Recover Your Account Without The Hassle
Often enough, if not every day, player accounts are recovered by the wrong people, who intend to use their ill-gotten goods for malicious purposes or personal profit. None of this is news to the astute player. Indeed, if you've attempted to recover your own account, some of you would be surprised at how easy it is to retrieve a lost or forgotten password. Even then, at times, you had to wait a while before your appeal was accepted. I've waited for six days on one of my account recoveries.
This is all well and good for legitimate players, in terms of easy account recovery. But how do we keep the baddies at bay? Unfortunately, we can't prevent them all from gaining access to your account. We can try to educate players about how to better secure their accounts, though. I have an idea that will help with this. The solution is simple, but effective.
Recovery PINs. In short, these PINs (Personal Identification Numbers) are unique, randomly generated 10-character alphanumeric codes. On the surface, they are much like the redemption codes you can find on the back of a RuneScape game card. But in reality, they are much more: they are a convenient security measure. When you register an account (existing accounts get one too), a unique PIN is assigned to it. This PIN is sent to your player inbox. You will be notified and automatically directed to the new message.
How Recovery PINs Work
Upon being read, the message disclosing the PIN code is deleted from the server, while the PIN itself stays attached to the account. Only you will have seen the PIN. Your account always has exactly one PIN at any given time. The PIN can never be changed or removed by a player, only by Jagex's account recovery system (see "Redeeming your PIN" below). Players are instructed to write down the PIN code in a safe place. The steps taken so far have an immediate advantage: a perpetrator digging through your personal info can't find the PIN, because the only message that ever showed it was deleted when you read it. Two caveats a careful reader should keep in mind: the server must still keep something to check the PIN against (it should keep a salted hash of the PIN rather than the PIN itself, so that a leaked database does not hand it out), and the PIN is only as secret as your inbox was at the moment you read that message. If your account was already compromised before you read it, the intruder may have read it first.
But the Recovery PIN has a second advantage more central to its concept. The PIN, when entered into an account recovery form, overrides any other info supplied in the form. All you have to do is type it in the appropriate box, and a confirmation e-mail is sent to your e-mail address. Confirm the recovery, and you get your account back instantly. The Recovery PIN is the most valuable piece of information your account can ever possess.
It's more valuable than your first password and even more valuable than your subscription information. Why is the Recovery PIN so valuable? Because the whole design rests on the assumption that the only person who knows this PIN is you. Nobody else can obtain it: it's random and far too long to guess, it's flexible (it rotates after every use, see below), and the message disclosing it is deleted from Jagex's servers when you read it. Presumably, you're the only person who read that message, so who else could know?
You'll notice I said the PIN is flexible. This is a necessary fail-safe feature. In the worst-case scenario, someone obtains your password and changes it after they're done with your account. Clearly, this isn't something you want. The best outcome in that situation is that your account is compromised but you can recover it instantly thanks to your PIN, and that the intruder's knowledge is worthless afterwards because the PIN is replaced as part of the recovery.
Redeeming your PIN
Each time you attempt a recovery, a confirmation e-mail is sent to your e-mail address. If an intruder tries to recover your account with the PIN, they need access to your e-mail as well to confirm the recovery. If someone tries to change or remove the e-mail address on your account, an e-mail is sent to your current address informing you of the change/removal request. Because the e-mail account is now part of your recovery chain, ensure that your e-mail password is different from your RuneScape password and that your computer has an up-to-date anti-virus and firewall.
When the recovery is confirmed, a new PIN is generated for your account and sent to your inbox after you set your new password. If your account doesn't have an e-mail registered, the recovery attempt needs no confirmation. Take care to write down the new PIN, as the message will be deleted from the server afterwards. This whole process occurs over a secure, encrypted connection, so no one on the network can 'listen in' on the conversation between your computer and the server. Note that encryption protects the connection, not a computer that is already infected.
If your computer drops the connection, the inbox will hold back the new PIN until the secure connection with the server is re-established by the same computer that first launched the recovery sequence, at which point you will be redirected to your inbox. It's highly recommended that you scan your computer for viruses before you initiate the recovery sequence, so malicious programs like key-loggers can't record your info.
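To make the flow above concrete, here is a small model of it in Python. This is an added example written for this post, not Jagex's code; it assumes (as the post does not spell out) that the server stores only a salted hash of the PIN, that a handful of wrong PINs on the recovery form locks the account, and that e-mail and inbox delivery are replaced by an in-memory list. Account names, passwords and the e-mail address are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import List, Optional, Tuple

PIN_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols
PIN_LENGTH = 10                                        # 36**10 possible PINs
MAX_PIN_ATTEMPTS = 5  # assumption: the post names no lockout threshold


def generate_pin() -> str:
    """Random 10-character alphanumeric PIN from a CSPRNG, as the post describes."""
    return "".join(secrets.choice(PIN_ALPHABET) for _ in range(PIN_LENGTH))


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash. The server must keep something to verify the PIN
    against; it keeps this rather than the PIN itself (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, email: Optional[str]) -> None:
        self.name, self.password, self.email = name, password, email
        self.pin_salt, self.pin_hash = b"", b""
        self.pin_attempts, self.locked = 0, False
        self.pending_token: Optional[str] = None
        self.outbox: List[Tuple[str, str]] = []  # stand-in for inbox + e-mail
        self.issue_pin()

    def issue_pin(self) -> str:
        """Assign a fresh PIN: store only its hash, deliver the cleartext once."""
        pin = generate_pin()
        self.pin_salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.pin_salt)
        self.pin_attempts = 0
        self.outbox.append(("inbox", pin))
        return pin

    def read_inbox(self) -> str:
        """Reading the message deletes it server-side; only the hash remains."""
        msg = next(m for m in self.outbox if m[0] == "inbox")
        self.outbox.remove(msg)
        return msg[1]

    def last_email(self) -> Optional[str]:
        """What someone who controls the registered mailbox would see."""
        mails = [body for kind, body in self.outbox if kind == "email"]
        return mails[-1] if mails else None

    def request_recovery(self, pin: str) -> str:
        """Step 1: the PIN overrides every other field on the form.
        Returns 'locked', 'bad_pin', 'check_email', or, for an account with
        no e-mail registered, the confirmation token itself."""
        if self.locked:
            return "locked"
        if not hmac.compare_digest(hash_pin(pin, self.pin_salt), self.pin_hash):
            self.pin_attempts += 1
            if self.pin_attempts >= MAX_PIN_ATTEMPTS:
                self.locked = True  # online guessing stops here; unlocking is
                # the out-of-band Jagex process the post mentions, not modelled
            return "bad_pin"
        self.pin_attempts = 0
        self.pending_token = secrets.token_urlsafe(16)
        if self.email is None:
            return self.pending_token  # nothing to confirm
        self.outbox.append(("email", self.pending_token))
        return "check_email"

    def confirm_recovery(self, token: str, new_password: str) -> Optional[str]:
        """Step 2: present the token, set a new password, receive a new PIN."""
        if self.locked or self.pending_token is None:
            return None
        if not hmac.compare_digest(token, self.pending_token):
            return None
        self.pending_token = None
        self.password = new_password
        return self.issue_pin()  # the old PIN is now useless to whoever had it


def walkthrough() -> dict:
    """The post's worst case, end to end, on constructed sample accounts."""
    acct = Account("player", "hunter2", "player@example.invalid")
    pin = acct.read_inbox()                    # owner writes the PIN down
    acct.password = "pwned"                    # intruder changed the password
    status = acct.request_recovery(pin)        # owner: PIN alone is enough
    new_pin = acct.confirm_recovery(acct.last_email() or "", "new-pass")
    r = {"owner_needed_email": status == "check_email",
         "owner_recovered": acct.password == "new-pass" and new_pin is not None,
         "old_pin_dead": acct.request_recovery(pin) == "bad_pin"}
    # Intruder who learns the new PIN but not the mailbox cannot finish.
    leaked = acct.read_inbox()
    r["intruder_blocked"] = (acct.request_recovery(leaked) == "check_email"
                             and acct.confirm_recovery("guess", "x") is None)
    # Guessing PINs through the form locks the account ("!" is not in the alphabet).
    for _ in range(MAX_PIN_ATTEMPTS):
        acct.request_recovery("not-a-pin!")
    r["locked_after_guessing"] = acct.request_recovery(leaked) == "locked"
    # No e-mail registered: recovery completes without a confirmation step.
    alt = Account("alt", "pw", None)
    token = alt.request_recovery(alt.read_inbox())
    r["no_email_immediate"] = alt.confirm_recovery(token, "pw2") is not None
    return r


if __name__ == "__main__":
    print(walkthrough())
```

The two checks worth copying into any real implementation are the constant-time comparisons (hmac.compare_digest) and the attempt counter: a 10-character code from 36 symbols is unguessable offline, but only if the recovery form refuses to be used as an oracle.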
Of course, always be careful where you keep your sensitive information, and make sure your computer has up-to-date virus protection. If your account is broken into, Jagex can lock it, and you can supply the details you first registered with the account. In that case Jagex will also look at the IP address of the computer attempting the recovery. It's very unlikely that your account will fall into someone else's hands.
Of course, this feature won't stop everyone who recovers accounts for malicious purposes or profit, but it should stall the great majority of them, considering how unlikely it is for someone to obtain your Recovery PIN. In the end, only you can make your account as secure as it can be. This is why you need to educate yourself on how best to secure your account. Write down all your sensitive info on paper, or store it on a very secure computer. Keep that info in a safe place where people are least likely to look for it.
Pros and Cons of PIN Recovery
The benefits of the PIN can be summed up this way:
- Quicker -- Instant account recovery and access once the recovery e-mail is confirmed (if you have an e-mail registered).
- Flexible -- Your PIN only changes when your account is compromised, as part of recovering it, so anyone who learned the old PIN is left with nothing.
- Unique -- The PIN is a ten-character alphanumeric code, which gives about 3.6 quadrillion (36 to the power 10) possibilities. Two accounts sharing a PIN, or someone guessing yours, is vanishingly unlikely.
- Secure -- Only you see the PIN. The message disclosing it is deleted after you read it, and the server keeps only what it needs to check the PIN.
- Careful -- A confirmation e-mail is sent to your address whenever the system logs a recovery attempt (if you have an e-mail registered).
The main drawback: if someone does obtain the PIN, they can recover the account, and as long as they keep the PIN they can do so repeatedly. With e-mail confirmation this is now highly unlikely, since the intruder would also need control of your mailbox to redeem the PIN, and a successful redemption replaces it.
Do you have any questions, concerns, or comments you'd like to voice here? I thought about including a "Disable PIN" feature where the owner could disable the PIN, but then the intruder could disable the PIN too. I don't want the PIN to be removed because when the account is compromised, how else can the owner recover it as quickly and easily? Comments/suggestions don't have to be exactly about this issue, but they would be appreciated. Thank you to Dev for his suggestions.
Thanks for reading.
Log of Edits: October 10, 2011: Added a paragraph below "Redeeming Your PIN". Updated "Pros & Cons" section of post.