Account security is very outdated on MapleRoyals. Yes, it is important to not use the same username/pw combo in multiple places, but 2FA is very common nowadays. Always sad to see friends and players get hacked. Having logging into a client from another IP or a new device require some 2FA verification on the control panel would be a really nice extra layer of security.
I do agree that having 2FA would be good (just unsure about the feasibility). *Email address isn't a good 2FA in the Royals context because too many people have lost access to their emails. However, I disagree with requiring 2FA when the client is logged in from another IP address, as some ISPs assign dynamic IP addresses to their users (it would be a real hassle for each login). *The above scenario would also apply to players that require a different IP address to log in, such as VPN users.
I do agree that 2fa would of course add some additional security. However, I disagree that the absence of 2fa means that account security is very outdated. We offer two layers of pin/pic protection, utilise captchas, rate limiting, email verification after failed login attempts and more. The reason why accounts get broken into is not due to our account security being outdated; instead, it's players not using good practices for their account credentials. Our control panel logs show that in almost all cases, the accounts which are being successfully accessed by hackers do not have failed password attempts, meaning that the account name/password combination was already known, and that those accounts either do not have a pin/pic set, or have very weak pin/pic combinations. Therefore, if those users are unable to ensure they are not using the same username/password combination as they have used elsewhere, and are too lazy to set a more complex pin/pic, then it is unlikely that they would bother with the additional 2fa security for their account.
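
The log triage described in the post above, as an added example that is not part of the original thread or MapleRoyals' own tooling: it splits successful logins from a previously unseen IP into those with no failed attempts and those preceded by failures. The event layout, labels and sample data are assumptions constructed for illustration; a new IP alone is not proof of compromise (dynamic IPs, VPNs), so the result is a review queue.

```python
from collections import defaultdict

# Constructed events in time order: (account, source_ip, event, pin_set).
# The layout is hypothetical, not the real control panel log format.
EVENTS = [
    ("alice", "198.51.100.7", "login_ok", True),
    ("alice", "198.51.100.7", "login_ok", True),    # same IP again: ignored
    ("bob", "203.0.113.5", "login_ok", False),
    ("bob", "192.0.2.44", "login_ok", False),       # new IP, first try, no PIN
    ("carol", "203.0.113.9", "login_ok", True),
    ("carol", "192.0.2.80", "login_fail", True),
    ("carol", "192.0.2.80", "login_fail", True),
    ("carol", "192.0.2.80", "login_ok", True),      # new IP after failures
    ("dave", "203.0.113.20", "login_ok", True),
    ("dave", "192.0.2.90", "login_ok", True),       # new IP, first try, PIN set
]


def triage(events):
    """Return (account, ip, label) for each success from a not-yet-seen IP."""
    known_ips = defaultdict(set)  # account -> IPs with an earlier success
    failures = defaultdict(int)   # (account, ip) -> failures since last success
    findings = []
    for account, ip, event, pin_set in events:
        key = (account, ip)
        if event == "login_fail":
            failures[key] += 1
            continue
        # Only judge accounts that already have a baseline IP on record.
        if known_ips[account] and ip not in known_ips[account]:
            if failures[key] > 0:
                label = "after_failures"      # password was being guessed
            elif pin_set:
                label = "first_try_pin_set"   # password known, PIN still in the way
            else:
                label = "first_try_no_pin"    # password known, nothing else to pass
            findings.append((account, ip, label))
        known_ips[account].add(ip)
        failures[key] = 0
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```
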
Problem is, good account security means you are slower to log in, as well as having a harder time getting a shop spot after resets. I say allow for opt-in 2fa using the authenticator app. Every 30 days you need to re-verify as long as you're from the same IP or whatever, same as RuneScape handles it.
If the 2fa is only triggered under certain circumstances, I don't think it would have an impact on how fast it is for you to get a shop spot.
Oh yeah, I worded that badly, sorry. What I meant to say was, in its current implementation with the pin you have to enter on every login, it becomes "not meta" to have that security feature enabled. Instead, I'm saying that yeah, 2fa is a good choice and we should have it, because players can still log in fast and compete whilst still having imo good account security. As long as your computer and IP stay the same, you'd only need to re-verify every 30 days, if that's the approach we're choosing, such as RuneScape.