[286+] Account protection suggestions

Posted 4 years, 2 months ago (Edited 2 years, 1 month ago) by AcneScars

What's your favorite feature?

232 Votes Two Step Authorization
47 Votes Login information log
15 Votes Captcha
81 Votes All
38 Votes None

Greetings, Toyhou.se!
Toyhou.se is one of the very few websites I use that does NOT have any system to protect your account(s). So, today I am here to make my case on why I think Toyhou.se should put more of their resources into changing this.

Suggestion One: Two Step Authorization

Two Step Authorization is one of, if not the most, common ways websites protect users' accounts. There are many ways to offer Two Step Authorization that are accessible to most users. Adding two or more options so users can pick which Two Step Authorization they want is the best way to go about it. And the best thing about it is that it's optional in a majority of cases. If users don't want it, they don't need to have it!

Here are some common Two Step Authorization methods:

  • E-mail: The user gets a code via their e-mail inbox.
  • SMS: The user gets a code sent via their phone number messaging system. 
  • Third-party App: The user needs a third-party app (typically on their phone) and the app generates the code.

Suggestion Two: Security Questions

Another common way is adding security questions. A user will be asked to add the security questions via their Settings page, and then the prompt to fill in the answers will be triggered if suspicious activity is found and/or on every new login. Personally, I don't suggest this; it's deemed very annoying on the user end. However, it's one of the easier ways to implement account protection.

Suggestion Three: Login Information Page

Login information, or a list of your login data, is a page that shows all of your login activity, typically within a 30- or 60-day window.

This page can show information such as:

  • IP addresses / Estimated Location 
  • Device Information 
  • Login Date + Time
  • Etc, etc. 

This information is provided so that the user can determine whether there has been an unauthorized login. The user can then decide to change their password/e-mail/etc. Sometimes a feature to disconnect a current connection is available as well. (To boot off users you don't recognize, etc.) (Last sentence inspired by Xen's response.)

Suggestion Four: Captcha 

Adding a Captcha at the login page can help prevent password guessers. Data leaks are common, and a lot of people reuse the same password for everything. So password guessing (whether with a machine or manually) is extremely common. Captcha should only be triggered after a few failed login attempts and shouldn't be added for every login attempt in general. (Unless you have a bot problem.)


Suggestion Five: Character Transfer/Deletion Delay  

An optional cool-down feature would be neat as well. The user should be able to enable it for a single character or for all of their characters via a Settings page. "For that same reason, maybe have a cooldown option on trades/deletion of certain characters? So that when you have it enabled, the character, when transferred or deleted, will remain pending for a certain amount of time, e.g. seven days, leaving the owner with enough time to react in case the action was not performed by them." (Suggestion by Vuurstern)

Suggestion Six: Link/button Approval Via E-mail

Sometimes a website will send you an e-mail to approve/deny a login attempt, typically via a generated authorization link. (Suggestion by lophiusdragon & nyan_cat)


Why do you need account protection? 

Account protection is very important to protecting things you care about, such as: 

  • Your creations: Artwork credit and/or protecting your ownership tab rights. 
    • Preventing users from removing your rightful credits. 
  • The characters you're hosting onto your account. (Protecting their images, their bios, their credits, etc.)
    • When someone gets into your account, they can delete or transfer the characters. 
  • Your reputation as a user on the site.
    • Your credibility you've formed by making sales/commissions, etc. 
  • Etc, etc. 


ANYONE CAN BE A VICTIM! 

  • Well-known artists and creators are at high risk of having their accounts compromised.
  • Users with plenty of characters or plenty of artwork are also at risk of being compromised. (Highly desired characters or CS)
  • Someone who was close with the user, but the relationship ended sourly, could be seeking revenge.
  • Maybe impersonation of an inactive account.
  • Maybe it's to get around the invite-only system. 
  • Etc, etc. 

You can think of many reasons why someone would want to get the account of another user - any reason is enough.

AcneScars

Xen

The log-out feature is such a great suggestion! I'm surprised I didn't think of that myself. Thanks for sharing that! :D
I also thank you for sharing your experience - I didn't think about those who are visually impaired/have other issues that prevent them from accessing/using captcha that easily. I 100% would agree with it being triggered after too many failed attempts instead of every single time someone logs in! ^^

AcneScars

nyan_cat 

That's a great idea!! A lot of websites have lock features for when a user who typically doesn't make major changes suddenly ends up making huge changes to their account (an example could be changing your email and password and then moving characters all in the same day).

I think locking accounts is a good way, at least it would give a user some time to notice these changes are happening on their account if it wasn't authorized. If they did make these changes to their account, all they would have to do is "this is me" and whatnot.
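Suggestion Five in the opening post (an opt-in cool-down on transfers and deletions) and the lock-on-unusual-changes idea in the reply above can be built as one mechanism: every sensitive action is recorded, opted-in transfers and deletions sit in a pending queue for the hold period, and a burst of sensitive actions inside one day freezes the account until the owner confirms "this is me". The code below is an added example written for this edit, not from the thread and not Toyhou.se's code. The seven-day hold comes from the quoted suggestion; the three-changes-in-a-day threshold, the class and method names, and the rule that the action which trips the lock is refused rather than queued are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DAY = 86_400
HOLD_SECONDS = 7 * DAY     # the seven-day pending window from the post
BURST_WINDOW = DAY         # "all in the same day"
BURST_THRESHOLD = 3        # e.g. e-mail change + password change + transfer (assumption)


class AccountLocked(Exception):
    """Raised when an action is refused because the account awaits a 'this is me' confirmation."""


@dataclass
class PendingAction:
    action_id: int
    kind: str                 # "transfer" or "delete"
    character: str
    requested_at: int
    executes_at: int
    status: str = "pending"   # pending | executed | cancelled


@dataclass
class Account:
    name: str
    hold_for: Set[str] = field(default_factory=set)   # characters with the cool-down on; "*" means all
    locked: bool = False
    sensitive_times: List[int] = field(default_factory=list)  # Unix times of recent sensitive changes


class ActionGuard:
    """Hypothetical server-side guard: delays opted-in transfers/deletions and locks on a burst of changes."""

    def __init__(self) -> None:
        self._next_id = 1
        self.pending: Dict[int, PendingAction] = {}

    def _note_sensitive(self, account: Account, now: int) -> None:
        if account.locked:
            raise AccountLocked(account.name)
        # keep only changes inside the burst window, then add this one
        account.sensitive_times = [t for t in account.sensitive_times if now - t < BURST_WINDOW]
        account.sensitive_times.append(now)
        if len(account.sensitive_times) >= BURST_THRESHOLD:
            account.locked = True      # unusual burst: freeze until the owner confirms
            raise AccountLocked(account.name)

    def change_credentials(self, account: Account, now: int) -> None:
        """E-mail or password change: counts toward the burst threshold."""
        self._note_sensitive(account, now)

    def request(self, account: Account, kind: str, character: str, now: int) -> PendingAction:
        """Queue a transfer/deletion; it waits HOLD_SECONDS if the owner enabled the cool-down for it."""
        self._note_sensitive(account, now)
        held = "*" in account.hold_for or character in account.hold_for
        action = PendingAction(self._next_id, kind, character, now, now + (HOLD_SECONDS if held else 0))
        self._next_id += 1
        self.pending[action.action_id] = action
        return action

    def cancel(self, action_id: int) -> bool:
        """The owner spots an action they did not perform and cancels it before the hold elapses."""
        action = self.pending.get(action_id)
        if action is None or action.status != "pending":
            return False
        action.status = "cancelled"
        return True

    def run_due(self, now: int) -> List[PendingAction]:
        """Periodic job: execute pending actions whose hold has elapsed."""
        done = []
        for action in self.pending.values():
            if action.status == "pending" and action.executes_at <= now:
                action.status = "executed"
                done.append(action)
        return done

    def confirm_this_is_me(self, account: Account) -> None:
        """Owner confirmed the burst was theirs (only after re-authenticating out of band)."""
        account.locked = False
        account.sensitive_times.clear()
```

Two details a practitioner would insist on: the pending queue must be visible to the owner (and ideally mailed to them, which is where Suggestion Six's approval link fits), and `confirm_this_is_me` must not be reachable with the same session that tripped the lock, or an attacker who already holds the session simply clicks through it.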

scribbletoby

2FA would be amazing +

CorvidCreatures

+1 we need this! It doesn't seem to be a big issue right now, but it definitely will be once TH leaves beta. I also like the captcha thing. But maybe that would only be if you're logging in from a device you've never logged into that account with. Because, chances are, if someone is using a guessing bot, it won't be on your normal device. There should be two step all the time though
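Suggestion Three (the login information page), Suggestion Four (a CAPTCHA only after a few failed attempts) and the refinement in the reply above (only on a device the account has never used) fit together naturally: the login log is the data the CAPTCHA decision reads, and the same log tells the owner which logins came from a device seen for the first time. The code below is an added example written for this edit, not from the thread and not Toyhou.se's code. The device fingerprint (hash of IP and user agent, a coarse stand-in for a device cookie), the thresholds, the `LoginMonitor` class and the sample IP addresses (RFC 5737 documentation ranges) are constructed for illustration, and the password check is modelled as a boolean input so the example runs offline.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Set

FAILURES_BEFORE_CAPTCHA = 3      # "after a few failed login attempts" (threshold is an assumption)
FAILURE_WINDOW = 15 * 60         # failures older than this no longer count (assumption)
LOG_RETENTION = 30 * 86_400      # the 30-day login-information window from the post


@dataclass(frozen=True)
class LoginEvent:
    account: str
    when: int            # Unix time
    ip: str
    user_agent: str
    success: bool
    captcha_passed: bool


def device_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse stand-in for a device cookie: hash of IP and user agent (assumption, not the site's scheme)."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()[:16]


class LoginMonitor:
    """Hypothetical login log that doubles as the data source for the CAPTCHA decision."""

    def __init__(self) -> None:
        self.events: List[LoginEvent] = []

    def history(self, account: str, now: int) -> List[LoginEvent]:
        """What the login-information page shows: attempts within the retention window, newest first."""
        return sorted((e for e in self.events if e.account == account and now - e.when < LOG_RETENTION),
                      key=lambda e: e.when, reverse=True)

    def known_devices(self, account: str, now: int) -> Set[str]:
        """Fingerprints that completed a successful login within the retention window."""
        return {device_fingerprint(e.ip, e.user_agent) for e in self.history(account, now) if e.success}

    def recent_failures(self, account: str, now: int) -> int:
        """Failed attempts against this account from any source inside the failure window."""
        return sum(1 for e in self.events
                   if e.account == account and not e.success and now - e.when < FAILURE_WINDOW)

    def first_seen_logins(self, account: str, now: int) -> List[LoginEvent]:
        """Successful logins from a device not seen before: the entries worth the owner's attention."""
        seen: Set[str] = set()
        out: List[LoginEvent] = []
        for e in sorted(self.history(account, now), key=lambda e: e.when):
            if not e.success:
                continue
            fp = device_fingerprint(e.ip, e.user_agent)
            if fp not in seen:
                seen.add(fp)
                out.append(e)
        return out

    def attempt(self, account: str, ip: str, user_agent: str,
                password_ok: bool, captcha_passed: bool, now: int) -> str:
        """Returns "ok", "failed" or "captcha_required". Every attempt is logged, refused ones included."""
        trusted = device_fingerprint(ip, user_agent) in self.known_devices(account, now)
        if (not trusted and not captcha_passed
                and self.recent_failures(account, now) >= FAILURES_BEFORE_CAPTCHA):
            # Guessing pressure from an unrecognised device: demand a CAPTCHA before the password is even checked.
            self.events.append(LoginEvent(account, now, ip, user_agent, False, False))
            return "captcha_required"
        self.events.append(LoginEvent(account, now, ip, user_agent, password_ok, captcha_passed))
        return "ok" if password_ok else "failed"
```

Note the trade-off in `attempt`: the failure counter is per account rather than per IP, because credential-stuffing bots rotate addresses, while the known-device exemption keeps the owner from being nagged on their own machine. The counter should be reduced but not reset on a trusted-device success, or the attacker gets a free window each time the owner logs in; the example keeps it simple and does not reset it at all.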

CorvidCreatures

Pepperly I agree with backing things up. I have a folder on my phone with all of my OCs and their art just in case I accidentally delete them or something happens. I also keep all of my old art files with layers in case I ever need to prove that I did the art

Jade-Everstone

+ 1 for 2FA

The sad thing is, with how common things like doxxing, hacking etc. have become, it's kind of important to have 2FA at this point (seriously, the first thing I did when reviving my other socials was turn on 2FA because it became more common). Even though (from what I've seen) toyhouse doesn't really have a problem with constant hacking and doxxing, it's better safe than sorry