League of Legends Dev Tracker

I don't think anyone would mind having to take more time logging in if it means extra protection for their accounts worth hundreds or even thousands of dollars.

This has two big assumptions:

1. That people spend lots of money on their accounts and think it is something valuable.
2. That the individual is convinced that adding MFA tangibly increases their security by an amount proportionate to amount of effort invested to utilize the MFA solution

And these assumptions are not guaranteed.

This shouldn't really be a problem though since it can be set up to require authentication when accessed from a new location or after a certain time period.

In Western culture, where you typically log onto one machine and play from there, that's true. It's not true in cultures where there's PC bangs in place, which is very common in both Korea and in Korean cultures around the world, to say ...

You seem far more experienced in the subject than I am so I'll take your word for it.

I'm a security engineer for Riot. This is literally my job. :P

was that 2FA (which was and still is far more available than MFA (which is mostly used by banks as far as I'm aware?)

2FA is a subset of MFA. Many websites these days use a form of MFA where they check both the IP addresses you're logging onto as well as the TOTP prompt. If you have any website which prompts you if youre "logging on from a different location", they are using MFA. I say the term MFA rather than 2FA because 2FA specifically refers to two factors, where MFA gives you more room.

was by far the most effective way to secure your accounts.

As mentioned previously, while MFA is a great way to secure your accounts, it does nothing for you unless the attacker has already guessed your...

Oops. Raising this up. Thanks!

Could you give me a link to the page on which you found this?

I never say it because punching down is kinda being an asshole

Not everyone. Opt-out only really works with something like email-based or SMS MFA, which would cause significant issues for cultures where using a PC Bang is more common, like Korea.

Not to mention, switching on opt-out MFA for a player-base our size would be fraught with issues if things went wrong, and it would likely have business risk (for example, renewals may be affected if individuals would be forced to login). Imagine if we turned on MFA for an entire region and it buckled? That would be a nightmare for everyone involved! While I do have higher expectations of our engineering ability, working at our scale has complexities and it's something to be kept in mind.

You can see the problem :) an implementation of MFA that serves all of our players is complex. That's part of the reason we're still investigating this.

There is no MFA solution that will satisfy everyone. There will be compromises that make people unhappy, as with everything.

Changing the length doesn't prevent it. It makes it harder.

This is a little disingenuous. If every password was equally breakable, then I would agree, but that's not the case - Basic set theory dictates that as the length increases the search space gets so large that it is effectively impossible to randomly guess the correct password. SO while it is theoretically possible to break an account with, say, a 20 character password, as long as it's unique it is very unlikely unless it's a word from a dictionary or common phrase or some permutation thereof.

No matter how strong your password is, it doesn't do sh*t if it's handed to net-criminals on a silver platter.

This is also an "it depends": If passwords are hashed and salted, the only thing a data breach does is enable an attacker to confirm when they have the right password without having to connect to a remote server. This is a significant speed...

You dont connect a phone number, you basically download an app which handles the 2nd factor authentication for you, it generates a code which you enter to be able to login at all.

Phone number MFA is absolutely a thing that exists and users should be wary of giving any unnecessary personal information to any provider, Riot included.

In what world did you assume that something that makes your account access more secure is going to steal any data from you?

Rogue employee attacks, us screwing something up and having a software vulnerability... there are lots of ways that personal information can be extracted from any system designed with the best of intentions. I don't fault /u/oziprolamka for being suspicious.

That said, yeah,...

These people, in general, don't attempt to brute force random accounts. They take open-source password dumps and run them through a program that tries to log into League - this is called "credential stuffing".

The uniqueness of your password is as important as the length of it, but it's incorrect to say that changing the length of the password would not prevent an attacker.

Attackers are, in general, not interested in breaking into a specific account unless you're a high-value target. They make their money from yield of accounts, so for them if they can't break into an account with a few attempts their program will move onto the next one. Having a difficult to guess password is your primary mitigation against this.

MFA does nothing to protect you unless your password has already been broken.

though Riot for some reason doesn't like to admit it,

We actually did :)

This is sort of accurate.

The most likely vector of compromise of your account will be if you re-used your password and another site got breached.

This is why you should use unique passwords for every site you're on in general, and having a strong unique password will make it very difficult to take over your account indeed even in the absence of MFA.

it is only once in League's history that ...

The e-mail verification for accessing your account panel does help to prevent irretrievable account takeover, but it won't stop someone from logging into your account and potentially doing damage (like transferring your account to another region).

There are some limitations of this implementation that make it great to prevent access to a web panel, but not great for use when logging into the game.

We are actively investigating the space of account security as a whole (This is my current area of focus for the next while) and hopefully we will have something more to share soon.

MFA will happen, it's more a matter of when.

There is a problem with making MFA opt-in: Only the people who are otherwise secure would enable it. This would make MFA pretty ineffective since the largest at-risk group would see no increase in their security.

I know you said "don't make it mandatory", but usually people associate "not mandatory" with "opt-in", which is why I'm pointing this out.

I'm not saying mine is better, but I was here first. Just saying.

not gonna fight my boy to the death tho, we cool

You have valid points. There is one wrong asumption.

team for client changed few times over already due to problems

That is not the reason, not even one of them. Teams change because people leave the company, leave the industry, switch careers, start their own company, they make family decisions and move away, the company does team re-arquitecture etc.

Even if we had a QT client, a lot of stuff would need to be JS. You can't escape integrations with 3rd party web services. Plus you got to consider your deploy strategy, some stuff you'll want to deliver through a CDN, that means web. You still have to hire or train for those chunks of the client, which aren't small or trivial. This is not an argument I'm making to say –web is the clear right answer–, I'm just showing you another level of nuance.

Well, that.. is something. I'll pass this on. lol

LMAO

Superb

Nice

I was playing Renekton vs Ornn, I was 2 levels up and 3/0 to 0/3 Ornn, i lost 1v1 battle with me having ignite and him having tp...

Anyone who has played Top lane knows the frustrations of fighting that abomination

As of Wednesday, we are a multi-game studio. Go play some legends of runeterra ;)