I was just reading the two recent threads of stolen/hacked accounts at the dev forum, and had an idea for securing accounts.
So how would you safely lock down something? Simple. A key.
My idea is to integrate a key generator into the GW client to create 1024/2048-bit RSA (or any other encryption) keys that you can tie to your account. Then if the GW client doesn't find the key under the GW or a specific directory (i.e. gw\keys\accountname.key), you or anyone else will not be able to access the account under ANY circumstance.
Of course this would mean that by losing the key you would lose your account, so backing up your key would be necessary; but this is a matter of common sense.
Comments, suggestions?
Locking down account.
DataX
Xenex Xclame
And what if I wanted to play my account at a friend's house?
Seriously, no matter how much more security Anet puts in, most of the time it's not a mistake on their part that gets an account breached; it's the user using a simple password, giving away his email, stuff like that, simple things that they give away without noticing.
Dougal Kronik
No, this idea isn't very good.
What if someone tried to get into your account without the key? Does it only disable the account for that machine, or is it permanently disabled?
erick5876
That idea would definitely take away from the portability of the game. Another option is to do like some banks, and require several levels of authentication before giving access to your account. Ex: Ask for some non-account related info like the last 4 digits of your social, then ask a security question, then finally the password. That would make it far harder for someone trying to break in than just needing a password cracker and their victim's email. That would still allow you to log on from anywhere, and it wouldn't disable your account if you lost the key. The multiple levels of authentication might also help to protect the people Xenex was talking about. People are far less likely to give out their social security to some dude that wants to sell them an account key, or send them "1337 GW cheatz," or whatever else people are up to.
DataX
Portability isn't a huge issue, because you can just drop your key in the gw folder on some other comp, but then again you have to be careful of not leaving anything behind.
And Dougal mentioned something that I hadn't thought of. If you don't have a key and someone locks it, you lose access to your account. However, it's not that much different than getting keylogged, someone logging in and changing your account info.
My idea was to just add something else that would lock your account, even if your account details did get logged.
erick5876
That's still a lot of trouble to have to carry around your key on a jump drive or floppy. What if you play at an internet cafe somewhere and all the hard-disks are write-protected, so you can't copy over the file? Or, like you said, you forget and leave your key on there? That's just asking for trouble.
DataX
Personally I'd love this, but I guess I forgot that not everyone is exactly security aware. People need to be educated to start with. :<
erick5876
Well, that's also a downfall of such an idea. It is very noble, but it simply doesn't work for casual gamers. Your method would work great for someone like me that only plays on computers to which I possess administrative rights, and understands a great deal about computers and security. The majority of people playing this game aren't security experts by any means. Many are kids. They might not even understand the process you describe. It's just too complicated, and it does affect the portability. That may not be an issue for you, but it is to many people. That's why I suggest more authentication on the server side, by asking for more than just a password.
CHIKEN
And what happens if you need to format your comp? I have had to re-install GW as well as all my other games after a full restore. I would not like to have to go out and buy all the GW games again because this little hidden file has been deleted.
Not to mention, if I CAN locate and back up this file then it's just as easy for "them" to get a hold of this file and allow them to use GW and lock ME out! Then what? Under no circumstances can I get my account back.
Flawed indeed!
Malice Black
Old idea that has come up numerous times and has been rejected every time.
Quid Pro Quo
Great idea, but only if it's by choice.
Anyone who has been hacked before and lost everything wants lots of ways to keep their account safe.
I'd say have the key sent to your email for you to download, so if you lose it you just redownload it. Don't lock the account out forever if a computer doesn't have the key; just require the key for accounts that requested it.
Now if someone hacks your email AND Guild Wars account you have a problem but since you should be using different passwords for both it should be too big of a problem.
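
Added example, not part of any post in this thread and not Guild Wars code: a sketch of the key-file idea as an opt-in second factor that the server verifies by challenge-response, so a missing or wrong key only fails that one login instead of locking the account. It swaps the proposed RSA key for a random secret used with HMAC so it runs on the Python standard library alone; `AccountServer`, `enroll_key` and `client_proof` are hypothetical names.

```python
import hashlib, hmac, secrets

class AccountServer:
    """Toy server: password check plus an optional key-file second factor."""

    def __init__(self):
        self.accounts = {}   # name -> {"pw": (salt, hash), "key": bytes or None}
        self.pending = {}    # name -> outstanding one-time challenge

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.accounts[name] = {"pw": (salt, self._hash_pw(password, salt)), "key": None}

    def enroll_key(self, name):
        """Opt in: generate the key-file contents and bind them to the account."""
        key = secrets.token_bytes(32)
        self.accounts[name]["key"] = key
        return key  # the client would save this, e.g. as accountname.key

    def challenge(self, name):
        nonce = secrets.token_bytes(16)
        self.pending[name] = nonce
        return nonce

    def login(self, name, password, proof=None):
        acct = self.accounts.get(name)
        nonce = self.pending.pop(name, None)  # single use, even on failure
        if acct is None:
            return False
        salt, stored = acct["pw"]
        if not hmac.compare_digest(stored, self._hash_pw(password, salt)):
            return False
        if acct["key"] is None:
            return True  # account never opted in: password alone is enough
        if nonce is None or proof is None:
            return False  # password is right but the key file is missing
        expected = hmac.new(acct["key"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

def client_proof(key_file_bytes, nonce):
    """What the game client would compute from the key file on disk."""
    return hmac.new(key_file_bytes, nonce, hashlib.sha256).digest()
```

Because the key file only ever answers a fresh server nonce, a captured proof cannot be replayed, but anyone who copies the file itself can still answer challenges, which is the backup and theft trade-off raised in the thread.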