The Jagex Account Guardian (JAG) is an account security feature that provides enhanced security by blocking unknown devices from accessing your account. Although Jagex has stated that the functionality of the system remains undisclosed, it seems to use modern device-recognising technologies to authenticate a user's login attempts. This includes a combination of the user's MAC address, their IP address, an encrypted security token saved on the user's system, and possibly other means which remain unknown. Its primary aim is to protect against phishing and hijacking; additionally, it discourages account sharing.
A player may choose the device(s) that they wish to grant access to the account. Unknown devices need to pass email and security checks before access is permitted. If a player plays from multiple locations, they can add new devices at any time and can have as many as they'd like. Devices can be given access on a temporary or permanent basis.
With the introduction of JAG, the recovery question feature was removed and replaced with a permanent recovery question system within JAG. The questions provided may not be customised; instead, the pre-set questions aim at answers that only the real owner of the account would provide. Answers may not contain capital letters. The question choices are:
- Secondary email address for J.A.G / account security
- Where was your first vacation / holiday?
- In what city or town did your mother and father meet?
- What was your favourite place to visit as a child?
- What is the last name of your favourite teacher?
- Who was your first best friend – first name?
- What is your favourite sports team?
- What is the first book you remember reading?
- What was the first video game you bought?
- What was the first music album you bought?
- What is your mother's middle name?
- What is your oldest cousin's first name?
Flaws and concerns
In the event that a hijacker is able to obtain a player's questions and answers (whether by keylogging, social engineering, or some other means), he or she will have permanent access to that player's JAG settings, notwithstanding a changed password. It is strongly advised that one should never give out ANY information whatsoever; doing so opens up more doors for the hijacker.
Aside from JAG recovery questions, a hijacker may gain full access to the account through the Customer Support Centre on the forums. This alternative method requires them to present the customer support team with as much information pertaining to the account as possible in the hope of claiming ownership of the account, so it is very important to keep all information completely undisclosed online.
The fact that recovery questions cannot be changed once they are set presents another issue with the JAG system. Although this would be rare, since the questions are very personal and their answers hard to forget, a player who forgets the answers to their questions will be locked out of the JAG security system, and possibly their account. Such players may attempt to log in and remember or correctly guess their answers; however, only 3 tries are permitted every 24 hours, after which the account is locked for 24 hours to all non-permanent access.
Jagex's official response to these two concerns is to remind players to choose security questions they will not forget, and to keep their login details secure.
On the official FAQ page for the Jagex Account Guardian, Jagex stated that their method of identifying devices is top-secret. This is a case of security through obscurity.
Players who identify themselves as under 13 will not have the ability to use J.A.G., and will receive this message upon trying to, although it was open for a short period of time after its release.
- Use a mixture of letters and numbers in your password as it will strengthen your password, making it more difficult for it to be cracked.
- Avoid giving out your Facebook, Twitter, or any other social media username as this contains an endless amount of information that a hijacker will use — even if your privacy settings hide everything.
- Avoid giving out an e-mail address or Skype username (as it may contain your e-mail address). Doing so will allow the hijacker to link as many pieces of information together as possible to begin collecting vital information pertaining to your Jagex account.