Why Riot Games' Lack of 2FA is Unacceptable - and How the Community Makes the Problem Worse

Posted by Steve

Tuesday, October 5, 2021 1:29 AM

(Heads up that these are all my own thoughts/opinions as an individual who's played Riot's games for many years. Any services or companies I mention as examples are one of many available alternatives.)


What is Two-Factor Authentication (2FA)?

Also known as multi-factor authentication (MFA), two-factor authorization, two-form authentication, etc. This is any method where, when logging in to an account, the person must provide another form of identification that only they (in theory) possess. This could be a code sent to a verified phone number or email address, a software-based token app (like Google Authenticator, Duo Authenticator, Aegis, and Authy), or even a physical hardware token you plug into a computer.

Why is it Important? (Why People Make the Problem Much Worse)

Your username and password, for most people, are not much of a security wall. Login credentials are stolen via phishing emails that look like Riot Games login notices, shady services that require your Riot ID login credentials in exchange for something like in-game stats or free VP, brute-force guessing, and simply copying known credentials from other companies' data breaches.

As a side note, you can avoid many of these situations. Use a password of proper length with enough random characters, never try to log in to Riot's services through a link in an email (only by going directly to their website), never give your full credentials to a third-party service, and PLEASE do not reuse your passwords across multiple services (get a free/paid password manager like Bitwarden or LastPass).

Why Does Riot Games Need it?

You might think "so what, someone logs into my account and plays games - it just gives me XP". And if that was all you could do with a Riot account, you would be right. But as everyone knows, you can sink a lot of money into Valorant. VP/RP can be stored in an account balance for anyone with access to the account to spend. During payment, users have the option to save their payment information for next time (please never do this), meaning that anyone with future access to the account can make purchases on your behalf. Not only can someone directly drain money from your bank account, but they can also get your account permanently suspended by logging in on a dedicated machine loaded with a common cheat engine that they know the anti-cheat will immediately blacklist you for.

Yeah, and it Prevents Smurfing! Right?

Sort of, but no. Anything that makes creating and logging in to a new account more cumbersome does, to an extent, dissuade a small number of people from making that extra account. What people forget is how easy it is to create multiple valid 2FA sources. You can:

  • Use a VoIP (voice over internet protocol) number service like Google Voice, Grasshopper, Twilio, eVoice, Telnyx, and many more (a good portion of which are free).
  • Use a friend's valid phone number.
  • Use a temporary SMS reception service that uses valid phone numbers for your country.
  • Buy a prepaid SIM trial pack (such as Mint Mobile) for 5 USD off Amazon.

However, Riot is looking into whether 2FA can still be used to prevent smurfs. Here is some commentary from Riot EvrMoar on why you need to be careful before adding something like 2FA as a barrier for ranked matches.

So Why Doesn't Riot Games have 2FA?

Well, they do! But they also don't. Logging in through a browser to your Riot Games ID from an unverified hardware ID or browser user agent may require you to have a code sent to the account's verified email address as a form of 2FA. They have had this since at least 2018. What isn't protected is login through your Valorant client. And of course, if the person trying to log in already has your email from one of the previously mentioned methods, the email-based 2FA is no longer effective.

So why don't they add client 2FA? No one fully knows. Steam, Epic Games, Blizzard, and nearly every one of Riot Games' competitors offer one or both of SMS and software-based authentication. This has been a point of contention among fans of all of Riot Games' games for years, and it is a bit embarrassing that a company with in-game purchases that has been around for over a decade still has not added one of the most basic security recommendations.

So Then They Just Don't Care?

Not quite. While it might be baffling that they don't have client 2FA (especially with the launch of the new Riot client, which was a perfect opportunity), they do have the browser Riot ID email 2FA mentioned above and an account locking system. Occasionally, players have reported finding that their account is locked and needing to contact Valorant support to have it unlocked. This is most likely a "suspicious activity lock", where Riot freezes your account because it thinks something suspicious is going on. Sensibly, it would be triggered when there is a login from an unknown hardware ID and IP location that then makes a purchase on the account. Banks do this as well. That being said, the success rate of this system is not fantastic, and people still get their accounts compromised often.
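The suspicious-activity lock described above, as an added illustration of the kind of rule it would need (Riot's actual logic is not public, so this is not their code); the event fields, the "unknown device AND unknown location" rule and the sample event stream are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    devices: set = field(default_factory=set)    # hardware IDs seen on trusted logins
    countries: set = field(default_factory=set)  # IP geolocations seen on trusted logins
    locked: bool = False

def evaluate(events, history):
    """Replay login/purchase events in order and return one decision per event.
    Rule: a purchase in a session whose login came from BOTH an unknown device
    AND an unknown country is refused and freezes the account for support review."""
    profiles = {a: Profile(set(d), set(c)) for a, (d, c) in history.items()}
    sessions = {}  # session id -> (account, unknown_device, unknown_country)
    decisions = []
    for ev in events:
        p = profiles.setdefault(ev["account"], Profile())
        if ev["type"] == "login":
            if p.locked:
                decisions.append("login_denied_locked")
                continue
            unk_dev = ev["device"] not in p.devices
            unk_cty = ev["country"] not in p.countries
            sessions[ev["session"]] = (ev["account"], unk_dev, unk_cty)
            if unk_dev and unk_cty:
                decisions.append("login_ok_unverified")  # nothing is learned yet
            else:  # one familiar signal vouches for the other, so learn both
                p.devices.add(ev["device"]); p.countries.add(ev["country"])
                decisions.append("login_ok")
        elif ev["type"] == "purchase":
            account, unk_dev, unk_cty = sessions[ev["session"]]
            if unk_dev and unk_cty:
                profiles[account].locked = True
                decisions.append("purchase_blocked_account_locked")
            else:
                decisions.append("purchase_ok")
    return decisions

# Constructed sample data: prior trusted logins per account, then an event stream.
HISTORY = {"steve": ({"pc-home"}, {"US"}), "ana": ({"laptop-1"}, {"DE"})}
EVENTS = [
    {"type": "login", "account": "steve", "session": "s1", "device": "pc-home", "country": "US"},
    {"type": "purchase", "account": "steve", "session": "s1", "item": "1000 VP"},
    {"type": "login", "account": "steve", "session": "s2", "device": "vm-77", "country": "BR"},
    {"type": "purchase", "account": "steve", "session": "s2", "item": "skin bundle"},
    {"type": "login", "account": "steve", "session": "s3", "device": "pc-home", "country": "US"},
    {"type": "login", "account": "ana", "session": "s4", "device": "laptop-2", "country": "DE"},
]
```

Note that the rule only fires on the purchase, not on the login, so an attacker who merely plays on the account is not caught by it, which is one reason a lock like this is a backstop rather than a replacement for client 2FA.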


As a parting word, please understand that Riot employees work on different teams and very few are involved with the decision to change security practices. Please do not harass random devs about this topic.

TL;DR - People make passwords bad, 2FA makes passwords much less bad, Riot neglecting the basic security feature that almost every other company has is REALLY bad.

References

  • https://www.reddit.com/r/VALORANT/comments/q0ox4v/why_riot_games_lack_of_2fa_is_unacceptable_and/
