Gamers level up with rewards for better security

There was a time when stolen gaming accounts were almost treated as a fact of life. Console hacks weren’t taken particularly seriously. Security research in this area was occasionally derided as unimportant or trivial. Gaming accounts had an essence of innate disposability to them, even if this wasn’t the case (how disposable is that gamertag used to access hundreds of dollars’ worth of gaming content?).

These days, gaming security is taken very seriously indeed. The gradual roll-out of two-factor authentication (2FA) across both gaming platforms and titles themselves is a wonderful thing, but one worries about buy-in. When 2FA sign-up rates for something as common as Google accounts are struggling to hit double figures, it’s definitely a concern.

Customer support: compromised accounts all the way down

There’s also the impact on publisher bottom lines. More stolen accounts means more time tying up customer support lines. If the victims of the stolen accounts have invested lots of money into a title, there’s the possibility of bad press should it get that far. Forgotten passwords will tie up support’s time, for sure. But the moment someone calls through with one single account compromise, the customer service rep has no idea what they’re walking into.

It could be a fairly straightforward phish. Alternatively, someone may have imitated a game developer on a Twitch stream. Did the attacker bypass text-based 2FA by social engineering the mobile provider? Perhaps the victim fell for bogus loot crates via a YouTube video. Fake game developers sending private messages? You bet.

The possibilities are endless, and also potentially endlessly time consuming.

The digital expansion of gaming

Games haven’t been a one-purchase-and-done procedure for a long time. Downloadable content, expansions, and the concept of “Games as a Service” mean content can flow forevermore. This is particularly true in the realm of Massively Multiplayer titles. It’s not uncommon for the most popular games to keep on trucking for a decade or longer. These titles offer a variety of payment options.

Some games are a one-off payment with paid-for expansions down the line. Others might have a free-to-play option, with subscription accounts for more features and content access. A few mix all of these approaches, and there’s really no set standard.

When roleplaying sets the stage for security

MMORPGs are one online realm where security has been a big part of the overall package for years. Developers had the foresight to realise account protection would become increasingly important over time. World of Warcraft developers Blizzard released their first authenticator way back in 2009. People are often surprised when they find out how long WoW has had authentication in place. Yes, this may well be something of an outlier. They’ve also run into occasional issues with people trying to bypass the system.

Even so, this is probably one of the ways mainstream gamers run into this kind of authentication for the very first time. When the biggest organisations in a space use this tech, it hopefully encourages other companies to consider doing the same thing. In 2018, Blizzard were offering backpack upgrades for anybody using authentication and their SMS Protect service.

An increasingly valuable treasure chest

What I’m fascinated by is MMORPGs with frequently expensive in-game items bought with real money. Those in-game stores often offer premium items, and it can quickly turn into an expensive hobby. Some items are cosmetic, some give in-game benefits which can occasionally turn into “pay to win” accusations.

However you stack it up, accounts with lots of purchases are incredibly valuable targets. Going back to what I said earlier, the last thing Big Game Company Inc needs is a ton of bad press where they weren’t seen to be helping “premium” gamers. They also don’t want support channels flooded with stolen account calls.

In 2012, Steam encouraged users to enable Steam Guard in return for a badge during a community event. In 2015, they took this one step further and offered sale discounts.

A few months prior to this, MMORPG developers were already gamifying 2FA and offering rewards for enabling it. ArenaNet, developers of Guild Wars 2, were handing out a cool looking dragon for enabling 2FA. Here’s another game from 2015, Wakfu, which seems to have given small stat bonuses for using their 2FA system.

The security problems facing game developers

I’m not sure if 2015 was some sort of specific flashpoint for “everybody start using this, please” but clearly the groundwork was being laid. Due to a lot of videogame reporting being lost to the ages via link rot, I’m also uncertain if games using 2FA years prior to this offered up incentives for using it. I would assume quite a few of the older titles would say the incentive was simply “not losing your account”. Perhaps this is one reason why uptake is low. After all, people on the Wakfu forums are complaining about the hassle of having to use it despite the freebies.

With this in mind, what we have is:

  • Users reluctant to use the tech
  • Depending on the game, a potentially very young audience who may not want the hassle of setting up 2FA
  • Accounts in use for long periods of time, with significant years of purchases behind them

This is clearly not ideal. As a result, gamifying the overall approach and offering up perks and items is the way to go.

Some current examples of security bonuses

Black Desert Online

A few months ago, the incredibly popular MMORPG Black Desert Online ran a “security campaign” event. If players set up an OTP (one-time password) process for their logins, they were rewarded with a 7-day value pack. These value packs are incredibly useful for BDO players. They grant significant boosts for loot collection, buffs, inventory, storage, weight limit, marketplace sales, and much more.

If you’re even a semi-serious BDO player, these are prized items and you’ve likely bought quite a few, or grinded out events to get some for free. The alternative is paying for a variety of different Value Packs in the game’s Pearl Store via real money transactions. Although the event is now over, I’d be surprised if it doesn’t get another outing.

Star Wars: The Old Republic

This BioWare / EA juggernaut has been around for a few years and shows no signs of slowing down. It’s essentially free to play, but with various restrictions applied unless you purchase a subscription. It also contains an in-game store which offers up cosmetics, items, large scary animals which you can ride around on, the works.

I’ve played quite a few MMORPGs where large store purchases are involved, yet there often seems to be a lack of additional security to help keep accounts secure in some titles. That’s not the case here, as we’ll see.

The basic rule with premium stores is, everything is pretty expensive. There may be essential items like storage capacity or crafting bags hidden behind paywalls. You might be able to buy a house for cheap, but then you have to spend a lot more money to fill it with items or even unlock different rooms.

Developers really want you to feel that premium, exclusive angle on every purchase you make. As a result, anything given away for free in many games is often not very good. You’ll almost never get any of those premium items for free unless it’s during a special event.

Items are usually purchased with special forms of in-game currency. That is usually bought via a gaming platform for real money. In Star Wars: The Old Republic, this currency is called Cartel Coins. Developers don’t give premium store funds away for free, because that wouldn’t make any sense.

And yet.

One of the big pulls for setting up 2FA with the game’s dedicated authenticator app is indeed free premium currency. As a bonus for setting up the app, gamers are rewarded with 100 Cartel Coins a month. That’s 1,200 coins every year the app is ticking over, which is certainly enough to buy an item or two a month, or one of the bigger discounted bundles when the player breaks the 1,000 barrier.

I’m not sure if this giveaway approach is something which coincided with the release of the app, or an additional perk which came later. As far as encouraging players to make use of additional security features, I’d give this effort 10/10.

Final Fantasy Online

Square Enix are big on One Time Passwords. They use various options like physical security tokens or software authentication to get the lockdown job done. Their in-game reward is free teleportation. Many MMORPGs charge nominal amounts to fast travel, which adds up very quickly. This is a fantastic way to get buy-in from an MMORPG audience.

Gaming platform account bonuses

It’s not just individual games handing out the freebies. Gaming platforms like the Epic Store are getting in on the act too. In 2018, if you added 2FA to your Epic Games account, you received a free skin.

This may not sound like much but trust me, kids love free gaming skins.

As of 2019, the offer had broadened out considerably. In addition to a skin, players also received armory slots, backpack slots, and a free legendary troll stash Llama because hey, why not.

Interestingly, the 2FA reward program isn’t just limited to platform logins and Fortnite. If you want to keep claiming the endless selection of free titles offered on the Epic Store, you now need 2FA up and running. No additional security? No free games.

This is smart in a realm where Steam arguably still rules the roost as the most established PC gaming platform. By carving out chunks of the Epic Store’s most impressive platform offerings and placing them behind good security practices, the pull factor is no doubt strong. There has to be a good chunk of Epic users now sporting much better protected accounts, and that’s a win-win.

Closing thoughts

While some gamers will quibble about the value of giveaways on some titles, ultimately the devs are doing them a favour. When the worst case scenario is “You don’t lose your account to compromise”, that sounds like a pretty good deal to me. Receiving some free goodies to feed back into your gameplay loop is the icing on the cake. An easy win for everybody apart from account thieves is surely the best Game Over screen we can hope for.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.