Latest Comments by Kimyrielle
The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 10:58 pm UTC
Quoting: Beamboom: "Well, then criticise that, then."
That's indeed what I do, and what I called the "reality check" that 2FA doesn't survive. The entire concept has several really fundamental problems that just aren't solved and probably never will be. Like how to solve the lost token recovery WITHOUT trampling on your privacy (and please don't point me at Facebook or Google...we know for a fact that neither of them gives a flying shit about your privacy). Which is a hilarious circumstance given that the most popular token is a device people are super prone to lose - their smartphone.
In the end, my fundamental problem with 2FA is that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept. Basically 2FA is an attempt to cure stupid. And we all know that in the end you can't. For people who are NOT stupid, it doesn't do anything except making their life more complicated. And it introduces a lot of new problems, like making one lose access to -everything- if they happen to lose the single point of failure in that system - their phone.
But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hands of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)
The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 9:47 pm UTC Likes: 1
Quoting: Beamboom: "But again - once you understand how this works you'll realise that this system is, in fact, very good."
I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works. But I guess rule #1 for internet debates applies: Whenever you're running out of good arguments, take a stab at the other person's qualifications!
I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.
Quoting: Beamboom: "Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better."
The problems with 2FA I tried to point out aren't related to that. I already said it's a good idea on paper. Unfortunately one that doesn't survive a reality check. See my above postings.
Quoting: Beamboom: "And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password."
Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!
To me, the recovery question is actually THE central weakness of 2FA as a concept. I can't remotely think of a good solution to that problem that wouldn't completely do away with any notion of privacy/anonymity online. Which is unacceptable.
Quoting: Beamboom: "An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open."
You do realize that brute force attacking a file encrypted using a proper cypher and a -good- password takes multiple lifetimes, yes?
Quoting: Beamboom: "So if a hacker gets their hand on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open."
No, they can't. I'd die long before they'd be finished. In contrast to Darth Helmet I don't use 12345 as a password. That being said, I'd still change my passwords if I'd ever lose my phone. Chances are that I am done before they've brute forced my password file. *shrug*
Quoting: Beamboom: "Especially since most users use a simple password on that file - since they have to open it quite regularly."
Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.
The Unity forums were hacked, but they say no passwords were taken
2 May 2017 at 5:28 pm UTC Likes: 1
Quoting: Beamboom:
    Quoting: Kimyrielle: "The vital difference is that if I lose the phone with my encrypted password file (people who put unencrypted password files on phones or cloud servers are stupid anyway), I still have a copy of it in my backup, or on my desktop PC. So, if I lose my phone with my encrypted password file, I can simply recover the copy from my backup and carry on. OTOH, losing a 2FA token is a major disaster, since that's the exact thing you need to authenticate with. Recovering lost 2FA tokens is a completely unsolved security problem, btw. There is no satisfying way to prove that the lost token was actually yours, because the possession of the token IS what the system is using to identify you. A service provider will usually resort to asking you things you know, essentially opening possible social engineering attack routes and eliminating most of 2FA's additional security (authenticating with something you KNOW is what passwords do...)"
    I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.
    To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.
    In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).
I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.
The Unity forums were hacked, but they say no passwords were taken
1 May 2017 at 6:25 pm UTC Likes: 2
Quoting: meggerman: "All sites should use 2FA if reasonably possible."
The problem with 2FA is that it's a complete PITA. There are about as many authenticators around as there are applications using 2FA, which is bad to begin with (If you use 30 services protected by 2FA, chances are that you will have to deal with at least 25 different authenticators). But the worst thing about 2FA is that most services want you to use your smartphone as authenticator, which is a really, REALLY stupid idea. Smartphones have a much greater chance to get lost or stolen than (good) passwords have, so doing that is adding a security liability, not an asset.
You also cannot use smartphone based authenticators without exposing your identity, at least to the provider of the authenticator. Which is a significant privacy concern, for using such services anonymously is nigh on infeasible.
And since people tend to replace their smartphone quite often, you will have to reset every single authenticator app when doing that. Fun! Not.
2FA is one of the things that look good on paper, but just don't work in real life. The one possible solution to this dilemma would be a global standard provider of 2FA tokens you could purchase anonymously and that would work with every single service on the planet. But when has standardization ever worked anyway! And even then this would result in a single point of failure you better not ever lose. That's the intrinsic problem with 2FA - its very point is to make you authenticate with something you HAVE and not just know (unlike passwords). But what you have, you can lose!
In the end, 2FA would be totally unnecessary if people would pick good passwords, not reuse them anywhere, and the service providers would stop being daft and start properly hashing/salting them. 2FA does NOT protect services from getting hacked. All it really does is protecting stolen passwords.
Stardew Valley 1.2 is out with more languages, better gamepad support and more
26 Apr 2017 at 2:58 pm UTC Likes: 2
Quoting: razing32: "I actually like this. Rather than have sequels that are just clones of the originals you get a game supported with more content. If that's not your cup of tea, you can always play vanilla and uninstall I guess."
^ This
Not all games are suitable for endless gameplay, but the ones that are, I want to play for ages. There is not much reason to provide content updates for these "15 hours and done" shooters, but Stardew Valley is a game with near endless replay potential. And in these cases I appreciate developers making updates and DLC for them.
Stardew Valley 1.2 is out with more languages, better gamepad support and more
25 Apr 2017 at 3:01 pm UTC
Controller support, eh?
Oh well, maybe 1.3 will have interesting new content again. :D
Civilization VI for Linux updated with the Spring Update, no cross-platform multiplayer yet
21 Apr 2017 at 6:03 am UTC Likes: 1
Eh, that's ok. I can live with companies that give their best to make something happen and discover while implementing it, that it was more complicated than they thought. It's not like the garbage some other moron studios pulled on us when they decided they'd rather work on some irrelevant Windows-related updates and not the Linux port they promised when they collected all the Kickstarter money from us.
Ashes of the Singularity almost has Vulkan ready, doesn't have Linux on the radar right now
19 Apr 2017 at 7:04 pm UTC Likes: 1
I really wonder why they feel making a Linux port from a working Vulkan render path would still be prohibitive? The biggest obstacle for porting a game to Linux is DirectX. Unless they used some really stupid Windows-only middleware, the remaining work should be trivial enough to justify even selling to a smaller audience. One should think.
Some thoughts on Albion Online with the final Beta
17 Apr 2017 at 4:13 pm UTC Likes: 2
Quoting: Zelox: "Doesn't this have to do with how long the game has been in beta and the constant server wipes the game has after every update?"
That's pure speculation on my part, but I think MMOs are a "hit business", where titles need to grab considerable attention to flourish. Players generally don't like playing in "empty" MMOs, and leave them quickly when they get the impression that their game isn't as populated as they desire. Looking at past titles, an MMO that doesn't grab hundreds of thousands of players right away will not grow into a large game later on, either. If it starts as a niche game, it will remain one.
Quoting: Zelox: "I hope the game becomes more alive when it's released, I'm not a founder but I will probably get this one when it's released."
This particular game doesn't strike me as one with hit potential. Let's face the truth: It's geared at hardcore players, and there aren't that many of them around. I wouldn't expect this game to storm the sales charts anytime soon, really. In the end, I know that hardcore players tend to look down on so-called 'casuals', but you can't have the cake and eat it. A game not appealing to 'casuals' will not sell millions of copies and thus will probably not feel populated.
Some thoughts on Albion Online with the final Beta
15 Apr 2017 at 3:22 pm UTC
Quoting: liamdawe: "Nope. It will be a pay to play game at release."
Which is a good thing, IMO. F2P games inevitably tend to put in-game paywalls at every corner, because they need to make money from something. And the only way to ensure getting paid is to annoy the player to hell, until they reach for their credit cards (exhibit A: SWTOR). I have yet to see ONE F2P game with a fair business model.
I'd rather cough up cash up-front and not get nickel-and-dimed later on, so B2P is the way to go for me.
That being said, in my experience the "optional" subscriptions tend to be a tad less "optional" than advertised. Usually it's a long list of indeed very optional XP bonuses, but there tend to be a few features hidden in said list that players -really- want to have and are sub-only. Like the famous ESO crafting bag you can't reasonably be a crafter without.