Quote

*** Some text changes below to indicate finalized wording used on the website and dates ***



On April 2nd, we are changing some aspects of our Authentication system. In our first notification of the most visible of the changes on March 5th (http://www.swtor.com/community/showthread.php?p=5954106) we were still waiting on the last few background systems to be confirmed as ready. Now that they are ready, today's notification also includes those changes as well.



email



On April 2nd, the following changes are going live:
Display Name only login
One-Time Password (via email) replacing Security Questions and Answers during Authentication
Self-service for Forgot my Display Name
Self-service for Lost my Security Key
Self-service for Remove my Security Key
Self-service for Move my Security Key

As a result of the original announcement of the initial overall change, there were a lot of questions raised. I'm going to try and give as much detail as I can here to try and answer any questions you might otherwise have, and that way we can focus on anything missed.



Here are some of the questions I expect might get asked. Accordingly I'm going to let one of my ducks do the asking so I can make a first go at answering them...



Quote: Originally Posted by MrYellowDuck Why can't we use our email address? It's awesome! Quack! All the best companies use email address as username!

for certain that the account is associated with the website (or game!). For SWTOR this does not mean that the attacker could then take over an account, but it would give them the knowledge of who to craft a phishing attack against and have a higher rate of success in gaining access to information such as Answers to Security Questions. Without the link to email address, they also won't know the needed information in order to target the email account itself for a take-over in order to gain access to SWTOR and anything else linked to that email account.



This change will remove the ability to link (based on knowledge of the correct password) to your SWTOR account.



Even today if an attacker gets the right password they will not be able to gain access to your account, and with this change they will not be able to figure out which email address to send a phishing attack at, or which email account to try and take over. This allows us to place more trust in the ownership of the email account as being validation that we are (electronically) talking to the owner of the account.



Quote: Originally Posted by MrYellowDuck Using Display Name is insane! I will be hacked! *ruffle feathers* You have given the bad guys my username! Half the battle is now lost! I'm 50% less secure!



We put in other controls before the launch of the game during 2011 such as the existing Security Questions and Answers system in order to protect your account even if an attacker managed to get the correct username and password. That security control aspect is not going away (although the 'remember' part is for the website and game launcher). In reality we are making it harder for an attacker, and giving you more control on the security of your account.



Let's look at the different pieces needed to successfully log in today:
Display Name or Email Address
Password
Security Key or Authorized Location
Non-Authorized Location via Security Question and Answer

Then let's look at the different pieces needed to successfully log in from April 2nd onwards:
Display Name
Password
Security Key or Authorized Location
Non-Authorized Location via One-Time Password (via email)
Access to your Email Account

From the get-go, we have never considered the username to be 'hidden' or 'secret'. It never factored into our security model as something to secure, as we have worked on the basis that the attacker already knows it. This is also why we have not provided a self-service system for Security Keys: because the email address is easy (for an attacker) to associate with a SWTOR account, we have had to presume they will phish or attack the email account itself. De-linking the email account means that an attacker who knows the username has no knowledge of who to phish or attack. This means they continue to be unable to take over your account.



There are hundreds of millions of known username/password data rows available on the Internet, including well over 100 million unique email addresses. Most of these compromised details use email address as the username... It is this fact that dictates that attackers will know the username for at least some accounts regardless of any secrecy we may try to implement. You can check your own email address at http://pwnedlist.com/ for instance, as one of the posts on the previous thread indicated.



So no, we have not given away 50% of the security. Half the battle is not lost. You should not care that anybody else knows your username. You should instead think they may have it already.



That said, you should care about your password, both on SWTOR as well as on your email account. It is especially important to use a unique password on your email account if nowhere else. I would recommend looking at a two-factor solution for your email account and will give the 2-Step authentication feature on GMail as an example. Google 2-Step today



Quote: Originally Posted by MrYellowDuck I don't want my Display Name to be public! I disagree with everything you are saying!



This is not something that is planned for April 2nd.



It is also not something that can be easily implemented in a matter of minutes. Regardless of if the change would be as simple as adding a column in a database, there is still getting that data presented to the website securely, providing the ability to input data into the column itself (again securely), and that is before we have our awesome QA team make sure the functionality works as expected. We won't say 'soon' on this feature, as it is too early to be able to predict when this could be rolled out.



Quote: Originally Posted by MrYellowDuck What is this 'One-Time Password' you speak of?



With the Security Question and Answer system in place today, it is sometimes possible for an attacker to research a person well enough to be able to have a chance of guessing the correct Answer if they have already got the correct username and password. It is also possible to phish for the Answer if you know the email address.



Changing to a One-Time Password system actually decreases the chance an attacker would be able to guess the correct 'answer': not only will the One-Time Password be randomized each time it is set, there will only be a small number of chances to guess the correct code before the randomization reoccurs and a new password is sent. This keeps a concept called 'entropy' (as applied outside of thermodynamics and instead focusing on 'the degree of disorder or uncertainty in a system') at an extremely high level. If you want an example as applied to passwords, I highly recommend reading XKCD (http://xkcd.com/936/).



If anybody ever does actually guess the One-Time Password, they should immediately go out and buy a single-line lottery ticket. Actually they would have far more chance winning the lottery in the first place. Far, far more chance...



Quote: Originally Posted by MrYellowDuck Your new system will allow anybody to lock me out! *peck!* This is pathetic!



As soon as we detect an attempt to log in from a new 'location', we prompt that location for a One-Time Password which will be delivered to your Email Account (or Security Questions and Answers today). It is only after that prompt is verified that we will move the new location into an Authorized Location status. We do not remove your current Authorized Location as soon as a new location is detected. We keep a number (no I won't say how many) of Authorized Locations in the system, so an attacker can try to lock you out, but they will never succeed as they first have to validate themselves using the One-Time Password. Once the person with access to the Email Account validates using a One-Time Password, from that point forward you will be able to log in from that new Authorized Location and as a result there is no point where an attacker can actually lock you out.
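As an added example (not SWTOR's code, and not taken from this post), here is a small Python model of the flow described above: a login from a new location triggers an emailed One-Time Password, wrong guesses are capped before the code is re-randomized and re-sent, and only a verified code promotes the location onto a bounded list of Authorized Locations, so an unverified attempt never displaces an existing one. The digit count, attempt cap, expiry and location bound are assumptions (the post deliberately does not state them), and the password change that clears Authorized Locations follows the advice given later in the post.

```python
import hashlib
import hmac
import secrets
import time
from collections import OrderedDict

# Assumed parameters: the post only says "a small number" of guesses and
# "a number" of Authorized Locations, so these values are constructed for the demo.
OTP_DIGITS = 8
MAX_OTP_ATTEMPTS = 3
OTP_TTL_SECONDS = 600
MAX_AUTHORIZED_LOCATIONS = 5


def guess_success_probability(digits=OTP_DIGITS, attempts=MAX_OTP_ATTEMPTS):
    """Chance of guessing a uniformly random code before it is re-randomized."""
    return attempts / 10 ** digits


class EmailOTPChallenge:
    """One-Time Password for one login location. The plaintext goes out through
    `send_email` (a stand-in for the mail system); the server keeps only a salted
    hash. After MAX_OTP_ATTEMPTS wrong guesses, or on expiry, a fresh code replaces it."""

    def __init__(self, send_email, now=time.time):
        self._send_email = send_email
        self._now = now
        self.rotations = 0  # how many codes have been issued so far
        self._rotate()

    def _rotate(self):
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.sha256(self._salt + code.encode()).digest()
        self._issued = self._now()
        self._attempts = 0
        self.rotations += 1
        self._send_email(code)

    def verify(self, guess):
        """True exactly once, for the current code; wrong guesses count toward rotation."""
        if self._now() - self._issued > OTP_TTL_SECONDS:
            self._rotate()
            return False
        digest = hashlib.sha256(self._salt + guess.encode()).digest()
        if hmac.compare_digest(digest, self._digest):
            self._digest = b""  # burn the code so it cannot be replayed
            return True
        self._attempts += 1
        if self._attempts >= MAX_OTP_ATTEMPTS:
            self._rotate()
        return False


class Account:
    """Display Name + password, plus the Authorized Location list from the post."""

    def __init__(self, display_name, password, send_email, now=time.time):
        self.display_name = display_name
        self._send_email = send_email
        self._now = now
        self._set_password(password)
        self.authorized = OrderedDict()  # location -> time it was authorized
        self._pending = {}               # location -> EmailOTPChallenge

    def _set_password(self, password):
        # Demo credential storage: salted PBKDF2 (a real deployment tunes the cost).
        self._pw_salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, 100_000)

    def _password_ok(self, password):
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._pw_salt, 100_000)
        return hmac.compare_digest(candidate, self._pw_hash)

    def login(self, display_name, password, location):
        """Returns 'denied', 'ok' (known location) or 'otp_required' (new location).
        A new location never touches the existing Authorized Locations."""
        if display_name != self.display_name or not self._password_ok(password):
            return "denied"
        if location in self.authorized:
            return "ok"
        if location not in self._pending:
            self._pending[location] = EmailOTPChallenge(self._send_email, self._now)
        return "otp_required"

    def submit_otp(self, location, code):
        """Only a correct code promotes the location; the oldest entry is dropped only
        when the bound is exceeded, so a mere attempt locks nobody out."""
        challenge = self._pending.get(location)
        if challenge is None or not challenge.verify(code):
            return False
        del self._pending[location]
        self.authorized[location] = self._now()
        while len(self.authorized) > MAX_AUTHORIZED_LOCATIONS:
            self.authorized.popitem(last=False)
        return True

    def change_password(self, new_password):
        """As the post advises, a password change removes the existing Authorized Locations."""
        self._set_password(new_password)
        self.authorized.clear()
        self._pending.clear()
```

Passing a list's `append` as `send_email` lets you see the codes the "mail system" would deliver; in the model the attacker who lacks mailbox access can burn through attempts at a new location without ever changing which locations are authorized, and with the assumed 8 digits and 3 attempts their chance per code is 3 in 10^8.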



Quote: Originally Posted by MrYellowDuck You don't know what you are doing! You will break my Origin account with all my EA games! I won't be able to log on there with my email address any more!



Quote: Originally Posted by MrYellowDuck But what about my current location? Will I need to be sent a One-Time Password on April 2nd along with everybody else???



Quote: Originally Posted by MrYellowDuck Hang on, if I migrate and have to play from an Internet Cafe while flying to my summer home, will anybody be able to take over my account?



The second alternative is to change your password as soon as possible (from your smartphone or tablet perhaps?) after playing, as that will remove the existing Authorized Locations.



Quote: Originally Posted by MrYellowDuck You just told the hackers all your secrets! What the? Are you mad? No security 'professional' would ever do that!

Kerckhoffs's principle if you want a more technical view of the background of this maxim). Relying on Security by Obscurity (assuming a username can be kept secret for example) is not a direction we aim towards.



Quote: Originally Posted by MrYellowDuck Do I have to log in with my character name? It has weird and wonderful characters in it that I can't type easily! What do I have to do?



Quote: Originally Posted by MrYellowDuck Well I don't know my Display Name! What do I do?

www.swtor.com (or www.starwarstheoldrepublic.com for those that like typing lots), log in and your Display Name will appear in the upper-right of the website.



Starting April 2nd, you will be able to have your Display Name sent to you via email as part of our first self-service option.



Quote: Originally Posted by MrYellowDuck You just said you would use my email address to recover my Display Name? I thought you said email addresses are bad?



I actually like email addresses and don't think they are bad. They just don't always suit being used as a username based on how we implement the different aspects of authentication.



Quote: Originally Posted by MrYellowDuck Hang on, I'm a new Free To Play account. I have no email address. What can I do?



Quote: Originally Posted by MrYellowDuck Are you getting rid of all my Security Questions and Answers? I liked them. Lots.



Of course, we want to keep your accounts secure, so we are not reducing security to try and save costs; instead we are changing security slightly.



For the Free To Play accounts, Security Questions and Answers are also required when you want to purchase something from us.



Quote: Originally Posted by MrYellowDuck Is there anything I should do? I'm but a simple duck and computers and stuff are not my strong point.



As we transition from relying on Answers to Security Questions to sending a One-Time Password to you via email when authenticating, the security of your own Account becomes something you can impact directly by making sure your Email Account is also secure.



I would recommend you look at the following or get a more computer savvy friend to help:
Use a unique, complex and as lengthy a password as you can (stressing it is used nowhere else) on your email account

Where possible add a two-factor system to your email account - 2-Step on GMail is a great example

Make sure your connections to email are secured by SSL or similar. Basic SMTP (sends email in plain text) can easily disclose your password to somebody watching your network as can unsecured POP3 or IMAP

Ensure you have a good AV program installed and kept up to date. Microsoft Security Essentials for example is free on Windows and is one of many great choices

Don't visit hacker websites (or for that matter most adult-entertainment sites). A lot of them have virus attacks included in viewing the pages

Don't open attachments on emails that you aren't expecting. You have more chance of winning the lottery by buying a ticket in a shop...

Don't click links you don't know inside emails. Go to the website you think you need to go to and type the url in the hard way. Takes longer, but helps protect you...

There are many other things you can do - research 'securing my home computer' on Google and do 'all the things' you can!

Quote: Originally Posted by MrYellowDuck Why are you wasting all this time on changing something that I don't think needs changing? Make better graphics! Put in more flashpoints! We want more content, not more security! *peck!*



Quote: Originally Posted by MrYellowDuck You keep mentioning two-factor. What does that mean?

In the security field, when waffling on about authentication we talk of two-factor quite a bit. Two-factor (or dual-factor) is actually not 'the most secure' that we can be, as it really stands for 'two of three factors'. Those factors are:
Something I know (e.g. password)
Something I am (e.g. biometrics)
Something I have (e.g. security key)

I have often thought that putting all three factors in place would be awesome, but nobody liked my 'pint of blood in order to play' suggestion, so we haven't moved into biometrics as a requirement.

As it is sure to come up, let us be clear that Security Questions and Answers (SQAs) are not truly two-factor. It's the first factor applied twice, so it leaves us in a hybrid/grey area which counter-intuitively is actually very secure. Just not as secure as a true two-factor system.

The key implementation that we are currently missing as mandated for all players is 'Something I have'. The Security Key is available and doing well today, and while I would love to see more people using them, we are not pushing people to have a Security Key as a mandatory requirement. Truth be told we deliberately do not make a profit on the physical security key, and absorb all of the cost of the mobile security key.

One last thing that I should also point out: the Security Key is a time-limited code that changes frequently. If you think somebody can brute force their way through an account secured by a Security Key, then you should look into lottery tickets. It's far easier to win the jackpot in the lottery...
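As an added illustration (not SWTOR's Security Key implementation, which the post does not describe), here is a standard RFC 6238 time-based one-time code in Python. The code is derived from a shared secret and the current 30-second time step, so it changes frequently, and a guess can only hit one of the few codes accepted in that window. The secret, step length, digit count and clock-skew tolerance are assumptions for the demo; the expected values used to check it are the published RFC 4226 / RFC 6238 test vectors.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters: the post says only that the Security Key code is time-limited and
# changes frequently; RFC 6238 defaults (30-second step, 6 digits) are used for the demo.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // step), digits)


def verify_totp(secret, code, at_time=None, step=STEP_SECONDS, digits=DIGITS, drift=1):
    """Accept the current step and `drift` adjacent steps either side (clock skew).
    Every candidate is compared in constant time and none short-circuits."""
    t = time.time() if at_time is None else at_time
    counter = int(t // step)
    ok = False
    for c in range(counter - drift, counter + drift + 1):
        ok |= hmac.compare_digest(hotp(secret, c, digits), code)
    return ok


def brute_force_success_probability(attempts_per_step, digits=DIGITS, drift=1):
    """Chance that `attempts_per_step` distinct guesses submitted within one time step
    hit any of the 2*drift+1 codes accepted during that step. Once the step rolls over
    the guesses are worthless, which is why rate limiting plus a short step keeps this tiny."""
    accepted = 2 * drift + 1
    return min(1.0, attempts_per_step * accepted / 10 ** digits)


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector seed), not a real key.
    demo_secret = b"12345678901234567890"
    print("code now:", totp(demo_secret))
    print("P(10 guesses in one step):", brute_force_success_probability(10))
```

The verifier's `drift` exists because the key's clock and the server's clock are never perfectly aligned; widening it trades a slightly larger accept set (visible in `brute_force_success_probability`) for fewer false rejections, so it is kept small and paired with an attempt limit.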





Quote: Originally Posted by MrYellowDuck OK, you have convinced me! Quack Quack! What is your email address so I can send you money via PayPal as thanks for all you have done?





OK, enough monologue from me! If you have questions or comments, please don't hesitate to reply. I can't promise an immediate turn-around, but we will be watching this thread and there will be replies when we can get them posted. I would however ask that you refrain from being too descriptive if you feel the need to say I'm wrong anywhere - the forum rules still apply.



Phillip Holmes

SWTOR Head of Security