[UPDATED] Account security improvements

[Terrifierslol]

And as has been stated multiple times, a compromised account (generally meaning accessed by an "unauthorized" user) impacts the entire server, not just you and the friend/relative you share the account with. Sure, giving your brother or best friend your password means there's now two points where an unauthorized user can get it from, compared to one (just you)...and account sharing is against the "server rules" (if largely ignored/unenforced)...if you're both playing like normal people on the account, it's not compromising the server integrity. 2FA is a universal policy to maintain server integrity...just because your rule-breaking (account sharing) wasn't punished doesn't mean that you should get an exception to the policy which protects the server to continue breaking the rule.

That's why I answered above, for those who share accounts, this is great, for those who don't share, this is nothing more than a very annoying thing. That's why it should remain optional, if you want to share your password, activate 2-factor and be happy

[sekolaman]

I haven't login for 1 week. I forgot my email on my other account. What should I do? I think it's too fast for warmane to give only 3 days for important policy like this. I'm sure lots of players even lost their gmail acc, forgot gmail password or lost their phone number.

[Morvion]

long term wise, losing stupid players for improved security is so worth it, good riddance tbh. no longer ppl will make posts like "my account got hacked", "i got banned for no reason", "my dog deleted my characters". the server is still flooded without them anyway.

[Korpen]

Annoying af this. Guess it means less game time and fewer players. wd

[LezChap1]

That's why I answered above, for those who share accounts, this is great, for those who don't share, this is nothing more than a very annoying thing. That's why it should remain optional, if you want to share your password, activate 2-factor and be happy

Yeah, you ignored how 2FA protects the integrity of the server...it's not about YOU being happy. It's about the SERVER INTEGRITY. If you want to account share, and you don't share the email account with the other person, figure out how to automatically send the 2FA email (with the code) to your friend. That's on you, not the server to disable 2FA for YOU because you don't care about the server's integrity.

[ujkytgw345]

Allowing players to have dot/+ in their gmail number is a very good change.

[Vengi2678]

Dear administration, I have a problem with receiving the code by email. I remember my email address that was listed in my account. But when I go to my email, I see that the code is nowhere to be found. I sent you an email, please restore my favorite character as soon as possible!!!!!!!!!!!!!!!!!!!!

[Terrifierslol]

Yeah, you ignored how 2FA protects the integrity of the server...it's not about YOU being happy. It's about the SERVER INTEGRITY. If you want to account share, and you don't share the email account with the other person, figure out how to automatically send the 2FA email (with the code) to your friend. That's on you, not the server to disable 2FA for YOU because you don't care about the server's integrity.

Dude, I don't know if you understand, so I'm going to draw it for you, I DON'T SHARE PASSWORDS, I DON'T NEED TWO FACTOR. That's why I think it should be optional.

[LezChap1]

Dude, I don't know if you understand, so I'm going to draw it for you, I DON'T SHARE PASSWORDS, I DON'T NEED TWO FACTOR. That's why I think it should be optional.

Then you're truly not understanding WHY 2FA is becoming the industry norm, or how it protects server integrity over your "I don't want it, I don't need it" naivety.

[sekolaman]

Don't forget that if a player doesn't activated 2FA, it doesn't mean that they will share the account. Lots of us have dynamic ip too. How could warmane gave only 3 days for important update like this? Not all players read website or forum too. At least you could give us 1 month to prepare. Most of players don't play everyday.

[razboinika2]

Hello.
You exposed yourself. Now I need help and 100% I won't be the only one.
I have several accounts that I regularly play with, but I only have protection on one.
Of course I don't remember their email addresses.
You will lose a lot of players this way. But it was good to be maybe a week trial period.
I need my email addresses on several of my accounts! Even a little hint. Of course I know everyone's passwords!
I will help as much as I can!
Thanks in advance. I hope you will contact me soon!!

[LezChap1]

Don't forget that if a player doesn't activated 2FA, it doesn't mean that they will share the account. Lots of us have dynamic ip too. How could warmane gave only 3 days for important update like this? Not all players read website or forum too. At least you could give us 1 month to prepare. Most of players don't play everyday.

Pretty much every consumer-level ISP issues "dynamic IPs" to households. However, the IP for the vast majority of users with said "dynamic IPs" will remain the same for months...unless they purposefully force it to change. Probably only 5-10% of players (being generous, the figure is probably far less) will have to validate their accounts with the code more than weekly. (And yes, I'm discounting people who hide their IP with VPNs, but when you use services like that, your visible IP is going to flip more often...it's part of the price you pay for trying to maintain anonymity.)

[trarara]

Hi everyone,

To maintain the security and integrity of accounts, we are modernizing how both web and game logins are handled.

From Monday, 18 September at 22:00, if you do not already have Email Two-Factor Authentication or Google Two-Factor Authentication and In-game protection enabled, you will be prompted to enter a code when logging in. This code will be sent to the email address that's currently attached to your account.

The "in-game protection" setting will also be removed.

Overall, this system will function similar to other services. Once you've entered the required code to log in, you will not be prompted again unless you are connecting from a different location.

This change affects all accounts and will be a requirement to log in.

You can review your current email by logging into the website and visiting My Account.
Emails can also be updated within the Settings page.

Frequently Asked Questions

I'm not receiving any emails

Spoiler: Show

Authentication emails may be slightly delayed during peak times.

If after a minute you haven't received the code, double check your emails Spam or Junk folders as it may have been filtered there.

If still no authentication email has been received, we recommend double checking you're logged into the same email as the one displayed within the My Account section of the website. You could also update your accounts email to a new one as your email service provider may have incorrectly labelled the email as spam.

Invalid code?

Spoiler: Show

Ensure that you do not close the authentication request when logging in. Simply log in and when greeted with the authentication request, navigate to your email and then copy paste the newly sent code in without closing the request.

Repeatedly restarting the authentication process will cause the previous code to expire.

I have lost or forgotten my email and cannot access my account

Spoiler: Show

Simply email us directly for assistance - [email protected]

It's helpful if you include anything you recall surrounding the account to assist us in verifying your ownership in a timely fashion. Such information includes but is not limited to:

- Account or Forum username (not passwords).
- Current email or a guess if you have forgotten
- Character information
- General account history. For example, "I claimed the holiday gift on my Paladin back in 2018, maybe 2019?"
- Country where you connected or registered from

You may also include a new email address that you would like your account to be updated to. If we have enough information, we'll be able to update your account immediately without the need for further verification.

Update #1:
https://forum.warmane.com/showthread...83#post3196783

Update #2 to security improvements:

Restrictions on what emails can be used have been lifted, this allows using your desired email provider.
Restrictions on usage of "." and "+" have also been lifted, allowing the use of the same email through gmail for multiple accounts for example.

****, i cant log into some of my accounts because the mail box was deledet by google for inactivity

[Powerbats]

The system has been re-enabled, the sending of codes should now be instant, regardless of volume.

We may enable the use of non-gmail emails over the coming days.
We will also introduce a username changing system, for those that receive a lot of suspicious TFA requests.

As someone mentioned, this is indeed a forced-2fa change, as with most modern platforms, security is paramount.
This is a step to bring us in line with other services, reduce our overheads for account compromise support and overall increase account security which is our #1 priority right now with recent compromising waves.

Regardless of players dislike for the system, It is a step in the right direction. The alternative is 'Bot Network' bans continue due to large target on our back, slower support due to amount of attention given to compromised accounts and restoring as much as possible for the player, following the hot-potato like movement of stolen items, gold, coins, characters between hundreds of accounts and so on.

It is not, in fact, a "step in the right direction", it is a step in the wrong direction, right off a cliff.

The alternative was working, and very effective, which is to mass ban all the botters. You could also mass ban all the mboxers since they're also botting with all the extra accounts they level up. And players are actively working to document botters and report them whenever possible.

If you're having trouble with too many "account compromised" requests in your support system, then here's a better idea, an actual step in the right direction: Stop offering support. We already have 2FA available to us, and we could already turn it on and off whenever we pleased, and our emails had 2FA available as well. I've been playing here since 2015 and I NEVER had issues with account security because I never allowed anyone to misuse my account. I always had 2FA enabled for the website account, and on occasion for the in-game 2FA, though that was mostly disabled all the time because of convenience.

Stop making our lives and gaming worse by implementing "***** proof" bars on everything we have or everything we do. Some people will inevitably share their passwords around and screw up and lose their accounts, or maybe they won't have proper protection and lose their account that way, and that's THEIR FAULT. Stop trying to baby the imbeciles, and cut off or severely reduce ALL support for account integrity and account compromise issues. Just stop answering those emails and send them straight to the trash. Problem solved, time and money saved.

And as for following the stolen items, gold, characters, etc? Don't bother. Don't follow anything, it's not your job. That's entirely the responsibility of the PLAYER, it's their account, they have the option for 2FA, and they are solely responsible for keeping their account secure. Once again, making this system mandatory for everyone is a very bad idea. The website account 2FA feature is fine, but the in-game login 2FA feature? Absolute garbage, hugely inconvenient, very annoying and unwelcome by the vast majority of players on this server.

[LezChap1]

And as for following the stolen items, gold, characters, etc? Don't bother. Don't follow anything, it's not your job. That's entirely the responsibility of the PLAYER, it's their account, they have the option for 2FA, and they are solely responsible for keeping their account secure. Once again, making this system mandatory for everyone is a very bad idea. The website account 2FA feature is fine, but the in-game login 2FA feature? Absolute garbage, hugely inconvenient, very annoying and unwelcome by the vast majority of players on this server.

How do you think you catch goldsellers? Tracking the ****ing gold.

Damn...you just suggested Warmane behave more like Blizzard and ignore server-compromising issues. How is that going for Bliz?