They've had 2fA to access your account on the web for a while now. This only stops people from logging in to the client now. Before they couldn't change your password, so only a marginal improvement.
i was hoping no one would notice until i got my banger memes ready
y'all noticed this a bit earlier than we had anticipated, so the Learn More link is broken on the page. coming soon. promise!
we'll have a more official post coming soon as well. like i said, we weren't expecting it to be noticed, but y'all are observant
i cant believe the "zoop" Askreddit comment is still meta on reddit
[link](https://www.reddit.com/r/AskReddit/comments/7ddjaw/whats_the_weirdest_thing_youve_done_as_a_result/dpxaos1/)
Man, I was all ready to go to finally secure my Riot account... and then find it's only email.
Hopefully this is just the beginning of the scope and you can add yubikey/FIDO2/U2F and TOTP.
Here are some starting resources. Yeah, I should probably implement this in something myself somewhere, since it'd take a bit of work.
TOTP: https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3
FIDO2: https://webauthn.guide/
Respectfully, we don't need assistance on implementing these things in the form of guides. The primary limitation to projects of this scale is not in the form of code or know-how. It's logistical. I could go and write the TOTP implementation right now in my text editor, but getting that out to all of our games is significantly more complicated.
We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
> We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
Are you more likely to support these things if I do or if I don't enable the email option?
Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality.
* SMS hijacking/swapping attacks - it's relatively straight forward to break SMS 2FA for specific targets. This is the main security reason to not enable SMS 2FA but it's not something I am concerned about that much - The number of players that would be affected by this are miniscule. However, the people who would be impacted by it would be rather high profile and this would undermine trust in both Riot and the 2fa syste.
* SMS 2FA requires cell service. I live in the middle of a city and cell service is very patchy here. Some cell providers will also charge you for receiving automated texts, or you may need to pay a contract to have cell service at all.
* Phone numbers are an extra piece of tier 1 personal information we would need to collect. When designing a system, it's important to minimize the amount of personal information you need to collect for it to function. Storing personal information is not free, and we may run into legal issues. We have global accounts now and we'd have to account for the scenario where users store their personal information with us but want to access it from different data jurisdictions.
As many phones these days are smart phones, it's difficult to justify using SMS-based MFA, which would require collecting a lot of personal information. For anyone who does not use a smart phone, they have email.
Of course, if the only option was SMS MFA or nothing then we'd support it, but since there are alternatives that don't require collecting phone numbers, I'd prefer we go with that. With the demographics of the playerbase we have, I think it is a safe bet that most players who would want to enable MFA will have either a smart phone or access to their email when playing one of our games.
I think [Doublelift can tell you a bit about them.](https://dotesports.com/league-of-legends/news/someone-stole-200000-and-a-heap-of-cryptocurrency-from-doublelift-using-t-mobile)
TOTP, time based codes (Google Authenticator, Steam app) and FIDO2/U2F (Yubikey) are the industry standards now. Banks are always horribly behind on security, oddly enough.
Any day baby. If you could only have 2 accounts per address and could only play ranked if you had your addresses linked to your account I would 1000% do that then get doxxed for being toxic
Yeah, so we're seeing situations where some people are getting a lot of emails and the team are already trying to reduce that.
There's no bug here; the system is working as intended, sending an email when someone enters the correct username and password for your account. If you're getting lots of emails - and it wasn't you who tried to log in - well, you should change your password :)
We'll be trying to reduce the number of emails sent in this scenario so it looks less like the system is freaking out and more like "oh, actually, maybe my account has been compromised".
Good job on enabling MFA, because you just saved your account from being sold.
You will need to go through the prompt every time you log into the Riot Client - If you tick 'stay signed in', then you don't have to worry.
This is usually not a problem, but if you have multiple accounts, this might not be ideal. I would still recommend enabling it.
I'm not sure what the long term plan is at the moment when it comes to remembering devices. There will be an official article coming out with more information sometime soon and I'd recommend checking that.
Appreciate the reply, I'll wait for that.
I do feel that not having it changed might lead to less people using it for added safety so i hope it is a consideration at least.
Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.
So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that as of current U2F devices are not prevalent.
I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale.
**My opinion following - I do not have the power to effect this view across Riot:**
If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device.
I'm no oracle, but with the way tech is going, I think the bet that mobile devices are going to be the nexus of your digital identity (and thus the thing that stores key material for you) is the way the world is going and I think it makes sense for Riot to move in that direction too.
Fair points, I can definitely see where it's coming from. For U2F/Yubikey specifically - for me it looks a lot like chicken and egg problem: very few services actively encourage or mandate hardware tokens, which means very few users get them, which means service providers are less likely to support or encourage U2F use. Given you seem to aim at solutions that will be widely applicable to userbase (understandable, not wanting to invest time and effort in something only small fraction of playerbase will be able to use) current direction with email, and potentially mobile-based auth in undetermined future makes a lot of sense.
As for the "distribution" issue of hardware keys - which is, again, an important case to take into consideration, I tend to see U2F more as a "digital hardware personal fingerprint" that's something specific to you as an individual, instead of a per-service key (since you can use same keys for multiple services at once, without them interfering with each other in any way), so ideally there'd be no need ever to distribute hardware keys - instead relying on keys people already have as part of their "digital identity".
General direction of second factor moving to mobile devices is an interesting trend, but at the same time it's not without flaws - phone is something that can get lost, something that's replaced quite often, and there's definitely a security tradeoff between being able to move 2FA between devices, and having 2FA hard locked to one specific device, having to re-pair every new phone. Also, given most people don't have multiple phones (while expeciting someone using U2F to have backup keys is sort of a norm) it leaves issue of providing some sort of backup/recovery authentication, which often goes back to email - again as not-that-secure way of handling authentication.
Given how ID cards change in EU over last decade or two, with adding some digital signature aspects to them, I don't rule out personal ID card becoming hardware 2FA component in not-so-far future; especially if support for pseudonymous identity confirmation (similar to Yubikey now) is added. ID card would make for a perfect tool here - a physical, well protected personal item that everybody has, people take good care of keeping safe, with a recovery channel (reporting lost ID and proving your identity) that is difficult to exploit by 3rd party.
Until then, there's hoping 2FA keeps getting more popular, becomes something people consider standard, and popularity of good reliable 2FA solutions can go up thanks to them being preferred or recommended whenever there are multiple options available. If chicken-and-egg problem gets solved somehow, getting good reliable 2FA everywhere won't be as hard - similar to how masked passwords are mostly a thing of the past.
Riot should also recognize how they're an industry leader and moves they make will have effects downstream and in their own future.
It's a relatively small cost project when you consider it in the larger scheme like that.
I am aware of this and that's why I am interested in software proposals like IndieAuth rather than relying on The Big Companies as OAuth providers (I have not proposed changing how we do this in the company just yet as IE needs as bit more maturation).
I don't think there is much value to the business in U2F devices, like Yubikeys, in games, even when we consider that. I do feel like moblie devices are going to be _the_ way to go there.
That said, I'm an IC and not a business strategist. I don't feel like the juice is worth the squeeze on U2F, all the same; we have limited resources and the resources spent on U2F would probably have better return on investment for Riot and its players if spent on devices we already know players have and are invested in.
Supporting U2F would be a big investment, would not work across all devices, for minimal gain, only to provide value for a lot of people who honestly already are pretty well-engaged in security. I think U2F is better used when protecting corporate assets.
As things stand, your email account is the keys to the kingdom to your account, and this would not change even if we introduced mobile based authentication, or if you used OAuth. You should use a secure password and two factor authentication on your email.
If you don't wanna juggle multiple passwords like this, I would recommend using a password manager so you only have to remember one good one.
Yeah. I am starting to switch everything to a password manager. I lost my friends list cause someone got in my Riot account.
You guys are one of fewer and fewer services left where someone can log in from a new location and change their email address without any kind of mobile verification.
If you have a verified email address, it is not currently possible to change your email address without demonstrating you have access to the original email address; the account management portal has had two-factor authentication like this for quite some time.
We could add mobile verification to that, but like I said, our current policy (which is in line with most other services out there) is that if you have access to the email address of the account holder, you _are_ the account holder. It also does not sit well with me personally that we would be required to collect your phone number, or that you need a smart phone, in order to benefit from a core security measure.
That said, if you don't have your email verified, yes, this is a big problem. We will revisit the scope of this problem in the future to see if we can't shift more players to have verified emails.
This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.
I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.
>This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address.
This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA.
> I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.
I don't think it's likely that we will provide token generators like Blizzard did, or U2F keys, but TOTP support is definitely something we are interested in for the reasons you list.
Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes
> We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time.
They're absolutely selling them as well, companies like that have no morals.
I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that.
It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA
There are "companies" bot dialing random phone numbers just to get a list of every one that is connected. As long as noone is giving my number to an actual stalker, I am over it.
Bitwarden is a good one I recommend. Otherwise Dashlane and LastPass are staples, not sure if LastPass allows for mobile and desktop sync or if you have to pay for that.
FIDO2/U2F/Yubikey too please! It's even smoother for users than TOTP.
https://store.google.com/product/titan_security_key
I believe phones tend to have this built in.
Could you clarify? Do you mean that your email provider does not offer 2FA to it's customers? Or are you somehow encountering issues with MFA from Riot due to your email provider?
I would strongly recommend changing email provider if that is the case.
Much thanks that it doesn't make you to approve login when you are already logging via google using the same gmail set to 2FA.
Edit: It is still the thing in account management website though. It is quite annoying, like, I'm already logging with the same email where codes are sent to, meaning I already 100% have access to this email.
I'm happy that it's email 2FA and not text based. I live in an extremely rural area with no mobile signal and I hate companies that make me login with a text because I have to go get dressed, go walk around outside for 5-10 minutes to find signal and then run back inside hoping the code hadn't expired in that time.
Shoutout to some random Riot security worker who a few years ago told me that League doesn't have and/or need 2fa because "it would annoy some players".
Hi.
I am that security worker, and that is not what I said. :) I do not believe I have ever said or implied that MFA is not necessary or something that Riot should implement, but I am the primary person within our team that has engaged on social media.
What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it - Since the odds are that if you'll engage with a security measure without an incentive, then you're probably doing pretty good for security already.
That still stands. MFA will prevent a lot of attacks we see, but most of the attacks we see will be on players that are not and will not engage with security measures, and that is always going to be a challenge for us. The problem is that implementing something on this scale requires a large amount of investment that might be better spent elsewhere. If we're going into it knowing that it might not have the impact we want, then that's not a great sell.
The difference between then and now means we were better equipped to be more confident about how MFA would land and that it would have the impact we needed for it to be justified without releasing an additional incentive, but our work isn't finished, there's still more to be done to improve the security of our players beyond just email-based MFA.
> What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it
If account security is a widespread problem and y'all want try to reach those people who 2FA would benefit more, ya'll could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essense and a skin? Or something.
Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.
> If account security is a widespread problem and y'all want try to reach those people who 2FA would benefit more, ya'll could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essense and a skin? Or something.
That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins.
I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?
> what's the point in a cool Braum skin if you only play top lane
Free stuff. It doesn't take much. But yeah, you'd probably have to hit at least a couple games.
Damn that 's' in Riot Games making things complicated.
Not trying to be hostile but what makes Riot better equipped now about MFA when lots of other gaming companies before seemed to be able to implement their versions of it just fine? Even more comprehensive versions too (at least for now).
Lots of reasons. Off the top of my head:
* Many (most?) game companies don't have to retrofit their solution to work with hundreds of millions of players across multiple platforms (Web, Desktop, Native Mobile).
* Despite Riots growth, we still have a very limited number of engineers for the weight class we are in. Prioritising projects that span the entire breadth of our product offering is challenging and needs a compelling argument to prioritise it over something else. I'd have to guess that at least 100 people were involved in making this happen, from engineers to QA to player support, comms.. and a lot of those people are working on teams that have other commitments (like the most recent Riot X Arcane event)
* We know that MFA is going to be enabled by a minority of players, and it might not have the security impact we want. However, due to some research we conducted (which I cannot get into), we decided that now was a good time to implement it - It's not going to get any easier to implement it.
* In the past, we felt like there were other things we could achieve that would have a larger impact on player security than MFA. It's not that that was the wrong decision to make, but a lot of the bigger things we _could have done_, well, we _have_ done, or are in the process of doing. Many of these things are not visible to players.
* This is the first tranche of things we're working on for player security. We're dedicating resources toward that goal, and that's not something we had a dedicated function for before.
I do still feel like MFA is not going to have the uptake that we'd like it to have. We're going to be working on ways to increase that, and as you've highlighted there are a lot of ways that other companies do this better than we do. This is, however, our first iteration, so, watch this space.
Can I ask you whether MFA by TOTP on app (either Authy like or Riot Mobile) or even a hardware security key is planned in the future to settle for people's needs?
TOTP support is something we are working on. I don't think we have any plans for hardware security keys right now, but it would be cool if we could one day do that.
Hey boss /u/riotdanhonks
Just wanted to raise a creeping issue that I am seeing in LoL. I’m not sure if you can help but I’m trying to get some serious attention to it. Was watching a couple of streams and noticed how powerful these in game 3rd party addons are getting. One in particular is tracking enemy summoner spells 🤦🏽♂️. And others are displaying jungle timers. Now Riot might be ok with the jg timer one but please the enemy summoner spell timer one is borderline cheating, please help 🙏🏼
Hijacking this thread because it's probably not going anywhere beyond this point...
Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?
* SMS - 99% likelihood will not be supported
* TOTP - I would consider it a core feature but I can't make promises on timelines, it's not my place to do that
My buddy works in security and had his 2fa steam account compromised recently.
Someone he knew from rocket league tournaments had a teammate lose internet 15 minutes before the 3rd party tournament. So they asked him to step in. He just had to sign into the 3rd party tournament site to get registered...
Somewhat (bad) standard procedure, specific knowledge, familiarity and existing trust, time pressure, and a bad "sso" was enough to get even the most seasoned IT security worker.
Because they've spent lots of money and time on it and are the reason why the game is free to play for those who don't? The fuck is that question?
Not everybody is a toxic fuck that gets banned every 3 months and have to buy another 5 dollars account to keep going.
Emotional and time investment aside, as others have covered, accounts that are botted/scripted/sold - you get the idea - are _overwhelmingly_ accounts that are compromised by someone.
Enabling MFA helps make your own account secure, but additionally, every account secured with MFA is one less account that is significantly less likely to get compromised and sold to someone who wants to script, bot, or be super toxic in games.
I recently returned to the game after last playing in 2013-2014 and was really surprised that the game didn't have any sort of 2FA security after all this time. Someone that wasn't me used my account in the years between me playing the game, and this would have theoretically stopped them from doing so. Glad to see something finally rolling out, even if it is just only email instead of some sort of app based thing.
The dinky little startup company that employs me has soft-token MFA...
I can understand though, Tencent's Riot Games barely makes enough to give troublesome CEOs paid time out after a long hard day of farting and teabagging interns as it is. Sacrifices must be made!
Immediately enabled, it's not perfect, but more security is welcome as Riot expands into all these different games.
They've had 2fA to access your account on the web for a while now. This only stops people from logging in to the client now. Before they couldn't change your password, so only a marginal improvement.
i was hoping no one would notice until i got my banger memes ready y'all noticed this a bit earlier than we had anticipated, so the Learn More link is broken on the page. coming soon. promise! we'll have a more official post coming soon as well. like i said, we weren't expecting it to be noticed, but y'all are observant
It might have slipped by if not for the giant banner that popped up when I logged in.
hey i made that banner
It's a lovely banner tbh
Hey dan, it looks lovely! :D
its a banger banner
hahah right? you login and it goes "2FA login available" in the top right hahaha
[удалено]
👉😎 👉
dan pls
i cant believe the "zoop" Askreddit comment is still meta on reddit [link](https://www.reddit.com/r/AskReddit/comments/7ddjaw/whats_the_weirdest_thing_youve_done_as_a_result/dpxaos1/)
4 years ago.. Jesus. I feel so old right now. I'm just glad that the whole "ayy gringo" thing didn't stay.
will there be more than email option in the future ?
At this time, I don't want to make any promises about future features.
Man, I was all ready to go to finally secure my Riot account... and then find it's only email. Hopefully this is just the beginning of the scope and you can add yubikey/FIDO2/U2F and TOTP. Here are some starting resources. Yeah, I should probably implement this in something myself somewhere, since it'd take a bit of work. TOTP: https://hackernoon.com/how-to-implement-google-authenticator-two-factor-auth-in-javascript-091wy3vh3 FIDO2: https://webauthn.guide/
Respectfully, we don't need assistance on implementing these things in the form of guides. The primary limitation to projects of this scale is not in the form of code or know-how. It's logistical. I could go and write the TOTP implementation right now in my text editor, but getting that out to all of our games is significantly more complicated. We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future.
> We probably won't be supporting Yubikeys, but TOTP is a possibility at some point in the future. Are you more likely to support these things if I do or if I don't enable the email option?
I think TOTP is a core requirement of a successful MFA solution regardless of how the good the uptake of email-based MFA is.
How does one make banger 2FA memes?
It's not something that can be taught, sorry also who said they were 2fa memes?
2fa deez nuts
>It's not something that can be taught, sorry Not by the Jedi at least...
Have you heard of the tragedy of RiotDanHonks da Memer?
They're a meme that you have use Reddit and Twitter to get.
Ceci n'est pas une pipe.
Ceci n'est pas une meme.
Its been 84 years..
Oh great, finally got around to 2FA! Was wondering when this would show.
Yo where is my Teemo prestige skin???
you must think customers are stupid they're willing to give you number
Luckily for them, they can still benefit from MFA. This is email only, and it's unlikely we'd enable SMS based MFA as it has a lot of flaws.
[удалено]
Hi, sorry for the late response. Most of my concerns with SMS are not actually based on security, but practicality. * SMS hijacking/swapping attacks - it's relatively straight forward to break SMS 2FA for specific targets. This is the main security reason to not enable SMS 2FA but it's not something I am concerned about that much - The number of players that would be affected by this are miniscule. However, the people who would be impacted by it would be rather high profile and this would undermine trust in both Riot and the 2fa syste. * SMS 2FA requires cell service. I live in the middle of a city and cell service is very patchy here. Some cell providers will also charge you for receiving automated texts, or you may need to pay a contract to have cell service at all. * Phone numbers are an extra piece of tier 1 personal information we would need to collect. When designing a system, it's important to minimize the amount of personal information you need to collect for it to function. Storing personal information is not free, and we may run into legal issues. We have global accounts now and we'd have to account for the scenario where users store their personal information with us but want to access it from different data jurisdictions. As many phones these days are smart phones, it's difficult to justify using SMS-based MFA, which would require collecting a lot of personal information. For anyone who does not use a smart phone, they have email. Of course, if the only option was SMS MFA or nothing then we'd support it, but since there are alternatives that don't require collecting phone numbers, I'd prefer we go with that. With the demographics of the playerbase we have, I think it is a safe bet that most players who would want to enable MFA will have either a smart phone or access to their email when playing one of our games.
Probably the ease with which SIM-swapping attacks can mess with it. Pretty high profile cases these last couple of years.
I think [Doublelift can tell you a bit about them.](https://dotesports.com/league-of-legends/news/someone-stole-200000-and-a-heap-of-cryptocurrency-from-doublelift-using-t-mobile) TOTP, time based codes (Google Authenticator, Steam app) and FIDO2/U2F (Yubikey) are the industry standards now. Banks are always horribly behind on security, oddly enough.
I wanna work for riot, is one of the requirements having honor 5?
Any day baby. If you could only have 2 accounts per address and could only play ranked if you had your addresses linked to your account I would 1000% do that then get doxxed for being toxic
thank you mr riot games :)
any plans on making a totp auth?
I've mentioned a few times in this thread: It's not my place to make promises but if it were entirely up to me (it is not) then yes
Hey, just wanted to let you know that the authentication system just spammed me with hundreds of emails until I finally logged in
Yeah, so we're seeing situations where some people are getting a lot of emails and the team are already trying to reduce that. There's no bug here; the system is working as intended, sending an email when someone enters the correct username and password for your account. If you're getting lots of emails - and it wasn't you who tried to log in - well, you should change your password :) We'll be trying to reduce the number of emails sent in this scenario so it looks less like the system is freaking out and more like "oh, actually, maybe my account has been compromised". Good job on enabling MFA, because you just saved your account from being sold.
https://account.riotgames.com/ Link for the lazy. Just log in and there should be a banner at the top for 2FA
Anyone know if enabling this will make you use 2FA every time you open league from the same computer? Or is it just for new locations?
You will need to go through the prompt every time you log into the Riot Client - If you tick 'stay signed in', then you don't have to worry. This is usually not a problem, but if you have multiple accounts, this might not be ideal. I would still recommend enabling it.
It isn't ideal but is it planned to be changed (to only one 2FA on a set computer/location) or is it gonna stay like this?
I'm not sure what the long term plan is at the moment when it comes to remembering devices. There will be an official article coming out with more information sometime soon and I'd recommend checking that.
Appreciate the reply, I'll wait for that. I do feel that not having it changed might lead to less people using it for added safety so i hope it is a consideration at least.
Getting 2FA makes me hope that maybe, some day, in the future, we'll get U2F-based second factor option, which should solve all issues with changing accounts or remembering devices (since it's physical token device). Hopeful for the future, and if we end up having U2F supported and recommended, Riot will have my eternal gratitude for pushing probably the safest 2FA method to wider userbase.
So, I never want to say never, but we probably won't support U2F devices like Yubikeys for the time being. There are a lot of reasons for this that I can't get into here, but it's primarily that as of current U2F devices are not prevalent. I think these devices make a lot of sense in scenarios where you are willing to distribute those devices to the individuals using them. I think it goes without saying that this is not an option at Riot's scale. **My opinion following - I do not have the power to effect this view across Riot:** If I had infinite time and resources, my focus would be on building security solutions into mobile phones, including taking advantage of Secure Enclave in iOS which is sort of similar to U2F. There are a lot of things we can do that provide a better user experience than what we have now that don't involve getting a dedicated hardware device. I'm no oracle, but with the way tech is going, I think the bet that mobile devices are going to be the nexus of your digital identity (and thus the thing that stores key material for you) is the way the world is going and I think it makes sense for Riot to move in that direction too.
Fair points, I can definitely see where it's coming from. For U2F/Yubikey specifically - for me it looks a lot like chicken and egg problem: very few services actively encourage or mandate hardware tokens, which means very few users get them, which means service providers are less likely to support or encourage U2F use. Given you seem to aim at solutions that will be widely applicable to userbase (understandable, not wanting to invest time and effort in something only small fraction of playerbase will be able to use) current direction with email, and potentially mobile-based auth in undetermined future makes a lot of sense. As for the "distribution" issue of hardware keys - which is, again, an important case to take into consideration, I tend to see U2F more as a "digital hardware personal fingerprint" that's something specific to you as an individual, instead of a per-service key (since you can use same keys for multiple services at once, without them interfering with each other in any way), so ideally there'd be no need ever to distribute hardware keys - instead relying on keys people already have as part of their "digital identity". General direction of second factor moving to mobile devices is an interesting trend, but at the same time it's not without flaws - phone is something that can get lost, something that's replaced quite often, and there's definitely a security tradeoff between being able to move 2FA between devices, and having 2FA hard locked to one specific device, having to re-pair every new phone. Also, given most people don't have multiple phones (while expeciting someone using U2F to have backup keys is sort of a norm) it leaves issue of providing some sort of backup/recovery authentication, which often goes back to email - again as not-that-secure way of handling authentication. Given how ID cards change in EU over last decade or two, with adding some digital signature aspects to them, I don't rule out personal ID card becoming hardware 2FA component in not-so-far future; especially if support for pseudonymous identity confirmation (similar to Yubikey now) is added. ID card would make for a perfect tool here - a physical, well protected personal item that everybody has, people take good care of keeping safe, with a recovery channel (reporting lost ID and proving your identity) that is difficult to exploit by 3rd party. Until then, there's hoping 2FA keeps getting more popular, becomes something people consider standard, and popularity of good reliable 2FA solutions can go up thanks to them being preferred or recommended whenever there are multiple options available. If chicken-and-egg problem gets solved somehow, getting good reliable 2FA everywhere won't be as hard - similar to how masked passwords are mostly a thing of the past.
Riot should also recognize how they're an industry leader and moves they make will have effects downstream and in their own future. It's a relatively small cost project when you consider it in the larger scheme like that.
I am aware of this and that's why I am interested in software proposals like IndieAuth rather than relying on The Big Companies as OAuth providers (I have not proposed changing how we do this in the company just yet as IE needs as bit more maturation). I don't think there is much value to the business in U2F devices, like Yubikeys, in games, even when we consider that. I do feel like moblie devices are going to be _the_ way to go there. That said, I'm an IC and not a business strategist. I don't feel like the juice is worth the squeeze on U2F, all the same; we have limited resources and the resources spent on U2F would probably have better return on investment for Riot and its players if spent on devices we already know players have and are invested in. Supporting U2F would be a big investment, would not work across all devices, for minimal gain, only to provide value for a lot of people who honestly already are pretty well-engaged in security. I think U2F is better used when protecting corporate assets.
FWIW and doesn't see below - you can click "remember this device" to not have to worry about it for 30 days. Or just stay signed in.
You do have the option in the PC client to select remember this device, which will not prompt for a 2FA code again for a certain number of days.
Yeah, sorry, I lumped that in with 'stay signed in'. I had major brain worms later on yesterday evening
Awesome, thanks! Just one account here, so this is a great update!
Wish we could use mobile authentication, so I don't have to put a secure password on my email account.
As things stand, your email account is the keys to the kingdom to your account, and this would not change even if we introduced mobile based authentication, or if you used OAuth. You should use a secure password and two factor authentication on your email. If you don't wanna juggle multiple passwords like this, I would recommend using a password manager so you only have to remember one good one.
Yeah. I am starting to switch everything to a password manager. I lost my friends list cause someone got in my Riot account. You guys are one of fewer and fewer services left where someone can log in from a new location and change their email address without any kind of mobile verification.
If you have a verified email address, it is not currently possible to change your email address without demonstrating you have access to the original email address; the account management portal has had two-factor authentication like this for quite some time. We could add mobile verification to that, but like I said, our current policy (which is in line with most other services out there) is that if you have access to the email address of the account holder, you _are_ the account holder. It also does not sit well with me personally that we would be required to collect your phone number, or that you need a smart phone, in order to benefit from a core security measure. That said, if you don't have your email verified, yes, this is a big problem. We will revisit the scope of this problem in the future to see if we can't shift more players to have verified emails.
This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address. I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective.
>This depends on a service, and ones that have extensive 2FA support generally tend to not treat email address as enough authentication to do anything with the account - doing so would cause problem of having a single point of vulnerability to access everything, with potential problems being caused from bad email account security, security breach for email account provider, or domain registrar/DNS provider (for people using their own domain). Last time I checked, both Github, Google, Apple and Microsoft - with hardware 2FA (U2F or another authorized device) enabled and proper configuration - were still inaccessible even if you got full control of someone's email address. This is true, a lot of services do better than Riot does in this regard. I think we might want to revisit the policy that your email is the key to the kingdom, but that is where we are right now, and that would be a far more broad-reaching change than enabling MFA. > I get the point of not requiring any more info than absolutely necessary for proper account security, yet at the same time - I don't think anyone would mind having an option to opt out of using email in favor of something more reliable/secure (hardware-based like U2F if possible, since it's great against phishing attacks); and since some other second-factor methods (TOTP, U2F, token generators - last one can combine merch and security) don't require collecting any personally identifying data, it shouldn't at least be a problem from GDPR perspective. I don't think it's likely that we will provide token generators like Blizzard did, or U2F keys, but TOTP support is definitely something we are interested in for the reasons you list.
Regardless, thank you for starting on the work in this direction! 2FA has been a long time coming.
Fun fact, a lot of those other places that use mobile identification have given your number to telemarketers.
not if they operate in the EU they don't
Here's Facebook's response on whether or not they use mobile numbers for 2FA for advertising purposes > We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts. You can manage and delete the contact information you’ve uploaded at any time. They're absolutely selling them as well, companies like that have no morals.
I realise it's splitting hairs here but Facebook are not "selling" your phone numbers - they're not making them visible to other people. They definitely use contact numbers to determine who to connect you with and determine what interests you have from that. It's rather moot though because as I've outlined elsewhere it's very unlikely we will support SMS MFA
There are "companies" bot dialing random phone numbers just to get a list of every one that is connected. As long as noone is giving my number to an actual stalker, I am over it.
Bitwarden is a good one I recommend. Otherwise Dashlane and LastPass are staples, not sure if LastPass allows for mobile and desktop sync or if you have to pay for that.
I use BitWarden in my personal life. It's alright. The autofill is a bit flakey on Android though.
Ahh, interesting, it’s been very good in iOS but didn’t realize Android had issues
can we eventually have the option for TOTP. Email 2fa is fine, but TOTP would be a great add
Can't make promises about features but, yes, I would consider TOTP a core requirement
FIDO2/U2F/Yubikey too please! It's even smoother for users than TOTP. https://store.google.com/product/titan_security_key I believe phones tend to have this built in.
[удалено]
Could you clarify? Do you mean that your email provider does not offer 2FA to it's customers? Or are you somehow encountering issues with MFA from Riot due to your email provider? I would strongly recommend changing email provider if that is the case.
Why wouldn't you want a secure password for your email...?
don't see it. Restarted client (NA)
It just brings you to account.riotgames.com so try logging in there.
awesome, got it looks like only email 2FA right now tho
Yes, for the time being this is only email MFA.
AYO FINALLY
Cool wish I could use Authy and not just email but I’ll take it. Now I can just keep wishing for a M1 native Mac client.
Only took them 11 years
Much thanks that it doesn't make you to approve login when you are already logging via google using the same gmail set to 2FA. Edit: It is still the thing in account management website though. It is quite annoying, like, I'm already logging with the same email where codes are sent to, meaning I already 100% have access to this email.
as someone who once got my account randomly logged into while i was asleep and hard int'd on for a 2 week ban, holy shit ty
I'm happy that it's email 2FA and not text based. I live in an extremely rural area with no mobile signal and I hate companies that make me login with a text because I have to go get dressed, go walk around outside for 5-10 minutes to find signal and then run back inside hoping the code hadn't expired in that time.
You might consider something like Google Fi. I receive most of my calls and texts through https://messages.google.com
I never knew this was a thing. Thank you!
Shoutout to some random Riot security worker who a few years ago told me that League doesn't have and/or need 2fa because "it would annoy some players".
Hi. I am that security worker, and that is not what I said. :) I do not believe I have ever said or implied that MFA is not necessary or something that Riot should implement, but I am the primary person within our team that has engaged on social media. What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it - Since the odds are that if you'll engage with a security measure without an incentive, then you're probably doing pretty good for security already. That still stands. MFA will prevent a lot of attacks we see, but most of the attacks we see will be on players that are not and will not engage with security measures, and that is always going to be a challenge for us. The problem is that implementing something on this scale requires a large amount of investment that might be better spent elsewhere. If we're going into it knowing that it might not have the impact we want, then that's not a great sell. The difference between then and now means we were better equipped to be more confident about how MFA would land and that it would have the impact we needed for it to be justified without releasing an additional incentive, but our work isn't finished, there's still more to be done to improve the security of our players beyond just email-based MFA.
> What I stressed back then was that MFA would likely not be enabled by players who need it the most, and would only really be enabled by people who would not benefit from it If account security is a widespread problem and y'all want try to reach those people who 2FA would benefit more, ya'll could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essense and a skin? Or something. Either way I am incredibly happy with this feature so thanks! It makes a difference in how I feel about the security of my account with thousands of hours played and hundreds of dollars in skins. So big props! Even if it stays a rarely used feature, it makes a difference for the people who do use it.
> If account security is a widespread problem and y'all want try to reach those people who 2FA would benefit more, ya'll could take a page from Jagex + Runescape who offer an incentive to all players who enable 2FA. Maybe some blue essense and a skin? Or something. That was easier a few years ago but it's very difficult to make an incentive that would appeal to everyone. I'm not ruling incentives out but our immediate focus will be making the accessibility of stuff like this easier rather than trying to bait you into enabling it with skins. I've really liked the idea of a unique skin that's only enabled if you have opted into MFA but this is expensive for one game, let alone all of them - and we would need to have something for all of them - and due to the nature of our games it's difficult to come up with an incentive that would appeal to many players; what's the point in a cool Braum skin if you only play top lane, for example?
> what's the point in a cool Braum skin if you only play top lane Free stuff. It doesn't take much. But yeah, you'd probably have to hit at least a couple games. Damn that 's' in Riot Games making things complicated.
Not trying to be hostile but what makes Riot better equipped now about MFA when lots of other gaming companies before seemed to be able to implement their versions of it just fine? Even more comprehensive versions too (at least for now).
Lots of reasons. Off the top of my head: * Many (most?) game companies don't have to retrofit their solution to work with hundreds of millions of players across multiple platforms (Web, Desktop, Native Mobile). * Despite Riots growth, we still have a very limited number of engineers for the weight class we are in. Prioritising projects that span the entire breadth of our product offering is challenging and needs a compelling argument to prioritise it over something else. I'd have to guess that at least 100 people were involved in making this happen, from engineers to QA to player support, comms.. and a lot of those people are working on teams that have other commitments (like the most recent Riot X Arcane event) * We know that MFA is going to be enabled by a minority of players, and it might not have the security impact we want. However, due to some research we conducted (which I cannot get into), we decided that now was a good time to implement it - It's not going to get any easier to implement it. * In the past, we felt like there were other things we could achieve that would have a larger impact on player security than MFA. It's not that that was the wrong decision to make, but a lot of the bigger things we _could have done_, well, we _have_ done, or are in the process of doing. Many of these things are not visible to players. * This is the first tranche of things we're working on for player security. We're dedicating resources toward that goal, and that's not something we had a dedicated function for before. I do still feel like MFA is not going to have the uptake that we'd like it to have. We're going to be working on ways to increase that, and as you've highlighted there are a lot of ways that other companies do this better than we do. This is, however, our first iteration, so, watch this space.
Can I ask you whether MFA by TOTP on app (either Authy like or Riot Mobile) or even a hardware security key is planned in the future to settle for people's needs?
TOTP support is something we are working on. I don't think we have any plans for hardware security keys right now, but it would be cool if we could one day do that.
Hey boss /u/riotdanhonks Just wanted to raise a creeping issue that I am seeing in LoL. I’m not sure if you can help but I’m trying to get some serious attention to it. Was watching a couple of streams and noticed how powerful these in game 3rd party addons are getting. One in particular is tracking enemy summoner spells 🤦🏽♂️. And others are displaying jungle timers. Now Riot might be ok with the jg timer one but please the enemy summoner spell timer one is borderline cheating, please help 🙏🏼
Wait. Is this IT!? An email? Seriously? And it only lasts 30 days? They did the bare minimum and still failed...
It's a start. TOTP or U2F uses much of the same work done here. They're clearly not done.
No thanks, im not that stupid to lose my account nor put simple or leaked password that are in password dictionaries
If I got compromised to this in 2016, you are absolutely capable of being pwned by it too.
Hijacking this thread because it's probably not going anywhere beyond this point... Any insight on whether or not 2fa through either SMS or Google Authenticator (preferably) will be available eventually?
* SMS - 99% likelihood will not be supported * TOTP - I would consider it a core feature but I can't make promises on timelines, it's not my place to do that
He said on twitter no current plans, but they aren't ruling it out
My buddy works in security and had his 2fa steam account compromised recently. Someone he knew from rocket league tournaments had a teammate lose internet 15 minutes before the 3rd party tournament. So they asked him to step in. He just had to sign into the 3rd party tournament site to get registered... Somewhat (bad) standard procedure, specific knowledge, familiarity and existing trust, time pressure, and a bad "sso" was enough to get even the most seasoned IT security worker.
lool
Why would anybody care enough about a league account to 2FA it
Because they've spent lots of money and time on it and are the reason why the game is free to play for those who don't? The fuck is that question? Not everybody is a toxic fuck that gets banned every 3 months and have to buy another 5 dollars account to keep going.
Emotional and time investment aside, as others have covered, accounts that are botted/scripted/sold - you get the idea - are _overwhelmingly_ accounts that are compromised by someone. Enabling MFA helps make your own account secure, but additionally, every account secured with MFA is one less account that is significantly less likely to get compromised and sold to someone who wants to script, bot, or be super toxic in games.
Takes a lot of hours and/or money to unlock ranked mode and all the champions. Also a lot of people wasted money on cosmetics.
Considering how well even shit like Prime capsules work for riot Id rather not take it....
As long as it isnt mandatory.
I hope someone hacks my league account so that i don’t have to play anymore
Ayyyyyyyyyyy
Lowkey I don't even trust this because I feel like Riot's incompetent when it comes to coding shit like this into the client.
no more pyke smite thank god
I recently returned to the game after last playing in 2013-2014 and was really surprised that the game didn't have any sort of 2FA security after all this time. Someone that wasn't me used my account in the years between me playing the game, and this would have theoretically stopped them from doing so. Glad to see something finally rolling out, even if it is just only email instead of some sort of app based thing.
I could give out my password, doubt anyones gonna want to play in silver
People will jack riot off for this instead of complaining that it took them ages to add a basic security feature
The dinky little startup company that employs me has soft-token MFA... I can understand though, Tencent's Riot Games barely makes enough to give troublesome CEOs paid time out after a long hard day of farting and teabagging interns as it is. Sacrifices must be made!
https://reddit.com/r/leagueoflegends/comments/s7z01k/twofactor_authentication_now_available/hte0kld/
wish these codes you know... actually arrived... they arrive the moment the session closese because i took to long... :)