With the latest release of the PS4 firmware, version 3.55, Sony quietly enabled two-factor authentication for account sign-ins, but initially rolled it out only to a limited number of people in a few regions. Now the option to enable two-factor authentication is available worldwide, and if you haven’t already turned it on for your account, I suggest you do so today. Right now. This instant!
For those of you not following the Reddit and NeoGAF threads about this, Sony has been very, very lax about security on the PlayStation Network ever since it launched. At one point Sony was widely reported to have stored account passwords without proper hashing; thankfully, that’s behind us. But the issues continue unabated. Every week there are a dozen or so new threads on the internet and the PlayStation forums about someone whose account got compromised: their console was deregistered and someone bought a bunch of stuff using their stored credit card details. For all of Microsoft’s faults with the Xbox brand to date, the one thing they can be praised for is security. Two-factor authentication has been a feature on Xbox Live for a long time, and getting into someone’s account is considerably harder.
The issues go deeper when you see how much of a target Sony is for hackers. This past month, thousands of people have been scammed through the Neverwinter currency hack: attackers gain access to an account, drain the linked PayPal or credit card in a series of small purchases to stay under Sony’s fraud thresholds, register their own console to the hacked account, and sign into Neverwinter to move the in-game currency into their own account. Sony is aware of the issue, but company policy has not only led to victims of the hack being banned, it has also been the catalyst for several people to jump ship to the Xbox One, because at least Microsoft doesn’t treat their customers as badly.
That two-factor authentication is now available shouldn’t excuse Sony’s actions or approach to issues like the Neverwinter/FIFA hacks, but we’re getting something that improves the security situation, at least. So, if you’re online, and you play multiplayer games or have a credit card linked to your account, you should be setting up this critical new security feature today. Here’s how:
Option A: On your PS4 console
First, navigate into your settings menu and click on the option for managing your PSN account. Then navigate to the “Security” sub-menu, sign in to your account if necessary, and then click on “2-Step Verification” to get started.
For the PlayStation 4, the service is fairly straightforward. Once set up, you’ll be sent an SMS with a one-time PIN (OTP) to your mobile number each time you sign in. The PIN is randomly generated on Sony’s side and a fresh one is issued for every sign-in, so it can’t be predicted or replayed. The realistic weakness of SMS codes isn’t the generator but the delivery channel: anyone who can take over your number through a SIM swap, or read your messages, can receive the code. That is still a far higher bar than a password alone, so even if you’re not playing games online, enable it anyway.
For older devices that sign into your PSN account, like the PlayStation 3 or PS Vita, you have to set up a unique device password when you sign into your account. This has the added benefit of protecting your console or device from being deregistered, since an attacker would first have to get into your e-mail account to obtain the codes needed to register their own devices. Note that Sony also adds “and some mobile devices” to this listing, which means the unique device password system also covers mobile phones and tablets with the PlayStation app installed.
Finally, add your mobile number and work through the prompts. From now on, whenever you sign into your PSN account to make changes, or sign into a new PS4, you’ll be prompted to enter the OTP in the provided menu to verify your identity.
Option B: Through your browser
Fire up Chrome, Firefox, Internet Explorer 10 or Opera, and follow this link to the Sony Entertainment Network website.
You’re now on a new page set up by Sony to enable two-factor verification not just on your PSN account, but across Sony’s entire range of services under the Sony Entertainment Network (SEN) banner. In some ways I think this is preferable to setting it up on your PS4. Click “Edit” next to “Mobile Phones” to set up the phone that will receive the OTP messages.
Make sure your country selection is correct, and then add your phone number. It doesn’t need the “+27” international dialling code, just your number with the leading “0”.
Once done, you’ll receive an SMS on your phone with an OTP. This is the one you’ll enter to register the device for the first time.
Plug it into the text box! There’s no way to screw this up, but if you haven’t received the code after 5 minutes, hit the resend button. If that doesn’t work, try switching your phone’s radio from 3G/HSDPA/LTE to plain EDGE. Some networks are finicky about delivering service SMSes over the faster connections.
Aha! Now we’re getting somewhere. Your number has been added and we’re ready to activate the service. Hit the Edit button next to the service’s status. If you have a second number that you use daily, add that as well: if you ever lose access to the first number, you can select the backup number to receive the OTP messages when resetting your account, rather than having to call Sony to do it for you. Neato!
Follow the prompts!
We’re almost there. Remember to set your phone’s mobile connection to EDGE if you don’t receive the messages on time. Keep in mind that a lot of people are hammering the activation service because this feature went live today, so you may get some error messages before reaching this window.
Now we’re done! The process is complete, and you’ll be prompted to sign out of everything that currently uses your PSN ID to log into your account.
When you sign into the PlayStation Store using a browser on your PC, you’ll be prompted to enter your OTP after your account credentials every time you log in. That’s a minor irritation for increased security, in my opinion (speaking as a network engineer by trade, this is far preferable). Once you’re back at this screen, sign in again. There are more goodies to be had!
We now have two new options to look at. The first deals with setting up device passwords for your PS3, PS Vita, PSP, and other devices. If you’re a Google account user with two-factor authentication already enabled, you’ve probably been using app-specific passwords for a while now to access your e-mail in Outlook, for example, or to connect with people on Hangouts using Pidgin.
Device passwords are unique and randomly generated, and revoked passwords eventually return to the pool, so there’s no worry about running out (there are more than enough to go around, with over two trillion possible device passwords). The drawback of Sony’s scheme is that once you’ve created a device password, nothing tells you which device is using it. Without the ability to assign names, you’ll have to either guess which password to revoke when it’s time to sell or retire a console, or revoke all of them and set every device up again.
Sony, if you’re listening: let us label each device password so that we know which device is using which key. It’s the most logical choice.
Finally, let’s say you make a stuff-up. A monumental stuff-up. You visited Tarryn’s house, partied on Cape Town’s beaches with her cats in secret, and threw ALL of your devices in the water. There’s no getting into your account using an OTP. In this end-of-the-world scenario, you’re covered by two pre-generated backup codes that get you into your account. You only ever get two, so the hope is that you’re smart enough not to stuff up twice and use up both codes. Though I haven’t tested this myself, you should be able to have the codes regenerated after using them up by calling Sony and explaining how much your life sucks right now. There are more permutations available at this code length than there have been humans who have lived, so generating more isn’t a problem.
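To make concrete how the three mechanisms in this guide fit together (the randomly generated SMS PIN from Option A, the device passwords above, and these backup codes), here is a small added model in Python. It is illustrative code written for this page, not Sony’s implementation, and every format it uses (6-digit PIN, 5-minute expiry, three guesses, 16-character device passwords, two 10-character backup codes) is an assumption. It also does what the post asks Sony for: each device password carries a label, so you can revoke the one for the console you’re selling without touching the rest.

```python
"""Added illustration of the three second factors the post describes: an SMS
one-time PIN, per-device passwords, and backup codes. This is not Sony's code;
the formats (6-digit PIN, 5-minute expiry, 3 attempts, 16-character device
passwords, two 10-character backup codes) are assumptions made for the example."""
import hashlib
import hmac
import secrets
import string
import time
from typing import Optional

OTP_DIGITS = 6          # assumed PIN length
OTP_TTL_SECONDS = 300   # assumed validity window (matches the post's "wait 5 minutes")
OTP_MAX_ATTEMPTS = 3    # assumed wrong-guess limit before the PIN is discarded
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols


def _digest(secret: str) -> str:
    """Store only a hash of each secret so a leaked database cannot be replayed."""
    return hashlib.sha256(secret.encode()).hexdigest()


class SecondFactorAccount:
    def __init__(self, clock=time.time):
        self.clock = clock
        self._otp = None                 # [digest, issued_at, attempts_left]
        self._device_passwords = {}      # label -> digest (the label is what the post asks for)
        self._backup_codes = set()       # digests of unused codes

    # SMS one-time PIN: random, time-limited, single-use, attempt-limited.
    def issue_otp(self) -> str:
        """Draw a PIN from the OS CSPRNG; the caller texts it, we keep only its hash."""
        pin = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._otp = [_digest(pin), self.clock(), OTP_MAX_ATTEMPTS]
        return pin

    def verify_otp(self, pin: str) -> bool:
        if self._otp is None:
            return False
        digest, issued_at, attempts_left = self._otp
        if attempts_left <= 0 or self.clock() - issued_at > OTP_TTL_SECONDS:
            self._otp = None             # locked out or expired: a new PIN must be issued
            return False
        if hmac.compare_digest(digest, _digest(pin)):
            self._otp = None             # a PIN is consumed by its first correct use
            return True
        self._otp[2] -= 1                # burn one guess
        return False

    # Device passwords: one long random secret per device, revocable by label.
    def create_device_password(self, label: str) -> str:
        if label in self._device_passwords:
            raise ValueError(f"label already in use: {label}")
        # 36^16 possibilities, roughly 82 bits of entropy.
        password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self._device_passwords[label] = _digest(password)
        return password

    def verify_device_password(self, password: str) -> Optional[str]:
        """Return the label of the device that owns this password, or None."""
        digest = _digest(password)
        for label, stored in self._device_passwords.items():
            if hmac.compare_digest(stored, digest):
                return label
        return None

    def revoke_device(self, label: str) -> bool:
        return self._device_passwords.pop(label, None) is not None

    # Backup codes: a small fixed set, each usable exactly once.
    def issue_backup_codes(self, count: int = 2) -> list:
        """Replace any existing codes; 36^10 combinations per code, far more than
        the number of people who have ever lived."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(10)) for _ in range(count)]
        self._backup_codes = {_digest(c) for c in codes}
        return codes

    def use_backup_code(self, code: str) -> bool:
        digest = _digest(code)
        for stored in list(self._backup_codes):
            if hmac.compare_digest(stored, digest):
                self._backup_codes.discard(stored)   # spent codes never work again
                return True
        return False


if __name__ == "__main__":
    acct = SecondFactorAccount()
    pin = acct.issue_otp()
    print("texted PIN:", pin, "accepted:", acct.verify_otp(pin), "replay:", acct.verify_otp(pin))
    ps3 = acct.create_device_password("Living room PS3")
    print("PS3 password belongs to:", acct.verify_device_password(ps3))
    acct.revoke_device("Living room PS3")
    print("after revoke:", acct.verify_device_password(ps3))
    codes = acct.issue_backup_codes()
    print("backup code 1 works once:", acct.use_backup_code(codes[0]), acct.use_backup_code(codes[0]))
```

The point of the model is the three properties a second factor needs regardless of how Sony implements them: the secret comes from a cryptographic random source rather than an algorithm someone could reverse, it is compared in constant time against a stored hash rather than the plaintext, and it stops working after it has been used, guessed at too often, or revoked.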
Now you’re all set up! Go unto the world and preach about the awesome security that two-factor authentication provides you! Make sure that your friends and family members set this up as soon as possible. Not doing it is a disservice not only to yourself but also to your friends on PSN, who might be tricked by a hacker smart enough to take over your account and then use social engineering to get into theirs as well.
And please, please… share this with anyone you know on a PlayStation device. Show Sony that their security measures are appreciated and used, giving them incentive to take steps to one day provide the other service on PSN that we’ve all been asking for – the ability to change our PSN ID.
Further reading: Two-Factor Authentication
See which services support 2FA: twofactorauth.org