Reduced support for password reset requests

[Steve Sokolowski]

Unfortunately, we've had to make a hard decision to reduce our support level for password reset requests. The changes will be effective immediately, starting with all support tickets submitted on May 30 or later.

Recently, there have been a large number of password and two-factor authentication reset requests. We love to assist customers in gaining access to their accounts, and want to help in any way possible. That said, running a business means making hard choices between things that we can do and things that we can not do.

If we offer one service, then there is another potential feature that we don't have the manpower to add. For example, if we spend 20 hours per week resetting passwords, and Chia mining is estimated to require 300 hours to implement, that means that we could have added Chia mining for free in 15 weeks if we didn't respond to some types of password reset requests.

Password reset requests are now taking up so much time that they are actually now hindering server upkeep. We've decided to make the difficult choice to reduce support for some types of password reset requests because reset requests require so much lengthy back-and-forth communication. One particular task being diverted by password reset requests is server maintenance - servers are less stable than they could be because Chris has hardware sitting next to his desk that is not installed, and servers are also not upgraded to the latest software.

The following two types of reset requests will no longer be supported:

• Requests where the customer has not associated an E-Mail address with the account
• Two-factor authentication requests where the customer used Google Authenticator instead of Authy

Both of these cases have prominent warnings on the website stating the risk that the customer is taking by not entering an E-Mail address and how Google Authenticator does not back up keys. To completely eliminate any issue you might encounter as a result of this change:

• Add an E-Mail address to your account.
• Reset your two-factor authentication key and use Authy. Store your Authy "backups password" in a safe place, and you will be immune from phone loss.

Another reason we are eliminating the two-factor authentication service, in particular, is that our terms of service do not authorize us to use data collected for the IRS for any other reason, including to verify the identity of two-factor authentication requests. Therefore, we do not have any authorized data against which to determine if the requestor is genuine.

Thanks for your understanding as we work on giving Chris more time to focus on making the system even better!

[-MaVerick-]

Letting that shiny new hardware gaining dust would be heartbreaking, so you got my support. Also working in customer service, I know how many questions can arise to even the simplest topic. But who knows, maybe one day you will grow and be able to hire new blood

[Banished_Privateer]

Seems rather odd to not have an email address associated. About two-factor authentication, it's the one I reported earlier that it would be better to have more options, as for example email or SMS code verification. Authy and Google Authenticator are a bit painful to use and do not provide much more security to my understanding. I'm already quite unhappy with Steam Guard mobile app that's required for log ins, although I've managed to find a workaround for it (still need it for some cases doe).

Another safety measure could be to whitelist device or IP feature. That's really helpful one and easy to use. Any new device needs to be verified and confirmed via email.

Nonetheless, I think it's a good choice to focus on more important things now to improve your services overall.