Player Support Blog - Account Security
Welcome to the second in a series of four blogs from the Jagex Support Team. In our first, we detailed plans to upgrade our systems. This blog is about Account Security and will examine:
Account security is a challenge for all businesses on the internet. The number of websites to which people submit personal data, and the frequency of efforts to access this data, mean that breaches are happening ever more frequently.
It's therefore no surprise that improving account security comes with some major challenges. But we are nonetheless committed to overcoming them, although we must also be realistic - these changes will take time.
Here's a detailed look at the various challenges with account security and how we're going to solve them.
Our first priority is to strengthen passwords, and work is already underway.
We’re updating our systems to allow more complex passwords to be set, and adding user guides that help users create them. We're also looking into how we can support password managers.
Work with a third-party provider is underway to implement a system which searches the internet for breached password data. That way we can warn you if you’re using a password that might not be safe, or even stop you from choosing an insecure password in the first place.
We really need your help on this, as these new systems will only benefit you if you choose to use them. In general, when it comes to password security, the essential things to remember are:
Email Notifications and Security
Once password security is improved, our focus will shift to email notification.
One of the quickest ways you can confirm you’re the owner of an account is by using the email address registered to it. This is a very common security method you have likely seen on other sites.
We're going to start sending email notifications to your email address if we see strange changes in account behaviour, and in some circumstances we will require authorisation from that email address to log in.
However, the risk of using emails for security is that we don’t know if your personal email address is secure. And if the login details for your email are the same as your RuneScape/Old School account, then you’ve made it twice as easy for someone to find all the details they need.
Essentially, the more secure your email address is, the more secure your RuneScape account is. If your email provider has extra security features like 2-factor authentication, then please use them (here are the links for Google, Yahoo and Outlook).
Ultimately, these problems mean that in the long run we want to move away from email and toward improved 2-factor authentication.
One of the most secure things you likely own is a smart phone. Some have biometrics built in, most have additional password security and importantly people are generally very protective of them.
We therefore want to make more use of your phone's security to keep your RuneScape/Old School account safe, and the way to do that is 2-factor authentication (2FA) apps.
Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please set up 2FA as soon as possible! Our aim is for all of our players to use an authenticator and for it to apply to the game and website logins.
One feature often requested by players is authenticator delays. There are several ways we could do this, such as delaying change requests or temporarily limiting trades. We haven’t ruled anything out just yet, but are mindful that there is a big risk of players getting locked out of their accounts or enduring restrictions if their phones are lost in the interim.
We must also support users who need to change authenticator because they've lost access to their phone. These change requests already happen more times a day than Player Support could handle if they had to check everyone individually.
Our preferred option, therefore, is additional account security systems.
Additional Security and Account Takeovers
We’re looking into additional security checks using the same type of technology used to tackle payment fraud. This system will allow us to react to new threats in real time, create different security models for different states of a RuneScape account (e.g. active player, dormant account, not email registered, authenticator supported etc.), and respond sufficiently fast to avoid the blocks that an authenticator delay could create.
We believe this data-driven account security method is our best chance to tackle account takeover. It can work for all accounts and for all players. However:
One of the biggest challenges we face when reviewing account recovery attempts is identifying if the request has been submitted by the account owner.
Our focus for the next year is on stopping the hijackers before they even get to an account, but regardless we need to improve how we process account recovery attempts. This may mean that appeal information requirements become stricter. It’s going to take some time to find the right balance between safety and swiftly getting players back into the game. At the moment we don’t feel we have it quite right, so work will continue on this.
And from the team
We understand how important account security is to you all, just as it is for us - we hear everything you're saying. And while we can't fix it overnight, we won't stop until things get better. We'll keep you posted on our progress but please keep talking to us, please keep sharing your concerns and please keep offering your suggestions. We're committed to doing everything we can.
The Player Support Team