Jump to content
  • 8
Roundabout

Make multi-factor authentication optional

Question

14 answers to this question

Recommended Posts

razimove   

Although it should be your own responsability, and with that I agree with you, I believe having it forced, is a nice way to prevent younger people who are less informed of disabling it and risking their accounts.

Share this post


Link to post
Kite   

Honestly, I won't bother logging into the game as long as it is mandatory. Too much work for me to try to log in to go to my email and input some code thing. 

Share this post


Link to post
IDKPRO   
1 hour ago, Kizhaz said:

Stop downloading mmo on every pc in the school and you should be ok

So true.. 

Share this post


Link to post

The 2FA was wierd/buggy.
It locked me out of my account for a bit, then I logged in (and no e-mail received?) then randomly a few mins later it let me login.
As odd as it seems I'd actually support being able to disable this 2FA system until a more reliable improvement can be implemented.

We're always responsible for our own accounts even if we have 2FA so not much to change.  Use a strong password and a password manager instead of reusing passwords.

Share this post


Link to post
Desu   
46 minutes ago, Daedalus007 said:

The 2FA was wierd/buggy.
It locked me out of my account for a bit, then I logged in (and no e-mail received?) then randomly a few mins later it let me login.
As odd as it seems I'd actually support being able to disable this 2FA system until a more reliable improvement can be implemented.

We're always responsible for our own accounts even if we have 2FA so not much to change.  Use a strong password and a password manager instead of reusing passwords.

Your account is not yet enforcing 2fa. Are you sure you were actually prompted for 2fa? Did the prompt include your email address?

Share this post


Link to post
Posted (edited)
On 3/14/2018 at 1:36 AM, Desu said:

Your account is not yet enforcing 2fa. Are you sure you were actually prompted for 2fa? Did the prompt include your email address?

I'd greatly prefer an option to not be bothered with '2FA' at all unless it can be done through a proper method (TOTP aka Time-Based One Time PassCode).

 

My previous post was referring to a 'glitch' involving 2FA.  I wasn't prompted for anything during the time the glitch occurred.  I was merely unable to login (stuck in a logging in stuck-loop and unable to login) and I was worried I'd been stealth-banned (which I wasn't) or had internet issues (which I didn't).  Eventually it resolved itself after a few minutes so I wasn't terribly worried about it overall.

 

The idea of 2FA is admirable, however the implementation leaves much to be desired.

Having it enabled by default is acceptable as a precautionary security measure, however the end-user should have the option (at their own risk) to disable 2FA.

 

I want to give both you and @Kyu kudos on the password system though.  Being able to use (at least) 100+ character passwords with not just the typical alphanumeric stuff but also any symbols on the keyboard, any brackets, both forward AND backslashes in addition to both underscore AND spaces (!); having a password system this flexible is quite uncommon to see.

 

I'm uncertain whether PokeMMO stores a hash of the password or the password itself.  I've expressed deep concerns about underlying core security issues such as storing the username and password in PLAIN TEXT in the Windows Registry when enabling the 'Save Password' option.  Java as a framework also presents some troubling aspects, however that is an issue that I'm confident that you and @Kyu can work out.

 

So I'd hope that the 2FA system can be default-enabled and also allow the end-user the option to disable it completely while accepting the risks inherent with such a decision.

Perhaps something like those who disable 2FA are ineligible for 'hacked' account support or something.

Edited by Daedalus007

Share this post


Link to post
Desu   
45 minutes ago, Daedalus007 said:

I'd greatly prefer an option to not be bothered with '2FA' at all unless it can be done through a proper method (TOTP aka Time-Based One Time PassCode).

You're unlikely to be bothered by it unless you change devices super frequently.

 

45 minutes ago, Daedalus007 said:

I'm uncertain whether PokeMMO stores a hash of the password or the password itself.  I've expressed deep concerns about underlying core security issues such as storing the username and password in PLAIN TEXT in the Windows Registry when enabling the 'Save Password' option.  Java as a framework also presents some troubling aspects, however that is an issue that I'm confident that you and @Kyu can work out.

We store all passwords hashed with a strong hash function (bcrypt)

 

45 minutes ago, Daedalus007 said:

So I'd hope that the 2FA system can be default-enabled and also allow the end-user the option to disable it completely while accepting the risks inherent with such a decision.

Perhaps something like those who disable 2FA are ineligible for 'hacked' account support or something.

Nobody thinks things will happen to them until they do. This makes me uncomfortable with the idea of letting players assume full risk.

 

An opt-out functionality isn't completely off the table, but even if it gets implemented, I would probably reserve it for the most extreme circumstances.

Share this post


Link to post
Posted (edited)
On 3/15/2018 at 12:05 AM, Desu said:

You're unlikely to be bothered by it unless you change devices super frequently.

We store all passwords hashed with a strong hash function (bcrypt)

Nobody thinks things will happen to them until they do. This makes me uncomfortable with the idea of letting players assume full risk.

An opt-out functionality isn't completely off the table, but even if it gets implemented, I would probably reserve it for the most extreme circumstances.

If a TOTP-based 2FA system was implemented with a 'remember this IP for a week' option then I feel that would make a nice middle-ground between security and convenience.

I'm glad the hashes are stored securely server-side.  Still not too thrilled with the password being stored in plaintext client-side in the Windows Registry.

If you and Kyu can work together to take care of that plaintext-registry issue, that would likely do a lot to mitigate 'hacked' accounts as well.

Thank you again for your time and responses on this issue.  I know how busy you and Kyu are.  :)

Edited by Daedalus007

Share this post


Link to post
Kyu   
6 minutes ago, Daedalus007 said:

I'm glad the hashes are stored securely server-side.  Still not too thrilled with the password being stored in plaintext client-side in the Windows Registry.

If you and Kyu can work together to take care of that plaintext-registry issue, that would likely do a lot to mitigate 'hacked' accounts as well.

Thank you again for your time and responses on this issue.  I know how busy you and Kyu are.  :)

Authentication tokens are stored in the game client's config directory and look like this:

Quote

client.saved_credentials.keys=9DpsOcicN+R61NiZ84jIcNgQUoGxLObDdsvgww8cz9c\=

They're not a representation of your password. I'm not sure where you got this idea, but it's wrong.

Share this post


Link to post
Posted (edited)
39 minutes ago, Kyu said:

Authentication tokens are stored in the game client's config directory and look like this:

They're not a representation of your password. I'm not sure where you got this idea, but it's wrong.

I'll send you a PM shortly with the details of what I mean with regards to plaintext passwords being stored in the Windows Registry and how it happens.
I'd rather not post it publicly here ;)


UPDATE

Ok I stand corrected.  Likely another benefit of the 27-Feb-2018 update that I was unaware of, but plaintext credentials are NO LONGER stored in the registry.  I noticed a new file in my PokeMMO\config directory named 'savedcredentials.properties' and the username and hashed password are both present in the file.  Very nice indeed :)

I've gone ahead and done strikethrough text on my previous inaccurate statements.  I think I'll be ok with 2FA as-is until some time can be spent improving it.  :)

Edited by Daedalus007

Share this post


Link to post
Kyu   
1 hour ago, Daedalus007 said:

Ok I stand corrected.  Likely another benefit of the 27-Feb-2018 update that I was unaware of, but plaintext credentials are NO LONGER stored in the registry.  I noticed a new file in my PokeMMO\config directory named 'savedcredentials.properties' and the username and hashed password are both present in the file.  Very nice indeed :)

I'm not trying to dog on you for this, but just to be clear for the sake of everyone's knowledge/safety: We have never offered a plaintext credential storage using the "Remember Me" function. You're mistaken. This is how it has always worked, since the system's initial implementation in 2014.

 

The hashes which are stored in savedcredentials.properties aren't real- they're just session tokens which are sent from the server when you request an authentication ticket. They do not represent your password in any way shape or form. Infact, if you copy them over to another computer or you try to login from a different network, you'll notice that they become invalid and your login will be rejected (this is to protect you against having your client stolen) because they're just session tokens.

Share this post


Link to post
Posted (edited)
On 3/16/2018 at 7:40 PM, Kyu said:

I'm not trying to dog on you for this, but just to be clear for the sake of everyone's knowledge/safety: We have never offered a plaintext credential storage using the "Remember Me" function. You're mistaken. This is how it has always worked, since the system's initial implementation in 2014.

 

The hashes which are stored in savedcredentials.properties aren't real- they're just session tokens which are sent from the server when you request an authentication ticket. They do not represent your password in any way shape or form. Infact, if you copy them over to another computer or you try to login from a different network, you'll notice that they become invalid and your login will be rejected (this is to protect you against having your client stolen) because they're just session tokens.

*snipped*

The hashes are not hashes but session tokens.  Awesome.  I gotcha and I appreciate the clarification.

 

Update:  Someone went through the trouble of removing my forum posts on the issue as well as cleaning out the PokeMMO discord of mentions of the plaintext thing, so unless I have some screenshots I will be seen as a 'liar'.  GG.  I don't want to risk my game account over this so you win Kyu.  You win.  Have fun with it.

Edited by Daedalus007

Share this post


Link to post
Kyu   
Posted (edited)
On 3/18/2018 at 1:35 PM, Daedalus007 said:

 

Update:  Someone went through the trouble of removing my forum posts on the issue as well as cleaning out the PokeMMO discord of mentions of the plaintext thing, so unless I have some screenshots I will be seen as a 'liar'.  GG.  I don't want to risk my game account over this so you win Kyu.  You win.  Have fun with it.

 

That's alright. I'll help you out.

 

Here's a screenshot from my PTS folder from last July with the same savedcredentials.properties file and the same style of session token (omitting my username):

 

QAsKEMC.png

 

Now, I'm sure that we all know that "The Devs" are leet hackers and can change timestamps on a filesystem, but to be quite honest, if you believe that's what I'm doing here, then you're beyond hope. Anyone who participated in the last Public Test Server who turned on "Remember Me" can go look in their config folder and they'll find the same type of file.

 

We didn't find any Forums posts regarding plaintext passwords in the registry (deleted topics are actually kept for 60 days before they're permanently deleted) but we didn't look that hard. The only Discord messages I saw from you regarding the Windows Registry are from January 30th in #support, before I even joined Discord. You can go look at them by searching for "registry."

 

I don't really understand where this narrative of " 'The Devs' are trying to coverup something and turn everyone against Daedalus" is coming from, but I will say this: If I wanted you gone, I would have just banned you, because that's a shitload easier than faking things and letting you be a jerk on the forums. We have a lot better things to do with our time than conspire against forum trolls, so please stop with that. It's really obnoxious.

 

Since the OP's question has been answered by @Desu and there doesn't seem to be more to add, I'm closing this now.

Edited by Kyu

Share this post


Link to post
Guest
This topic is now closed to further replies.

×

Important Information

By using this site, you agree to our Terms of Use and Privacy Policy.