Original Post

Every other major online game has it, from Fortnite to WoW to Steam; 2FA is a necessary security feature that we have lacked for a decade. It's honestly ridiculous that for a playerbase the size of League's we don't have such a basic security feature.

over 4 years ago - /u/riotaredherring

Originally posted by specialpredator

Add it but don't make it mandatory.

There is a problem with making MFA opt-in: Only the people who are otherwise secure would enable it. This would make MFA pretty ineffective since the largest at-risk group would see no increase in their security.

I know you said "don't make it mandatory", but usually people associate "not mandatory" with "opt-in", which is why I'm pointing this out.

over 4 years ago - /u/riotaredherring

We are actively investigating the space of account security as a whole (This is my current area of focus for the next while) and hopefully we will have something more to share soon.

MFA will happen, it's more a matter of when.

over 4 years ago - /u/riotaredherring

Originally posted by DammitAnthony

https://support-leagueoflegends.riotgames.com/hc/en-us/articles/360010367273-Two-factor-authentication-FAQ

The year was 2018. The year being 2020 was a strong argument in favor of implementing 2FA; in the end, though, 2018 brought more to the discussion.

The e-mail verification for accessing your account panel does help to prevent irretrievable account takeover, but it won't stop someone from logging into your account and potentially doing damage (like transferring your account to another region).

There are some limitations of this implementation that make it great to prevent access to a web panel, but not great for use when logging into the game.

over 4 years ago - /u/riotaredherring

Originally posted by stoneluxplayer

That's the internet. People can literally hack anything. If a guy manages to hack into the FBI servers, you can be quite certain that your League of Legends account is not safeproofed as well.

This is sort of accurate.

The most likely vector of compromise of your account will be if you re-used your password and another site got breached.

This is why you should use unique passwords for every site you're on in general, and having a strong, unique password will indeed make it very difficult to take over your account even in the absence of MFA.

It is only once in League's history that we had a password dump leaked, which was back in 2012. Since that time we've changed the mechanism by which we store passwords, both in terms of software (i.e., how they get into our database) and infrastructure (where they are located and what controls are in place to prevent access to said database).

over 4 years ago - /u/riotaredherring

Originally posted by MeowingMango

To be fair, though Riot for some reason doesn't like to admit it, League has the opposite problem.

People are being TOO willing to give up their account details to other people (namely boosters to go boost their accounts). Putting in extra security just makes it more inconvenient for them. :P

though Riot for some reason doesn't like to admit it,

We actually did :)

over 4 years ago - /u/riotaredherring

Originally posted by Burpmeister

Literally the only thing the password changes is the time it takes to crack it.

These people, in general, don't attempt to brute force random accounts. They take open-source password dumps and run them through a program that tries to log into League - this is called "credential stuffing".

The uniqueness of your password is as important as the length of it, but it's incorrect to say that changing the length of the password would not prevent an attacker.

Attackers are, in general, not interested in breaking into a specific account unless you're a high-value target. They make their money from the yield of accounts, so if they can't break into an account within a few attempts, their program will move on to the next one. Having a difficult-to-guess password is your primary mitigation against this.

MFA does nothing to protect you unless your password has already been broken.
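The credential-stuffing pattern the reply above describes (many accounts, one or two guesses each, then move on) looks quite different in authentication logs from a brute-force attack on a single account, and that difference is what a detection rule keys on. The following is an added example, not Riot's code or tooling: a small classifier run over constructed log lines in an assumed `unix_ts source_ip username OK|FAIL` format, with the thresholds (`min_attempts`, `stuffing_ratio`) chosen for illustration.

```python
"""Telling credential stuffing apart from single-account brute force in auth logs.

Added example, not Riot's code. The log format, the sample lines and the
thresholds (min_attempts, stuffing_ratio) are all assumptions.
"""
from collections import defaultdict

# Constructed sample: one stuffing source, one brute-force source, one normal user.
# Format (assumed): "<unix_ts> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice FAIL
1700000001 203.0.113.7 bob FAIL
1700000002 203.0.113.7 carol FAIL
1700000003 203.0.113.7 dave OK
1700000004 203.0.113.7 erin FAIL
1700000005 203.0.113.7 frank FAIL
1700000010 198.51.100.9 alice FAIL
1700000011 198.51.100.9 alice FAIL
1700000012 198.51.100.9 alice FAIL
1700000013 198.51.100.9 alice FAIL
1700000014 198.51.100.9 alice FAIL
1700000015 198.51.100.9 alice FAIL
1700000020 192.0.2.44 gina OK
"""


def parse_log(text):
    """Return (timestamp, source_ip, username, success) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "OK"))
    return events


def classify_sources(events, min_attempts=5, stuffing_ratio=2.0):
    """Label each source IP as 'stuffing', 'brute_force', 'mixed' or 'normal'.

    Stuffing: many distinct usernames with roughly one guess each (the attacker
    tries a leaked email:password pair and moves on).
    Brute force: many guesses concentrated on a single username.
    """
    per_ip = defaultdict(list)
    for _, ip, user, ok in events:
        per_ip[ip].append((user, ok))

    labels = {}
    for ip, attempts in per_ip.items():
        if len(attempts) < min_attempts:
            labels[ip] = "normal"
            continue
        distinct_users = {user for user, _ in attempts}
        attempts_per_user = len(attempts) / len(distinct_users)
        if attempts_per_user <= stuffing_ratio:
            labels[ip] = "stuffing"
        elif len(distinct_users) == 1:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "mixed"
    return labels


def compromised_accounts(events, labels):
    """Accounts with a successful login from a source labelled as stuffing: these are
    the reused passwords that worked, and the accounts to force-reset."""
    return sorted({user for _, ip, user, ok in events
                   if ok and labels.get(ip) == "stuffing"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, label in verdicts.items():
        print(f"{ip:<14} {label}")
    print("force password reset for:", compromised_accounts(evs, verdicts))
```

In practice the grouping key would be broader than a single IP, since stuffing tools rotate through proxy pools; the shape of the signal (breadth of usernames, shallow depth per username, occasional success) is the same.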

over 4 years ago - /u/riotaredherring

Originally posted by EternalDeath

You, sir, have absolutely no idea about this matter from what I was able to read just now.

You don't connect a phone number; you basically download an app which handles the second-factor authentication for you. It generates a code which you enter to be able to log in at all.

If you don't have this set up, you can't play ranked in Rainbow 6, for example.

In what world did you assume that something that makes your account access more secure is going to steal any data from you?

If you are this paranoid then you might as well stop using the internet.

You don't connect a phone number; you basically download an app which handles the second-factor authentication for you. It generates a code which you enter to be able to log in at all.

Phone number MFA is absolutely a thing that exists and users should be wary of giving any unnecessary personal information to any provider, Riot included.

In what world did you assume that something that makes your account access more secure is going to steal any data from you?

Rogue employee attacks, us screwing something up and having a software vulnerability... there are lots of ways that personal information can be extracted from any system designed with the best of intentions. I don't fault /u/oziprolamka for being suspicious.

That said, yeah, Rainbow6 does not use phone number verification, which is great. They use TOTP authentication through an app, which means they don't have to collect phone numbers and only have access to the IP address from which you logged in.

over 4 years ago - /u/riotaredherring

Originally posted by Burpmeister

Changing the length doesn't prevent it. It makes it harder. If it's a password, it can be cracked. That's why 2FA is so important.

Data breaches being the biggest risk only emphasizes the importance of 2FA. No matter how strong your password is, it doesn't do shit if it's handed to net-criminals on a silver platter.

Use 2FA if you can whenever you can. It's the best you can do aside from not having an account to begin with.

Changing the length doesn't prevent it. It makes it harder.

This is a little disingenuous. If every password was equally breakable, then I would agree, but that's not the case - basic set theory dictates that as the length increases, the search space gets so large that it is effectively impossible to randomly guess the correct password. So while it is theoretically possible to break an account with, say, a 20-character password, as long as it's unique it is very unlikely, unless it's a word from a dictionary or a common phrase or some permutation thereof.

No matter how strong your password is, it doesn't do sh*t if it's handed to net-criminals on a silver platter.

This is also an "it depends": if passwords are hashed and salted, the only thing a data breach does is enable an attacker to confirm when they have the right password without having to connect to a remote server. This is a significant speed-up in break time and prevents rate limiting, but a sufficiently complex algorithm like PBKDF2 with a good number of rounds, again, makes it difficult to brute-force accounts with any degree of speed.

Of course, this relies on providers using things like PBKDF2 or bcrypt, but you get my point - I think you're being a little hyperbolic.

Use 2FA if you can whenever you can.

You should use MFA where possible, I agree. But MFA is not the only security step you should take, and if you're wondering where to start there, a long, unique password, ideally generated using a password manager, is far more likely to stop any attacks than MFA will.
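The reply above leans on two things: salted, iterated password hashing (so a leaked database only lets the attacker test guesses offline, at the cost of one key derivation per guess) and the arithmetic of password length. Here is an added Python example that is not Riot's code, using PBKDF2-HMAC-SHA256 from the standard library. The iteration count, the 16-byte salt, the storage-string format and the guesses-per-second figures are assumptions for illustration.

```python
"""Salted, iterated password hashing (PBKDF2-HMAC-SHA256), what a leaked hash lets an
attacker do offline, and why the length of a *random* password makes that hopeless.

Added example, not Riot's code. ITERATIONS, the salt size, the storage format and the
guesses-per-second figures are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional

ITERATIONS = 600_000  # assumed work factor; raise until one hash costs ~100 ms on your hardware
SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94 characters


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<dk_hex>'. A fresh random salt per
    user means identical passwords produce different records, defeating precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def offline_dictionary_attack(stored: str, wordlist) -> Optional[str]:
    """What a breach hands the attacker: each guess is checked locally with no server,
    no rate limit, and only the KDF cost per guess standing in the way."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """The 'long, unique, password-manager generated' recommendation, using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def expected_years_to_guess(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random password: half the keyspace on average."""
    keyspace = alphabet_size ** length
    return (keyspace / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("password123")
    print(record)
    print("dictionary hit:", offline_dictionary_attack(record, ["letmein", "qwerty", "password123"]))
    print("random 20-char password:", generate_password())
    for length in (8, 12, 20):
        years = expected_years_to_guess(length, len(SYMBOLS), 1e10)
        print(f"{length} chars from {len(SYMBOLS)} symbols at 1e10 guesses/s: {years:.3g} years")
```

The dictionary attack succeeds against "password123" no matter how many rounds the hash uses, because the guess is in the list; it fails against the generated password because no list contains it, and the keyspace arithmetic shows why exhaustive search is not a substitute. The assumed 1e10 guesses per second is generous for an iterated hash; the point of the work factor is to push the real figure far lower.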

over 4 years ago - /u/riotaredherring

Originally posted by Perry4761

What if it were opt-out? Wouldn’t that be able to satisfy everyone?

Not everyone. Opt-out only really works with something like email-based or SMS MFA, which would cause significant issues for cultures where using a PC Bang is more common, like Korea.

Not to mention, switching on opt-out MFA for a player base our size would be fraught with issues if things went wrong, and it would likely carry business risk (for example, renewals may be affected if individuals were forced to log in). Imagine if we turned on MFA for an entire region and it buckled? That would be a nightmare for everyone involved! While I do have higher expectations of our engineering ability, working at our scale has complexities, and it's something to be kept in mind.

You can see the problem :) An implementation of MFA that serves all of our players is complex. That's part of the reason we're still investigating this.

There is no MFA solution that will satisfy everyone. There will be compromises that make people unhappy, as with everything.

over 4 years ago - /u/riotaredherring

Originally posted by Burpmeister

You seem far more experienced in the subject than I am so I'll take your word for it.

However, when I had a couple of information security courses at my university a few years back, the general consensus was that 2FA (which was and still is far more available to the general user than MFA (which is mostly used by banks as far as I'm aware?)) was by far the most effective way to secure your accounts. Even more so than a password manager (obviously you can and 100% should use both, but the point was which one is a stronger form of protection). Has something changed since?

I do remember being told that there was supposedly a nearly uncrackable form of protection in the works that was at the time only used by some militaries. I haven't heard about anything similar since though so I dunno.

All in all, thanks for chiming in and correcting my mistakes. It just baffled me how many people in this thread were completely against the idea of *optional* stronger protection for their accounts.

You seem far more experienced in the subject than I am so I'll take your word for it.

I'm a security engineer for Riot. This is literally my job. :P

was that 2FA (which was and still is far more available than MFA (which is mostly used by banks as far as I'm aware?))

2FA is a subset of MFA. Many websites these days use a form of MFA where they check both the IP addresses you're logging on from as well as the TOTP prompt. If you have any website which prompts you if you're "logging on from a different location", they are using MFA. I say the term MFA rather than 2FA because 2FA specifically refers to two factors, where MFA gives you more room.

was by far the most effective way to secure your accounts.

As mentioned previously, while MFA is a great way to secure your accounts, it does nothing for you unless the attacker has already guessed your password. It's a protection of last resort should all other protections be exhausted. You should still use it where possible, but if your password is already very secure then there's a good chance you're fine. In general, if you have a unique password, you're much more likely to lose your account to a social engineering attack than someone guessing your password (this is true for anything, not just League).

Even more so than a password manager

This should be covered in the above section, but TL;DR: MFA is an extra layer of security on top of a secure password; it should be done in addition to one, instead of being treated as a security measure in its own right. Defense in depth, yo.

do remember being told that there was supposedly a nearly uncrackable form of protection in the works that was at the time only used by some militaries.

The thing about cryptography is that in general an algorithm is less secure if it is secret. "Military grade encryption" is mostly a thing of the past, with the same encryption used by militaries being used by civilians and private corporations. I very much doubt there is any form of 'uncrackable' protection, particularly if we're using passwords - There is no way to make a passphrase based system uncrackable, since someone can still always guess the password.

It just baffled me how many people in this thread were completely against the idea of *optional* stronger protection for their accounts.

Security benefits do not come in a vacuum. Poorly implemented MFA may increase security (it may not) at the expense of a guaranteed decrease in personal privacy. They also come at a cost of ease of use - If we had a system where you had to log into your email every time you logged into the game, that would be really annoying, especially if the client crashed in the middle of a game, for example.

over 4 years ago - /u/riotaredherring

Originally posted by Burpmeister

I'm a security engineer for Riot. This is literally my job. :P

I guess I shouldn't be too surprised to see someone like you lurking in a thread like this. I guess it's to be expected.

I very much doubt there is any form of 'uncrackable' protection, particularly if we're using passwords

It's been years since so I'm not really sure but I'm fairly certain it was a specific setup of MFA that was basically considered unbreachable if used correctly (obviously anything can be cracked due to user error or by gaining physical control over the user). I think it was not a particularly cheap system to set up which might've been the reason for mostly militaries using it with government funding.

They also come at a cost of ease of use

I don't think anyone would mind having to take more time logging in if it means extra protection for their accounts worth hundreds or even thousands of dollars.

If we had a system where you had to log into your email every time you logged into the game, that would be really annoying

This shouldn't really be a problem though since it can be set up to require authentication when accessed from a new location or after a certain time period.

Also... Correct me if I'm wrong but doesn't Riot already use MFA when doing certain stuff on League website for example? Why isn't it an option to enable it for the client when logging in from new locations/after a certain time period?

Also also... Clash uses MFA, right?

I don't think anyone would mind having to take more time logging in if it means extra protection for their accounts worth hundreds or even thousands of dollars.

This has two big assumptions:

  1. That people spend lots of money on their accounts and think it is something valuable.
  2. That the individual is convinced that adding MFA tangibly increases their security by an amount proportionate to the amount of effort invested to utilize the MFA solution.

And these assumptions are not guaranteed.

This shouldn't really be a problem though since it can be set up to require authentication when accessed from a new location or after a certain time period.

In Western culture, where you typically log onto one machine and play from there, that's true. It's not true in cultures where PC bangs are in place, which is very common both in Korea and in Korean cultures around the world, to say nothing of people who live on a campus, use a VPN, etc.

Also... Correct me if I'm wrong but doesn't Riot already use MFA when doing certain stuff on League website for example?

It does, but the pattern used there (go to your email to do a thing) is not great when logging into the game on a new PC (for example, in PC bang culture). It would also potentially hurt onboarding new players. Ideally, you'd want some interface within the client for this, which takes engineering time. You can see how the borders of this problem expand.

Also also... Clash uses MFA, right?

Clash uses phone verification to ensure that an account (probably) has a unique owner and that there's no smurfing going on. It's not really MFA as you'd think of it.

over 4 years ago - /u/riotaredherring

Originally posted by Burpmeister

Fair enough points but you're dodging the biggest aspect. What's the harm in any of these if it's up to the player to decide whether or not they use it?

Also, quite frankly, I think 1. is a bit insulting. Every single account is valuable whether or not they've spent money, since every single one of those accounts has trusted Riot with important personal information.

Fair enough points but you're dodging the biggest aspect. What's the harm in any of these if it's up to the player to decide whether or not they use it?

The harm to the player is that we spent lots of resources implementing a system for MFA that doesn't accomplish its goals, resources that could have been spent on something with more tangible effect. The solution needs to account for less security-conscious people - i.e., people who do not care about security, which is the vast majority of people - otherwise it's a waste of money and resources.

since every single one of those accounts has trusted Riot with important personal information.

There is nothing that stipulates you have to provide any real information about yourself to Riot. You could use a throwaway email account; we don't hold payment information. I would agree with you, but again, I am not providing my personal opinion. I am providing the viewpoint of most individuals who play the game, who are disengaged from security.