
How to protect your gaming accounts with two-factor authentication (update)


It’s the best defense against h4x


[Image: An authenticator app such as Google Authenticator is the best solution for two-step verification. Credit: The Art Friday/Shutterstock.com via Polygon]

Cybersecurity is of paramount importance these days, considering our ever-increasing dependence on cloud-based services. We store more and more data online, often for convenience but often because there is no other option, and we trust giant corporations to safeguard our sensitive private information — passwords, addresses, credit cards, Social Security numbers and more.

But paradoxically, our reliance on these systems is increasing exponentially even as our faith in them is dropping. It seems like reports of massive hacks are coming more and more frequently.

To hear our next president tell it, we live in challenging times.

“I think that computers have complicated lives very greatly,” said President-elect Donald Trump last Wednesday, speaking to pool reporters at his Mar-a-Lago resort in Palm Beach, Florida. “The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need.”

One way to get “the kind [of] security we need” is to enable two-factor authentication on all of our online accounts that support the feature. That includes gaming services, which are a common target for phishing scams and hacking.

As of the end of 2016, almost every single one of the major gaming services allows you to turn on this extra layer of security: Blizzard Entertainment’s Battle.net, GOG.com, Humble Bundle, Electronic Arts’ Origin, Sony’s PlayStation Network, Valve’s Steam, Ubisoft’s Uplay and Microsoft’s Xbox Live. We’ll explain how to do it.

What is two-factor authentication, and why do I need it?

Two-factor authentication, also known as two-step verification or login verification (and commonly abbreviated as “2FA”), is a process that requires users to enter two different “factors” when logging in to a service. Generally, the factors are “something you know” — your existing login details — as well as a second piece of information from your phone (“something you have”), typically a six-digit code generated by an authenticator app or received in a text message. This second factor could also be “something you are,” like your fingerprint.

Once you sign in with your correct username and password, you must also type in the code or use your fingerprint in order to complete the login process. Two-step verification is much more secure than a password alone, since it means that any unsavory types would also need your phone — a device that is in your possession — in order to access your account.

Here are two examples. Even if your Yahoo account was one of the 1 billion accounts that were stolen in 2013, and you use your Yahoo password for everything, the hackers wouldn’t be able to log in to any of your accounts. The same would be true if your dad — or, say, Hillary Clinton’s campaign chairman — got tricked into typing his login credentials into a phishing website.

The hackers or scam artists might have your email address, username and password, but they’d also have to steal your phone if they wanted to log in to your accounts.

What is an authenticator?

An authenticator generates the codes necessary to complete the login process. The secure way to use an authenticator is on a smartphone or tablet in your possession. Apps for the most popular services — Google Authenticator, Authy and Microsoft Authenticator — are available on both Android and iOS. (Some services also work on a computer, such as in a browser, but that wouldn’t be the most secure thing if your laptop were stolen.)

[Image: A homescreen widget for Authy’s Android app. Credit: Authy]

Once you’ve installed an authenticator app, you’ll have to set it up with each online service on which you want to enable 2FA. This is typically handled by scanning a unique QR code with your phone or typing in a lengthy code called a “secret key.” After that setup, the app will generate a random six-digit numerical code every 30 seconds, and you’ll have to type it in when you log in.

An important thing to know is that these apps use a time-based open standard, so the time has to be set properly on your device in order for them to work. The apps will account for differences in time zones, and because of the way the underlying algorithm works, your device doesn’t need an internet connection in order for the apps to function. That means you’ll be able to generate and use login codes even if your phone is, say, in airplane mode.
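The two paragraphs above describe exactly what an authenticator app computes: a six-digit code derived from the shared secret and the number of 30-second steps since the Unix epoch, with no network involved. The following is an added example, not code from the article or from any of the authenticator apps it names. It implements the standard time-based algorithm (HMAC-SHA1 over a counter, RFC 4226/6238 style) on both sides: the phone-side code generator and the server-side check that tolerates a small amount of clock drift but rejects a badly set clock. The secret is a constructed sample value, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the ASCII string "12345678901234567890" encoded
# in base32, the way a service prints the "secret key" under its QR code.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # how long one code stays valid
DIGITS = 6          # length of the displayed code


def decode_secret(secret_b32):
    """Turn the base32 'secret key' typed in at setup into raw key bytes."""
    cleaned = secret_b32.replace(" ", "").upper()
    padded = cleaned + "=" * (-len(cleaned) % 8)   # restore stripped padding
    return base64.b32decode(padded)


def hotp(secret_b32, counter, digits=DIGITS):
    """Counter-based one-time code: HMAC-SHA1 over the 64-bit counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits`."""
    key = decode_secret(secret_b32)
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time=None):
    """Time-based code: the counter is the number of 30-second steps since
    the Unix epoch, so the phone only needs a correct clock, not a network."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret_b32, int(unix_time // STEP_SECONDS))


def verify_totp(secret_b32, submitted, unix_time, window=1):
    """Server-side check. Accepts the current step plus `window` steps on
    either side to absorb small drift; a clock that is minutes off still fails.
    Constant-time comparison avoids leaking how many digits matched."""
    current = int(unix_time // STEP_SECONDS)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(EXAMPLE_SECRET_B32, now)
    print("code for this 30-second step:", code)
    print("accepted by server:", verify_totp(EXAMPLE_SECRET_B32, code, now))
```

Because the counter is derived from the clock rather than from anything the service sends, a phone in airplane mode produces the same code the server expects; the flip side, which the paragraph above warns about, is that a device whose clock has drifted past the server's acceptance window will generate codes that are rejected every time.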

Another note: Using an authenticator is much safer than the other common method of delivering two-step verification codes, which is a text message. This year, the National Institute of Standards and Technology recommended against using SMS-based two-factor authentication due to security concerns. Unfortunately, though, some services don’t support anything except text messages for 2FA logins.

Typing in a code every time I log in sounds like a pain in the ass.

First of all, what’s more of a pain in the ass: opening an app on your phone and typing in six numbers when you log in to Gmail, or dealing with the fallout of identity theft — like losing irreplaceable documents and photos and having to dispute fraudulent credit card transactions?

Yeah, we thought so.

Secondly, you won’t always have to type in a code.

Most services that support 2FA will allow you to “trust” computers that you use frequently, like your office desktop or personal laptop. If you mark a device as trusted, the service won’t regularly ask you to type in a code — you’ll be able to log in with just your username and password. For instance, you can set your Google account to only ask you for codes once every 30 days. (If you use multiple browsers, you’ll likely have to do this in each one.)

In addition, some apps and services allow you to log in with a simple push notification. It serves the same function as typing in a code — again, the point of 2FA is to make sure there’s a second factor, like something from your phone — and it’s much faster. For example, if you have the Twitter app installed on your phone and you log in to your Twitter account on a new computer, you’ll get a push notification from the app asking you to verify that it’s you who is attempting to log in.

OK, OK, you’ve convinced me. But what if I lose my phone?

Losing your phone or having it stolen is a nightmare on a bunch of levels, but it could be particularly bad for 2FA users. Thankfully, pretty much every service that supports 2FA will let you generate backup codes. These are one-time-use codes that you can log in with if you don’t have access to the authenticator app on your phone. It’s a good idea to write them down and keep them handy at your home or office as a “use in case of emergency” thing. (No, this isn’t like writing down your passwords — you’ll still have to memorize those details and then type in a backup code as the second factor.)
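To make concrete why a written-down backup code is not the same as a written-down password, here is an added example (not the article's code, nor any named service's implementation) of how a service can issue and redeem one-time backup codes: the codes are shown to the user once, only a salted slow hash of each is stored, and a code is deleted the moment it is accepted, so it cannot be replayed. The alphabet, code length and hashing parameters are my own choices for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/O or 1/l/I), so a code copied
# from a piece of paper is easy to type back in correctly.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 50_000   # illustrative work factor, not a recommendation


def generate_backup_codes(count=10, length=8):
    """Create `count` random single-use codes; shown to the user exactly once."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def normalize(code):
    """Users read codes off paper: ignore case, spaces and dashes."""
    return code.strip().lower().replace(" ", "").replace("-", "")


def hash_code(code, salt):
    """Store only a salted slow hash, so a leaked database does not hand
    out usable second factors."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt,
                               PBKDF2_ROUNDS)


class BackupCodeStore:
    """What the service keeps for one account: a salt plus the hashes of
    the codes that have not been used yet."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]

    def remaining(self):
        return len(self.unused)

    def redeem(self, submitted):
        """Accept the code as the second factor once, then burn it."""
        candidate = hash_code(submitted, self.salt)
        for index, stored in enumerate(self.unused):
            if hmac.compare_digest(stored, candidate):
                del self.unused[index]   # one use only
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("write these down and keep them safe:", " ".join(codes))
    print("first use accepted:", store.redeem(codes[0]))    # True
    print("replay accepted:", store.redeem(codes[0]))       # False
    print("codes left:", store.remaining())                 # 9
```

The important property for the reader is the last two lines of output: a backup code that has been used once is worthless afterwards, whereas a password written on the same sheet of paper keeps working until it is changed. Note also that the code still only replaces the second factor; the username and password are checked first, exactly as the paragraph above says.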

What if an account/service doesn’t support 2FA everywhere?

It’s true that some services support 2FA only with limitations, depending on the platform you’re using. For instance, Sony’s older gaming platforms, such as the PlayStation 3, won’t allow you to enter security codes when logging in with a 2FA-enabled PlayStation Network account. When you try to type in your usual login information, the system will misleadingly tell you that your password is incorrect.

In these cases, you’ll need something that is commonly referred to as an “app password.” You’ll have to generate these for each device or service that doesn’t support a standard 2FA login, like a PS3 with your PSN account or an Xbox 360 with your Microsoft account.

For the utmost level of security, you’ll want the system in question to prompt you for this app password every time — which means you’ll have to memorize it separately from your account’s existing password. Most people, though, will be fine with just entering the app password once to link a particular device with their account. You can always revoke access and/or generate a new app password if the device is stolen.

[Image: Don’t mess with Overwatch’s Mei. Credit: Blizzard Entertainment]

How to enable two-factor authentication

Battle.net (FAQ)

Method: authenticator — Battle.net Authenticator only

Blizzard only supports its own Battle.net Authenticator mobile app (Android, BlackBerry, iOS, Windows Phone). You can also buy a physical authenticator — how quaint!

When you log in to your Battle.net account, you’ll receive a login verification request through the Battle.net Authenticator app on your mobile device. You can simply approve or deny the request by pressing a button. If you prefer the more traditional route of entering a six-digit code, you can click “use authenticator security code” on your computer, and then press “enter code manually” on your phone to generate a single-use code that you’ll then type in on your computer.

The Battle.net Authenticator supports the Battle.net application and all current Blizzard games: Diablo 3, Hearthstone, Heroes of the Storm, Overwatch, StarCraft 2, and World of Warcraft.

[Image: Ciri in The Witcher 3: Wild Hunt. Credit: CD Projekt Red/Warner Bros. Interactive Entertainment]

GOG.com (FAQ)

Method: email only

The only way to use two-step verification with a GOG account is for the company to email you a code. That’s not ideal, since a person in possession of your email account would also be able to log into your GOG account. Do yourself a favor: If you check your email on a public computer, make sure to log out of your account before you leave.

Set up 2FA on your GOG account by going to the security section of your settings. When you log in from a browser or computer that GOG doesn’t recognize, the service will email you a four-digit code. If you don’t see the email in your inbox, check your spam folder.

Humble Bundle (FAQ)

Method: authenticator — Authy only (Android, iOS) — or text message

You can use an authenticator app for 2FA on your Humble Bundle account, but it only supports Authy — no other apps. If you don’t already use Authy, you can head to your account settings and enter your phone number, and you’ll get a text message with a link to download the app. Once you install it, go back into your account settings and click “link” after typing in your phone number; that’ll generate a notification within the Authy app, and you can set up your account from there.

If you don’t want to bother with Authy, you can opt to have Humble Bundle send you login codes via text message.

[Image: Scoring a goal in FIFA 17. Credit: EA Vancouver/Electronic Arts]

Nintendo Network (FAQ)

Method: authenticator only

Nintendo Accounts now support 2FA with an authenticator app. Head to the “Sign-in and security settings” section of your account settings to get started. You’ll need to verify your email address with Nintendo before you can set up two-step verification. After you enable it, Nintendo will also give you 10 backup codes. Note that Nintendo does not support 2FA on children’s accounts.

Origin (FAQ)

Method: authenticator or email or text message

Electronic Arts will let you get a 2FA code pretty much any way you want. You can use an authenticator app like Google Authenticator, or you can have EA send you codes via text message or email. If you’re a soccer fan, note that EA requires FIFA Ultimate Team users to enable login verification in order to access the mode through companion apps or a web browser.

PlayStation Network (FAQ)

Method: text message only

Sony added 2FA support to PlayStation Network accounts this past summer. The implementation only supports text messages, using six-digit alphanumeric codes that are case-sensitive. In addition, normal 2FA logins only work on the web, on a PlayStation 4, on some Xperia devices or in the PlayStation mobile app. As long as you’ve enabled auto sign-in, you’ll only need to enter the code the first time you log in on a particular device.

[Image: Sony PlayStation buttons artwork. Credit: Samit Sarkar/Polygon]

The PS3, PlayStation TV, PlayStation Vita, PSP and certain Xperia devices don’t support the entry of security codes. To log in on those platforms, you’ll need to use an app password, which Sony refers to as a “device setup password.” It’s not possible to activate 2FA directly on these devices; it has to be done on the web.

From your Account Management page, you can generate a 12-digit device setup password for each device you want to log in to. If you enable auto sign-in, you can simply use your username and password after that point; if you don’t, you’ll have to type in that 12-digit app password every time.

Steam (FAQ)

Method: authenticator — Steam app only (Android, iOS, Windows Phone)

Valve has supported 2FA for years on Steam, but only through the official Steam mobile app, which is available on Android, iOS and Windows Phone. The company says that “support for standalone authenticators is being considered,” but that’s it for now.

[Image: Steam Guard authenticator. Credit: Valve]

Once you install the Steam mobile app and sign in with your Steam username and password, you set up 2FA by clicking “Steam Guard” in the app’s menu. Valve will text you a confirmation code to enter into the app. Then the app will show you a recovery code that you should write down in a safe place — if you lose your phone, that code will be the only way to identify yourself as the owner of that authenticator.

Now, whenever you log in to Steam on a new device, you’ll have to open the mobile app and click Steam Guard to get a five-digit alphanumeric code that changes periodically.

Because the process involves your phone number, you’ll be able to move the authenticator to another device if you get a new phone. But if you delete the app, you’ll have to reset your authenticator on the Steam support site.

Uplay (FAQ)

Method: authenticator only — Google Authenticator (Android, iOS) recommended

Ubisoft advises setting up 2FA using Google Authenticator, saying that other apps are “not guaranteed to work.” To enable 2FA, you can head to your Ubisoft account’s security settings on the web, or click “Set Up 2-Step Verification” under Account Information in the Uplay PC client.

Xbox Live (FAQ)

Method: authenticator or email or text message

All Xbox Live accounts are also Microsoft accounts, and Microsoft accounts support 2FA through a variety of authenticator apps; you can also choose to receive login codes via email or text message. Logging into an Xbox One or the Xbox app for Windows, for instance, will work fine. But older platforms like the Xbox 360 will require app passwords. You can set them up, and manage all your 2FA settings, on the Microsoft account website.

Update (Sept. 22, 2017): Nintendo added 2FA support to Nintendo Accounts today. We’ve edited the Nintendo Network section of this article with details on how to set it up.