SMS Account Authentication

[Kasaga]

Long as its a optional thing that seems fine. But I will always opt to give as little information to the internet as humanly possible. I don't use face book, don't own a cellular phone, other than having an email for being able to do stuff like this that is it. Perhaps a secret question could be implemented or some such similar method using your email address, or just continue playing at your own risk like before.

[cmdrrickhunter]

It strikes me that you're solving two problems at once: The first is an "identification" problem. You want to tie a username to a person (in the end, that's what it boils down to). The second is "secure communication," for things such as password resets.

Secure communication has a ton of alternate solutions, especially those suggested in earlier posts such as PGP encrypted communications. Many of them would require less work than the SMS thing you're working on.

The former is what I think is bothering people. While I'd give you my phone number now, after playing for a month or two and seeing just how much pride you have in your work, I second the sentiments of an earlier poster: I would probably not have signed up if I had to give ANYTHING personally identifying. Hell, I was wary giving you my real email address, and considered using a spam address instead. One has to know just how awesome the work you guys put in is before feeling comfortable giving you data, and you wouldn't find that out until AFTER you authenticate.

As a hobbyist security "expert" (isn't it great when people put "hobbyist" and "expert" in the same sentence), I'd like to see a threat model of what you perceive the threats to be, and why that threat model mandates something like a phone number.

I have a feeling the threat model will indicate that the threats are to individual accounts, not to the server on a whole. If so, then authentication should be optional according to each individual's risk thresholds. The only effect I see on the server as a whole is the load on you guys when you have to replace hacked characters. Perhaps, instead of mandating authentication, you should set your terms such that those who don't authenticate get the same support after being hacked than you give those who do authenticate.

I don't know what the copyright issues regarding EQ's IP has to say about donations, but if it was legal, I wouldn't be opposed to you guys declaring "If you don't authenticate, and your account is hacked, we wont restore your data unless you provide a $10 donation to help keep the servers running." In my (very capitalist) opinion, that would be an excellent way to make up for the fact that they're making you spend your time helping one person (rather than helping us all by doing the development you enjoy) by making them help pay for the server bandwidth that we all enjoy! Even in the FOSS world, its common to give the software for free, and make them pay for support!

--

Slightly related, if someone's account was hacked and a unique item (say, rubicite) was taken and sold to me for plat, what would be the policy for restoring the item? Do you guys add additional rubicite to the world, or do you undo as many transactions as you can, trying to make it seem like the hack never occurred. The policy on items like this would appear to have a significant effect on how much time it costs you guys to undo a hack.

[Divarin]

Quote:

Originally Posted by quellren [You must be logged in to view images. Log in or Register.]

If its really that upsetting to you to give out a cell number , sign up for Google chat. It's free.

You sign up, and are asked to chose a phone number based on your area code, it works as a proxy, give P99 that number and any verification code gets washed through Google Chat and passed on to the actual cell number. All the sender knows is the 10-digit number provided. Google won't blink if you enter Mickey Mouse or Horatio Hornblower as your personal info.

I've actually coordinated a few in-game spawns for other people via this, i.e. Hasten pop or Targin the Rock. They pop, I send a text to them via google chat and it gets proxied and delivered, they log in. We profit.

As little as I trust P99 to keep my personal information from getting into the wrong hands, I trust Google even less.

[Epictroll]

Quote:

Originally Posted by Divarin [You must be logged in to view images. Log in or Register.]

As little as I trust P99 to keep my personal information from getting into the wrong hands, I trust Google even less.

then try text free from pinger (pinger.com/textfree) you can sign up using throw away email from sites like 10minutemail.com

The 29 countries now supported by Pinger include: American Samoa, Australia, Bahamas, Bangladesh, Barbados, Belize, British Virgin Islands, Canada, Cayman Islands, China, Costa Rica, Ecuador, El Salvador, Germany, Guam, Guatemala, Guyana, Honduras, Israel, Jamaica, New Zealand, Nicaragua, Northern Mariana Islands, Panama, Peru, Puerto Rico, Sri Lanka, United States, and Venezuela.

no more excuse although this pretty much defeats the purpose. there's always going to be a way to get around something and reason why i feel this new authentication method should be optional.

[Harrison]

Any word on this Rogean?

[William Henry Harrison]

Quote:

Originally Posted by Epictroll [You must be logged in to view images. Log in or Register.]

then try text free from pinger (pinger.com/textfree) you can sign up using throw away email from sites like 10minutemail.com

The 29 countries now supported by Pinger include: American Samoa, Australia, Bahamas, Bangladesh, Barbados, Belize, British Virgin Islands, Canada, Cayman Islands, China, Costa Rica, Ecuador, El Salvador, Germany, Guam, Guatemala, Guyana, Honduras, Israel, Jamaica, New Zealand, Nicaragua, Northern Mariana Islands, Panama, Peru, Puerto Rico, Sri Lanka, United States, and Venezuela.

no more excuse although this pretty much defeats the purpose. there's always going to be a way to get around something and reason why i feel this new authentication method should be optional.

[Ikonoclastia]

you are using the internet, your ip is connected to your isp, your isp has your phone number, credit card number, address...

fact is your phone number is the least of your worries... the worst that could happen is someone rings you...

[twill713]

Just wondering if this option is still on table? And if there have been any developments on possible implementation?

[EQUSA]

There must be other ways to go about...personally I don't like the idea of giving out my cell phone number. As crazy as the World today, people can find out a lot of info on a person just by knowing their phone number.

[GretchenRPH]

I don't have a cell phone, because I don't need one. As long as there is an alternate method that doesn't require me to maintain a cell phone account to play, or keep borrowing one from a friend which would be annoying, it's fine.