Battle.net Authenticator Changes

100 Worgen Mage
19075
Please make it optional. Don't see anything mentioning it in the original post.
Edited by Digerati on 6/16/2011 4:25 PM PDT
90 Draenei Shaman
11285
This has got to be one of the worst ideas... like ever. Most hacking attempts are rootkits at the machine. Really awful. I don't mind the extra layer of security. I bought this authenticator because I was hacked once. I think you are really missing it here. Sorry, but you are. Reinstate it as it was. This is a security nightmare waiting to happen. Sorry you don't want to support the authentication process, but too bad.
85 Troll Shaman
5895
I bought the authenticator I have now after my account was hacked for a brief time nearly a year ago now. What is the point of having this authenticator on my account if it doesn't ask for it? Personally I don't care if it's the same location or not, unless you have a camera looking at the person there is no way to tell if it is indeed the owner of the account or not. Picking up a keylogger is easy to do with some of the stuff out there now. I pay for this account each month and I don't like the thought of someone getting lucky and not getting asked for an authenticator code simply because I've been there before. The 5 extra seconds that it takes to put the code in isn't going to break the game or kill you to do. The added security is worth the extra 5 seconds. I've never threatened to do this before but this is something I would quit the game over if we're not given the option to use our authenticators all the time.

Even when I'm right there looking at the person I don't like for friends to be doing anything with my account, even if it's just typing in a macro code for me. It's not that I don't trust them I just don't like other people on my account. I pay for me to use the account, not for others and this is something far too risky. You made authenticators for a reason, to prevent people from getting hacked. They're fine the way they are. If there isn't an option for us to opt out of this then I'll probably not renew my account when it comes time to do so. I sure as heck will not pay for some hacker to use the account.
100 Tauren Druid
8155
Yikes. I guess it's true what they say - People fear change, even if it's good for them.

The authenticator is a method of two-factor authentication. It requires that you "know something" and "have something" in order to authenticate. Location based authentication will be only very very slightly less secure in the vast majority of cases. It requires that you "know something" (your password) and "be something" (logging in from a particular IP address). Your chances of being hacked only increase in any amount worth mentioning if you use the authenticator as a crutch.

If you use a strong password and don't share it with anyone, you will be, for all practical purposes, just as secure as before. In fact, you could even argue that you will be more secure. That's right, I said more. (I also said "argue", I am not 100% confident that you will, in actuality, be more secure, but it can be argued).

Pre-4.2 Scenario:

Alice plays World of Warcraft. Her account is secured with an authenticator. She wants to log in. She launches the WoW client, enters her password, enters her authentication code, and is logged in successfully.

Trudy (or Mallory, if you like :P) wishes to gain access to Alice's account. Trudy has exploited Alice's machine and gained administrative access. With this access, Trudy has installed a key logger. Trudy is watching Alice's keystrokes as Alice logs in. Trudy is able to capture Alice's password and authentication code, and uses both to log into Alice's Battle.Net account before the authentication code expires. Trudy successfully authenticates as Alice. Alice is pwnt.

Now, let me present you with a Post-4.2 scenario:

Alice plays World of Warcraft. Her account is secured with an authenticator. She wants to log in. She launches the WoW client and enters her password. Because she has recently logged in with her authenticator from the same IP address, she is not prompted to enter her authentication code. She is logged in successfully.

Trudy wishes to gain access to Alice's account. Trudy has exploited Alice's machine and gained administrative access. With this access, Trudy has installed a key logger. Trudy is watching Alice's keystrokes as Alice logs in. Trudy is able to capture Alice's password. Trudy attempts to log into Alice's Battle.Net account. However, because Trudy is using a different IP address than Alice, she is prompted to enter Alice's authenticator code. Trudy is unable to authenticate as Alice. Alice is not pwnt.

As demonstrated above, there is actually an existing attack scenario that is hampered by the new feature.

The bottom line is this: Security is a tradeoff. Always. (see http://www.schneier.com/essay-155.html). This is a tradeoff of a little, teeny-tiny bit of security (and, as I mentioned above, maybe not even that) for a massive increase in convenience. In many cases, that's worth it.
Edited by Deadbabyseal on 6/16/2011 3:19 PM PDT
85 Blood Elf Warlock
5440
Very cool. TY MUCH
90 Pandaren Hunter
10330
Hackers have always been able to spoof IPs. And they are capable of hacking someone even if they have an authenticator. Not sure why everyone's freaking out now. :\
90 Troll Hunter
11295
Out of curiosity, will it be possible to opt out of that? While I'm sure the developers will roll out software that is indeed quite "intelligent" and does the job well, I would like to have the option to always use my authenticator regardless of where I'm logging in from.


Yes, please add some type of toggle to choose whether or not we wish to enter our authenticator at each log in or not.
100 Dwarf Paladin
21125
06/16/2011 02:33 PM Posted by Sunshiny
My concern is that the dial-up authenticator already does this... and is much less secure because of it.


This.

Please consider reverting this change or allow it to be an optional toggle. I use the authenticator instead of the dial-in authenticator for the additional security.
86 Dwarf Paladin
10050
One more point I would like to add: Blizzard is likely using more data than solely IP address. I'm sure they use other system information as well, such as hardware IDs. With companies being compromised left and right, you can rest assured that Blizzard isn't going to do anything to hinder their security at this point.


Exactly my point. Login caching is a little more complex than just storing an IP.


All of this, All of this, All of it, can be spoofed by thieves with a trojan access to your machine.
90 Draenei Shaman
11285
06/16/2011 03:17 PM Posted by Deadbabyseal
Yikes. I guess it's true what they say - People fear change, even if it's good for them.

Alice plays World of Warcraft. Her account is secured with an authenticator. She wants to log in. She launches the WoW client and enters her password. Because she has recently logged in with her authenticator from the same IP address, she is not prompted to enter her authentication code. She is logged in successfully.


So I'm coming from the same IP address; that doesn't guarantee it was me. This is just bad practice.
- Technical Support
90 Blood Elf Hunter
17510
06/16/2011 03:16 PM Posted by Mcgruffin
Seriously, some of you seem to think Blizzard is run by 13 year olds playing around with Perl in the basement or something. They're professionals and value security.


It almost does seem that way sometimes, doesn't it? Blizzard's security developers likely know a lot more than people give them credit for. Notice how other huge companies such as Sony are broken into dozens of times, yet Blizzard seems to be untouched? MMORPGs are quite common for attacks, and given how large WoW is, it is faring very well.
________________________________________________
The wise speak only of what they know. - J.R.R. Tolkien
CORE I7 3.8GHz | 12GB RAM | ATI 5970+5870 | F120 SSD
Live Support: irc://chat.freenode.net/wowtech
100 Night Elf Druid
11215

Possibly to circumvent the man in the middle attack.


It doesn't actually do this.

The attacker's program can just wait until the user is asked for a code. After all, the attackers aren't in any hurry. Alternatively, the malware could forge the request for the authenticator code.

This also opens up a new attack: Get the username/password, then route the attacker's login attempt through the victim's machine.

Granted, it doesn't really reduce security either because if your computer is compromised, an authenticator doesn't protect you from a smart attacker either way. If you have a strong password and protect it properly, the authenticator doesn't really provide security anyways (because of this attack).
Edited by Kalisti on 6/16/2011 3:21 PM PDT
- Technical Support
100 Human Warrior
20935
06/16/2011 03:17 PM Posted by Bootee
This has got to be one of the worst ideas... like ever. Most hacking attempts are rootkits at the machine. Really awful. I don't mind the extra layer of security. I bought this authenticator because I was hacked once. I think you are really missing it here. Sorry, but you are. Reinstate it as it was. This is a security nightmare waiting to happen. Sorry you don't want to support the authentication process, but too bad.


What does this have to do with anything? You worried about your wife using a rootkit on you? Because this is completely irrelevant to an outside hack attempt on you; they still need your authenticator code.
85 Blood Elf Paladin
10520
So wait a second....

I bought my authenticator to protect my account. It can't possibly protect my account if it's not working. I only ever play WoW on my personal computer.

So essentially, since you are now basically turning off my authenticator on the only computer I use it for, I bought a keychain and an in game pet?

Can I get my shipping charge reimbursed?
I believe people are mistaking the purpose of an authenticator a little. I thought it was to provide an added level of security to help prevent your account from being hacked. If your account is being hacked from your own home by your relatives then I think you have bigger issues to worry about than WoW.

I do think that players should be able to require an authenticator regardless of login location though. After all, it's their security so they should have the choice.

As far as people worrying about relatives using their account. that's what passwords are for. Authenticators are more for keyloggers and other tools used by less savory people to hack your account.

Bottom line. Chill out, but the option would still be nice.

Edit: The belf above me brings up a very good point. But the authenticator does kick in if another person at another location tries to log in to your account. Without the authenticator you are screwed still. So it's still the same as before. If you never get hacked you bought a cheap mount and keychain. If you do then you made a very wise investment.
Edited by Milsa on 6/16/2011 3:23 PM PDT
- Technical Support
90 Blood Elf Hunter
17510
http://twitter.com/#!/BlizzardCS/statuses/81485048242651136

As they stated, this won't increase the probability of being compromised by an outside source. Could someone close to you possibly break into your account? Sure, but they are far less likely to do the amount of damage that, say, a gold farmer would do. Even then, they would still require your login credentials. You shouldn't be sharing those!
Edited by Kodiack on 6/16/2011 3:22 PM PDT
100 Dwarf Paladin
21125
All of this, All of this, All of it, can be spoofed by thieves with a trojan access to your machine.


Yup.

A compromised computer can very easily have Remote Desktop Access (or its Mac equivalent) accessed. Hackers could simply use the victim's own computer to log into WoW and pillage an account of everything.
90 Undead Mage
8800
06/16/2011 03:17 PM Posted by Deadbabyseal
Yikes. I guess it's true what they say - People fear change, even if it's good for them.


I get to decide what is good for me. That's why I chose to buy an authenticator.

06/16/2011 03:17 PM Posted by Deadbabyseal
Trudy is able to capture Alice's password and authentication code, and uses both to log into Alice's Battle.Net account before the authentication code expires. Trudy successfully authenticates as Alice. Alice is pwnt.


Clearly you don't know what you're talking about. Once Alice uses the code, it immediately expires. The same authenticator code cannot be used twice. Once it has been used once, that's it. So unless Trudy uses the code BEFORE Alice (unlikely) then this is not a problem.
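The three behaviours argued over in this thread (the trusted-IP skip in Deadbabyseal's post-4.2 scenario, the "route the attacker's login through the victim's machine" attack in Kalisti's post, and the one-code-one-use rule in the post just above) can be modelled in a few lines. This is an added example, not Blizzard's code and not from any poster; the real Battle.net rules are not public. The 30-day trust window, the 30-second TOTP-style codes, the per-time-step replay check and the sample IP addresses are all assumptions made here for illustration.

```python
"""Model of a trusted-location second-factor policy with one-time codes.

Added example. Assumptions (not from the thread or from Blizzard):
  - an IP stays trusted for TRUST_WINDOW seconds after a full login with a code
  - codes are 6-digit TOTP-style values over a per-account secret, 30 s steps
  - a code is accepted at most once per time step (replay protection)
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

TRUST_WINDOW = 30 * 24 * 3600   # assumed: seconds an IP stays trusted
STEP = 30                       # assumed: code lifetime in seconds


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    password: str
    secret: bytes
    trusted_ips: dict = field(default_factory=dict)   # ip -> time of last full auth
    used_steps: set = field(default_factory=set)      # time steps already redeemed


def login(acct: Account, password: str, ip: str, code, now: int) -> str:
    """Return the outcome of one login attempt; mutates acct on success."""
    if password != acct.password:
        return "denied: bad password"
    # Post-4.2 behaviour: a recently verified IP is not challenged again.
    last = acct.trusted_ips.get(ip)
    if last is not None and now - last < TRUST_WINDOW:
        return "ok: trusted location, no code required"
    if code is None:
        return "challenge: authenticator code required"
    step = now // STEP
    # One-code-one-use: a captured code replayed in the same step is rejected.
    if step in acct.used_steps or code != totp(acct.secret, now):
        return "denied: bad or reused code"
    acct.used_steps.add(step)
    acct.trusted_ips[ip] = now
    return "ok: code accepted, location now trusted"


def demo() -> list:
    """Constructed walk-through of the scenarios discussed in the thread."""
    now = 1_700_000_000                      # arbitrary fixed clock
    alice = Account("correct horse", b"alice-secret")   # constructed account
    home, attacker = "203.0.113.10", "198.51.100.7"     # documentation IPs
    code = totp(alice.secret, now)            # what a keylogger would capture
    return [
        # Alice's first login from home with her authenticator.
        login(alice, "correct horse", home, code, now),
        # Keylogged password + code replayed from elsewhere 5 s later.
        login(alice, "correct horse", attacker, code, now + 5),
        # Kalisti's attack: attacker tunnels through Alice's own machine.
        login(alice, "correct horse", home, None, now + 5),
        # Alice an hour later from home: no code asked.
        login(alice, "correct horse", home, None, now + 3600),
        # Password only, from a new IP: still challenged.
        login(alice, "correct horse", attacker, None, now + 3600),
        # Wrong password never reaches the second factor.
        login(alice, "guess", home, None, now + 3600),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The third result is the one the thread is really about: once the attacker has a foothold on the trusted machine, the location check passes and the authenticator is never consulted, so the policy only holds against attackers who are not already on the victim's box. Tracking redeemed time steps (rather than only the last accepted counter) is what makes the second result a clean rejection even though the captured code is still within its 30-second lifetime.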
85 Dwarf Hunter
6795
06/16/2011 03:19 PM Posted by Kodiack
Seriously, some of you seem to think Blizzard is run by 13 year olds playing around with Perl in the basement or something. They're professionals and value security.


It almost does seem that way sometimes, doesn't it? Blizzard's security developers likely know a lot more than people give them credit for. Notice how other huge companies such as Sony are broken into dozens of times, yet Blizzard seems to be untouched? MMORPGs are quite common for attacks, and given how large WoW is, it is faring very well.


Exactly. The people posting here, probably 99% of them, understand less about security than the employees at Blizzard do. They need to trust that Blizzard is not going to allow things to be less secure, only more convenient.

We don't need to understand the details, we just need to trust that our security team knows what they are doing, and it seems the majority of people here don't have that trust. It's not like Blizzard has a bad track record for security.
90 Orc Hunter
0
Does this include the website? How many logins does it take before it stops asking? Will this encourage hacking via remote access to the PC to bypass the authentication?