Jump to content

Security updates: reCaptcha and Two-factor Authentication


Recommended Posts

As we continue to add features like Donation Points to our services, the security of your account becomes more and more important. To that end, the team has been working to provide you with updated systems and tools that will help to ensure that your account and content do not fall into the wrong hands.


Many of you have no doubt already noticed the first of these new features when logging in to the website, known as reCaptcha. Most of the time, this system will not require any input from the user, but if deemed necessary, you may be presented with a challenge or puzzle that is intended to be easy to solve by us humans but prove difficult for bots. Only after carefully reading and successfully completing the challenge, will you be able to log in.

We realize that this may be a bit of an annoyance, but we feel these systems are necessary to help ensure that our services are not compromised, keeping your accounts and content secure. More information about our primary captcha service can be found here: https://support.google.com/recaptcha/


Though most people will see Google's reCaptcha 2 system, if it fails to load for whatever reason, the website will fall-back to a similar alternative. Only when you are logging in will this affect you. So as long as your account remains logged in on your device(s) of choice, you will not be bothered by this minor hurdle (though always be sure to log out when using a public device, of course).

Two-factor Authentication

The more recent addition to our account security suite is known as Two-factor authentication. When enabled, this system serves two purposes. First, it is designed to keep your account secure by ensuring that you, and only you, have access to your account. Secondly, it provides a method to regain access to your account in the event that you lose control of the email address associated with it.


Though optional, we highly suggest that you enable this feature to help ensure the security of your account. More detailed information about our new Two-factor Authentication system can be found here: https://help.nexusmods.com/article/74-two-factor-authentication-for-nexus-mods

That's all for now. We hope that these new systems serve you well. If you have any questions or concerns, comment below or contact [email protected].


Link to comment
Share on other sites

  • Replies 60
  • Created
  • Last Reply

Top Posters In This Topic

Aww no option to use a 2FA app on your phone? Ofc this is better than nothing, and deffinatly a step in the right direction, but 2FA with email only is rather cumbersome to use, compared to an app on your phone
Link to comment
Share on other sites

In response to post #61981992.

CreeperLava wrote: This fallback for captchas seems like a very bad idea from à security standpoint. If the alternative is less secure than google's, it's easy enough to force it to appear instead of google's. Kind of defeats the point of having it.

The capcatcha failsafe is there to have something available instead of locking people out of their accounts until the service comes back up.
Considering how reliable Google's services (usually) are, this will be a rare occurance if nothing else.

It doesn't 'defeat the point' of having capcatchas at all; it is something I (rarely) encountered when I was still living in an apartment complex and sharing the same IP with others. Nexus has to balance security and convenience and I feel they've struck an acceptable balance between the two. Besides, in a worst case scenario you have a vandal who messes with a modder's settings or something that can be easily undone if reported quickly enough. Edited by DaedalusMachina007
Link to comment
Share on other sites

I hope that Nexus considers proper 2FA instead of this email-based pretend authentication.



SecSign is free for business if you use their cloud-hosting; otherwise Nexus can self-host by paying their fees:



There are also other providers, but that one came up first as a free solution in search results.

This isn't an advert; just a quick internet search to find an alternative to e-mail based pseudo-2FA that can be easily intercepted/manipulated since e-mail has zero encryption outside of PGP or specific e-mail services like ProtonMail.

Edited by DaedalusMachina007
Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...