BioWare insists that the new Display-Name only login greatly increases security. But one thing I learned from having had a family member in the sales business is this: Nobody is going to tell you, "Hi, I'm a crook, buy my product so I can screw you out of all your hard-earned money!"
I'm afraid to post on the official SWTOR forums now. Everyone who sees my display name will immediately have half my account information (well, in my case, one third of it, since I use a security key). Before, when I used my email address, they didn't have ANY of my login information. So, what am I missing?
BTW, if you're going to rail on me about why I'm worrying if I have a security key, then don't bother, okay? Because if that's the case, then it's my security key that's keeping my account secure, NOT having to use my display name to log in.
What am I missing, if posting on the SWTOR forums broadcasts one of my login components to every wannabe hacker schnook out there, and if I'm correct in my belief that when I logged in with my email address, nobody had any of the three keys to the lock?
Hi, and thanks for posting. Let me see if I can break it down in a way that makes sense to you. Also, no one here is going to "rail on you" and get away with it; this is a valid concern, and I appreciate that you took the time to pose the question. Having said that:
Consider the way the system worked before: You have your email address and password stored on the authentication server somewhere. Now, in the event that your account is compromised, you would typically use your email address to recover the password and restore access to your account. If someone had hacked or otherwise compromised the authentication server, they would not only have access to your account, but they would also have access to the method by which you would recover the information. Granted, they'd have to bust into your email account, but given what they've already done, it's probably not that far-fetched.
Now, consider the new system: Your username and password are now on the authentication server, and if it's compromised in any way, they will still have the same information as before, with regard to what they need to log in to the game; however, what they lack this time is the email address associated with your account and its subsequent recovery. So, while your login name might be broadcast to the forums as a whole, without knowing your email address they'll have a much more difficult time accessing your credentials. Also, the One Time Password system will require access to your email if you're signing on from an unfamiliar location. This works in a unique way, as it installs the equivalent of a cookie or saved file within your TOR install that flags that computer as safe, regardless of your IP address (for those that have a dynamic IP this is great news, since you won't have to authenticate each time you receive a new IP lease).
So, in summary, it may seem like a more transparent system on the surface, but by removing your email from the equation on the authentication servers, this adds a new level of protection to your account. Hope this helps make things a bit easier to understand, and please feel free to respond to this or PM me with any further questions.
Editing this post to add the following link for clarification:
The account RECOVERY, yes, I'd say I missed that completely. That clears a lot of things up. I do have a small concern remaining about this One Time Password. I frequently scour my hard drive and erase all cookies, including the program CCleaner. In fact, my browser is set to clear all browser cookies each time it's closed down. Will this affect OTP?
Nah, since it's not typically stored alongside your browser's cookie information. I'm not exactly sure where it's hidden, and I'm pretty sure that's intentional. But, from what I've learned by asking them directly, it's in a pretty secure place, so your conventional spyware programs or whatever won't get rid of it. My experience with OTP has been positive; it arrived basically instantly, and it made me feel better about the security of my account. I always recommend folks order the security key fob as well; it's five bucks, but it's guaranteed to keep your account safe.