Administrivia: Some new account security options

[loftar]

I've implemented some account security changes. None of these should be particularly critical and could probably be left to discovery instead of writing an announcement about it, but since account security kind of matters, I thought it best to be explicit about it so that you may know how it works.

As you may or may not know already, when you check "Remember me", the client does not actually save your password*. Instead, it requests a randomized token from the server that it saves instead, and uses to log in in the future when the save is used. One consequence of this is that when you check "Remember me" on another computer, the previous token is overwritten on the server and becomes invalid. This is both good and bad: It's a bit bad in that you can't save your login on multiple computers, which is inconvenient; but it's also good in that you can't accidentally leave saved logins floating around indefinitely on computers you may never return to.

In order to address that, I've now implemented the ability to save multiple tokens. This means you can keep saved logins on multiple computers, but it also means that saved logins on computers you may not return to may have to be managed explicitly. For that reason, this is an option that is turned off by default. In other words, if you make no changes, it basically keeps working as it always has. You can however go your account options and turn on multiple saved logins. When turned on, up to 5 simultaneous logins can be saved. The account options have also been modified to display a list of all saved logins, so that you can centrally revoke any previously saved login without needing access to the computer that it's saved on.

Along with this, I've also changed how the automatic login from the "autohaven" launcher works. Previously (for historical reasons a bit too long to delve into here), it was only given a very temporary authentication token that could only be used once, which has made it slightly sub-optimal. While it has worked for one automatic login, using password-less login in that manner would require you to download a new launcher from the website every time you want to log in, which probably noone will ever do. From now, however, the authentication token that the launcher is given has gained the ability to create a permanent save (just like the one from checking "Remember me" in the client), which means that launcher authentication will keep working as long as that token is kept valid. The details here are that the token given to the launcher is temporary and will only work once (and expire in 2 hours), which is why the client has to exchange it for a permanent token. The rationale for this weird token dance is that, once launched once (or the token is allowed to expire), the downloaded client file will be harmless, as the token that it contains is now invalid, and the permanent token is saved on the system instead of in the launcher file.

Part of the reason I've changed the autohaven automatic authentication (apart from just making it more useful) is to make it more realistic to never have to use password logins in the client. This could make the possibility to add such things as 2-factor or federated authentication to the website more realistic, if client authentication can be done via autohaven only, instead of any second authentication factor also having to be separately possible to implement in the client. I've no immediate plans to implement any of these right now, but it could be a future development now that it is perhaps at all realistic.

On a separate note, account sharing is never supported, and is by far the number one reason for security breaches**, but if you're going to do it anyway (as I know some of you will), please consider turning on multiple logins and giving a downloaded launcher file to the other user instead of giving them your password. That way, at least they won't have access to website login (and the ability to change passwords and e-mail addresses), and you can revoke their token whenever you feel they shouldn't have access any longer. (Since you can only have 5 tokens saved, you'll even have plausible deniability when they feel betrayed by you having revoked their token -- "Oops, I just happened to log in on a sixth computer".)

* This is true for the default client. I know that there are customs that do it differently. Saving passwords in plaintext isn't exactly a good idea, so I'd encourage any custom client authors doing so to reconsider.
** If I sold a hat for every time I've seen "I only share the account with my RL friends that I can trust with my life"...

[Ysh]

Neat.

[shubla]

I
On a separate note, account sharing is never supported, and is by far the number one reason for security breaches, but if you're going to do it anyway (as I know some of you will), please consider turning on multiple logins and giving a downloaded launcher file to the other user instead of giving them your password.

Didn't know that this was a thing, never though of it. I wonder how many people have just sent the downloaded file to their friends.

[loftar]

Didn't know that this was a thing, never though of it. I wonder how many people have just sent the downloaded file to their friends.

Probably not many up to this point, since doing so would have been fairly useless given how it worked. As it works now, on the other hand, you can even use it just to log in once to get the saved token, and then just use that even to log in with a custom client.

[Phaen]

I used to play a game that did support account sharing and yes, the person you were sharing with might change the password but you can get it back with a password reset so that's no big deal. They could not, however, change the email because it required confirmation from the old email to do so.

I suggested haven implement this here

[loftar]

I suggested haven implement this here

I've seen this suggestion multiple times, so apparently I hadn't responded to yours specifically, but the reason I've rejected it is because it makes e-mail changes useless for their number one intended reason: Switching from an e-mail account that you've lost access to.

[Phaen]

Ok that's valid

[MightySheep]

wheres the tl;dr

[loftar]

wheres the tl;dr

If there is any, I guess it would be that you can now go to your account settings and enable the ability to save logins on multiple computers.

[Lunarius_Haberdash]

I suggested haven implement this here

I've seen this suggestion multiple times, so apparently I hadn't responded to yours specifically, but the reason I've rejected it is because it makes e-mail changes useless for their number one intended reason: Switching from an e-mail account that you've lost access to.

Thank you so much for this wise decision. XD