Introduction
Securing your account is one of those things you don't really pay attention to until it's too late. The process is usually tedious: you have to remember things and write them down, change your settings periodically to stay safe, and use many different methods to get into your account, often relying on third-party services such as email. In an effort to make security better and easier to understand at the same time, we're gonna talk about Two Factor Authentication today. We'll also go over the current security features on LS-RP and the changes that await them.
What is Two Factor Authentication?
Enabling Two Factor Authentication (2FA from here on) provides another layer of security to your account. It'll require you to provide a code generated by an application on your phone to prove your identity when logging in from a new device. This code changes every 30 seconds, making it practically impossible to guess.
How does that work? Why do I need to install an LS-RP App?!
The "Time-based One-time Password Algorithm" method for two-factor authentication is a universal standard supported by many websites and services out there. You only need one application to generate codes for all your internet accounts that support it. Here's how it works in action:
- Download a 2FA application for your mobile device. There are a few out there; I can personally recommend Authy (Android, iOS; protip: it has a Chrome extension too, if you don't want to reach for your phone when you need the app).
- Visit our website here and enable 2FA for your account. This'll give you a QR code you can scan with your mobile application.
- Scan the QR code and confirm it by providing the current six-digit code to the UCP when asked. I highly recommend writing down the "Secret code" the site gives you in case you lose access to the app or your phone. You can input it into your new phone manually without losing access to your LS-RP account.
- Whenever you connect to the UCP or game with a new device or IP address, you'll be asked to enter the code that's currently displayed on your phone.
I lost/changed my phone, or don't have access to my application anymore. Is my account gone?
If you're getting a new phone, remove the 2FA from your account first. Set it up again on the new phone after you install everything. It also helps to write down the "secret code" given to you by the UCP when you're setting the 2FA up. This can be entered into the application manually (it's the same thing as scanning the QR code) and you'll be all set on your new phone/device. If you don't have access to your phone and didn't write the secret code down when setting it up, you'll have to make a ticket to get your issue resolved.
Keep in mind that at no point do we have access to any data on your phone, or your phone number. What you see is for your eyes only and provided by third-party applications (such as Authy) which work offline as well (your phone doesn't need to be connected to the internet to generate the six-digit, one-time code).
The concept is really simple and easy once you understand it. If you're having trouble understanding it from what I wrote, you can always google "How does Two Factor Authentication work" or something similar.
Currently, your account has the following security features:
- Main account password - for when you need to log into the UCP.
- Character passwords - individual password for each of your characters, used in-game.
- Secret word - second password you need to use when logging into your in-game account from a new device. This will be ignored when you have 2FA set up, and eventually the feature will be removed altogether.
- Memorable word (+memorable hint) - you're asked for this when someone from staff needs to verify your account (for example on the ticket page). This will likely be removed soon and replaced with a more intuitive, automated system rather than a hint/answer combination.
- Security question (+security answer) - used on the UCP when you need to change your password, memorable word or hint, or e-mail. Also used during recovery of your account. This might be replaced by 2FA to a certain extent, or reworked in the future.