RuneScape Authenticator

From the RuneScape Wiki, the wiki for all things RuneScape
Jump to: navigation, search
The warning players get if they do not have Authenticator active on their account.

The RuneScape Authenticator is an additional layer of protection players can utilise on their accounts. It replaces the Jagex Account Guardian (JAG), by using an RFC-compliant time-based one-time password (TOTP) compatible with Google Authenticator. This algorithm can be used both on supported mobile devices and in desktop implementations. This system works for both RuneScape 3 and Old School RuneScape, unlike the JAG did previously.

To set up the RuneScape authenticator, a player must visit the Authenticator landing page. Jagex generates a random 80-bit secret key unique to each user and presents it as a 2-dimensional barcode and as a 16-character Base32 string. Many mobile devices can read the barcode directly through their camera, which is equivalent to entering the Base32 string manually. The implementation generates a 6-digit code every 30 seconds based on the key and epoch time.

Once set up, players are prompted to enter the 6-digit time-based code whenever they log in to the game using an untrusted computer. Jagex implements a 10-minute window (five minutes on either side of the actual time) to enter the correct code to allow for a possible lack of synchronisation between Jagex's server time and player devices.

Players can choose to trust the computers on which they play RuneScape for up to 30 days or choose to enter a code every time they wish to play.

Players can also choose to use the authenticator for their bank PIN instead of the fixed 4-digit PIN. However, the 4-digit PIN is not obsolete. Logging into the bank or the Grand Exchange from the RuneScape Companion app still requires the 4-digit PIN. Players who choose to stop using the authenticator as the bank PIN revert back to the last 4-digit PIN used.

To disable the authenticator, click on the "disable authenticator" link. Jagex sends an email containing a link to disable the authenticator to the email address registered for that account. It is highly encouraged that the email associated with the account require two-step authentication so that the RuneScape authenticator can not be easily removed. That is, it is suggested that the email be tied to a mobile device either by texting or a call before a new computer can gain access to said email.

Update history[edit | edit source]

The update history project is a work-in-progress – not all updates to this topic may be covered below. See here for how to help out!
  • coldfix 19 March 2018 (Update):
    • Fixed an issue preventing an authenticator pin from being read when using Facebook or Google to log in.
  • patch 24 November 2014 (Update):
    • Players who have set up an authenticator as a bank PIN and subsequently disabled the authenticator can once again access their banks.
  • patch 28 July 2014 (Update):
    • When logging in with Facebook or Google+ the Authenticator no longer requests that you re-enter the code when the remember for 30 days option is selected.

Trivia[edit | edit source]

  • On release, although the authenticator was stated to trust the computer for 30 days if selected, it only did so for 14 days. It now trusts the computer for the stated 30 days.
  • The authenticator cannot be enabled without having a character name set.