Although it's been a while since our last update, work on account security improvements has continued. We have just today gone live with website login Authenticator checks, and work continues on further Authenticator improvements.
However, we've also endured a sustained multi-month attack on our servers, and the time required to manage this has pushed back other, more visible, projects.
Here's an update on where we're at:
Since the last blog, many of you have told us that you want additional security for the Authenticator. A common request is for the introduction of a delay to Authenticator changes.
A delay would give you the chance to block any attempt to remove your Authenticator by someone with access to your email address. However, introducing a delay would also create a number of issues:
So, to avoid these flaws we're taking a different approach to improving Authenticator security - Backup Codes.
We intend to introduce a Backup Code system. This means youll receive a Backup Code during Authenticator setup that you'll need to write this down and keep in a safe place. This will be used to remove your Authenticator if you don't have access to it any more, and prevents compromised emails being used to steal accounts. Your Backup Code will ONLY be used on our website to remove your Authenticator. Be sure to keep your Backup Code safe.
We've chosen this approach over a delay for a number of reasons:
In preparation for Backup Codes, we have already added Authenticator checks for all website logins.
If you lose your backup code you can get a new one when you log-in and pass your Authenticator check.
If you don't like the idea of using a Backup Code and you are 100% confident in the security of your email address, then you can continue using the old email method to remove an Authenticator, although obviously we do not recommend it.
Losing Your Backup Code & Authenticator
Once live, if you lose your Authenticator and Backup Code it will be possible to request help from Player Support, but this process will be very strict and require very clear information to ensure that you are the owner of the account. No request will be actioned for at least 72 hours.
An Authenticator Removal Request to Player Support will be a LAST RESORT.
You will not be able to rely on this service to manage your Authenticator. It will mean you aren't able to access your account for a minimum of 72 hours, and the amount of evidence you will need to prove you're the account owner is VERY HIGH.
Here are our current Account Security priorities:
It is possible that we may alter the schedule if this allows us to release security improvements faster.
We know that Account Security can be quite a complex subject and that progress can appear slow, but hopefully this gives you a clearer idea of the direction we're heading. We'll be back with another tech update in the future.
Thanks very much
The Player Support Team
The Jagex Web Team