Dial-In Authenticator not working as intended

85 Draenei Mage
9385
I really like the idea of the new dial-in authenticator, but some things I've been hearing have me concerned. I have several friends reporting that after applying the dial-in authenticator, they have somebody test it by trying to log into their account from a different location, but in all of these cases, the person has been able to log right in without being asked to dial in and authenticate. This also made me realize that I have no way to confirm that my own dial-in authenticator is working properly without giving someone else my account information to test with, or hauling my desktop to another location, neither of which are feasible for me.

Is there some current issue with the location detection in the dial-in authenticator, and could a procedure or something be put in place so that people can be assured that their authentication is working properly? The most obvious idea I had is the ability to manage the IP addresses allowed by the authenticator in my Battle.net account management. This way I can make sure that only the two addresses I log in from are allowed, and be assured that anything else would be denied. There may be some issues for people using ISPs that don't have static IPs and/or are given a private IP behind an ISP NAT device, but in those cases, you could use a combination of the IP subnet and the MAC address for verification or something.

TL;DR - Dial-in authenticator isn't stopping other locations from logging in as expected.
80 Night Elf Rogue
4065
There is another option that will force you to have to call in each time you log in, regardless of location, if you want to try that.

There may be another factor to these log in location triggers that we don't know about. My assumption is that's more along the lines of "there's no way it's humanly possible that the same person logged out from Seattle five minutes ago and is now logging in from Hawaii." :X
85 Draenei Mage
9385
There is another option that will force you to have to call in each time you log in, regardless of location, if you want to try that.

There may be another factor to these log in location triggers that we don't know about. My assumption is that's more along the lines of "there's no way it's humanly possible that the same person logged out from Seattle five minutes ago and is now logging in from Hawaii." :X


I didn't realize that the force call option was available, but that would defeat the purpose for me, as I moved from the mobile authenticator to the dial-in. I appreciate the information though.

Once they realized that it was not working properly, I know people have been trying things quite like that just to try to get the system to trigger, even having multiple people in multiple far-spread locations log in in quick succession, and still have not been able to get the authenticator to fire. (However, I believe at least one person did manage to get their account temporarily locked, to where they had to log into Battle.net and unlock it, but still didn't get the authenticator flag in game.)
85 Blood Elf Warlock
4730
There is another option that will force you to have to call in each time you log in, regardless of location, if you want to try that.

There may be another factor to these log in location triggers that we don't know about. My assumption is that's more along the lines of "there's no way it's humanly possible that the same person logged out from Seattle five minutes ago and is now logging in from Hawaii." :X


I didn't realize that the force call option was available, but that would defeat the purpose for me, as I moved from the mobile authenticator to the dial-in. I appreciate the information though.

Once they realized that it was not working properly, I know people have been trying things quite like that just to try to get the system to trigger, even having multiple people in multiple far-spread locations log in in quick succession, and still have not been able to get the authenticator to fire. (However, I believe at least one person did manage to get their account temporarily locked, to where they had to log into Battle.net and unlock it, but still didn't get the authenticator flag in game.)


The dial-in authenticator is a step down in security due to it being reactive instead of proactive. I wouldn't give up the normal authenticators for it.

Being a new system, it also has some kinks to work out still.
85 Draenei Mage
9385
The dial-in authenticator is a step down in security due to it being reactive instead of proactive. I wouldn't give up the normal authenticators for it.

Being a new system, it also has some kinks to work out still.


Actually, if it was working properly it is more secure than the original authenticators. Anyone trying to log in would need to be logging in from your location, able to use your phone to make a call, AND know the PIN you created when initializing the authenticator. All of these pre-set walls are pro-active.
85 Blood Elf Warlock
4730
The dial-in authenticator is a step down in security due to it being reactive instead of proactive. I wouldn't give up the normal authenticators for it.

Being a new system, it also has some kinks to work out still.


Actually, if it was working properly it is more secure than the original authenticators. Anyone trying to log in would need to be logging in from your location, able to use your phone to make a call, AND know the PIN you created when initializing the authenticator. All of these pre-set walls are pro-active.


As long as it's dependent upon location detection it will always be vulnerable to IP and geo-location spoofing, which is far easier to pull off than a man-in-the-middle attack.

And it's a lot more vulnerable to social engineering.

(Note: I can't comment on the always-call option as this is the first I've heard of it.)
Edited by Shadofall on 11/20/2010 11:45 AM PST
85 Draenei Mage
9385
The dial-in authenticator is a step down in security due to it being reactive instead of proactive. I wouldn't give up the normal authenticators for it.

Being a new system, it also has some kinks to work out still.


Actually, if it was working properly it is more secure than the original authenticators. Anyone trying to log in would need to be logging in from your location, able to use your phone to make a call, AND know the PIN you created when initializing the authenticator. All of these pre-set walls are pro-active.


As long as it's dependent upon location detection it will always be vulnerable to IP and geo-location spoofing, which is far easier to pull off than a man-in-the-middle attack.

And it's a lot more vulnerable to social engineering.


The location is only one factor. While IP spoofing would obviously be a concern if it was the only requirement, they would also have to be able to spoof your phone number and know your PIN. If they are able to spoof your IP, your phone number, and social engineer your PIN out of you somehow, then I'm sure any authenticator wouldn't have been able to help you.

Edit: Although, I guess if they spoof your IP, then they would never be presented with the actual authentication. However, a spoof is only one way: if the login server attempts to confirm by replying back to the spoofed IP, it should still not allow you to log in because that reply isn't going to go back to the attacker. I'm not sure how the game's login methods handle this situation though.
Edited by Damien on 11/20/2010 11:53 AM PST
85 Blood Elf Warlock
4730


The location is only one factor. While IP spoofing would obviously be a concern if it was the only requirement, they would also have to be able to spoof your phone number and know your PIN. If they are able to spoof your IP, your phone number, and social engineer your PIN out of you somehow, then I'm sure any authenticator wouldn't have been able to help you.


If there is an always-call option then my arguments are moot, I'll admit that.

But I've found no indication or information on a forced always-call option so far.

Which leaves the system to only react to suspicious activity, which goes back to location and IP spoofing, which is as easy info to collect as a username and password.
Edited by Shadofall on 11/20/2010 11:55 AM PST
85 Draenei Priest
10465
Long story short, I'm sticking to my authenticator. Typing in 6 numbers before logging in is something I've done for almost 2 years now...
85 Draenei Mage
9385
Selecting what IPs are allowed is a bad idea as most users are on dynamic IPs.


I covered that possibility in the sentence directly after the sentence you are referring to.

"There may be some issues for people using ISPs that don't have static IPs and/or are given a private IP behind an ISP NAT device, but in those cases, you could use a combination of the IP subnet and the MAC address for verification or something."
Edited by Damien on 11/20/2010 1:46 PM PST
90 Blood Elf Mage
7825
I have several friends reporting that after applying the dial-in authenticator, they have somebody test it by trying to log into their account from a different location


I don't recommend doing this as a test. Why? You're giving your account details to someone else, which in turn could result in another action altogether. After all, you did agree NOT to give your account login details when you agreed to the terms and conditions of your account.

Why don't you simply test it out by using things like internet cafes?
50 Tauren Druid
630
There is another option that will force you to have to call in each time you log in, regardless of location, if you want to try that.

There may be another factor to these log in location triggers that we don't know about. My assumption is that's more along the lines of "there's no way it's humanly possible that the same person logged out from Seattle five minutes ago and is now logging in from Hawaii." :X


I didn't realize that the force call option was available, but that would defeat the purpose for me, as I moved from the mobile authenticator to the dial-in. I appreciate the information though.

Once they realized that it was not working properly, I know people have been trying things quite like that just to try to get the system to trigger, even having multiple people in multiple far-spread locations log in in quick succession, and still have not been able to get the authenticator to fire. (However, I believe at least one person did manage to get their account temporarily locked, to where they had to log into Battle.net and unlock it, but still didn't get the authenticator flag in game.)


It's not an option.

I suggest you use the mobile authenticator; people have already been compromised because they switched. You have been warned.

IF the only thing keeping a malicious party out of your account is a physical or mobile authenticator, switching to the phone-in authenticator is a nearly guaranteed method of being compromised.

Actually, if it was working properly it is more secure than the original authenticators. Anyone trying to log in would need to be logging in from your location, able to use your phone to make a call, AND know the PIN you created when initializing the authenticator. All of these pre-set walls are pro-active.


Except it's not possible to make it request you call in every single attempt to log in; it will only request the code IF the system detects something malicious, and if the malicious party is spoofing their information the likelihood of that is reduced.

You are correct: if the system detects something is wrong, the phone-in authenticator is more secure. Of course, that's also the huge flaw in it.
Edited by Pailamaha on 11/20/2010 2:14 PM PST
85 Troll Druid
5940
If your friend lives in the same city it's not gonna work; if your friend lives in the same country it won't work.

If an Asian farmer/hacker logs in with his/her IP, it will work.
85 Draenei Mage
9385
Most people wouldn't know what a subnet is, nor even how to find their MAC or even their IP, especially if behind a router with a NAT'd IP. Plus the MAC address isn't necessarily known by the destination, etc. Basically there are a lot of reasons that feature would cause far more hassle and confusion.


I'm not talking about having the user manage this information, I'm talking about having the security of the login server look at the information in this way.

I don't recommend doing this as a test. Why? You're giving your account details to someone else, which in turn could result in another action altogether. After all, you did agree NOT to give your account login details when you agreed to the terms and conditions of your account.

Why don't you simply test it out by using things like internet cafes?


Obviously giving your password to people isn't a good way to test, which is why I said that it isn't a feasible method for me to be sure that the dial-in authenticator was working. I also said that I didn't want to haul my desktop to another location just to test it. If you're implying that you feel that the internet cafe's own computers are secure enough for you to enter any information for anything in to, then I'd suggest you stay away from internet cafes :P

If your friend lives in the same city it's not gonna work; if your friend lives in the same country it won't work.

If an Asian farmer/hacker logs in with his/her IP, it will work.


I doubt that the intention of the new authenticator is to only flag on IPs from Asia, but allow anybody in a country to log into any account.

I have already moved back to the mobile authenticator because the first line of defense in the dial-in, location detection, clearly has serious issues, which makes it less than useless because it also gives off a false sense of security where there most likely is none.
Edited by Damien on 11/20/2010 3:14 PM PST
Blizzard Employee
Greetings Damien,

I'm hoping to shed some light on this topic.

First of all, as a short reminder, the Dial-in authenticator is by no means a replacement for a physical or mobile authenticator.

in all of these cases, the person has been able to log right in without being asked to dial in and authenticate
The dial-in authenticator is not designed to prompt you to call every single time.

Is there some current issue with the location detection in the dial-in authenticator, and could a procedure or something be put in place so that people can be assured that there authentication is working properly?

No issues that I am aware of.

Have your friends logged in to the game using the connection that was used during their test? If so, keep in mind that the dial-in authenticator will kick in when the account has activity that appears to be exploitive. The connection may already be marked as safe, until something else changes in the pattern.

The most obvious idea I had is the ability to manage the IP addresses allowed by the authenticator in my Battle.net account management. This way I can make sure that only the two addresses I log in from are allowed, and be assured that anything else would be denied.

If we allowed such a feature then we really wouldn't be offering any protection at all. If your account is compromised, the individual who has access to your account would be able to flag their IP as being legit and prevent you from recovering your own account.

Dial-in authenticator isn't stopping other locations from logging in as expected

The Dial-in authenticator is not meant to simply look for the location, but rather a change in pattern. Unfortunately I am unable to provide you with additional details as to what it checks for.

As mentioned above, the Dial-in authenticator is not a replacement. If you do have concerns using this feature, it may not be the best option for you at this time.
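The "change in pattern" check that Roraks describes above, together with the "Seattle five minutes ago, Hawaii now" impossible-travel heuristic suggested earlier in the thread, can be sketched as a risk-based step-up decision. This is an added illustration, not Blizzard's code: the login events, the placeholder IPs and coordinates, and the 1000 km/h plausibility ceiling are all constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample login events: (timestamp, source IP, latitude, longitude).
# The IPs are documentation-range placeholders; coordinates approximate Seattle and Honolulu.
EVENTS = [
    (datetime(2010, 11, 20, 11, 40), "198.51.100.10", 47.61, -122.33),  # Seattle
    (datetime(2010, 11, 20, 11, 45), "203.0.113.7", 21.31, -157.86),    # Honolulu, 5 min later
    (datetime(2010, 11, 21, 9, 0), "198.51.100.10", 47.61, -122.33),    # Seattle again, next day
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: faster than an airliner counts as impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (WGS84 mean radius)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def evaluate_logins(events, known_ips=None, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return [(timestamp, ip, decision, reason)] for each login in time order.

    A login is challenged (step-up, i.e. the dial-in prompt) only when its source is not
    already marked safe AND it implies impossible travel since the previous login. Every
    allowed login marks its source as safe, which is why a re-test from an already used
    connection never triggers the prompt.
    """
    known = set(known_ips or [])
    decisions, prev = [], None
    for ts, ip, lat, lon in sorted(events):
        decision, reason = "allow", "first login or no prior event"
        if prev is not None:
            pts, plat, plon = prev
            dist = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if ip in known:
                reason = "source already marked safe"
            elif speed > max_kmh:
                decision, reason = "challenge", f"implied {dist:.0f} km in {hours * 60:.0f} min"
            else:
                reason = f"plausible travel ({speed:.0f} km/h)"
        if decision == "allow":
            known.add(ip)
        decisions.append((ts, ip, decision, reason))
        prev = (ts, lat, lon)
    return decisions
```

Running `evaluate_logins(EVENTS)` challenges only the Honolulu login; passing that IP in `known_ips` lets it through, which mirrors the "connection may already be marked as safe" behaviour described above.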
85 Draenei Mage
9385
Thank you Roraks for the clarification. It seems like it would be more suited to be able to be used alongside a physical or mobile authenticator given this information. It is a bit misleading to have to replace your existing authenticator to use it, even though it isn't meant as a replacement.