Battle.net Authenticator Changes (Cont. #5)




Wouldn't know, do NOT want to know or even think about trying it.


You know how confident I am that this hash can't be decrypted?

Here's mine.

Cached-80B07026D502F28B

Hack me. Go on. :)

Oh yeah, that's right, you still need both my username and password. How're you going to get that?


I don't think you're understanding the ramifications of this. If it really is that simple to disable the authenticator prompt, then all the keyloggers that were robbing people's username and password now just have to copy that registry key along with it, and we're back to where we started.
I personally would like the option to enter it every time. Convenience is nice, but if I wanted convenience over security I'd have not bothered with the authenticator in the first place.
This morning when I logged in (not previously knowing of this change), I too thought I had been hacked and the authenticator removed from my account. I quickly logged into my second account from a second computer with the same results (no authenticator prompt).

I then logged into my Battle.net account and was relieved to find I had to enter my authenticator code to access that. I then promptly cut a ticket to inform of an issue that needed to be fixed pronto.

It was only then that I hopped to the forums and found out what Blizzard had done. I closed my ticket after seeing it was a "new feature".

I don't like this change. I want an Opt Out option, at the very least.

There have been numerous comments as to why this is a bad idea. I agree.

And to add one more thought. Virtual Machine software is improving all the time. Once the graphics engines are sufficient to run graphic intense games, the machine footprint (simulated hardware, etc) will basically be the same if run from a Virtual Machine. Depending on how Blizzard makes up the hash used in the registry key, this may also become a security issue for anyone running WoW from a Virtual Machine.

I want Blizzard to revert back or provide an Opt Out option for this.



You know how confident I am that this hash can't be decrypted?

Here's mine.

Cached-80B07026D502F28B

Hack me. Go on. :)

Oh yeah, that's right, you still need both my username and password. How're you going to get that?


Then why did you buy an authenticator? Did Blizzard convince you that you needed one to be secure? Does it bother you that now they are telling you "Sucker.. all you really needed was a strong password and an email that is not used for anything else."

<3


<3

The registry data I pasted will only work on my computer. You can't fool WoW into swallowing it if the procedure that generates the hash does not come up with the same answer itself.

For the fellow who was playing around with the regkey before - after you changed it and it asked for the auth code... go back to your registry and see what the cached data is again. Is it the same? Is it different?

I don't think you're understanding the ramifications of this. If it really is that simple to disable the authenticator prompt, then all the keyloggers that were robbing people's username and password now just have to copy that registry key along with it, and we're back to where we started.


I'm afraid you are incorrect.

Here is what happens.


Day 1:
1. Launch WoW
1a. Behind the scenes, WoW looks at some details and generates a value. It caches that value in the registry as previously mentioned.
2. You are asked for auth code.
3. Play game.

Now we've got something in the cache.

Reboot your computer, play something else, log out, whatever.

Day 2:
1. Launch WoW
1a. WoW looks at some details and generates a value. It compares this value to what's already cached.
2. If they match, no auth code is required.
2a. If they do not match, auth code is required.
3. Play game.

I'm pretty sure this is what's happening. It's a pretty confident verification method and does not make your account info less secure.

However, I still do completely understand that requiring the authenticator to log in each time is why many people purchased one to begin with, and your wishes to allow that feature to be toggled are most likely being heard loud and clear, so please don't give up.

I am just offering some insight into how this change actually works, and trying to convince you that your accounts are no less safe at all due to the change.
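
Added example (not part of the original posts and not Blizzard's code): a small Python model of the cache-and-compare flow described in the post above, run against the cases raised in this thread. The hashed machine details, the per-account cache slot, and storing the value only after a code is accepted are assumptions; the thread does not establish what the client actually hashes.

```python
import hashlib

def fingerprint(machine):
    """Hash local machine details into a cache value (inputs are hypothetical)."""
    material = "|".join(f"{k}={machine[k]}" for k in sorted(machine))
    digest = hashlib.sha256(material.encode()).hexdigest()
    return "Cached-" + digest[:16].upper()

class Client:
    """One game install; `registry` stands in for the per-account registry value."""
    def __init__(self, machine):
        self.machine = machine
        self.registry = {}

    def login(self, account, code_ok=False):
        # Username and password are assumed to have been checked already.
        current = fingerprint(self.machine)      # recomputed on every launch
        if self.registry.get(account) == current:
            return "no-prompt"                   # step 2: values match
        if not code_ok:
            return "code-required"               # step 2a: mismatch or empty cache
        self.registry[account] = current         # cache only after a good code
        return "code-accepted"

def run_scenarios():
    # Constructed sample machine details, not real identifiers.
    home_hw = {"cpu": "constructed-cpu", "disk": "constructed-disk-serial",
               "mac": "00:00:5e:00:53:01"}
    home = Client(home_hw)
    out = {"day1": home.login("acct", code_ok=True),
           "day2": home.login("acct")}
    # Cached value copied to a machine with different details.
    other = Client({**home_hw, "disk": "another-disk-serial"})
    other.registry = dict(home.registry)
    out["copied_to_other_machine"] = other.login("acct")
    # Another person at the same computer who knows the password.
    out["shared_computer"] = home.login("acct")
    # Environment reporting identical details (e.g. a cloned virtual machine).
    clone = Client(dict(home_hw))
    clone.registry = dict(home.registry)
    out["identical_footprint"] = clone.login("acct")
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

In this model the cached value proves only that the machine details are unchanged, so the copied value is rejected on different hardware while the shared-computer and identical-footprint cases skip the prompt.
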
06/18/2011 11:42 AM Posted by Starien
I am just offering some insight into how this change actually works, and trying to convince you that your accounts are no less safe at all due to the change.


Which of course is wrong, if you have people that use the same physical computer as you.
06/18/2011 11:42 AM Posted by Starien
I am just offering some insight into how this change actually works, and trying to convince you that your accounts are no less safe at all due to the change.


You convinced me.. the moment Blizzard implemented this I was convinced that my authenticator was never needed.

I have seen you and others say that a strong password and email that is only used for WoW is all I ever needed.

Blizzard has for years told us that an authenticator was the best protection we could have.

I want a refund.

<3


What does it matter whether the system is reactive or proactive if the results are the same? More to the point, what evidence is there (aside from rambling speculation which should be well-countered by Blizzard's obvious opinion) that this will increase compromises?


What matters is that we paid for a specific item with specific features. If you paid for air conditioning in your car, would you settle for a bunch of little fans installed instead?


Also as far as what we paid for... Scroll up and read Mcnastie's post. Taken right from the blizz store.


Mcnastie's post is nonsense, twisting and misrepresenting sentences in an epileptic fit of self-righteousness.

Nothing was twisted or misrepresented, and nothing says self-righteous. I quoted exactly what was on the page and pointed out that those things are what we bought and paid for.
Wow. Hit the cap 5 times already before I even found out about this. Here's what I'm going to say although I bet it's been said already long since.

First off, is this for forum or for game client? Because I've noticed this for the forum but not for the client.

Secondly, especially if it's for the client, doesn't this mean the opportunity to be hacked is factored back in more strongly? What stops a hacker from attempting to 'impersonate' the "this is the computer this account always uses so skip the authenticator prompt" signal?
I am just offering some insight into how this change actually works, and trying to convince you that your accounts are no less safe at all due to the change.


Which of course is wrong, if you have people that use the same physical computer as you.


Are you in this situation? I can see this is a very real issue for those who are using the same computer for separate logon sessions. Not only home users, but internet cafe users.

Is there any way you could test with different battle.net accounts which use different authenticators to see how exactly this behaves? I have a feeling that a separate registry key will be created for each battle.net account, and they won't cross streams.
If Blizzard doesn't want to ask for my password, that's fine. Passwords are a weak form of security.

However, NEVER stop asking for my authenticator code. I personally would like it if the authenticator code was used as the password :D
06/18/2011 11:46 AM Posted by Blueberry
I am just offering some insight into how this change actually works, and trying to convince you that your accounts are no less safe at all due to the change.


You convinced me.. the moment Blizzard implemented this I was convinced that my authenticator was never needed.

I have seen you and others say that a strong password and email that is only used for WoW is all I ever needed.

Blizzard has for years told us that an authenticator was the best protection we could have.

I want a refund.

<3


I'm afraid you've misread what I've posted. I will try to clarify:

It is advised that you attach an authenticator regardless of what standards you use for your username and password.

Everything you need to know is here:

http://us.blizzard.com/support/article.xml?locale=en_US&articleId=20572

06/18/2011 11:52 AM Posted by Starien


You convinced me.. the moment Blizzard implemented this I was convinced that my authenticator was never needed.

I have seen you and others say that a strong password and email that is only used for WoW is all I ever needed.

Blizzard has for years told us that an authenticator was the best protection we could have.

I want a refund.

<3


I'm afraid you've misread what I've posted. I will try to clarify:

It is advised that you attach an authenticator regardless of what standards you use for your username and password.

Everything you need to know is here:

http://us.blizzard.com/support/article.xml?locale=en_US&articleId=20572


I have misread nothing... you all are talking out of both sides of your faces.

Either the authenticator is necessary, and I need to use it, or it's a piece of trash that I bought and am now told it isn't needed at all.

You can't have it both ways.

Either I need to use it or I want a refund.

<3
5 more posts to #7 continuation of the sticky. Wonder how long Blizz will continue to read these and do nothing to assuage the general populace's fears.
I felt a little more secure having to enter my authenticator every time...was no big deal for 2 seconds out of my life....however, I have JUST moved...and I am with a totally different internet company...in a totally different location, I moved 2 hours away from where I was, yet the first time I logged in since I moved (which was yesterday I logged in since I moved)...It didn't ask me for my authenticator code o.O
You would think with a new IP & a whole different internet company...I should have most definitely been asked to provide my code.

For all anyone knew...my comp could have been stolen & taken 2 hours away to a highspeed phone line connection instead of the cable highspeed I was on for years :P

I don't like it.
Why try to fix something that wasn't broken. 5 threads in regards to this should tell you that there are plenty of people out there not happy about the change. However, I'm sure plenty do like the change as well.

For me, I want an opt in/out at the very least. I don't want Blizzard deciding for themselves just how secure or unsecure my login location may be. I want to do that myself.

Give us back our original functionality Blizzard.

Regards.
I didn't even think about the same-computer thing.

If someone has your computer, your account and password, but not your authenticator, they can now log in, when before they needed the authenticator.

I think of all the parents out there that were using the authenticator as a form of parental control on this game. And all the kids sneaking off to play it when the parents haven't been adequately informed the authenticator isn't always required any more.

How many people have shared the password with other members of their home for whatever reason, knowing without the authenticator even the password won't let them log in? Oops.
I guess we'll have to see how many people claim "I got hacked even though I had an authenticator."

It's already been possible but hard, now it just seems easier.
Time will tell, I suppose.
