The RuneScape Authenticator is an additional layer of protection players can utilise on their accounts. It replaces the Jagex Account Guardian (JAG) with an RFC-compliant time-based one-time password (TOTP) scheme compatible with Google Authenticator. The algorithm can be used both in supported mobile apps and in desktop implementations. Unlike JAG, this system works for both RuneScape 3 and Old School RuneScape.
To set up the RuneScape Authenticator, a player must visit the Authenticator landing page. Jagex generates a random 80-bit secret key unique to each user and presents it both as a two-dimensional barcode and as a 16-character Base32 string. Many mobile devices can read the barcode directly through their camera, which is equivalent to entering the Base32 string manually. The implementation generates a 6-digit code every 30 seconds from the key and the current Unix epoch time.
Once set up, players are prompted to enter the 6-digit time-based code whenever they log in to the game from an untrusted computer. Jagex accepts codes within a 10-minute window (five minutes on either side of the actual time) to allow for clock drift between Jagex's servers and players' devices.
Players can choose to trust the computers on which they play RuneScape for up to 30 days or choose to enter a code every time they wish to play.
Players can also choose to use the authenticator for their bank PIN instead of the fixed 4-digit PIN. However, the 4-digit PIN is not obsolete: logging into the bank or the Grand Exchange from the RuneScape Companion app still requires it. Players who stop using the authenticator as their bank PIN revert to the last 4-digit PIN they used.
To disable the authenticator, click on the "disable authenticator" link. Jagex sends an email containing a disable link to the email address registered for that account. It is highly encouraged that the email account associated with the RuneScape account itself require two-step authentication, so that the RuneScape Authenticator cannot be easily removed by anyone who gains access to the mailbox. That is, the email account should require a text message or a call to a mobile device before a new computer can access it.
- On release, the authenticator was stated to trust a computer for 30 days if that option was selected, but it only did so for 14 days. It now trusts the computer for the stated 30 days.