Since December 2018, the Epic Games Store has maintained an aggressive weekly campaign of free game giveaways. That campaign changes this week, though not with any plans to stop offering freebies.
Instead, Epic has updated the promotion with its first security-minded rule: if you want to claim EGS giveaways going forward, you’ll have to turn on two-factor authentication (2FA).
The news appeared on Tuesday at both the EGS official site and as an automatic alert for EGS users on Windows and Mac. It explained that EGS will “periodically” confirm account credentials with a 2FA notice when a user attempts to claim free games between now and May 21. The company’s only explanation for the change came as follows: “We understand that this is a minor inconvenience for some, but we want to provide the best possible solutions to protect your Epic account.”
We reached out to Epic Games asking if it had launched this campaign due to its own security breach or if the campaign came as a response to other recent gaming-service breaches, particularly last week’s leak of “160,000” Nintendo accounts. In an email to Ars Technica, Epic Senior PR and Communications Manager Nick Chester replied to both questions with a flat “no.” Chester did not immediately clarify why Epic is only implementing this restriction until May 21.
Last week, Nintendo urged all of its users to activate 2FA on their Nintendo accounts, which proved to be an effective block against an exploit that apparently targeted the dated Nintendo Network (NNID) account system. Nintendo has since removed the ability to link NNID accounts to modern Nintendo accounts.
Before EGS launched in earnest, Epic Games had already dangled a carrot to encourage its users to adopt 2FA. That came in the form of a free “emote” dance move for its popular online shooter Fortnite, which could be claimed starting in August 2018 by following the same steps encouraged in today’s EGS news. Fortnite uses the same Epic account system as EGS, which originally only supported email as a 2FA protocol; that has since expanded to supporting TOTP apps like Duo, LastPass, and Authy (which we suggest) and SMS (which we do not). https://arstechnica.com/?p=1671650