0

A friend of mine plays RuneScape, and mentioned to me that her account was recently compromised. She told me she has two step authentication on her RuneScape account, and on the email address associated with the account.

When she signs into the game client on her computer, she tells me she is asked to provide a code from her authentication app on her phone. However, she has never been asked for a 6 digit code when she signs into the RuneScape website itself.

This struck me as odd, so I created an account to test this, and sure enough, was only asked for an authentication code on the downloadable game client.

Does this count as true two-factor authentication? Are there any standards/guidelines that we can show the game's developers in the hopes of getting them to implement authentication on their website as well as their client?

TheJulyPlot
  • 7,669
  • 6
  • 30
  • 44
Matthew Denaburg
  • 1
  • yes, it is 'true' 2FA on the game client - no there are no standards for game sites – schroeder Jun 19 '17 at 16:26
  • 1
    I would personally say that its a bad design. If the attacker can avoid multi factor then they will take the easiest route in. Sounds like this application has been developed with security as an after thought. Good luck with getting them to change it for you! – ISMSDEV Jun 19 '17 at 16:28
  • @schroeder OK, thanks. I wasn't sure if there were any guidelines that say "if you implement 2fa, it needs to be everywhere" kind of thing. – Matthew Denaburg Jun 19 '17 at 16:32
  • my bank doesn't make me use my phone when i walk in to cash a check... – dandavis Jun 19 '17 at 19:42

1 Answers1

1

Authentication isn't an either/or sort of thing. An application can have various "levels" of authentication, where higher levels unlock more functionality. For example, you can shop for items on Amazon using just a persistent cookie that tells Amazon who you are-- no password required. But if you wish to perform a purchase or edit your credit card information, a password is required.

Games can be similar. You don't need your second factor to post messages on the game's web forum, but maybe you need that second factor to enter the game (e.g. if entering the game allows you to do more, such as give away all of your in-game currency and/or equipment).

While certain web access seems less secure without that second factor, I'll bet you cannot access your recurring payment information on the web without entering the 2FA info. This allows the user to do low-security tasks without bothering with the token but offers the necessary protections against high-security tasks.

John Wu
  • 9,101
  • 1
  • 28
  • 39
  • No, I'm not prompted to enter a second factor to update payment info, nor does it appear to be required to disable the 2FA - clicking the Disable link in account settings simply sends me an email with a link that immediately disables the 2FA. – Matthew Denaburg Jun 20 '17 at 12:25
  • Try it with an incognito window. You probably have a persistent cookie. – John Wu Jun 20 '17 at 14:58
  • Sorry for the delayed response... I just tried that now, but it doesn't make a difference. I'll probably post something on their forums, their reddit page, etc. – Matthew Denaburg Jun 21 '17 at 19:58
  • So you can disable the 2FA without authenticating via 2FA, and without some other kind of additional credential needed? Yeah, that would be an obvious security hole, due to the end run a hacker could easily do. – John Wu Jun 21 '17 at 20:14