RuneScape Authenticator

From the RuneScape Wiki, the wiki for all things RuneScape
Jump to navigation Jump to search
The warning players get if they do not have Authenticator active on their account.

The RuneScape Authenticator is an additional layer of protection that players can add to their RuneScape and Old School RuneScape accounts. It replaces the Jagex Account Guardian by using Time-based One-Time Password (TOTP), supported by two-factor authentication apps on both mobile devices and desktop computers.

Setting up the authenticator[edit | edit source]

To set up the RuneScape Authenticator, players must visit the Authenticator landing page. Jagex generates a secret key unique to each user and presents it as a QR code and as a 16-character string; these are used to add your RuneScape account to a two-factor authentication app (Jagex recommends Authy or Google Authenticator on its support pages). Once set up, players are prompted to enter a 6-digit time-based code whenever they log in to the game using an untrusted computer. Players can choose to trust the computers on which they play RuneScape for up to 30 days or choose to enter a code every time they wish to play. Jagex implements a 10-minute window (five minutes on either side of the actual time) to enter the correct code to allow for a possible lack of synchronisation between Jagex's server time and player devices.

Players can also choose to use the authenticator for their bank PIN instead of the fixed 4-digit PIN. Players who choose to stop using the authenticator as the bank PIN revert back to the last 4-digit PIN used.

Disabling the authenticator[edit | edit source]

To turn off the authenticator, click the "disable authenticator" link on the Authenticator landing page. Jagex will send an email containing a link to disable the authenticator to the email address registered to your account. It is highly encouraged that the email associated with the account also be secured with two-step authentication so that the RuneScape Authenticator cannot be easily removed.

Update history[edit | edit source]

This information has been compiled as part of the update history project. Some updates may not be included—see here for how to help out!
  • patch 17 January 2022 (Update):
    • Changed the 'Can't Log In?' messaging on the Authenticator pop up to 'Lost your Authenticator?' to avoid confusion. Selecting it will take you to the 'Disabling The Authenticator' support page.
  • coldfix 19 March 2018 (Update):
    • Fixed an issue preventing an authenticator pin from being read when using Facebook or Google to log in.
  • patch 24 November 2014 (Update):
    • Players who have set up an authenticator as a bank PIN and subsequently disabled the authenticator can once again access their banks.
  • patch 28 July 2014 (Update):
    • When logging in with Facebook or Google+ the Authenticator no longer requests that you re-enter the code when the remember for 30 days option is selected.

Trivia[edit | edit source]

  • On release, although the authenticator was stated to trust the computer for 30 days if selected, it only did so for 14 days. It now trusts the computer for the stated 30 days.
  • The authenticator cannot be enabled without having a character name set.

External links[edit | edit source]