EVE’s SINGLE SIGN ON (SSO) Security Update

JokerGuy 2018-11-19

EVE Online’s ESI (EVE Swagger Interface) allows third-party developers to create some amazing things. Still, getting the most out of these non-official EVE Online websites requires pilots to log in using their EVE Online account credentials. This can cause concern for the player’s account security. However, those fears can be managed if the site is using the EVE Online Single Sign On (SSO). The SSO allows users to submit their account information securely to the EVE Online login server, and allows the website to confirm that the user owns a specific character.

There are some important points to consider when prompted to submit account credentials when visiting a non-official CCP site:

  • Users should ensure that the site which requests the login information is secure. To determine whether the site is secure, please see the ‘SSO the Secure Way’ section below.
  • Using an authentic SSO means that the web site will not see the account credentials (Username or Password). The SSO will only confirm if an account holds a character.
  • If there is any doubt about the security or authenticity of a website, users should not enter any account information. Any suspicious sites should be reported to security@ccpgames.com.

As part of CCP Games’ continued work to protect the accounts of pilots, they have made a change to the EVE Online SSO. CCP Falcon’s post on the details of the change can be found here. Today the system is more aggressive toward new and unknown devices.

“Many of us here at CCP are long term EVE Online players, and we know the value that our pilots place on their accounts, clones and assets. We also recognize and respect the sheer number of hours that go into creating and maintaining a solid character and want to ensure that all our pilots have the best possible protection for their accounts.” – CCP FALCON

TLDR of the Changes

  • When pilots log in, instead of utilizing geolocation, the SSO will instead look for a specific cookie in the pilot’s browser or launcher.
  • If that cookie is not found and a pilot has not enabled two factor authentication (2FA) via an app such as Google Authenticator, they will be sent a standard 2FA verification code via email.
  • On successful login using this verification code check, a cookie that lasts for six months will be created in the pilot’s launcher/browser.

What is the SINGLE SIGN ON (SSO)?

The SSO, also known as single sign-on, is a way to log into one web site or application using a username and password from another web site. For example, the comment section will ask readers to sign in with Disqus, Facebook, Twitter, or Google. For Imperium.news this minimizes bot comments and means INN doesn’t have to worry about managing registered username and password information.

For EVE Online players, the SSO means logging into a web site that has integrated the EVE SSO and can confirm a specific character. While signing in, the pilot chooses a character to authenticate, and the site receives confirmation from CCP’s servers, via the EVE SSO, that the pilot owns that character. The web site using the EVE SSO only gets the character information and never sees the account name or password. Additionally, the site does not learn which account the character is on and has no way of linking that character to any other character on the same account.

The Update’s Impact on You

  • CCP Games has been creating these cookies for the last couple of months, so if you’ve been logging in regularly, Impact Zero.
  • Pilots with pinned accounts, Impact Zero.
  • Pilots with the 2FA app enabled, Impact Zero.
  • Should you change your browser, clear your cookies or reinstall the launcher and do not have 2FA enabled via app, Impact Small Delay as you’ll need to use a 2FA verification code via email.

Drive for the Changes

  • Geolocation is not always accurate, and CCP wants to ensure that accounts are as secure as possible.
  • Once pilots successfully logged in, they were whitelisted for that country indefinitely, opening them up to hackers coming from the same country.
  • Increased account security due to more aggressive verification of email address if 2FA via app is not enabled.

SSO the Secure Way

The SSO is a powerful tool, but it is also a gate guard, so there are a few signs pilots should check before making use of the service.

Sadly, the internet is full of fraudsters lingering around and waiting for a chance to make a profit or gain some benefits and they are happy to do this any way imaginable. They try to trick people into giving them their account credentials with the help of social and technical measures including phishing and spoofing of authorities as well as web portals. – CCP Games

  • Validate secure connection to the correct web resource before entering any credentials
  • Verify that the connection is securely encrypted and authenticated
  • Manual verification of the certificate

There is only one legitimate domain and host name combination for our SSO which is login.eveonline.com. Also make sure the connection is via https: (note the “s”) and never enter any credentials over plain text and unauthenticated http: connections.
– CCP Games
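
The scheme and host name check described above can be done mechanically. The following is an added example (not CCP's code and not part of the original article) that parses a URL and compares scheme and host exactly against login.eveonline.com, next to a naive substring check that lookalike URLs pass. The function names are hypothetical and the sample URLs under `.example` are constructed.

```javascript
// Added example, not CCP's code. Function names are hypothetical.
const SSO_HOST = "login.eveonline.com"; // the only legitimate host per the page

// Naive check: accepts any URL that merely contains the host string.
function naiveLooksLikeSso(rawUrl) {
  return rawUrl.includes(SSO_HOST);
}

// Strict check: parse first, then compare scheme and host exactly.
function checkSsoUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  // "https://login.eveonline.com@other.example/" puts the name in userinfo.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  // hostname is already lowercased and IDNA-encoded by the URL parser.
  if (url.hostname !== SSO_HOST) {
    return { ok: false, reason: `host is ${url.hostname}` };
  }
  return { ok: true, reason: "https and exact host match" };
}

// Constructed sample URLs; everything under .example is made up.
const SAMPLES = [
  "https://login.eveonline.com/",
  "HTTPS://LOGIN.EVEONLINE.COM/",
  "http://login.eveonline.com/",
  "https://login.eveonline.com.sso-check.example/",
  "https://login.eveonline.com@sso-check.example/",
  "https://sso-check.example/?next=login.eveonline.com",
  "https://login.eveonl\u00edne.com/", // accented i, not the real name
];

function auditSamples() {
  return SAMPLES.map((u) => ({ url: u, naive: naiveLooksLikeSso(u), ...checkSsoUrl(u) }));
}

for (const r of auditSamples()) {
  console.log(`${r.ok ? "OK    " : "REJECT"} naive=${r.naive} ${r.url} (${r.reason})`);
}
```

The check covers only the scheme and host name; the certificate verification listed above is a separate step.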

How to Help

  • Ensure that you use 2FA via authenticator for the best account security. A great Helpcenter article on how to set it up.
  • Change your password regularly.
  • Make sure you use a complex password, and don’t use the same password in multiple places.
  • Make sure that if you have multiple accounts, you use a unique password for each account.
  • Don’t account share. It’s against the EVE Online EULA, and damage arising from account sharing will not be reimbursed.

On top of these items, CCP Games says it’s possible to reduce the risk of account credentials being stolen, and encourages users to report any misleading, bogus or questionable usage of its SSO to security@ccpgames.com.


Comments

  • Libluini

    Well, shit. This explains why I’m always getting this dumb email when logging into the forum: I’ve set my browser to auto-flush everything when closing, so I never have those cookies.

    November 19, 2018 at 10:06 am