any plans on making a totp auth?
I've mentioned a few times in this thread: It's not my place to make promises but if it were entirely up to me (it is not) then yes
This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.
I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phi...
This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA.
Getting 2FA makes me hope that maybe, some day, in the future, we'll get a U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's a physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to a wider userbase.
So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that as of current U2F devices are not prevalent.
I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale.
My opinion following - I do not have the power to effect this view across Riot:
If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device.
I'm no oracle, but with the way tech is going, I think the bet that mobi...
My email does not support 2FA sadly.
Could you clarify? Do you mean that your email provider does not offer 2FA to its customers? Or are you somehow encountering issues with MFA from Riot due to your email provider?
I would strongly recommend changing email provider if that is the case.
Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).
Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality.
It doesn't matter. You don't build these together.
Do you wanna break that news to Faker, or shall I?
https://gol.gg/game/stats/35833/page-game/
The game rarely requires you build both - usually it doesn't go on long enough, or there's a different utility item you might want, but you can absolutely build void and shadowflame together
Either way, the point is that Viktor is not broken b/c of Lich Bane because he doesn't build it, and regardless of your thoughts on Shadowflame + Void, Viktor isn't really building LB to replace either of those
into Shadowflame, Void
you know it's worrying when a rioter posts this
(not in that order)
Hi, just letting you know I've seen this and will reply when I can.
Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes
We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.
They're absolutely selling them as well, companies like that have no morals.
I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that.
It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA
Hijacking this thread because it's probably not going anywhere beyond this point...
Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?
What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it
If account security is a widespread problem and y'all want to try to reach those people who 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.
Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.
That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins.
I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?
can we eventually have the option for TOTP. Email 2fa is fine, but TOTP would be a great add
Can't make promises about features but, yes, I would consider TOTP a core requirement
You do have the option in the PC client to select remember this device, which will not prompt for a 2FA code again for a certain number of days.
Yeah, sorry, I lumped that in with 'stay signed in'. I had major brain worms later on yesterday evening
He does. Just because he doesn't rush it doesn't mean he "doesn't build" it.
Viktor's build is Crown into Shadowflame, Void, Rabadon, Zhonya and boots (not in that order). That might change with the Lich changes but right now, LB is not built on him except by 3% of all players (according to op.gg).
Love playing him but I'm not looking forward to the balance team hitting him over the head. All of my favourite mid laners are strong right now.. it does not bode well for my winrate in a few weeks x)
I've seen this a few times here, so to clarify: Weekly Wins have consistently awarded 1,000 tokens total over the past several events. The only difference is that the first 3 weeks used to award 230 tokens, and the final week awarded 310 tokens (again, for a total of 1,000 tokens).
We have made each Weekly Win mission award 250 Tokens to even that out, but it's still 1,000 tokens total.
The reason the nerf was important is that it meant it's more optimal to use other mythics now, and its defensive shield was less strong since it was frustratingly strong. Yasuo and Yone may have gotten marginal damage buffs but the fact that they were so hard to kill with shieldbow is what's been nerfed.
The nerf wasn't Riot going "we just want shieldbow users to have a lower winrate lul".
Basically this. It's moving some of the shieldbow champs' power budget out of shieldbow and into other aspects of their kits/items.
you must think customers are stupid they're willing to give you number
Luckily for them, they can still benefit from MFA. This is email only, and it's unlikely we'd enable SMS based MFA as it has a lot of flaws.