Over 250 million user accounts are now registered with the Epic Games Store and, given their recent push into games retail and distribution, it's no surprise that account security is a hot button issue. Addressing the topic this week, Epic Games reiterated their commitment to improving security and announced some new features which will be rolled into the Epic Games account system (covering the store and accounts for Fortnite and other Epic online titles).
It may come as some surprise to you that Epic Games does already offer two-factor authentication on their user accounts. Unfortunately that fact isn't obvious in the Epic Games desktop app, the primary means through which users will be interacting with their account; if you don't know it exists you can easily entirely miss it.
Currently Epic Games provides 2FA authentication through an authenticator smartphone app, a similar tool used by major games publishers and retailers such as Blizzard and Amazon. This generates a code to use on each login, making it substantially more difficult for bad actors to break into your account for nefarious purposes. In the near future Epic will also be offering SMS authentication, where a code is sent to your phone by SMS text for your to input. It's less ideal, but the added option is certainly valuable to some users.
Epic states that their account system has never been hacked, but they are also keen to stress that you should never use the same email/password combination as another site or service. Furthermore, passwords should in general be complex character strings rather than easily discovered using a dictionary attack or as part of common password lists such as that generated by HaveIBeenPwned.
The bulletin goes on to say that they regularly check user accounts against known email/password combinations distributed by hackers, prompting users to update their security if and when they find a match.
One final piece of news is that Epic have begun requiring email verification for all new accounts. Recently, new customers have contacted them to say that when creating an account they received notification that their email address had already been used. It turns out that hackers had been using leaked email and password databases to register millions of accounts through a bot, something possible because email verification wasn't mandatory.
Epic's Games Store still has some way to go before it'll be viewed in as positive a light as Steam, but improving security is definitely a good start.
SOURCE: Epic Games Store Dev Blog