Blizzard Authenticators May Become Mandatory
An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks: in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."
Re:No thanks (Score:5, Interesting)
what about if this starts a trend and all online games start to require such?
This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId [openid.net].
Re:Waste o'money (Score:3, Interesting)
No doubt if Blizzard made this mandatory, they'd cover the cost of the devices themselves. It's probably not going to go down well if they suddenly prevent players logging in unless they pay an additional, one-off fee. Many people would see it as a bad precedent.
Furthermore, they'll probably either supply them with new copies of the game, or only "enable" it (and send it out) to accounts that are more than say 3 months old (as they're arguably not going to have much worth stealing and by then the cost of the device will have been covered in the monthly fees).
Re:Umm why? (Score:0, Interesting)
So, this is not for the players, but because making the game work is too hard for Blizzard. Thanks for the heads up.
Re:No thanks (Score:1, Interesting)
First, every heavy web user has a huge number of logins. Sure, some people use the same passwords for all the web sites they use but that doesn't make them the same logins...
Second, are you implying the passwords we use only bi-weekly (or even once a year) are not important, that remembering them is not required? I use my login at the domain name registry every three years but I consider it fairly important.
Re:No thanks (Score:3, Interesting)
1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.
And, I have to say, does it make me an idiot that I'd rather spend 5 seconds each time I log in (maybe 10 seconds a day) using something like this, instead of spending 5 minutes (or hours, when patches are completely broken) every day keeping my computer secure? Hm... 10 seconds and I get extremely good (as in, it works to protect banking it'll damn sure be enough to protect my ability to slay Internet Dragons) security vs. 5 minutes (or more) and MAYBE my security is good, but maybe whoever distributed the patch screwed it up... Yeah, I guess only idiots would need or want to use this!
2) Is your time really worth so little that having to re-do something to get back to where you were if your account got hacked isn't a bother? Or maybe you just really like redoing stuff? I liked getting my characters to 80 and getting them geared up, too, but now that they are I'd really rather not have to redo it because someone slipped an ad with malware attached through to a site (slashdot) that I'm trying to support by not blocking ads...
3) Double sided tape. I have mine attached to my monitor because that's the only place I'd use it. I've lost my glasses when I was wearing them atop my head; I've not lost this thing yet because it's stuck to my monitor. I even didn't have a hard time reattaching it to the new monitor I just bought.
Blizzfail! (Score:3, Interesting)
Re:No thanks (Score:1, Interesting)
Our friend was recently hacked and watched (in frustration and panic) over the shoulder of another player as the account was being looted, while on the phone with Blizzard trying to get it stopped.
The friend complied with your item 1, and was not naive or careless.
Item 2 is just outright wrong for an account with multiple raid geared 80s, valuable crafting supplies, and some items that may have taken a year or more to earn the tokens for. In addition, if not detected and immediately blocked, the guild bank can be looted too. Sometimes the guild bank is looted first.
And sometimes it isn't just gear transferred, vendored or DEed, but talent points reset, character move paid for with your credit card of record, and other vandalism.
Item 3 worries me a wee bit (I would like to have more than one authenticator bound to the account or a way to swap in a new one on short notice), but the device appears to be reliable if it works when it arrives. They have been known to be damaged in the mail, but the infant mortality is low.
So if you think you don't need it, maybe not mandatory. How about if you don't use it, you can't request restoration? If you are hacked, and your account data is taken, you have to open a new Blizzard account with a different credit card, and start over?
The irony was that the friend was actually logged in when the hack occurred, was disconnected from the server by it, and during the attempt to relog was confronted with a request for the authenticator code. The hackers had locked the account by binding their own authenticator.
Restoration delays can be days or weeks and are usually incomplete. In the meantime, raiding in your underwear requires some very patient or overgeared companions.
Re:If you can install a keylogger, you've already (Score:3, Interesting)
So you're going to pay someone to sit there waiting for a 30 second window in which some random compromised account logs in? That just doesn't make sense. Even at Chinese farmer rates.
Why pay somebody to sit in front of a computer? It can all be automated. The receiving program automatically logs in, and then pages, messages, whatever, the person to come clean out the account. Also, there are bots to automatically clear out guild banks, sell things, etc. I don't think that the thieves consider themselves bound by Blizzards ToS. This just makes their lives a bit more difficult, but nobody said gold selling was easy.
Re:No thanks (Score:3, Interesting)
I am not a fan of anything mandatory, but I do like having it as an option for these reasons:
1: An account stolen can mean tens of thousands of dollars to a blackhat organization which can be used to make nastier keyloggers. Usually the account is then botted out with mining hacks until it trips a Blizzard sensor serverside and gets autobanned. Of course, said account has any goods that are on it stripped and the cash bounced from account to account in order to "launder it".
2: My account is an identity. There are some people whom I can only reach through WoW (people stationed overseas, for example.) So, in-game mail is usually the best way to keep in contact with them. Having that compromised wouldn't be good.
3: Passwords need to go the way of the dodo when it comes to public authentication. I'd love to see a standard replacement (not just OpenID, but something that can be used for authentication on standalone servers not dependent on anyone else's) where one can have the card communicate online to trade public keys, then do offline authentication from there on out, similar to how Bluetooth devices get paired up initially, then function securely when separated. Ultimately, client certificates on a smart card would be the best replacement, but this can be beaten by active malware which intercepts browser requests doing a MITM and displaying bogus info to the user.
Re:No thanks (Score:2, Interesting)
The server for these things resyncs stuff when you enter the code, or when you activate it. That's why you have to enter your code twice in a row when you activate it: it checks which code you entered (to see how many intervals you're ahead or behind), then the second code makes sure it's not a coincidence, and your internal clock is really X*45s ahead.
The Blizzard fob uses 45s clock intervals. Their maker can't use 1 min clock intervals: that's patented by RSA (yup, RSA patented the fob-code-change-every-60s method. An oversight, I presume; I'd have patented every R seconds, where R is a member of the set of real numbers).
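The resync procedure described in the post above, as an added example that is not from the post, from Blizzard, or from the token's manufacturer: a time-based code generator with a 45-second step (HMAC-SHA1 truncation in the style of HOTP/TOTP is an assumption here, not a claim about the real fob), plus a server-side verifier that learns the token's clock drift from two consecutive codes at activation and then tracks small drift on every login. The secret, the code length and the search window are constructed values.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 45   # interval length the post attributes to the Blizzard fob
DIGITS = 6          # assumption: code length used in this demo


def code_for_counter(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style code: HMAC-SHA1 over the interval counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def counter_at(t: float) -> int:
    """Interval counter for a clock reading t (seconds since epoch)."""
    return int(t // STEP_SECONDS)


class Verifier:
    """Server-side state for one token: shared secret, learned drift, replay guard."""

    def __init__(self, secret: bytes, max_drift: int = 30):
        self.secret = secret
        self.max_drift = max_drift      # how many intervals to search at activation
        self.drift = 0                  # token clock minus server clock, in intervals
        self.last_counter = -1          # highest counter already consumed (anti-replay)

    def _matches(self, code: str, counter: int) -> bool:
        if counter < 0:
            return False
        return hmac.compare_digest(code_for_counter(self.secret, counter), code)

    def activate(self, code1: str, code2: str, now: float) -> bool:
        """Two consecutive codes: the first locates the drift within +/- max_drift
        intervals, the second must match the very next interval.  A single code
        searched over 2*max_drift+1 positions is easy to hit by chance; requiring
        the successor code is what makes a coincidental match negligible."""
        base = counter_at(now)
        for d in range(-self.max_drift, self.max_drift + 1):
            if self._matches(code1, base + d) and self._matches(code2, base + d + 1):
                self.drift = d
                self.last_counter = base + d + 1
                return True
        return False

    def verify(self, code: str, now: float, window: int = 1) -> bool:
        """Normal login: accept the code at the learned drift +/- window intervals,
        fold any observed slip into the stored drift, and never accept a counter
        that has already been used."""
        base = counter_at(now) + self.drift
        for d in range(-window, window + 1):
            c = base + d
            if c <= self.last_counter:
                continue
            if self._matches(code, c):
                self.drift += d
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"    # constructed, not a real token secret
    now = 1_000_000                        # fixed server clock for a reproducible run
    token_clock = now + 3 * STEP_SECONDS   # token runs three intervals fast
    v = Verifier(secret)
    ok = v.activate(code_for_counter(secret, counter_at(token_clock)),
                    code_for_counter(secret, counter_at(token_clock) + 1), now)
    print("activated:", ok, "learned drift:", v.drift)
```

The replay guard matters as much as the drift search: once a counter has been accepted it is never accepted again, so a code captured during the 45-second window is useless after the legitimate login, and the narrow per-login window keeps the number of codes a guess can collide with small.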
Re:No thanks (Score:3, Interesting)
Square Enix uses Digipass Go 6 devices, same as Blizzard. Annoyingly, the manufacturer was lazy and didn't develop them to be able to be shared across multiple services using the same hardware (so you can't use the Blizzard tag with Square Enix's services).