Security updates: reCaptcha and Two-factor Authentication

As we continue to add features like Donation Points to our services, the security of your account becomes more and more important. To that end, the team has been working to provide you with updated systems and tools that will help to ensure that your account and content do not fall into the wrong hands. 

reCaptcha

Many of you have no doubt already noticed the first of these new features when logging in to the website, known as reCaptcha. Most of the time, this system will not require any input from the user, but if deemed necessary, you may be presented with a challenge or puzzle that is intended to be easy for us humans to solve but difficult for bots. Only after carefully reading and successfully completing the challenge will you be able to log in.

We realize that this may be a bit of an annoyance, but we feel these systems are necessary to help ensure that our services are not compromised, keeping your accounts and content secure. More information about our primary captcha service can be found here: https://support.google.com/recaptcha/



Though most people will see Google's reCaptcha 2 system, if it fails to load for whatever reason, the website will fall back to a similar alternative. This will only affect you when you are logging in, so as long as your account remains logged in on your device(s) of choice, you will not be bothered by this minor hurdle (though always be sure to log out when using a public device, of course).


Two-factor Authentication

The more recent addition to our account security suite is known as Two-factor authentication. When enabled, this system serves two purposes. First, it is designed to keep your account secure by ensuring that you, and only you, have access to your account. Secondly, it provides a method to regain access to your account in the event that you lose control of the email address associated with it.



Though optional, we highly suggest that you enable this feature to help ensure the security of your account. More detailed information about our new Two-factor Authentication system can be found here: https://help.nexusmods.com/article/74-two-factor-authentication-for-nexus-mods

That's all for now. We hope that these new systems serve you well. If you have any questions or concerns, comment below or contact [email protected]

Cheers!

60 comments

Comments locked

A moderator has closed this comment topic for the time being
  1. debralou2002
    • supporter
    • 0 kudos
    The two factor system isn't working for me. I have tried three different authenticator apps (Google, Authy and Microsoft's Authenticator). They recognize Nexus but Nexus won't recognize their code.
  2. fgy67hjjuytt
    • member
    • 0 kudos
    > Many of you have no doubt already noticed the first of these new features when logging in to the website

    You mean that god-awful login Captcha that is hilariously easy to get around by abusing Google's own speech to text service?

    > Most of the time, this system will not require any input from the user

    Maybe if you're lucky and don't care about privacy, for the rest of us it's an ordeal of disabling various anti-tracking addons, disabling content blocking and enabling JavaScript

    > We realize that this may be a bit of an annoyance

    It's a massive annoyance. In fact it's such an annoyance that I got fed up and now just use jdownload2 and its nifty little Captcha solver to avoid logging in via a browser

    > but we feel these systems are necessary to help ensure that our services are not compromised

    Lol then you're wrong. No other website does this, not to mention that if you actually cared about the risk of compromise you'd set up some sort of proper 2 factor auth instead of this disgrace of an email system. Yea no need to worry about compromise when anyone with access to my email account can read my 2fa codes.

    There's also the fact that this terrible system doesn't even bother to make the user fill in the code every time, so if my computer is ever compromised your 2fa won't mean s#*!

    > When enabled, this system serves two purposes. First, it is designed to keep your account secure by ensuring that you, and only you, have access to your account

    No. It ensures that anyone with access to my computer or my email can access my account. I mean really how hard is it to set up an OTP system?
  3. Gummiel
    • premium
    • 28 kudos
    Aww no option to use a 2FA app on your phone? Ofc this is better than nothing, and definitely a step in the right direction, but 2FA with email only is rather cumbersome to use, compared to an app on your phone.
    1. kojak747
      • premium
      • 724 kudos
      I prefer 2FA email tbh
    2. Gummiel
      • premium
      • 28 kudos
      Well, I never said to replace it, but to offer it as an option beside it. That said, the kind of 2FA that utilizes a phone app is in fact more secure, since with a mail-based system there is a mail that could be intercepted with the code needed to get into one's account, whereas the app-based 2FA doesn't have any data being sent at all, so they would literally have to hack into your phone first to then get the code.
    3. acbatchelor
      • premium
      • 48 kudos
      I agree that there should be an option for 2FA by phone. It doesn't even have to be an app. I've seen it done by text message as well.
    4. AzureRaptor
      • premium
      • 0 kudos
      I strongly second the motion for an optional TOTP-based 2FA system. It's really not that hard to set up, and considerably more secure than email-based 2fa - nor is it subject to email delays.
  4. GOLDENTRIANGLES
    • premium
    • 8 kudos
    Looks good.
    1. JaxomPern
      • member
      • 0 kudos
      NO it does not look good ;(

      I have now tried for 2 WEEKS, daily, multiple times to log in, and recaptcha did not work and the fallback did not trigger!
      It is pure luck it did trigger now! I start to really HATE Google recaptcha, and Nexusmods gets more and more annoying.

      WHY ?! Money issues (server) or whatever.. And I can't update my hardware or software just for fun to "meet" their expectations; money is an issue THERE too ;)

      P.S. Please think about people not able to use "modern" browsers. And sometimes "modern" browsers are an annoyance too.
    2. evelynharthbrooke
      • premium
      • 0 kudos
      They're not going to focus on older hardware or browsers. It's 2018, they're just trying to adapt to newer technology. It's not their fault that your older hardware can't seem to exactly keep up. And it's not money issues, it's security issues. They need to enhance their security otherwise the risks of them getting hacked are higher.
  5. ConnieandMike
    • premium
    • 0 kudos
    I don't mind the captcha but when it starts wanting me to click on pictures that have this or that in them... I can't stand that. It just goes on & on sometimes.
    1. Kenrox
      • member
      • 29 kudos
      Cause you are a robot.
      Gotcha!
    2. DeathClawDC
      • premium
      • 60 kudos
      And robots don't complain!!!
    3. Moksha8088
      • supporter
      • 112 kudos
      I think one of the first rules of robotics is that the robot is supposed to comply provided you have purchased both the robot enabling microtransaction and a set of the Doom Marine Power Armor.
    4. Black Jack 11
      • member
      • 4 kudos
      Give me the pictures over the word reCaptcha. I suck at the word reCaptcha.
    5. BAPWAS
      • premium
      • 104 kudos
      What if a Synth tries to log in? :D
      Jokes aside, ConnieandMike said it right. It just goes on and on most of the time (7-8 pictures sometimes).
    6. Pickysaurus
      • Community Manager
      • 649 kudos
      The number of image challenges is based on how convinced Google is that you're not a synth... once you've got past them though you can stay logged in or it should require fewer challenges (or none) next time you try to log in.
    7. Dubbyk
      • supporter
      • 11 kudos
      Let's hope it's more effective than the G.O.A.T. at spotting robots
    8. dubiousintent
      • premium
      • 77 kudos
      "It just goes on & on sometimes." Been there, had that.

      This can happen if you do not enable cookies from third-party sites (such as Google) or destroy them too quickly. You definitely need to enable persistent cookies from "*.Nexus.com" to avoid most of the recaptcha annoyance on your personal device.
    9. anonymousgammer740
      • member
      • 1 kudos
      Makes me wonder what they have against robots...
  6. LadyHonor
    • premium
    • 92 kudos
    This is so dumb. I usually like the site's upgrades, but this one is nothing but a pain. When I accessed it with my PC all I had to do was click "I am not a robot." When I accessed it with my cellphone I had to do the captcha thing that was nearly impossible to read. I finally had to use the audio thingie to say it for me. If it has to be there it would make much more sense to only have to click the "I am not a robot" for cell access and do the captcha thing for your PC browser.
    1. anonymousgammer740
      • member
      • 1 kudos
      Yea, I don't like it either. It is stupid and pointless to have a setup like that. I would never do something like that if I ran a website.
  7. ozzyfan
    • premium
    • 41 kudos
    I'd prefer a tap/click-to-solve authentication to ones where you have to type out words. More convenient for mobile phone users.
  8. customtemplar
    • premium
    • 5 kudos
    This is a step in the right direction, but SMS based 2FA is not very robust as it's vulnerable to interception. Hopefully TOTP 2FA can be implemented soon.
  9. TheCaptain19WingNut
    • supporter
    • 1 kudos
    "Most of the time, this system will not require any input from the user, but if deemed necessary, you may be presented with a challenge or puzzle that is intended to be easy to solve by us humans but prove difficult for bots." THIS HAPPENS EVERY DAMN TIME I TRY TO LOG IN!! The text is completely unreadable. It takes usually 6+ tries and dozens of reloading the text to get one I can kinda guess the letters of. It is anything but "easy for us humans" and nothing but an annoyance that DOES NOT HELP WITH SECURITY. Just read this: https://www.komando.com/happening-now/355395/captcha-codes-are-more-than-just-annoying-theyre-putting-your-security-at-risk. This is completely useless.
    1. TheCaptain19WingNut
      • supporter
      • 1 kudos
      Well it only took 2 dozen times today. WTF!!!!! It's about time Nexus had some competition. This used to be a good site but it's been getting worse. They don't support NMM anymore and the re-captcha is a damn joke.
    2. Mk15dap3sLVLghnQfIzftlkNU4
      • supporter
      • 2 kudos
      I'll add this here:
      "Google's new CAPTCHA security login raises 'legitimate privacy concerns'"
      https://www.businessinsider.com.au/google-no-captcha-adtruth-privacy-research-2015-2

      Partial summary. Google ReCaptcha doesn't just check if you're human, it identifies you as a specific individual and tracks your travels across the Internet (e.g. including sites with Google captcha logins). When you use their recaptcha, they also place / update a Google cookie to remember where you individually have been / your activities. They use a mix of fingerprinting techniques (anonymity-defeating techniques), including examining all info about your browser, including which browser addons you have installed. In other words, it's Google.
    3. CyniclyPink
      • supporter
      • 21 kudos
      I'm really looking forward to the reply for this.....

      "Google's new CAPTCHA security login raises 'legitimate privacy concerns'"
      https://www.businessinsider.com.au/google-no-captcha-adtruth-privacy-research-2015-2
    4. Xz0mb13killaX
      • member
      • 4 kudos
      The mere act of casually browsing mods isn't even fun anymore.........
  10. DeathClawDC
    • premium
    • 60 kudos
    Well, new problem found: the second recaptcha (the one with number challenge) just keeps giving me an error of my code being wrong every time. Reloading doesn't work and I have to restart my whole browser and reconnect my net to get the first recaptcha (the one with a blue arrow), and then I'm finally able to log in.
    Don't think it's properly working for me.
    1. Pickysaurus
      • Community Manager
      • 649 kudos
      We made some changes to the system over the last couple of days so it should be working as expected for everyone now.
    2. DeathClawDC
      • premium
      • 60 kudos
      OK, now that's what I like about this community: instant reply with instant system fix (or say check).
      Anyway, really appreciate the reply and thanks again for taking your time for replying.