Dual factor authentication for free trials?


Beirut


Both Google Authenticator and Duo Mobile *can* work offline; Google Authenticator gives you the option to sign in for backups etc, but you don't need to; as I understand it, Google's primary motivation here is simply reducing spam and account takeovers - it reduces their other costs, the app is not directly an income source. Duo Mobile supports the standard authentication offline, but the same app also supports enterprise 2FA services (which is where they get their money)

If there are any of the big tech companies you do trust, almost all of their apps will work with this - Microsoft, Salesforce, etc; again, their primary motivation for giving away these apps for free is usually to reduce account takeovers, which are a cost for them.

FreeOTP is probably one of the more common 100%-offline apps - and it's rated low on the Apple store because it's entirely offline: no way to transfer to a new phone, need to re-setup everything or use recovery codes etc. "Entirely offline" means "easy to get locked out of your accounts".


Edited by actually_fred
  • Like 3
  • Thanks 1

My projects:

OpenKneeboard - VR and non-VR kneeboard with optional support for drawing tablets; get help
HTCC - Quest hand tracking for DCS; get help

If you need help with these projects, please use their 'get help' links above; I'm not able to track support requests on these forums.

 


32 minutes ago, Rebel28 said:

So how does this work if you do not own a SmartPhone?

 

It doesn't, can't be used without a smartphone:

 

https://www.digitalcombatsimulator.com/en/support/faq/User_profile/#3319486

 

 

For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra

For Gaming: 34" Monitor - Ryzen 3600X - 32 GB DDR4 2400 - nVidia GTX1070ti - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar - Oculus Rift CV1

Mobile: iPad Pro 12.9" of 256 GB


SMS *lowers* security by making your account vulnerable to SIM takeover, and is actively banned as a two factor method in all modern standards. Lots of banks use it for customer authentication, and that makes pretty much every computer security professional sad. They generally insist on different - actually secure - methods for their employees though.

There's PC options including WinAuth (free) and 1Password (subscription, but well worth it as a general purpose password manager), but the downside of these is that malware on your PC can potentially steal the 2-factor configuration along with your username and password.

  • Like 1


54 minutes ago, actually_fred said:

SMS *lowers* security by making your account vulnerable to SIM takeover, and is actively banned as a two factor method in all modern standards. Lots of banks use it for customer authentication, and that makes pretty much every computer security professional sad. They generally insist on different - actually secure - methods for their employees though.

There's PC options including WinAuth (free) and 1Password (subscription, but well worth it as a general purpose password manager), but the downside of these is that malware on your PC can potentially steal the 2-factor configuration along with your username and password.

Yes, agreed (day job) but we're not talking about a resource that requires super secure MFA here. SMS would allow people who may not want to use an additional desktop app, or one of the authenticator apps, to try the trials. And let's be honest, the SIM takeover approach is not exactly simple, the effort required to pull it off far outweighs the benefits in this particular scenario.


Edited by zildac
  • Like 3

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


This sucks, I was just about to trial the Mi-8 before purchasing.

No trial, no purchase..... goodbye Mi-8.

There is no way I'm putting an app on my phone for this.

Can ED please figure out an alternative?

Oh, another thing, I introduce a lot of people to DCS and entice them with the free trials.

Most of them WILL NOT download the google app in order to do this.

ED will suffer over this.


Edited by VF19_Congo

  • ED Team

I'm sorry, but at this time it's the best we can do and still limit abuse to the system. Thanks.

I personally do not or have not seen an issue with something like Google Authenticator. It worked great and I use it for close to 20 different logins on different types of sites, I even use Steam's Authenticator App as it makes my life a little easier.

I mean at the end of the day we can remove this, and continue to watch trials be abused and people brag about it, and eventually, the trial option be removed completely, we think this is the best compromise for now.

  • Like 3
  • Thanks 1

Forum Rules • My YouTube • My Discord - NineLine#0440 • How to Report a Bug


At this point in Technological evolution,

Nearly everyone uses 2FA now, some services go as far as giving discounts if you have it set up, as it's extra security for you and the service provider.

Saying you're against 2FA is like buying a home, and removing the deadbolts and security system panel because it's one more thing to do when entering your home.

And since the Internet is easily the shadiest place on earth, the same said home would be in the shadiest neighborhood for comparative example.

All of my accounts especially those that involve any type of purchased content or subscriptions are protected by 2FA.

My employer also uses 2FA for everything through their servers as well, and has for the last 5 or 6 years.

 


Edited by SkateZilla
  • Like 2

Windows 10 Pro, Ryzen 2700X @ 4.6Ghz, 32GB DDR4-3200 GSkill (F4-3200C16D-16GTZR x2),

ASRock X470 Taichi Ultimate, XFX RX6800XT Merc 310 (RX-68XTALFD9)

3x ASUS VS248HP + Oculus HMD, Thrustmaster Warthog HOTAS + MFDs


5 minutes ago, VF19_Congo said:

You would think long standing accounts that own lots of modules (like mine) would be exempt from this, I mean you are basically calling your supporters crooks.

No, they are basically trying to keep your account safe, especially if you are someone that purchased significant amounts, as 2FA is an extra security layer to prevent anyone from gaining access to your account through dishonest or misleading methods.

  • Like 1


Real pain.

I have 2 DCS accounts, each with paid products and 2FA makes everything messy. Now every time I want to check the website I have to do 2FA. Not trial, just to login.

Fortunately, they haven't restricted logging in to the game.

Please, come up with something more sensible.


Edited by Lyrode

15 minutes ago, SkateZilla said:

Saying you're against 2FA is like buying a home, and removing the deadbolts and security system panel because it's one more thing to do when entering your home.

Ah, Yes, I forget that I live a charmed life here.... no deadbolts, no security system. My garage and toolshed don't even have doors.

Maybe I will just buy the Mi-8 anyway, I guess I'm a lucky guy after all.

 


Edited by VF19_Congo

I'm not sure if I'm missing something here, but my understanding of 2FA (in the way that ED is implementing it) is very different to what people are spouting here.

Half this thread seems to be giving misinformation. Here's a few things that are needed to clarify the 2FA authenticator method that ED is using:

1) It does not have to be linked to your mobile phone number, or even your mobile phone.

2) You are not forced into a particular application, or company. (It's an open algorithm)

3) You don't have to pay for applications in order to use it

4) You can use a free, stand-alone, open source 2FA application on your PC if you want to go that way (see below)

5) You do NOT need an internet connection, or mobile phone network, or anything to use 2FA. The only requirement for this method of 2FA to work is that the device you're running the application on (whether it be phone, PC, or some other device) has an accurate clock.


In the same way, I don't see how this has anything to do with ED not trusting their customers. It doesn't help them trace anything back to you. It only confirms future logins are from the same person who set up the 2FA option to start with.

It makes the user's account more secure (which maybe in turn, makes things more secure for ED - I have no idea how many hacked accounts they're dealing with, and maybe this is the way to get more people to start using 2FA).

But all the objections I've read here seem to either account to many people having no clue what 2FA is (they're worried about being forced to reveal phone numbers, or use smart phones, or use Google, of which none of this is true), OR I'm missing something big here.


So my question is this - WHY is 2FA a "deal breaker" for so many people? (I'm genuinely wanting to understand). Is it that there is great misunderstanding of the 2FA that ED is using, or otherwise what am I missing?

As for free apps you can use that don't require a phone, try WinAuth https://winauth.github.io/winauth/download.html

Instead of scanning the QR code, just copy and paste the manual code given by ED into the app.


Edited by Dangerzone
  • Like 4
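
The "open algorithm" described in the post above, as an added example that is not part of the original posts and is not ED's code. It assumes the standard TOTP scheme from RFC 6238 with the defaults authenticator apps normally use (HMAC-SHA1, 30-second step, 6 digits); the manual code is the RFC's published test key, and the names `decode_manual_code`, `totp` and `verify` are illustrative.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key ("12345678901234567890") in Base32, standing in
# for the manual code a site shows under its QR code. Not a real account secret.
MANUAL_CODE = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_manual_code(manual_code: str) -> bytes:
    """Turn the typed-in manual code (Base32, often space-grouped) into key bytes."""
    cleaned = manual_code.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that sites usually strip
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(manual_code: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the counter is simply the number of 30-second steps since 1970."""
    return hotp(decode_manual_code(manual_code), int(unix_time) // step, digits)


def verify(manual_code: str, submitted: str, server_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check; `window` is how many steps of clock drift are tolerated."""
    key = decode_manual_code(manual_code)
    counter = int(server_time) // step
    return any(
        hmac.compare_digest(hotp(key, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # The device clock reads 1111111109; the server clock is 2 seconds ahead,
    # which happens to fall in the next 30-second step.
    code = totp(MANUAL_CODE, 1111111109)
    print("device shows:", code)
    print("strict server accepts:", verify(MANUAL_CODE, code, 1111111111, window=0))
    print("server with +/-1 step accepts:", verify(MANUAL_CODE, code, 1111111111))
```

Nothing here touches the network or a phone number: the code is a function of the shared secret and the clock only, which is also why anything that can read the stored secret (a backup, or malware on the PC) can produce the same codes.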

4 minutes ago, Dangerzone said:

But all the objections I've read here seem to either account to many people having no clue what 2FA is (they're worried about being forced to reveal phone numbers, or use smart phones, or use Google, of which none of this is true), OR I'm missing something big here.

 

 

Maybe the fact that when you click on the free trial, the first thing it says is "Download the Google Authenticator App"

 

And thank you so much for the education Dangerzone, gonna try your suggestion with WinAuth 🙂

  • Like 3

13 hours ago, Rebel28 said:

So how does this work if you do not own a SmartPhone? Even if I did the area is a dead cell area located between 2 mountains.  

It works off the device's clock. That's all it needs, an accurate time piece. (Plus the original unique encoder code that was used to set it up, which ED provides you both with a manual text version, and a QR code).

 

12 hours ago, Rudel_chw said:

 

It doesn't, can't be used without a smartphone:

 

https://www.digitalcombatsimulator.com/en/support/faq/User_profile/#3319486

 

Sorry, but that is completely incorrect. It can be used without a smart phone. (See my post above, I've already done it)

 

11 hours ago, zildac said:
12 hours ago, Bucic said:
I've just tested it with Microsoft Authenticator. Works fine.

Still requires a "smartphone"

That is incorrect. Check out WinAuth for a non-mobile phone option.

48 minutes ago, VF19_Congo said:

There is no way I'm putting an app on my phone for this.

You don't need to put an app on your phone. Use a non-phone 2FA app if you want. See WinAuth as one (of many) free, open source, PC friendly alternatives.

 

20 minutes ago, Lyrode said:

Real pain. I have two DCS accounts, each with paid products and 2FA makes everything messy. Now every time I want to check the website I have to do 2FA. Not trial, just to login.

Please, come up with something more sensible.

This is the first concern I've read on this forum that actually has some credibility. Maybe it might be possible for ED to allow us to specify our own manual code, or use the same QR/manual code on multiple accounts, so only one 2FA code is required. But that aside, most 2FA applications out there allow you to have many 2FA's displayed simultaneously, so it's not like you need to have a separate app for each one. I've got a 2FA app with probably 15 different authenticators 'in one'. Maybe ED would consider though allowing us to link accounts for a single 2FA?

5 minutes ago, VF19_Congo said:

Maybe the fact that when you click on the free trial, the first thing it says is "Download the Google Authenticator App"

🫡  Aaaah - now the penny has dropped.   People who don't understand 2FA are seeing "Download Google Authenticator" and are going "Hell No!". 

OK - I understand. If I didn't understand how 2FA worked, I'd probably be concerned/confused by that as well. Maybe ED needs to change the website to make it a bit clearer that google authenticator is only one of many options available. 😉


Edited by Dangerzone
  • Like 1
  • Thanks 1

  • ED Team
26 minutes ago, VF19_Congo said:

You would think long standing accounts that own lots of modules (like mine) would be exempt from this, I mean you are basically calling your supporters crooks.

That's a pretty big stretch, we explained why we had to do it. We are not calling anyone crooks.

If this is going to dissolve into this type of conversation, we can just end the thread here. Please stay constructive.


2 minutes ago, NineLine said:

That's a pretty big stretch, we explained why we had to do it. We are not calling anyone crooks. 

I'm sorry, kneejerk reaction from an honest person, my bad.

If I do enable 2FA, and I lose everything on my PC, my HDD dies.... whatever, will I still be able to recover my account without anything other than ED's record of my account as it has stood in the past?

  • Like 3
  • Thanks 1

27 minutes ago, Lyrode said:

Real pain.

I have 2 DCS accounts, each with paid products and 2FA makes everything messy. Now every time I want to check the website I have to do 2FA. Not trial, just to login.

Fortunately, they haven't restricted logging in to the game.

Please, come up with something more sensible.

 

OK - I just realised it doesn't need to be a pain. I'm assuming you have 2 accounts because one is for a server, and the other is for your actual gaming?

Firstly, it looks like ED is only requiring 2FA for trial licenses. Thus, you don't need 2FA on your other account(s) such as server accounts - only the gaming account that you want to do trials with. (And I'm assuming you only have one of those, otherwise you may be breaching ED's T&C). This means that ED only require you to have 2FA on one account. (The one that you'll be doing trial licenses with).

Secondly, it's worth noting that ED gives you the option to disable 2FA as well. So, you only need to activate 2FA for the time that you want to trial the new module. Once you're finished, you can disable 2FA.


Edited by Dangerzone
  • Like 1