Account Security Update

April 11th 2018

Today, we're making some changes to the way two-factor auth operates, as well as slightly changing how you manage the email addresses associated with your account.

First, a brief explanation of the way the two-factor auth system worked before today. After setting up two-factor, you will be asked to enter a code upon login, as well as when you must enter "sudo mode". Sudo mode is simply "elevated privileges" on your account. For example, to request a payout, change your email, set an item's price, etc., you must be in sudo mode (or not have two-factor auth enabled). To enter sudo mode, you are prompted for a code from your two-factor app. Sudo mode persists (for a single login session / IP) for a few hours before requiring another code to perform elevated actions.

Sudo mode is designed to increase account security beyond the initial login gate; requiring an additional code ideally stops most phishing attacks. However, there are still scenarios in which unauthorized access to an account can be devastating; for example, changing your payout email requires sudo mode, but if you are sudo'd or don't have two-factor, there is no further verification required. The same is true for requesting a payout.

To solve these issues, we're making some changes to two-factor as well as how you change your payout email.

If you use two-factor, here's what changes for you:

  • Certain actions, such as changing your payout email or requesting a payout, will require a unique (never used before) two-factor code every time, regardless of your sudo state.
  • We've slightly updated the two-factor code entry dialog to better report errors with authentication.
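To make the two mechanisms above concrete, here is an added illustration (not the site's own code) of how a server can keep a per-session, per-IP sudo timer and, separately, refuse a two-factor code that has ever been accepted before. It assumes standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps, six digits) with a one-step tolerance either side, a three-hour sudo lifetime standing in for the "few hours" in the text, and a simple in-memory store; the secret is the RFC 6238 test-vector key, not a real one. Note that "used before" is tracked by time-step counter rather than by the six-digit string, so a code that happens to repeat at a later time step is still fresh.

```python
import hashlib
import hmac
import struct

STEP = 30          # TOTP time step in seconds
WINDOW = 1         # accept counters this many steps either side of "now"
SUDO_TTL = 3 * 3600  # assumed sudo lifetime; the page only says "a few hours"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class TwoFactorAccount:
    """Sudo-mode state plus a record of every TOTP counter already accepted."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.sudo_until = {}        # (session_id, ip) -> expiry time
        self.used_counters = set()  # counters whose code has been accepted

    def _match_counter(self, code: str, now: int):
        """Return the time-step counter the code matches, or None."""
        centre = now // STEP
        for counter in range(centre - WINDOW, centre + WINDOW + 1):
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, counter), code):
                return counter
        return None

    def enter_sudo(self, session_id: str, ip: str, code: str, now: int) -> bool:
        """Elevate one login session from one IP for SUDO_TTL seconds."""
        counter = self._match_counter(code, now)
        if counter is None:
            return False
        self.used_counters.add(counter)  # remember it so it cannot serve a sensitive action later
        self.sudo_until[(session_id, ip)] = now + SUDO_TTL
        return True

    def in_sudo(self, session_id: str, ip: str, now: int) -> bool:
        """Sudo persists only for the same session and IP, and only until expiry."""
        return self.sudo_until.get((session_id, ip), 0) > now

    def sensitive_action(self, code: str, now: int) -> bool:
        """Payout email change / payout request: needs a never-before-used code,
        regardless of whether the session is currently in sudo mode."""
        counter = self._match_counter(code, now)
        if counter is None or counter in self.used_counters:
            return False
        self.used_counters.add(counter)
        return True


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 test-vector secret (ASCII "1234...").
    acct = TwoFactorAccount(b"12345678901234567890")
    print(acct.enter_sudo("sess-1", "198.51.100.7", totp(acct.secret, 59), 59))  # True
    print(acct.sensitive_action(totp(acct.secret, 59), 70))                      # False: code already used
    print(acct.sensitive_action(totp(acct.secret, 70), 70))                      # True: fresh code
```

The replay check is what turns "I have a code that worked a minute ago" into "I need a brand-new code": a phished or shoulder-surfed code that already unlocked sudo mode cannot be reused to move the payout email, even while that session is still elevated.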

Here's what changes for everybody:

  • Changing your payout email now requires that you confirm the change through a link sent to your account's primary email address. This is in addition to any potential two-factor requirements for the change. 

We highly recommend that you use two-factor on your account. To set up two-factor authentication, click here. If you sell items or retain any credit on Marketplace, these are inherently at risk if you do not use two-factor authentication. We are committed to account security, but it's a two-way street: your account is most secure when you take the steps provided to protect it.