Question: Imagine you are a developer at a large company which runs an online fantasy roleplaying game. You have a large number of players each of
Imagine you are a developer at a large company which runs an online fantasy roleplaying game. You have a large number of players each of whom runs one or more player characters (PCs) in the game world. The individual PCs are directly created by their players, and have a variety of attributes associated with them such as name, clan membership, race (elf, dwarf, halfling, etc), and so forth. These attributes are directly visible to the player, and often integral to their PC's identity. Your players pay a small monthly fee for the game. However, not everyone pays with a credit card and you know there are at least some minors who are old enough to play but not to have a valid means of payment of their own. Presumably these players' parents/friends/older siblings are paying for them Recently, a large number of accounts have been falling to hackers who appear to be working from a list of credentials they acquired somewhere else. The attackers have been attempting to access accounts that never existed, in addition to ones they have successfully breached, so it's clear they didn't get the credentials from your company. (Think attackers breaching Yahoo and then trying to log into your accounts with those credentials.) You need to stop, or at least slow down, the attackers. Your company doesn't use 2-factor authentication (yet), so it won't save you this time. Getting 2FA turned on is a priority for after the current attacks are dealt with, however. You also don't send many emails that require your users to respond, so it's entirely ossible the email accounts you have on file are stale. 1. (4 points) Propose a way to authenticate users so they can do a password reset without requiring much extra work for regular players. It's ok to make players who do not connect often do more work, but someone who plays every day should have an easy time of it 2. (3 points) How do you know the attackers won't have the authentication data you're requesting? 3. (3 points) What might prevent the user from providing the authentication information you're request
Step by Step Solution
There are 3 Steps involved in it
Get step-by-step solutions from verified subject matter experts