
Dual factor authentication for free trials?


Beirut


Just an idea. Could you maybe take an approach similar to Steam's limited accounts?

Let's say if your account has more than 30 dollars worth of purchases (aka you own a single full-fidelity plane or a single paid map), it will become verified and you will be able to start trials without needing extra authentication. The two-factor requirement would therefore only be used if the account is absolutely fresh.

That would make having multiple accounts to run infinite trials (which I assume is what the restriction is about), pretty costly while having minimal impact on regular customers or even relatively new people.

Good idea
  • Like 2

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


6 hours ago, Tomas9970 said:

Just an idea. Could you maybe take an approach similar to Steam's limited accounts?

Let's say if your account has more than 30 dollars worth of purchases (aka you own a single full-fidelity plane or a single paid map), it will become verified and you will be able to start trials without needing extra authentication. The two-factor requirement would therefore only be used if the account is absolutely fresh.

That would make having multiple accounts to run infinite trials (which I assume is what the restriction is about), pretty costly while having minimal impact on regular customers or even relatively new people.


I think there's a false assumption that 2FA is about stopping abuse of multiple accounts for trials. It's not. It can't be. It doesn't work like that. 

2FA has nothing to do with ED not trusting you. It has nothing to do with ED tracking you, or locking your account down to one mobile phone number, or device. It has nothing to do with (nor can it) stop you from making multiple copies of accounts for consistent trials if that is their goal. (Which by your above post, it appears to be your understanding).  2FA can't prove any of this. 

All 2FA does is add an extra layer of security to your account that means someone requires more than a username and password to get into your account. That is it.

That way, if someone manages to get your username and password (such as off a hack list) - they still can't get in. Even if they were watching over your shoulder and knew your username and password, and watched you type in your 2FA, once they get home, (or even 30 seconds later) they couldn't log into your account knowing all that - because your 2FA has now changed to another number.

All it is is an extra layer that a would-be thief would have to get through in order to log into your ED account. That is it. It does not, and cannot stop people from abusing the trial licensing. That is not its purpose.

As such, having purchases in your account does nothing to increase or reduce the risk compared to 2FA. Having purchases can't reduce the risk of hacking into your account. From my perspective, the more purchases you have, the better off you are with 2FA. It's the accounts with little to no purchases that are the least risk because what's a thief going to get? Next to nothing. On the contrary, an account with all the terrains and 3/4 of the modules is another matter. We would want extra protection on those. 

Now, looking at the flip side - if all this is as people are assuming - about ED trying to stop people from using multiple accounts for trials, then yes - your idea would be good. But 2FA isn't for this, and can't do this, so I really think people's assumptions about its use here are extremely flawed.

As to the question why ED has decided to enforce 2FA for accounts that want trials I do not know, nor understand, but I can take an educated guess. That would be that they might be having an increase of issues with people's accounts being hacked that is causing a higher work load, and they want to reduce this. If so, 2FA is one of the simplest solutions for this. But not many people have been using it. How can they encourage more to get on it? Well, as people try out new modules, require people to turn it on. These people may not be aware of 2FA until then, or just be apathetic and not care. This gets them over the line.

Making it compulsory on trial purchases will have a lot of people switch over to 2FA, securing their accounts better. Doing trial purchases may be the best option, because making it compulsory on existing purchases may be received poorly at forcing people to do this for something they've already paid for. (And given the reactions to the misunderstandings here, if this was their reason, they'd probably be right). 

If, on the other hand ED are doing this to try and stop multiple-account trial license abuse, then they'd be barking up the wrong tree. 2FA can not make any difference with this except for those who misunderstand it and are scared off by it thinking that it's doing something that it's not.

  • Thanks 1

38 minutes ago, Dangerzone said:

As to the question why ED has decided to enforce 2FA for accounts that want trials I do not know, nor understand, but I can take an educated guess. That would be that they might be having an increase of issues with people's accounts being hacked that is causing a higher work load, and they want to reduce this.

If you believe this, then you think that ED is lying to their customers to try and make them do something.  ED has explicitly said (multiple times) that this is in response to problems with cheating on trials.  How people are cheating and how this stops (or at least makes it harder) this cheating I have no idea, and I really doubt ED is going to enlighten us by telling everyone how to exploit it.  If ED was doing this for the reasons you suggest, I can believe they might start with trials, but I don't believe that they would make up a fake reason just to start doing this.  The blowback from lying to their customers would be worse than the blowback of introducing TFA.

Not knowing what the exploit is or how TFA fixes it, I'm really not sure that having "established" accounts considered "safe" would be any help.  Who's to say it's not people that have bought modules already that are exploiting the trials so they don't have to buy more modules?  Personally ED have given me no reason not to believe them on this.

  • Like 1

3 hours ago, rob10 said:

If you believe this, then you think that ED is lying to their customers to try and make them do something.  ED has explicitly said (multiple times) that this is in response to problems with cheating on trials. 

Hey there, I'm really not looking for an argument, but I'd ask that you please refrain from putting words into my mouth about what I'm thinking. I never said I think ED is lying to their customers. I have no idea what ED have stated. All I am simply doing is clearing the air as to what 2FA is, what it does, and what it doesn't do, and correct the false assumptions people have, while trying to help people understand its purpose, potential reasons for its use, and alternatives besides google or smartphone apps that people have expressed desires for due to understandable, but not relative privacy concerns.

The limits of its use are basic facts and simple. I've worked with the source code myself, but no one needs to trust me. It's freely available on the net for anyone who wants to check and see how simple and basic it really is. It doesn't take much to see how basic it is and confirm if what I'm saying is true or not for anyone who is interested.

I'm confused with the resistance to my trying to clear the very smoky air from the misunderstandings about 2FA, and what seems like determination to continue to keep ignorant of its purpose, capabilities and limitations and be upset about issues that don't need to be issues. But I've spent about as much time on this as I'm willing to and I really don't want to keep going on with people about it if they don't want my knowledge and input, so I'll respectfully bow out of this discussion as it's now past the point of productivity and into diminishing returns.


Edited by Dangerzone
  • Like 1

2 hours ago, Dangerzone said:

Hey there, I'm really not looking for an argument, but I'd ask that you please refrain from putting words into my mouth about what I'm thinking. I never said I think ED is lying to their customers. I have no idea what ED have stated. All I am simply doing is clearing the air as to what 2FA is, what it does, and what it doesn't do, and correct the false assumptions people have, while trying to help people understand its purpose, potential reasons for its use, and alternatives besides google or smartphone apps that people have expressed desires for due to understandable, but not relative privacy concerns.

The limits of its use are basic facts and simple. I've worked with the source code myself, but no one needs to trust me. It's freely available on the net for anyone who wants to check and see how simple and basic it really is. It doesn't take much to see how basic it is and confirm if what I'm saying is true or not for anyone who is interested.

I'm confused with the resistance to my trying to clear the very smoky air from the misunderstandings about 2FA, and what seems like determination to continue to keep ignorant of its purpose, capabilities and limitations and be upset about issues that don't need to be issues. But I've spent about as much time on this as I'm willing to and I really don't want to keep going on with people about it if they don't want my knowledge and input, so I'll respectfully bow out of this discussion as it's now past the point of productivity and into diminishing returns.


I appreciated all the TFA explanation (and I very much appreciated your details on using the Microsoft authenticator as an alternative) and I wasn't trying to argue any of that, I just don't agree that ED is introducing TFA for reasons other than stopping abuse of trials, which is how I took the part of your post I quoted. Their explanation has been stated in this thread (and/or the 2nd related one in this subforum) so I assumed you would have seen it before your post. I did overlook the fact that you did only specifically speak about TFA in relation to multi-account abuse in your post. The 2nd part of my original post was not meant to be specifically directed at you, it was a comment I had been intending to make prior to reading your post. I'm sorry if you took my post as an attack on you, that was not my intention, and I regret that it has caused you to bow out from sharing information regarding this. For what it's worth, I generally agreed with your posts (other than the specific part I quoted) and wondered about how upset people were getting over TFA.


Edited by rob10
  • Like 1
  • Thanks 1

@Dangerzone pls stay with us here. Seems to me we need people who know about this kind of 2FA.

I ask myself how authenticators can work on several devices or systems? Does the second authenticator need a code from the first initially to start working? Or is it enough to log into the account with the first authenticator and establish the second from there?

edit: just read about WinAuth, and it seems you can note the initial secret key and put it in as many WinAuths as you want to. Can someone with knowledge confirm this?


Edited by Tom Kazansky
  • Like 2

1 hour ago, rob10 said:

I appreciated all the TFA explanation (and I very much appreciated your details on using the Microsoft authenticator as an alternative) and I wasn't trying to argue any of that, I just don't agree that ED is introducing TFA for reasons other than stopping abuse of trials, which is how I took the part of your post I quoted. Their explanation has been stated in this thread (and/or the 2nd related one in this subforum) so I assumed you would have seen it before your post. I did overlook the fact that you did only specifically speak about TFA in relation to multi-account abuse in your post. The 2nd part of my original post was not meant to be specifically directed at you, it was a comment I had been intending to make prior to reading your post. I'm sorry if you took my post as an attack on you, that was not my intention, and I regret that it has caused you to bow out from sharing information regarding this. For what it's worth, I generally agreed with your posts (other than the specific part I quoted) and wondered about how upset people were getting over TFA.


Thanks for clarification Rob. My apologies for misunderstanding where you were coming from and I appreciate the clarification. TBH, it's been a week of headbutting walls, and I misunderstood where you were coming from, so the clarification is greatly appreciated! 🙂 I also haven't read every post, I got through a few and thought "oh dear - this is a mess that needs clarification" and jumped in.


Edited by Dangerzone
  • Like 2

1 hour ago, Tom Kazansky said:

@Dangerzone pls stay with us here. Seems to me we need people who know about this kind of 2FA.

I ask myself how authenticators can work on several devices or systems? Does the second authenticator need a code from the first initially to start working? Or is it enough to log into the account with the first authenticator and establish the second from there?

edit: just read about WinAuth, and it seems you can note the initial secret key and put it in as many WinAuths as you want to. Can someone with knowledge confirm this?


Hi Tom,

So how it works is like this. The QR code (or the manual seed code) you get is all that's needed for the devices to calculate the authentication. 

I give an analogy in here of how it works. No devices need to know about other devices. If you enter the same manual code, all devices will give you the same number because all it is is combining the initial seed/code with the current date/time to come up with a specific number. (Which number and combinations will be different depending on the starting seed/code)


You are correct. If you note the initial secret key/code/seed - you can put it in as many WinAuths (or as many different authenticators as you want). You can have WinAuth running on your PC, Microsoft Authenticator running on your phone, etc. They will all just combine your initial secret key with the current date/time and give you a calculated figure that should match.

This is the best 2FA (in my opinion) for this kind of setup, because:

1) It's an open formula that can be used (and is used) by many different programs, and

2) There's no syncing between devices, so you can have multiple independent devices as backups, or convenience, and

3) Unlike SMS messaging, there are no costs involved in its use, and

4) It's completely separate/independent. There's no network needed. No tracking. No having to give ED any personal information.

It's effectively 'free extra security'. 


Edited by Dangerzone
Clarification
  • Like 1
  • Thanks 1

2 minutes ago, Dangerzone said:

Hi Tom,

So how it works is like this. The QR code (or the manual seed code) you get is all that's needed for the devices to calculate the authentication. 

I give an analogy in here of how it works. No devices need to know about other devices. If you enter the same manual code, all devices will give you the same number because all it is is combining the initial seed/code with the current date/time to come up with a specific number. (Which number and combinations will be different depending on the starting seed/code)


You are correct. If you note the initial secret key/code/seed - you can put it in as many WinAuths (or as many different authenticators as you want). You can have WinAuth running on your PC, Microsoft Authenticator running on your phone, etc. They will all just combine your initial secret key with the current date/time and give you a calculated figure that should match.

Thanks a lot 👍

  • Like 1

7 hours ago, Dangerzone said:

I think there's a false assumption that 2FA is about stopping abuse of multiple accounts for trials. It's not. It can't be. It doesn't work like that. 

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum.

  • Like 1
  • Thanks 2
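Dangerzone's explanation (same seed plus the current date/time gives the same number on every device, no syncing needed) and Blazkovitch's point (the code depends on an accurate clock) both describe time-based one-time passwords: RFC 6238 TOTP, built on RFC 4226 HOTP, which is what WinAuth, Microsoft Authenticator and similar apps implement. The block below is an added example, not code from this thread, from WinAuth or from ED. It uses only the Python standard library, the secret is the RFC 6238 test-vector key (constructed for the example, not any real account's key), and the one-step tolerance window in `verify` is an assumption about typical server policy, not something ED has stated. The `ExampleSim` issuer and account name are placeholders.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 6238 test-vector secret (ASCII "12345678901234567890") in base32, which is
# the form an authenticator shows as the "manual key" under the QR code.
# Constructed for this example; it is not any real account's key.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the period every common authenticator assumes by default
DIGITS = 6


def decode_secret(secret_b32: str) -> bytes:
    """Turn the human-readable base32 key into the raw HMAC key (re-adding padding apps often omit)."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = decode_secret(secret_b32)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is just how many 30-second steps have elapsed since the Unix epoch.
    Any device holding the same secret with a correct clock computes the same code; nothing syncs."""
    return hotp(secret_b32, unix_time // step)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check. `window` steps of drift either way are tolerated (assumed policy).
    A client clock that is minutes off lands outside the window and its code is rejected."""
    base_counter = server_time // STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base_counter + drift), submitted):
            return True
    return False


def enrolment_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes (the Key URI format read by Google
    Authenticator, Microsoft Authenticator, WinAuth and others). Issuer/account are placeholders."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = int(time.time())
    print("QR payload:", enrolment_uri("ExampleSim", "pilot@example.invalid", DEMO_SECRET_B32))
    code_pc = totp(DEMO_SECRET_B32, now)      # "WinAuth on the PC"
    code_phone = totp(DEMO_SECRET_B32, now)   # "authenticator on the phone": same secret, same clock
    print("PC:", code_pc, "phone:", code_phone, "agree:", code_pc == code_phone)
    print("accepted by server now:", verify(DEMO_SECRET_B32, code_pc, now))
    print("accepted with clock 2 min slow:",
          verify(DEMO_SECRET_B32, totp(DEMO_SECRET_B32, now - 120), now))
```

Run it and the two "devices" print the same six digits, which is the whole reason copying the manual key into several apps works. The last line shows the clock dependency Blazkovitch mentions: a code minted by a clock two minutes behind is outside a one-step window and is refused, so a machine with a badly drifted clock will be told its codes are wrong even though the secret is correct.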

48 minutes ago, Blazkovitch said:

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum.

Oh, that's what people were/are doing or how ED are trying to use this for trials?  Ummm..  OK. I won't say anything further on this re 2FA because I don't want to cause problems by exposing the holes with this approach. 🤐 

Good point though on the hardware-based checksum. Hopefully that's already being used, as that would definitely be a way of tracking abusers with the multi-account approach, and thanks for clarifying or giving a reason why people are linking 2FA with 'trial abuse' security. I appreciate the explanation.


Edited by Dangerzone
  • Like 2

At this point one can only speculate. We officially know the measures taken were aimed at some form of practice of abusing trials, but I indeed doubt ED will reveal any compromising tech details.

I'm bookmarking this thread, though. Have no idea what WinAuth is and haven't used such 2FA solutions (no-phone ones I mean) myself, so I'm glad to read your extra tips and tricks. They'll come in handy outside of DCS as well.

  • Like 2

i7 9700K @ stock speed, single GTX1070, 32 gigs of RAM, TH Warthog, MFG Crosswind, Win10.


34 minutes ago, Dangerzone said:

Oh, that's what people were/are doing or how ED are trying to use this for trials?  Ummm..  OK. I won't say anything further on this re 2FA because I don't want to cause problems by exposing the holes with this approach. 🤐 

Good point though on the hardware-based checksum. Hopefully that's already being used, as that would definitely be a way of tracking abusers with the multi-account approach, and thanks for clarifying or giving a reason why people are linking 2FA with 'trial abuse' security. I appreciate the explanation.


I don't know if that's the reason but I heard about such cases 🙂 And this is still not a bullet-proof solution unless you require it for every login (I think). I'm happy with the trial mechanism and I can see other ways to enforce security which are worse than using 2FA 😉 

BTW, if someone does not want to use a mobile phone and does not trust a standalone app, a browser-based option is also possible (with an additional benefit of improving the security posture of the individual by introducing him to a Password Manager such as Bitwarden or Proton Pass). And if you own an iPhone you can (if I'm not mistaken) import 2FA into the built-in Password Manager. Finally, if someone is still a yellow-sticky-notes-kind-of-a-guy then <insert Michael Jordan's quote here>.

  • Like 1

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum.

Ah! Of course!

Sent from my MAR-LX1A using Tapatalk


10 hours ago, Dangerzone said:

I have no idea what ED have stated.

They stated that it's done for security and to fight Free Trials abuses.

🖥️ Win10  i7-10700KF  32GB  RTX3060   🥽 Rift S   🕹️ T16000M  TWCS  TFRP   ✈️ FC3  F-14A/B  F-15E   ⚙️ CA   🚢 SC   🌐 NTTR  PG  Syria


I'm not surprised some people are hesitant to trust any company these days with all the pressure from global tech 'advisers'. 

Since I'm not exactly a cyber genius and I love open and clear communication I'd be extremely happy to learn how the module trial system was abused for educational and preventive measures. CVE on Virustotal? lol.  I imagine 2FA countermeasure would suggest some ID shenanigans. 

As far as any personal data being collected and sold and re-sold... that battle was already lost for me a long time ago. Now, I simply focus on keeping AI totally confused and not being able to make any coherent profile on me... other than a nutcase 🤪. The more restrictive you get, the more flags pop up. No Tor browsers, no de-googled phones, etc. Besides, if I ever tried to do any of that, it would not be to hide something but simply to piss these controlling buggers off 😬

Back to standby... 

  • Like 1

  • 2 weeks later...

@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 

 

So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 😁

  • Like 2
  • Thanks 1

Some of the planes, but all of the maps!


@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 
 
So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 
Awww, that's nice! Haha!
Yes, a huge shout out and thanks to @Dangerzone
I learned something even if I've been using 2FA for years for work.
This forum is awesome!

Sent from my MAR-LX1A using Tapatalk

  • Like 2
  • Thanks 1

10 hours ago, Beirut said:

@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 

 

So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 😁

Glad to hear I could be of help and you've got a suitable solution. Enjoy your trials! (Which reminds me, it's about time I teased myself with something else). 😁

  • Like 2

30 minutes ago, Dangerzone said:

Glad to hear I could be of help and you've got a suitable solution. Enjoy your trials! (Which reminds me, it's about time I teased myself with something else). 😁

 

Thank you again for the help. I do enjoy the free trials. I'll be in the MiG-19 tonight. Another three weeks before I can try the trainers again, those are the ones I'm really waiting for.

  • Like 1

Some of the planes, but all of the maps!


2 minutes ago, Burning Bridges said:

Question: Is two stage authentication permanent or can it be disabled again?

Cause even if the reasons seem plausible it sounds like a major pita and I am on the fence if I'd rather skip trials. tbh I'll be damned if I want to require a phone every time I play a sim.

AFAIK, it'd be only to access your account on the website, not for logging into the sim. And, yes, you can disable it, from your profile page on the website.

  • Like 2
  • Thanks 1

6 minutes ago, Burning Bridges said:

I'll be damned if I want to require a phone every time I play a sim.

As already mentioned the phone is not a requirement for 2FA.

  • Like 3

🖥️ Win10  i7-10700KF  32GB  RTX3060   🥽 Rift S   🕹️ T16000M  TWCS  TFRP   ✈️ FC3  F-14A/B  F-15E   ⚙️ CA   🚢 SC   🌐 NTTR  PG  Syria


15 minutes ago, Burning Bridges said:

Question: Is two stage authentication permanent or can it be disabled again?

It can be disabled … I tried the 2FA on DCS for a couple of months, found it too cumbersome having to use my phone every time I wanted to access the forum, so I disabled it with no difficulty.

15 minutes ago, Burning Bridges said:

tbh I'll be damned if I want to require a phone every time I play a sim.

The 2FA is used to access the ED websites, not for playing the sim.

  • Thanks 3

 

For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra

For Gaming: 34" Monitor - Ryzen 3600X - 32 GB DDR4 2400 - nVidia GTX1070ti - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar - Oculus Rift CV1

Mobile: iPad Pro 12.9" of 256 GB


Thanks, that would make it somewhat easier.

33 minutes ago, draconus said:

As already mentioned the phone is not a requirement for 2FA.

According to ED's instructions it is the only method. If you found a way to circumvent their anti-circumvention measure that's fine with me. But I am not interested and usually such experiments only lead to less and less time for the hobby. I want to fly not learn the latest emulation tricks.

