Old School RuneScape Wiki
(Updating the GE prices.)
(cleanup)
 
Line 1: Line 1:
  +
{{External|rs}}
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
[[File:JAG logo.png|left|182px]]
aaaaaaaaa
 
  +
The '''Jagex Account Guardian''' was an account security feature that provided enhanced security, blocking unknown devices from accessing a player's account. Although the functionality of the system remained undisclosed as stated by [[Jagex]], it seemed to use modern device-recognising technologies to authenticate a user trying to log in. This included a combination of the user's [[Wikipedia:MAC address|MAC address]], their [[Wikipedia:IP address|IP address]], an encrypted security token saved on the user's system, as well as other unstated properties. Its aim was to prevent against {{wp|phishing}} and hijacking; additionally, it discouraged account sharing. It has since been superseded by the [[RuneScape Authenticator]].
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaa
 
aaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaa
 
aa
 
aaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaa
 
aaa
 
aaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaa
 
   
  +
A player chose the device(s) that they wish to grant access to for the account. Unknown devices required to pass email and security checks before access was permitted.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
   
  +
If a player played from multiple locations, they could add new devices at any time and could have as many devices as they liked. Devices could be given access on a temporary or permanent basis.
aaaaaaaa
 
aaaaaaaaaa
 
aaaaa
 
aaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaa
 
aaaaaaaaa
 
aaaaaaa
 
aaaaaa
 
aaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaa
 
aaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaa
 
   
  +
With the introduction of JAG, the recovery question feature was removed and replaced with a permanent recovery question system within JAG. The questions provided could not be customised, therefore the pre-set questions aim at answers that only the real owner of the account would provide. Answers could not contain capital letters. The question choices were:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaa
 
aaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaa
 
aaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
a
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaa
 
aaaaaaaaaaa
 
aaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
   
  +
* Secondary email address for JAG / account security
  +
* Where was your first vacation / holiday?
  +
* In what city or town did your mother and father meet?
  +
* What was your favourite place to visit as a child?
  +
* What is the last name of your favourite teacher?
  +
* Who was your first best friend – first name?
  +
* What is your favourite sports team?
  +
* What is the first book you remember reading?
  +
* What was the first video game you bought?
  +
* What was the first music album you bought?
  +
* What is your mother's middle name?
  +
* What is your oldest cousin's first name?
   
  +
On 15 May 2017, the Jagex Account Guardian was disabled on all accounts that still had it enabled.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
aaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
==Flaws and concerns==
aaaaaaaaaaaaaaaa
 
  +
In the event that a hijacker was able to obtain a player's questions and answers (whether by [[Wikipedia:Keystroke logging|keylogging]], [[Wikipedia:Social engineering (security)|social engineering]], or some other means), he or she would have permanent access to that player's JAG settings, notwithstanding a changed password. It is '''strongly''' advised that one should '''never''' give out ANY information whatsoever; doing so opens up more doors for the hijacker.
aaaaaaaaaaaaaaaaaaaaa
 
  +
aaaaaaaa
 
  +
Aside from JAG recovery questions, a hijacker may gain full access to the account through the Customer Support Centre on the forums. This alternative method requires them to present to the customer support team as much possible information pertaining to the account in hope to claim ownership of the account, so it is '''very important''' to keep all information online completely undisclosed.
aaaaaaaaaaaaaa
 
  +
aaaaaaaaaaaaaaaa
 
  +
The idea that recovery questions '''cannot''' be changed once they are set presented some other issues with the JAG system. Although this would be rare since the questions aimed at very personal questions and ones that are hard to forget, however if a player forgot the answers to their questions, they would be locked out of the JAG security system, and possibly their account. Such players could attempt to log in and remember or properly guess their answers, however only three tries were permitted every 24 hours — after which the account is locked for 24 hours to all non-permanent access.
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
aaaaaaaaaaaaaaaaaaaa
 
  +
Jagex's official response to those two concerns was to remind players to choose security questions they will not forget, and to keep their login details secure.
aa
 
  +
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
On the official FAQ page for the Jagex Account Guardian, Jagex stated that their method of identifying devices is top-secret. This is a case of [[wikipedia:Security through obscurity|security through obscurity]].
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
aaa
 
  +
Players who claimed to be under 13 would not have the ability to use JAG, and received this message upon trying to. However there was a short period upon release for a short period of time to use JAG.
aa
 
  +
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
  +
[[Category:Jagex]]
aaaaaaaaaaaaa
 
  +
[[Category:Security]]
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
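Review bot: The last added paragraph (the under-13 restriction) does not read as complete: "received this message upon trying to" points at a message that is never quoted, and "there was a short period upon release for a short period of time to use JAG" repeats itself and has no subject, so it does not say who could use JAG. Quote or drop the message reference and state plainly what was possible at release. In the lockout paragraph under ==Flaws and concerns==, "Although ... however" doubles the conjunction and the tense shifts from "were permitted" to "is locked"; use past tense throughout, as the lead does. The claim that Jagex called its device identification "top-secret" cites "the official FAQ page" without a link or reference, so add one if it is still available.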
 

Latest revision as of 14:51, 8 June 2019

JAG logo

The Jagex Account Guardian (JAG) was an account security feature that provided enhanced security by blocking unknown devices from accessing a player's account. Although Jagex did not disclose how the system worked, it seemed to use modern device-recognising technologies to authenticate a user trying to log in. This included a combination of the user's MAC address, their IP address, an encrypted security token saved on the user's system, and other unstated properties. Its aim was to protect against phishing and hijacking; additionally, it discouraged account sharing. It has since been superseded by the RuneScape Authenticator.

A player chose the device(s) that they wished to grant access to the account. Unknown devices were required to pass email and security checks before access was permitted.

If a player played from multiple locations, they could add new devices at any time and could have as many devices as they liked. Devices could be given access on a temporary or permanent basis.

With the introduction of JAG, the recovery question feature was removed and replaced with a permanent recovery question system within JAG. The questions provided could not be customised, so the pre-set questions were aimed at answers that only the real owner of the account would provide. Answers could not contain capital letters. The question choices were:

  • Secondary email address for JAG / account security
  • Where was your first vacation / holiday?
  • In what city or town did your mother and father meet?
  • What was your favourite place to visit as a child?
  • What is the last name of your favourite teacher?
  • Who was your first best friend – first name?
  • What is your favourite sports team?
  • What is the first book you remember reading?
  • What was the first video game you bought?
  • What was the first music album you bought?
  • What is your mother's middle name?
  • What is your oldest cousin's first name?

On 15 May 2017, the Jagex Account Guardian was disabled on all accounts that still had it enabled.

Flaws and concerns

In the event that a hijacker was able to obtain a player's questions and answers (whether by keylogging, social engineering, or some other means), he or she would have permanent access to that player's JAG settings, notwithstanding a changed password. It is strongly advised that one should never give out ANY information whatsoever; doing so opens up more doors for the hijacker.

Aside from JAG recovery questions, a hijacker may gain full access to the account through the Customer Support Centre on the forums. This alternative method requires them to present to the customer support team as much information as possible pertaining to the account, in the hope of claiming ownership of it, so it is very important to keep all information online completely undisclosed.

The fact that recovery questions could not be changed once they were set presented some other issues with the JAG system. If a player forgot the answers to their questions, they would be locked out of the JAG security system, and possibly their account, although this would be rare since the questions were very personal and their answers hard to forget. Such players could attempt to log in and remember or properly guess their answers; however, only three tries were permitted every 24 hours, after which the account was locked for 24 hours to all non-permanent access.
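The lockout rule described above, modelled as an added example (this is not Jagex's code, whose workings were undisclosed). The class name, the rolling 24-hour window, the salted-hash storage and the sample answer are assumptions made for illustration.

```python
import hashlib
import hmac
import os

WINDOW = 24 * 3600   # page: three tries were permitted every 24 hours
MAX_TRIES = 3
LOCK = 24 * 3600     # page: account locked for 24 hours afterwards

def _digest(answer: str, salt: bytes) -> bytes:
    # Assumption: answers are stored as a salted, stretched hash.
    return hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, 100_000)

class RecoveryGate:
    """Hypothetical model of the recovery-answer check."""

    def __init__(self, answer: str):
        if answer != answer.lower():
            raise ValueError("answers could not contain capital letters")
        self.salt = os.urandom(16)
        self.stored = _digest(answer, self.salt)
        self.failures = []        # timestamps of wrong answers
        self.locked_until = 0.0

    def login(self, now: float, permanent_device: bool, answer: str = "") -> str:
        if permanent_device:
            return "allowed"      # the lock covers non-permanent access only
        if now < self.locked_until:
            return "locked"       # even the correct answer is refused
        if hmac.compare_digest(_digest(answer, self.salt), self.stored):
            self.failures.clear()
            return "allowed"
        # Keep only failures inside the window, then record this one.
        self.failures = [t for t in self.failures if now - t < WINDOW] + [now]
        if len(self.failures) >= MAX_TRIES:
            self.locked_until = now + LOCK
            self.failures.clear()
            return "locked"
        return "denied"

def demo():
    gate = RecoveryGate("constructed answer")   # constructed sample value
    hour = 3600.0
    out = [gate.login(h * hour, False, "guess") for h in (0, 1, 2)]
    out.append(gate.login(3 * hour, False, "constructed answer"))   # owner, mid-lock
    out.append(gate.login(3 * hour, True))                          # permanent device
    out.append(gate.login(27 * hour, False, "constructed answer"))  # lock expired
    return out
```

The fourth call shows the availability cost the paragraph describes: during the lock the real owner is refused from a non-permanent device even with the right answer, while a permanent device is unaffected.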

Jagex's official response to those two concerns was to remind players to choose security questions they would not forget, and to keep their login details secure.

On the official FAQ page for the Jagex Account Guardian, Jagex stated that their method of identifying devices is top-secret. This is a case of security through obscurity.

Players who claimed to be under 13 were not able to use JAG, and received a message to that effect upon trying to. However, there was a short period upon release in which they could use JAG.