Why Implementing Multi-factor Authentication In League of Legends Isn't That Easy

League of Legends still doesn’t yet have a multi-factor authentication yet to protect players’ [...]

(Photo: Riot Games)

League of Legends still doesn't yet have a multi-factor authentication yet to protect players' accounts, much to the concern of some users, but a Riot Games engineer recently offered some insight into why adding the feature isn't quite as simple as some would think.

Several other games and online services have implemented the often optional security measure that provides another layer of safety to accounts over the past few years. With League lacking that feature, a commenter within a Reddit post brought up the absence of MFA and referenced year-long hopes that it would be added. The post in question was coincidently one about Riot Games not catering to every opinion that was formed within Reddit, but Riot's A Red Herring offered a response.

Beginning with the Rioter saying that they also wanted MFA to be implemented, A Red Herring explained some of the obstacles that stand in their way.

  1. "Spaghetti or legacy code. I know it's a meme, but it's a real consideration, especially when a system has to scale up to 100 million users per month and it absolutely cannot fail once because players get locked out of their accounts.
  2. "The likelihood is most users who use MFA have nothing to worry about because they are likely to be more security conscious, so there's little gain in terms of actual security unless we can offer incentives to the broader playerbase to adopt security measures, which leads into..
  3. "Determining an effective incentive to get players utilising MFA is hard. We'd need to find something that would appeal to all players. The only thing I can think of here is a free skin, which would appeal to both veterans and newbies, but then it would have to be a new skin so as to not give out a skin everyone has.. okay, so now we have to design a new skin, what champion should it be for? What thematically makes sense?
  4. "Options for MFA. A lot of players, particularly in less wealthy countries than Western Europe and the United States, may not have a compatible smart phone that enables them to use MFA - so releasing an app that only works on smart phones is gonna feel pretty bad man and again it reduces the impact of the security measure. Text messages could work, but that would involve having to work with a carrier in every country we work for so that users do not get charged for SMS (which is a lot of work)."

A Red Herring summed up the thoughts by saying that they agreed it shouldn't take four years to implement, but it was a difficult process regardless.