Deleted 33 days ago

Uhm. https://itch.io/docs/advanced/two-factor-authentication 

Two points to add there. It is an open standard, you do not need to use the Google app. You can use any app that uses that TOTP standard. And second, sadly, 2FA will not protect your account against cookie theft attacks. Use sandboxing, like the one the itch app provides, to add a layer of protection to your credentials.

(3 edits)

I'm using the Itch.io app too, what do you mean with sandboxing?  

edit: Okay I think I found that, I activated the option. So you don't think I should get the extra step thingy?

Then again what is that Itch. Player extra account thing now? 

I thank you both for the help. I think it's clear that I have rarely done anything like this before, or at least in English/on Itch.io.

I could offer German to explain some things better but I doubt you understand that better?

Anyway, is there a phone number or email here that I should remember in case something happens at some point?

(1 edit)

Sandboxing is a concept. It means running a game in an environment where it does not have access to critical things. Games that run in a browser are sandboxed. Games that run on Android are mostly sandboxed. Games that run on an admin-privileged Windows user account are the opposite of sandboxed.

You asked for authenticators, so I assumed you are interested in security. Trying out new and indie games exposes you to amateur-level developers and, if you are unlucky, to malware. It is of course mostly a Windows problem that has existed for decades. Any malicious program could read the cookies of your browser. And any badly programmed app could mess with your system settings, or leave clutter at places where no clutter is supposed to be.

The sandbox method the itch app uses is to create a new user that does not have the right to read the files of your main account. The game, when started by the itch app, runs as that user and can only mess with the files of that user.

If you use 2fa, print out the scratch codes. They are needed to restore your account, if you lose your phone with the 2fa app.

Regarding dangers on itch, you might be interested in 

https://itch.io/t/1659440/psa-beware-the-try-my-game-scam

quote from the itch creator: "On itch.io, it is safe to view the page, but do not download any untrusted software" "Treat any page you encounter with suspicion if you are unable to vet the creators in any way."

This goes for pages encountered in recent or by random browsing as well. Scammers spam their malware and not all of it gets caught in time before some unsuspecting user finds the page. Some of the games in your collections went missing because they were malware - if you are the type of user that puts games in collections to view later. Others are missing because the developer deleted them, or for other reasons.

You are right and I have to admit I get slightly confused now. I wanted to start paying for stuff, or when I reached a certain amount paid I thought maybe I protect the account a bit better. So I wanted to know what I need for that.

From what I understood you think sandbox mode is enough, right? I think I understood that concept now.

I just have the question if I have to go through any complicated or "make a new second password" situations when I allow Itch.io to run with that second account you spoke about.

I have it on another gaming client, that two-step authenticator, and know it as something that helps to protect your account. I'm however rather unsure in situations like this and it felt like here it's more complicated.


Soooo when I pay for stuff or paid enough I want to protect my account and my games, well, naturally everything else too if you can help it, you know. I lost my train of thought, but I wanted to see what I really need since I hate all that download 20 apps even when your phone is full or create 25 accounts stuff.

My stuff wasn't always this sorted so I might be just a bit worried I have to search for hours for a stray password again.

I hope it's still clear what I want now and I haven't explained too much.

(+1)

Sandbox is just a tool, that is cheap to use. That soft sandboxing is little effort and when the itch app handles it, it should be easy enough. If you manually set it up, you would have to shift right click the exe and select run as, and enter password and user. I would not use it to test suspected malware. But rather as a precaution, like driving with a seat belt, even when not expecting a car crash. And just like a seat belt, it will not protect against driving from a cliff. It protects against user level attacks, like stealing your session cookie. Those attacks are very nasty, as they circumvent 2fa and password completely (this is not an itch specific problem).

To protect your machine, you should up your scepticism. I made a tips thread about that. In short, do not trust the new and shiny things, even when hosted on itch. Itch has no account verification, so anyone could be an impostor (yes, just like in Among Us, which incidentally is also hosted on itch). But this is general anti-scam advice. Do not trust strangers on the net, the phone, the mail, on a self-publishing store..., even if they say they are royalty from other countries and have money to give to you.

Okay thank you this is helpful.

Well, with all that my biggest question is always, just in case there should be any reason I want to or have to remove it, would it be easy?

I don't know where this is coming from anymore, but I always feel like I install it, encounter something that needs me to remove it and I have big trouble to figure out how to remove it without causing any troubles for everything else. (Like those savefiles I think you described are tucked away there)

What I still have not understood, the account that is created, is that like a camouflage for the account? I remember that it sounded like you keep your account and everyone knows or sees you as Mausakrobat28 but either the folder or your account is somewhere named user3812 (whatever)

I know, I know, I guess I had some bad experiences and now I'm also figuring this out in English even if it feels easy enough to understand.

I just keep asking myself these "what if" things.

Soooo what I wanted to know from you before, and since the 2fa is different from what I know from Steam in how it seems to work a bit, is sandboxing in your eyes enough at the moment or do I need 2fa and sandbox?

It starts to sound like 2fa might not be needed in this case....or wait it's late but you might be actually meaning that I should get both because they kind of both protect one side of the coin a bit.

Thank you again, I hope it's still alright for you to help me a bit further should I still remember something tomorrow.

It starts to feel like I'm too careful again, but now I'm even a bit tired and I just remember your link. I take a look tomorrow I guess.

I believe you are mixing up some things.

The sandbox user is on your computer. It is a Windows user. You are on Windows, are you not? You realize you can have an admin user, a regular user and a regular user with admin privileges? Regular users cannot access data from other users. That is all there is to it.

2fa is just the concept of having two separate tokens. One is the password. Another one can be phone, email, a special device, whatever. The method used on itch is "totp" and you need a totp app for that. Print out the one time codes, should you decide to use it. 

Regarding what is "enough". Running games not with your main account, is just a very effective method to gain much security for a little bit of effort. Especially on itch, since sadly many people abuse this platform.

(+1)

Okay I guess I understand that, but I didn't have the need to use a second account yet so I guess I wasn't totally aware.

I'm still curious if you would use both methods.

Also do I need to install much stuff again, replay things and whatever?

The most annoying thing I can imagine at the moment is running into a situation I can't solve or get myself out of and that I really need more GB for all the app stuff I probably need soon.

I was only told to maybe not use the newest games and see if someone mentioned a lot of problems viruses or odd things in the comment section. I also usually stay away from stuff that doesn't even show any pictures since that gives me a low effort feeling.

Both things are protecting from different things. Since you asked about installing things twice, you did not understand how this sandbox method works. I already told all there is to it. So maybe read other explanations on the net on the topic, maybe they explain things better.

Just be aware that itch is not Steam. If you only play popular games, sandboxing should not be necessary. And by popular I do not talk about that shiny new game you saw on Steam that is now free on itch - those are malware most of the time.

I was only told to maybe not use the newest games and see if someone mentioned a lot of problems viruses or odd things in the comment section. I also usually stay away from stuff that doesn't even show any pictures since that gives me a low effort feeling.

Good advice. But be aware that it is trivial to copy description and screenshots from an existing project and publish it on an old hacked account.