Authenticator Changes

Technical Support
Prev 1 20 21 22 26 Next
I thought I had been hacked for a
Better hope someone doesn't clone your IP address or steal your computer.

EDIT: cool change but doesn't it kind of defeat the purpose of security? That would be like not doing a pat search at a security checkpoint in an airport simply because you see the same person come through 5 times a day.

Neither of those would work. By cloning the IP you would be logging in with a different computer so the authenticator prompt would appear. If you tried to move the same computer to a different location the prompt would appear.
Adding in a built-in weakness to the strongest security measure you've implemented since the game's inception is a terrible, terrible move, particularly given the rash of password thefts going on. I don't care how smart this new code is, it can't do anything but weaken the security of an authenticator-enabled account.

The whole point of the authenticator is that it allows for an additional type of shared secret between the user and Blizzard. The password represents the first, something you know. The authenticator is the second, something you have. Adding the authenticator strengthens the security because it's an "and" relationship: in order for someone to break into your account, they need something you know and something you have.

This new code weakens that security by replacing one of those factors with an "or" relationship. A hacker would need your authenticator or whatever combination of data that Blizzard uses to identify you as you. Maybe it's not just your IP address. Maybe it's your MAC address, geolocation, hardware hash, or even a traceroute analysis. Maybe it's all of the above. It doesn't matter, though, because all of those are "something you know" factors and all of them are static and/or spoofable.

By adding this new default case where an authenticator code isn't necessary, you've added a route to bypass that extra layer of security. There's nothing your new code can see that can't be faked, and we're right back to the problem of people having their accounts silently stolen by malware. It'll have to be more sophisticated malware, to be sure, but sophistication isn't a problem for these people. Just look how far keyloggers have come. It doesn't matter how diverse or obscure the digital fingerprint is that you look for. They'll figure it out, and then account security is right back to square one, little better than just a password.

Please, Blizzard, if you value the security of your customers' accounts, scrap these plans. At the very least, make this new feature opt-in. Not opt-out, opt-in. Require by default that we keep entering our authenticator codes every time, and provide an option under our account security settings to enable this new "smart" code. Users that are so inconvenienced by the authenticator code will be able to hamstring their security if they really want to, but at least less knowledgeable players will be less likely to be caught in that trap.
I don't like this

i dont like this at all either. i just crapped myself and come racing to the forums to say ive been hacked they removed my authenticator to see this thread 1st saying its intended.

please reverse your decision on this. even though its a good idea i feel alot safer putting that code in knowing that codes there meaning i didnt get hacked. with it being gone like this i have sooooooooooooooooooo many characters(1 player capped account and 1 almost capped) that i wouldnt notice i been hacked for a few days at least

i do feel safe entering that code but still not 100% as hackers are pretty f'en smart
/me looks at psn and iphone
that kid was 17 when he hacked iphone and now at 21 brought whole playstation network down. a ancient wow database(guessing) would probably be a cakewalk for people like him.

i like putting in my code so i feel my account hasnt been compromised

you guys should really look at rift and copy their coinlock idea

btw just to throw this in there i bet most your reported account thefts are people who sold their accounts then jacked them back using you to gain free money. just saying(cause i know my real life friend has done that a few times)

It wasn't that kid that did it. He "Unlocked" The iphone so he could use it for T-mobile. He hacked a psp to play free games and got into the ps3 using linux when Sony found out he did that they were going to put a law suit on him but he promised he'd never mess with another sony product again (Hacking Wise) He was not the one that did PSN.

From what I've heard they won't just be going off of IP for this new feature but many other very secure ways. I'm sure there will be an Opt-out feature because of all the QQ but in all honesty, it won't be needed. I didn't get an authenticator until 6 months ago and I've been playing for four years and never been hacked. Just keep your password to yourself and be a smart user.
Taking away the need to use authenticators in any location does not in any way make it safer, it simply adds more coding to test, more process to make sure, and negates the need for authenticators for the majority of players in the first place, making you wonder why you have them at all. All in all: It's to make players more lazy.

I really don't like this. Some of us like to have to input those numbers, reguardless of where we are. I don't want it to stop asking for my authenticator. How about we stop worrying about how to make WoW players -more- lazy and worry about keeping them safe and happy?
If they do this smartly (ID generated with Hardware + IP), it will be fine.

However, when I used the Dial-In Authenticator, I was hacked twice AND I moved TWICE and NEVER saw the prompt (and apparently neither did the hacker). It was a really #%*%ty system or had some serious bugs. I hope this isn't the same system.
Thanks for making my highly effective keyfob into into something as week and lam as the dial in Authenticator.

Tell me did the same geniuses that thought RealID for the forums, or the taking away the Exulted title from players who already earned it, think this one up too?

I freaked out when it wasn't asking me for my authenticator, but this is great news!
06/16/2011 04:45 PMPosted by Deadbabyseal
Nice try. The problem with your static IP address approach is that I can't just go out and purchase your IP address. Static IPs are still assigned by your ISP.

Ok, let me lead you down the path then.

I find out your routable IP.

I use a computer directly connected to the Internet, instead of through a NAT.

I change my IP to yours.

My ISP is vaguely shady. After all, they've serving evil bastards like me. So they do nothing.

And now I am using your IP. A few broadcasts to tweak the relevant routing tables, and I get your packets.

Or if I happen to have the same ISP as you, it's even easier.
I really don't like this. I happen to play wow from a Lan cafe when i raid and i don't want it memorizing my ip from there and making it so someone could log in from that computer without my authenticator code.
Also don't like this. Entering the numbers takes all of five seconds. Would like the ability to opt out of this.
Scared the hell out of me just now. I prefer using my token every time - that way I know that there is no way that my account has been compromised.
I'm also am very interested in the ability to opt out of this. It seems ridiculous to me to implement a two factor authentication security system and then not require the actual code generated by the device be entered. I realize recent events have called into question certain aspects of the technology, but I would still prefer to actually enter a code rather than rely on the system to decide that I'm logging in from an "authorized" location. There really needs to be an option you can change in one of the config files or a setting you can select in the launcher to change this behavior.
Ok, let me lead you down the path then.

I find out your routable IP.

I use a computer directly connected to the Internet, instead of through a NAT.

I change my IP to yours.

This is absolutely not possible. You are displaying that you know nothing at all about how local networks and network routing works.
Please tell me there will be an option NOT to use this "feature..."

I do NOT like this. And would much rather type in my code every time than have reduced security.
Love this change, thank you!
06/16/2011 04:54 PMPosted by Khaarg
This is absolutely not possible. You are displaying that you know nothing at all about how local networks and network routing works.

Thank god there are people like you in the world. I make a lot of money doing things people like you say is absolutely not possible.
Blizzard, Will you please explain EXACTLY how this works but don't use any big words because obviously these people can't handle it. It's secure folks please quit QQing blizzard gets enough of it.
So if anyone takes over my comp and is able to log in with the credentials i keep on my desktop in a note pad file.. I am screwed? Or what about friends who come over or my pissed off girl friend?

The authenticator was my ace in the hole.. as it were.
06/16/2011 04:56 PMPosted by Texi
Thank god there are people like you in the world. I make a lot of money doing things people like you say is absolutely not possible.

Alright, here is your challenge.

Change your IP address to the same IP address as Google. Put up a web server so I can see a message from you.

If you can accomplish that, come back here and I will gladly hand over the deed to my nice, but not overly lavish 5 bedroom home paid courtesy of my 10+ years at 3com.

Put up, or please please please, shut up.

Join the Conversation

Return to Forum