Two-factor authentication on Frontier customer accounts

Dear Frontier Team,

In times when player accounts are often hacked and stolen (see e.g. Steam), their protection is even more important. Many game manufacturers therefore use two-factor authentication as standard to protect their customers.

You also already use this security method in various places:

- Elite Dangerous launcher: Sending an activation code by email when logging in with an unknown PC.

- Frontier Forum: Generating a code using an authentication app such as Google Authenticator to log into the account.

Unfortunately, this protection is not consistently enforced. Two-factor authentication is neither used nor even offered in the settings for the Frontier customer account, over which I've purchased E: D and many other things over the years; so this account is vital to me. At this point, only the email address and password are sufficient to log in. No further code is required.

And that is where the problem lies:
If this data is stolen, e.g. through a hack, the thief not only gains access to my valuable user account and can use it to make purchases. Since this log-in data is also used to dial into Elite Dangerous, a thief could lock me out just by changing the password. I know what I'm talking about. This happened to my Sony Playstation account once and it was very hard to regain access. I don't want this to happen to my much, much more important Frontier account.

Therefore, I do have an urgent request:
Please give us customers the option to secure our valuable user accounts at Frontier via two-factor authentication as well, as you already do on the Frontier forum.

Thank you very much!

Kind regards and stay healthy,

CMDR J0ker_MDK
 
I am still surprised that MFA is not mandatory EVERYWHERE where ppl use any personal details... Remember one thing, security is always afterthought when platform development finishes... It is always most underdeveloped option, very often left behind till there is real security breach - at that point the owner of the platform will be forced to make improvements which again, very often are minimal to only satisfy the compliance... Security cost money and we all know that businesses are here to make money not spend them on those fancy, unnecessary things...
 
(...) Security cost money and we all know that businesses are here to make money not spend them on those fancy, unnecessary things...

That's true, of course. However, since the technology is already being used to protect the forum accounts, I have high hopes that porting it to Frontier accounts will be possible without much effort or cost; basically, everything is already available and ready for use elsewhere.
 
I'm fine as long as it's not mandatory.
Since it's usually tied to a phone number, I'm not ok with giving it out willy nilly, the weak link in the chain is usually not the end user, but the multitude of corporations that get data breaches while in charge of your personal info.
Yeah I'm a dinosaur, but have never had anything physically, or digitally "stolen" from me.
 
I'm fine as long as it's not mandatory.
Since it's usually tied to a phone number, I'm not ok with giving it out willy nilly, the weak link in the chain is usually not the end user, but the multitude of corporations that get data breaches while in charge of your personal info.
Yeah I'm a dinosaur, but have never had anything physically, or digitally "stolen" from me.

Of course, this should be only one option. Those who do not want to use this technology should not have to.

By the way, I don't mean two-factor authentication via a smartphone, where an SMS with the needed code is being sent, for example. I'm talking about apps such as the Authenticator from Google and Microsoft which can be downloaded in an app store. They are free, reliable and you don't need a phone number, because the required codes are generated and displayed in the app itself. With such an app, you can already protect your forum account at Frontier if you want to. And I wish this security feature could be applied to the Frontier customer account as well.
 
I'm fine as long as it's not mandatory.
Since it's usually tied to a phone number, I'm not ok with giving it out willy nilly, the weak link in the chain is usually not the end user, but the multitude of corporations that get data breaches while in charge of your personal info.
Yeah I'm a dinosaur, but have never had anything physically, or digitally "stolen" from me.
Phone is only one option. There are other technologies that could be utilised. Phone is just added convenience. Have a look at Authy, it is an app, generates codes, is portable, it is safe and is used by many in the IT security circles. I use combination of LastPass and Authy. It lives on the phone but also on my computer. There are also YubiKey type of devices and physical fobs for code generation. Many options out there. I am sure you will find alternative to your precious phone... By the way - SMS authentication is the weakest of them all so really should not be an option...
 
NOOOOOOOOO!

I don't use mobile. Don't force me to pay 1 more bill just to play games. You will lose 1 player at least :D
 
NOOOOOOOOO!

I don't use mobile. Don't force me to pay 1 more bill just to play games. You will lose 1 player at least :D
Why would you need to pay any bill. You can use mobile w/o SIM card... Hell, you can have those apps on the tablet, or PC or web...
 
Why would you need to pay any bill. You can use mobile w/o SIM card...
Bcs 2-factors are bound to phone number. If it uses my cable, why should I bother to use/have extra device at all? >:
Point is, my computer is physically secured.
Phone is not. It can be lost, forgotten in bar etc. Also SIM / phone num is no way my property. Forgot to pay bill - lost your number.
And also there is S7 breach - hard to repeat, but possible.
Also there are office-repeaters devices, which pretend to be base - station and can be reprogrammed to catch SMS.

So I have no idea why I should delegate my security to so many other companies.

I'm fine with my physically secured desktop. And as software security - I use Linux. Do not use windows since 2013.
 
I'll pass - thanks anyway

I use Roboform to generate and save 16 character complex passwords.

Anyone who wants to waste the compute power to crack it can have my account...
 
Bcs 2-factors are bound to phone number. If it uses my cable, why should I bother to use/have extra device at all? >:
Nope, this is not correct. It might be but phone number is just one medium. I am confused about using your cable... I do not see relation between those two??

And also there is S7 breach - hard to repeat, but possible.
I am yet to see actual implementation of this beyond controlled, lab environment. Tin foil hat issue this one, sorry...

Also there are office-repeaters devices, which pretend to be base - station and can be reprogrammed to catch SMS.
It is way more complicated than you think... Sorry but you starting to sound like person reading too much on the Internet and believing some random stuff...

So I have no idea why I should delegate my security to so many other companies.
Security is a choice. You make your own decisions but please do not try to justify why adding additional layers of security is a bad idea. Hint is in the name. More security doesn't hurt. It is a pain to deal with it from time to time but it is not going to hurt anyone. And at some point it might even help...

I'm fine with my physically secured desktop. And as software security - I use Linux. Do not use windows since 2013.
Oh boy, I do not even know where to start on this. If you're happy with Linux please use it. I use open source myself. But please also stop spreading FUD. Linux is full of vulnerabilities in the same way as any other operating system. That is why security professionals make so much money trying to be ahead of so called "hackers" - wrong word by the way to describe malicious computer user with agenda...
 
Almost 40 years online now and still haven't been hacked.

Strong edge defense and common sense are the best defense.

We filter known bad ip addresses on PFSense with over 10k sites blocked using several sources that constantly update the lists.

Anyone can also run MVPS Hosts file blocker to accomplish pretty much the same thing.

Two factor? Maybe for banking and financial, but for everything else, Malwarebytes and MVPS hostfile blocking will keep most users out of trouble as long as they don't open unsolicited email attachments and can spot a Phish.

And as noted before a good password manager that generates strong random pwds. I like Roboform because it doesn't force you to store pwds online unless you want multiple device sync. I just store on my local PC and put a backup on my storage server. Then when I need to refresh another device like a laptop or tablet, I just import from my home server.

I think even LastPass got hacked a while back.

But for ED? 2 - form is a bit of overkill methinks.
 
I'm certainly not opposed to options, but mandatory 2FA is not at all appealing for something like this. I tolerate it for financial stuff where real money is on the line, but rarely is it worth the hassle elsewhere.
 
1. 2FA is not supposed to be mandatory, but just another option for those of us who want to protect their Frontier account even more. This is how the 2FA can already be used here in the forum. However, it must be explicitly activated and set up in the settings. Nothing else should apply to the Frontier account. Voluntary is the magic word here!

2. You have never been hacked personally?! Congratulations, because you don't have to. It is already enough if the operator uses software on his servers that has security holes without knowing it, whereby entire databases can be stolen, and then sold on the Darknet for blackmail purposes. That's how thieves got my Playstation account. And then it doesn't matter how long and complex your password is.

Just take a look at this page: https://haveibeenpwned.com/

None of us has any influence on data leaks on third party. However, in the event that login data is leaked, 2FA is another barrier to prevent account theft.

And since this technology can already be used here on the forum, I only wish I could protect my Frontier account that way, too. Not mandatory!
 
I'm fine as long as it's not mandatory.
Since it's usually tied to a phone number, I'm not ok with giving it out willy nilly, the weak link in the chain is usually not the end user, but the multitude of corporations that get data breaches while in charge of your personal info.
Yeah I'm a dinosaur, but have never had anything physically, or digitally "stolen" from me.

I don't have a mobile, which causes problems normally with this type of auth.
 
Just take a look at this page: https://haveibeenpwned.com/

None of us has any influence on data leaks on third party. However, in the event that login data is leaked, 2FA is another barrier to prevent account theft.

And since this technology can already be used here on the forum, I only wish I could protect my Frontier account that way, too. Not mandatory!
Checked. My old email is pwned which I used for socials. Well, I don't use that mail any more for new accounts and important accounts moved out long ago. Trash email was pwned, how bad :D I throw it for non-important things, like 2nd free epic account here which is never used yet.
 
I don't have a mobile, which causes problems normally with this type of auth.

... And that is why the use of a 2FA should remain voluntary. Those who don't want to use this security technology or can't use it for various reasons should just leave it alone. However, all other customers would have considerable added value if Frontier were to offer 2FA as an option for customer accounts, especially since - I can only repeat myself - this technology is already available here in the forum. Someone at Frontier was obviously aware of the problem with data theft and has implemented appropriate precautions with the 2FA. So why not offer this security benefit to customer accounts as well?!

Maybe I've just been lucky, but I've never had any problems with the apps on any of my devices on any platform. I have backed up all my user and customer accounts this way. The extra effort of entering a numerical code is always worth the extra security to me. And for "lazy" users, some operators of online platforms also offer the option of "trusting" the PC you are currently using, so that in the future you will no longer need to enter the code, either for a limited period of time or even forever; although the latter does not really make sense if you have decided to use 2FA. ;)
 