Account Security Improvements

by The EVE Dev Team, 12:00pm on Wednesday 3rd July 2019

If you'd like to discuss this devblog, feel free to head on over to the comments thread on the official forums!

Hi, fellow capsuleers.

EVE Online accounts are incredibly valuable, and we are constantly taking steps to make your accounts more secure. In this blog, we'd like to tell you about what steps we've recently been taking to improve your safety. Before that, we first want to tell you about something we have been working on with our friends at 1Password.

Introducing: The EVE Players' 6-month free trial for 1Password Family

-IMAGE-

Yes, you read that correctly! We had a little chat with our friends at 1Password, and they were awesome enough to give all of you a free 6-month trial on their family plan! This allows you to synchronize your passwords between devices, be it desktops or mobile devices, and share selected passwords and vaults between up to 5 family members.

There is no obligation involved in the trial, so if you are worried about losing access to those passwords should you decide not to continue after 6 months (why would you? It's awesome!), don't worry: the applications will only be put into read-only mode. So, we highly encourage each and every one of you to sign up with them if you haven't already.

You are, of course, free to use any other password manager if you so choose, but please do use a password manager, as it greatly improves online security for most people. In the example below, we'll show you how you can take advantage of 1Password to manage not only your passwords, but your Two-Factor Authentication codes for EVE Online as well.

You can sign up for the extended 1Password trial right here.

For those interested in the nitty gritty, or for those on the fence about having someone else manage their passwords, 1Password has a detailed description of their security practices and models here.

TLDR: Only you can decrypt your passwords on your own devices.

Two-Factor improvements: One authenticator code for all your accounts!

After consulting a little with Troy Hunt and Scott Helme (Scott is also an EVE player!) on the security side of things, we worked together with the team in charge of the Account Management website to introduce a small "quality of life" update to the Two-Factor Authentication (hereafter 2FA) setup on https://secure.eveonline.com.

You can now provide your own seed for the 2FA setup, and therefore use the same TOTP generator for multiple accounts. If you have more than one account, you can simply set up 2FA on one of your accounts, then copy the 2FA seed and use that same seed when setting up 2FA on your other accounts. This way, you no longer have to scroll through your 2FA application to find the right code, since you can now share it between accounts.

To make matters even easier, you can also have 1Password take care of the code for you, so you can sync it between the browser and your mobile, for example. In that case, sharing the seed isn't necessary since 1Password will take care of populating the correct code for you.

Please note that sharing the 2FA seed is not as safe as having a unique seed for each account (anyone who obtains the shared seed can generate valid codes for every account that uses it), but it's still safer than not having 2FA at all.

Here's an example of how easy it is to hook an existing account up to 1Password, as well as enabling 2FA:

  1. Sign up for 1Password if you haven't done so already and install the browser extension, then log in to your 1Password account. This demo uses the official 1Password X Chrome extension on Windows (it works on Edge Chromium as well).

  2. Go to https://secure.eveonline.com and log in to your account. You will be prompted to save the login information to 1Password so it can auto-fill your credentials the next time you log in.

-IMAGE-

  3. Finish logging in and then open the Authenticator settings on Account Management, and once they open, click the "Enable Authenticator" button on the right-hand side. There, you will also see the new option to provide your own authenticator seed, if you'd like to use the same seed between multiple accounts. As mentioned above, although that is less secure than using a separate one for each account, it's always better to have 2FA enabled than having no 2FA at all.

-IMAGE-

-IMAGE-

  4. Once the QR code is displayed, click the 1Password extension in the browser bar and have it scan the QR code on the page for you. This will allow 1Password to take care of the authenticator code as well, to make login even easier. Once that is done, you'll get a message from the 1Password extension saying "Authentication Code Saved", with the code automatically added to the clipboard. Paste the code into the verification field, click "Verify", and voila, 2FA is now enabled for your account!

-IMAGE- -IMAGE-

Please note that the 1Password 2FA feature works not just for EVE Online, but also for any other online account that supports 2FA. So make your life easier and use a good password manager!

Have I Been Pwned Integration

On 2 May 2018 (a little over a year ago), we added a password check against Troy Hunt's Pwned Passwords API (which is part of Have I Been Pwned). We did this to be able to notify our players if their chosen passwords had been compromised as part of an existing data breach. This has been very well received by our players and has also been noticed by others who have used our implementation as a reference.

We do have a few things to finish up such as making sure the passwords are properly checked on the "Change Password" and "Account Registration" pages as well, to prevent players from picking another bad password, but overall password security has improved a lot! When we first implemented the check, about 19% of logins were greeted with the message that their password was not safe enough. Today, this has dropped down to around 11-12% and hopefully will continue to go down.

This means that, overall, our players are safer from dictionary and credential stuffing attacks than before. Coupled with Two-Factor Authentication, a player's account security is greatly improved, keeping nefarious hackers away. 1Password also takes advantage of HIBP to do the same thing, notifying you if any of your stored passwords occur in a data breach.
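To show the mechanism behind this check, here is an added Python example (not CCP's implementation) of the Pwned Passwords range lookup: only the first five hex characters of the password's SHA-1 are sent to the API, and the remaining 35 characters are matched locally against the returned suffix list, so the password itself never leaves the login server. The range body and counts below are constructed stand-ins for an API response; fetch_range_live shows the real request shape but is not used by the offline demo.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that stays on our side (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix. 0 means not
    found; padding entries (returned when Add-Padding is requested) carry count 0."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real lookup (not exercised by the offline demo): only the prefix goes over the wire."""
    headers = {"User-Agent": "pwned-password-check-demo", "Add-Padding": "true"}
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed stand-in for the API: one range body for prefix 5BAA6 (SHA-1("password")
# starts 5BAA61E4...). The counts and the neighbouring suffixes are made up for the demo.
FAKE_RANGES = {
    "5BAA6": "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:0\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range_live backed by the constructed data above."""
    return FAKE_RANGES.get(prefix, "")
```

A login page would call breach_count with the live fetcher and show the blog's warning whenever the result is non-zero.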

Here is an example of the breached password notification when logging in:

-IMAGE-

Miscellaneous improvements

We have also made other changes over the last year, which should have gone mostly unnoticed by our players, but are nonetheless important security features. Here's a small list:

We added a Content Security Policy to the EVE Online SSO. This helps us reduce the chance of malicious code from 3rd party libraries or browser plugins doing bad things.

We submitted our eveonline.com and testeveonline.com domains to the HSTS Preload list, which forces all compliant browsers to only load them over HTTPS.

We are taking advantage of browser reporting capabilities to monitor browser issues such as Content Security Policy violations, network errors, browser feature deprecation and crashes, so we can act on those if needed.

We've improved the way we detect and invalidate login sessions and 3rd party application authentication tokens to make sure that access is reliably revoked when you change passwords, transfer accounts etc.
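As an added example (not CCP's configuration), the Python below assembles a response header set matching these items and checks whether a Strict-Transport-Security value meets the preload list's requirements (max-age of at least one year, includeSubDomains, and the preload token). The report endpoint URL and the CSP source list are constructed placeholders.

```python
import json
from typing import Dict, List

PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year


def parse_hsts(header: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into {directive: value}. Directive
    names are case-insensitive (RFC 6797), so they are lower-cased for lookup."""
    directives: Dict[str, str] = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_problems(header: str) -> List[str]:
    """Reasons the preload list would reject this header; an empty list means eligible."""
    d = parse_hsts(header)
    problems: List[str] = []
    if not d.get("max-age", "").isdigit():
        problems.append("max-age missing or not an integer")
    elif int(d["max-age"]) < PRELOAD_MIN_AGE:
        problems.append(f"max-age {d['max-age']} is below one year ({PRELOAD_MIN_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def security_headers(report_url: str) -> Dict[str, str]:
    """A constructed header set covering the blog's list: a CSP that reports violations,
    an HSTS value eligible for preload, and Report-To plus NEL for network-error reports."""
    report_to = {"group": "default", "max_age": 86400, "endpoints": [{"url": report_url}]}
    return {
        "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                    "object-src 'none'; frame-ancestors 'none'; "
                                    f"report-to default; report-uri {report_url}"),
        "Strict-Transport-Security": f"max-age={PRELOAD_MIN_AGE}; includeSubDomains; preload",
        "Report-To": json.dumps(report_to),
        "NEL": json.dumps({"report_to": "default", "max_age": 86400}),
    }
```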

And we're not done yet...

We will continue to make several improvements to our players' account security in the near future, with the primary focus on reducing account takeovers, without making it harder for our players to play the game.

We will hopefully be able to provide a more detailed description of these improvements soon, so stay tuned for future updates, and fly safe!

Without any further ado, it's time to "buzz the tower"!

o7