I wrote up a detailed explanation to Unreal about how they could solve these problems, but they just don’t care. Personally though, I am more concerned about the fact that their system is stupidly easy to exploit to shut down an entire studio. All you need is a login bot that repeatedly tries to log in to a set of accounts. So once you get a list of emails, you spam failed login attempts to lock their accounts. That’s an old trick from the early 90s that’s usually used to get people to reuse old passwords eventually, but it can be used as a sort of denial-of-service attack.
Considering how frequently my account is locked I am fairly certain that bots are already in use, but I’m smarter about my passwords than most so the only real problem I get is that I get spammed by Unreal and there’s no way to make them shut up.
Both the login bot and the problem of compromised accounts would be easy to solve if they took one of my many suggestions. For example, suppose that if/when an account is locked, the IP address that you last used to log in successfully is allowed to have continued access. Logically, if the attacker had the correct password they wouldn’t need to lock it anyway, so clearly the last successful login can be assumed to be from a valid user. In this case, it reduces the vulnerability to a login bot - and completely eliminates it for companies with a static IP address. It would be even better if they allowed the last, say, 3 IP addresses to remain active, or let the user manually set a whitelist.
From there, if the user could manually set their account to only allow access from certain geographical locations, it would prevent hacking attempts from outside that geographic area. The attacker shouldn’t get anything more than the normal failed login attempt. This, of course, doesn’t eliminate the possibility of someone in my geographic area compromising my account or of someone spoofing their IP, but generally speaking, if implemented correctly, the attacker wouldn’t really know which geographic ranges would be correct. To further protect the account, it could be set to prevent you from blocking out your current geographic range, and could be set to prevent that from being changed for X days. So if I set my location, I could say not to let anyone touch it for a year - not even me - so if my account is ever compromised, regardless, they can’t lock me out.
Lacking any of those fixes, how about lifting the login requirement to create projects and use purchased assets? It’s great that I can use already created projects while locked out, but this always-on DRM clearly isn’t working.
Then again, I highly doubt Unreal will do anything whatsoever unless and until one of the larger studios that use Unreal is shut down by a malicious attacker abusing their vulnerabilities and then they get sued, which is even worse IMHO - it represents a callous disregard for real security.
…
Now, in regards to Fortnite, what idiot thought it was a good idea to integrate a game with a development engine? Developer accounts should be totally separate. It’s so bad that most of the contact emails for Epic are now unmonitored, and the few that are tend to focus on Fortnite, and when I contact them about development issues the first responses are always about Fortnite. There is no freaking way I will EVER play that game at this point, regardless of its merits, because doing so will probably make it even harder to be taken seriously. Why couldn’t you guys just develop a separate client for that game? With a separate account system?
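The lockout design suggested in the post (a locked account stays reachable from the last few IP addresses that logged in successfully), as an added example that is neither the poster's code nor anything from Epic; the thresholds, the `Account` model and the IP addresses are constructed for the demo.

```python
# Added example (not from the post or Epic): a lockout policy in which the
# last few source IPs that logged in successfully keep access while the
# account is locked, so a failed-login flood from elsewhere cannot shut the
# real user out. Thresholds and addresses below are constructed for the demo.
import hmac
from collections import deque
from dataclasses import dataclass, field

LOCK_AFTER = 5    # failed attempts before untrusted IPs are refused (assumed)
TRUSTED_IPS = 3   # how many recent successful source IPs stay exempt (assumed)


@dataclass
class Account:
    password: str                    # plaintext only to keep the demo short
    failed: int = 0                  # consecutive failures since last success
    trusted: deque = field(default_factory=lambda: deque(maxlen=TRUSTED_IPS))

    @property
    def locked(self) -> bool:
        return self.failed >= LOCK_AFTER


def attempt_login(acct: Account, ip: str, password: str) -> str:
    """Evaluate one login attempt; returns 'ok', 'bad-password' or 'locked'."""
    if acct.locked and ip not in acct.trusted:
        # Locked for everyone except IPs that recently proved they hold the
        # password; a bot flooding failures has never done that.
        return "locked"
    if not hmac.compare_digest(password.encode(), acct.password.encode()):
        acct.failed += 1
        return "bad-password"
    # Success: this IP becomes the most recent trusted address (the deque
    # drops the oldest beyond TRUSTED_IPS) and the failure counter resets.
    if ip in acct.trusted:
        acct.trusted.remove(ip)
    acct.trusted.append(ip)
    acct.failed = 0
    return "ok"


def simulate_lockout_flood() -> dict:
    """Office IP logs in, then a bot floods wrong passwords from elsewhere."""
    acct = Account(password="correct horse battery staple")
    attempt_login(acct, "203.0.113.10", acct.password)   # office IP, now trusted
    for _ in range(LOCK_AFTER):
        attempt_login(acct, "198.51.100.7", "guess")     # bot, wrong password
    return {
        "locked": acct.locked,
        "bot_with_right_password": attempt_login(acct, "198.51.100.7", acct.password),
        "office": attempt_login(acct, "203.0.113.10", acct.password),
    }
```

Note that the lock only bites on untrusted addresses, so even a correct password from the bot's IP is refused while the flood is in progress, yet the office address still gets in.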