Fortnite. com 2fa

3/6/2024

- Add an option to attach a phone number as a last-resort security measure and fully mask it by default.
- Mask ALL emails in ALL 2FA-related windows/textouts just to be safe.
- Mask ALL emails in the account and offer a backup email option which can be assigned exclusively for 2FA.

I hope they do take their own accounts' security as seriously as they claim. There's quite a backlog to clean up there for Epic's security team. Like I already said, it's great to have Google/MS Authenticator and other similar apps by our side. This shouldn't be happening, not with 2FA enabled.

- The account itself looks like it does lock out for a while after a certain amount of failed auth attempts, but it doesn't appear to state for how long it's locked out, which still allows relatively consequence-less brute-forcing to some extent.
- Once a 2FA method is added or changed, there're no email notifications nor confirmations about that, nor does the forceful log-out occur in this event.
- There's literally no way to access the list of devices the account is authorized on, much less manage it.
- There's still no way to forcefully log the account out on all devices other than the current one.
- There've already been multiple reports on Reddit alone from people having their accounts busted without getting any insight into what's going on.
- 2FA as a whole can be easily disabled on an intruder's side without requesting any confirmations whatsoever anywhere.
- Codes themselves sometimes take QUITE A BIT of time to get delivered, and the most recent issue with it being blacklisted for spamming, essentially blocking out the entire 2FA system for those still using this method, more than tells the story.
- The mailing service Epic rely on in terms of sending out those codes is vulnerable to outside factors itself.
- Email-based FA's codes are supposed to refresh at VERY short intervals, yet the actual refresh interval still seems to be more than 10 minutes.
- If it was possible to redirect 2FA to another email with its own 2FA to provide an additional security layer, it would've been MUCH better.
- The account email itself still isn't masked.

Below is the list with all latest changes accounted for:

- Keeping an email-based method as an option while restricting the user to one method at a time.

All in all, it's mostly good news; sadly, the flaws I pinpointed are still mostly there.

- Adding 3rd-party 2FA apps to the options pool (which should've been done from day one if you ask me, but I'm just being a jerk here, lol), complete with emergency one-time code listing Epic offers when attaching those just to be sure.

The Two-Factor Authentication system Epic offers is being improved noticeably, starting off with:

PSA: Epic started taking steps in the right direction in regards to improving their security, so I'm making adjustments to the original post.