Although it's been a while since our last update, work on account security improvements has continued. We have just today gone live with website login Authenticator checks, and work continues on further Authenticator improvements.
However, we've also endured a sustained multi-month attack on our servers, and the time required to manage this has pushed back other, more visible, projects.
Here's an update on where we're at:
Since the last blog, many of you have told us that you want additional security for the Authenticator. A common request is for the introduction of a delay to Authenticator changes.
A delay would give you the chance to block any attempt to remove your Authenticator by someone with access to your email address. However, introducing a delay would also create a number of issues:
1. It requires you to respond to any alerts during the delay period.
2. Any email alert by design relies on an email that's being sent to your compromised email account. Obviously, whomever has control of your email account can easily delete this.
3. If your email alert is deleted, you risk missing the alert should you happen to not log-in during the delay period.
4. There's the added complication of the email potentially being sent to your junk or spam folder.
5. If a hijacker gets into your account and sets their own Authenticator Delay, it would keep you out of the game for even longer.
So, to avoid these flaws we're taking a different approach to improving Authenticator security - Backup Codes.
We intend to introduce a Backup Code system. This means you’ll receive a Backup Code during Authenticator setup that you'll need to write this down and keep in a safe place. This will be used to remove your Authenticator if you don't have access to it any more, and prevents compromised emails being used to steal accounts. Your Backup Code will ONLY be used on our website to remove your Authenticator. Be sure to keep your Backup Code safe.
We've chosen this approach over a delay for a number of reasons:
1. You won't need to intervene to prevent your Authenticator being removed.
2. Hijackers that don't have your backup codes will not be able to remove your Authenticator.
3. If you lose access to your Authenticator, your Backup Code can be used to restore access.
4. Even if someone gains access to your email address, your RuneScape account will remain secure.
5. Other companies have successfully used the same system, giving us a clearer idea of what the right solution looks like.
In preparation for Backup Codes, we have already added Authenticator checks for all website logins.
If you lose your backup code you can get a new one when you log-in and pass your Authenticator check.
If you don't like the idea of using a Backup Code and you are 100% confident in the security of your email address, then you can continue using the old email method to remove an Authenticator, although obviously we do not recommend it.
Losing Your Backup Code & Authenticator
Once live, if you lose your Authenticator and Backup Code it will be possible to request help from Player Support, but this process will be very strict and require very clear information to ensure that you are the owner of the account. No request will be actioned for at least 72 hours.
An Authenticator Removal Request to Player Support will be a LAST RESORT.
You will not be able to rely on this service to manage your Authenticator. It will mean you aren't able to access your account for a minimum of 72 hours, and the amount of evidence you will need to prove you're the account owner is VERY HIGH.
Here are our current Account Security priorities:
- Adding Backup Codes to the Authenticator in 2020. We encourage everyone to update their Authenticators to add a Backup Code as soon as it is released.
- Making it easier to move your Authenticator to a new device if you change phones.
- Continuing the password complexity work (once we're happy that Authenticators are more secure).
It is possible that we may alter the schedule if this allows us to release security improvements faster.
We know that Account Security can be quite a complex subject and that progress can appear slow, but hopefully this gives you a clearer idea of the direction we're heading. We'll be back with another tech update in the future.
Thanks very much
The Player Support Team
The Jagex Web Team
Continue the discussion on Reddit, Discord or on our forums.