In both the recent account security livestream and the accompanying blog post, it looks like Jagex glossed over a pretty significant change that you can see in the proposed UI for the MFA prompt.
This is probably a pretty bad idea because of how much a user's email account is already a single point of failure when it comes to an attached Runescape account. Under the current processes, having control over someone's email account allows you to:
Change their OSRS password
Disable their OSRS authenticator
Change the email address associated with their OSRS account
Unlock the account if it's locked due to suspicious activity
Log in and request a bank PIN removal, while the player is unable to log in to stop it due to the password being changed
All without knowing the user's password or having access to their authenticator app.
Adding MFA backup codes is definitely a huge step in the right direction because it allows for stricter requirements for being able to do things like this, since they can take away email verification where there's a more secure way available to verify your identity.
But allowing email-based MFA seems like it would negate that progress somewhat or even entirely, depending on the circumstances in which they allow email-based MFA (e.g. in-game, non-account-management actions on the website, or even account management).
I think a better approach for Jagex would be to use email as a sort of "last resort" for MFA when the user doesn't have an authenticator app. That is, as soon as you make an account, you have to use email-based MFA to log in, and there's no way to disable that. When you attach an authenticator app, that becomes your required MFA, and crucially, you lose the option to use email for MFA. This would spread the risk across more components and make the threat model a lot more complicated than the current situation of "if you get into someone's email account, then you win".
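The "email is a single point of failure" argument above can be checked mechanically by treating the recovery flows as an attack graph: each recovery action is authorised by some set of factors and, once performed, effectively hands the attacker another factor. The following is an added example and not the author's code or any Jagex system; the `CURRENT_POLICY` rules are a simplified model of the flows listed in the post, and the `PROPOSED_POLICY` rules are an assumed illustration of the direction the post argues for (backup codes replacing email verification once an authenticator is enrolled), not a specification the post gives. It enumerates the minimal sets of compromised factors that allow a full takeover under each policy.

```python
"""Toy attack-graph model of account recovery policies (added example, not from the post)."""
from itertools import combinations

# Factors an attacker might hold. "totp" here stands for the authenticator app,
# "backup_code" for the MFA backup codes the post discusses.
FACTORS = ("password", "email", "totp", "backup_code")

# Full takeover means the attacker can pass everything the login flow checks.
GOAL = {"password", "totp"}

# action -> (alternative factor sets that authorise it, factors effectively gained afterwards).
# Simplified model of the flows listed in the post: email alone authorises everything.
CURRENT_POLICY = {
    "reset_password": ([{"email"}], {"password"}),
    "disable_totp":   ([{"email"}], {"totp"}),       # removing MFA == satisfying the MFA step
    "change_email":   ([{"email"}], set()),
}

# ASSUMED illustration of the post's proposal: email is never sufficient on its own
# once an authenticator is enrolled; a backup code (or the authenticator) is also needed.
PROPOSED_POLICY = {
    "reset_password": ([{"email", "totp"}, {"email", "backup_code"}], {"password"}),
    "disable_totp":   ([{"password", "backup_code"}], {"totp"}),
    "change_email":   ([{"password", "totp"}, {"password", "backup_code"}], set()),
}


def reachable(policy, compromised):
    """Fixed-point closure: keep performing any authorised action until nothing new is gained."""
    held = set(compromised)
    changed = True
    while changed:
        changed = False
        for alternatives, grants in policy.values():
            authorised = any(alt <= held for alt in alternatives)
            if authorised and not grants <= held:
                held |= grants
                changed = True
    return held


def takes_over(policy, compromised):
    """True if holding `compromised` lets the attacker reach every factor in GOAL."""
    return GOAL <= reachable(policy, compromised)


def minimal_takeover_sets(policy):
    """All minimal factor sets whose compromise yields full takeover, smallest first."""
    found = []
    for size in range(1, len(FACTORS) + 1):
        for combo in combinations(FACTORS, size):
            candidate = set(combo)
            if any(prev <= candidate for prev in found):
                continue  # a strict subset already suffices; not minimal
            if takes_over(policy, candidate):
                found.append(frozenset(candidate))
    return sorted(found, key=lambda s: (len(s), sorted(s)))


if __name__ == "__main__":
    for name, policy in (("current", CURRENT_POLICY), ("proposed", PROPOSED_POLICY)):
        print(name, [sorted(s) for s in minimal_takeover_sets(policy)])
```

Under `CURRENT_POLICY` the search reports `{email}` as a one-factor takeover path, which is exactly the post's point; under the assumed `PROPOSED_POLICY` every takeover path needs at least two independently compromised factors. The model is only as good as its rules, so the value of writing it down is that any recovery flow that quietly accepts email alone shows up as a one-element set.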