[286+] Account protection suggestions

Posted 4 years, 2 months ago (Edited 2 years, 1 month ago) by AcneScars

What's your favorite feature?

232 Votes Two Step Authorization
47 Votes Login information log
15 Votes Captcha
81 Votes All
38 Votes None

Greetings, Toyhou.se!
Toyhou.se is one of the very few websites I use that does NOT have any system to protect your account(s). So, today I am here to make my case on why I think Toyhou.se should add more of their resources to changing this.

Suggestion One: Two Step Authorization

Two Step Authorization is one of, if not the most, common ways websites protect users' accounts. There are many ways to enable Two Step Authorization that are accessible to most users. Adding two or more options so users can pick which Two Step Authorization they want is the best way to go about it. And the best thing about it is it's optional in a majority of cases. If users don't want it, they don't need to have it!

Here's some common Two Step Authorizations:

  • E-mail: The user gets a code via their e-mail inbox.
  • SMS: The user gets a code sent via their phone number messaging system. 
  • Third-party App: The user needs a third-party app (typically on their phone) and the app generates the code.

Suggestion Two: Security Questions

Another way that is common is adding security questions. A user will be asked to add the security questions via their Settings page and then the prompt to fill in the answers will be triggered if suspicious activity is found and/or every new login. Personally, I don't suggest this; it's deemed very annoying on the user end. However, it's one of the easier ways to implement account protection.

Suggestion Three: Login Information Page

Login information, or a list of your login data, is a page to show all of your login activity, typically within a 30- or 60-day window.

This page can show information such as:

  • IP addresses / Estimated Location 
  • Device Information 
  • Login Date + Time
  • Etc, etc. 

This information is used so that the user can determine if they notice an unauthorized login.  The user can then decide to change their password/e-mail/etc. Sometimes the feature to disconnect a current connection is possible as well. (To boot off users you don't recognize, etc.) (Last sentence inspired by Xen's response.)

Suggestion Four: Captcha 

Adding a Captcha at the login page can help prevent password guessers. Data leaks are common, and a lot of people reuse the same password for everything. So password guessing (whether with a machine or manually) is extremely common. Captcha should only be triggered after a few failed login attempts and shouldn't be added for every login attempt in general. (Unless you have a bot problem.)


Suggestion Five: Character Transfer/Deletion Delay  

An optional cool-down feature would be neat as well. The user should be able to enable it for a single character or for all of their characters via a Settings page. "For that same reason, maybe have a cooldown option on trades/deletion of certain characters? So that when you have it enabled, the character, when transferred or deleted, will remain pending for a certain amount of time, e.g. seven days, leaving the owner with enough time to react in case the action was not performed by them." (Suggestion by Vuurstern)

Suggestion Six: Link/button Approval Via E-mail

Sometimes a website will send you an e-mail to approve/deny a login attempt, typically via a generated authorized link. (Suggestion by lophiusdragon & nyan_cat)


Why do you need account protection? 

Account protection is very important to protecting things you care about, such as: 

  • Your creations: Artwork credit and/or protecting your ownership tab rights. 
    • Preventing users from removing your rightful credits. 
  • The characters you're hosting on your account. (Protecting their images, their bios, their credits, etc.)
    • When someone gets into your account, they can delete or transfer the characters. 
  • Your reputation as a user on the site.
    • Your credibility you've formed by making sales/commissions, etc. 
  • Etc, etc. 


ANYONE CAN BE A VICTIM! 

  • Well-known artists and creators are high-risk for having their accounts be compromised.
  • Users with plenty of characters or plenty of artwork are also at risk of being compromised. (Highly desired characters or CS)
  • Someone who was close with someone but it ended sourly could be seeking revenge.
  • Maybe impersonation of an inactive account.
  • Maybe it's to get around the invite-only system. 
  • Etc, etc. 

You can think of many reasons why someone would want to get the account of another user - any reason is enough.
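Suggestion Five's cool-down, sketched as an added example (not part of the original post and not Toyhou.se code). The `Account` class, its method names and the `unprotect` action are hypothetical; the sketch goes one step beyond the post by putting the request to switch the cool-down off through the same delay.

```python
from datetime import timedelta

COOLDOWN = timedelta(days=7)  # "e.g. seven days", as in the suggestion


class Account:
    """Constructed model of one user's characters (hypothetical names)."""

    def __init__(self, characters):
        self.characters = set(characters)
        self.protected = set()  # characters with the cool-down enabled
        self.pending = {}       # character -> (kind, target, execute_at)

    def enable_cooldown(self, character=None):
        # Opt in for one character, or for all of them when none is named.
        self.protected |= {character} if character else set(self.characters)

    def _apply(self, kind, character):
        if kind != "unprotect":  # transfer/delete: character leaves account
            self.characters.discard(character)
        self.protected.discard(character)

    def request(self, kind, character, now, target=None):
        """kind: 'transfer', 'delete' or 'unprotect' -> 'done' or 'pending'."""
        if character not in self.characters:
            raise KeyError(character)
        if character in self.pending:
            raise ValueError("an action is already pending")
        if character not in self.protected:
            self._apply(kind, character)
            return "done"
        # Switching the cool-down off is delayed too; otherwise whoever is
        # logged in could disable it and transfer immediately.
        self.pending[character] = (kind, target, now + COOLDOWN)
        return "pending"

    def cancel(self, character):
        # The owner reacts inside the window: nothing is applied.
        return self.pending.pop(character, None) is not None

    def process_due(self, now):
        """Apply every pending action whose delay has elapsed."""
        due = [c for c, (_, _, at) in self.pending.items() if now >= at]
        applied = []
        for c in due:
            kind, target, _ = self.pending.pop(c)
            self._apply(kind, c)
            applied.append((kind, c, target))
        return applied
```

The window only helps if the owner hears about the queued action, so a site using this would pair `request` with a notification to the account's e-mail address.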

DMApollogies

Currently I only have something to say about suggestions one and six. I think it's a great idea, but I don't think SMS or a third-party app would be a good idea, although I think e-mail is a great idea. Personally, I don't want to download an app I've probably never heard of each time I want to log in, and personally I'm just uncomfortable with the text message idea.


I think suggestion 6 is good, although I would see it being a lot of hassle for people who share an account for species, ARPG or for other reasons.