Greetings, Toyhou.se!
Toyhou.se is one of the very few websites I use that does NOT have any system to protect your account(s). So, today I am here to make my case on why I think Toyhou.se should devote more of its resources to changing this.
Suggestion One: Two Step Authorization
Two Step Authorization is one of the most common ways, if not the most common way, that websites protect users' accounts. There are many ways to enable Two Step Authorization that are accessible to most users. Adding two or more options so users can pick which Two Step Authorization method they want is the best way to go about it. And the best thing about it is that it's optional in a majority of cases: if users don't want it, they don't need to have it!
Here are some common Two Step Authorization methods:
- E-mail: The user gets a code via their e-mail inbox.
- SMS: The user gets a code sent by text message to their phone number.
- Third-party App: The user needs a third-party app (typically on their phone) and the app generates the code.
Suggestion Two: Security Questions
Another common option is security questions. A user adds the questions and answers via their Settings page, and the prompt to answer them is triggered when suspicious activity is detected and/or on every new login. Personally, I don't suggest this; it's widely considered very annoying on the user end. However, it's one of the easier ways to implement account protection.
Suggestion Three: Login Information Page
Login information, or a list of your login data, is a page that shows all of your login activity, typically within a 30 or 60 day window.
This page can show information such as:
- IP addresses / Estimated Location
- Device Information
- Login Date + Time
- Etc, etc.
This information lets the user spot an unauthorized login. The user can then decide to change their password/e-mail/etc. Sometimes a feature to disconnect a current session is available as well (to boot off users you don't recognize, etc.). (Last sentence inspired by Xen's response.)
Suggestion Four: Captcha
Adding a Captcha to the login page can help stop password guessers. Data leaks are common, and a lot of people reuse the same password for everything, so password guessing (whether by a machine or manually) is extremely common. The Captcha should only be triggered after a few failed login attempts and shouldn't be required for every login attempt in general (unless you have a bot problem).
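The "only after a few failed attempts" rule means the server has to count recent failures per account and refuse to even check the password until a Captcha is solved once the count crosses a threshold. The following is an added example, not Toyhou.se code or code from this post; the threshold of three failures, the fifteen-minute window and the in-memory store are assumptions of the example.

```python
import time
from collections import defaultdict
from typing import Optional

CAPTCHA_THRESHOLD = 3       # failed attempts before the captcha is demanded
FAILURE_WINDOW = 15 * 60    # seconds; older failures are forgotten


class LoginGuard:
    """Tracks recent failed logins per account and decides when a captcha is
    needed. Hypothetical in-memory store: a real site would keep the counts in
    its database or cache so that every web server sees the same numbers."""

    def __init__(self) -> None:
        self._failures = defaultdict(list)   # username -> timestamps of failures

    def _recent_failures(self, username: str, now: float) -> list:
        kept = [t for t in self._failures[username] if now - t < FAILURE_WINDOW]
        self._failures[username] = kept      # prune expired entries in place
        return kept

    def captcha_required(self, username: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return len(self._recent_failures(username, now)) >= CAPTCHA_THRESHOLD

    def record_failure(self, username: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self._recent_failures(username, now).append(now)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)   # a good login clears the counter


def attempt_login(guard: LoginGuard, username: str, password_ok: bool,
                  captcha_ok: bool = False, now: Optional[float] = None) -> str:
    """Login decision. `password_ok` stands in for the real credential check and
    `captcha_ok` for the captcha provider's verdict. Returns 'ok',
    'captcha_required' or 'bad_password'."""
    now = time.time() if now is None else now
    if guard.captcha_required(username, now) and not captcha_ok:
        return "captcha_required"            # refuse before touching the password
    if not password_ok:
        guard.record_failure(username, now)
        return "bad_password"
    guard.record_success(username)
    return "ok"


if __name__ == "__main__":
    g = LoginGuard()
    for _ in range(CAPTCHA_THRESHOLD):
        print(attempt_login(g, "alice", password_ok=False))   # bad_password
    print(attempt_login(g, "alice", password_ok=True))        # captcha_required
    print(attempt_login(g, "alice", True, captcha_ok=True))   # ok
```

Counting per account (rather than per IP) is what protects a specific user from a distributed guessing run; because the consequence is a Captcha rather than a lockout, an attacker cannot use the counter to lock the real owner out.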
Suggestion Five: Character Transfer/Deletion Delay
An optional cool-down feature would be neat as well. The user should be able to enable it for a single character or for all of their characters via a Settings page. "For that same reason, maybe have a cooldown option on trades/deletion of certain characters? So that when you have it enabled, the character, when transferred or deleted, will remain pending for a certain amount of time, e.g. seven days, leaving the owner with enough time to react in case the action was not performed by them." (Suggestion by Vuurstern)
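The quoted suggestion amounts to a "pending" state on the character: with the option enabled, a transfer or deletion is recorded with a due date instead of being applied, the owner can cancel it at any point before that date, and a scheduled job applies whatever is due. The following is an added example of that state machine, not code from Toyhou.se or from either poster; the seven-day cooldown is the one from the quote, and the record layout is an assumption of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

COOLDOWN = timedelta(days=7)   # the seven-day example from the quoted suggestion


@dataclass
class Character:
    """Hypothetical character record with only the fields the cooldown needs."""
    name: str
    owner: str
    delay_enabled: bool = False            # the per-character opt-in setting
    deleted: bool = False
    pending_action: Optional[str] = None   # "transfer" or "delete"
    pending_target: Optional[str] = None   # new owner for a pending transfer
    pending_until: Optional[datetime] = None


def _require_owner(char: Character, actor: str) -> None:
    if actor != char.owner:
        raise PermissionError(f"{actor} does not own {char.name}")


def request_transfer(char: Character, actor: str, new_owner: str, now: datetime) -> str:
    """Transfers immediately if the delay is off, otherwise parks the request."""
    _require_owner(char, actor)
    if not char.delay_enabled:
        char.owner = new_owner
        return "completed"
    char.pending_action, char.pending_target = "transfer", new_owner
    char.pending_until = now + COOLDOWN
    return "pending"


def request_deletion(char: Character, actor: str, now: datetime) -> str:
    """Same shape as a transfer, but the outcome is deletion."""
    _require_owner(char, actor)
    if not char.delay_enabled:
        char.deleted = True
        return "completed"
    char.pending_action, char.pending_target = "delete", None
    char.pending_until = now + COOLDOWN
    return "pending"


def cancel_pending(char: Character, actor: str) -> bool:
    """The rightful owner, having regained the account, stops a pending action."""
    _require_owner(char, actor)
    if char.pending_action is None:
        return False
    char.pending_action = char.pending_target = char.pending_until = None
    return True


def finalize_due(chars: List[Character], now: datetime) -> List[str]:
    """Scheduled job: applies pending actions whose cooldown has elapsed and
    returns the names of the characters it touched."""
    done = []
    for c in chars:
        if c.pending_action is None or c.pending_until > now:
            continue
        if c.pending_action == "transfer":
            c.owner = c.pending_target
        else:
            c.deleted = True
        c.pending_action = c.pending_target = c.pending_until = None
        done.append(c.name)
    return done


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fox = Character("Fox", "alice", delay_enabled=True)
    print(request_transfer(fox, "alice", "bob", t0))          # pending
    print(cancel_pending(fox, "alice"), fox.owner)            # True alice
```

One design point worth noting: the site should also e-mail the owner when an action enters the pending state, since the delay only helps if the real owner notices in time.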
Suggestion Six: Link/button Approval Via E-mail
Sometimes a website will send you an e-mail to approve or deny a login attempt, typically via a generated authorization link. (Suggestion by lophiusdragon & nyan_cat)
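For the approve/deny link to be safe, the token in it must be unguessable, tied to the specific login attempt, short-lived and usable only once, so a link that leaks from an old mailbox cannot be replayed. The following is an added example of issuing and checking such a token, not Toyhou.se code or code from the posters named above; the HMAC-SHA256 signing, the fifteen-minute lifetime and the placeholder host example.invalid are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from configuration
# or a key store, never from source code.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60                # seconds a link stays valid
_used_tokens: set = set()          # single-use record; a database table in production


def issue_approval_token(attempt_id: str, user_id: str, now: Optional[int] = None) -> str:
    """Builds an opaque, signed, expiring token to embed in the e-mailed link."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"attempt": attempt_id, "user": user_id, "exp": now + TOKEN_TTL,
         "nonce": secrets.token_hex(8)},      # nonce makes every token unique
        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode().rstrip("=")


def verify_approval_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Returns the payload if the signature is valid, the token is unexpired and
    it has not been used before; otherwise None. A valid token is marked used."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    if len(raw) <= 32:
        return None
    payload, sig = raw[:-32], raw[-32:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    data = json.loads(payload)
    if data["exp"] < now or token in _used_tokens:
        return None
    _used_tokens.add(token)
    return data


def approval_links(token: str) -> dict:
    """The two links the e-mail would carry (example.invalid is a placeholder host)."""
    return {d: f"https://example.invalid/login/{d}?token={token}"
            for d in ("approve", "deny")}


if __name__ == "__main__":
    tok = issue_approval_token("attempt-123", "user-42")
    print(approval_links(tok)["approve"])
    print(verify_approval_token(tok))    # payload dict
    print(verify_approval_token(tok))    # None: already used
```

Whichever link is clicked, the server should look up the pending login attempt by the `attempt` field and act on that record, rather than trusting anything else in the request.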
Why do you need account protection?
Account protection is very important for protecting the things you care about, such as:
- Your creations: artwork credit and/or protecting your ownership tab rights.
- Preventing users from removing your rightful credits.
- The characters you're hosting on your account (protecting their images, their bios, their credits, etc.).
- When someone gets into your account, they can delete or transfer the characters.
- Your reputation as a user on the site.
- The credibility you've built by making sales, taking commissions, etc.
- Etc, etc.
ANYONE CAN BE A VICTIM!
- Well-known artists and creators are at high risk of having their accounts compromised.
- Users with plenty of characters or plenty of artwork are also at risk of being compromised (highly desired characters or CS).
- Someone who was close with someone but whose relationship ended sourly could be seeking revenge.
- Maybe impersonation of an inactive account.
- Maybe it's to get around the invite-only system.
- Etc, etc.
You can think of many reasons why someone would want to get into another user's account - any reason is enough.