riotdanhonks

21 Jan

Comment

Originally posted by Swineflew1

It’s like that picture except mine has the riot fist in them.
I’m still getting them since I posted this. I’m at work and not sure where I can find my ID, I don’t see it anywhere on the riotgames site. I won’t have access to my game launcher until I get home.
I have the option to setup a riot ID in the settings menu, should I do that?

We sorted this out with the OP in DMs.

Comment

Do they look like this, OP? semi-related: did you enable multi-factor authentication on your account?

https://i.imgur.com/B40pIBW.png

If you feel comfortable so I can look into this further, please drop me a Reddit DM with your Riot ID (it'll look like Riot danhonks#NVB94)

Comment

Originally posted by Serinus

Riot should also recognize how they're an industry leader and moves they make will have effects downstream and in their own future.

It's a relatively small cost project when you consider it in the larger scheme like that.

I am aware of this and that's why I am interested in software proposals like IndieAuth rather than relying on The Big Companies as OAuth providers (I have not proposed changing how we do this in the company just yet as IE needs a bit more maturation).

I don't think there is much value to the business in U2F devices, like Yubikeys, in games, even when we consider that. I do feel like mobile devices are going to be the way to go there.

That said, I'm an IC and not a business strategist. I don't feel like the juice is worth the squeeze on U2F, all the same; we have limited resources and the resources spent on U2F would probably have better return on investment for Riot and its players if spent on devices we already know players have and are invested in.

Supporting U2F would be a big investment, would not work across all devices, for minimal gain, only to provide value for a lot of people who honestly already are pretty well-engaged in security. I thin...


20 Jan

Comment

Originally posted by Serinus

We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.

Are you more likely to support these things if I do or if I don't enable the email option?

I think TOTP is a core requirement of a successful MFA solution regardless of how good the uptake of email-based MFA is.

Comment

Originally posted by Serinus

Man, I was all ready to go to finally secure my Riot account... and then find it's only email.

Hopefully this is just the beginning of the scope and you can add yubikey/FIDO2/U2F and TOTP.

Here are some starting resources. Yeah, I should probably implement this in something myself somewhere, since it'd take a bit of work.

TOTP: https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3

FIDO2: https://webauthn.guide/

Respectfully, we don't need assistance on implementing these things in the form of guides. The primary limitation to projects of this scale is not in the form of code or know-how. It's logistical. I could go and write the TOTP implementation right now in my text editor, but getting that out to all of our games is significantly more complicated.

We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.

Comment

Originally posted by koobzar

any plans on making a totp auth?

I've mentioned a few times in this thread: It's not my place to make promises but if it were entirely up to me (it is not) then yes

Comment

Originally posted by WiatrowskiBe

This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phi...


This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA.

...
Comment

Originally posted by WiatrowskiBe

Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.

So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that, as of now, U2F devices are not prevalent.

I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale.

My opinion following - I do not have the power to effect this view across Riot:

If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device.

I'm no oracle, but with the way tech is going, I think the bet that mobi...

Comment

Originally posted by Sterenn

My email does not support 2FA sadly.

Could you clarify? Do you mean that your email provider does not offer 2FA to its customers? Or are you somehow encountering issues with MFA from Riot due to your email provider?

I would strongly recommend changing email provider if that is the case.

Comment

Originally posted by XDME

Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).

Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality.

  • SMS hijacking/swapping attacks - it's relatively straightforward to break SMS 2FA for specific targets. This is the main security reason to not enable SMS 2FA but it's not something I am concerned about that much - The number of players that would be affected by this are minuscule. However, the people who would be impacted by it would be rather high profile and this would undermine trust in both Riot and the 2FA system.
  • SMS 2FA requires cell service. I live in the middle of a city and cell service is very patchy here. Some cell providers will also charge you for receiving automated texts, or you may need to pay a contract to have cell service at all.
  • Phone numbers are an extra piece of tier 1 personal information we would need to collect. When designing a system, it's important to minimize the amount of personal information you need to ...
Comment

Originally posted by PhilippFreytag

It doesn't matter. You don't build these together.

Do you wanna break that news to Faker, or shall I?

https://gol.gg/game/stats/35833/page-game/

The game rarely requires you build both - usually it doesn't go on long enough, or there's a different utility item you might want, but you can absolutely build void and shadowflame together

Either way, the point is that Viktor is not broken b/c of Lich Bane because he doesn't build it, and regardless of your thoughts on Shadowflame + Void, Viktor isn't really building LB to replace either of those

Comment

Originally posted by PhilippFreytag

into Shadowflame, Void

you know it's worrying when a rioter posts this

(not in that order)

Comment

Originally posted by WiatrowskiBe

This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause the problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both GitHub, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.

I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phi...


Hi, just letting you know I've seen this and will reply when I can.

Comment

Originally posted by WiatrowskiBe

Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.

Hi, just letting you know I've seen this and will reply when I can.

Comment

Originally posted by Sterenn

My email does not support 2FA sadly.

Hi, just letting you know I've seen this and will reply when I can.

Comment

Originally posted by XDME

Can you speak to some of those flaws? It seems to be near industry standard (outside of authentication apps).

Hi, just letting you know I've seen this and will reply when I can.

Comment

Originally posted by MibitGoHan

Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes

We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.

They're absolutely selling them as well, companies like that have no morals.

I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that.

It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA

Comment

Originally posted by JACOBSMILE1

Hijacking this thread because it's probably not going anywhere beyond this point...

Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?

  • SMS - 99% likelihood will not be supported
  • TOTP - I would consider it a core feature but I can't make promises on timelines, it's not my place to do that
Comment

Originally posted by ruvskiten

What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it

If account security is a widespread problem and y'all want to try to reach those people who 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.

Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.

If account security is a widespread problem and y'all want to try to reach those people who 2FA would benefit more, y'all could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essence and a skin? Or something.

That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins.

I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?

Comment

Originally posted by bigmadsmolyeet

can we eventually have the option for TOTP. Email 2fa is fine, but TOTP would be a great add

Can't make promises about features but, yes, I would consider TOTP a core requirement