
Jagex Account Guardian


Mercifull


I'm not sure if I mentioned landline support in my original concept thread but I definitely agree with you there. As well as support for SMS and smartphone app there should definitely be audible codes as well not just for those without a cellphone but for visually impaired. A dedicated physical secure key could also be sold via the Jagex store for people with no access to a phone at all.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


Ok I might be a bit premature posting this here but noticed something on the official RuneScape wiki when I accidentally clicked on a mod's contributions. I noticed that today they have been making a page which currently is titled JagexHidden Testpage1.

 

Don't want to sadden this great find, however, you can change the "1" to any number sequence and it loads the same page ("You do not have permission to access JagexHidden Testpage999999999.")

Except none of the pages other than the one I have posted show in the Recent changes page.

 



 

I'm calling this. If I'm wrong then you can all beat me with a rubber chicken in central Varrock.

 

How would this work?

 

Same way google does it.

First step is to synchronise the app and your account.

Then both the jagex servers and your app generate identical key codes valid for about 30 seconds at a time and keep doing this indefinitely.

When you log-in it'll ask for the key code.

Short of being an insanely lucky sob to guess the right code out of the possible millions or hacking jagex servers, grabbing the data and decoding it all before the code expires there is no way to get in unless you have the phone app to show you the current code.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


 

 

I'm calling this. If I'm wrong then you can all beat me with a rubber chicken in central Varrock.

 

How would this work?

Check out this thread http://forum.tip.it/topic/313950-2-step-verification-for-runescape-concept/ but yeah in short, it's pretty much Google's system.


 

I'm calling this. If I'm wrong then you can all beat me with a rubber chicken in central Varrock.

 

How would this work?

 

Same way google does it.

First step is to synchronise the app and your account.

Then both the jagex servers and your app generate identical key codes valid for about 30 seconds at a time and keep doing this indefinitely.

When you log-in it'll ask for the key code.

Short of being an insanely lucky sob to guess the right code out of the possible millions or hacking jagex servers, grabbing the data and decoding it all before the code expires there is no way to get in unless you have the phone app to show you the current code.

 

Ah I see, I could've used that a few months ago >.>.


99 farm easy


Long, long, long overdue update and Mercifull's find is very promising that this could come sooner than I expected, *clears space on my android smart phone for the inevitable app*

To be fair, this system should have been introduced from day 1. Just a shame that technology and cash constraints stopped Andrew, Paul and Constant doing something along these lines when RS membership started back in 2002.

Quest Cape Achieved 10/08/2012

TFU: Ruinous Edge


A piece of glass in the sand under your feet, it cuts you deep and it makes you hate the beauty that you see.


Seriously hope they do not allow email as one way to get the code. It is stupidly easy to take over email accounts, minus google (with 2 step enabled). Furthermore, email is one of the largest, if not the largest, reason recovering/hacking is so bad today. Just really seems to null the entire thing to use email to get the code.

 

And I agree, landline usage should absolutely be enabled as well. It's possibly even more secure than using a cell phone, as you can't really steal a land line. While I don't know of any, there are probably ways to somehow intercept texts or hack into apps. And in this day when players' banks reach the hundreds of bills (a small percentage yes), and therefore thousands and thousands of USD, I can see someone somehow doing all that for an RS account. And if the tech to take over apps/intercept texts does not exist yet, I can see that developing as 2 step becomes more and more popular.

 

I'd personally go with the SMS/app way if you'd need it every time you login. But I do use landline verification for some of my 2 step emails, does not really make sense to me to have all 2 step verified emails linked to one device. Yea there is usually a secondary way to contact you, but still, better to be safe than sorry as they say :P

I am not a skiller, but i do some skills.


I'm not sure if I mentioned landline support in my original concept thread but I definitely agree with you there. As well as support for SMS and smartphone app there should definitely be audible codes as well not just for those without a cellphone but for visually impaired. A dedicated physical secure key could also be solved via the Jagex store for people with no access to a phone at all.

I agree entirely with this.

 

Btw, your post, great find (the screenshot).


I agree about not allowing email. Unless you have 2-step on your email then it's barely more secure than if you had nothing at all really. And if you do have 2-step on your email it would seem silly to use email as the second verification system for something else :S


I'm not sure if I mentioned landline support in my original concept thread but I definitely agree with you there. As well as support for SMS and smartphone app there should definitely be audible codes as well not just for those without a cellphone but for visually impaired. A dedicated physical secure key could also be solved via the Jagex store for people with no access to a phone at all.

I agree entirely with this.

 

Btw, your post, great find (the screenshot).

 

A few years back, Jagex came out of the idea with a USB dongle, and they even came out with a poll on it. I think the idea was scrapped because

A) the poll indicated it wasn't financially feasible

B) the majority of players only wanted it because it was supposed to come with extra bank slots since your account "was more secure"

 

I'll go find the link.

Edit: Why can't I find old polls?

Working on max and completionist capes.

2435/2475


I'm not sure if I mentioned landline support in my original concept thread but I definitely agree with you there. As well as support for SMS and smartphone app there should definitely be audible codes as well not just for those without a cellphone but for visually impaired. A dedicated physical secure key could also be solved via the Jagex store for people with no access to a phone at all.

I agree entirely with this.

 

Btw, your post, great find (the screenshot).

 

A few years back, Jagex came out of the idea with a USB dongle, and they even came out with a poll on it. I think the idea was scrapped because

A) the poll indicated it wasn't financially feasible

B) the majority of players only wanted it because it was supposed to come with extra bank slots since your account "was more secure"

 

I'll go find the link.

But since then Jagex have had more backing from IVP (for better or worse) and found another form of steady income other than recurring memberships, i.e. SOF/SGS, this could be the difference maker in such a device being made & sold this time around.

Can't say I'll ever be a fan of IVP, but if their involvement in Jagex helps fund these dongles I'd be a very happy customer knowing my account is that much more secure.


I'm not sure if I mentioned landline support in my original concept thread but I definitely agree with you there. As well as support for SMS and smartphone app there should definitely be audible codes as well not just for those without a cellphone but for visually impaired. A dedicated physical secure key could also be solved via the Jagex store for people with no access to a phone at all.

I agree entirely with this.

 

Btw, your post, great find (the screenshot).

 

A few years back, Jagex came out of the idea with a USB dongle, and they even came out with a poll on it. I think the idea was scrapped because

A) the poll indicated it wasn't financially feasible

B) the majority of players only wanted it because it was supposed to come with extra bank slots since your account "was more secure"

 

I'll go find the link.

Edit: Why can't I find old polls?

http://services.rune...em?allcat=false

 

That's the old newspost about it though.

 

You have to remember that technology has improved since the idea was first proposed. The advent of smartphones means that large numbers of people could take advantage of a more secure system without physically buying a secure key.


I don't think that there would be any link to SoF or Solomon. Mark Gerhard originally comes from a security background and I'm confident that RuneScape will very shortly have a very good system for making our characters safe.


Linking JAG to SOF/SGS would be the stupidest decision that IVPex have ever thought of, and they have a lot of competition in that department :/


I don't think that there would be any link to SoF or Solomon. Mark Gerhard originally comes from a security background and I'm confident that RuneScape will very shortly have a very good system for making our characters safe.

Paranoid comment about how the new people behind the game turned around a stance made by someone else 10 years ago. Comment about how this logically means that everything will cost real money, flavored with a hint of anti-capitalist/anti-American rhetoric. Close post with a threat to quit the game should this happen (Or a comment about this justifying a decision to quit earlier this year).

 

Did I miss anything? :twss:

 

In all seriousness, it's about time he finally showed off that security background he kept mentioning all those years ago, though I'm a firm believer in the idea that the best security system is the one you don't notice.


You have to remember that technology has improved since the idea was first proposed. The advent of smartphones means that large numbers of people could take advantage of a more secure system without physically buying a secure key.

Technology in general, yes. Security dongles were in use (I don't know if they still are) nearly 20 years ago to allow employees to access secure networks. My mom was a computer securities expert for the military and I still remember the one she had (and how super paranoid she was about it, as my brother found out one day :lol:).

 

It's about time someone figured out a way to utilize the increasing ubiquitousness of smartphones to generate a completely electronic version. Even if people don't have a smartphone, a physical device could be offered, say a USB flash drive, that will only allow people to log into the account when it's plugged in. I have a client whose control systems use a similar device to prevent unauthorized use of the software, and if it's not plugged in the program simply won't run.

 

There are so many options that it's kind of mind boggling that they haven't figured out a way to secure our accounts short of e-mail verification.

 


THE place for all free players to connect, hang out and talk about how awesome it is to be F2P.

So, Kaida is the real version of every fictional science-badass? That explains a lot, actually...


Any good method would require a physical item which they simply haven't wanted to distribute because the physical item costs money to make.

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


That's true, but the cost per unit produced would be very low. USB flash drives can be purchased from a retail store for a little over $1 per GB, so just imagine how low the wholesale cost would be. Especially when bought in the quantities Jagex would need. Personally, I wouldn't have a problem with a one-time cost of $10-$15 for one (and even voted that way when it first came up years ago) to ensure my account was secure.

 


That's true, but the cost per unit produced would be very low. USB flash drives can be purchased from a retail store for a little over $1 per GB, so just imagine how low the wholesale cost would be. Especially when bought in the quantities Jagex would need. Personally, I wouldn't have a problem with a one-time cost of $10-$15 for one (and even voted that way when it first came up years ago) to ensure my account was secure.

 

Those aren't USB flash drives that they use. I've said calling them "usb dongles" is misleading. They don't connect to a computer at all. Blizzard, Sony, and Square Enix all use a modified VASCO Digipass drive, which are the best and pretty much the only company who will make deals with game developers. When Blizzard launched the WoW authenticator, they pointed to the price ($6.50) as providing zero profit for Blizzard, due to the cost of getting the dongles and systems from VASCO. That's why the mobile authenticators are free.

 

If Blizzard and Sony don't have the ability to create it themselves, and thus had to go to a third party, I highly doubt Jagex could avoid the same pitfall. If you want a non-mobile authenticator, expect to pay $6-7 for it.


That's true, but the cost per unit produced would be very low. USB flash drives can be purchased from a retail store for a little over $1 per GB, so just imagine how low the wholesale cost would be. Especially when bought in the quantities Jagex would need. Personally, I wouldn't have a problem with a one-time cost of $10-$15 for one (and even voted that way when it first came up years ago) to ensure my account was secure.

 

Those aren't USB flash drives that they use. I've said calling them "usb dongles" is misleading. They don't connect to a computer at all. Blizzard, Sony, and Square Enix all use a modified VASCO Digipass drive, which are the best and pretty much the only company who will make deals with game developers. When Blizzard launched the WoW authenticator, they pointed to the price ($6.50) as providing zero profit for Blizzard, due to the cost of getting the dongles and systems from VASCO. That's why the mobile authenticators are free.

 

If Blizzard and Sony don't have the ability to create it themselves, and thus had to go to a third party, I highly doubt Jagex could avoid the same pitfall. If you want a non-mobile authenticator, expect to pay $6-7 for it.

 

That's not the only type of authentication. A good backup method is to use entropy to generate a key value pair that you associate with your account. This could be done with simple software on the device, or stored as a raw binary file and distributed. It would be fairly cheap now, a very tiny flash drive can hold enough data. That extra authentication could be added if a user desired. Password safe software uses this method a lot. I am not sure how secure it is compared to the VASCO system though.


That's not the only type of authentication. A good backup method is to use entropy to generate a key value pair that you associate with your account. This could be done with simple software on the device, or stored as a raw binary file and distributed. It would be fairly cheap now, a very tiny flash drive can hold enough data. That extra authentication could be added if a user desired. Password safe software uses this method a lot. I am not sure how secure it is compared to the VASCO system though.

 

I can't vouch for 100% truth, but according to Blizzard when rumors started about people with authenticators being hacked, they reported that they have never seen a single case of an account with an authenticator being broken into. I'm not saying the VASCO system is the only system, but it does appear to be the dongle of choice for MMOs at the moment.
