
IP-Landlock your own account option

knasen

Authorized
Joined
Mar 21, 2016
Hello, I would like you to give an option to IP-lock your account to a country of your choice when logging into the game. This would help stop brute-force attacks from other countries and force them to use a VPN in your specific country (which I read would be impossible soon).
 


This is a bad idea, GEO-IP won't always work and a lot of people will be locked out of their accounts.
I know other servers did this, but if you have some knowledge about networking at all you would never do it.
 

Worked fine on Nost... Just saying.
 
While it might not be a perfect solution I see no reason not to implement an opt-in feature of this nature for logging in to the game server (not twinstar.cz).

If your IP does change and you appear to be in another country or fail the check some other way just log on the website and untick the checkbox. Even if it doesn't work for everyone it could help some people.
 
Worked fine on Nost... Just saying.

I'm really sorry to say, but it would never work out well because 20% would lock themselves out of the server.

While it might not be a perfect solution I see no reason not to implement an opt-in feature of this nature for logging in to the game server (not twinstar.cz).

If your IP does change and you appear to be in another country or fail the check some other way just log on the website and untick the checkbox. Even if it doesn't work for everyone it could help some people.

How can you log in at the website if your GEO-LOCATION is wrong? Do you only want this feature on the server and not the homepage? Then a hacker can untick your GEO-LOCATION feature on the site and then log in to the game (if the hacker has your twinstar account he got your email too because of the keylogger you have on your computer).

I have over 10 years' experience of networking, and GEO-Location blocks will be a mess for the GMs and Devs after one month or so.

I would rather see a Google Authenticator option then, much better and much more secure.
https://github.com/google/google-authenticator
 
Then a hacker can untick your GEO-LOCATION feature on the site

Make it so you need email confirmation, just like you need for unlocking your character for auctions. You clearly think an email lock is necessary (and helpful security-wise) for this, so why not make it so you can opt in to have this lock apply to logging in to the game too?


(if the hacker has your twinstar account he got your email too because of the keylogger you have on your computer).

So it doesn't protect against keyloggers.
It does protect people who would otherwise lose their accs due to foolishly using the same info on other realms or websites, or get their account compromised in a way that doesn't compromise their actual computer (I wanted to send PW to a friend, but pasted it in the wrong place, I accidentally pasted my info when I wanted to paste something else, someone brute-forced my info, I had really shitty info that someone guessed, the list goes on and on).



As long as you make it opt-in and require email verification I don't see a problem.
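
The opt-in lock debated in this thread, as an added example that is not part of any post and not TwinStar's code: the game-login check denies on a country mismatch or a failed GeoIP lookup, and the lock can only be cleared with a signed, expiring token sent by email. The account table, IP-to-country data, secret, token lifetime and all function names are constructed assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"   # assumption: server-side signing key
TOKEN_TTL = 15 * 60                   # assumption: emailed link valid 15 min
# Constructed sample data standing in for a GeoIP database and account table.
GEO_DB = {"198.51.100.7": "SE", "203.0.113.9": "BR"}
ACCOUNTS = {"alice": {"country_lock": "SE"}, "bob": {"country_lock": None}}

def lookup_country(ip):
    """Return a country code, or None when the GeoIP lookup has no answer."""
    return GEO_DB.get(ip)

def _sign(account, expires):
    msg = f"{account}:{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def make_unlock_token(account, now=None):
    """Token the server would email to the account's registered address."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}:{_sign(account, expires)}"

def confirm_unlock(account, token, now=None):
    """Clear the lock only for a valid, unexpired token for this account."""
    now = time.time() if now is None else now
    try:
        expires_s, sig = token.split(":", 1)
        expires = int(expires_s)
    except ValueError:
        return False
    expected = _sign(account, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    if now > expires:
        return False
    ACCOUNTS[account]["country_lock"] = None
    return True

def check_login(account, ip):
    """Game-login decision made after the password has already been checked."""
    lock = ACCOUNTS[account]["country_lock"]
    if lock is None:                      # feature is opt-in
        return "allow"
    if lookup_country(ip) == lock:
        return "allow"
    # Wrong country OR failed lookup: deny, but offer the emailed unlock so a
    # GeoIP error does not need a GM ticket.
    return "deny_offer_email_unlock"
```

The lock here is only as strong as the mailbox that receives the token, which is the dependency the thread argues about.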
 
Nice argument, that facepalm sure convinced me.


Other than "It doesn't protect against keyloggers" I still don't see a reason not to implement this (other than dev time ofc)
Even if you think keyloggers are the only thing worth including in your threat model, other parts of your team clearly disagree. Link1 Link2
 

So you want the devs to waste time making a feature that will not work properly? Why waste the time on that when they can make something decent with the Google auth instead? I see you would love a GEO-location lock, but like I said, it's not any good and it will be more work for GMs all the time to support it, even if they could unlock it themselves on the site every day.

I think most people that use the same password on every site they register would lose their email in the same moment they lose their Twinstar account, but if you use a Google auth feature you will not lose your Twinstar account because you can't keylog it.

So I myself would rather see an auth service instead of a geo-location lock.
 
It would serve its purpose, preventing accounts from being hijacked, isn't that what you want?
If it's worth the time investment I leave for you to decide, but I don't think you should dismiss it just because it doesn't protect against keyloggers.
 

You are correct, it would serve a very small portion of the server but it would also generate more work for the GMs because people would have more problems.

I'm telling you, this would be a bad idea, but to understand it you need to look at it from a technical and GM-based view.
It would certainly be a great thing for you indeed, but when you work with a large playerbase you need to take a step back and see the whole picture.
 
This is a bad idea, GEO-IP won't always work and a lot of people will be locked out of their accounts.
I know other servers did this, but if you have some knowledge about networking at all you would never do it.
What Cision says is true; however, there are many it would work for. To have a solution, an unlock mail could be requested when you cannot log in due to the lock.

It would, however, take a lot of time and management in the start, which I am not sure the team has at the current moment considering how much is in the works, but a nice idea indeed. So overall, what Cision says is you have a good idea, but they need to focus on masses over single target, and for security it's not good having too many different options only useful for some, as that creates confusion when fixing or updating security each time security comes into question :wink:
 