facebook etc. It's not like anyone can commit identity theft by just having a phone number.

Heebee
07-18-2011, 09:10 PM
Most people hand out their phone number to anyone that asks or post it up on pages like facebook etc.

People who do this aren't very bright.

It's not like anyone can commit identity theft by just having a phone number.

Probably not just with a phone number, but it's certainly a starting point when you want to profile someone for ID theft. Also, you'd be surprised how easy it is to have someone else's mobile phone number ported to another mobile phone, new service, new provider, etc. in Australia.

runlvlzero
07-18-2011, 09:18 PM
People who do this aren't very bright.



Probably not just with a phone number, but it's certainly a starting point when you want to profile someone for ID theft. Also, you'd be surprised how easy it is to have someone else's mobile phone number ported to another mobile phone, new service, new provider, etc. in Australia.

Last post I make in this thread I swear, I stand by whatever Rogean decides to do to solve this issue in regards to account security.

But to tell you the truth I'm less worried about my ID being stolen than megacorp U.S.A. Inc profiling me and having more links to my real identity out of my direct control, yup I'm a hippy.

Honestly after investigating Google Voice too, I seriously recommend it to anyone balking at having their real number out there. It gives you one free, you still have to tie it to yours or a friend's number, but it provides one layer of obfuscation which I feel is pretty legit, Google has been known to stand up on occasion against government agents without warrants, as well as lawsuits from other corporations.

Lazortag
07-18-2011, 09:21 PM
I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

Harrison
07-18-2011, 09:27 PM
I have been considering (and already testing and will probably implement) a method to send text messages from our servers. I am going to start requiring all eqemu forum accounts to be tied to a phone number that will be used as a method to verify authenticity of accounts, as well as provide a method for resetting passwords of loginserver accounts.

The lack of a method of resetting loginserver accounts has been a problem for quite some time, and we have never had a real method to do so that wouldn't put other accounts in danger of being compromised at the same time.

We may also optionally allow the numbers to be used in a securid sort of way, for those that decide to enable it on their account. This would mean that in order to even log into the account on the loginserver and to connect to P99, you would need to enter both your account password as well as the pin number generated on the spot. This is much like the World of Warcraft Authenticator and the key fob that SoE will be coming out with also. This would be purely optional though (however mandatory for any staff gm/guide accounts on P99, and any other servers that request it).

I'm fairly confident that many of you in one way or another have access to a cell phone, even if it's not directly yours. I will also be providing verification via a phone call to US Based numbers, if you do not have access to an SMS capable device. This does however mean that people playing from outside the US will need to have a SMS-Enabled phone, or use a friend's. I have done a lot of testing for non-US numbers and most of them have succeeded using our system.

I am opening this for discussion as I want to hear people's opinions on this and possibly voice any concerns that we have overlooked.

I will have your babies.

Let's find a way to tie this in somehow with our forums and not allowing anonymous accounts to access more than a select section of our forums without being verified first.

runlvlzero
07-18-2011, 09:27 PM
I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

Hehe, more than likely if you do have a phone number it is listed and has your name tied to it anyway. My issue is with having any accounts I use tied to a phone number tied to someone in relation to me, so you are safe.

Felwithemagi
07-18-2011, 09:33 PM
Disagree. I prefer not to give out my phone number to anyone. The assumption that everyone gives out their number is false. You have 100 other methods of verifying who I am -- so please don't make this mandatory.

I will pay for a fob or a software based key gen if needed.

Ektar
07-18-2011, 09:35 PM
most of the issue with hacking/stealing/whatev accounts is (1) item theft and (2) character deletion.. or so I just now arbitrarily assigned. under the less invasive option, this still can't be stopped, correct?

maybe make another option that you must confirm character deletion (or any character above some level, or specifically flagged characters chosen by the owner, or whatever) via text or whatev you decide.

for item theft idk. I guess the only thing would be the invasive every-time thing.


yeah and I'd prefer like, an email instead of a text message? I kinda skimmed the responses and saw that but not sure if there's a problem with emailing over texting.

Phallax
07-18-2011, 09:43 PM
I like the idea of an authentication #, I used one for WoW.

But this is a free EMU, account security shouldn't be such an extreme procedure as to giving out your cell#.

Rogean
07-18-2011, 09:49 PM
I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

False Statement. Nobody hacked the database. You're talking about an injection that let someone delete characters via an exploit that was originally designed to erase only reserved names. Don't you think if someone really had access to the database that they would have done far worse than that?

Disagree. I prefer not to give out my phone number to anyone.

You aren't giving it out to just anyone. You are entering it into a private database so that we can verify who you are.


The assumption that everyone gives out their number is false.

I never said "everyone". I said most people. If you are hanging out with friends of friends and they want to grab your number to contact you, you're telling me you won't give it to them? In some ways that's less secure than what I am proposing to do, what's to stop your friends from giving your number out to others? At least here you have some guarantee that we won't divulge that information.


You have 100 other methods of verifying who I am

None of which are unique enough to you or secure enough.

I will pay for a fob or a software based key gen if needed.

Are you going to pay the $1,000+ it costs for the backend system required to operate the key fobs?


It has become clear to us that email is inadequate. People lose email addresses easily, whether they lose it because they forget the login or it was with a provider or business that no longer exists. Phone numbers are much more likely to stay with someone.

Rogean
07-18-2011, 09:51 PM
maybe make another option that you must confirm character deletion (or any character above some level, or specifically flagged characters chosen by the owner, or whatever) via text or whatev you decide.

Character deletions aren't even permanent, and are very easy to restore. It's far more damaging to wreak havoc on your inventory giving your items away than it is to simply delete a character.

runlvlzero
07-18-2011, 09:58 PM
Are you going to pay the $1,000+ it costs for the backend system required to operate the key fobs?


It has become clear to us that email is inadequate. People lose email addresses easily, whether they lose it because they forget the login or it was with a provider or business that no longer exists. Phone numbers are much more likely to stay with someone.

I lied and am posting again. I have to back Rogean on this one, it is seriously expensive to get those systems running, almost as much as running what he's got going already. And someone made the argument that phone numbers are the least invasive method. I still don't like it one bit but there are ways around giving your number directly to Rogean as mentioned in this thread already. Honestly my first posts were coming from a Draconian understanding of the phone system. There are VOIP services, and as one has pointed out one is free.

Honestly I would love an alternative... fancy PGP keys that everyone generates themselves and sends in via email would be an alternative perhaps. There is a lot of FOSS software out there to do this simply which would even give people choices how to generate their PGP keys.

Lazortag
07-18-2011, 10:00 PM
False Statement. Nobody hacked the database. You're talking about an injection that let someone delete characters via an exploit that was originally designed to erase only reserved names. Don't you think if someone really had access to the database that they would have done far worse than that?

Thanks for the response Rogaine, I just wanted to know that my phone number would remain private.

Uthgaard
07-18-2011, 10:20 PM
I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

No one hacked into any database. L2packet.

quellren
07-18-2011, 10:24 PM
If it's really that upsetting to you to give out a cell number, sign up for Google chat. It's free.

You sign up, and are asked to choose a phone number based on your area code, it works as a proxy, give P99 that number and any verification code gets washed through Google Chat and passed on to the actual cell number. All the sender knows is the 10-digit number provided. Google won't blink if you enter Mickey Mouse or Horatio Hornblower as your personal info.

I've actually coordinated a few in-game spawns for other people via this, i.e. Hasten pop or Targin the Rock. They pop, I send a text to them via google chat and it gets proxied and delivered, they log in. We profit.

Pyrocat
07-19-2011, 12:06 AM
I object from a privacy standpoint, but at the same time I bet this would cut down the number of spam and grief accounts as well as make account hacking less damaging... Hmm, tough choice.

Muerte
07-19-2011, 01:05 AM
People who do this aren't very bright.



Probably not just with a phone number, but it's certainly a starting point when you want to profile someone for ID theft. Also, you'd be surprised how easy it is to have someone else's mobile phone number ported to another mobile phone, new service, new provider, etc. in Australia.

Scary.

I don't like the idea.

Rorke
07-19-2011, 01:13 AM
Texting from the servers to international cell numbers could incur quite a cost, couldn't it? I know from England if I want to text a friend in Sweden it's almost £1 ($1.60), and despite the fact that I'm not on a great calling plan - international costs never seem cheap.

I'd go along with it, I just hope that implementing it wouldn't mean that donations were mandatory.

Trying to think how often I get a client crash and have to log in again (+1 text message). If costs stay low, it can't fail I guess... the goal is a noble one, I've never been hacked but I wouldn't wish it on anyone :)

EDIT: And for anyone with privacy concerns, your passport contains a tracking chip in it (that thick page)... I think giving out your cell this one time is a minor grievance :P

Lanuven
07-19-2011, 05:05 AM
So as I tried to ask in-game... Why doesn't EQemu have some sort of failed login attempt lockout? Pretty much every game online I've played had this system in place, and it doesn't seem like a hard thing to put in place for a little extra added security. This would cut down on the brute-force hack attempts, would it not?

The SMS thing is okay I guess... but like the general consensus of the thread so far, "my phone number for a free game, really?"

Haul
07-19-2011, 05:15 AM
I will not be having a phone anytime soon nor will I be using a friend's phone... sorry, but I hope it works out for you, it definitely won't for me. But I'm not even active here hardly.

Word I have multiple accounts I use since I 6 boxed on PEQ before joining here in March 2010. Doesn't sound like this works well for me either at first read.

HallygukRZ
07-19-2011, 05:20 AM
I like the idea and don't see any problems. Go with it.

Aprio
07-19-2011, 05:40 AM
Texting from the servers to international cell numbers could incur quite a cost, couldn't it? I know from England if I want to text a friend in Sweden it's almost £1 ($1.60), and despite the fact that I'm not on a great calling plan - international costs never seem cheap.

I'd go along with it, I just hope that implementing it wouldn't mean that donations were mandatory.

Trying to think how often I get a client crash and have to log in again (+1 text message). If costs stay low, it can't fail I guess... the goal is a noble one, I've never been hacked but I wouldn't wish it on anyone :)

EDIT: And for anyone with privacy concerns, your passport contains a tracking chip in it (that thick page)... I think giving out your cell this one time is a minor grievance :P

Wait woah, every time my client crashes/I go LD I have to pay to get back in? Hope I'm reading that wrong, at international rates it would be cheaper for me to go back to live or WoW :(

Uthgaard
07-19-2011, 05:56 AM
If you're only going to choose one random paragraph to read, try starting with Rogean's. Not only has that already been answered, the tinfoil hats are strong here.

Harrison
07-19-2011, 06:00 AM
There are some epic level idiots with reading comprehension problems in here lmfao

greatdane
07-19-2011, 07:14 AM
This is a fine idea, but can we have an option of playing completely at our own risk, i.e not having to supply a phone number at all? I would be happy to relinquish any rights to support in the event of loss of my account. I can't receive calls or text messages from outside of my country. I totally see the merit in offering players the opportunity of increased account security, but there's a fundamental problem with requiring it. Beyond the practical issues, such as for foreigners like myself, there's also a variety of ethical problems. A game shouldn't demand the player's personal information. I don't know the people who will have access to this database of phone numbers, and while I have no doubt that they'll be trustworthy about it, they're still complete strangers who don't do this professionally. Also, if I give out my phone number online, my provider no longer has to waive excess fees in the event of a billing problem - even if the two turn out to be completely unrelated. Since I can't receive the account verification message, that's not hugely relevant for me, but it's still a point. I could (and might) change providers if this turns out to be necessary, but I don't like that I have to. It's not as if we get spambots and gold farmers, so why can't we opt out? I don't foolishly share my account information and I run a retail computer protection package, so I've had no problems since the server launched. I'd opt out of the login authenticator anyway, so I don't see the purpose of having to essentially confirm that a human owns the account. I see the point of a randomly generated login number, but not the point of a one-time verification.

TL;DR: what purpose does the required one-time account verification serve, and why can't we opt out of that as well? I'd be fine with giving up the opportunity for support as a consequence.

Uthgaard
07-19-2011, 07:44 AM
If you think we don't get spam bots or gold farmers, you're mistaken. If we wanted your personal info, we could already have it - just ask anyone who's threatened the server. It's a phone number for a text, not a social security number, and as has already been pointed out, you don't even have to have a real phone to get the text. Anyone who can take the amount of effort to type an entire paragraph, should first take the same amount of time to read the entire thread and find all of the paranoia has already been addressed.

Extunarian
07-19-2011, 09:57 AM
Sounds like a fine plan. Google voip ftw.

Nedala
07-19-2011, 12:11 PM
Awesome idea, will it work for euros?

Uaellaen
07-19-2011, 12:14 PM
Awesome idea, will it work for euros?

yes

Dr4z3r
07-19-2011, 01:32 PM
Would the system as planned permit more than one EQEmu account to have the same phone number attached?

Rhambuk
07-19-2011, 01:34 PM
not classic, you're ruining my immersion bros

Kassel
07-19-2011, 01:35 PM
not classic, you're ruining my immersion bros

EQEMU needs a "secret question"

guineapig
07-19-2011, 01:43 PM
Sounds good.

greatdane
07-19-2011, 01:58 PM
If you think we don't get spam bots or gold farmers, you're mistaken. If we wanted your personal info, we could already have it - just ask anyone who's threatened the server. It's a phone number for a text, not a social security number, and as has already been pointed out, you don't even have to have a real phone to get the text. Anyone who can take the amount of effort to type an entire paragraph, should first take the same amount of time to read the entire thread and find all of the paranoia has already been addressed.

I did read the thread, every post of it, and I still don't see why this has to be required with no opt-out. It's not paranoia, it's a practical issue. I'm just worried about not being able to play. I can't receive texts from outside my country. I'm not being a whiny bitch, it's shit like this:

http://i15.photobucket.com/albums/a358/Tershek/Unavngivet.png

You don't realize how common that sort of thing is when you're not subjected to it. I'd seriously rather play without account security than having to go through the considerable trouble of verifying my RL existence to strangers across the globe. It's awesome that you're willing to go to these lengths to provide a security service to your players, but I just don't see why it has to be mandatory, or why it can't be conducted in a way that doesn't rule out certain people. I guess I could go ask one of my colleagues if I can use his phone to make a call from Denmark to the United States so some people will let me play on their emulated Everquest server, but I'm not loving that idea either. Isn't there a less awkward alternative? Skype or something?

Akim
07-19-2011, 02:34 PM
I think it's a great idea! Good work.

Agecroft
07-19-2011, 02:37 PM
I think it's a great idea! Good work.

Webwolf
07-19-2011, 03:03 PM
I think it's an awesome idea provided it works for everyone across the globe, if not then make it an optional (but recommended) feature and require an alternative method of verification like a personalized security question if the person chooses to opt out. It would defeat the purpose if people use some obscure service to get the initial authentication text and then have no means to reset their password later.

Yinaltin
07-19-2011, 03:09 PM
I'm just worried that this database can be hacked and information could be made public. It's not like that has not been the case lately with credit card information and such. See Sony and Blizzard and whatnot. So I don't want to get spam SMS or prank calls or whatever because someone sold all these phone numbers to a company.
All just theory, but how will you be able to prevent people from hacking into this database if even multi-billion-dollar companies can't offer security with private info?

BTW I did participate in the cellphone testing, also my guild has my phone number as well. I just want to get this statement above cleared for all.

Raavak
07-19-2011, 03:15 PM
im just worried that this database can be hacked and informations could be made public . its not like that has not been the case lately with credit card informations and such .number as well .

This is my only concern as well. Otherwise I think it's a fantastic idea.

Webwolf
07-19-2011, 03:23 PM
You people worry too much. Quit being so paranoid and stop living in fear of everything.

FAHall
07-19-2011, 03:32 PM
I currently do not have text service on my phone, nor do I intend to get it in the near future. If I do, my work and "friends" will be texting me non-stop with worthless things I don't want to know about. It's a level of connectivity that I want to avoid.

If I were to create a new account with P99, how would this new setup affect someone like me?

What would the workaround be for those that do not have txt messaging?


Thanks,
-Alex

xshayla701
07-19-2011, 03:35 PM
Sorry if I missed this, but who exactly will have access to the phone numbers?

Also,


Character deletions aren't even permanent, and are very easy to restore.

How easy? :p

keto
07-19-2011, 04:12 PM
Thumbs down. I don't get reception in grandma's basement.

Alkorin
07-19-2011, 04:59 PM
How easy? :p

Setting a 0 to a 1. Or something of the sort. "Deleted" is as simple as a flag on a character in the db.

Restoring all your gear, on the other hand... is a serious pain in the ass. You'd have to manually recreate all of the items as items are unique per instance.

superapan
07-19-2011, 05:14 PM
I would even let you guys probe me.

Raavak
07-19-2011, 05:15 PM
I currently do not have text service on my phone, nor do I intend to get it in the near future. If I do, my work and "friends" will be texting me non-stop with worthless things I don't want to know about. It's a level of connectivity that I want to avoid.


<3 iBlacklist

Raavak
07-19-2011, 05:17 PM
Setting a 0 to a 1. Or something of the sort. "Deleted" is as simple as a flag on a character in the db.

Restoring all your gear, on the other hand... is a serious pain in the ass. You'd have to manually recreate all of the items as items are unique per instance.

Back on live there was an instance where someone got ahold of a character/account, deleted the high level characters and started new ones with the same name. Not to give anyone ideas, but is this nastier to recover from?

Aprio
07-19-2011, 05:45 PM
This would be purely optional though

My bad, I really need to actually pay attention and stop skimming. Carry on.

Uthgaard
07-19-2011, 05:53 PM
Setting a 0 to a 1. Or something of the sort. "Deleted" is as simple as a flag on a character in the db.

Restoring all your gear, on the other hand... is a serious pain in the ass. You'd have to manually recreate all of the items as items are unique per instance.

Everything stated here is incorrect. It's not a flag and inventory is part of the character in a separate table. When a character is undeleted, anything that was on it at the time is unchanged, so there is no additional work and no exploit potential.

xshayla701
07-19-2011, 07:38 PM
was just curious =3

Titanuk
07-19-2011, 08:55 PM
where is red99

fauxreigner
07-20-2011, 11:06 AM
... I am going to start requiring all eqemu forum accounts to be tied to a phone number ....

Any chance of making this optional?

We may also optionally allow the numbers to be used in a securid sort of way, for those that decide to enable it on their account. This would mean that in order to even log into the account on the loginserver and to connect to P99, you would need to enter both your account password as well as the pin number generated on the spot.

Can someone explain how this works? Does the server generate a PIN and text it to you when you're logging in?
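
As an added illustration that is not part of the thread and is not EQEmu or Project 1999 code, the Python below shows one way a server could issue and check the texted login PIN asked about here, with the expiry, single-use and attempt-cap rules that keep a short PIN from being guessed (the same lockout idea raised earlier in the thread for failed logins). The class name, the `send_sms` callable, the five-minute lifetime, the five-attempt cap and the sample phone number are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300   # assumption: a texted PIN is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed per challenge


class PinChallenges:
    """Pending SMS PIN challenges, one per account (in-memory for the example)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway: callable(phone, text)
        self._clock = clock
        self._pending = {}          # account -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, pin):
        # Keyed hash so the PIN itself is not kept server-side. A 6-digit PIN is
        # still guessable offline; expiry and the attempt cap are the real controls.
        return hmac.new(salt, pin.encode("utf-8"), hashlib.sha256).digest()

    def issue(self, account, phone):
        """Generate a PIN with a CSPRNG, text it, and replace any older challenge."""
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[account] = [salt, self._digest(salt, pin),
                                  self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login PIN is {pin}")

    def verify(self, account, submitted):
        """Return 'ok', 'wrong', 'expired', 'locked', or 'none' (no challenge)."""
        entry = self._pending.get(account)
        if entry is None:
            return "none"
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[account]
            return "expired"
        # Constant-time comparison avoids leaking how much of the guess matched.
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[account]      # single use: a PIN cannot be replayed
            return "ok"
        entry[3] = attempts_left - 1
        if entry[3] <= 0:
            del self._pending[account]      # void the challenge after too many misses
            return "locked"
        return "wrong"


def demo():
    """Exercise the flow with a fake clock and a captured outbox (constructed data)."""
    now = [1000.0]
    outbox = []
    store = PinChallenges(lambda phone, text: outbox.append((phone, text)),
                          clock=lambda: now[0])
    phone = "+15555550100"                  # constructed, fictional number

    def texted_pin():
        return outbox[-1][1].split()[-1]

    def wrong_guess(pin):
        return "000000" if pin != "000000" else "111111"

    results = []

    store.issue("alice", phone)
    pin = texted_pin()
    results.append(store.verify("alice", wrong_guess(pin)))   # one miss
    results.append(store.verify("alice", pin))                # correct PIN
    results.append(store.verify("alice", pin))                # replay of a used PIN

    store.issue("alice", phone)
    pin = texted_pin()
    now[0] += PIN_TTL_SECONDS + 1                             # let the PIN lapse
    results.append(store.verify("alice", pin))

    store.issue("alice", phone)
    pin = texted_pin()
    for _ in range(MAX_ATTEMPTS):
        last = store.verify("alice", wrong_guess(pin))
    results.append(last)                                      # cap reached
    results.append(store.verify("alice", pin))                # right PIN, too late
    return results


if __name__ == "__main__":
    print(demo())
```
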

Dr4z3r
07-20-2011, 11:19 AM
Back on live there was an instance where someone got ahold of a character/account, deleted the high level characters and started new ones with the same name. Not to give anyone ideas, but is this nastier to recover from?

I'd guess it hardly makes a difference, mostly based on this: http://www.project1999.org/forums/showthread.php?t=36026

Jjlent
07-20-2011, 01:41 PM
I have 1 question, currently 1 of my characters who I leveled up completely is on a friend's eqemu account, would I have to get the eqemu info to add my cell phone or I wouldn't be able to play that character?

phoenix182
07-20-2011, 06:42 PM
Cool in theory, but some of us just plain don't have a phone. I exist purely by email/net right now (long story). Any way to make it a web thing, not a phone thing? If not my only option is going to be to pick a random phone booth and give you that number lol.

Morlaeth
07-21-2011, 12:41 PM
No one hacked into any database. L2packet.

hot pocket?!

Arkyani
07-21-2011, 01:00 PM
What about people without cell phones? Just curious. Will I be unable to play any more just because I don't have one?

edit: nevermind. I just read that rogean will physically call the US numbers that don't have cell phones. Although.. this seems like a LOT of work.

Hottbiscuits Dreadmuffin
07-21-2011, 02:10 PM
Sooo if I say I don't have a cell phone, I get to talk to Rogean?

omg let's trade cupcake recipes!~

Pudge
07-23-2011, 10:56 AM
while i think the idea is cool..

i wouldn't implement it. just because it would dissuade new players from joining the server.

if i stumbled upon the EQEMU project and was considering firing up an 11 year old game for a nostalgia kick (little do they know their soul will belong to Rogean for the next 2 years) i wouldn't want to start out by giving my phone number to some random guys i don't know.

seriously... what's the problem with using email? make it OPTIONAL to even use this phone # password-reset-system. then only the ppl who are afraid of losing their account will sign up (which will admittedly be not many ppl) and then they can cry about it if it actually does happen.

maybe make a reminder for ppl every once in awhile, or each time their character dings levels between 50 and 60, it could give a message suggesting they do it. This will give new players some time to play and build trust in the server and the project. (i guess this could only apply to the servers you run yourself rogean, but still..)


SO: please make it optional and not mandatory. in the interest of getting new players into the game. (maybe you could make it mandatory just for p1999/red99 to have a character over level 50 or something)

Beauregard
07-23-2011, 11:08 AM
Seeing how difficult it is currently to get a password reset on a stolen account I fully support this SMS account authentication.

naexus
07-24-2011, 02:44 AM
Some of us are serving overseas and don't have access to cell phones.... Hopefully some type of exception can be made in the unlikely event that a password reset ends up being needed.

Thanks!

Dazen
07-24-2011, 04:35 AM
Disagree. I prefer not to give out my phone number to anyone. The assumption that everyone gives out their number is false. You have 100 other methods of verifying who I am -- so please don't make this mandatory.

I will pay for a fob or a software based key gen if needed.


This right here

Ring
07-24-2011, 05:26 AM
This right here

People are acting like Rogean and crew are asking for their SSN. Every MMO requires name, address and phone number at a minimum. You can even make a free Google Voice account (USA only I think) and use that number.

What is the big deal?

Arkyani
07-24-2011, 08:27 AM
The big deal is people without cell phones. I'd gladly give my name and address, but I can't give a cell phone number.

Also, any new people coming to the server will see they have to provide their cell phone and decide it's not worth it. This will decimate the future of p1999 by not only excluding those who choose not to have cell phones, but with the amount of people already who would rather not give out their personal information to an emu server I could only imagine that would add up to hundreds of potential new players in the future lost if not more.

I know for a fact if p1999 had this system in place before I joined here I would have never signed up.

Chrushev
07-24-2011, 04:16 PM
Sounds good, except a phone alternative would be nice..

Harrison
07-24-2011, 04:30 PM
Lol so many crybabies...wow.

Bardalicious
07-24-2011, 04:47 PM
The idea is solid simply to add another layer of security to an account for those that want it. The people that opt-in for that sort of thing generally aren't the ones that cry about their accounts getting "hacked" in the first place however.

While I personally would use this system on my accounts for login verification, just for peace of mind, I can understand the objections to it. The EQEmu community isn't, in my opinion, very "noob" friendly in terms of setting up to play here. Adding this in will surely dissuade some new/current players. Just look at all of the people crying about not having a cell phone because they couldn't make it through reading an entire post first.

Now, that brings me to another point. If people are simply going to use free VoIP alternatives, such as throw-away Google voice accounts, it really defeats the original purpose of personal identification and password recovery. Quite simply, it will be just as likely someone loses their account information for the VoIP as it was them losing their email info, which in Google's case, is one and the same.

I still think it's a solid idea, though I'm going to have to side with the people that want it to be entirely optional. Putting in an opt-out option on the account creation process with a disclaimer warning that it's not advised and that the account will likely be unrecoverable if passwords are lost is a better alternative to this being mandatory.

Flavor
07-24-2011, 06:33 PM
So much reading failure in this thread.

Pudge
07-24-2011, 10:54 PM
The idea is solid simply to add another layer of security to an account for those that want it. The people that opt-in for that sort of thing generally aren't the ones that cry about their accounts getting "hacked" in the first place however.

While I personally would use this system on my accounts for login verification, just for peace of mind, I can understand the objections to it. The EQEmu community isn't, in my opinion, very "noob" friendly in terms of setting up to play here. Adding this in will surely dissuade some new/current players. Just look at all of the people crying about not having a cell phone because they couldn't make it through reading an entire post first.

Now, that brings me to another point. If people are simply going to use free VoIP alternatives, such as throw-away Google voice accounts, it really defeats the original purpose of personal identification and password recovery. Quite simply, it will be just as likely someone loses their account information for the VoIP as it was them losing their email info, which in Google's case, is one and the same.

I still think it's a solid idea, though I'm going to have to side with the people that want it to be entirely optional. Putting in an opt-out option on the account creation process with a disclaimer warning that it's not advised and that the account will likely be unrecoverable if passwords are lost is a better alternative to this being mandatory.
this

soup
07-25-2011, 06:12 AM
I'm kind of shocked at how many people are paranoid about using their phone number. I'm pretty paranoid about posting shit online that can ID me, but I don't see the issue here. Hell, I'd almost not even be concerned about posting my phone number on this forum for everyone to see. Almost.

I wouldn't be surprised if some of the people acting paranoid use the same password for P99 as they do for their e-mail or some other important stuff, lol.

Shannacore
08-02-2011, 10:52 AM
Maybe we can all be texting buddies ~

AstyTZ
08-03-2011, 10:58 AM
I'm in favor of this. My fiancee and I quit playing about a year ago and I just recently came back. I gave most of my stuff away when I quit (oops), but she did not. She had intended to, but the person she was going to give her stuff to never logged on.

At any rate, she has no idea what her password was, and the lack of a password recovery system is disheartening. She put in a lot of work gearing her main and alt (as did I) and we can no longer access any of it.

I don't personally care about giving my cell phone number away (except when Karsten uses it to call me at 4am, which HAS happened), but I am sympathetic to those that do care or don't have one to give, as well as people abroad. Opt-in seems like a swell idea to me if it would work.

Has the "what if you get a new cell phone number" question been asked/answered yet? I'm browsing on my droid so maybe I just missed it. Is there a way to change the number set to your account? If so, how would a "hacker" be prohibited from replacing your number with theirs?

RazzleDazzle
08-06-2011, 05:20 PM
i also only have a land line QQ

ir0nfist
08-09-2011, 07:05 AM
I also do not own a phone and don't plan on getting one. However it seems you are definitely trying to offer options for those that don't have one. So my hat is off to you, unfortunately I don't think I own a hat either.

Dr.Spike
09-05-2011, 04:35 AM
One easy thing would be to make a program that is hardware locked.
That program connects to a server and lets you reset your password for the account(s) that are locked to the hardware ID.
Any attempt from other hardware to reset someone else's account gets banned for 24h (after 3 tries) for trying to reset someone else's account.
Could do this in many possible ways.

akahdrin
09-05-2011, 04:51 AM
I'm only going to be in the country for a little while longer and then I'm moving overseas again, will I need to verify this more than once? I have access to a cell currently, but in about 3 weeks I'll be in Peru for a year.

Lomol
09-05-2011, 09:17 AM
This may be a dumb question because I only kind of understand how things work. Will this have an effect on account sales, or when folks do this are they actually selling an EQEmu account?

runlvlzero
09-17-2011, 03:27 PM
Just curious on whether this is still going to be implemented, when, and how will we give you our phone #? Through a new form input field on eqemulator.org, or internally through the EQclient? Like a #SMSnumber command in EQ's chat.

Oh ya, and I was also wondering if this was gonna affect just project 99 or all servers on eqemulator.org, like PEQ, the EZ server, and Hidden forest.

Casualties
11-09-2011, 10:04 AM
any update on retrieving login server passwords?

singwa
11-14-2011, 01:15 PM
Is the login password recovery possible yet?

Thanks much...eagerly awaiting...

bionicbadger
11-14-2011, 05:15 PM
I understand you want to make stuff easier for yourself, but it's a privacy nightmare.

Don't people already have an email address registered to the account? If they get their account and email hacked, then they are pretty much retards to begin with and can't be helped.

You worry too much about people whining about hacked accounts.
People aren't paying for this and you have no Service level agreement with the users.
If you catch someone hacking, perma ban account and related IPs.
Otherwise ban the accounts that were "hacked" and accounts accessed on same IP if they can provide the relevant account information, and tell them they should be more careful in the future.

Account security isn't rocket science and maybe if people lose a game account that costs them nothing, they might actually smarten up instead of learning to expect other people to fix shit for them.

singwa
11-15-2011, 10:28 AM
Dear Rogean,

Did you test your SMS LS password recovery? Was it a success?
I had an account last year and played for 4 months. I can't remember my password now though...

Thanks

Kasaga
11-27-2011, 08:14 PM
Long as it's an optional thing that seems fine. But I will always opt to give as little information to the internet as humanly possible. I don't use Facebook, don't own a cellular phone, other than having an email for being able to do stuff like this that is it. Perhaps a secret question could be implemented or some such similar method using your email address, or just continue playing at your own risk like before.

cmdrrickhunter
12-22-2011, 03:02 PM
It strikes me that you're solving two problems at once: The first is an "identification" problem. You want to tie a username to a person (in the end, that's what it boils down to). The second is "secure communication," for things such as password resets.

Secure communication has a ton of alternate solutions, especially those suggested in earlier posts such as PGP encrypted communications. Many of them would require less work than the SMS thing you're working on.

The former is what I think is bothering people. While I'd give you my phone number now, after playing for a month or two and seeing just how much pride you have in your work, I second the sentiments of an earlier poster: I would probably not have signed up if I had to give ANYTHING personally identifying. Hell, I was wary giving you my real email address, and considered using a spam address instead. One has to know just how awesome the work you guys put in is before feeling comfortable giving you data, and you wouldn't find that out until AFTER you authenticate.

As a hobbyist security "expert" (isn't it great when people put "hobbyist" and "expert" in the same sentence), I'd like to see a threat model of what you perceive the threats to be, and why that threat model mandates something like a phone number.

I have a feeling the threat model will indicate that the threats are to individual accounts, not to the server on a whole. If so, then authentication should be optional according to each individual's risk thresholds. The only effect I see on the server as a whole is the load on you guys when you have to replace hacked characters. Perhaps, instead of mandating authentication, you should set your terms such that those who don't authenticate get the same support after being hacked than you give those who do authenticate.

I don't know what the copyright issues regarding EQ's IP has to say about donations, but if it was legal, I wouldn't be opposed to you guys declaring "If you don't authenticate, and your account is hacked, we won't restore your data unless you provide a $10 donation to help keep the servers running." In my (very capitalist) opinion, that would be an excellent way to make up for the fact that they're making you spend your time helping one person (rather than helping us all by doing the development you enjoy) by making them help pay for the server bandwidth that we all enjoy! Even in the FOSS world, it's common to give the software for free, and make them pay for support!

--

Slightly related, if someone's account was hacked and a unique item (say, rubicite) was taken and sold to me for plat, what would be the policy for restoring the item? Do you guys add additional rubicite to the world, or do you undo as many transactions as you can, trying to make it seem like the hack never occurred. The policy on items like this would appear to have a significant effect on how much time it costs you guys to undo a hack.

Divarin
01-07-2012, 12:06 PM
If it's really that upsetting to you to give out a cell number, sign up for Google chat. It's free.

You sign up, and are asked to choose a phone number based on your area code, it works as a proxy, give P99 that number and any verification code gets washed through Google Chat and passed on to the actual cell number. All the sender knows is the 10-digit number provided. Google won't blink if you enter Mickey Mouse or Horatio Hornblower as your personal info.

I've actually coordinated a few in-game spawns for other people via this, i.e. Hasten pop or Targin the Rock. They pop, I send a text to them via google chat and it gets proxied and delivered, they log in. We profit.

As little as I trust P99 to keep my personal information from getting into the wrong hands, I trust Google even less.

Epictroll
01-24-2012, 02:23 PM
As little as I trust P99 to keep my personal information from getting into the wrong hands, I trust Google even less.

then try text free from pinger (pinger.com/textfree) you can sign up using throw away email from sites like 10minutemail.com

The 29 countries now supported by Pinger include: American Samoa, Australia, Bahamas, Bangladesh, Barbados, Belize, British Virgin Islands, Canada, Cayman Islands, China, Costa Rica, Ecuador, El Salvador, Germany, Guam, Guatemala, Guyana, Honduras, Israel, Jamaica, New Zealand, Nicaragua, Northern Mariana Islands, Panama, Peru, Puerto Rico, Sri Lanka, United States, and Venezuela.

no more excuse although this pretty much defeats the purpose. there's always going to be a way to get around something and reason why i feel this new authentication method should be optional.

Harrison
03-04-2012, 03:24 PM
Any word on this Rogean?

William Henry Harrison
03-04-2012, 03:51 PM
then try text free from pinger (pinger.com/textfree) you can sign up using throw away email from sites like 10minutemail.com

The 29 countries now supported by Pinger include: American Samoa, Australia, Bahamas, Bangladesh, Barbados, Belize, British Virgin Islands, Canada, Cayman Islands, China, Costa Rica, Ecuador, El Salvador, Germany, Guam, Guatemala, Guyana, Honduras, Israel, Jamaica, New Zealand, Nicaragua, Northern Mariana Islands, Panama, Peru, Puerto Rico, Sri Lanka, United States, and Venezuela.

no more excuse although this pretty much defeats the purpose. there's always going to be a way to get around something and reason why i feel this new authentication method should be optional.

Ikonoclastia
03-12-2012, 04:33 AM
you are using the internet, your ip is connected to your isp, your isp has your phone number, credit card number, address...

fact is your phone number is the least of your worries... the worst that could happen is someone rings you...

twill713
08-18-2012, 10:59 AM
Just wondering if this option is still on table? And if there have been any developments on possible implementation?

EQUSA
08-26-2012, 05:58 PM
There must be other ways to go about it... personally I don't like the idea of giving out my cell phone number. As crazy as the world is today, people can find out a lot of info on a person just by knowing their phone number.

GretchenRPH
11-17-2012, 09:43 AM
I don't have a cell phone, because I don't need one. As long as there is an alternate method that doesn't require me to maintain a cell phone account to play, or keep borrowing one from a friend which would be annoying, it's fine.

Rumzuck
12-26-2012, 06:31 PM
Google Authenticator *cough*

corradojeff
12-31-2012, 08:19 PM
Any update on this from the staff?

fishingme
12-31-2012, 09:06 PM
Any update on this from the staff?

I would honestly say, don't even think about this being implemented any time soon.

mookynuke
01-05-2013, 03:40 PM
To those who fear IDtheft by SMS feature.

I doubt anyone is going to IDtheft anyone here. Most of us play EQemu servers because Sony does not provide particular servers we want. As to the rest .. too poor or cheap to dish out cash for a monthly sub over at Sony or any other MMO/game.

The net is mainly gathering information to build a profile around the meat and bones.

Meat and bones? That's done by actually going out and gathering. There are a variety of ways and majority is common knowledge. Now, I know a guy who can gather directly from the 'air' and can ensure that information is from people who have a lot of money. He is the reason I have multiple bank accounts, all restricted to walk-in only, except one for card use (walk-in to transfer small amounts to card account). He parks near high end, gated communities during QVC/dinner hours and records all phone conversations within a one mile radius of his location due to the device range. Uses his computer to isolate the voices and focuses on those who had made purchases with their cards. From there .. the net to build profiles around the meat and bones. As to the device that allows this, a cheap modification to a certain product which can be bought nearly anywhere.

Phone information does nothing but perhaps contribute to a profile that is being built around the meat and bones. If you actually think email and or phone number is going to open up your bank accounts for the taking .. you're an idiot, if you bank online .. aye, same thing. Next time you're standing in line at a store .. look over your shoulder, someone could be electronically extracting information from your cards buried deep in YOUR pocket. Next time you're in a bank and filling out those little forms .. cover up better, person next to you with the glasses, which has a built in HD camera, could be recording all your information. Next time you use a phone to make a purchase ...

Anyways, the SMS feature should be a choice. If you do not want to provide a phone number then nothing changes for you, everything remains in its current state as you see it when you login now. Those who do choose to provide their phone number, gain new features to their account, thus access to higher levels of security like LS information.

OngorDrakan
01-23-2013, 05:43 PM
Bump.

OngorDrakan
02-12-2013, 03:16 PM
I just want to get back into my LS account. Will you tinfoil hat pricks just get out? Nobody cares if Rogean has your phone #. Just you. Nobody is trying to call you or text you or steal your ID.

I VOTE YES LETS DO IT!

Evictionnotice
02-17-2013, 12:13 AM
Does this work on accounts we lost the password to already? I have been bothering GMs for a while trying to recover my old accounts. With this new service would I be able to get my account back?!?!?!?!? If so, hell yes!

OngorDrakan
02-18-2013, 12:59 PM
I believe so Evictionnotice, it should allow us to reset LS passwords.

tanknspank
02-19-2013, 04:07 AM
I don't see how it would. You'd need to log into the account to set the phone number first since there's no phone # info in old accounts. And since the account doesn't have a phone number how would it know where to SMS to help you recover it?

OngorDrakan
02-20-2013, 12:12 AM
You login to EQEmu account. Go under LS Login Accounts and reset. Bam. At least I believe it would work in similar fashion.

Nigmo
03-04-2013, 11:00 AM
yes please yes please bump bump. If you're worried about P99 saving your phone number, don't use this service! How about that?

Nigmo
03-13-2013, 12:28 PM
bump

rsloans84
03-13-2013, 02:46 PM
This doesn't seem to be necessary... u shouldn't make it required, only recommended

sambal
03-26-2013, 02:36 PM
Rogean when can we expect to see this? I haven't been able to log into my shaman for over a year, I have access to the eqemu account, and I can't log into the world server, I forgot that password.

renordw
05-30-2013, 12:44 AM
What's the status on this?

Wudan
05-30-2013, 08:21 AM
who is going to pay for the txt message?

sellawiz
05-30-2013, 06:18 PM
who is going to pay for the txt message?

Shit bill me! I just want my password to get recovered.

Eliseus
05-30-2013, 06:36 PM
who is going to pay for the txt message?

It's called a job. Get with the times and get a proper phone plan that most modern day people should already have. I know, I know, living in the past is a hard thing to get over, hence the constant vegetation over this server.

Ravager
05-30-2013, 06:51 PM
It'd be cool if this could be used to stop account sales and sharing altogether.

myriverse
05-31-2013, 09:01 AM
I also do not own a phone and don't plan on getting one. However it seems you are definitely trying to offer options for those that don't have one. So my hat is off to you, unfortunately I don't think I own a hat either.
I hear ya.

Frackin' hipsters!

Well, I'm glad there's the Google option, else it would end my free fun.

It's called a job. Get with the times and get a proper phone plan that most modern day people should already have. I know, I know, living in the past is a hard thing to get over, hence the constant vegetation over this server.
Screw that. Texting is evil.

Rhambuk
05-31-2013, 09:06 AM
I hear ya.

Frackin' hipsters!

Well, I'm glad there's the Google option, else it would end my free fun.


Screw that. Texting is evil.

Glad they are working on an alternate plan for those without phones.

I miss the days of paper...

Gadwen
05-31-2013, 09:12 AM
Would be awesome to see this completed and functioning for password recovery and/or extra login security. Any progress to report or is it just a pipe dream?

Rhambuk
05-31-2013, 09:15 AM
Would be awesome to see this completed and functioning for password recovery and/or extra login security. Any progress to report or is it just a pipe dream?

As long as there's an option besides text message I'm all for it. If it can't be done and it moves forward with text only. WTS Account

webrunner5
05-31-2013, 09:45 AM
It'd be cool if this could be used to stop account sales and sharing altogether.

My son and I both play on here, and swap accounts to play. Why is account sharing such an evil thing in your eyes?? What is even the big deal about account sales if it is plat not RMT??

Mirox
06-04-2013, 06:32 PM
So, still no way to recover LS password? :( I forgot mine.. sucks having to start over when I spent all that time building up already. arg. I would pay to have that account access :(

Agatha
06-04-2013, 06:46 PM
oh well

Faerie
06-04-2013, 06:59 PM
Call me mean, but I really like where this is headed.

Pudge
06-04-2013, 07:10 PM
i like the idea of account authentication, and limiting accounts, etc..

but the bar to entry is too high. if you never heard of p1999 before, would you give them your cell phone # just so you could log in and see if the server was worth playing? i wouldn't have. until i played other emu servers and heard by word of mouth.. but if someone is playing on a server other than p99, he/she probably doesn't think very highly of it

I think this should be opt-in only.

If there were ever a pvp teams server, maybe requiring a number would be acceptable at some point? (in order to have a toon over level 55 or something?) then again, ppl are gonna find ways around that shit to get what they want. so it should only be for account re-acquisition purposes, imo. it would curb the account selling and RMT in that regard

Lyra
06-04-2013, 07:34 PM
I think this should be opt-in only.

Fortunate for you, the entire server is opt-in or opt-out!

No contracts here! If you don't like text messages, you are free to leave with NO PENALTY FEES!

This server is all about the free!


Hey Rogean....

I just met you

and this is crazy

but here's my number,

so call me, maybe?

Buellen
06-04-2013, 08:06 PM
step 1 READ what Rogean posted

step 2 READ two more times COUNT to 20 and think about what he posted.


USING PHONE NUMBER TO AUTHENTICATE EACH TIME YOU LOG INTO YOUR ACCOUNT IS OPTIONAL.


optional meaning a choice you make to use or not use.

------------------------------------------------------------------------------------------------------

FINALLY ROGEAN thank you for this feature it will help a ton of us out.

runlvlzero
06-09-2013, 05:02 AM
I have a phone now and since the NSAFBICIA is watching all of us this is a great idea in case one of those letters hacks my account and I need to get back in.

Wudan
06-09-2013, 05:35 AM
It's called a job. Get with the times and get a proper phone plan that most modern day people should already have. I know, I know, living in the past is a hard thing to get over, hence the constant vegetation over this server.

whatafuckinmoran

Rhambuk
06-09-2013, 11:00 AM
whatafuckinmoran

little bit...


I choose to not have a phone, I hate it I HATE IT SOOOO MUCH!!

that's kind of a lie, i have a shitty little tracphone that i keep in my care in case of emergencies.

but yeah, cell phones..who needs em

webrunner5
06-09-2013, 11:15 AM
I think it is not going to work if you can have it either way. What good is half the people giving phone numbers and half none. 50% of the people smart and 50% stupid??

pallius
06-09-2013, 11:43 AM
That means the NSA will know we play EQ...

runlvlzero
06-09-2013, 11:56 AM
My point was they already do and have all your toons cherished codes. So the tinfoil hatters is a moot point. Might as well get with the times. A full 180 on my original position. Irony intended, but not necessarily as a criticism.

Sorry I had to explain my little inside joke.