Note: This is a modified version of my post on the RSOF [QFC]277-278-105-63939404[/QFC]

Introduction

I think most people here know me, or at least know of me. I have been playing RuneScape on and off for well over 10 years now; some people here may have met me at RuneFest in 2010 or 2011. Like many other people in the past I've been the victim of account thefts and lost what would probably now be the equivalent of billions of GP (loss of partyhats). It's an incredibly frustrating and stressful experience and it's not always the user's fault: 0-day exploits and social engineering methods play a part, as well as the more common keylogging and phishing scams.

I have created a concept (well, put together rather than invented) for a more secure way of logging in to RuneScape or any of Jagex's properties. It's called 2-step verification and it is very similar to what Google uses, as well as other games such as World of Warcraft, Diablo III, Rift, Star Wars: The Old Republic and many more.

Back in 2008 Jagex proposed a scheme whereby you could purchase a USB-sized secure key which you could use to generate a unique code to log in. At the time Jagex were planning to offer increased bank space as an incentive to get people to purchase these keys. Unfortunately there was outrage from a vocal minority of the community about how paying real money (for a key) could get you an in-game advantage (more space), and so, along with possibly prohibitively expensive costs, the project was cancelled.

Fast forward to 2012 and the world and community is a different place. Security technologies have improved, and smartphone usage has risen to over half of the population in America, with similar figures in Europe and most of the western world. This means that mobile app authenticators have become much more viable, cost effective and easy to distribute.
Why this is needed

An authenticator prevents unauthorised access to a RuneScape account even if you are unlucky enough to have your password compromised, meaning that no one can steal your in-game items or even cause you real-life monetary loss by using up your Solomon RuneCoins or Squeal of Fortune spins. The recent bannings of high-profile dicers and the mugging of a player with an imitation firearm go to show how much real value some people (legitimately or not) put on our characters and items. The theft of items can in theory net a malicious "hacker" thousands of pounds.

How to set it up

To set up 2-step verification you would log in to your account on the RuneScape homepage and go to your 'account settings'. In the list of account options there would be a new line of text underneath 'Recovery Questions' called '2-step verification'. Clicking the + sign would expand the information, where you would then get the option of setting it up in three different ways:

1. SMS text message on your mobile phone
2. Smartphone app
3. Secure key

You MUST enter your mobile phone number regardless of which option you choose to set up. This is in case you cannot get online using the smartphone app (perhaps it is out of sync with the server, or your smartphone is broken and you are using a backup phone with your normal SIM), or if you have broken or lost your secure key.

If you only choose option 1, then after you have typed your mobile phone number in you will be sent an SMS text message with a special code. You then need to verify this code on the RuneScape homepage. You will then have option 1, SMS verification, enabled. I will explain how it works when trying to log in shortly.

If you choose option 2 then you will first need to enter your phone number as with option 1, but after you have verified the number you need to go to an additional step. You will then be instructed to download an app for your smartphone.
Apps would be available for the key providers: iOS (iPhone, iPad, iPod touch), Android and Windows Phone 7.5 (or WP8 when it's out). If you do not have a compatible phone then you can click a button to simply choose option 1, or you can cancel the process altogether. Once you have downloaded the correct app you can press the next button online. To synchronise your account you would choose the option in the app to add an account, and a barcode scanner would activate on the phone. On the browser screen a barcode would be showing and you would be instructed to scan this using your phone. Once you have done this another verification code would show on your phone. You simply type this into the browser box provided, press 'complete verification' and then it would be enabled.

Option 3 is slightly different and is effectively the canned original idea from Jagex of using a dedicated secure key about the same size as a USB stick which generates a unique code every minute or so. To set this up you would first have to order it from the Jagex store. These could be sold at a cost of around $10 plus post and packaging. To activate it you would need to type the code that shows on the key into the RuneScape homepage set-up first, and then it would work just the same as options 1 and 2, where you have to type in the verification code showing on the key on login to the game or website. If you lose the key you can use the backup phone number you provided in an earlier step to request a code to log in to the RuneScape homepage and deactivate 2-step verification until you order a new one or change your method to option 1 or 2.

How it works

The look of the app could be something like the concept below (please forgive my naff Photoshop skills). Basically, on opening the app it shows a large 8-digit verification code which changes every minute, and then a new one is displayed.
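To show how the app's rolling code and the server's check of it could fit together, here is an added example written for this page (not the post's or Jagex's code). It assumes an RFC 6238 style time-based one-time password, as used by the Google Authenticator app the post compares itself to, with the post's 8 digits and 60-second step, and a shared secret that the setup barcode carries to the phone.

```python
import hmac
import hashlib
import struct
import time

# Assumed design, not Jagex's implementation: RFC 6238 TOTP built on RFC 4226 HOTP.
# The post's proposal: an 8-digit code that changes every minute.
STEP_SECONDS = 60
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """What the phone app displays: HOTP over the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = STEP_SECONDS, digits: int = DIGITS, skew_steps: int = 1) -> bool:
    """Server-side check. Accepts the current step plus skew_steps on either side,
    so a phone whose clock is slightly out of sync with the server still works
    (the post's 'out of sync' failure case). Comparison is constant-time."""
    current = unix_time // step
    for counter in range(current - skew_steps, current + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample secret; in the proposal it is what the setup barcode
    # transfers to the phone during enrolment, and it never leaves the two ends.
    shared_secret = b"constructed-demo-secret"
    now = int(time.time())
    shown = totp(shared_secret, now)
    print("code the app would show:", shown)
    print("server accepts it:", verify_totp(shared_secret, shown, now))
```

A production verifier would additionally record the last accepted counter per account and refuse to accept the same code twice, so that a code captured by a keylogger cannot be replayed inside the skew window.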
If you have enabled 2-step verification then when you log in to the RuneScape webpage, forums etc. you will be taken to a second page after the username/password which asks you for the verification code. If you have chosen the SMS option then you will shortly receive a code which is valid for one use only to allow you to log in. If you have chosen to use the app option then you will need to type in the code displayed before the timer runs out. If you open the app and see it's about to change, simply wait a few seconds for the next code to be displayed.

A small tick box would show under the verification box which says 'remember this computer for 30 days'. This would use cookies to remember your computer so you wouldn't need to enter a verification code each and every time. If you have your browser set to clear cookies regularly then you will need to enter the code more often.

Logging in to the game would work in a similar way. You type your username and password as normal, and before you get to the lobby you are asked for the verification code. This works exactly the same as logging in to the website and also gives you a 'remember' tick box.

What to do if you lose your phone or get a new number

Well, there are a few things that Jagex could do. For example you could set up a backup phone number from a family member or trusted friend, or Jagex could provide an emergency one-use backup code which you will be asked to print out and put in your wallet for safe keeping. With this you could log in to update your phone number. Otherwise you would have to go through the recovery questions just like a forgotten password.

Costs

Ideally options 1 (SMS) and 2 (app) should be free to the player. However, I understand that this would require significant development time to work with the Jagex billing system, and so the maximum I would suggest Jagex charge would be 69p/$0.99 or whatever the minimum fee for apps is on the relevant app stores.
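The 'remember this computer for 30 days' cookie is the part of the design most easily got wrong, since a stolen cookie skips the second step. Here is an added example (not the post's or Jagex's design) of issuing it as a server-signed, expiring token bound to one account; the server key, the token layout and the account names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed design: the cookie only proves that this browser passed the second
# step earlier. It carries no password, no shared secret and no one-time code.
REMEMBER_SECONDS = 30 * 24 * 3600
SERVER_KEY = b"constructed-server-key-keep-secret"   # constructed placeholder


def _sign(payload: bytes, key: bytes = SERVER_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def issue_remember_cookie(account: str, issued_at: int, key: bytes = SERVER_KEY) -> str:
    """Called once the user has entered a valid verification code and ticked the box."""
    payload = json.dumps({
        "acct": account,
        "exp": issued_at + REMEMBER_SECONDS,
        "nonce": secrets.token_hex(8),   # lets the server revoke a single device later
    }, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload, key)}"


def check_remember_cookie(cookie: str, account: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """True only if the signature is valid, the cookie has not expired, and it was
    issued for the account that just entered its password (a cookie for another
    account must not skip that account's second step)."""
    try:
        body, sig = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, TypeError):
        return False
    if not hmac.compare_digest(_sign(payload, key), sig):
        return False            # tampered with, or not signed by this server
    data = json.loads(payload)  # safe to parse: signature already verified
    return data["acct"] == account and now < data["exp"]


if __name__ == "__main__":
    t0 = 1_000_000              # constructed issue time
    cookie = issue_remember_cookie("player1", t0)
    print("valid after 29 days:", check_remember_cookie(cookie, "player1", t0 + 29 * 86400))
    print("valid after 31 days:", check_remember_cookie(cookie, "player1", t0 + 31 * 86400))
```

The cookie should also be set with the Secure and HttpOnly flags so it travels only over HTTPS and is not readable by scripts.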
A dedicated secure key would obviously have a charge because it is a physical device with a manufacturing cost. Other game companies sell these for around the $10 range.

Other bits

This is just an initial concept I have devised based on my experience of other services which use similar things. This would be entirely optional and so no one would be forced into it. There are immense benefits to this, which mean that if you lose your password to a phishing site or 0-day exploit, or even if you are keylogged, a "hacker" could not access your account. 2-step verification works because of the two types of things you need to access your account: something you know (password) and something you physically have (phone). This would also save Jagex significant time in investigating account thefts and returning accounts to the rightful owner.

Obviously the Jagex recovery system would need significant rework too, to prevent accounts being socially engineered away by the recovery system being gamed, as someone could just claim they simultaneously forgot their password and also got a new phone/deleted the authenticator app etc. I feel that if this were to be implemented there also need to be radical improvements to the recovery system. I strongly believe that the recovery system is the weak link, and so even with 2-step verification activated it would need vast improvements as well. New guidelines should be published on how to create more secure recovery questions. With so much personal information available via social networks, YouTube and even searching whois databases, people should be discouraged from recovery questions such as “mother’s maiden name”, “first school”, “pet’s name”, “favourite band” etc. Instead people should use information which is easy for a player to remember or find out but impossible for a person to remotely discover.
For example “the first 5 numbers from a vehicle identification number” or “print number from the painting hanging in the hallway”. There are many suggestions from people on this forum and on the RSOF on how to improve the recovery process, but the crux is what happens after someone has successfully entered sufficient information. If a person has activated 2-step verification then, on a successful recovery claim, the person does not get to choose what the password should be; instead a password is created by the Jagex recovery system and sent via SMS to the number they used on setup. If a person does not have this phone number anymore they can opt to also have a copy of the new password sent to the backup phone number. This way, even if a malicious “hacker” has managed to find out enough information to impersonate me to Jagex support, without physical access to my phone they cannot access my account.

I think I've got everything in my head down. I hope this makes sense.