You can now secure your account with two factor authentication by going to "Account Security" after logging into the client.
Finally!
Edit: Looks like it's only email 2FA. Better than nothing I guess.
i was hoping no one would notice until i got my banger memes ready
y'all noticed this a bit earlier than we had anticipated, so the Learn More link is broken on the page. coming soon. promise!
we'll have a more official post coming soon as well. like i said, we weren't expecting it to be noticed, but y'all are observant
It might have slipped by if not for the giant banner that popped up when I logged in.
hey i made that banner
hey dan i am ready for your memes
👉😎 👉
Will there be more than the email option in the future?
At this time, I don't want to make any promises about future features.
How does one make banger 2FA memes?
It's not something that can be taught, sorry
also who said they were 2fa memes?
awesome, got it
looks like only email 2FA right now tho
Yes, for the time being this is only email MFA.
Wish we could use mobile authentication, so I don't have to put a secure password on my email account.
As things stand, your email account is the keys to the kingdom to your account, and this would not change even if we introduced mobile based authentication, or if you used OAuth. You should use a secure password and two factor authentication on your email.
If you don't wanna juggle multiple passwords like this, I would recommend using a password manager so you only have to remember one good one.
Why would anybody care enough about a league account to 2FA it?
Emotional and time investment aside, as others have covered, accounts that are botted/scripted/sold - you get the idea - are overwhelmingly accounts that are compromised by someone.
Enabling MFA helps make your own account secure, but additionally, every account secured with MFA is one less account that is significantly less likely to get compromised and sold to someone who wants to script, bot, or be super toxic in games.
Yeah. I am starting to switch everything to a password manager. I lost my friends list cause someone got in my Riot account.
You guys are one of fewer and fewer services left where someone can log in from a new location and change their email address without any kind of mobile verification.
If you have a verified email address, it is not currently possible to change your email address without demonstrating you have access to the original email address; the account management portal has had two-factor authentication like this for quite some time.
We could add mobile verification to that, but like I said, our current policy (which is in line with most other services out there) is that if you have access to the email address of the account holder, you are the account holder. It also does not sit well with me personally that we would be required to collect your phone number, or that you need a smart phone, in order to benefit from a core security measure.
That said, if you don't have your email verified, yes, this is a big problem. We will revisit the scope of this problem in the future to see if we can't shift more players to have verified emails.
Anyone know if enabling this will make you use 2FA every time you open league from the same computer?
Or is it just for new locations?
You will need to go through the prompt every time you log into the Riot Client. If you tick 'stay signed in', then you don't have to worry.
This is usually not a problem, but if you have multiple accounts, this might not be ideal. I would still recommend enabling it.
Fun fact, a lot of those other places that use mobile identification have given your number to telemarketers.
not if they operate in the EU they don't
They're a meme that you have to use Reddit and Twitter to get.
Ceci n'est pas une pipe.
Shoutout to some random Riot security worker who a few years ago told me that League doesn't have and/or need 2fa because "it would annoy some players".
Hi.
I am that security worker, and that is not what I said. :) I do not believe I have ever said or implied that MFA is not necessary or something that Riot should implement, but I am the primary person within our team that has engaged on social media.
What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it - Since the odds are that if you'll engage with a security measure without an incentive, then you're probably doing pretty good for security already.
That still stands. MFA will prevent a lot of attacks we see, but most of the attacks we see will be on players that are not and will not engage with security measures, and that is always going to be a challenge for us. The problem is that implementing something on this scale requires a large amount of investment that might be better spent elsewhere. If we're going into it knowing that it might not have the impact we want, then that's not a great sell.
The difference between then and now means we were better equipped to be more confident about how MFA would land and that it would have the impact we needed for it to be justified without releasing an additional incentive, but our work isn't finished, there's still more to be done to improve the security of our players beyond just email-based MFA.
Not trying to be hostile but what makes Riot better equipped now about MFA when lots of other gaming companies before seemed to be able to implement their versions of it just fine? Even more comprehensive versions too (at least for now).
Lots of reasons. Off the top of my head:
I do still feel like MFA is not going to have the uptake that we'd like it to have. We're going to be working on ways to increase that, and as you've highlighted there are a lot of ways that other companies do this better than we do. This is, however, our first iteration, so, watch this space.
Bitwarden is a good one I recommend. Otherwise Dashlane and LastPass are staples, not sure if LastPass allows for mobile and desktop sync or if you have to pay for that.
I use BitWarden in my personal life. It's alright. The autofill is a bit flaky on Android though.
No thanks, I'm not that stupid to lose my account or put in a simple or leaked password that is in password dictionaries.
If I got compromised to this in 2016, you are absolutely capable of being pwned by it too.
It isn't ideal but is it planned to be changed (to only one 2FA on a set computer/location) or is it gonna stay like this?
I'm not sure what the long term plan is at the moment when it comes to remembering devices. There will be an official article coming out with more information sometime soon and I'd recommend checking that.
You must think customers are stupid, that they're willing to give you their number.
Luckily for them, they can still benefit from MFA. This is email only, and it's unlikely we'd enable SMS based MFA as it has a lot of flaws.
You do have the option in the PC client to select remember this device, which will not prompt for a 2FA code again for a certain number of days.
Yeah, sorry, I lumped that in with 'stay signed in'. I had major brain worms later on yesterday evening
Can we eventually have the option for TOTP? Email 2FA is fine, but TOTP would be a great add.
Can't make promises about features but, yes, I would consider TOTP a core requirement
What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it
If account security is a widespread problem and y'all want to try to reach those people whom 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.
Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.
If account security is a widespread problem and y'all want to try to reach those people whom 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.
That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins.
I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?
Hijacking this thread because it's probably not going anywhere beyond this point...
Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?
Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes
We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.
They're absolutely selling them as well, companies like that have no morals.
I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that.
It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA
Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).
Hi, just letting you know I've seen this and will reply when I can.
My email does not support 2FA sadly.
Hi, just letting you know I've seen this and will reply when I can.
Getting 2FA makes me hope that maybe, some day, in the future, we'll get a U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's a physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to a wider userbase.
Hi, just letting you know I've seen this and will reply when I can.
This depends on the service, and ones that have extensive 2FA support generally tend to not treat the email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused by bad email account security, a security breach at the email account provider, or the domain registrar/DNS provider (for people using their own domain). Last time I checked, GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.
I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.
Hi, just letting you know I've seen this and will reply when I can.
Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).
Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality.
As many phones these days are smart phones, it's difficult to justify using SMS-based MFA, which would require collecting a lot of personal information. For anyone who does not use a smart phone, they have email.
Of course, if the only option was SMS MFA or nothing then we'd support it, but since there are alternatives that don't require collecting phone numbers, I'd prefer we go with that. With the demographics of the playerbase we have, I think it is a safe bet that most players who would want to enable MFA will have either a smart phone or access to their email when playing one of our games.
My email does not support 2FA sadly.
Could you clarify? Do you mean that your email provider does not offer 2FA to its customers? Or are you somehow encountering issues with MFA from Riot due to your email provider?
I would strongly recommend changing email provider if that is the case.
Getting 2FA makes me hope that maybe, some day, in the future, we'll get a U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's a physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to a wider userbase.
So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that at present U2F devices are not prevalent.
I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale.
My opinion following - I do not have the power to effect this view across Riot:
If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device.
I'm no oracle, but with the way tech is going, I think the bet that mobile devices are going to be the nexus of your digital identity (and thus the thing that stores key material for you) is the way the world is going and I think it makes sense for Riot to move in that direction too.
This depends on the service, and ones that have extensive 2FA support generally tend to not treat the email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused by bad email account security, a security breach at the email account provider, or the domain registrar/DNS provider (for people using their own domain). Last time I checked, GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.
This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA.
I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.
I don't think it's likely that we will provide token generators like Blizzard did, or U2F keys, but TOTP support is definitely something we are interested in for the reasons you list.
Any plans on making a TOTP auth?
I've mentioned a few times in this thread: It's not my place to make promises but if it were entirely up to me (it is not) then yes
Man, I was all ready to go to finally secure my Riot account... and then find it's only email.
Hopefully this is just the beginning of the scope and you can add yubikey/FIDO2/U2F and TOTP.
Here are some starting resources. Yeah, I should probably implement this in something myself somewhere, since it'd take a bit of work.
TOTP: https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3
FIDO2: https://webauthn.guide/
Respectfully, we don't need assistance on implementing these things in the form of guides. The primary limitation to projects of this scale is not in the form of code or know-how. It's logistical. I could go and write the TOTP implementation right now in my text editor, but getting that out to all of our games is significantly more complicated.
We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
Are you more likely to support these things if I do or if I don't enable the email option?
I think TOTP is a core requirement of a successful MFA solution regardless of how good the uptake of email-based MFA is.
Riot should also recognize how they're an industry leader and moves they make will have effects downstream and in their own future.
It's a relatively small cost project when you consider it in the larger scheme like that.
I am aware of this and that's why I am interested in software proposals like IndieAuth rather than relying on The Big Companies as OAuth providers (I have not proposed changing how we do this in the company just yet as it needs a bit more maturation).
I don't think there is much value to the business in U2F devices, like Yubikeys, in games, even when we consider that. I do feel like mobile devices are going to be the way to go there.
That said, I'm an IC and not a business strategist. I don't feel like the juice is worth the squeeze on U2F, all the same; we have limited resources and the resources spent on U2F would probably have better return on investment for Riot and its players if spent on devices we already know players have and are invested in.
Supporting U2F would be a big investment, would not work across all devices, for minimal gain, only to provide value for a lot of people who honestly already are pretty well-engaged in security. I think U2F is better used when protecting corporate assets.
Hey, just wanted to let you know that the authentication system just spammed me with hundreds of emails until I finally logged in
Yeah, so we're seeing situations where some people are getting a lot of emails and the team are already trying to reduce that.
There's no bug here; the system is working as intended, sending an email when someone enters the correct username and password for your account. If you're getting lots of emails - and it wasn't you who tried to log in - well, you should change your password :)
We'll be trying to reduce the number of emails sent in this scenario so it looks less like the system is freaking out and more like "oh, actually, maybe my account has been compromised".
Good job on enabling MFA, because you just saved your account from being sold.
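The "hundreds of emails" situation above is a notification design problem rather than an authentication bug: every correct password without a completed code is a real event worth telling the owner about, but one email per attempt buries the signal. Below is an added example of one way to coalesce those alerts; it is not Riot's code and nothing in the thread says how their fix works. The 15-minute window, the message wording and the sample events are all my own constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed window: after the first alert, further attempts within this span are counted
# and reported once as a digest instead of one email each.
WINDOW_SECONDS = 15 * 60


@dataclass
class _Window:
    opened_at: int
    suppressed: int = 0
    sources: Set[str] = field(default_factory=set)


class LoginAlertCoalescer:
    """Emits one alert per account when a correct password is entered but the email
    code is not completed, then folds repeat attempts into a single digest."""

    def __init__(self, window: int = WINDOW_SECONDS) -> None:
        self.window = window
        self._open: Dict[str, _Window] = {}

    def record(self, account: str, source_ip: str, ts: int) -> List[str]:
        """Called per password-correct-but-unverified attempt; returns emails to send now."""
        emails: List[str] = []
        w = self._open.get(account)
        if w is not None and ts - w.opened_at >= self.window:
            emails.extend(self._close(account, w))   # window expired: emit its digest first
            w = None
        if w is None:
            self._open[account] = _Window(opened_at=ts)
            emails.append(
                f"[{account}] Your password was entered correctly from {source_ip} but the "
                "email code was not completed. If this wasn't you, change your password now."
            )
        else:
            w.suppressed += 1
            w.sources.add(source_ip)
        return emails

    def flush(self, now: int) -> List[str]:
        """Close every window that has expired by `now` (e.g. from a periodic job)."""
        emails: List[str] = []
        for account, w in list(self._open.items()):
            if now - w.opened_at >= self.window:
                emails.extend(self._close(account, w))
        return emails

    def _close(self, account: str, w: _Window) -> List[str]:
        del self._open[account]
        if w.suppressed == 0:
            return []   # a lone attempt already got its own alert; nothing to summarise
        minutes = self.window // 60
        return [
            f"[{account}] {w.suppressed} further attempts from {len(w.sources)} address(es) "
            f"were stopped at the email code in the last {minutes} minutes. "
            "Someone else almost certainly knows your password; change it."
        ]


# Constructed sample: five attempts on alice within two minutes from two addresses, one on bob.
SAMPLE_EVENTS: List[Tuple[str, str, int]] = [
    ("alice", "198.51.100.7", 0),
    ("bob", "203.0.113.9", 10),
    ("alice", "198.51.100.7", 30),
    ("alice", "198.51.100.7", 60),
    ("alice", "198.51.100.7", 90),
    ("alice", "203.0.113.42", 120),
]


def run(events: List[Tuple[str, str, int]], end_ts: int) -> List[str]:
    """Feed events through the coalescer and flush at end_ts; returns every email produced."""
    coalescer = LoginAlertCoalescer()
    sent: List[str] = []
    for account, ip, ts in events:
        sent.extend(coalescer.record(account, ip, ts))
    sent.extend(coalescer.flush(end_ts))
    return sent


if __name__ == "__main__":
    for mail in run(SAMPLE_EVENTS, WINDOW_SECONDS):
        print(mail)   # six attempts become three emails: two alerts and one digest
```

The digest also carries information the per-attempt emails did not: the count and the number of distinct sources, which is what turns a noisy inbox into the "maybe my account has been compromised" reading the reply above is aiming for.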
Can I ask you whether MFA by TOTP on app (either Authy like or Riot Mobile) or even a hardware security key is planned in the future to settle for people's needs?
TOTP support is something we are working on. I don't think we have any plans for hardware security keys right now, but it would be cool if we could one day do that.