About the Recent Authenticator Change

90 Draenei Shaman
8710
after a month on non replies, the orginal linked posts being deleted, 13 CAPPED threads asking for an opt out or a rollback of the authenticator change(really we just wanted an opt out of the failed system)
as of now numerous players have quit or are quitting(my acct expires in days) as we are unhappy about the change and the lack of response from Blizzard

I expect this to be deleted in short order, but as the one on the Tech forum(and we suspect soon the one on the CS forum) have already been ignored and / or deleted
(yes this is a cut and paste)

System start date
http://us.battle.net/wow/en/forum/topic/2743697739?page=14#264
Official notice
http://us.battle.net/wow/en/forum/topic/2674529777#1 (deleted)
http://us.battle.net/wow/en/forum/topic/2674529793

A computer may have been marked as authorised before the system went into effect
http://us.battle.net/wow/en/forum/topic/2674980195?page=25#489

Computers marked as authorised may not need to be individually re-authorised
http://us.battle.net/wow/en/forum/topic/2743697739?page=14#278

Computers marked as authorised may not need to be individually re-authorised, even if in different locations
http://us.battle.net/wow/en/forum/topic/2674991820?page=24#474

A change in location and ISP may not prompt for an Authenticator code
http://us.battle.net/wow/en/forum/topic/2674990905?page=25#496
http://us.battle.net/wow/en/forum/topic/2674991820?page=25#485

The WoW client uses a registry key on the client machine to determine if an Authenticator code is required
http://us.battle.net/wow/en/forum/topic/2674990905?page=6#117

The system is designed to prompt for the Authenticator code weekly
http://eu.battle.net/wow/en/forum/topic/2226156035?page=27#536

Blizzard are still advertising the Authenticator as a 'use for every login' device
http://us.blizzard.com/store/details.xml?id=1100000822

There has been no official response from Blizzard on the US forums, but there have been two responses to a much smaller discussion on the European forums
http://eu.battle.net/wow/en/forum/topic/2226156035?page=26#519
http://eu.battle.net/wow/en/forum/topic/2226156035?page=27#536

A player also claims to have tested a proof of concept attack that duplicates the stored registry key onto a virtual machine to allow un-authorised login
http://us.battle.net/wow/en/forum/topic/2743697739?page=15#283


Whilst the registry hack will cause an authenticator prompt at login, this obviously won't effect any other 'authorised' computers.

I would also note that it would be relatively easy for a variant of the existing man in the middle attack to use this registry hack to force an authenticator prompt.

Whilst I acknowledge that there will be issues that Blizzard and I disagree on, I find it very disappointing that they have elected not to respond to player concerns, and even more disappointing that they are now deleting threads.
Reply Quote
90 Blood Elf Paladin
10165
1. It's Sunday, the blues are most likely not working. The mods who will delete your thread most likely are, of course.

2. Admittedly copy-pasting a thread you've already made before is pretty much asking to have it deleted.

3. It's been a month. Where's the predicted surge in hacked authenticators? You might be taken more seriously if you had a link to something concrete.

4. This entire little sideshow is practically a repeat of the battle.net merger a couple of years ago, when personalized usernames were replaced with our e-mail addresses. People predicted the death of account security, personal security, and WoW as a result of that as well. It didn't happen.
Reply Quote
11 Worgen Warrior
30
07/24/2011 10:47 AMPosted by Catriona
Asking for blue posts is the fastest and easiest way to not get them.


People feel they need to ask because when a subject gets 13 capped threads and no response from a Blue it is discouraging.
Reply Quote
90 Draenei Shaman
8710

4. This entire little sideshow is practically a repeat of the battle.net merger a couple of years ago, when personalized usernames were replaced with our e-mail addresses. People predicted the death of account security, personal security, and WoW as a result of that as well. It didn't happen.

and all we want is akin to what they did with realid... an option to NOT use it(it's in parental controls, go look)

at this point I don't expect them to respond or care, I wanted the posts SEEN by the players, as we were repeatedly deleted(and in some cases forum banned the players) for posting anything outside of tech support, and who goes to tech support when not having an issue?...
as my acct expires in 2 days what can happen I get a forum ban till after I leave.... HAHAHAHAHA

whoops, edit put realname, ment realid
Edited by Anii on 7/24/2011 11:01 AM PDT
Reply Quote
90 Draenei Shaman
8710
Asking for blue posts is the fastest and easiest way to not get them.


People feel they need to ask because when a subject gets 13 capped threads and no response from a Blue it is discouraging.

not only that, the responded on the EU forums, but not the US ones
despite the fact the EU forums get less posts, and their thread was exponentially smaller

yet we max cap 13 and we get nada
Edited by Anii on 7/24/2011 11:06 AM PDT
Reply Quote
85 Goblin Priest
5230
Blizzard is not obligated in any way to you. It does not matter how many threads on how many forums your foolishly audacious demands are posted. You should be on the customer service phone line and not crying in here.
Reply Quote
MVP - World of Warcraft
90 Gnome Warrior
12365
07/24/2011 11:14 AMPosted by Æza
You should be on the customer service phone line and not crying in here.


Billing and Tech Support are the only phone numbers available to us.

Neither can help with this type of issue.
Reply Quote
90 Night Elf Hunter
13455
Well, I'll say that when I went on vacation and logged in at the hotel I was staying at one evening, not only did I have to put in my authenticator, I was required to go into Account Maintenance, answer security questions, and change my password before it would accept that it was really me.

I think the security is still working pretty well, though I'm not opposed to those wanting an option for it to ask for the authenticator every time.
Reply Quote
90 Draenei Shaman
8710
07/24/2011 11:17 AMPosted by Crepe
You should be on the customer service phone line and not crying in here.


Billing and Tech Support are the only phone numbers available to us.

Neither can help with this type of issue.

and we called them, and were told orginally "no change" then were told "working as intended" (but not as advertised on their own authenticator page which is linked)
Reply Quote
90 Draenei Shaman
8710
Well, I'll say that when I went on vacation and logged in at the hotel I was staying at one evening, not only did I have to put in my authenticator, I was required to go into Account Maintenance, answer security questions, and change my password before it would accept that it was really me.

I think the security is still working pretty well, though I'm not opposed to those wanting an option for it to ask for the authenticator every time.

now go back to that hotel, and log in

even money says it won't request an authenticator
Reply Quote
55 Blood Elf Death Knight
90
Asking for blue posts is the fastest and easiest way to not get them.


People feel they need to ask because when a subject gets 13 capped threads and no response from a Blue it is discouraging.


Doesn't mean they haven't read or noticed it. Besides, they have no reason to post a reply. People would just complain about whatever they say anyway.

This isn't even a big deal, mostly paranoid people upset. Your account is still secure, the chance of you getting 'hacked' hasn't skyrocketed. You'll be fine as long as you don't do dumb things like go to bad sites or open suspicious emails.
Edited by Sarovar on 7/24/2011 11:34 AM PDT
Reply Quote
90 Draenei Shaman
8710
07/24/2011 11:33 AMPosted by Sarovar
This isn't even a big deal, mostly paranoid people upset. Your account is still secure, the chance of you getting 'hacked' hasn't skyrocketed. You'll be fine as long as you don't do dumb things like go to bad sites or open suspicious emails.

I didn't do those before
yet my acct was hacked pre auth(it was on order the day my acct was hacked)
I run security on my home network that would make most CISO think I am paranoid(I have kids, I had to be paranoid)
Reply Quote
89 Night Elf Druid
8265
Well, I'll say that when I went on vacation and logged in at the hotel I was staying at one evening, not only did I have to put in my authenticator, I was required to go into Account Maintenance, answer security questions, and change my password before it would accept that it was really me.

I think the security is still working pretty well, though I'm not opposed to those wanting an option for it to ask for the authenticator every time.

now go back to that hotel, and log in

even money says it won't request an authenticator


As it appears the hackers need to get your authenticator, answer your security questions, change your password and then log in. And once they do that they can log in like any normal person. So what you're saying is, even with all that security manually putting in your authenticator is the only way to go.
Reply Quote
90 Undead Death Knight
6755
07/24/2011 10:59 AMPosted by Chunny
People feel they need to ask because when a subject gets 13 capped threads and no response from a Blue it is discouraging.


Could it be because it is a non-issue from a technical standpoint even if it is an issue from your personal standpoint? They can't change your mind, so why bother responding?
Reply Quote
90 Draenei Shaman
8710
07/24/2011 11:45 AMPosted by Relsindra
As it appears the hackers need to get your authenticator, answer your security questions, change your password and then log in. And once they do that they can log in like any normal person. So what you're saying is, even with all that security manually putting in your authenticator is the only way to go.

no, I am saying that, that site will not likely prompt anymore

also the PW on change of location is MORE random than the authenticator
I did Bradley International -> Charlotte International > Wilmington Airport (for funeral) to Philly > to Bradley
over the course of about 3 days, I logged on at Bradley (Hartford CT), I logged on in Charlotte NC, I logged on in the hotel in Wilmington NC, I logged on in Philly and back home in CT
it NEVER had me do my security questions, that was 4 different sites from where I normally played in 3 different states(2 of which were not my normal state at the time)
I moved 10miles, it made me change(during my divorce)
I moved from CT to NC it made me change
see the issues yet? or do I need crayons?
Reply Quote
51 Blood Elf Priest
210
I do agree that an 'opt-out' option for the new auto-authentication would be very nice (or perhaps a checkbox saying 'Ask me for my authenticator code every single time.')

It would be nice if they'd say something, but perhaps there's nothing official to say yet. :/ I very much doubt that 13+ capped threads are being ignored.
Reply Quote

Please report any Code of Conduct violations, including:

Threats of violence. We take these seriously and will alert the proper authorities.

Posts containing personal information about other players. This includes physical addresses, e-mail addresses, phone numbers, and inappropriate photos and/or videos.

Harassing or discriminatory language. This will not be tolerated.

Forums Code of Conduct

Report Post # written by

Reason
Explain (256 characters max)
Submit Cancel

Reported!

[Close]