E-mail Authentication (Forums / The Site)
  Pac

Hello speedfriends.

In light of repeated attempts at account takeovers and leaderboard vandalism (you can read more in this very detailed and helpful post by DerekMK) we've introduced a new security measure:

E-mail authentication

This is mandatory (and already enabled) for all verifiers and moderators (of games, series, marathons, teams, and future modules), translators, and site staff. It is optional for everyone else, however if you ever want to be added as a moderator you'll need to enable it first. It can be toggled in Settings.

I realise that this may be an inconvenience to some of you, but I hope you can understand why it's necessary.

Oh, and anybody having trouble receiving e-mails should contact support@speedrun.com or message me on Discord (don't forget to mention your username and account e-mail address).

Cheers 🍻

KaDiWa, SpeedyFolf and 72 others like this.
  Derek_MK

Thank you very much for implementing this, and especially thanks for making it mandatory for mods/verifiers/etc. This should at least cut back on the frequency of these incidents.

I've heard a lot of people giving sentiments to the effect of "Why should I be inconvenienced if my own account is secure?" The answer is mainly that one person's account being compromised can affect other people. It's not just a matter of "Secure your account or something bad will happen to you." It's more so "Secure your account or something bad will happen to you and all the people who run or spectate the game you moderate." So hopefully that puts things into perspective.

Potential future steps going forward to build on this could be to implement SMS-based 2FA, or even better, authenticator-based 2FA. Email-based 2FA is definitely a huge step up from nothing, but other forms of 2FA would make the system more effective (removing the vulnerability if someone's email account is also compromised), and potentially even more convenient for end users.

bleg, Snolid_Ice and 10 others like this.
  Meowdori

As someone who uses randomised passwords stored in a KeePass container, I'm really, really happy that this 2FA solution is email-based rather than requiring a telephone number.

  bogdan_mkd

This isn't inconvenient at all. Everyone has an email, and it's not just something you can lose like a phone, which is why I never have phone 2FA. Thank you for finally adding this.

  DrCliche

If you're going to make it even more of a pain in the rear to log in to the site, can you PRETTY PLEASE let us stay logged in forever? It really grinds my gears that the dang site logs me out every couple days.


  Timmiluvs

Originally posted by DrCliche: If you're going to make it even more of a pain in the rear to log in to the site, can you PRETTY PLEASE let us stay logged in forever? It really grinds my gears that the dang site logs me out every couple days.

Ignoring the obvious bait about 2FA...

I've been logged into the site for 8 months straight - the only times I've ever been logged out were forced logouts by staff after accounts were compromised before (hence the whole point of this) or when I do a full browser clean that involves removing my cookies. As far as I know, the site doesn't do any regular logouts of users.

Razorflame, Krayzar and 5 others like this.
  ShikenNuggets

Yeah, if you're actually being logged out every couple of days, that's probably on your end. Like @Timmiluvs, I also haven't had to log in for quite a while. Aside from global password resets, the only time the site forces me out is very rarely when the site's cache is refreshed or something (which I only remember happening like twice ever). No idea what would be causing your frequent logouts, but it's not the site itself.

On a somewhat related note, perhaps "logout all instances" would be another good security feature to have.

Hako, Razorflame and 3 others like this.
  Pac

Originally posted by ShikenNuggets: On a somewhat related note, perhaps "logout all instances" would be another good security feature to have.
Added! You'll find the new button on Settings > Password.

bloodtv_, Razorflame and 13 others like this.
  Gameboy9917

Very good feature and glad to see it implemented. I hate seeing vandalized leaderboards, and this should help quite a bit with that.


  stllr

Love the idea. This is a nice happy medium between log-in effort spent and account security. Will we be able to re-use previously used passwords now? I came up with a really sweet password between rollbacks 1 & 2 and was sad that I only got to use it for a day.

  ShikenNuggets

Originally posted by stllr: Will we be able to re-use previously used passwords now?

@stllr I don't know what exactly the site currently does in terms of restricting password re-use, but in any case, you absolutely should not do that ever.

This new security measure is NOT a replacement for good password security. It is a fallback for a worst-case scenario where somebody gets your password (which ideally should never happen in the first place). You should still use a strong password, and you should still never ever re-use passwords (even ones you only used for a day).

Pac likes this.
  NoTeefy

We finally got that feature we all waited for for so long, but why mail only?
Can we get the option to use Google Authenticator for this site as well? I am not a big fan of mail 2FA because most of the "insecure/most likely to be compromised" users are using the same passwords for their mail account as well...

Best regards

BenInSweden likes this.
  Riekelt

That might be a wake-up call to also become more aware of your passwords. Change those 😉

Meowdori likes this.
  Liv

Reusing old passwords is a bad idea.

Right now you have two gates a user must get through to compromise your account. If you reuse a password, you potentially limit that to only one gate, which would be your email. Reusing passwords also shows you are kind of lazy when it comes to passwords, which means your email is also very likely to be a duplicate, very similar or reused on some other website somewhere either presently or in the past. Which makes you a target for anyone looking to break into someone's account. By showing on here you're fairly nonchalant when it comes to passwords, these people will learn your general attitude towards passwords and how you handle your own security.

You're simply leaving yourselves vulnerable by reusing passwords. Most sites will also utilize "backup codes" to get into your account in the event you lose your phone. Google and Twitter both use these, and whilst they're a convenience... it also means someone does not need your phone to get into either of these accounts if you have these set up. All they have to do is crack one of your backup codes.

Razorflame and Meowdori like this.
  stllr

I have a password system for all of my important passwords. I came up with a password I really like for SRC after the first leaderboard compromise. I was forced to swap it to a different password because of the second leaderboard compromise. I'm not asking for people to let me use a really weak password ("dog123" for example) again, I just want to be able to re-use the earlier password I came up with specifically for SRC before I had to come up with a separate, not as enjoyable one to use.

I understand why password security is important, you don't need to lecture me about it. I just want to use the original one. If that can't happen it's not a huge deal I was just asking.


  Meowdori

Honestly, what bothers me is why people who are seemingly at least moderately tech-savvy (I guess every speedrunner) don't all like the idea of using a password manager like KeePass.

  Daravae

I assume that is because people wrongly assume their passwords are secure enough to keep having passwords they can remember. Personally, all my passwords are randomly generated and stored in a password manager. At this point, even I don't remember what most of my passwords are, and I prefer to keep it that way.

bloodtv_, Razorflame and 4 others like this.
  letcreate123

I think it would be nice to have the site have a device whitelist like how Gmail does. Basically, logging in from an unrecognized device would trigger the regular PIN requirement and send a message to the linked e-mail account along with providing instructions to whitelist the device so the PIN requirement doesn't constantly appear each time I log in. It's tedious having to go over to my e-mail account every single time just to log in.

dha, Imaproshaman and 3 others like this.
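The three mechanisms discussed in this thread (the e-mailed PIN as a second factor, Pac's "logout all instances" button, and letcreate123's remembered-device idea) fit together naturally on the server side. The following is an added example written for this page, not speedrun.com's code: every name, the in-memory dicts standing in for a database, and the OUTBOX list standing in for the mail server are hypothetical. The point it shows that the posts above do not is how one per-user generation counter lets "logout all instances" invalidate both sessions and remembered devices at once, and why a mailed PIN must be single-use, expiring and attempt-limited.

```python
"""Added example: e-mail PIN second factor, remembered-device token, and
"log out everywhere" via a per-user generation counter.  All names and the
in-memory storage are hypothetical; OUTBOX stands in for an SMTP call."""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # HMAC key for session/device tokens
PIN_TTL = 600                          # seconds a mailed PIN stays valid
PIN_MAX_TRIES = 5                      # guesses allowed per challenge
SESSION_TTL = 30 * 86400
DEVICE_TTL = 30 * 86400                # how long a trusted device is remembered

USERS = {}        # username -> {"salt", "pw_hash", "email", "gen"}
CHALLENGES = {}   # challenge id -> pending PIN record
OUTBOX = []       # constructed stand-in for sent e-mails


def _hash_pw(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def register(user: str, password: str, email: str) -> None:
    # usernames are assumed not to contain "|" (the token field separator)
    salt = secrets.token_bytes(16)
    USERS[user] = {"salt": salt, "pw_hash": _hash_pw(password, salt),
                   "email": email, "gen": 0}


def _sign(payload: str) -> str:
    return payload + "." + hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()


def _issue(kind: str, user: str, ttl: int) -> str:
    # token binds kind, user, current generation and expiry; the MAC stops tampering
    return _sign(f"{kind}|{user}|{USERS[user]['gen']}|{int(time.time()) + ttl}")


def _check(token, kind: str, user=None):
    """Return the token's user if the MAC, kind, generation and expiry all hold."""
    payload, _, mac = (token or "").rpartition(".")
    good = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, good):
        return None
    fields = payload.split("|")
    if len(fields) != 4 or fields[0] != kind:
        return None
    _, tuser, gen, exp = fields
    u = USERS.get(tuser)
    if (user and tuser != user) or not u:
        return None
    if int(gen) != u["gen"] or int(exp) < time.time():
        return None          # "logout all" bumped gen, or the token expired
    return tuser


def login(user: str, password: str, device_token=None) -> dict:
    u = USERS.get(user)
    # hash even for unknown users so timing does not reveal which names exist
    salt = u["salt"] if u else b"\0" * 16
    if not hmac.compare_digest(_hash_pw(password, salt), u["pw_hash"] if u else b""):
        return {"status": "denied"}
    if _check(device_token, "dev", user):          # recognised device: skip the PIN
        return {"status": "ok", "session": _issue("sess", user, SESSION_TTL)}
    pin = f"{secrets.randbelow(10**6):06d}"
    cid = secrets.token_urlsafe(16)
    CHALLENGES[cid] = {"user": user, "pin_hash": hashlib.sha256(pin.encode()).digest(),
                       "exp": time.time() + PIN_TTL, "tries": 0}
    OUTBOX.append({"to": u["email"], "body": f"Your login PIN is {pin}"})
    return {"status": "pin_required", "challenge": cid}


def verify_pin(cid: str, pin: str, remember_device: bool = False) -> dict:
    c = CHALLENGES.get(cid)
    if not c:
        return {"status": "denied"}
    c["tries"] += 1
    if c["tries"] > PIN_MAX_TRIES or c["exp"] < time.time():
        del CHALLENGES[cid]                        # burn it: no more guesses
        return {"status": "denied"}
    if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), c["pin_hash"]):
        return {"status": "denied"}
    del CHALLENGES[cid]                            # a PIN is single-use
    out = {"status": "ok", "session": _issue("sess", c["user"], SESSION_TTL)}
    if remember_device:
        out["device_token"] = _issue("dev", c["user"], DEVICE_TTL)
    return out


def session_user(session_token):
    return _check(session_token, "sess")


def logout_all(user: str) -> None:
    USERS[user]["gen"] += 1    # every existing session and device token now fails _check
```

The device token is only a convenience for the second factor: it never substitutes for the password, and because it carries the generation counter, pressing "logout all instances" also forgets every remembered device, which is what you want after a compromise.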