Welcome to the second in a series of four blogs from the Jagex Support Team. In our first, we detailed plans to upgrade our systems. This blog is about Account Security and will examine:
- What we're working on now:
- Strengthening passwords
- Breached password usage warnings
- Coming soon
- Email notifications and validations for account behaviour changes
- Authenticator checks on the website
- Investigating if we should implement an authenticator delay
- And in the future:
- Additional account security systems
- Increasing account recovery security
Account security is a challenge for all businesses on the internet. The number of websites to which people submit personal data, and the frequency of efforts to access this data, means that breaches are happening ever more frequently.
It's therefore no surprise that improving account security comes with some major challenges. But we are nonetheless committed to overcoming them, although we must also be realistic - these changes will take time.
Here's a detailed look at the various challenges with account security and how we're going to solve them.
Our first priority is to strengthen passwords, and work is already underway.
We’re updating our systems to allow more complex passwords to be set, and adding user guides that help users create them. We're also looking into how we can support password managers.
Work with a third-party provider is underway to implement a system which searches the internet for breached password data. That way we can warn you if you’re using a password that might not be safe, or even stop you from choosing an insecure password in the first place.
We really need your help on this, as these new systems will only benefit you if you choose to use them. In general, when it comes to password security, the essential things to remember are:
- Never use the same password for your RuneScape/Old School account as you do for your email
- If you are in any way concerned about your account safety, then set a new password immediately
- Use a different password for every service you use online
Email Notifications and Security
Once password security is improved, our focus will shift to email notification.
One of the quickest ways you can confirm you’re the owner of an account is by using the email address registered to it. This is a very common security method you have likely seen on other sites.
We're going to start sending email notifications to your email address if we see strange changes in account behaviour, and in some circumstance we will require authorisation from that email address to login.
However, the risk of using emails for security is that we don’t know if your personal email address is secure. And if the login details for your email are the same as your RuneScape/Old School account, then you’ve made it twice as easy for someone to find all the details they need.
Essentially, the more secure your email address is, the more secure your RuneScape account is. If your email provider has extra security features like 2-factor authentication, then please use them (here are the links for Google, Yahoo and Outlook).
Ultimately, these problems mean that in the long-run we want to move away from email and toward improved 2-factor authentication.
One of the most secure things you likely own is a smart phone. Some have biometrics built in, most have additional password security and importantly people are generally very protective of them.
We therefore want to use the security of your phone more to keep your RuneScape/OldSchool account safe, and the way to do that is 2-factor authentication (2FA) apps.
Do note that we already offer 2FA and it is currently used by about 50% of active players. If you haven't already done so, then please setup 2FA as soon as possible ! Our aim is for all of our players to use an authenticator and for it to apply to the game and website logins.
One feature often requested by players is authenticator delays. There are several ways we could do this, such as delaying change requests or temporarily limiting trades. We haven’t ruled anything out just yet, but are mindful that there is a big risk of players getting locked out of their accounts or enduring restrictions if their phones are lost in the interim.
We must also support users who need to change authenticator because they've lost access to their phone. These change requests already happen more times a day than Player Support could handle if they had to check everyone individually.
Our preferred option, therefore, is additional account security systems.
Additonal Security and Account Takeovers
We’re looking into additional security checks using the same type of technology used to tackle payment fraud. This system will allow us to react to new threats in real time, create different security models for different states of a RuneScape account (e.g. active player, dormant account, not email registered, authenticator supported etc...), and respond sufficiently fast to avoid the blocks that an authenticator delay could create.
We believe this data driven account security method is our best chance to tackle account takeover. It can work for all accounts and for all players. However:
- If for whatever reason you can’t use 2FA, this will be your backup to protect your account. As a result, though, it will take a few seconds to run checks every time you login so users might encounter a slight delay.
- This system will check millions of logins every day, and it would be wrong of us to assume it will get it right every time. Striking the right balance between brevity and security (in other words, letting the right users in and keeping the illegitimate users out, all without creating too much of a delay) will be a process, and we're unlikely to get it right straight away. We will be doing extensive testing before going live to perfect this, but please be patient with us. We are looking at how you’ll be able to contact us and resolve the situation ASAP if you do get incorrectly blocked.
- If all goes to plan then this should all just happen without you ever seeing it or having to worry about it - unless you’re trying to steal someone’s account, of course. For that reason we won't be regularly updating players on progress.
- The build and setup is going to take some time. This is a key priority for Jagex so it will be ready as soon as possible - current estimates point to a rollout in the first half of 2020. Despite the challenges, we think the benefits are worth overcoming the issues.
One of the biggest challenges we face when reviewing account recovery attempts is identifying if the request has been submitted by the account owner.
Our focus for the next year is on stopping the hijackers before they even get to an account, but regardless we need to improve how we process account recovery attempts. This may mean that appeal information requirements become stricter. It’s going to take some time to find that right balance between safety and swiftly getting players back into the game. At the moment we don’t feel we have it quite right, so work will continue on this.
And from the team
We understand how important account security is to you all, just as it is for us - we hear everything you're saying. And while we can't fix it overnight, we won't stop until things get better. We'll keep you posted on our progress but please keep talking to us, please keep sharing your concerns and please keep offering your suggestions. We're committed to doing everything we can.
The Player Support Team
Continue the discussion on Reddit, our official forums, or the community-led OSRS Discord in the #old-school channel.
We'll also discuss the blog on Wednesday's weekly OSRS Q&A which you can watch at 5pm BST on the Old School Twitch channel.
Ahead of that you can also see the blog being discussed on the weekly RuneScape stream, featuring appearances from Player Support, the Tech Services team, and Mod Sween as an Old School representative. You can watch that at 5pm BST on the RuneScape Twitch channel.