Battle.net Authenticator By-Pass Now Active

90 Human Paladin
6610
11/29/2011 11:36 PM Posted by Huatar
Just for clarification, this means that IP-detection is no longer effective and I can log in from any location I want outside of my home, without having to change my password?


No. This means you can make it so it always requires an authenticator code regardless of where you are. Relying solely on IP is poor security anyway. Your ISP won't give you a static IP for free simply because they can charge for it. It'll probably stay the same for a while because of happenstance.

It's what the WoW people have had for a while with the addition of the opt-out.

Kantankerus. Calm down man. Way to cherry pick the part of the post that's old and that they just fixed. The original uproar was because people wanted their authenticator to always be required but the new feature implemented didn't require it as long as you were on the same IP (in other words the same computer more or less). You can opt out of this feature now. They gave you what you wanted. It's not a crime to read the OP rather than partial quotes.
Edited by Foibles on 11/30/2011 12:39 AM PST
85 Worgen Warlock
9015
I understand the fear some of you feel about the apparently lax security surrounding the decision by Blizzard to only check the authenticator sporadically. I also applaud Blizzard for adding the opt out feature.

Yet, I will not be opting out. I was really tempted at first, better safe than sorry, but then I noticed exactly how stringent the default settings really are.

It is advertised as logging IPs, but it is much more stringent than that. When I attempt to log on from different nodes on my LAN, it still asks for authentication on *EACH* node, once a week.

Not only that, on the exact same hardware, reporting the exact same internal IP, with the exact same MAC address, and using the exact same client, on the native file system, if I log in with a different operating system (dual boot Win764 and Linux/Wine, and a couple of different distros), when I dual boot into a different OS, each OS, while using the same internal IP, on the same hardware, in the same client software, on the same partition and file system, it asks me independently for an authenticator code.

That is some slick heuristics, by anybody's standard.

Blizzard is ahead of the curve. They just are. Statistically they are the rarity, but let's look at things objectively, they got it licked.
85 Night Elf Druid
7905
11/29/2011 11:29 PM Posted by Kantankerus
Those of you who wish to disable this feature can do so by opting out of the bypass on your Battle.net account management page. If you opt out of the by-pass, you will be prompted by Battle.net for an authentication code each time you log in.

This is appalling security practice. 'Hey guys, you know how for the last few years we've been telling you all that the Authenticator will prompt you each time you login, well without asking you we've lowered the security on your account'. Not even a Fair Notice email about it. Well, maybe they are mailing us but personally I'd rather have heard about this a week or so before implementation, not after the fact.
I've not been playing the game recently. Haven't put the latest patch on yet. No idea if it's mentioned in the patch notes that the security of my account has been lowered without my consent and without proper disclosure to me as the account holder.
I would have been completely unaware of the lowering of my security if I hadn't thought about sticking my head in to CSF to see how the new patch was shaking out, merely from a geeky interest point of view.
I appreciate Daxxarri's post, moreso because I had NO knowledge of the change in security, as well as Kodiac's pointer to (practically) some other random thread.
I just boggle at the lack of notification beyond some forum posts that if I'd not seen, I would've been in the dark. On class changes, game changes etc., I can deal with that. Lack of notification on lowering of default security settings is inexcusable. Seems the only reason Blizz wanted to contact me recently is to flog me an annual pass. This tells me that $ > safety. Far less inclined to resub now than ever before.
/rant
Ummmm, welcome to 5 months ago. I guarantee you with absolute certainty you do not have a single new idea to add to this discussion that has not been said 14,000 times already.
66 Undead Mage
675
Good change, interesting timing. Was there a groundswell of support among WoW users to restore the original authenticator policy using a bypass opt-out or did security concerns enter into the picture?
100 Tauren Druid
12355
I echo a couple of previous comments - I travel a lot and play from hotels using a laptop. Every hotel I have to go through the password reset. It gets a little frustrating. I understand there are cases of authenticator accounts being hacked - but it's my belief if I'm using a strong password (heck my e-mail address is hard enough to figure out) and an authenticator, I'm the type of account a hacker would move on to easier prey.

It's probably not in my top five annoyances with WoW, and have enough of an Information Security background to understand the reasoning - I just believe a password reset for every new IP address is risk mitigation above and beyond what is necessary for a game.
85 Night Elf Druid
3355
No. It means that for the paranoid among us, there is now a way to be challenged on each log in. See Noxine's post above for a very good tech explanation of the why's and wherefore's of the bypass system.
100 Blood Elf Hunter
16865
It gives back an extra layer of protection from player, in less than ideal living conditions. It helps to prevent problems caused by spiteful or mischievous household members, who know a player well enough to guess their log in information (little brothers/sisters can be such a pain at times).
100 Human Mage
17925
12/02/2011 11:22 AM Posted by Bubbabear
No. It means that for the paranoid among us, there is now a way to be challenged on each log in. See Noxine's post above for a very good tech explanation of the why's and wherefore's of the bypass system.


That's the narrow way of looking at it. If a parent wants to easily ground their child from playing the game, now they can.
100 Human Mage
17925
11/29/2011 11:36 PM Posted by Huatar
Just for clarification, this means that IP-detection is no longer effective and I can log in from any location I want outside of my home, without having to change my password?


I would give anything to opt-out of this. I had to change my password again this morning because of this. It would be nice if we were at least given the option if we use our authenticator at every login.
85 Undead Warlock
5905
I think that will be awesome. I only play WoW at one location and I recently fell for a phishing scheme and I had to change certain configurations so the phisher wouldn't get into my account. I've ordered an authenticator for good measure. My account doesn't appear to be compromised but I'm not taking any chances.
Reply Quote
I play WoW (or at least try to) from 3 total locations, 2 of which are school and one is home, and I hate the fact I cannot log in without having to spend the twenty minutes changing my password. I never minded having to enter in my authenticator code every time; that didn't bother me at all. It's the having to change the password. If I could opt out on this it would make my life, but alas I don't see that happening.
85 Night Elf Warrior
7100
I'd way rather just have to type it in every time. Just an extra measure in case anything should happen with your computer that you actually play on.