Two-Factor Authentication
As promised, I looked into it. Now we have it.
Update at end of post!

What is Two-Factor Authentication (2FA)?

When it comes to securing things - where "things" can range from an account all the way up to nuclear launch codes - there are three possible "factors" of authentication.

- "Something you know", most commonly a password.
- "Something you are", typically biometrics, although this can sometimes include your physical location, for example in IP-based tracking.
- "Something you have", such as a physical key.

One factor is good. Two is better. Three is probably overkill but necessary for super important things. But the key thing to remember is that repeating the same factor doesn't increase security. There were some suggestions of "log in using your email address instead of your username", or even having a "login name". These are just more "things you know" and don't add any security.

A real-world example of two-factor authentication would be using your bank card at an ATM. You insert your card (something you have) and type in your PIN (something you know) to get access to your account.

How is it implemented on PFQ?

Today I am adding a new page for handling two-factor authentication. You can use this page to pair your account to your smartphone using any Authenticator app. Desktop versions exist too. It doesn't matter which app you use - Google Authenticator, Authy, WinAuth and many more. Pick one you trust.

PFQ will provide a QR code for easy scanning, or you can directly copy-paste the "secret key" into your app of choice. IMPORTANT: Do NOT save this secret key ANYWHERE other than the authenticator app.

Once scanned, the app will start providing you with 6-digit codes, which change every 30 seconds. Enter the code into the form to confirm the pairing and enable 2FA.

After enabling 2FA, the way you log in will change. In addition to username and password, you will also need to open the authenticator app and enter the code it gives you. This proves you have the device you paired, which is the "something you have" that makes this 2FA work.

Work in progress!

As of this post, the feature is mostly done but not completely. You can enable 2FA and use it to secure your account today, but the "emergency backup account recovery" option is not yet implemented. You also can't yet disable 2FA once enabled.

This means that if you lose your smartphone, or can't get the 2FA codes for some other reason, you won't be able to log in to PFQ. If this happens, you can contact Support and we'll help you regain access. I will be working on the part of the feature that lets you recover the account yourself, but for now it's off to the Support Centre with you!

Will this be required?

No. 2FA is an extra layer of security that is completely optional. It is, however, strongly recommended - especially if you have spent money here.

This post will probably get updated with more questions later. For now, if you want 2FA, you can have 2FA!
Update 13/Aug: Emergency Backup Code is now available. Head over to the 2FA page to set one up. This will allow you to log in even should you lose access to your 2FA codes. Keep this code safe and hidden. Also you can disable 2FA from the 2FA page just by using your 2FA paired device. Still to do: when important actions are taken on the 2FA page, such as setting it up or - more importantly - disabling it, an email needs to be sent to the user so that you know it's happened, just in case it wasn't actually you! That'll get done soon.
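The 6-digit, 30-second codes described in the announcement match the defaults of standard TOTP (RFC 6238, HMAC-SHA1), which is what the named authenticator apps generate. The sketch below is an added example, not PFQ's code: it assumes that standard, and the function names, the drift window and the replay counter are illustrative choices.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP, DIGITS = 30, 6   # "6-digit codes, which change every 30 seconds"
# Published RFC 6238 test key (ASCII "12345678901234567890"), not a real secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at=None):
    """Code an authenticator app would show for this secret at Unix time `at`."""
    # Pasted keys often arrive lower-case and grouped with spaces; normalise.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, at=None, drift_steps=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts codes from +/- drift_steps around the server clock so a slightly
    wrong phone clock still works. The caller stores the returned counter and
    passes it back as last_counter, so a code cannot be used twice.
    """
    now_counter = int(time.time() if at is None else at) // STEP
    submitted = submitted.replace(" ", "").encode()
    matched = None
    for counter in range(now_counter - drift_steps, now_counter + drift_steps + 1):
        if counter <= last_counter:             # already used, or before epoch
            continue
        expected = totp(secret_b32, at=counter * STEP).encode()
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            matched = counter
    return matched
```

A wider `drift_steps` tolerates more clock skew at the cost of a longer window in which an observed code stays valid.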
Oh, cool.
Awesome, gonna go hunt a good authentication app down now haha
Just to make sure though, if you're logged in, can you remove the authentication link if need be? I have an old phone that I may lose soon because of charger issues so I just want to make sure before I do anything.
Nevermind .-.
{ Translation: Hello! }
Okay, help. I keep getting an error message that the code is wrong?? I copy-pasted everything??
Wooooo, thank you Niet!
Hopefully, a lot of people who wouldn't normally use this can be tempted into enabling it somehow hahaha
Awesome, thanks so much! I've enabled it already and re-logged in already and everything went smoothly. c:
Can an option be considered to check off "remember this device for 30 days" when you log in on different devices/locations? This way you could choose to only need to enter your 2FA code monthly on devices you trust.
I'm not sure if this is possible for Pokefarm, but I do ask because I use this option on other games. This is a helpful choice for people who want the security of 2FA from strangers who might be trying to log into their account to steal (such as the recent Account Breach situation), but aren't as worried about local log-ins. It can be a good balance between security and convenience.
thank you for making it optional =3 I usually get annoyed with 2 factor if it ever signs out a computer I frequent and the cookies on this site with renaming get annoying to me so when I clear them it logs me out. this isn't often but is something that happens and I like that I can opt out until I feel it is required for myself =3
Thanks, Niet! I tried it out and enabled it! I *think* it's working, I've never had to use one of these on the desktop before xD
The extension I added to my Chrome seems to be working so far :>
Thank you for implementing this!
QUOTE originally posted by Peachi
Can an option be considered to check off "remember this device for 30 days" when you log in on different devices/locations? This way you could choose to only need to enter your 2FA code monthly on devices you trust.
I'm not sure if this is possible for Pokefarm, but I do ask because I use this option on other games. This is a helpful choice for people who want the security of 2FA from strangers who might be trying to log into their account to steal (such as the recent Account Breach situation), but aren't as worried about local log-ins. It can be a good balance between security and convenience.