Original Post — Direct link

You can now secure your account with two factor authentication by going to "Account Security" after logging into the client.

Finally!

Edit: Looks like it's only email 2FA. Better than nothing I guess.

about 2 years ago - /u/riotdanhonks - Direct link

i was hoping no one would notice until i got my banger memes ready

y'all noticed this a bit earlier than we had anticipated, so the Learn More link is broken on the page. coming soon. promise!

we'll have a more official post coming soon as well. like i said, we weren't expecting it to be noticed, but y'all are observant

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by nypato123

It might have slipped by if not for the giant banner that popped up when I logged in.

hey i made that banner

about 2 years ago - /u/some__other__guy - Direct link

Originally posted by riotdanhonks

i was hoping no one would notice until i got my banger memes ready

y'all noticed this a bit earlier than we had anticipated, so the Learn More link is broken on the page. coming soon. promise!

we'll have a more official post coming soon as well. like i said, we weren't expecting it to be noticed, but y'all are observant

hey dan i am ready for your memes

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by some__other__guy

hey dan i am ready for your memes

👉😎 👉

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by tautviux

will there be more than email option in the future ?

At this time, I don't want to make any promises about future features.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by OnyxWarden

How does one make banger 2FA memes?

It's not something that can be taught, sorry

also who said they were 2fa memes?

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by penguin-cat

awesome, got it

looks like only email 2FA right now tho

Yes, for the time being this is only email MFA.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Riley_

Wish we could use mobile authentication, so I don't have to put a secure password on my email account.

As things stand, your email account is the keys to the kingdom for your account, and this would not change even if we introduced mobile based authentication, or if you used OAuth. You should use a secure password and two factor authentication on your email.

If you don't wanna juggle multiple passwords like this, I would recommend using a password manager so you only have to remember one good one.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by antl34

Why would anybody care enough about a league account to 2FA it

Emotional and time investment aside, as others have covered, accounts that are botted/scripted/sold - you get the idea - are overwhelmingly accounts that are compromised by someone.

Enabling MFA helps make your own account secure, but additionally, every account secured with MFA is one less account that is significantly less likely to get compromised and sold to someone who wants to script, bot, or be super toxic in games.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Riley_

Yeah. I am starting to switch everything to a password manager. I lost my friends list cause someone got in my Riot account.

You guys are one of fewer and fewer services left where someone can log in from a new location and change their email address without any kind of mobile verification.

If you have a verified email address, it is not currently possible to change your email address without demonstrating you have access to the original email address; the account management portal has had two-factor authentication like this for quite some time.

We could add mobile verification to that, but like I said, our current policy (which is in line with most other services out there) is that if you have access to the email address of the account holder, you are the account holder. It also does not sit well with me personally that we would be required to collect your phone number, or that you need a smart phone, in order to benefit from a core security measure.

That said, if you don't have your email verified, yes, this is a big problem. We will revisit the scope of this problem in the future to see if we can't shift more players to have verified emails.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by dancoe

Anyone know if enabling this will make you use 2FA every time you open league from the same computer?

Or is it just for new locations?

You will need to go through the prompt every time you log into the Riot Client - if you tick 'stay signed in', then you don't have to worry.

This is usually not a problem, but if you have multiple accounts, this might not be ideal. I would still recommend enabling it.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by MibitGoHan

Fun fact, a lot of those other places that use mobile identification have given your number to telemarketers.

not if they operate in the EU they don't

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by JoshQuest1

They're a meme that you have to use Reddit and Twitter to get.

Ceci n'est pas une pipe.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Burpmeister

Shoutout to some random Riot security worker who a few years ago told me that League doesn't have and/or need 2fa because "it would annoy some players".

Hi.

I am that security worker, and that is not what I said. :) I do not believe I have ever said or implied that MFA is not necessary or something that Riot should implement, but I am the primary person within our team that has engaged on social media.

What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it - Since the odds are that if you'll engage with a security measure without an incentive, then you're probably doing pretty good for security already.

That still stands. MFA will prevent a lot of attacks we see, but most of the attacks we see will be on players that are not and will not engage with security measures, and that is always going to be a challenge for us. The problem is that implementing something on this scale requires a large amount of investment that might be better spent elsewhere. If we're going into it knowing that it might not have the impact we want, then that's not a great sell.

The difference between then and now means we were better equipped to be more confident about how MFA would land and that it would have the impact we needed for it to be justified without releasing an additional incentive, but our work isn't finished, there's still more to be done to improve the security of our players beyond just email-based MFA.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by pmpvb

Not trying to be hostile but what makes Riot better equipped now about MFA when lots of other gaming companies before seemed to be able to implement their versions of it just fine? Even more comprehensive versions too (at least for now).

Lots of reasons. Off the top of my head:

  • Many (most?) game companies don't have to retrofit their solution to work with hundreds of millions of players across multiple platforms (Web, Desktop, Native Mobile).
  • Despite Riot's growth, we still have a very limited number of engineers for the weight class we are in. Prioritising projects that span the entire breadth of our product offering is challenging and needs a compelling argument to prioritise it over something else. I'd have to guess that at least 100 people were involved in making this happen, from engineers to QA to player support, comms... and a lot of those people are working on teams that have other commitments (like the most recent Riot X Arcane event)
  • We know that MFA is going to be enabled by a minority of players, and it might not have the security impact we want. However, due to some research we conducted (which I cannot get into), we decided that now was a good time to implement it - It's not going to get any easier to implement it.
  • In the past, we felt like there were other things we could achieve that would have a larger impact on player security than MFA. It's not that that was the wrong decision to make, but a lot of the bigger things we could have done, well, we have done, or are in the process of doing. Many of these things are not visible to players.
  • This is the first tranche of things we're working on for player security. We're dedicating resources toward that goal, and that's not something we had a dedicated function for before.

I do still feel like MFA is not going to have the uptake that we'd like it to have. We're going to be working on ways to increase that, and as you've highlighted there are a lot of ways that other companies do this better than we do. This is, however, our first iteration, so, watch this space.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by darkacesp

Bitwarden is a good one I recommend. Otherwise Dashlane and LastPass are staples, not sure if LastPass allows for mobile and desktop sync or if you have to pay for that.

I use BitWarden in my personal life. It's alright. The autofill is a bit flaky on Android though.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by 00Koch00

No thanks, I'm not that stupid to lose my account nor put simple or leaked passwords that are in password dictionaries

If I got compromised to this in 2016, you are absolutely capable of being pwned by it too.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by zeinterrupter

It isn't ideal but is it planned to be changed (to only one 2FA on a set computer/location) or is it gonna stay like this?

I'm not sure what the long term plan is at the moment when it comes to remembering devices. There will be an official article coming out with more information sometime soon and I'd recommend checking that.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by poor_lil_rich

you must think customers are stupid, that they're willing to give you their number

Luckily for them, they can still benefit from MFA. This is email only, and it's unlikely we'd enable SMS based MFA as it has a lot of flaws.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by r_MoshiDog

You do have the option in the PC client to select remember this device, which will not prompt for a 2FA code again for a certain number of days.

Yeah, sorry, I lumped that in with 'stay signed in'. I had major brain worms later on yesterday evening

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by bigmadsmolyeet

can we eventually have the option for TOTP. Email 2fa is fine, but TOTP would be a great add

Can't make promises about features but, yes, I would consider TOTP a core requirement

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by ruvskiten

What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it

If account security is a widespread problem and y'all want to try to reach those people who 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.

Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.

If account security is a widespread problem and y'all want to try to reach those people who 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.

That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins.

I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by JACOBSMILE1

Hijacking this thread because it's probably not going anywhere beyond this point...

Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?

  • SMS - 99% likelihood will not be supported
  • TOTP - I would consider it a core feature but I can't make promises on timelines, it's not my place to do that

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by MibitGoHan

Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes

We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.

They're absolutely selling them as well, companies like that have no morals.

I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that.

It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by XDME

Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).

Hi, just letting you know I've seen this and will reply when I can.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Sterenn

My email does not support 2FA sadly.

Hi, just letting you know I've seen this and will reply when I can.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by WiatrowskiBe

Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.

Hi, just letting you know I've seen this and will reply when I can.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by WiatrowskiBe

This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.

Hi, just letting you know I've seen this and will reply when I can.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by XDME

Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).

Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality.

  • SMS hijacking/swapping attacks - it's relatively straightforward to break SMS 2FA for specific targets. This is the main security reason to not enable SMS 2FA but it's not something I am concerned about that much - the number of players that would be affected by this is minuscule. However, the people who would be impacted by it would be rather high profile and this would undermine trust in both Riot and the 2FA system.
  • SMS 2FA requires cell service. I live in the middle of a city and cell service is very patchy here. Some cell providers will also charge you for receiving automated texts, or you may need to pay a contract to have cell service at all.
  • Phone numbers are an extra piece of tier 1 personal information we would need to collect. When designing a system, it's important to minimize the amount of personal information you need to collect for it to function. Storing personal information is not free, and we may run into legal issues. We have global accounts now and we'd have to account for the scenario where users store their personal information with us but want to access it from different data jurisdictions.

As many phones these days are smart phones, it's difficult to justify using SMS-based MFA, which would require collecting a lot of personal information. For anyone who does not use a smart phone, they have email.

Of course, if the only option was SMS MFA or nothing then we'd support it, but since there are alternatives that don't require collecting phone numbers, I'd prefer we go with that. With the demographics of the playerbase we have, I think it is a safe bet that most players who would want to enable MFA will have either a smart phone or access to their email when playing one of our games.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Sterenn

My email does not support 2FA sadly.

Could you clarify? Do you mean that your email provider does not offer 2FA to its customers? Or are you somehow encountering issues with MFA from Riot due to your email provider?

I would strongly recommend changing email provider if that is the case.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by WiatrowskiBe

Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.

So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that, currently, U2F devices are not prevalent.

I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale.

My opinion following - I do not have the power to effect this view across Riot:

If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device.

I'm no oracle, but with the way tech is going, I think the bet that mobile devices are going to be the nexus of your digital identity (and thus the thing that stores key material for you) is the way the world is going and I think it makes sense for Riot to move in that direction too.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by WiatrowskiBe

This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.

This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA.

I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.

I don't think it's likely that we will provide token generators like Blizzard did, or U2F keys, but TOTP support is definitely something we are interested in for the reasons you list.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by koobzar

any plans on making a totp auth?

I've mentioned a few times in this thread: It's not my place to make promises but if it were entirely up to me (it is not) then yes

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Serinus

Man, I was all ready to go to finally secure my Riot account... and then find it's only email.

Hopefully this is just the beginning of the scope and you can add yubikey/FIDO2/U2F and TOTP.

Here are some starting resources. Yeah, I should probably implement this in something myself somewhere, since it'd take a bit of work.

TOTP: https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3

FIDO2: https://webauthn.guide/

Respectfully, we don't need assistance on implementing these things in the form of guides. The primary limitation to projects of this scale is not in the form of code or know-how. It's logistical. I could go and write the TOTP implementation right now in my text editor, but getting that out to all of our games is significantly more complicated.

We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
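
Since the reply above says the TOTP code itself is the easy part, here is what that part looks like: an added example written for this page, not Riot's code, implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library only. The secret value is the reference secret from RFC 6238 Appendix B; the issuer and account names in the provisioning URI are placeholders. Beyond generation, it shows the two server-side details a practitioner actually gets wrong: accepting a small clock-drift window and refusing to accept a code for a counter that has already been used.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, now // step, digits, algo)


def verify_totp(secret: bytes, code: str, now: int, last_counter=None,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Accepts +/- `window` steps of clock drift, compares in
    constant time, and refuses any counter at or below `last_counter` so a code
    that was already used (phished, shoulder-surfed) cannot be replayed.
    Returns (accepted, counter_to_store)."""
    base = now // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI that authenticator apps scan as a QR code. Secret is
    Base32 per the Key URI format; padding stripped because many apps reject '='."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))          # RFC vector: 94287082
    print(provisioning_uri(rfc_secret, "player@example.com", "ExampleIssuer"))
```

The stored `last_counter` is what turns TOTP from "something the user has" into something that is also single-use; without it, a code captured by a phishing page remains valid for the rest of its 30-second step plus the drift window.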

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Serinus

We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.

Are you more likely to support these things if I do or if I don't enable the email option?

I think TOTP is a core requirement of a successful MFA solution regardless of how good the uptake of email-based MFA is.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by Serinus

Riot should also recognize how they're an industry leader and moves they make will have effects downstream and in their own future.

It's a relatively small cost project when you consider it in the larger scheme like that.

I am aware of this and that's why I am interested in software proposals like IndieAuth rather than relying on The Big Companies as OAuth providers (I have not proposed changing how we do this in the company just yet as IE needs a bit more maturation).

I don't think there is much value to the business in U2F devices, like Yubikeys, in games, even when we consider that. I do feel like mobile devices are going to be the way to go there.

That said, I'm an IC and not a business strategist. I don't feel like the juice is worth the squeeze on U2F, all the same; we have limited resources and the resources spent on U2F would probably have better return on investment for Riot and its players if spent on devices we already know players have and are invested in.

Supporting U2F would be a big investment, would not work across all devices, for minimal gain, only to provide value for a lot of people who honestly already are pretty well-engaged in security. I think U2F is better used when protecting corporate assets.

about 2 years ago - /u/riotdanhonks - Direct link

Originally posted by DragonlordSupreme

Hey, just wanted to let you know that the authentication system just spammed me with hundreds of emails until I finally logged in

Yeah, so we're seeing situations where some people are getting a lot of emails and the team are already trying to reduce that.

There's no bug here; the system is working as intended, sending an email when someone enters the correct username and password for your account. If you're getting lots of emails - and it wasn't you who tried to log in - well, you should change your password :)

We'll be trying to reduce the number of emails sent in this scenario so it looks less like the system is freaking out and more like "oh, actually, maybe my account has been compromised".

Good job on enabling MFA, because you just saved your account from being sold.
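
The reply above describes the behaviour (one email per correct-password login, so a credential-stuffing run floods the inbox) and the intended fix (fewer emails, and a signal that reads as "my password is known"). As an added example, not Riot's implementation, the following shows one way to build that gate in Python: a single code per validity window, re-sent at most once per cooldown, and after a few repeated triggers the re-send is replaced by an explicit warning. The mailer callable, the constants, and the in-memory store are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 600          # seconds an issued login code stays valid (assumed value)
RESEND_COOLDOWN = 60    # minimum seconds between two emails to the same account (assumed)
ALERT_AFTER = 3         # correct-password logins within one TTL before we warn instead of re-sending
MAX_ATTEMPTS = 5        # wrong codes tolerated before the challenge is discarded


@dataclass
class Challenge:
    code: str
    issued_at: float
    last_sent_at: float
    triggers: int = 1    # how many times the correct password was presented during this TTL
    attempts: int = 0    # how many codes have been tried against this challenge


class EmailOtpGate:
    """Sits after password verification. One code per TTL window, at most one
    email per cooldown, and an explicit 'someone has your password' warning
    once the same account keeps re-triggering the challenge."""

    def __init__(self, send):
        self.send = send           # hypothetical mailer: send(address, subject, body)
        self.active = {}           # account -> Challenge (in-memory stand-in for a real store)

    def on_password_ok(self, account: str, email: str, now: float) -> str:
        """Called only after username+password verified. Returns what happened."""
        ch = self.active.get(account)
        if ch is None or now - ch.issued_at > CODE_TTL:
            code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, 6 digits, leading zeros kept
            self.active[account] = Challenge(code, now, now)
            self.send(email, "Your login code", f"Code: {code}")
            return "sent"
        ch.triggers += 1
        if now - ch.last_sent_at < RESEND_COOLDOWN:
            return "suppressed"       # a valid code is already in their inbox; do not mail again
        ch.last_sent_at = now
        if ch.triggers >= ALERT_AFTER:
            self.send(email, "Repeated sign-in attempts",
                      "Your password was entered correctly several times. "
                      "If this was not you, change it now.")
            return "alerted"
        self.send(email, "Your login code", f"Code: {ch.code}")   # re-send the same code, not a new one
        return "sent"

    def verify(self, account: str, code: str, now: float) -> bool:
        ch = self.active.get(account)
        if ch is None or now - ch.issued_at > CODE_TTL:
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.active[account]   # burn the challenge: brute force gets 5 guesses out of 10^6
            return False
        if hmac.compare_digest(ch.code, code):
            del self.active[account]   # single use
            return True
        return False
```

Re-sending the same code rather than minting a new one is deliberate: the legitimate user keeps one valid code no matter how many times the attacker trips the gate, while the attacker, who never sees the inbox, learns nothing from the extra triggers.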

almost 2 years ago - /u/riotdanhonks - Direct link

Originally posted by znaczki65

Can I ask you whether MFA by TOTP on app (either Authy like or Riot Mobile) or even a hardware security key is planned in the future to settle for people's needs?

TOTP support is something we are working on. I don't think we have any plans for hardware security keys right now, but it would be cool if we could one day do that.