I had kind of a strange idea. I am not sure how many people are familiar with WoW and FFXI "security tokens". They are small plastic trinkets that look like a small stop-watch. You tie them in to your MMO account, and every time you want to log in, the game requires you hit a button on the token and also enter the code that appears on the small string. It adds an extra layer of security by requiring something in the real world.
Of course no PBBG can take security to that level since we can't manufacture electronics like that. But what I was thinking of, is if a player elected to add another layer of security when they are signing up, they could ask for a "security page". This would be a simple HTML + Javascript page that would be generated by PHP. The script would be simple, such as taking the current time (only as accurate as the minute, no seconds or milliseconds) and multiplying it by a random single-digit number with many decimal places, up to 8- and 9-digit numbers. The random number would be stored in the database, and the player would be directed (perhaps with a small animation showing them how) to save their "security page" onto their computer. Then when they want to log in, they would be required to run their saved page and enter the number generated by the Javascript page, which would be compared against the number that is known on the database, also multiplied against the current time in minutes (so naturally they only have one minute to enter the code). While the token is still on the computer, where it can be found by attackers, game players rarely actually hack each other's computers since you have no way of ever finding the target's computer. Almost all account hacking is either done randomly through key logging with malware or by brute forcing weak passwords. Both of these would be foiled through this strategy, since the random number will be too long and complex to brute force, and a keylogger would only record one instance of the code being entered, which would be void in under 1 minute.
Obviously for the vast majority of PBBGs, their community size and the interest in stealing accounts is so low it isn't worth the time and effort. But if a game did ever grow to the size where accounts were being occasionally stolen and sold, or if there simply amassed a large amount of angry ex-players bent on causing problems, it could potentially be an option. Of course something like this would have to be optional and under the player's discretion to start, just like WoW and FFXI security tokens.
"Security token" for PBBGs
- Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
The indelible lord of tl;dr
Re: "Security token" for PBBGs
That's kind of like USB dongles. Programs like Cubase use them, basically you have to put in the USB thing or you can't open the program.
Jackolantern wrote: I had kind of a strange idea. I am not sure how many people are familiar with WoW and FFXI "security tokens". They are small plastic trinkets that look like a small stop-watch. You tie them in to your MMO account, and every time you want to log in, the game requires you hit a button on the token and also enter the code that appears on the small string. It adds an extra layer of security by requiring something in the real world.
As for the rest of that, it does sound like it would add some security, though I agree that it would have to be optional. Good idea.
w00t
- hallsofvallhalla
- Site Admin
- Posts: 12026
- Joined: Wed Apr 22, 2009 11:29 pm
Re: "Security token" for PBBGs
Sounds like a good idea. Truth is Captchas are the worst idea for a security system. For the life of me I cannot understand why we use them.
Use pictures, a video, math, anything but letters and numbers. So stupid.
Sites that use Flash should use a Flash captcha. Have 100 random 3-second movies that each have 3 questions or something, bigger sites could have hundreds or thousands of movies.
"What was the boy's shirt color?"
"How many times did the green crayon jump?"
Even a picture or something.
- Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
Re: "Security token" for PBBGs
Systems to beat password crackers are a good thing, even if it is just Captchas, since the overhead for the cracking program to read the image would render the cracker useless. Password crackers live and die based on their performance, since they have to check billions of possible combinations in very short periods of time.
But a major problem is users who don't choose good passwords. Some casual internet users simply choose "password" for their password, thinking that no one will guess that (when in actuality, most crackers try "password" first). Another portion of this group will choose a word that is on the login screen, or the name of the service/game. All of these don't even require a cracker, as someone can break them by hand in minutes. Of course users who would choose a password like this would likely not be security-minded enough to download a security token page. Some sites force users to choose strong passwords, but that opens another can of worms in that it can cause people to choose random passwords that they forget in minutes, and it also adds a barrier to entry that could cause them to leave your registration page if they were already on the fence.
The indelible lord of tl;dr
Re: "Security token" for PBBGs
As has been said before, security is always a direct trade-off with usability. For our generally small PBBG projects, it may not be worth it to go overboard with security features. But new security features like this idea here are great because people will have to work that much harder to figure out this new system. We aren't stopping them by any means, eventually they will find a way to break it. But all we can do is hold them off for some unforeseen amount of time.
w00t
- SpiritWebb
- Posts: 3107
- Joined: Sun Jul 12, 2009 11:25 pm
Re: "Security token" for PBBGs
That sounds like a great idea.
I use the security token for work. A small electronic display with button that I have to turn on to get the new code to remote into my work PC from home. Neat little gadget.