RuneScape replaces JAG with 2FA authenticator

2014-06-23

RuneScape announced recently they were removing their JAG security in favour of using a time-based one-time code authenticator.

See the official announcement.

There are many apps for smartphones, including Android, iPhone and Windows phone that are able to keep you secret key secure. This is one of the advantages and points about two-factor authenticator (2FA), that the device that generates the code is separate from the device that uses it.

Use of authenticator technology has become a necessary part of online gaming, where social engineering still ranks as the main attack and to which many gamers often and unintentionally fall victim.

Adding and using an authenticator is a quick and painless process. When logging in on an untrusted device you are asked for a six digit code, which you get by just opening your authenticator app.

However, not everyone has a smartphone and some users would like a backup or alternative way to generate their authenticator codes.

WinAuth has been around since 2010 and has been used with other gaming services, such as Blizzard’s Battle.net including World of Warcraft, Diablo III and Starcraft. WinAuth also supports Trion’s Rift and GuildWars 2.

Encryption

WinAuth, like all authenticator apps, stores the secret key on the device and requires that the key is kept private. Encryption is done using a password as well as using Windows own built-in account protection that can lock data to an account or specific computer. This way, if the file is stolen from you, and even if they knew your password, a hacker could still not access the authenticator data.

So if you do run WinAuth on the same computer as games are installed, make sure to add a password in use the “encrypt to only be useable on this computer” protection.

Backups

You should make a backup in case you ever delete your Windows account or re-install Windows, as otherwise your authenticator will be permanently lost. This can be done simply by right-clicking your authenticator in WinAuth and choosing “Show Secret Key…”. Write the code down on a piece of paper and put it somewhere safe.

Common Issues

The RuneScape wiki has a guide explaining how to add an authenticator and use WinAuth on a computer or laptop. Armoede also has written a useful post with some troubleshooting help.

Most common issues with WinAuth, are:

1) There is no specific RuneScape authenticator, it uses the standard implementation, which in WinAuth is called the “Google Authenticator”. So that’s the one you need when you click the Add button.

2) When adding your new authenticator, you must click OK to save it.

3) If you get an invalid code, it is most likely a clock issue. Right-click your authenticator in WinAuth and choose Sync Time. Then get a new code and try again.

4) To see your code, click the Refresh icon on the right. Your code will show for 10 seconds. Or, you can right-click and choose “Auto Refresh”, where the code will always be visible.