Battle.net Authenticator Changes (Cont. #8)

85 Troll Priest
3880
See? Blizzard is smart. They know security probably at a far deeper level than most of you. Keep in mind, they've written Warden. Warden, from a technical standpoint, is VERY good at what it does.

All of this without getting in your way and making you wait to play the game.

So yes, be quiet. Learn a little bit about security.



well you go ahead and use some new and untested security all you like as for me and other players we'll stick with what has been tried and true and know our accts are still safer


besides as you said they PROBABLY know what to do well i can read a bunch of books of medical care and PROBABLY perform surgery but that doesn't make it a good idea


DUDE! I have this .. thing.. I need removed... can ya help a mook out?
85 Troll Priest
3880



to all the people saying this new system is foolproof and safe well let me ask you this can you guarantee that? no of course not nothing is guaranteed not even the authenticators are 100% however they have proven for the moment that they are quite capable of slowing down acct theft



not to mention why are so many ppl pushing for this "new" change? makes me wonder how many of them are hackers who are probably already working on a way to crack this new system i mean why else would they be pushing for others to blindly trust this thing and not ask questions hmmm? personally I'd rather waste 3 seconds inputting a 6 digit code and know my acct is safer rather than assume it is


The reason this is pushed for is because a LOT of people out there think two factor authentication is EXTREMELY cumbersome. I'm going to go out on a limb and say < 20% of the WoW playerbase uses an authenticator. It's probably far less than that.


No one forced ANYONE to buy an authenticator, those who did - didn't feel that it was cumbersome.. further, where do you get these figures from... "<20%" is that a number that you pulled out of the hat? I want to see your source of this statistical information please.

People don't like when security "gets in the way". That is, people don't like having to dig out their phone/authenticator to type in a 6-digit code each time.

This is a known fact. I've worked in IT for many years. I'm part of the OWASP project and follow security very closely. I've got protections on my systems that many people in here have never even heard of. I'm also part of the WoW Community Tech team that helps people clean their computers of viruses whenever they hop in and get crashes and other problems with their game.


Once again, no one forced the 2FA on anyone. Those who chose it did not feel that it was "in the way" as the TONS of posts here prove.

This new "change" addresses the cumbersomeness of the authenticator system by having you, the end user, rely on your authenticator only when necessary. What this will do is open up the authenticator to people who previously thought it would be too much of a pain in the ass to use.


Making assumptions here again? How do you come up with the idea that more people will buy the authenticator now than they did before?

For someone such as myself, two-factor isn't a huge problem. My work uses a combination of biometrics and RSA tokens (lol RSA) to provide security. For the longest time my bank account didn't even support this level of security (WoW account more secure than my bank account? YOU BET!) It was only very recently that my bank supported the ability--and so I turned it on.

The core of the matter is that this change does NOT reduce your security in any way.


How is not requiring you manually enter in a key code EVERY time NOT reducing security?

Regardless of whether or not you have an authenticator you should follow proper password practices. Do not use the same password everywhere, yet most people do. An authenticator isn't meant to guard against stupidity.


Finally something I can say I agree with you on

Your WoW account should have a unique password, preferably 6-8 characters in length (though WoW uses a Challenge Authentication Protocol rather than password authentication). If you need this spelled out for you, it means your WoW password is not transmitted over the wire. Your password is used to create a token which is transmitted over the wire, where the WoW server authenticates it and determines whether or not to log you in.

See? Blizzard is smart. They know security probably at a far deeper level than most of you. Keep in mind, they've written Warden. Warden, from a technical standpoint, is VERY good at what it does.

All of this without getting in your way and making you wait to play the game.

So yes, be quiet. Learn a little bit about security.


5 seconds to wait to play the game, that's too long.. wait.. so is the 15 seconds it takes to enter in a login and password, so lets do away with those as well. That's YOUR logic there.
2 Draenei Hunter
0
I'm gonna start off by saying I like the new feature. It is very convenient.

Secondly, if everyone is so worried about keyloggers, all you gotta do is have a notepad open with your password in it, and then copy/paste the password into WoW. Bam. Keyloggers can't read through copy/paste. If you want added security (perhaps from someone in your home), just either hide the document in one of the many folders all over your computer and don't name it "MY WOW PASSWORD".

Thirdly, I do believe Blizzard should implement the option to "always ask for authenticator" under your battle.net account for those who want added security.


Yes, they can. Keyloggers read the clipboard. They can also search files, depending on the key logger.
90 Draenei Shaman
9040
Ivivika judging by how hard Ako is defending the system, he's the JR Dev who came up with this thing

if I could make my bank acct use a 2FA authenticator, I would, instead I don't online bank
omg that means I have to go to the bank IN PERSON to talk to someone /gasp that is an inconvenience so it must not be true
then again, I have to badge, bio scan, dead man's door, and log on about a billion IDs before I can do a damn thing at work... it comes with the job

flat out, we found flaws, we want them addressed
it can be one of 2 ways, allow us to OPT OUT OF the 'feature' of smart authentication or let us set edit our safe computers... one would never happen because if we can see the list someone can hack the system even easier
2 Draenei Hunter
0

The reason this is pushed for is because a LOT of people out there think two factor authentication is EXTREMELY cumbersome. I'm going to go out on a limb and say < 20% of the WoW playerbase uses an authenticator. It's probably far less than that.

Then don't use it.

People don't like when security "gets in the way". That is, people don't like having to dig out their phone/authenticator to type in a 6-digit code each time.

The fact that this thread exists, tells me that people WANT to whip out their phone and type in their 8 digit code.

This new "change" addresses the cumbersomeness of the authenticator system by having you, the end user, rely on your authenticator only when necessary. What this will do is open up the authenticator to people who previously thought it would be too much of a pain in the ass to use.

It's not cumbersome. It's 5 seconds to enter the code.

The core of the matter is that this change does NOT reduce your security in any way. Regardless of whether or not you have an authenticator you should follow proper password practices. Do not use the same password everywhere, yet most people do. An authenticator isn't meant to guard against stupidity.

When will people learn?

You said you're an IT person that deals with security, but if you were, you'd know that passwords are pathetically weak security. The fact that keyloggers exist proves that.

So yes, be quiet. Learn a little bit about security.

I agree. You should learn before you spout nonsense.

If Blizzard wants to make it less cumbersome, lose the password and use my authenticator code as a password.
90 Blood Elf Mage
8410
I really think the option to turn this "feature" on/off needs to be added
Everybody is quoting blizz... "by logging in from a computer numerous times ...blah blah blahh..."

is nobody reading the post I made earlier? I've proven the new system false and unsecure! Just as a test I went to my friend's house, (that I only logged in on once ever and it was about a week ago) and it didn't ask for my authenticator. How is this secure? One login on a different computer, ISP, and IP some time ago and the new system thinks that as my "Frequent" computer. So now the System thinks 2 computers and neither asks for my authenticator... Jeez C'mon Blizz get over it already admit you F#*$ed up and fix this already!

06/19/2011 07:54 PM Posted by Melina
I think this is complete crap! I don't use any addons, go to fake sites, or even use my Real email (game one) when I register on other wow related sites.. but yet I've had 2 hacking attempts on my account good thing I purchased an authenticator when they first came out cause that's what saved my account/guild vault. As a test I just went over to my friend's house and tried to log in on his comp and guess what didn't ask for my authenticator... WTF!! where's the security in that? Just because I logged in on his comp a week ago I no longer need the authenticator? I don't know about the US but in Canada we have laws that protect consumers from not getting what they paid for! Myself and friends have already launched a complaint with the Ombudsman under the Consumer Complaints Act. AT LEAST GIVE US THE OPTION TO OPT OUT!
85 Blood Elf Mage
9755
I like this change.
I'm a very, very lazy man, and not having to input my authenticator codes saves me about 3 - 5 seconds every time i log in.
85 Draenei Shaman
3280
I like this change.
I'm a very, very lazy man, and not having to input my authenticator codes saves me about 3 - 5 seconds every time i log in.


I got to ask.

If 3-5 seconds is that precious to you why did you get the authenticator??

Not bashing. Not disagreeing.

I'm just curious as to why people are saying they didn't want to enter the code yet opted to get an "optional" added feature.

85 Dwarf Paladin
3865
I am uncomfortable with this to say the least. I feel insecure not entering an authenticator code and take no pleasure in Blizzard poking around my computer for any information they want to use to confirm my identity. Although Blizzard holds itself in high regard with respect to its development staff I do not. The innumerable botched updates and maintenance do not support your claim.

Some of my gripes and suggestions.

If Blizzard wants to make things easier by enabling this feature I WANT the ability to opt in to it, or at the very least opt out. It should not be the default at the whim of Blizzard.

I believe, in time, whatever Blizzard uses to verify who I say I am will be learned by hackers that want to know that information. Blizzard is certainly not smarter than the myriad of government, bank, and gaming organizations that have been compromised.

The argument that "Additionally, please note that there was a so-called "man-in-the-middle" compromise that would snatch an authenticator code after it was entered and then crash WoW's executable, submitting the valid code to someone hoping to break into your account. While this method will still function, it will be defunct on systems that are already affected by this change. No authenticator code to enter means no authenticator code to steal." is a sorry excuse to implement this change. A more elegant solution would be to prevent the authenticator code from being used more than once per successful login attempt. That way if you are logged out for any reason after using an authenticator you would need to wait for the next cycle to log in again.

Why wasn't this change posted on the splash screen when it was implemented? Why did Blizzard subject me to unnecessary discomfort by automatically and stealthily implementing this?

WHY DO I NOT HAVE THE OPTION TO OPT OUT?????????

Blizzard did the same thing when they implemented realID and angered many people. This is the same developer minded as opposed to user minded approach and it stinks. For me it just moves me one step closer to finally leaving WoW.

Oh, and did I mention...I WANT THE ABILITY TO OPT OUT AND KEEP BLIZZARD'S NOSES OUT OF MY PC!!
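The single-use rule proposed in the post above ("prevent the authenticator code from being used more than once per successful login attempt"), sketched as an added example that is not part of the thread and not Blizzard's code. It assumes a standard RFC 6238 time-based code with a 30-second step and 6 digits; the secret, account name and timestamps are constructed. It only blocks reuse of a code the server has already accepted.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step; the thread does not state the real one
DIGITS = 6          # assumed code length


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226/6238 one-time code for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SingleUseVerifier:
    """Accepts each time step's code at most once per account."""

    def __init__(self, secrets: dict, window: int = 1):
        self.secrets = secrets      # account -> shared secret (constructed)
        self.window = window        # tolerated clock drift, in steps
        self.last_used = {}         # account -> highest counter accepted

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now // STEP_SECONDS)
        floor = self.last_used.get(account, -1)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= floor:
                continue  # this step (or a later one) was already consumed
            if hmac.compare_digest(totp(secret, counter), code):
                self.last_used[account] = counter
                return True
        return False


def demo() -> list:
    """Constructed scenario: a login, a replay of the same code, a fresh code."""
    secret = b"constructed-demo-secret"
    verifier = SingleUseVerifier({"player": secret})
    t0 = 1_308_500_000.0                      # arbitrary constructed timestamp
    code = totp(secret, int(t0 // STEP_SECONDS))
    first = verifier.verify("player", code, t0)        # legitimate login
    replay = verifier.verify("player", code, t0 + 5)   # same code, same step
    t1 = t0 + STEP_SECONDS                             # the "next cycle"
    fresh = verifier.verify("player", totp(secret, int(t1 // STEP_SECONDS)), t1)
    return [first, replay, fresh]
```
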
85 Human Paladin
1990
ok here is a scenario. i play in a club. we rotate where we play. every place we play has wow on the machines(we do not bring our own). sometimes its at my house sometimes its at another persons. this would be considered a "normal place" from where my account is logged in. so since blizz now sees this as a normal place of login for my account it will not ask for my code and allowing someone to put a keylogger on the pc and accessing my account. please explain how this is now safer. the only way to avoid this is to stop the wow club or everyone bring their pc's to the home we are playing at for that weekend. please let me make the choice of whether or not to put the code in.
Still angry about this change.. do not feel safe. Demanding the old process back or with opt in.

I get hacked during this fiasco and I will drop all my accounts.
85 Tauren Paladin
9675
All it is gonna take is one person to actually get hacked during all of this and if you think the forums are flaring now...
85 Night Elf Hunter
2550
Jesus freakin' Christ! stop it! just stop! It's over! Done! DEAL WITH IT!

EDIT TO ADD: No seriously, this is stupid. 8 Threads for a simple change that doesn't affect your security if you maintain an updated and secured system? This whole train wreck needs to be destroyed...



No... for reals. it's getting old. where are my funny forums..

oh wait, they're being overrun by useless forums..

Ugh.
85 Worgen Druid
7385
I am uncomfortable with this to say the least. I feel insecure not entering an authenticator code and take no pleasure in Blizzard poking around my computer for any information they want to use to confirm my identity. Although Blizzard holds itself in high regard with respect to its development staff I do not. The innumerable botched updates and maintenance do not support your claim.

Some of my gripes and suggestions.

If Blizzard wants to make things easier by enabling this feature I WANT the ability to opt in to it, or at the very least opt out. It should not be the default at the whim of Blizzard.

I believe, in time, whatever Blizzard uses to verify who I say I am will be learned by hackers that want to know that information. Blizzard is certainly not smarter than the myriad of government, bank, and gaming organizations that have been compromised.

The argument that "Additionally, please note that there was a so-called "man-in-the-middle" compromise that would snatch an authenticator code after it was entered and then crash WoW's executable, submitting the valid code to someone hoping to break into your account. While this method will still function, it will be defunct on systems that are already affected by this change. No authenticator code to enter means no authenticator code to steal." is a sorry excuse to implement this change. A more elegant solution would be to prevent the authenticator code from being used more than once per successful login attempt. That way if you are logged out for any reason after using an authenticator you would need to wait for the next cycle to log in again.

Why wasn't this change posted on the splash screen when it was implemented? Why did Blizzard subject me to unnecessary discomfort by automatically and stealthily implementing this?

WHY DO I NOT HAVE THE OPTION TO OPT OUT?????????

Blizzard did the same thing when they implemented realID and angered many people. This is the same developer minded as opposed to user minded approach and it stinks. For me it just moves me one step closer to finally leaving WoW.

Oh, and did I mention...I WANT THE ABILITY TO OPT OUT AND KEEP BLIZZARD'S NOSES OUT OF MY PC!!


The EULA gives them the ability to poke around your PC for security purposes.
73 Orc Shaman
910
This is good news to me!
06/20/2011 12:05 AM Posted by Shafturbum
cmon blizz this is pathetic. my authenticator arrived in the mail and then 2 days later you announce this change...i mean wtf...


They didn't even announce it
85 Worgen Druid
7385
Ivivika judging by how hard Ako is defending the system, he's the JR Dev who came up with this thing

if I could make my bank acct use a 2FA authenticator, I would, instead I don't online bank
omg that means I have to go to the bank IN PERSON to talk to someone /gasp that is an inconvenience so it must not be true
then again, I have to badge, bio scan, dead man's door, and log on about a billion IDs before I can do a damn thing at work... it comes with the job

flat out, we found flaws, we want them addressed
it can be one of 2 ways, allow us to OPT OUT OF the 'feature' of smart authentication or let us set edit our safe computers... one would never happen because if we can see the list someone can hack the system even easier


Do you run your system with UAC off?

If so, shut it :)
This topic has reached its post limit. You may no longer post or reply to posts for this topic.
