Keenan

Two-Factor Authentication


On 6/28/2017 at 10:23 PM, Keenan said:

Note: The forums do not always ask for this code on login. It does it in suspicious situations to help safeguard your account.

 

Then how come it's making me log in every time I return to the forums and provide the authentication code even though I have it marked to keep me signed in?

23 hours ago, Keenan said:

 

As mentioned, https://winauth.com/ - WinAuth is a good solution for those who do not have a smartphone. 

 

Don't have Windows, as use Linux / Lubuntu - please advise how to proceed now?

Edit: Also do not have a smartphone.

Edited by Baloo
  • Like 2

On 6/29/2017 at 1:05 AM, Keenan said:

Edit: It's also opt-out for members, though definitely recommended which is why I have it prompting people to opt-out of it.

Fortunately you have enabled the disabling of this option by not opting to use it as another option, which perhaps some would consider optimal. Possibly in the not too distant future all will be "required" to pay for the monthly service cost of a gotcha smarty phoney; however, at this time those individuals who are more independent minded and have no need to pay for this item can just be "deprived" of its many "benefits" and blissfully ignore its intrusions into one's personal life and quiet times.

 

Conformity continues to raise its ugly head of domination which few have the fortitude and/or craftiness to resist. Should everyone's life be an open book for others to read? Might not really be much of interest within it but the option to share it should be secured from this "security" and "nothing to hide" intrusiveness. This crack in the door you provide at least enables something that was already available before this "better security" intruded.

 

=Ayes=


@Ayes  Every time I read one of your posts I'm impressed by your writing skills. I never know what your stance is and sometimes I don't even get what the point was. But nonetheless I still feel like there was some important message even though I'm not sure what exactly it was...lol.

I was annoyed with the forums' security measures as I actually don't care about my WO forum account. After the first confirmation that I "REALLY" do want to opt-out of the two-factor business it seems to be back to normal. Normal being not bothering me with these confirmations.  This all makes me appreciate those web sites where you can just post as an anonymous entity.

Edited by joedobo
  • Like 1

1 hour ago, Ayes said:

Fortunately you have enabled the disabling of this option by not opting to use it as another option, which perhaps some would consider optimal. Possibly in the not too distant future all will be "required" to pay for the monthly service cost of a gotcha smarty phoney; however, at this time those individuals who are more independent minded and have no need to pay for this item can just be "deprived" of its many "benefits" and blissfully ignore its intrusions into one's personal life and quiet times.

 

Conformity continues to raise its ugly head of domination which few have the fortitude and/or craftiness to resist. Should everyone's life be an open book for others to read? Might not really be much of interest within it but the option to share it should be secured from this "security" and "nothing to hide" intrusiveness. This crack in the door you provide at least enables something that was already available before this "better security" intruded.

 

=Ayes=

 

You don't need to pay for anything. There are options that work without a smartphone.

 

I'm finding this misinformation is common though. Perhaps I'll nag someone to do a FAQ write-up to help dispel it.

 

No, you don't need a smartphone.

No, it doesn't need personal information.

No, you don't need a Google account.

No, it doesn't even need network access.

Yes, it's as simple as scanning a code.

  • Like 4

1 hour ago, joedobo said:

@Ayes  Every time I read one of your posts I'm impressed by your writing skills. I never know what your stance is and sometimes I don't even get what the point was. But nonetheless I still feel like there was some important message even though I'm not sure what exactly it was...lol.

I was annoyed with the forums' security measures as I actually don't care about my WO forum account. After the first confirmation that I "REALLY" do want to opt-out of the two-factor business it seems to be back to normal. Normal being not bothering me with these confirmations.  This all makes me appreciate those web sites where you can just post as an anonymous entity.

 

Seeing as we have people that use these forums to facilitate transactions that can involve real world funds, it would be irresponsible for us to not take advantage of the security measures available now. We always need to consider the entire customer base.

  • Like 3

4 minutes ago, Keenan said:

You don't need to pay for anything. There are options that work without a smartphone.

Yes, yes, I read about those options and I also opt out of those options as well. Generally if I am not interested in something or deem it to be too much additional learning required to acquire what I consider to be of minimal benefit I will opt out, if this option is available (opting out). WoW had a nice keychain authentication system that was very simple to use requiring no side downloads or even a telephone of any sort whatsoever. Surely Wurm is not going to set something up like this but go to the easier route of what you have described here. I used their authenticator where in contrast to your option I will not but rather opt out of it by clicking twice as if I was perhaps mistaken by choosing to click the opt out option only once.

 

Yea, my post was much about nothing really but that is the way I am sometimes and perhaps even a faint grin might arise on another's face as a result. All in good humor really, which is the current mood I happen to be in for a while.

 

12 minutes ago, Keenan said:

Seeing as we have people that use these forums to facilitate transactions that can involve real world funds, it would be irresponsible for us to not take advantage of the security measures available now. We always need to consider the entire customer base.

Perfectly logical and entirely responsible as described. Kind of dull though and not very creative in inducing a frivolous repertoire, for that the imagination must traverse into realms unknown to logical thought processes. Let us not quibble no more. With that in mind I leave you with your concise descriptions and wish you a good day/eve.

 

=Ayes=


I find it difficult to understand why people complain over an option that is available now that wasn't available before. It costs nothing. You now can choose to use the authenticator or go back to your standard user/password combination. The use of the authenticator is heavily encouraged, but not mandatory. If tomorrow you wake up, quit your real life job and make Wurm the center of your universe, you have an option available to you to secure your account better. If you are one of those who could care less if someone steals it or it gets misused, you can ignore the authenticator. What's not to like?

 

More is better.

  • Like 4

On 6/28/2017 at 7:23 PM, Keenan said:

We've enabled two-factor authentication.

 

Click your profile at the top, then Account Settings. On the left you will see Account Security. When you click, you will need to enter your password and then you will have the option to enable two-factor authentication via Google Authenticator.

 

You will be prompted to scan a QR Code with the authenticator app and input a code from the app to finish the setup.

 

Note: The forums do not always ask for this code on login. It does it in suspicious situations to help safeguard your account.

It has asked me to do this every single time I've signed back in today.  Huge pain, as I then have to go find my phone and check the app for the code every single time I try to log in to the forums. 

 

I haven't been able to find any option to turn this off.  Where in my profile settings should that be?

 

Edited by Batta
  • Like 2


Prior to using the authenticator, I never had to log in. My account remained logged in permanently as intended both on my PC and my phone. Since using the authenticator, it kicks me out several times a day on both devices. Today I had to log in about 4 times on my pc and about 3 times on my phone. This requires me to get off my rear end and go hunting for my phone. There is no more quick checking my phone at work either for messages, as I have to go into the ritual of entering my user/password, then toggling to the authenticator, then waiting for it to get the max timer again, then toggling back to the forums to enter the code to finally log in.

It's a real headache. I am not sure if this is intended, but if it is, it's a deal breaker.

  • Like 2


Not even using the authenticator (phone didn't like it for some reason, probably unsteady hands), & still am required to login each new session. 

13 hours ago, Angelklaine said:

If you are one of those who could care less if someone steals it or it gets misused, you can ignore the authenticator.

Or you can "care" and still not choose to use the authenticator.

 

13 hours ago, Angelklaine said:

What's not to like?

Already went into that but apparently not liked by someone, or maybe a few. Yoo hoo, know who.

 

13 hours ago, Angelklaine said:

More is better.

Less is normally better for those who prefer to avoid needless paranoid options. There ya have it!

 

=Ayes=

  • Like 2


It's not paranoia if they are really after you!

 

Though a nation state can always use more traditional methods... The human element has always been the weakest link in any security system. Convenience is a close second.

 

Anyways, I digress, having it as an option is nice. Sony did similar a few years ago, and I still have the keychain deal for theirs.

Edited by Klaa


I've made a change to the two-factor authentication timeout that should help with the complaints brought up so far.

  • Like 1


will this double authentication help stop all the account sharing? if it's added (and mandatory) for ingame accounts?

edit: if so i +500 it

double edit: omg what would chaos / epic do if they couldn't share the kingdom title accounts LMFAO

Edited by Evilreaper

2 hours ago, Evilreaper said:

will this double authentication help stop all the account sharing? if it's added (and mandatory) for ingame accounts?

edit: if so i +500 it

double edit: omg what would chaos / epic do if they couldn't share the kingdom title accounts LMFAO

 

Stay tuned for details on an upcoming account system. ;)

  • Like 2

3 hours ago, Keenan said:

 

Stay tuned for details on an upcoming account system. ;)

You horrible tease!


Things would definitely change if account sharing went down the drain. Even if I would be one of those affected, I still think it's a good thing. It would stop all that drama about group accounts being sold by their "owner" and funny account stealing business.

  • Like 1

16 hours ago, Evilreaper said:

will this double authentication help stop all the account sharing? if it's added (and mandatory) for ingame accounts?

No way! I have never shared my accounts with anyone nor used theirs but I certainly don't want a Mandatory double authentication system enabled in order to be able to log into them, especially linked to a telephone number. Believe it or not some people do very well without any phone at all. That is of course until some financial services, government entities, email services, gaming companies and various *have the right to coerce you into having one in order to provide their services* etcs. get the bright idea that you must have a phone#. Most likely it will again be optional to use for logging in. If I can opt out I will care less one way or the other.

 

=Ayes=

  • Like 2

On 30/06/2017 at 7:40 PM, Keenan said:

No, you don't need a smartphone.

No, it doesn't need personal information.

No, you don't need a Google account.

No, it doesn't even need network access.

Yes, it's as simple as scanning a code.

 

Fine, but you do need Windows - right?

Don't have Windows, as use Linux / Lubuntu - please advise how we Linux users can make use of the 2 factor authentication process?

 

Btw there are more and more of us moving away from MS Windows and towards such operating systems as Linux - for good reasons.

 


@Ayes - any sort of two factor authentication will not be mandatory, only strongly recommended. We will be building other measures into the upcoming account system as well.

 

@Baloo- I've actually had it on my list to search for a Linux alternative since you mentioned it before. The closest I've come are a few Chrome extensions, but I'm sure there's something else out there too. I'll comment with more information when I've had the time to look. :)

  • Like 2


@Keenan- I can't see the way to log in without having to go find my phone and look for the authenticator app code every single time. I can't scan anything to my computer, only to my phone.  After scanning once to my phone, I no longer need to scan anything, but still am asked for the code each time I log in here.  The codes are valid for only 1 minute each, so if I'm not quick enough, it switches to a new code and the first one won't work, necessitating speed in accessing and typing the code. Is there a way to avoid having to do this every time?

Edited by Batta

4 hours ago, Batta said:

@Keenan- I can't see the way to log in without having to go find my phone and look for the authenticator app code every single time. I can't scan anything to my computer, only to my phone.  After scanning once to my phone, I no longer need to scan anything, but still am asked for the code each time I log in here.  The codes are valid for only 1 minute each, so if I'm not quick enough, it switches to a new code and the first one won't work, necessitating speed in accessing and typing the code. Is there a way to avoid having to do this every time?

 

There's a button next to the QR code which gives you instructions if you can't scan. You can disable the feature via the Account Settings, and then enable it again. Click the link, enter the code it gives you into a program like WinAuth.

  • Like 1


2-factor auth is a really nice feature and working very well. Thank You!


 

On 7/2/2017 at 3:01 PM, Baloo said:

Don't have Windows, as use Linux / Lubuntu - please advise how we Linux users can make use of the 2 factor authentication process?

 

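Install Python, make a script:

import hmac, base64, struct, hashlib, time

def get_hotp_token(secret, intervals_no):
    # Decode the Base32 secret (casefold=True accepts lowercase input)
    key = base64.b32decode(secret, True)
    # The counter is hashed as an 8-byte big-endian integer
    msg = struct.pack(">Q", intervals_no)
    h = hmac.new(key, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte picks the offset.
    # Indexing bytes yields an int on Python 3, so no ord() is needed.
    o = h[19] & 15
    h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
    # Zero-pad so codes with leading zeros keep all six digits
    return "%06d" % h

def get_totp_token(secret):
    # A new code every 30 seconds
    return get_hotp_token(secret, intervals_no=int(time.time())//30)

# Replace the placeholder with your own Base32 secret
print(get_totp_token("YOURSECRETHERE"))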

 

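An added example, not part of the original post or of the forum software: the server-side check that pairs with the script above, showing why a code typed a few seconds late can still be accepted and how an already-used code is refused. The names `verify_totp`, `window` and `last_used` are assumptions for illustration, and the sample key is the RFC 6238 SHA-1 test key.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per code, same as the //30 in the script above

def hotp(secret_b32, counter, digits=6):
    # RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

# verify_totp, window and last_used are illustrative names (assumptions).
def verify_totp(secret_b32, submitted, now, last_used=-1, window=1):
    """Return the matched time-step counter, or None if rejected.

    window=1 accepts the previous, current and next 30 s step, which
    tolerates clock drift and slow typing. last_used is the counter of the
    last code accepted for this account; anything at or before it is
    refused so an observed code cannot be replayed.
    """
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time comparison, and no early exit on a match
        ok = hmac.compare_digest(hotp(secret_b32, counter), submitted)
        if ok and counter > last_used:
            matched = counter
    return matched

# Constructed sample: the RFC 6238 SHA-1 test key, Base32-encoded
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = hotp(RFC_SECRET, 59 // STEP)
    print(code)
    print(verify_totp(RFC_SECRET, code, now=59))    # current step
    print(verify_totp(RFC_SECRET, code, now=85))    # one step late
    print(verify_totp(RFC_SECRET, code, now=130))   # outside the window
    print(verify_totp(RFC_SECRET, code, now=59, last_used=1))  # replay
```

Widening `window` trades convenience for a longer period in which an intercepted code stays valid, so the stored `last_used` counter matters more as the window grows.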
