Guest
home
beatmaps
rankings
community
store
help
forum
  1. Forums
  2. osu!
  3. Development
  4. Feature Requests

Add 2FA to osu!

posted
Total Posts
29
This is a feature request. Feature requests can be voted up by supporters.
Current Priority: +501
Miterosan
217 posts
Joined January 2013
Topic Starter
Miterosan

2FA

  • We all want security.
    But remembering or creating long passwords is really annoying and people are able to guess your password.
    So why not add 2FA to osu!


  • How do you use it?
    When you try to login into osu!, you simply copy this 6 digit code into a third field.


    You can use Authy or Google Authenticator to generate the code

    Discord, Teamviewer, Slack, Skype, Amazon and Google are allready having this feature.
    It should be optional of course.

    If you need more reansons why to use 2FA: Click Here or Ask Google
Last edited by Miterosan , edited 7 times in total.
Endaris
5,282 posts
Joined June 2010
Endaris
No why.
That's a lot effort for no particular reward when you can just use a long+complex password and write it down somewhere in the analog world.
I had to type in my password for osu! not more than 5 times over the last 6 years thanks to auto-login functions so what.
Bauxe
1,624 posts
Joined August 2012
Bauxe

Endaris wrote:

No why.
Because it's more secure. In the case someone does manage to get hold of your password (or you share it with other accounts which may be compromised), said person can't get access to your account.

osu! already kinda has 2FA for some features, although it's through an email code rather than a code generator. I wouldn't mind seeing it as an alternative.
Pawsu
osu! Alumni
5,213 posts
Joined February 2013
Pawsu
Duplicate - please support the link provided in the thread and bump it with any ideas you might have.
I still think the Verification system is an already existing good alternate but I can see the reason for a more secure system.
Miterosan
217 posts
Joined January 2013
Topic Starter
Miterosan

Pawsu wrote:

Duplicate - please support the link provided in the thread and bump it with any ideas you might have.
I still think the Verification system is an already existing good alternate but I can see the reason for a more secure system.
the provided link wants it over a email, this wants it over the Google Authentiactor app or Authy (or simelar apps/programs),
so not really duplicate
Pawsu
osu! Alumni
5,213 posts
Joined February 2013
Pawsu
Then I don't really see this even happening. We already have a verification system that won't let you do normal things until you verify it's you via a code sent your email and the /verify command in game. I think it would have been added already if anyone had plans on implementing it.
Miterosan
217 posts
Joined January 2013
Topic Starter
Miterosan

Pawsu wrote:

Then I don't really see this even happening. We already have a verification system that won't let you do normal things until you verify it's you via a code sent your email.
Please note that some people have longer ways to get into their email inbox, like for example web.de, so instead of going to web.de (example), login with you password there, then search for the email, maybe wait for the email if their server a slow again, simply get your mobile phone out (or use the chrome extension of Authy) and copy the 6 digit code, which is way faster and easier.
Bara-
11,978 posts
Joined April 2013
Bara-
I don't think an osu account needs to be secured that much. It's not as valueable as an email account/bank account etc.
Remyria
361 posts
Joined June 2012
Remyria
Adding it as a possibility of using it if you want, I don't see why not, but if it gets planned one day, it will have a low priority, I think
RosieCode
4 posts
Joined February 2016
RosieCode
one of my mail accounts got compromised today subsequently they began resetting all my passwords for different services...

I use random passwords for every account but this was not enough.
PLEASE add 2FA as this would have been more protection needed at a critical time such as mine.

Thanks peeps.
Chirimu
31 posts
Joined November 2015
Chirimu
I bump this because nowadays there are many big leaks of email/pw lists on the web. They only have to get your email credentials and you're locked out of the game if you cant restore it someway. With this option you have a second, WAY MORE SECURE way of logging in (if something happens to your email account).
Nathanael
Global Moderator
6,163 posts
Joined January 2013
Nathanael
I'm not sure if all e-mail services have 2FA support for their consumers but it should be best to move to a service that provides a great level of security (e.g. Google) so they can secure their accounts (and recover via e-mail) not just by 2FA but also by other means that are provided by them.
Caleb Correa
28 posts
Joined August 2016
Caleb Correa
I think it's okay to put this security measure! Because the only security that has osu! At this time is verification of the email with the code! And I tested several computers and cell phones (which were mine and my family) to enter and change the password and the fourth attempt I started to ask for verification of the mail with the code! I think they should implement more security in osu like 2FA if Google has it because we do not? I worry on my own! For me, my account is more than gold! Since I spend money on it and buy things to improve my gameplay like graphics tablets and others! I hope to implement this! Thank you very much for reading greetings
autoteleology
763 posts
Joined October 2014
autoteleology
I don't really see the need. There isn't really much to gain from hacking an account and it should also be very hard to do if you have good password hygiene (use long random passwords + password manager like Lastpass).

It's a whole lot of hassle for very little reward.
Caleb Correa
28 posts
Joined August 2016
Caleb Correa

Philosofikal wrote:

I don't really see the need. There isn't really much to gain from hacking an account and it should also be very hard to do if you have good password hygiene (use long random passwords + password manager like Lastpass).

It's a whole lot of hassle for very little reward.
Sorry, but you're a bit wrong, if you get to hack the pc that happens? Get your data hack your account, but what if the 2FA? Or if at least before changing the password or hotmail asked you for verification to do it because I do not ask even if I am with another pc or some other cell phone (my family) I see it absolutely necessary
Faustas156
232 posts
Joined April 2015
Faustas156

Caleb Correa wrote:

Philosofikal wrote:

I don't really see the need. There isn't really much to gain from hacking an account and it should also be very hard to do if you have good password hygiene (use long random passwords + password manager like Lastpass).

It's a whole lot of hassle for very little reward.
Sorry, but you're a bit wrong, if you get to hack the pc that happens? Get your data hack your account, but what if the 2FA? Or if at least before changing the password or hotmail asked you for verification to do it because I do not ask even if I am with another pc or some other cell phone (my family) I see it absolutely necessary
Then don't get hacked, simple as that, you can just write it on a piece of paper, and then just keep it and make sure you don't lose it, that's all.
Chirimu
31 posts
Joined November 2015
Chirimu

Faustas156 wrote:

Then don't get hacked, simple as that, you can just write it on a piece of paper, and then just keep it and make sure you don't lose it, that's all.
There only have to be a database leak and your account data can be compromised. Yahoo for example lost 1B user account details to hackers in 2013 including emails, passwords, telephone numbers, ... and then it's wayne if you wrote down your password.
autoteleology
763 posts
Joined October 2014
autoteleology

Caleb Correa wrote:

Philosofikal wrote:

I don't really see the need. There isn't really much to gain from hacking an account and it should also be very hard to do if you have good password hygiene (use long random passwords + password manager like Lastpass).

It's a whole lot of hassle for very little reward.
Sorry, but you're a bit wrong, if you get to hack the pc that happens? Get your data hack your account, but what if the 2FA?
They hack your account and then what? Steal all your pp and osu!coins? What could anyone possibly have to gain by hacking your account?

2FA is something that should be reserved for things that actually need protection, like a Google, Facebook, or bank account.
Nathanael
Global Moderator
6,163 posts
Joined January 2013
Nathanael
Adding 2FA in game itself is not really necessary and the e-mail verification is good enough. Securing your e-mail is also securing your account that uses it not just in osu! but also from other places you've registered. As I said before, use an e-mail service that provides these security measures.
-Makishima S-
2,434 posts
Joined August 2013
-Makishima S-

Philosofikal wrote:

They hack your account and then what? Steal all your pp and osu!coins? What could anyone possibly have to gain by hacking your account?

2FA is something that should be reserved for things that actually need protection, like a Google, Facebook, or bank account.
----------------

Several people already made drama over this issue in reddit, calling out support + peppy himself for how they got nothing (afaik there was a guy who constantly complained for over 2 months before he got unbanned). As far as I remember, all cases was handled by Emphemeralis and this people got unbanned. Maybe support situation right now got better but you never know.

As it goes for PC - as far as you use Windows/IOS (especially IOS) it isn't hard to get access to your pc IF you don't use dedicated firewall/active malware scanner. Windows defender is worth jack shit and it is proven in every DEFCON Conference that person with enough knowledge and tools (which are open for everyone in internet) needs up to 10 min to get full access to your PC with basic security.

2FA is not only for "valuable" things but services which contain one or more information which may cause trouble to you. If service require your e-mail / real name / etc - it should have 2FA for security reasons.

Tbh if you use 2FA on your actual e-mail in term of confirming logging, not just recovering - email auth should be enough but I still don't trust it (yeah, I have trust issues).
Faustas156
232 posts
Joined April 2015
Faustas156

[Taiga] wrote:

Philosofikal wrote:

They hack your account and then what? Steal all your pp and osu!coins? What could anyone possibly have to gain by hacking your account?

2FA is something that should be reserved for things that actually need protection, like a Google, Facebook, or bank account.
----------------

Several people already made drama over this issue in reddit, calling out support + peppy himself for how they got nothing (afaik there was a guy who constantly complained for over 2 months before he got unbanned). As far as I remember, all cases was handled by Emphemeralis and this people got unbanned. Maybe support situation right now got better but you never know.

As it goes for PC - as far as you use Windows/IOS (especially IOS) it isn't hard to get access to your pc IF you don't use dedicated firewall/active malware scanner. Windows defender is worth jack shit and it is proven in every DEFCON Conference that person with enough knowledge and tools (which are open for everyone in internet) needs up to 10 min to get full access to your PC with basic security.

2FA is not only for "valuable" things but services which contain one or more information which may cause trouble to you. If service require your e-mail / real name / etc - it should have 2FA for security reasons.

Tbh if you use 2FA on your actual e-mail in term of confirming logging, not just recovering - email auth should be enough but I still don't trust it (yeah, I have trust issues).
Just use Private Browsing on your chrome/firefox, it won't save your gmail in there now will it ? I don't think there's something really this big to riot about, same applies for osu.ppy.sh, just use private browsing.
Caleb Correa
28 posts
Joined August 2016
Caleb Correa

Faustas156 wrote:

Caleb Correa wrote:

Philosofikal wrote:

I don't really see the need. There isn't really much to gain from hacking an account and it should also be very hard to do if you have good password hygiene (use long random passwords + password manager like Lastpass).

It's a whole lot of hassle for very little reward.


Sorry, but you're a bit wrong, if you get to hack the pc that happens? Get your data hack your account, but what if the 2FA? Or if at least before changing the password or hotmail asked you for verification to do it because I do not ask even if I am with another pc or some other cell phone (my family) I see it absolutely necessary

Then don't get hacked, simple as that, you can just write it on a piece of paper, and then just keep it and make sure you don't lose it, that's all.


I'm sorry, but I still think you're wrong, I do not have to put a long password to avoid hacking or stealing my account or something, and you said you did not win a lot by hacking an account, it's not just that, maybe the hacker is envious of you or something and hack it to make you have a bad time or something, I think there are more options to protect the account much better, the 2fa is the best option
abraker
Global Moderator
8,327 posts
Joined July 2014
abraker

Faustas156 wrote:

Then don't get hacked, simple as that, you can just write it on a piece of paper, and then just keep it and make sure you don't lose it, that's all.
Obligatory
rHO
462 posts
Joined May 2012
rHO
bump

with the verification check that goes to your emails, i feel like adding an external 2FA application support (using Authy and/or Google Authenticator) would solve a lot of hassle. not only adding a layer of security, i feel like it's just more convenient overall. i have seen some people having to do these email verification checks multiple times in a short span of time (myself included in the past), and i think putting this (optional) feature would help a ton.

concept image
Last edited by rHO , edited 2 times in total.
Stormghetti
2 posts
Joined October 2016
Stormghetti

smh wrote:

bump

with the verification check that goes to your emails, i feel like adding an external 2FA application support (using Authy and/or Google Authenticator) would solve a lot of hassle. not only adding a layer of security, i feel like it's just more convenient overall. i have seen some people having to do these email verification checks multiple times in a short span of time (myself included in the past), and i think putting this (optional) feature would help a ton.

concept image
That concept image seems perfect to me.

Your osu account is probably the last thing a hacker would target (assuming you don't use the same nickname for every account on every website, and also assuming osu, as a whole, is not what makes up most of your online persona, obviously), but I think adding 2FA as an optional setting would be alright. The fact that this debate has gone on for so long makes me think it's just not going to be added, though.

I've come back to osu from a long hiatus, and when I tried to log in to my account, I noticed I have to use my username to log in, not my e-mail. That puts account security at a bigger risk, and I'm not entirely sure why it's been disabled. Looks like it was needed in the past, but the option was removed in recent times. But with osu's security measures, it's not that big of a deal, I feel like.

For these reasons, people should start to use more secure passwords in general (long ones with numbers, symbols, special characters, etc. I recommend using Google Chrome's built-in, random password generator, if that's your browser of preference), and obviously, don't use the same password for every service (use more than one e-mail account, too). If a hacker seizes an important account of yours for having a flimsy password that could easily be brute-forced, that's all your fault.

Not very comforting, is it? But that's all you can do when 2FA is not present. Stay safe, don't click suspicious links from strangers (use the Tor browser or a Virtual Machine if you really need to. Just use anything that's portrayed as secure like those two) and don't do anything else that's silly.
Last edited by Stormghetti , edited 1 time in total.
Hans5958
24 posts
Joined May 2015
Hans5958
I still don't get why people think the email verification as the main 2FA is okay. Having email verification is quite an hassle compared to SMS verification and Google Authenticator/Authy, even in 2020 when smartphones still becoming smarter, and I estimate that the cost to implement this is small.

And please don't come here and tell me to "use your common sense, duh" and "no one cares with an osu! account." Then, why do we have the email verification in the first place? We should remove it, just a password is enough, right?
Last edited by Hans5958 , edited 1 time in total.
RosieCode
4 posts
Joined February 2016
RosieCode
2FA is fairly easy to implement, and i implement it into all services i create,

yes.. you should have a secure password
yes.. you should use a password manager
yes.. to all the recommendations above

however, what happens when you have your password manager breached?
2FA does not only prevent access to the account but also prevents people resetting the account in the event of a breach

for example: your email gets breached, they can request a recovery email to a service and use that breached email to reset your accounts password, things like this should never happen in an ideal world however they do happen and having another wall of defence is never a bad idea. this is just another step to protecting user accounts and securing data and i will always be for that no matter the platform or service.
abraker
Global Moderator
8,327 posts
Joined July 2014
abraker
There is an issue on osu!web: https://github.com/ppy/osu-web/issues/5163
RosieCode
4 posts
Joined February 2016
RosieCode

abraker wrote:

There is an issue on osu!web: https://github.com/ppy/osu-web/issues/5163
thanks, i will track that <3
Please sign in to reply.

New reply

0
1 / 29