SMS Account Authentication - Page 3

runlvlzero · #21 07-18-2011, 09:18 PM

Quote:

Originally Posted by Heebee [You must be logged in to view images. Log in or Register.]

People who do this aren't very bright.

Probably not just with a phone number, but its certainly a starting point when you want to profile someone for ID theft. Also, you'd be surprised how easy it is to have someone else's mobile phone number ported to another mobile phone, new service, new provider, etc in Australia.

Last post I make in this thread I swear, I stand by whatever Rogean decides to do to solve this issue in regards to account security.

But to tell you the truth I'm less worried about my ID being stolen then megacorp U.S.A. Inc profiling me and having more links to my real identity out of my direct control, yup I'm a hippy.

Honestly after investigating Google voice to, I seriously recommend it to anyone balking at having their real number out there. It gives you one free, you still have to tie it to yours or a friends number, but it provides one layer of obfuscation which I feel is pretty legit, Google has been known to stand up on occasion against government agents without warrents, as well as lawsuits from other corporations.

Lazortag · #22 07-18-2011, 09:21 PM

I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

Harrison · #23 07-18-2011, 09:27 PM

Quote:

Originally Posted by Rogean [You must be logged in to view images. Log in or Register.]

I have been considering (and already testing and will probably implement) a method to send text messages from our servers. I am going to start requiring all eqemu forum accounts to be tied to a phone number that will be used as a method to verify authenticity of accounts, as well as provide a method for resetting passwords of loginserver accounts.

The lack of a method of resetting loginserver accounts has been a problem for quite some time, and we have never had a real method to do so that wouldn't put other accounts in danger of being compromised at the same time.

We may also optionally allow the numbers to be used in a securid sort of way, for those that decide to enable it on their account. This would mean that in order to even log into the account on the loginserver and to connect to P99, you would need to enter both your account password as well as the pin number generated on the spot. This is much like the World of Warcraft Authenticator and the key fob that SoE will be coming out with also. This would be purely optional though (however mandatory for any staff gm/guide accounts on P99, and any other servers that request it).

I'm fairly confident that many of you in one way or another have access to a cell phone, even if it's not directly yours. I will also be providing verification via a phone call to US Based numbers, if you do not have access to an SMS capable device. This does however mean that people playing from outside the US will need to have a SMS-Enabled phone, or use a friend's. I have done a lot of testing for non-US numbers and most of them have succeeded using our system.

I am opening this for discussion as I want to hear people's opinions on this and possibly voice any concerns that we have overlooked.

I will have your babies.

Let's find a way to tie this in somehow with our forums and not allowing anonymous accounts to access more than a select section of our forums without being verified first.

runlvlzero · #24 07-18-2011, 09:27 PM

Quote:

Originally Posted by Lazortag [You must be logged in to view images. Log in or Register.]

I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

Hehe, more then likely if you do have a phone number it is listed and has your name tied to it anyway. My issue is with having any accounts I use tied to a phone number tied to someone in relation to me, so you are safe.

Felwithemagi · #25 07-18-2011, 09:33 PM

Disagree. I prefer not to give out my phone number to anyone. The assumption that everyone gives out their number is false. You have 100 other methods of verifying who I am -- so please don't make this mandatory.

I will pay for a fob or a software based key gen if needed.

Ektar · #26 07-18-2011, 09:35 PM

most of the issue with hacking/stealing/whatev accounts is (1) item theft and (2) character deletion.. or so I just now arbitrarily assigned. under the less invasive option, this still can't be stopped, correct?

maybe make another option that you must confirm character deletion (or any character above some level, or specifically flagged characters chosen by the owner, or whatever) via text or whatev you decide.

for item theft idk. I guess the only thing would be the invasive every-time thing.

yeah and I'd prefer like, an email instead of a text message? I kinda skimmed the responses and saw that but not sure if there's a problem with emailing over texting.

Phallax · #27 07-18-2011, 09:43 PM

I like the idea of an authentication #, I used one for WoW.

But this is a free EMU, account security shouldnt be such an extreme procedure as to giving out your cell#.

**Rogean** · #28 07-18-2011, 09:49 PM

Quote:

Originally Posted by Lazortag [You must be logged in to view images. Log in or Register.]

I'm a bit concerned because not too long ago someone was able to hack into the database and start deleting characters... what if someone hacked into eqemu and was able to find out my phone number? Sorry if I don't fully understand how it works.

False Statement. Nobody hacked the database. You're talking about an injection that let someone delete characters via an exploit that was originally designed to erase only reserved names. Don't you think if someone really had access to the database that they would have done far worse than that?

Quote:

Originally Posted by Felwithemagi [You must be logged in to view images. Log in or Register.]

Disagree. I prefer not to give out my phone number to anyone.

You aren't giving it out to just anyone. You are entering it into a private database so that we can verify who you are.

Quote:

Originally Posted by Felwithemagi [You must be logged in to view images. Log in or Register.]

The assumption that everyone gives out their number is false.

I never said "everyone". I said most people. If you are hanging out with friends of friends and they want to grab your number to contact you, you're telling me you won't give it to them? In some ways that's less secure than what I am proposing to do, what's to stop your friends from giving your number out to others? At least here you have some guarantee that we won't divulge that information.

Quote:

Originally Posted by Felwithemagi [You must be logged in to view images. Log in or Register.]

You have 100 other methods of verifying who I am

None of which are unique enough to you or secure enough.

Quote:

Originally Posted by Felwithemagi [You must be logged in to view images. Log in or Register.]

I will pay for a fob or a software based key gen if needed.

Are you going to pay the $1,000+ it costs for the backend system required to operate the key fobs?

It has become clear to us that email is inadequate. People lose email addresses easily, whether they lose it because they forget the login or it was with a provider or business that no longer exists. Phone numbers are much more likely to stay with someone.

**Rogean** · #29 07-18-2011, 09:51 PM

Quote:

Originally Posted by Ektar [You must be logged in to view images. Log in or Register.]

maybe make another option that you must confirm character deletion (or any character above some level, or specifically flagged characters chosen by the owner, or whatever) via text or whatev you decide.

Character deletions aren't even permanent, and are very easy to restore. It's far more damaging to wreak havoc on your inventory giving your items away than it is to simply delete a character.

runlvlzero · #30 07-18-2011, 09:58 PM

Quote:

Originally Posted by Rogean [You must be logged in to view images. Log in or Register.]

Are you going to pay the $1,000+ it costs for the backend system required to operate the key fobs?

It has become clear to us that email is inadequate. People lose email addresses easily, whether they lose it because they forget the login or it was with a provider or business that no longer exists. Phone numbers are much more likely to stay with someone.

I lied and am posting again. I have to back rogean on this one it is seriously expensive to get those systems running, almost as much as running what he's got going already. And someone made the argument that phone#'s are the least invasive method. I still don't like it one bit but there are ways around giving your number directly to rogean as mentioned in this thread already. Honestly my first posts were coming from a Draconian understanding of the phone system. There are VOIP services, and as one has pointed out one is free.

Honestly I would love an alternative... fancy PGP keys that everyone generates themselves and sends in via email would be an alternative perhaps. There is allot of FOSS software out there to do this simply which would even give people choices how to generate their PGP keys.