
Dual factor authentication for free trials?


Beirut


38 minutes ago, Dangerzone said:

As to the question why ED has decided to enforce 2FA for accounts that want trials I do not know, nor understand, but I can take an educated guess. That would be that they might be having an increase of issues with people's accounts being hacked that is causing a higher work load, and they want to reduce this.

If you believe this, then you think that ED is lying to their customers to try and make them do something.  ED has explicitly said (multiple times) that this is in response to problems with cheating on trials.  How people are cheating and how this stops (or at least makes it harder) this cheating I have no idea, and I really doubt ED is going to enlighten us by telling everyone how to exploit it.  If ED was doing this for the reasons you suggest, I can believe they might start with trials, but I don't believe that they would make up a fake reason just to start doing this.  The blowback from lying to their customers would be worse than the blowback of introducing TFA.

Not knowing what the exploit is or how TFA fixes it, I'm really not sure that having "established" accounts considered "safe" would be any help.  Who's to say it's not people that have bought modules already that are exploiting the trials so they don't have to buy more modules?  Personally ED have given me no reason not to believe them on this.

  • Like 1

3 hours ago, rob10 said:

If you believe this, then you think that ED is lying to their customers to try and make them do something.  ED has explicitly said (multiple times) that this is in response to problems with cheating on trials. 

Hey there, I'm really not looking for an argument, but I'd ask that you please refrain from putting words into my mouth about what I'm thinking. I never said I think ED is lying to their customers. I have no idea what ED have stated. All I am simply doing is clearing the air as to what 2FA is, what it does, and what it doesn't do, and correcting the false assumptions people have, while trying to help people understand its purpose, potential reasons for its use, and alternatives besides Google or smartphone apps that people have expressed desires for due to understandable, but not relative privacy concerns. 

The limits of its use are basic facts and simple. I've worked with the source code myself, but no one needs to trust me. It's freely available on the net for anyone who wants to check and see how simple and basic it really is. It doesn't take much to see how basic it is and confirm if what I'm saying is true or not for anyone who is interested. 

I'm confused with the resistance to my trying to clear the very smoky air from the misunderstandings about 2FA, and what seems like determination to continue to keep ignorant of its purpose, capabilities and limitations and be upset about issues that don't need to be issues. But I've spent about as much time on this as I'm willing to and I really don't want to keep going on with people about it if they don't want my knowledge and input, so I'll respectfully bow out of this discussion as it's now past the point of productivity and into diminishing returns. 


Edited by Dangerzone
  • Like 1

2 hours ago, Dangerzone said:

Hey there, I'm really not looking for an argument, but I'd ask that you please refrain from putting words into my mouth about what I'm thinking. I never said I think ED is lying to their customers. I have no idea what ED have stated. All I am simply doing is clearing the air as to what 2FA is, what it does, and what it doesn't do, and correcting the false assumptions people have, while trying to help people understand its purpose, potential reasons for its use, and alternatives besides Google or smartphone apps that people have expressed desires for due to understandable, but not relative privacy concerns. 

The limits of its use are basic facts and simple. I've worked with the source code myself, but no one needs to trust me. It's freely available on the net for anyone who wants to check and see how simple and basic it really is. It doesn't take much to see how basic it is and confirm if what I'm saying is true or not for anyone who is interested. 

I'm confused with the resistance to my trying to clear the very smoky air from the misunderstandings about 2FA, and what seems like determination to continue to keep ignorant of its purpose, capabilities and limitations and be upset about issues that don't need to be issues. But I've spent about as much time on this as I'm willing to and I really don't want to keep going on with people about it if they don't want my knowledge and input, so I'll respectfully bow out of this discussion as it's now past the point of productivity and into diminishing returns. 

 

I appreciated all the TFA explanation (and I very much appreciated your details on using the Microsoft authenticator as an alternative) and I wasn't trying to argue any of that, I just don't agree that ED is introducing TFA for reasons other than stopping abuse of trials, which is how I took the part of your post I quoted. Their explanation has been stated in this thread (and/or the 2nd related one in this subforum) so I assumed you would have seen it before your post. I did overlook the fact that you did only specifically speak about TFA in relation to multi-account abuse in your post. The 2nd part of my original post was not meant to be specifically directed at you, it was a comment I had been intending to make prior to reading your post. I'm sorry if you took my post as an attack on you, that was not my intention, and I regret that it has caused you to bow out from sharing information regarding this. For what it's worth, I generally agreed with your posts (other than the specific part I quoted) and wondered about how upset people were getting over TFA.


Edited by rob10
  • Like 1
  • Thanks 1

@Dangerzone pls stay with us here. Seems to me we need people who know about this kind of 2FA.

I ask myself how authenticators can work on several devices or systems? Does the second authenticator need a code from the first initially to start working? Or is it enough to log into the account with the first authenticator and establish the second from there?

edit: just read about WinAuth, and it seems you can note the initial secret key and put it in as many WinAuths as you want to. Can someone with knowledge confirm this?


Edited by Tom Kazansky
  • Like 2

1 hour ago, rob10 said:

I appreciated all the TFA explanation (and I very much appreciated your details on using the Microsoft authenticator as an alternative) and I wasn't trying to argue any of that, I just don't agree that ED is introducing TFA for reasons other than stopping abuse of trials, which is how I took the part of your post I quoted. Their explanation has been stated in this thread (and/or the 2nd related one in this subforum) so I assumed you would have seen it before your post. I did overlook the fact that you did only specifically speak about TFA in relation to multi-account abuse in your post. The 2nd part of my original post was not meant to be specifically directed at you, it was a comment I had been intending to make prior to reading your post. I'm sorry if you took my post as an attack on you, that was not my intention, and I regret that it has caused you to bow out from sharing information regarding this. For what it's worth, I generally agreed with your posts (other than the specific part I quoted) and wondered about how upset people were getting over TFA.

 

Thanks for clarification Rob. My apologies for misunderstanding where you were coming from and I appreciate the clarification. TBH, it's been a week of headbutting walls, and I misunderstood where you were coming from, so the clarification is greatly appreciated! 🙂 I also haven't read every post, I got through a few and thought "oh dear - this is a mess that needs clarification" and jumped in.


Edited by Dangerzone
  • Like 2

1 hour ago, Tom Kazansky said:

@Dangerzone pls stay with us here. Seems to me we need people who know about this kind of 2FA.

I ask myself how authenticators can work on several devices or systems? Does the second authenticator need a code from the first initially to start working? Or is it enough to log into the account with the first authenticator and establish the second from there?

edit: just read about WinAuth, and it seems you can note the initial secret key and put it in as many WinAuths as you want to. Can someone with knowledge confirm this?

 

Hi Tom,

So how it works is like this. The QR code (or the manual seed code) you get is all that's needed for the devices to calculate the authentication. 

I give an analogy in here of how it works. No devices need to know about other devices. If you enter the same manual code, all devices will give you the same number because all it is is combining the initial seed/code with the current date/time to come up with a specific number. (Which number and combinations will be different depending on the starting seed/code)

 

You are correct. If you note the initial secret key/code/seed - you can put it in as many WinAuths (or as many different authenticators as you want). You can have WinAuth running on your PC, Microsoft Authenticator running on your phone, etc. They will all just combine your initial secret key with the current date/time and give you a calculated figure that should match.

This is the best 2FA (in my opinion) for this kind of setup, because:

1) It's an open formula that can be used (and is used) by many different programs, and

2) There's no syncing between devices, so you can have multiple independent devices as backups, or convenience, and

3) Unlike SMS messaging, there are no costs involved in its use, and

4) It's completely separate/independent. There's no network needed. No tracking. No having to give ED any personal information.

It's effectively 'free extra security'. 


Edited by Dangerzone
Clarification
  • Like 1
  • Thanks 1
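As an added example that is not code from this thread, from ED, or from WinAuth, here is the calculation the post above describes, in Python: the standard TOTP scheme (RFC 6238) that these authenticators implement. It shows that two "devices" seeded with the same manual key produce the same code with no syncing between them, and a server-side check with a small tolerance window, which is why an accurate clock matters. The first seed is the RFC 6238 test secret; the second seed and the "device" labels are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard code length

# RFC 6238 test secret ("12345678901234567890" in base32); not a real account key.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed second seed, only to show that a different seed gives different codes.
OTHER_SEED = "JBSWY3DPEHPK3PXP"


def decode_seed(seed_b32: str) -> bytes:
    """Decode the base32 'manual code' shown next to the QR code.
    Spaces and missing '=' padding (as authenticator apps display it) are tolerated."""
    s = seed_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(seed_b32: str, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1(seed, floor(time / 30)) -> dynamic truncation -> 6 digits.
    Only the seed and the clock go in, so every device with the seed gets the same code."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(decode_seed(seed_b32), msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify(seed_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps.
    A device clock that drifts beyond that window produces codes the server rejects."""
    for delta in range(-window, window + 1):
        expected = totp(seed_b32, server_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):      # constant-time compare
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    pc_code = totp(RFC_SEED, now)      # e.g. WinAuth on the PC
    phone_code = totp(RFC_SEED, now)   # e.g. Microsoft Authenticator on the phone
    print("pc:", pc_code, "phone:", phone_code, "match:", pc_code == phone_code)
    print("accepted now:", verify(RFC_SEED, pc_code, now))
    print("accepted with clock 5 min off:", verify(RFC_SEED, pc_code, now + 300))
```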

2 minutes ago, Dangerzone said:

Hi Tom,

So how it works is like this. The QR code (or the manual seed code) you get is all that's needed for the devices to calculate the authentication. 

I give an analogy in here of how it works. No devices need to know about other devices. If you enter the same manual code, all devices will give you the same number because all it is is combining the initial seed/code with the current date/time to come up with a specific number. (Which number and combinations will be different depending on the starting seed/code)

 

You are correct. If you note the initial secret key/code/seed - you can put it in as many WinAuths (or as many different authenticators as you want). You can have WinAuth running on your PC, Microsoft Authenticator running on your phone, etc. They will all just combine your initial secret key with the current date/time and give you a calculated figure that should match.

Thanks a lot 👍

  • Like 1

7 hours ago, Dangerzone said:
14 hours ago, Tomas9970 said:

I think there's a false assumption that 2FA is about stopping abuse of multiple accounts for trials. It's not. It can't be. It doesn't work like that. 

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum. 

  • Like 1
  • Thanks 2

48 minutes ago, Blazkovitch said:

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum. 

Oh, that's what people were/are doing or how ED are trying to use this for trials?  Ummm..  OK. I won't say anything further on this re 2FA because I don't want to cause problems by exposing the holes with this approach. 🤐 

Good point though on the hardware based checksum. Hopefully that's already being used, as that would definitely be a way of tracking abusers with the multi-account approach, and thanks for clarifying or giving a reason why people are linking 2FA with 'trial abuse' security. I appreciate the explanation. 


Edited by Dangerzone
  • Like 2

At this point one can only speculate. We officially know the measures taken were aimed at some form of practice of abusing trials, but I indeed doubt ED will reveal any compromising tech details.

I'm bookmarking this thread, though. Have no idea what WinAuth is and haven't used such 2FA solutions (no-phone ones I mean) myself, so I'm glad to read your extra tips and tricks. They'll come in handy outside of DCS as well.

  • Like 2

i7 9700K @ stock speed, single GTX1070, 32 gigs of RAM, TH Warthog, MFG Crosswind, Win10.


34 minutes ago, Dangerzone said:

Oh, that's what people were/are doing or how ED are trying to use this for trials?  Ummm..  OK. I won't say anything further on this re 2FA because I don't want to cause problems by exposing the holes with this approach. 🤐 

Good point though on the hardware based checksum. Hopefully that's already being used, as that would definitely be a way of tracking abusers with the multi-account approach, and thanks for clarifying or giving a reason why people are linking 2FA with 'trial abuse' security. I appreciate the explanation. 

 

I don't know if that's the reason but I heard about such cases 🙂 And this is still not a bullet-proof solution unless you require it for every login (I think). I'm happy with the trial mechanism and I can see other ways to enforce security which are worse than using 2FA 😉 

BTW, if someone does not want to use a mobile phone and does not trust a standalone app, a browser-based option is also possible (with an additional benefit of improving the security posture of the individual by introducing him to a Password Manager such as Bitwarden or Proton Pass). And if you own an iPhone you can (if I'm not mistaken) import 2FA into the built-in Password Manager. Finally, if someone is still a yellow-sticky-notes-kind-of-a-guy then <insert Michael Jordan's quote here>.

  • Like 1

It requires the clock on your desktop to be accurate so no more going back in time to prolong the trial. But the risk of abusing multiple accounts is still there. This, in turn, can be mitigated by using a hardware-based checksum. 
Ah! Of course!

Sent from my MAR-LX1A using Tapatalk


10 hours ago, Dangerzone said:

I have no idea what ED have stated.

They stated that it's done for security and to fight with Free Trials abuses.

🖥️ Win10  i7-10700KF  32GB  RTX3060   🥽 Rift S   🕹️ T16000M  TWCS  TFRP   ✈️ FC3  F-14A/B  F-15E   ⚙️ CA   🚢 SC   🌐 NTTR  PG  Syria


I'm not surprised some people are hesitant to trust any company these days with all the pressure from global tech 'advisers'. 

Since I'm not exactly a cyber genius and I love open and clear communication I'd be extremely happy to learn how the module trial system was abused for educational and preventive measures. CVE on Virustotal? lol.  I imagine 2FA countermeasure would suggest some ID shenanigans. 

As far as any personal data being collected and sold and re-sold... that battle has been already lost for me a long time ago. Now, I simply focus on keeping AI totally confused and not being able to make any coherent profile on me... other than a nutcase 🤪. The more restrictive you get, the more flags pop up. No Tor browsers, no de-googled phones, etc. Besides, if I ever tried to do any of that, it would not be to hide something but simply to piss these controlling buggers off 😬

Back to standby... 

  • Like 1

  • 2 weeks later...

@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 

 

So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 😁

  • Like 2
  • Thanks 1

Some of the planes, but all of the maps!


@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 
 
So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 
Awww, that's nice! Haha!
Yes, a huge shout out and thanks to @Dangerzone
I learned something even if I've been using 2FA for years for work.
This forum is awesome!

Sent from my MAR-LX1A using Tapatalk

  • Like 2
  • Thanks 1

10 hours ago, Beirut said:

@MAXsenna I followed Dangerzone's plan and got the 2FA through my PC. No phone involved. Burned a few brain cells trying to understand it, but it worked. 

 

So thanks to Dangerzone for the info, and to you for being such a bother and pointing me in the right direction. 😁

Glad to hear I could be of help and you've got a suitable solution. Enjoy your trials! (Which reminds me, it's about time I teased myself with something else). 😁

  • Like 2

30 minutes ago, Dangerzone said:

Glad to hear I could be of help and you've got a suitable solution. Enjoy your trials! (Which reminds me, it's about time I teased myself with something else). 😁

 

Thank you again for the help. I do enjoy the free trials. I'll be in the MiG-19 tonight. Another three weeks before I can try the trainers again, those are the ones I'm really waiting for.

  • Like 1

Some of the planes, but all of the maps!


2 minutes ago, Burning Bridges said:

Question: Is two stage authentication permanent or can it be disabled again?

Cause even if the reasons seem plausible it sounds like a major pita and I am on the fence if I'd rather skip trials. tbh I'll be damned if I want to require a phone every time I play a sim.

AFAIK, it'd be only to access your account on the website, not for logging into the sim. And, yes, you can disable it, from your profile page on the website.

  • Like 2
  • Thanks 1

6 minutes ago, Burning Bridges said:

I'll be damned if I want to require a phone every time I play a sim.

As already mentioned the phone is not a requirement for 2FA.

  • Like 3

🖥️ Win10  i7-10700KF  32GB  RTX3060   🥽 Rift S   🕹️ T16000M  TWCS  TFRP   ✈️ FC3  F-14A/B  F-15E   ⚙️ CA   🚢 SC   🌐 NTTR  PG  Syria


15 minutes ago, Burning Bridges said:

Question: Is two stage authentication permanent or can it be disabled again?

 

It can be disabled … I tried the 2FA on DCS for a couple of months, found it too cumbersome having to use my phone every time I wanted to access the forum, so I disabled it with no difficulty 

 

15 minutes ago, Burning Bridges said:

tbh I'll be damned if I want to require a phone every time I play a sim.


The 2FA is used to access the ED websites, not for playing the sim.

 

 

  • Thanks 3

 

For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra

For Gaming: 34" Monitor - Ryzen 3600X - 32 GB DDR4 2400 - nVidia GTX1070ti - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar - Oculus Rift CV1

Mobile: iPad Pro 12.9" of 256 GB


Thanks, that would make it somewhat easier.

33 minutes ago, draconus said:

As already mentioned the phone is not a requirement for 2FA.

According to ED's instructions it is the only method. If you found a way to circumvent their anti-circumvention measure that's fine with me. But I am not interested and usually such experiments only lead to less and less time for the hobby. I want to fly not learn the latest emulation tricks.

 


Thanks, that would make it somewhat easier.
According to ED's instructions it is the only method. If you found a way to circumvent their anti-circumvention measure that's fine with me. But I am not interested and usually such experiments only lead to less and less time for the hobby. I want to fly not learn the latest emulation tricks.
 
No emulation tricks. The text on ED's site ain't exactly on target. You don't even have to use Google's authenticator. There's a whole elaborate thread about it.

@Rudel_chw
The forum has never asked me for 2FA codes, neither on Windows nor Android. Might be because I sync Chrome. The EShop on the other hand can't even remember my codes even if I want it to. Strange.

Sent from my SM-A536B using Tapatalk



some things I have found out in the meantime:

- you cannot disable 2FA while trial period is active

- if you lost the original one you cannot change the secret key while trial period is active. there is also no way to see it in your profile ever again afaik

- so while 2FA is enabled one could also easily lock themselves out of their own account because for every log in you always need 2 factor authentication

this could have cost a few customers who don't know how to reach out for support and may currently go through hell

so make sure to write down everything (backup secret key or QR code) and make sure your second device is safe and you don't delete anything, reinstall your OS or something like that

the trials are still a very good way to decide what to buy in the future but everyone should try to understand completely how it will work before they commit to 2FA
