06-26-08, 07:23 PM   #1
Sepioth
A Molten Giant
Join Date: Apr 2005
Posts: 894
New layer of security added to protect accts.

I found this little piece of information earlier. I noticed it wasn't posted here yet so I thought I would share the info.

Blizzard Account Authenticator

It's not available just yet but it will be available for $6.50 from the Blizzard Store.

It looks like a great way to completely prevent anyone from ever hacking your account. Honestly though I think it should be free to every registered account. I mean they are making a crap load of money on this game every day.


I had a friend who worked for a VERY LARGE ISP backbone that used one of these. (They provided the government with their internet which was why they had this type of security)

Basically how it works is every few seconds a new number is generated. When you press the button the number is displayed on the LCD (the reason for this is to presumably save the battery from dying by constantly displaying the number). At the same time WoW is creating the same exact number for your account every few seconds. By linking the authenticator to your account it syncs your authenticator to their servers.

The numbers on the authenticator are randomly generated using a specific algorithm (unique in some way from the other authenticator); that same exact unique algorithm is also used by WoW for only your account. Because of this your authenticator and WoW generate the exact same number at the exact same time.

With the amount of authenticators they will be producing there will most likely be a high chance of there being duplicate generators. (In the same way that house keys have several duplicates out there as only so many ridges can be on a key ... eventually the pattern can repeat) But seeing as how you still need your original username and password the chances of this ever being hacked are next to nil seeing how they have only a few seconds to enter the exact same number that only the wow servers know.


The only downfall I really see is what happens when the battery dies or the unit malfunctions. How much of a hassle is it going to be to get back in to WoW?
06-26-08, 07:28 PM   #2
Cralor
Mmm... cookies!!!
 
Join Date: Jun 2007
Posts: 772
This seems really neat. Thanks for sharing!

I too agree it should be free.

To reply to your last question: I think that it should be rather easy to replace or get it fixed if it indeed dies out. They are releasing it to so many people. They must make it easy or people will go insane, lol. With so many people it should be easy to get it fixed.
__________________
Never be satisfied with satisfactory.
06-26-08, 07:53 PM   #3
Dreadlorde
A Pyroguard Emberseer
 
Join Date: Dec 2006
Posts: 2,302
I was listening to The Instance last week, and someone wrote in about an authentication system that was being used where they lived (I don't remember where). You have to call a phone number from a specific phone (you can assign like 2 or 3 numbers to it), and you have about 10 minutes to log in, and if you don't log in in that 10 minutes you have to call again.

Seems pretty nice, I wish I had the option to use it.
__________________

Funtoo - Plan 9 - Windows 7
06-26-08, 11:52 PM   #4
Gemini_II
A Molten Giant
 
Join Date: May 2006
Posts: 762
I was just reading about this this morning and found it very interesting. From my understanding, your account and the Authenticator don't each generate codes, but instead work in conjunction. Since the Authenticator gets "assigned" to your account or accounts, I believe the hash is generated by the token, using some sort of string that comes from your account, thus making this an incredibly secure system. I think you could see a duplicate key, but the chances are astronomical.

Only downside is that you're more or less screwed and at the mercy of the Account & Billing Dept. if anything ever happened to your token.
__________________
Retired prior to 3.2, before all challenge was removed.

06-27-08, 06:49 AM   #5
Sepioth
A Molten Giant
Join Date: Apr 2005
Posts: 894
Originally Posted by Gemini_II
I was just reading about this this morning and found it very interesting. From my understanding, your account and the Authenticator don't each generate codes, but instead work in conjunction. Since the Authenticator gets "assigned" to your account or accounts, I believe the hash is generated by the token, using some sort of string that comes from your account, thus making this an incredibly secure system. I think you could see a duplicate key, but the chances are astronomical.

Only downside is that you're more or less screwed and at the mercy of the Account & Billing Dept. if anything ever happened to your token.
THIS is basically what it is going to be. If not exactly the same technology. Blizzard just had a button put in place that will display the code only when the user wants to see ... thus saving battery life.
06-27-08, 06:52 AM   #6
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
Join Date: Mar 2007
Posts: 818
My mother has one of these as well (she works as an enforcement officer for FINRA, which works closely with the government as well). The number isn't random as was mentioned in this post, but it is based off an AES key. Essentially, it would be EXTREMELY difficult for someone to pick up the algorithm just by watching the numbers you use.

It's interesting to see these in use for a game, but given the level of security some people want for their account, it's certainly a viable option.

Originally Posted by Sepioth
With the amount of authenticators they will be producing there will most likely be a high chance of there being duplicate generators. (In the same way that house keys have several duplicates out there as only so many ridges can be on a key ... eventually the pattern can repeat) But seeing as how you still need your original username and password the chances of this ever being hacked are next to nil seeing how they have only a few seconds to enter the exact same number that only the wow servers know.
No, there will be an extremely low chance of a duplicate keyset. Think of how many keypairs already exist on the internet, and we aren't even close to the threshold. If you consider 128 bit keys (I have no idea what they're using), we have 3.4x10^38 keys to use. Significantly higher than the 10 million-strong playerbase they boast about. RSA offers 128, 192, and 256-bit keys in their devices.

Originally Posted by Sepioth
The only downfall I really see is what happens when the battery dies or the unit malfunctions. How much of a hassle is it going to be to get back in to WoW?
When the battery dies, you replace it. The key is surely stored in ROM, and it is NOT a random number, it's based off time. The device should have an internal battery as well which serves only the purpose of providing backup power to an xtal oscillator or whatever other means they are using of keeping time, which should last a very long time. This is how your computer keeps time even after you unplug it or remove the battery from your laptop.

Malfunctions, on the other hand, you'll have to contact account services for. However, given that this can be done with an extremely simple microcontroller, an xtal, a couple of resistors and an LCD panel, there is extremely low chance of failure. It is not a complex piece of equipment.

BTW: This is not a new technology. Check out RSA's page on it and what it's all about: http://www.rsa.com/node.aspx?id=1156
__________________
Indeed, I saw with my own eyes
one era come to an end.
But that my own turn would come next
is something I did not want to know.
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/

Last edited by Shirik : 06-27-08 at 07:31 AM.
06-27-08, 09:25 AM   #7
Seerah
Fishing Trainer
 
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
My husband's insurance company started using these a year or so ago. When he wants to connect to their database, he gets it out, sets it next to his work laptop, presses the button, and logs in. He said that for only $6.50 he might get one for WoW.
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

06-27-08, 10:23 AM   #8
Kaomie
A Scalebane Royal Guard
 
Join Date: Jan 2007
Posts: 438
This is called strong authentication, in that case with something you know (your password) and with something you have (your token). I used to manage home VPN access with SecurID tokens, but then we replaced them with a PKI and certificates on the users' PCs.

When the token dies it's easy to replace, we used to have a webpage where you enter your previous token serial number, your new token serial number (usually at the back of the token), then you have to enter two subsequent pseudo-random numbers displayed on the new token to synchronize the algorithms and it's done. Just have to call support before to have them send the new token and set the account to "discovery" mode.
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel
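How a token and a server can arrive at the same number from a shared secret and the time, and the two-code resync described in post #8, as an added example (not from any poster, and not Blizzard's or RSA's code). It uses the open HOTP/TOTP construction (RFC 4226/6238, HMAC-SHA1) as a stand-in for the proprietary algorithm; the 30-second step, 6 digits, the `Token`/`Server` names and the secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # assumed values; the thread only says "every few seconds"

def code_at(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC the step counter, truncate to DIGITS decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

class Token:
    """Stand-in for the key fob: fixed secret plus its own, possibly drifting, clock."""
    def __init__(self, secret: bytes, clock_error: int = 0):
        self.secret, self.clock_error = secret, clock_error

    def press_button(self, true_time: int) -> str:
        return code_at(self.secret, (true_time + self.clock_error) // STEP)

class Server:
    """Holds the same secret per account; tracks drift and the last accepted step."""
    def __init__(self, secret: bytes):
        self.secret, self.drift, self.last_used = secret, 0, -1

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        base = now // STEP + self.drift
        for c in range(base - window, base + window + 1):
            if c > self.last_used and hmac.compare_digest(code_at(self.secret, c), code):
                self.last_used = c  # a code is accepted once; replays are refused
                return True
        return False

    def resync(self, first: str, second: str, now: int, search: int = 20) -> bool:
        """Find the step where two consecutive codes match, then store the offset."""
        base = now // STEP
        for c in range(base - search, base + search + 1):
            if (hmac.compare_digest(code_at(self.secret, c), first)
                    and hmac.compare_digest(code_at(self.secret, c + 1), second)):
                self.drift, self.last_used = c + 1 - base, c + 1
                return True
        return False
```

Requiring two consecutive codes during resync is what lets the server search a wide range of time steps without a single guessed code being enough to match.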
06-30-08, 08:29 AM   #9
Charvel
A Fallenroot Satyr
 
Join Date: Feb 2008
Posts: 22
I plan on getting this as soon as it is available. I don't care how much it is. Over the weekend I had my account hacked. Waiting impatiently for Blizzard to get to work so I can call them.

--On that note, does anyone know of an addon that tracks ingame mail sent/received? Seems like this would come in handy in finding out who the hacker's characters (or friends) were since they usually sell your gear and send the money to somebody (assuming they don't transfer your character).

Last edited by Charvel : 06-30-08 at 08:56 AM.
06-30-08, 09:13 AM   #10
Sepioth
A Molten Giant
Join Date: Apr 2005
Posts: 894
Originally Posted by Charvel
I plan on getting this as soon as it is available. I don't care how much it is. Over the weekend I had my account hacked. Waiting impatiently for Blizzard to get to work so I can call them.

--On that note, does anyone know of an addon that tracks ingame mail sent/received? Seems like this would come in handy in finding out who the hacker's characters (or friends) were since they usually sell your gear and send the money to somebody (assuming they don't transfer your character).
The problem with tracking that info ... which can easily be done ... is it is saved on their computer not yours so you would have no way of seeing it anyway. Only Blizzard could get that info and they would never give it away ... I'm sure they look into that stuff on hacked accounts though.
06-30-08, 10:00 AM   #11
Seerah
Fishing Trainer
 
WoWInterface Super Mod
Featured
Join Date: Oct 2006
Posts: 10,860
Rather... the addon would be installed on your computer, not theirs.
__________________
"You'd be surprised how many people violate this simple principle every day of their lives and try to fit square pegs into round holes, ignoring the clear reality that Things Are As They Are." -Benjamin Hoff, The Tao of Pooh

06-30-08, 03:10 PM   #12
Sepioth
A Molten Giant
Join Date: Apr 2005
Posts: 894
Originally Posted by Seerah
Rather... the addon would be installed on your computer, not theirs.
Of course .. forgot to say they would need to install the addon too ... which I doubt they would
07-07-08, 07:24 PM   #13
Nicedoggy
A Murloc Raider
Join Date: Jun 2008
Posts: 8
Looks great, but I agree they should come with the subscription.
