[Suggestion] 2FA Planetside 2 log-in?

Discussion in 'PlanetSide 2 Gameplay Discussion' started by AntDX316, Jun 24, 2022.

  1. AntDX316

    We need 2FA to be enabled somehow, with SMS text and/or an e-mail. No need to have Google Authenticator.

    Sure, the game isn't super popular, but a lot of us have thousands of hours and money invested. Someone could compromise an account, send lots of DBG Cash now that gifting is possible, disband a big outfit if they are the owner, and delete high-level characters that cannot be undeleted.

    I have a unique password for the game that I don't use anywhere else, but it's still a good idea to create some sort of 2FA before matters get out of control, so that if the game does get super popular it doesn't become too late and too difficult to fix.
    • Up x 1
  2. JibbaJabba

    This should have been in place before gifting.
    • Up x 4
  3. VV4LL3

    BLUF: Great recommendation. SMS - No, Pin Generator - Yes, Push Notification - Yes, Email - Yes
    The cost of a compromised account for the business and the customer is typically higher than the cost of implementing these technologies. Long-term cyber-business strategies should keep this in mind when deciding whether or not to implement, vice continuing to pay for cyber-insurance or bulking up on customer service/account recovery plans.

    For business and security purposes, I recommend only a token, an app One Time Pin (OTP), and/or push notification. If the user does not have SMS Transfer/Port Blocking enabled from their provider, this is a relatively easy and inexpensive exploit through third-party companies. Two-Factor (2FA) and Multi-Factor Authentication (MFA) are valuable tools to secure an account; knowing the pros and cons of the different technologies in terms of business costs vs. likelihood of exploit is important to Daybreak Games and customers.

    Recommend: Implementing a token, such as Google Authenticator, for 2FA is the least expensive and easiest to implement from an enterprise perspective, for both the organization and the user, since it's free.

    Additional Reading on the topic:

    Governance: https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication

    Overview: https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf

    Tips and Tricks: https://staysafeonline.org/resources/stay-safe-online-related-links/

    Free MFA Solution Articles:
    Formal Academic: https://www.sans.org/white-papers/36087/

    Free Commercial Solution: https://support.google.com/accounts/answer/1066447?hl=en&co=GENIE.Platform=Android
    • Up x 1
  4. AntDX316

    Do you have a good link on how to implement a 2FA/MFA solution that works through possibly Google Authenticator to save money? How much does it even cost to run (per person)?

    I get Steam 2FA SMS at times that I did not even request. 2FA is important.

    E-mail instead if SMS isn't available is also good.

    There have to be at least some people with no voice who have had these issues happen, or will, if 2FA isn't available. Everyone should have some sort of 2FA log-in if they have a membership or DBG already attached to the account. If they are new, of course, they don't need it. Even just having something like a 4-digit code is enough to cover accounts, but if there is a huge issue with how the API works in the game, then it could be bad.

    2FA just has to happen without it compromising performance or making the monetary upkeep too high.

    The only way to protect our accounts now is to have a super rare password not used anywhere else, as of course all the other passwords on the web are most likely compromised if the same one is used on forums.
  5. VV4LL3

  6. AntDX316

    Wow, so they do have 2FA. I have it on, but it says it's for password recovery and not for log-in.

    Daybreak Authenticator exists, though, but you have to buy the device... why can't they just use SMS?
  7. VV4LL3

    Setting Up 2 Step Authentication
    1. Log into your account and go to Account Management and choose Enhanced Security.
    2. Click the Button to Turn On 2-Step Verification.
    3. You will need to know the answer to your Security Question. (If you do not have one yet, you will be prompted to create one.)
    4. Enter your country and mobile phone number (ensure that the country code is correct).
    5. You will receive an SMS message with a security code, enter it in the box provided and click Continue.
    6. Win!
  8. AntDX316

    It was already enabled before, but it's only for password recovery, not log-in.
    • Up x 1
  9. VV4LL3

    Don't know what to tell you, friend. Wish I was on the DBG Senior Staff to address these things, sadly we are at the mercy of the Cybersecurity-Cost benefit analysis.

    What isn't known is the number of account compromises, which would give them great incentive to fix some of these MFA feature requests.

    Most companies these days buy cyber insurance which is cheaper monthly than the cost of full cyber staff or fixes to meet the threats out there. When a hack/breach occurs, companies rarely face the consequence of damages to customers.

    I've seen it firsthand in the community, experienced it from executives, and been shut down by Directors. You can lay out the costs, benefits, savings, even at the cost of risk mitigation, and it will always come down to the bottom line; this is true in both government and the private sector. The truthful biggest incentive is legal compliance and the result of an audit's noncompliance. Multimillion-dollar contracts can be lost, companies fined, and people fired. Have yet to hear of incarcerations, though, due to Director or Executive negligence.

    Even on DBG forums when cybersecurity comes up, there's always that nay-sayer that has little to no cyber risk management experience, defending poor security practices simply because "they" don't know. It's common and part of the culture--"We only care when it's too late." Have to remember: An organization has to be right 100% of the time. A bad actor only has to be right once!

    When you see their networks performance bog down, check the DDoS maps, and have an idea of their server configuration, you get a pretty good idea of what sort of attacks and vulnerabilities are being exploited.

    In the US, personal information security laws are very lackluster, and most private industry requirements involve financial data, health, and proprietary laws. There are very few personally identifying information laws, which is why you, the consumer, are also the product.

    I would recommend ensuring your account does not have stored financial data and using unique passwords. This will insulate you from the eventual fallout of a breach. Since game sessions are poorly managed, which is likely why basic exploits crash the servers (might have been patched recently) and IPs can be mapped, I'd also recommend using a VPN.
    • Up x 1
  10. AntDX316

    Back in Runescape, I was thinking one day all the stats would be wiped. Even in Planetside 2, I wouldn't be surprised if my account no longer worked, the outfit were disbanded, or Planetside 2 closed down. I really like the game, but I'm not expecting it to last forever (though I hope it does). Same with Google or anything we use, including our own lives. Look at Ukraine and Russia. A lot of the ways we go about life are built on not-so-stable foundations: infinite money pumping, data being held and trusted from matters we truly don't 100% know how it all works. We can all think the sun won't explode, the moon won't crash into Earth, the moon won't leave orbit, our hearts won't stop beating tomorrow, etc. Most of the time we don't think about these operational matters that always seem to have been working forever. If the devs have it all handled, great. We will continue to play just as we will continue to exist hour by hour, day by day, month by month.
    • Up x 1