Authenticator Changes

omigawd I love you
I assume this is the additional authenticator functionality that is the reason for the authenticator field being removed from the main login screen?

Will this system also apply to web site functions, such as the forums or remote auction house? If so, I assume account management would still prompt for a code.
I really, REALLY don't feel comfortable with this. I bought the authenticator as an extra step of protection. This effectively removes that extra step from someone at my same location. Granted, the chances are slim, but it still exists.

Additionally, what about location or IP spoofing? How is this covered?

If this has to be implemented, give us an option to opt out so that we have to enter the code every time if we choose, much like we can choose to save our user name or not.
I'm absolutely sure that Blizzard would use some form of verification that utilizes a computer's MAC address (or MAC addresses), public IP address and possibly the LAN IP address coupled with some sort of hash sent from the server back to the client from the last successful login using the authenticator. I'm also sure they would allow users to have to opt in to this instead of out (and be able to do so).

I'm absolutely SURE about this, because that is what I would do, and I would hope the minds at Blizzard get paid more than I do and know more than I do. I would hope.

If it works like that, this is an awesome change.
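A sketch of the kind of scheme the post above guesses at, as an added example; it is not Blizzard's implementation, which the thread does not describe. The key, token lifetime, /24 network binding and all function names are assumptions, and the `always_require` flag models the opt-out that several posters ask for.

```python
import base64, hashlib, hmac, ipaddress, json

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 7 * 24 * 3600             # assumption: a remembered login lasts one week

def _network(ip: str) -> str:
    # Bind to the /24 rather than the exact address (IPv4 only in this sketch).
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def _claims(account, device_id, ip, expires):
    # device_id (e.g. a MAC address) is client-reported and spoofable; it only
    # narrows where the token is accepted. The trust comes from the server's HMAC.
    dev = hashlib.sha256(device_id.encode()).hexdigest()
    return {"acct": account, "dev": dev, "net": _network(ip), "exp": expires}

def issue_token(account: str, device_id: str, ip: str, now: int) -> str:
    """Called only after a login that included a valid authenticator code."""
    claims = _claims(account, device_id, ip, now + TOKEN_TTL)
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag

def needs_code(account, device_id, ip, token, now, always_require=False) -> bool:
    """True when this login must still be challenged for an authenticator code."""
    if always_require or not token:
        return True
    try:
        body_b64, tag = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return True                      # forged or modified token
        claims = json.loads(body)
    except (ValueError, TypeError):
        return True                          # malformed token
    # Account, device and network must all match what was signed, and the
    # token must not have expired; anything else falls back to the code prompt.
    return claims != _claims(account, device_id, ip, claims["exp"]) or now >= claims["exp"]

if __name__ == "__main__":
    dev = "aa:bb:cc:dd:ee:ff"                # constructed sample values
    tok = issue_token("player1", dev, "203.0.113.25", now=1000)
    print(needs_code("player1", dev, "203.0.113.77", tok, now=2000))  # same /24
    print(needs_code("player1", dev, "198.51.100.9", tok, now=2000))  # new network
```

A token copied off the machine is still rejected from a different network, but software running on the remembered machine itself is inside the trusted location either way.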
So much QQ going on though. Honestly guys, you use your authenticator to keep friends & family out? You seriously need to learn how to use a password. If you do not write it down or make it anything obvious, they can't get a hold of it. I'm sure Blizzard will make an opt out feature since people can't use a password properly.
The only way I see this working (and I would still have doubts) is that all login communication with the server includes the whole route the packet does, which can vary during different attempts.

IP means not having the same route for every packet.

(In practice they do almost all the time. But there's nothing wrong with data that goes through Chicago vs. St. Louis.)
Hey All,

Well I love the Idea.

We do need an Opt-Out feature... Why, because we pay you for this game.
So you are our employees and should do as we ask and not question it...

Truly we also know that a team of Hackers is stickling everyone and every part of the world.

Sony, Google, and the CIA all got hacked. Also Blizzard can be hacked...

So do us all a favor and let us pick if we want to keep using the tools we pay for to keep safe...

I have spent 5 years playing my toons and I do not need any one messing with them...
I do not like this. Having to input a code every time I log in is a small price to pay to make sure my account is secure. I would like to continue to do so.
We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code.

This is kind of like an announcement from Bank of America saying they've updated their ATMs to "intelligently" know that it was you that input the ATM Card and no longer require a PIN for withdrawals.
I don't like this

i don't like this at all either. i just crapped myself and came racing to the forums to say i've been hacked, they removed my authenticator, to see this thread 1st saying it's intended.

please reverse your decision on this. even though it's a good idea i feel a lot safer putting that code in, knowing that code's there meaning i didn't get hacked. with it being gone like this i have sooooooooooooooooooo many characters (1 player capped account and 1 almost capped) that i wouldn't notice i'd been hacked for a few days at least

i do feel safe entering that code but still not 100% as hackers are pretty f'en smart
/me looks at psn and iphone
that kid was 17 when he hacked iphone and now at 21 brought whole playstation network down. an ancient wow database (guessing) would probably be a cakewalk for people like him.

i like putting in my code so i feel my account hasn't been compromised

you guys should really look at rift and copy their coinlock idea

btw just to throw this in there i bet most your reported account thefts are people who sold their accounts then jacked them back using you to gain free money. just saying(cause i know my real life friend has done that a few times)
Give us an opt out so we can manually enter our authenticator code every time please.
I don't like this

this is a really bad idea
We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code.

This is kind of like an announcement from Bank of America saying they've updated their ATMs to "intelligently" know that it was you that input the ATM Card and no longer require a PIN for withdrawals.
That's a terrible comparison.
your password is quite likely all you need to be safe.

This is true.. However, my account was hacked a few times. I don't even know how, as I didn't even have time on it when it was.. but whatever. The thing is.. those reasons are why I got my authenticator in the first place. Now, if passwords were case sensitive.. then MAYBE they would be secure enough.. but they aren't anymore (I tried, and tested, this.. unless something changed in the last couple of months..)

I paid money for an authenticator so that I could push that little round button and type in those 6 numbers EVERY TIME I want to play. Sure, maybe it seems like a lot of work to some people.. And I do remember tales of people freaking out because they were too rushed and typed their key wrong and caused a wipe and everyone got mad at them... So give them this feature.. let it be something that is a little checkbox next to the "remember my account name" or something..

I'd like to see a good reason why this shouldn't be OPTIONAL. Lots of people saying "omg yes! Please don't listen to the whiners" but again.. Blizzard has BOTH systems available... OR did anyways. All they'd need is just a tiny bit more code to record and act upon whether I want to use my authenticator or not... Why is this bad? (And before you say "cause it'll take dev time".... it'll probably take less dev time than implementing/coding the "smart tracking" in the first place...)
I would also like an opt out feature, parental controls do not fit my needs but the authenticator does.
Yes, but naive developers consider them unique serial numbers. So theoretically the WoW client could read the MAC address of your NIC and transmit that as a pseudo-serial number.

And naive developers aren't developing WoW. If you believe that the WoW developers are naive enough to use MACs in this manner, then you should also be concerned that they might be transmitting your password and authenticator code in plain text, or that they've invented their own encryption algorithm to handle security.

Nice try. The problem with your static IP address approach is that I can't just go out and purchase your IP address. Static IPs are still assigned by your ISP. I work at an organization that spends tons of money to have a full block of 255 IPs. We didn't get to choose the first 3 bytes.
But if you are able to do that, then you're already able to break into my account even if I am required to use an authenticator every time. If you have full control of my computer, there's nothing I can do to stop you.

Correct. In fact if I were sufficiently motivated I can do any number of nefarious things from your computer. Fortunately, I work for the "good guys".

The reason for the opt-out is not because it is 100% secure. The reason for the opt-out is so that there are a lot of targets that are easier to attack. There's no reason to go for a hard target when there's plenty of low-hanging fruit.

So those that are more paranoid can click the checkbox. Those that want more convenience leave it unchecked.
The main reason for authenticators was to stop keyloggers. The people who were using keyloggers to find your password also figured out a way to steal your authenticator password immediately and just input it themselves from their system.

If you are logging in from the same location consistently, you do not need an authenticator password every time unless for some reason you like giving out your password to friends/family or you use a public computer (/facepalm if you do). This change will make your account more secure due to the fact that keyloggers will not have the opportunity to steal the authenticator password from your system, but if they do get your login password, they will still need to enter the authenticator code (which they won't have) because they will not be in the location that YOU consistently login from.

People who are scared that this will be more of a security risk do not understand how the authenticator really functions or how keyloggers work, I guess.
If you're worried about your sister, brother, etc logging into your account because you live together...

You do know you can put a password on your computer, right?
Hah, I noticed this earlier and was confused. I thought I hacked my own account *gasp*!
Why all the QQ? First off, if a roommate or someone in your house knows your password, CHANGE it. You REALLY think that you're going to get keylogged and then your IP spoofed? Read post 3. If you log in from a different machine, unless from home, then you're obviously going to have to input an authentication code.

I applaud this change, as having to continuously input this code every time I logged in was getting annoying. It's also nice for when I DC during a raid, so I can log in much quicker.

