RuneScape Authenticator

From Old School RuneScape Wiki
Jump to: navigation, search
The warning players get if they do not have Authenticator active on their account.

The RuneScape Authenticator is an additional layer of protection players can utilise on their accounts. It replaces the Jagex Account Guardian (JAG), by using an RFC-compliant time-based one-time password (TOTP) compatible with Google Authenticator. This algorithm can be used both on supported mobile devices and in desktop implementations. This system works for both Old School RuneScape and RuneScape 3, unlike the JAG did previously.

Players are required to set up the Authenticator in order to be able to receive a pair of fancy or fighting boots in the Stronghold of Security. In addition, having it set up is required for Solztun to imbue the player's skull sceptre. Should players disable the Authenticator, the skull sceptre will revert back to its regular state.

Setting up[edit | edit source]

To set up the RuneScape Authenticator, a player must visit the Authenticator landing page. Jagex generates a random 80-bit secret key unique to each user and presents it as a 2-dimensional barcode and as a 16-character Base32 string. Many mobile devices can read the barcode directly through their camera, which is equivalent to entering the Base32 string manually. The implementation generates a 6-digit code every 30 seconds based on the key and epoch time.

Once set up, players are prompted to enter the 6-digit time-based code whenever they log in to the game using an untrusted computer. Jagex implements a 10-minute window (five minutes on either side of the actual time) to enter the correct code to allow for a possible lack of synchronisation between Jagex's server time and player devices.

Players can choose to trust the computers on which they play RuneScape for up to 30 days or choose to enter a code every time they wish to play.

Players can also choose to use the Authenticator for their bank PIN instead of the fixed 4-digit PIN. However, the 4-digit PIN is not obsolete. Logging into the bank or the Grand Exchange from the RuneScape Companion app still requires the 4-digit PIN. Players who choose to stop using the authenticator as the bank PIN revert back to the last 4-digit PIN used.

To disable the authenticator, click on the "disable authenticator" link. Jagex sends an email containing a link to disable the authenticator to the email address registered for that account. It is highly encouraged that the email associated with the account require two-step authentication so that the RuneScape authenticator can not be easily removed. That is, it is suggested that the email be tied to a mobile device either by texting or a call before a new computer can gain access to said email.

Setting up on a new device[edit | edit source]

Players who have purchased new devices will have to re-download the app on their devices, disable the Authenticator via the RuneScape mainpage, and re-enable it. After Jagex has sent the email containing a link to disable it, players will have to follow the aforementioned steps to set up the Authenticator on their new devices.

Alternative to using mobile phone for authenticator codes[edit | edit source]

Players who cannot scan the setup QR code, or just want an alternative may use Authy.

Authy is an app trusted by Jagex, that has the same basic functionality as other applications like Google Authenticator, allowing for an extra layer of account security.

You can read about Authy on the support section of the official RuneScape site.

The main advantage of using Authy is that you can easily log back into the app, continue receiving codes, retain the extra security, and not worry about if you get a new phone or mobile number, which doesn't risk problems logging back into RuneScape or require the need for Account support, like it could when using Google Authenticator.

Trivia[edit | edit source]

  • On release, although the authenticator was stated to trust the computer for 30 days if selected, it only did so for 14 days. It now trusts the computer for the stated 30 days.
  • The authenticator cannot be enabled without having a character name set.