Dual factor authentication for free trials?


Beirut

On 9/9/2023 at 6:12 PM, Rudel_chw said:


Pity, I tried the ED 2FA security for a while when it first appeared and didn’t like it at all: not only did it force me to have the darn phone with me every time I play, but if my phone is ever stolen or lost I would be locked out of DCS. After about two months of using it I ended up disabling the 2FA 😞

Just FYI - 2FA isn't restricted to one device. I never have my 2FAs on only one device (as I have the same concerns as you - what if my phone is lost or stolen).

Using either the QR code, or the manual code, you can have your 2FA on multiple independent devices. I normally go with my phone, as well as an app on my main PC (at a minimum). This gives redundancy/backup. 


Edited by Dangerzone
  • Like 1
  • Thanks 1

4 minutes ago, Dangerzone said:

I'm assuming you have 2 accounts because one is for a server, and the other is for your actual gaming?

Server is one thing, my case is more special.

Years ago when they were still using code licenses I bought multiple licenses from third parties. That's why. But in order not to buy licenses into wrong accounts, I never save the account info on my computer. Hence, 2FA every time.

  • Like 1

Maybe the fact that when you click on the free trial, the first thing it says is "Download the Google Authenticator App"
 
And thank you so much for the education Dangerzone, gonna try your suggestion with WinAuth
It does? That's ridiculous. Then I can understand people's objections.
Moderators, you should change the wording!

Sent from my MAR-LX1A using Tapatalk

Just FYI - 2FA isn't restricted to one device. I never have my 2FAs on only one device (as I have the same concerns as you - what if my phone is lost or stolen).
Using either the QR code, or the manual code, you can have your 2FA on multiple independent devices. I normally go with my phone, as well as an app on my main PC (at a minimum). This gives redundancy/backup. 
Also, I ALWAYS save my codes to MULTIPLE places like Onedrive where I can access them from anywhere.

Sent from my MAR-LX1A using Tapatalk

  • Like 1

13 minutes ago, Lyrode said:

Server is one thing, my case is more special.

Years ago when they were still using code licenses I bought multiple licenses from third parties. That's why. But in order not to buy licenses into wrong accounts, I never save the account info on my computer. Hence, 2FA every time.

Yeah - that makes it a bit more difficult.

Possible solutions may be:

1) ED allowing the same 2FA to be linked to multiple accounts, or

2) Contact ED Support and see if they will migrate the licenses onto a single account. (Given that this 2FA is a new thing, even if you've tried this in the past and were denied, they may be willing to reconsider this time). 

In either situation, your scenario sounds very unique, so I doubt ED are going to change their options to suit such an unusual scenario. The better bet would be to see what they can do to assist you in getting into a more comfortable setup that's more in line with how the purchases are designed to be.


Edited by Dangerzone
  • Like 2

1 hour ago, Dangerzone said:

Sorry, but that is completely incorrect. It can be used without a smart phone. (See my post above, I've already done it)


I tried ED’s 2FA for a couple of months, I did so by following their setup instructions … which did instruct me to install Google Authenticator on my phone. I wonder how many users know enough about this subject to be aware that there are alternatives. 

 

For work: iMac mid-2010 of 27" - Core i7 870 - 6 GB DDR3 1333 MHz - ATI HD5670 - SSD 256 GB - HDD 2 TB - macOS High Sierra

For Gaming: 34" Monitor - Ryzen 3600X - 32 GB DDR4 2400 - nVidia GTX1070ti - SSD 1.25 TB - HDD 10 TB - Win10 Pro - TM HOTAS Cougar - Oculus Rift CV1

Mobile: iPad Pro 12.9" of 256 GB


1 hour ago, Dangerzone said:

I'm not sure if I'm missing something here, but my understanding of 2FA (in the way that ED is implementing it) is very different to what people are spouting here.

Half this thread seems to be giving misinformation. Here are a few things that are needed to clarify the 2FA authenticator method that ED is using:

1) It does not have to be linked to your mobile phone number, or even your mobile phone. 

2) You are not forced into a particular application, or company. (It's an open algorithm)

3) You don't have to pay for applications in order to use it

4) You can use a free, stand-alone, open source 2FA application on your PC if you want to go that way (see below)

5) You do NOT need an internet connection, or mobile phone network, or anything to use 2FA. The only requirement for this method of 2FA to work is that the device you're running the application on (whether it be phone, PC, or some other device) has an accurate clock. 


In the same way, I don't see how this has anything to do with ED not trusting their customers. It doesn't help them trace anything back to you. It only confirms future logins are from the same person who set up the 2FA option to start with.

It makes the user's account more secure (which maybe in turn, makes things more secure for ED - I have no idea how many hacked accounts they're dealing with, and maybe this is the way to get more people to start using 2FA).

But all the objections I've read here seem to either account to many people having no clue what 2FA is (they're worried about being forced to reveal phone numbers, or use smart phones, or use Google, of which none of this is true), OR I'm missing something big here.


So my question is this - WHY is 2FA a "deal breaker" for so many people? (I'm genuinely wanting to understand). Is it that there is great misunderstanding of the 2FA that ED is using, or otherwise what am I missing?

As for free apps you can use that don't require a phone, try WinAuth https://winauth.github.io/winauth/download.html

Instead of scanning the QR code, just copy and paste the manual code given by ED into the app.

 

Winauth hasn't been updated since 2016?!

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


Wait, what - people are *complaining* about 2FA in 2023? The mind is boggled.

  • Like 3

i7 - 9700K | 32 GB DDR4 3200 | RTX 2080 | VKB Gunfighter Mk II /w MCG Pro | Virpil T-50CM2 Throttle | TrackIR 5 | VKB Mk. IV

 

AJS-37 | A/V-8B | A-10C | F-14A/B | F-16C | F-18C | F-86F | FC3 | JF-17 | Ka-50 | L-39 | Mi-8 | MiG-15bis | MiG-19 | MiG-21bis | M2000-C | P-51D | Spitfire LF Mk. IX | UH-1H


5 minutes ago, Shimmergloom667 said:

Wait, what - people are *complaining* about 2FA in 2023? The mind is boggled.

Quite. The pushback from individuals would tend to suggest that they don't use MFA for anything else either, which is far more worrying than "just" DCS.

  • Like 1

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


Just now, zildac said:

Quite. The pushback from individuals would tend to suggest that they don't use MFA for anything else either, which is far more worrying than "just" DCS.

Absolutely. Well, learning through pain when the first important online account is stolen.

  • Like 2

i7 - 9700K | 32 GB DDR4 3200 | RTX 2080 | VKB Gunfighter Mk II /w MCG Pro | Virpil T-50CM2 Throttle | TrackIR 5 | VKB Mk. IV

 

AJS-37 | A/V-8B | A-10C | F-14A/B | F-16C | F-18C | F-86F | FC3 | JF-17 | Ka-50 | L-39 | Mi-8 | MiG-15bis | MiG-19 | MiG-21bis | M2000-C | P-51D | Spitfire LF Mk. IX | UH-1H


Is it possible to disable 2FA for an ED account (after you had enabled it of course)?

If yes, is it possible to activate it for a free trial and deactivate it afterwards (edit: after the free trial period)?

The least thing I have in mind is to help bad guys to harm ED but maybe this 2FA is not so helpful as one might think.


Edited by Tom Kazansky
  • Like 1

14 minutes ago, Tom Kazansky said:
Is it possible to disable 2FA for an ED account (after you had enabled it of course)?
If yes, is it possible to activate it for a free trial and deactivate it afterwards?
The least thing I have in mind is to help bad guys to harm ED but maybe this 2FA is not so helpful as one might think.

Yes, you can disable it at any time. Not sure if ongoing trials will stop. 🤷🏼‍♂️

Sent from my MAR-LX1A using Tapatalk
 


Edited by MAXsenna

1 hour ago, Shimmergloom667 said:

Wait, what - people are *complaining* about 2FA in 2023? The mind is boggled.

For me at least, the two factors aren't the issue, giving the number of my tracking and surveillance device ( sorry, smartphone ) to Google is.
I wouldn't even own a smartphone at all unless it was virtually impossible to get through modern life without one sometimes.

I already have two factor authentication for some important things, but it doesn't involve a mobile number.

Thinking that Google want your phone number for your own protection boggles my mind. These are people whose AI reads your emails so they can serve you targeted adverts and build a profile of you that they can sell - there's literally no limit to their spying. I heartily dislike them and everything they stand for, so I'll do my best to keep their tentacles out of my private data.
 

  • Like 2

---------------------------------------------------------

PC specs:- Intel 386DX, 2mb memory, onboard graphics, 14" 640x480 monitor

Modules owned:- Bachem Natter, Cessna 150, Project Pluto, Sopwith Snipe


9 minutes ago, Extranajero said:

For me at least, the two factors aren't the issue, giving the number of my tracking and surveillance device ( sorry, smartphone ) to Google is.
I wouldn't even own a smartphone at all unless it was virtually impossible to get through modern life without one sometimes.

I already have two factor authentication for some important things, but it doesn't involve a mobile number.

Thinking that Google want your phone number for your own protection boggles my mind. These are people whose AI reads your emails so they can serve you targeted adverts and build a profile of you that they can sell - there's literally no limit to their spying. I heartily dislike them and everything they stand for, so I'll do my best to keep their tentacles out of my private data.
 

You don't have to give a mobile number or anything to google to use this form of 2FA. You don't have to use the Google Authenticator, don't have to be online, don't have to yield any information.

  • Like 3

i7 - 9700K | 32 GB DDR4 3200 | RTX 2080 | VKB Gunfighter Mk II /w MCG Pro | Virpil T-50CM2 Throttle | TrackIR 5 | VKB Mk. IV

 

AJS-37 | A/V-8B | A-10C | F-14A/B | F-16C | F-18C | F-86F | FC3 | JF-17 | Ka-50 | L-39 | Mi-8 | MiG-15bis | MiG-19 | MiG-21bis | M2000-C | P-51D | Spitfire LF Mk. IX | UH-1H


19 minutes ago, Shimmergloom667 said:

You don't have to give a mobile number or anything to google to use this form of 2FA. You don't have to use the Google Authenticator, don't have to be online, don't have to yield any information.

I have to download Google Authenticator, because that's the method that ED have chosen to use

---------------------------------------------------------

PC specs:- Intel 386DX, 2mb memory, onboard graphics, 14" 640x480 monitor

Modules owned:- Bachem Natter, Cessna 150, Project Pluto, Sopwith Snipe


9 minutes ago, Extranajero said:

I have to download Google Authenticator, because that's the method that ED have chosen to use

No, you don't. They have just worded it very badly so users get confused. Have been using 2FA with ED for years and I have never downloaded the Google Authenticator.

@Dangerzone explains it very thoroughly above.

 


Edited by MAXsenna
  • Like 1

5 minutes ago, MAXsenna said:

No, you don't. They have just worded it very badly so users get confused. Have been using 2FA with ED for years and I have never downloaded the Google Authenticator.

 

ED wording something badly ? I don't find that very hard to believe 😄 😄 😄
If the cockpits of ED modules featured a shovel then I know that to bind the control I have to look for " use earth inverting implement " in the assignments 😄
Thank you

  • Like 2

---------------------------------------------------------

PC specs:- Intel 386DX, 2mb memory, onboard graphics, 14" 640x480 monitor

Modules owned:- Bachem Natter, Cessna 150, Project Pluto, Sopwith Snipe


3 hours ago, zildac said:

Winauth hasn't been updated since 2016?!

I’m not sure of your point? 2FA is set. There’s no need to update it. The algorithm is the algorithm. I can use a 20 year old calculator app and get the same answer as a modern app. 

Winauth was mentioned simply because it’s proven and for the KISS mentality and it’s open source too.

But if you’d prefer something else, go for it. The beauty with this kind of 2FA is that it’s effectively public domain and there’s tons of options. If you don’t like any of the many other apps, you could go as far as applying the algorithm and write your own app.

3 hours ago, Rudel_chw said:


I tried ED’s 2FA for a couple of months, I did so by following their setup instructions … which did instruct me to install Google Authenticator on my phone. I wonder how many users know enough about this subject to be aware that there are alternatives. 

I’m not sure. I agree that the web page could be more informative. I understand the hesitation to use Google anything. One of the reasons I use Winauth. 😉

  • Like 1

16 minutes ago, Dangerzone said:

I’m not sure of your point? 2FA is set. There’s no need to update it. The algorithm is the algorithm. I can use a 20 year old calculator app and get the same answer as a modern app. 

Winauth was mentioned simply because it’s proven and for the KISS mentality and it’s open source too.

But if you’d prefer something else, go for it. The beauty with this kind of 2FA is that it’s effectively public domain and there’s tons of options. If you don’t like any of the many other apps, you could go as far as applying the algorithm and write your own app.

I’m not sure. I agree that the web page could be more informative. I understand the hesitation to use Google anything. One of the reasons I use Winauth. 😉

Hmm, the calculator analogy is not really the same though, is it? Whilst the TOTP algo hasn't changed, that's not the attack surface here, it is the app "around" it that is essentially abandonware and would/could likely contain security vulns. Perhaps vulns that allow someone to grab your seed value, for example. Either way, I’m not bothered, I use a smartphone. But my point was, trusting your security to an app that hasn't been maintained or likely security reviewed in 7 years isn't really a good option in comparison to just using a supported smartphone app.


Edited by zildac

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


8 minutes ago, zildac said:

Hmm, the calculator analogy is not really the same though, is it? Whilst the TOTP algo hasn't changed, that's not the attack surface here, it is the app "around" it that is essentially abandonware and would/could likely contain security vulns. Perhaps vulns that allow someone to grab your seed value, for example. Either way, I’m not bothered, I use a smartphone. But my point was, trusting your security to an app that hasn't been maintained or likely security reviewed in 7 years isn't really a good option in comparison to just using a supported smartphone app.

 

I think the calculator analogy is almost spot on.

Think of it this way: I say to you, you’re going to have a unique code. Let’s say it’s 123456. From that unique code, I need you to add the year, the month, the day, the hour, and the minute. You will always have a different number to everybody else, because of the unique code you started with, and someone having a different one. Every minute you will get another unique code.

That’s all this 2FA app is doing. The summing is a little bit different but at its foundation it is only a calculator with a clock. It doesn’t use internet communications. It doesn’t use mobile network. It doesn’t communicate with a server. There’s nothing for someone to intercept and hack.

So what security vulnerabilities are left that could be that you consider risky? This isn’t a web service app. It’s a local PC app.

Respectfully, in this instance I don’t think your point comes from a true understanding of the security side. I would suggest trusting (or not) PC apps based on compile date is a very poor way to base security. One needs to know what the app is doing for potential vulnerabilities.

I’ll try to elaborate to make it clear as I would consider apps like lastpass or Google authenticator more risk because they are web service in that they tend to store your key in their database (and we’ve seen how cloud databases can get hacked in the past).

But that’s just me. I acknowledge even that’s so unlikely it’s not a real factor. But even so, this app has none of that, so it could be argued that even with its age it’s more secure than modern “phone home” apps.

This app only stores data locally only on your own PC. How secure it is is up to how well you maintain your own PC's security. If you're worried about someone hacking the app, you’ve got bigger issues to worry about as they’re in your PC. 😉

In the end I don’t care what people use, I’m just trying to clarify some misinformation and unrealistic concerns here by giving people better information to make their own informed choices based on a better understanding of what all this is. 👍

  • Like 3

7 hours ago, VF19_Congo said:

This sucks, I was just about to trial the Mi-8 before purchasing.

No trial, no purchase..... goodbye Mi-8.

There is no way I'm putting an app on my phone for this.

 

You can't be too harsh. The free trials are/were really great and, I think, very generous. I've enjoyed it a great deal. But I probably won't continue as it requires my phone to be involved.

 

For what it's worth, the Mi-8 is really nice. The cockpit has dated graphics, but the flight model is great! It's a lot of fun.

  • Like 1

Some of the planes, but all of the maps!


24 minutes ago, Dangerzone said:

I think the calculator analogy is almost spot on.

Think of it this way: I say to you, you’re going to have a unique code. Let’s say it’s 123456. From that unique code, I need you to add the year, the month, the day, the hour, and the minute. You will always have a different number to everybody else, because of the unique code you started with, and someone having a different one. Every minute you will get another unique code.

That’s all this 2FA app is doing. The summing is a little bit different but at its foundation it is only a calculator with a clock. It doesn’t use internet communications. It doesn’t use mobile network. It doesn’t communicate with a server. There’s nothing for someone to intercept and hack.

So what security vulnerabilities are left that could be that you consider risky? This isn’t a web service app. It’s a local PC app.

Respectfully, in this instance I don’t think your point comes from a true understanding of the security side. I would suggest trusting (or not) PC apps based on compile date is a very poor way to base security. One needs to know what the app is doing for potential vulnerabilities.

I’ll try to elaborate to make it clear as I would consider apps like lastpass or Google authenticator more risk because they are web service in that they tend to store your key in their database (and we’ve seen how cloud databases can get hacked in the past).

But that’s just me. I acknowledge even that’s so unlikely it’s not a real factor. But even so, this app has none of that, so it could be argued that even with its age it’s more secure than modern “phone home” apps.

This app only stores data locally only on your own PC. How secure it is is up to how well you maintain your own PC's security. If you're worried about someone hacking the app, you’ve got bigger issues to worry about as they’re in your PC. 😉

In the end I don’t care what people use, I’m just trying to clarify some misinformation and unrealistic concerns here by giving people better information to make their own informed choices based on a better understanding of what all this is. 👍

We'll agree to differ, and I get your points. But my "security understanding" is very much "true" 😉

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


 
You can't be too harsh. The free trials are/were really great and, I think, very generous. I've enjoyed it a great deal. But I probably won't continue as it requires my phone to be involved.
 
For what it's worth, the Mi-8 is really nice. The cockpit has dated graphics, but the flight model is great! It's a lot of fun.
You're in luck. @Dangerzone has explained how to cope without a phone.

Sent from my MAR-LX1A using Tapatalk

  • Like 2

Just an idea. Could you maybe take an approach similar to Steam's limited accounts?

 

Let's say if your account has more than 30 dollars worth of purchases (aka you own a single full-fidelity plane or a single paid map), it will become verified and you will be able to start trials without needing extra authentication. The two-factor requirement would therefore only be used if the account is absolutely fresh.

 

That would make having multiple accounts to run infinite trials (which I assume is what the restriction is about), pretty costly while having minimal impact on regular customers or even relatively new people.


Edited by Tomas9970
  • Like 3
