Blizzard Authenticators May Become Mandatory

An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually forgone conclusion that it will happen.' This comes after large spates of compromised accounts left Bizzard game masters severely backlogged by restoration requests."

get used to it. this is going to be common

[timmarhy]

it's ironic that 10 years ago many professional applications used dongles for licensing and access. now it's basiclly comming back in.

i think it's a good thing though, if it wasn't for lax security there wouldn't be so many theifing pricks in the world. no we just need to convince credit companies to use the same level of security that a bloody computer game uses and we might all be better off.

Re:iphone app?

[Microlith]

Why not a PC app? Potential for compromise. A keyfob removes all question.

And why not educate users? Because blizzard doesn't have the time or money to deal with angry children who refuse to remember a random 8 character password. Never mind people who do have a good password and log on via their friends compromised system.

Re:No thanks

[grumbel]

but what about if this starts a trend and all online games start to require such?

Maybe secure login will then become a common practice and devices will be standardized and we will live in a bright shiny future where login is no longer done by the most primitive system imaginable.

I mean seriously, passwords are among the weakest chain when it comes to security today and not something that can be fixed by 'educating the user' (last time I counted I had around 100 password), it wouldn't hurt to replace them with something that is more secure and more comfortable to use, even if it might be a bit painful at first.

Re:Waste o'money

[compro01]

You want to have to go through email/text every single time you log in vs. pushing a button on a key fob and typing in 6 numbers?

The hardware in question costs $6.50. This is a game you're already spending $15/month on.

Re:Umm why?

[neokushan]

Because hijacking accounts and stealing gold and items from players to be sold on is actually quite a lucrative market. If you can't farm gold because the bots are detectable or because that little chinese kid costs too much money to pay, why not just steal it?

Re:This uses the standard Ace / RSA system right?

[Jthon]

Blizzard does have several soft token schemes which don't require that you purchase a physical authenticator. There's an iPhone app you can get for free and use to do generate an access code. They also have apps for a few other phones available.

The only thing they don't offer is a PC application and this is intentional. Using a PC app means some virus/trojan could run your pc authenticator and capture the code which makes it decidedly less useful.

Re:No thanks

[MORB]

I would hate for it to become mandatory. I just don't need it because (and I don't think I'm alone with these reasons):

1. I'm not an idiot and am careful enough that someone stealing my account is unlikely
2. Losing my wow account wouldn't even be a big deal to me, it's not like leveling a character and gearing it up takes ages
3. I don't want to rely on a physical object that I can lose or misplace to log in into a game.

Not going to solve your problems

[selven]

2008: Oh no, I forgot my password! I need to call Blizzard for help!

2011: Oh no, I lost my authenticator! I need to call Blizzard for help!

Re:Umm why?

[thesandtiger]

Is your time worth $0?

Many people playing these games have hundreds or thousands of hours spent playing - a $7 device and 5 seconds each time you log in is a pretty fair price for protecting that time spent.

Even if this were entirely a benefit to Blizzard and completely neutral for the player, it still actually would benefit players: less support staff time spent on "I got my account hacked!" means that players with other problems can get tickets answered more quickly.

Re:No thanks

[Kjella]

1. Most people who have their account stolen probably think the same
2. That probably works both ways, if you don't care much then maybe you won't
3. It's hardly worse than a CD check (a physical object needed to play)

In general, I disagree about the "no big deal" - at least not to Blizzard. I have lost lots of savegames on occasions, particularly one nasty hdd crash, and the result is that I look at it and go "Meh, I'd have to do all that over again" and end up never getting started. You don't need to be an epic-spec'd god to think it's extremely frustrating going back to fighting lvl 1 creatures with your puny sword of dullness. For a single-player game then who cares, they got their money already and I'll probably find a new one and everyone will tell me I should have taken backups. Lose your WoW account? Straight hit to their revenue, plus other players fear it'll happen to them and there's no easy way to make sure their machine never will be compromised and their login stolen.

Basically, you're not worried because you're not the one taking most of the hurt. Like I don't fear that much that someone will abuse my visa card, unless I've been careless my exposure is quite limited. But visa definitely cares, which is why I got a free new card with chip in addition to the magnet stripe. To be honest, they're probably more worried about losing customers like you that just don't care that much. The wowholics would be back at grinding pretty soon no matter what.

very wrong

[ccozan]

• I think you have never played WoW. So you don't know how much work is put into building a char and keepup with the challenges. Losing this because your Windows allows malicios code to run equals to a cataclysm ;).
• Blizzard has _nothing_ to do with incompentence of users which allow keyloggers and stuff on their computers. The fact that Blizz allows the recovery of your items/gold on _their_ costs, is a fact that you will never find anywhere else.
• 3. the authenticator is 7 euro. This is two beers. I find it acceptable if i can keep my account thus protected.

Re:No thanks

[insufflate10mg]

Right, right, but his complaint does make sense. I believe in WoW one may have multiple characters per account; one his character's has the ability to "cut gems" and the others have different abilities. As of now, both he and his friend know the account password; when his friend isn't around, he logs in to the account using the shared password and uses the gem-cutting character. If WoW was to implement the fobs/mobile authenticators as a default and mandatory security measure, he would no longer be able to share the account with his friend and it would become far more difficult to use his friend's abilities on a whim. It's an understandable concern (whether WoW account sharing is encouraged or discouraged) because it is very popular for friends to share accounts.

Re:No thanks

[thesandtiger]

You misunderstand - I'm saying that it is possible (easy, in fact) to get your WoW information stolen without you, personally, being an idiot, not that many people who play WoW are not idiots. I do suspect that a large portion of the accounts that have been compromised belong to people who take less precautions giving that information out than they do with their credit cards - but that's not the only way it can happen.

I was objecting to your seeming "all or nothing" categorization of people as idiots or that people who are not idiots cannot get their accounts hacked.

As to the tape - you can get it with velcro, which will let you remove the thing to bring with you. Or get the version for your phone. It isn't like there's "all kinds of crap" taped to my monitor, either. Certainly if your desk is so messy you would be prone to misplace your fob, a thing taped to your monitor will not mess up the space even further!

The real REASON for authenticators

[ukyoCE]

Let's not forget the real reason authenticators are becoming mandatory. It's because accounts are getting hacked, sure, but why are accounts getting hacked?

Because there are idiots paying real life $$ for in-game money, which they get by hacking accounts and selling off their stuff. The customers of these websites are paying these hackers to take over people's accounts, effectively.

Do away with the monetary incentive, and accounts wouldn't be getting hacked.

Re:No thanks

[Late Adopter]

OpenID is web-based. That may work for WoW, but it's a non-starter for a long-term SSO solution.

How about Kerberos or something based on it? Is there a real need to reinvent the wheel?

Re:No thanks

[Snaller]

"This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId."

And the hackers than you - now they only need one password to hack all your sites.

Re:No thanks

[Ckwop]

That's why so many sites are adopting OpenId.

I'm not sure why people are adopting OpenID. It requires all this extra overhead of going to and from an additional authentication server. It's a complicated protocol and complexity breads insecurity.

If I use OpenID I've gone from one point of failure (the compromise of my computer) to two points of failure (compromise of the OpenID provider and compromise of my computer). There's actually a third potential point of failure in that the OpenID protocol could be flawed in some way, which compromises all OpenID providers.

What's wrong with entering a entering a username, the site replying with a challenge token? I then sign the token with my PGP key and access is granted. You could make this extremely painless by making a browser plugin that handle most of the leg work.

Now I'm back to a single point of failure and the security of the login authentication has been substantially improved. With OpenID I've created a separate point of failure and I'm still stuck using crappy password authentication.

OpenID is a pretty crap solution to this problem.

Simon

Re:No thanks

[Wingman 5]

*cough*TPM [wikipedia.org]*cough*

Re:Umm why?

[petermgreen]

Afaict in most MMOs you get ahead by spending more time "grinding" at the game than other people. Skill helps too at least to some extent.

The thing is some people want to get ahead without the effort and/or get further than they reasonablly could on thier merits alone so they bend or break the rules. This phenomenon isn't unique to computer games, look at how many sportsmen over the years have used drugs to get ahead.

Now in MMOs one of the common ways of breaking the rules is to trade real-world money for ingame money. Of course this ingame money has to come from somewhere. That means either

1: paying people to "farm" for it
2: writing bots to "farm" for it
3: stealing it

Afaict all these techniques have been used by WOW gold-sellers.

Other than completely getting rid of the in-game economy or restricting it so much that everything feels horribly forced or selling in-game currency for real money at knock-down prices (a cure that I think would be worse than the disease) I don't see any real way to stop real money trading.

What gives Blizzard the right to do that?... Well.

[Petersko]

If you are a player of WoW, You agree to the terms of service. That means you and Blizzard "agreed" you wouldn't share/sell the account.

So, in essence, if you play the game, you, specifically, gave them the right.

Re:What gives Blizzard the right?

[BigFire]

It's their game. You are only leasing it from the at $14.99 a month. Read the EUA.