It has been the era of online identity theft and account compromise for over a decade now and few users know this as well as gamers and game companies. To help combat this scourge of account hijacking, Authy, a subsidiary of Twilio Inc., produces a two-factor authentication service for consumers and developers that the company hopes will level the security playing field.
Gamers in particular are highly susceptible to account hijacks, especially those who play multiplayer games with valuable in-game items.
“Identity theft and account takeovers result in the theft of activation codes,” says Marc Boroditsky, President & COO at Authy. In the case of online multiplayer games, this can also lead to impersonation and often the theft and sale of valuable accumulated virtual items.
The usual process for two-factor authentication works thus: a player logs into a game, enters a username and password, and is then prompted for the security number displayed by the two-factor authenticator. Since that number is produced only by the authentication software (and only on the user’s phone), an attacker needs both the username and password pair and access to the authenticator to hijack the account from the user.
Authy allows consumers to use their smartphones (Android, iOS and BlackBerry) to produce two-factor authentication tokens for this process. Developers can enable it in their online applications, often with only a few hours of effort, and consumers can link in as easily as launching the Authy app and scanning a QR code to synchronize.
The plight of passwords: The users’ perspective
By now, most gamers—especially PC gamers—have gotten used to needing to sign up for a multitude of multiplayer games and Internet services. Security experts also urge users never to reuse the same passwords across sites—a simple tactic designed to reduce how many accounts can be compromised at once.
Of course, most users don’t do this, because it’s a massive hassle.
This has become so common that tools such as KeePass and the cloud-based LastPass have become popular, and browsers such as Google Chrome, Mozilla Firefox, and Microsoft Internet Explorer now embed password storage services themselves. These solutions are useful, but considering that even the LastPass service recently had stored user passwords compromised, nothing is entirely secure.
The players of massively multiplayer online (MMO) games are particular targets of account hijacking because many popular game franchises have playerbases that find items valuable enough to pay for with cash. Almost every year articles appear in gaming media about player account compromises, for example Diablo 3 accounts in 2012 and over $10,800 in gold and gear stolen from World of Warcraft accounts in 2013.
“The world has been accustomed to user/pass authentication for decades,” says security industry insider and SiliconANGLE contributor John Casaretto. “The problem with that is if someone gets the password, they get the account. Passwords are not dead, but they are not enough.”
To stop this, Activision Blizzard, Inc. provided its own two-factor authentication mechanism called the Battle.net Authenticator, for which users can choose between a keyfob authenticator and a smartphone app. It’s not mandatory, but the authenticator helps.
However, Authy’s Boroditsky adds that he sees Blizzard’s authenticator having many problems (such as locking users out of their accounts). The Battle.net Authenticator also only works with Blizzard games and services, whereas Authy hopes to reach many more developers (and has quite a stable already).
The scourge of account hijacks: The developers’ perspective
On the developer side, Boroditsky says that getting going with Authy is easy for most game developers.
“Implementing Authy only requires a few hours of effort which includes adding a place on a setting page or a flow to enroll users and adding to their login flow calls to our API,” he told SiliconANGLE about the process. “And if they use all but OneTouch adding a form field for the user to enter a one time code. With [Authy’s] OneTouch there’s no code entry, just an approval on their phone.”
Having a two-factor authentication offering also improves trust, says Boroditsky, referring to the relationship between game developers and gamers.
Each of the examples above of account hijacks and breaches led to a great deal of stress for customers of Blizzard, and this story plays itself out almost daily on MMO gaming forums. Every time this happens, the developer must go into action, reactivate locked accounts, restore lost items, and smooth ruffled feathers.
In all, Boroditsky says that having such a solution available can ease the number of customer service implications that arise from having customers’ accounts hijacked. And, as many MMO games have in-game economies (and often entire departments dedicated to keeping those on track), it lessens the burden of hunting down the illicit gold or goods that enter those markets.
Two-factor authentication for that extra layer of protection
Casaretto sees the addition of two-factor authentication to any service as a must-have, be it Authy or some other service.
“The trifecta for human authentication is something you know (password), something you have (token/smartcard), and something you are (biometrics),” Casaretto says. “Authy is at that token level and by introducing these identifying tokens into the authentication process, the level of security is made better for a whole lot of sites and services that goes way beyond passwords.”
And Boroditsky believes there is a strong audience for two-factor authentication.
He says, “2FA is regularly brought up by users of major gaming apps and sites. Also, gamers, multi-user online games, are very tech savvy and probably use 2FA other places and wonder why it’s not implemented on all their online games.”
According to SuperData’s 2015 MMO market report, the industry will surpass $11 billion this year and is projected to exceed $13 billion in 2017. Much of that money flowing through the industry comes from free-to-play games, which rely heavily on in-game virtual items and cash shops to fuel their revenue—this means even more players will have more precious virtual items that can be pilfered.
To the everyday player and the free-to-play MMO developer this can only mean a need for increased security.
On that note, Casaretto leaves us with a suggestion on two-factor authentication: “If you have the option, you should activate it.”