WildStar, the new MMORPG from Carbine, recently announced an incentive to players to make use of two-factor authentication by adding a free mount to those accounts that use an authenticator.
From 10th July 2014, any accounts that are secured with 2FA will have the new Retroblade Mount added to their account. Players who already use an authenticator will find the new mount in their inventory from 10th July.
Carbine are adding this along with other perks, such as a 2% XP boost, Cybernetic Eyepatch, and in-game title, in an attempt to get more players to take charge in securing their own accounts.
Whilst they haven’t gone as far as making authenticators mandatory, and are unlikely to, as there are still players who would not be able, or would be unwilling, to add an authenticator, it is a way to increase awareness of the importance of account security.
Recent discussions on the WildStar forums have been focused around the 2FA process, its weaknesses or how it could be improved. These are all issues that come up again and again because of incidents of account hacking, botting and gold-selling.
WildStar’s authenticator process is not unusual, and includes the use of a rotating keypad for the code entry. A source of irritation for some players, but another level of protection for others.
Carbine have been criticized for lacking IP-based protection within the game. If account details are stolen, they can be used from anywhere in the world with no additional confirmation. This is different than other big name MMOs, such as Blizzard’s World of Warcraft, where an unrecognized IP must be validated if an account does not use an authenticator.
An authenticator can only be removed by using the code from the authenticator that is currently attached to your account. However, there is a potential security issue: the same code that was last used to log into the game can be used again. If a trojan on the user’s computer is able to intercept login details, it can also immediately access the website and permanently remove the authenticator from the account. The user will still receive a notification email, so anyone who receives such a message should immediately access their account or contact WildStar’s support.
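The code reuse described above is what RFC 6238 guards against by requiring a verifier to refuse a code it has already accepted. The following is an added example, not Carbine's code: it assumes a standard RFC 6238 TOTP authenticator with 30-second steps, and `Verifier`, `login_then_remove`, the key and the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the RFC 6238 default (assumed, not confirmed for WildStar)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Checks codes for one account on every endpoint (login, authenticator removal)."""

    def __init__(self, secret: bytes, single_use: bool, drift: int = 1):
        self.secret = secret
        self.single_use = single_use
        self.drift = drift        # accepted clock skew, in time steps
        self.last_counter = -1    # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for counter in range(max(0, current - self.drift), current + self.drift + 1):
            if not hmac.compare_digest(totp(self.secret, counter), code):
                continue
            if self.single_use:
                if counter <= self.last_counter:
                    continue      # already consumed: refuse the replay
                self.last_counter = counter
            return True
        return False

def login_then_remove(single_use: bool) -> tuple:
    """The user logs in; the same code is presented again 5 s later for removal."""
    secret = b"constructed-demo-secret"   # constructed sample key
    now = 1_404_950_400.0                 # constructed timestamp (10 July 2014 UTC)
    verifier = Verifier(secret, single_use)
    code = totp(secret, int(now // STEP))
    return verifier.verify(code, now), verifier.verify(code, now + 5)
```

With `single_use=False` both requests succeed, which is the behaviour the paragraph describes; with `single_use=True` the second request fails and removal has to wait for the next code.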
There is also another potential security issue with accessing customer support. Users have commented on the forums that after contacting Carbine support to request an authenticator be removed, it was, with no additional request for proof of identity. This is a potential issue if an email account is compromised, as the attacker could perhaps remove an authenticator without the user’s knowledge.
There are still no confirmed incidents of accounts being hacked whilst using an authenticator. Common passwords, password re-use and account phishing are the common attacks that allow access to user accounts. Adding an authenticator is one of the best ways to protect an account. Even the best security practices in the world cannot always guard against exploits and vulnerabilities in 3rd party software, such as Flash, Windows or even the servers themselves, as recently seen with the Heartbleed bug.
For users who cannot use a smartphone, WinAuth exists as an alternative. Although it does not have the same physically protected storage as a non-rooted Android phone or an iPhone, it does provide encryption and password protection of secret keys, as well as locking the data to the Windows account or installation.
Something is better than nothing. Get one, cupcake.