Blizzard Authenticators May Become Mandatory
An anonymous reader writes "WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."
Most of them are not USB devices. Just simple fobs with a push button and cheapo LCD display.
I think it's a good thing though; if it wasn't for lax security there wouldn't be so many thieving pricks in the world. Now we just need to convince credit companies to use the same level of security that a bloody computer game uses and we might all be better off.
If you mod me down, I will become more powerful than you can imagine....
Why not a PC app? Potential for compromise. A keyfob removes all question.
And why not educate users? Because Blizzard doesn't have the time or money to deal with angry children who refuse to remember a random 8-character password. Never mind people who do have a good password and log on via their friend's compromised system.
They're $6.50.
http://us.blizzard.com/store/details.xml?id=1100000822
upon the advice of my lawyer, i have no sig at this time
but what about if this starts a trend and all online games start to require such?
Maybe secure login will then become a common practice and devices will be standardized and we will live in a bright shiny future where login is no longer done by the most primitive system imaginable.
I mean seriously, passwords are among the weakest links in the chain when it comes to security today and not something that can be fixed by 'educating the user' (last time I counted I had around 100 passwords); it wouldn't hurt to replace them with something that is more secure and more comfortable to use, even if it might be a bit painful at first.
The authenticator is hardly $25. In the US, it's $6.50 with free shipping, and in the EU it's EUR6.99 also with free shipping. The price covers the cost of the physical unit and (obviously) the shipping. Blizzard's hardly making a killing on these.
For mobile authenticators, the Blizzard Website has more detail. The short version is that the Mobile Authenticator is available on a wide range of phones, depending on provider. Support isn't universal, though.
That said, the only time Blizzard could make Authenticators mandatory would be at a game-changing event, like the release of the next expansion. If they go ahead and do that, they'd probably throw Authenticators in the box, to automatically have near-total distribution. Their biggest concern is probably whether they can source a few million of them.
The long and short of it is that account theft is a big problem, both for Blizzard and for people who play WoW. Not everyone has a locked-down system, and phishers are using tactics formerly reserved for actual banks to try to get account info. Players have to deal with having their account possibly stolen, Blizzard has to deal with perpetual requests (some possibly fraudulent!) to restore characters/items, and the game as a whole suffers from the RMT that goes on.
I, for one, welcome our Keyfob and Mobile-Authenticating Overlords.
"Evil company X is threatening to restrict our rights! Let's all get together to stop--OOOH! SHINEY!!!" -- AC
You want to have to go through email/text every single time you log in vs. pushing a button on a key fob and typing in 6 numbers?
The hardware in question costs $6.50. This is a game you're already spending $15/month on.
"what about if this starts a trend and all online games start to require such?"
This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId.
If you have an iPhone you can get the authenticator for free as an app, and they have said they would like to bring it to more platforms in the future (presumably Android, BlackBerry, Maemo and the other major smartphone OSes).
Because hijacking accounts and stealing gold and items from players to be sold on is actually quite a lucrative market. If you can't farm gold because the bots are detectable or because that little Chinese kid costs too much money to pay, why not just steal it?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
No doubt if Blizzard made this mandatory, they'd cover the cost of the devices themselves. It's probably not going to go down well if they suddenly prevent players logging in unless they pay an additional, one-off fee. Many people would see it as a bad precedent.
Furthermore, they'll probably either supply them with new copies of the game, or only "enable" it (and send it out) to accounts that are more than say 3 months old (as they're arguably not going to have much worth stealing and by then the cost of the device will have been covered in the monthly fees).
You seem to have totally misunderstood how the authenticators work. They are decidedly NOT USB dongles.
An authenticator is a changing key generator, which shows you a one-time key when you hit a display button. You then type this key in after entering your username and password to log onto the game. This is very similar to the RSA SecurID token my work requires I use to log onto our VPN.
Basically the keyfob contains a pseudo-random number generator which generates a new key every few seconds. The authenticating server knows the original seed, and can figure out the currently "valid" number shown on the key. Since each code is only valid for about 30 seconds, this makes it significantly harder to hack the account.
In fact this system is more secure than any system my bank uses, as very few banks in the US even give you the option of using a system like this.
Blizzard does have several soft token schemes which don't require that you purchase a physical authenticator. There's an iPhone app you can get for free and use to generate an access code. They also have apps for a few other phones available.
The only thing they don't offer is a PC application and this is intentional. Using a PC app means some virus/trojan could run your pc authenticator and capture the code which makes it decidedly less useful.
I have been using Blizzard's Authenticator on my iPhone for quite a while now and I'm very pleased with it. I can't imagine the devastation I would be in if my WoW account got hijacked. I've spent days and nights developing my characters and it would be a huge loss if I lost them to some script kiddie.
The iPhone Authenticator is like you holding a physical key to your account. Good idea.
I would hate for it to become mandatory. I just don't need it because (and I don't think I'm alone with these reasons):
1. I'm not an idiot and am careful enough that someone stealing my account is unlikely
2. Losing my wow account wouldn't even be a big deal to me, it's not like leveling a character and gearing it up takes ages
3. I don't want to rely on a physical object that I can lose or misplace to log in to a game.
2008: Oh no, I forgot my password! I need to call Blizzard for help!
2011: Oh no, I lost my authenticator! I need to call Blizzard for help!
Is your time worth $0?
Many people playing these games have hundreds or thousands of hours spent playing - a $7 device and 5 seconds each time you log in is a pretty fair price for protecting that time spent.
Even if this were entirely a benefit to Blizzard and completely neutral for the player, it still actually would benefit players: less support staff time spent on "I got my account hacked!" means that players with other problems can get tickets answered more quickly.
Since I can't tell them apart, I treat all ACs as the same person.
Lest anyone think you're insightful or interesting or informative (because your post indicates you are none of these things):
Blizzard is eating the cost of shipping on these inside the US and Europe. They are charging less than $7 for them, which, in addition to the shipping, has got to be pretty near break even. I sourced tokens a couple of years back and we were quoted $10-25 each depending on the supplier.
They are also offering a free version over the iPhone/iPod and for a variety of other devices like Blackberries.
The end result is about 4-5 seconds added to your time to log in, you don't get your account (that you've spent hundreds/thousands of hours on) stolen, and when you do have a legitimate issue in game that requires support there's a better chance someone will be able to help you sooner rather than 3 days from now.
Of course, I suspect based on your post that you don't actually play this game, and probably came in here just to be smug. Is "I won't pay MORE money to play a game I ALREADY paid for" the new "I don't own/watch tv"?
1. Most people who have their account stolen probably think the same
2. That probably works both ways, if you don't care much then maybe you won't
3. It's hardly worse than a CD check (a physical object needed to play)
In general, I disagree about the "no big deal" - at least not to Blizzard. I have lost lots of savegames on occasions, particularly one nasty hdd crash, and the result is that I look at it and go "Meh, I'd have to do all that over again" and end up never getting started. You don't need to be an epic-spec'd god to think it's extremely frustrating going back to fighting lvl 1 creatures with your puny sword of dullness. For a single-player game then who cares, they got their money already and I'll probably find a new one and everyone will tell me I should have taken backups. Lose your WoW account? Straight hit to their revenue, plus other players fear it'll happen to them and there's no easy way to make sure their machine never will be compromised and their login stolen.
Basically, you're not worried because you're not the one taking most of the hurt. Like I don't fear that much that someone will abuse my visa card, unless I've been careless my exposure is quite limited. But visa definitely cares, which is why I got a free new card with chip in addition to the magnet stripe. To be honest, they're probably more worried about losing customers like you that just don't care that much. The wowholics would be back at grinding pretty soon no matter what.
Live today, because you never know what tomorrow brings
1) It isn't a matter of idiocy on the end-user's part when you have major companies releasing extremely exploitable software and patches that introduce even more security flaws. I sure hope you don't run any software that you personally haven't looked at the source, compiled yourself, and know is 100% secure, because otherwise you're an idiot, by your own lights.
And, I have to say, does it make me an idiot that I'd rather spend 5 seconds each time I log in (maybe 10 seconds a day) using something like this, instead of spending 5 minutes (or hours, when patches are completely broken) every day keeping my computer secure? Hm... 10 seconds and I get extremely good (as in, it works to protect banking it'll damn sure be enough to protect my ability to slay Internet Dragons) security vs. 5 minutes (or more) and MAYBE my security is good, but maybe whoever distributed the patch screwed it up... Yeah, I guess only idiots would need or want to use this!
2) Is your time really worth so little that having to re-do something to get back to where you were if your account got hacked isn't a bother? Or maybe you just really like redoing stuff? I liked getting my characters to 80 and getting them geared up, too, but now that they are I'd really rather not have to redo it because someone slipped an ad with malware attached through to a site (slashdot) that I'm trying to support by not blocking ads...
3) Double sided tape. I have mine attached to my monitor because that's the only place I'd use it. I've lost my glasses when I was wearing them atop my head; I've not lost this thing yet because it's stuck to my monitor. I even didn't have a hard time reattaching it to the new monitor I just bought.
I have to admit this is quite funny: in the last few days I had my Battle.net/WoW account banned for gold farming. Not played it in about a year, so I went through the process of trying to establish what happened. Got passwords and so on reset, but the git attached the said "Blizzard Activator" to my account and I'm back at square one and locked out of Battle.net/WoW.
Right, right, but his complaint does make sense. I believe in WoW one may have multiple characters per account; one of his characters has the ability to "cut gems" and the others have different abilities. As of now, both he and his friend know the account password; when his friend isn't around, he logs in to the account using the shared password and uses the gem-cutting character. If WoW was to implement the fobs/mobile authenticators as a default and mandatory security measure, he would no longer be able to share the account with his friend and it would become far more difficult to use his friend's abilities on a whim. It's an understandable concern (whether WoW account sharing is encouraged or discouraged) because it is very popular for friends to share accounts.
You misunderstand - I'm saying that it is possible (easy, in fact) to get your WoW information stolen without you, personally, being an idiot, not that many people who play WoW are not idiots. I do suspect that a large portion of the accounts that have been compromised belong to people who take fewer precautions giving that information out than they do with their credit cards - but that's not the only way it can happen.
I was objecting to your seeming "all or nothing" categorization of people as idiots or that people who are not idiots cannot get their accounts hacked.
As to the tape - you can get it with velcro, which will let you remove the thing to bring with you. Or get the version for your phone. It isn't like there's "all kinds of crap" taped to my monitor, either. Certainly if your desk is so messy you would be prone to misplace your fob, a thing taped to your monitor will not mess up the space even further!
So what, a keychain fob is going to suddenly stop working if it gets near a Linux device? Open source is a powerful thing, but if it now has an aura that destroys all non-GPL devices in a ten foot radius, I'm really impressed.
Also, "thousands of you" means there are as many of you as there are level 80 female dwarf subtlety rogues wielding Quel'dalar. You'd be insignificant even if you *did* all quit the game rather than play on another platform... which you won't.
Let's not forget the real reason authenticators are becoming mandatory. It's because accounts are getting hacked, sure, but why are accounts getting hacked?
Because there are idiots paying real life $$ for in-game money, which they get by hacking accounts and selling off their stuff. The customers of these websites are paying these hackers to take over people's accounts, effectively.
Do away with the monetary incentive, and accounts wouldn't be getting hacked.
OpenID is web-based. That may work for WoW, but it's a non-starter for a long-term SSO solution.
How about Kerberos or something based on it? Is there a real need to reinvent the wheel?
I have an authenticator and not the best eyesight and do not have a problem reading the numbers. Of course, I only got the authenticator because they were giving an in-game pet with it and I am such a geek, I had to have it :) I have been playing since launch, and have never been hacked, but when one of the officers of my guild got hacked and the GB cleaned out (and it took weeks to get only 80% restored) I figured that the investment is well worth it.
Don't rush me, Sonny. You rush a miracle man, you get rotten miracles.
"This business of every application requiring its own password is a problem in itself. (I've got 400 passwords in my Roboform archive!) That's why so many sites are adopting OpenId."
And the hackers thank you: now they only need one password to hack all your sites.
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I'm not sure why people are adopting OpenID. It requires all this extra overhead of going to and from an additional authentication server. It's a complicated protocol, and complexity breeds insecurity.
If I use OpenID I've gone from one point of failure (the compromise of my computer) to two points of failure (compromise of the OpenID provider and compromise of my computer). There's actually a third potential point of failure in that the OpenID protocol could be flawed in some way, which compromises all OpenID providers.
What's wrong with entering a username, the site replying with a challenge token? I then sign the token with my PGP key and access is granted. You could make this extremely painless by making a browser plugin that handles most of the legwork.
Now I'm back to a single point of failure and the security of the login authentication has been substantially improved. With OpenID I've created a separate point of failure and I'm still stuck using crappy password authentication.
OpenID is a pretty crap solution to this problem.
Simon
So you're going to pay someone to sit there waiting for a 30 second window in which some random compromised account logs in? That just doesn't make sense. Even at Chinese farmer rates.
Why pay somebody to sit in front of a computer? It can all be automated. The receiving program automatically logs in, and then pages, messages, whatever, the person to come clean out the account. Also, there are bots to automatically clear out guild banks, sell things, etc. I don't think that the thieves consider themselves bound by Blizzards ToS. This just makes their lives a bit more difficult, but nobody said gold selling was easy.
I want two or more authenticators, and I want them both to be recognized as valid. For instance, if I were to buy an authenticator and then try to log in, it would look at my username, my password, and then do the calculation based on the key- if it matches, it lets me in. If not, it does not. I would like to check my username, my password, and then calculate all the keys I have tied to the account (perhaps there would be a max of five, or ten). If the input matches ANY of them, it lets me in.
Currently, I don't have an authenticator because I travel all the time, and normally, wherever I go, I at least remember to include my brain. Currently I could:
1- Lose an authenticator.
2- Bash it into a wall while tripping over anything.
3- Fall into a fountain- probably it wouldn't get too wet in that time, but hey!
4- Have it stolen- it wouldn't be useful to a thief, but they wouldn't know that.
5- Have the battery be bad or rot.
I've gone through a few cellphones, and a few days with no cellphone can really be bad. I would definitely not want to be on travel for two weeks and be unable to use my fancy laptop to play WoW! Especially given that with a cellphone I can go to any mall and be chatting again in a few hours if it becomes important, but for WoW you have to call up some hotline and identify yourself using whatever secret question I thought would be a great idea 4.5 years ago. The few times I've tested this hotline (granted, not in the last year), I eventually hang up because I'm bored and I can't talk to a human. I would sure hate to be doing that dance for real.
I also don't like the loss of user freedom- currently I can call any of four RL friends up and give said friend my login info if there's something that needs to happen in game, and a few guildies would also probably work. A single authenticator would shut that down unless I was on the phone with them. Blizzard might see this as a feature: according to their extensive ToS, not even your *spouse* is allowed to log into your account.
I am not a fan of anything mandatory, but I do like having it as an option for these reasons:
1: An account stolen can mean tens of thousands of dollars to a blackhat organization which can be used to make nastier keyloggers. Usually the account is then botted out with mining hacks until it trips a Blizzard sensor serverside and gets autobanned. Of course, said account has any goods that are on it stripped and the cash bounced from account to account in order to "launder it".
2: My account is an identity. There are some people whom I can only reach through WoW (people stationed overseas, for example.) So, in-game mail is usually the best way to keep in contact with them. Having that compromised wouldn't be good.
3: Passwords need to go the way of the dodo when it comes to public authentication. I'd love to see a standard replacement (not just OpenID, but something that can be used for authentication on standalone servers not dependent on anyone else's) where one can have the card communicate online to trade public keys, then do offline authentication from there on out, similar to how Bluetooth devices get paired up initially, then function securely when separated. Ultimately, client certificates on a smart card would be the best replacement, but this can be beaten by active malware which intercepts browser requests doing a MITM and displaying bogus info to the user.
*cough*TPM*cough*
Afaict in most MMOs you get ahead by spending more time "grinding" at the game than other people. Skill helps too at least to some extent.
The thing is some people want to get ahead without the effort and/or get further than they reasonably could on their merits alone so they bend or break the rules. This phenomenon isn't unique to computer games; look at how many sportsmen over the years have used drugs to get ahead.
Now in MMOs one of the common ways of breaking the rules is to trade real-world money for ingame money. Of course this ingame money has to come from somewhere. That means either
1: paying people to "farm" for it
2: writing bots to "farm" for it
3: stealing it
Afaict all these techniques have been used by WOW gold-sellers.
Other than completely getting rid of the in-game economy or restricting it so much that everything feels horribly forced or selling in-game currency for real money at knock-down prices (a cure that I think would be worse than the disease) I don't see any real way to stop real money trading.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
If you are a player of WoW, You agree to the terms of service. That means you and Blizzard "agreed" you wouldn't share/sell the account.
So, in essence, if you play the game, you, specifically, gave them the right.
The server for these things resyncs when you enter the code, or when you activate it. That's why you have to enter your code twice in a row when you activate it: it checks which code you entered (to see how many intervals you're ahead or behind), then the second code makes sure it's not a coincidence, and your internal clock is really X*45s ahead.
The Blizzard fob uses 45s clock intervals. Their maker can't use 1-minute clock intervals: that's patented by RSA (yup, RSA patented the fob-code-change-every-60s method. An oversight, I presume; I'd have patented every R seconds, where R is a member of the set of real numbers).
Square Enix uses Digipass Go 6 devices, same as Blizzard. Annoyingly, the manufacturer was lazy and didn't develop them to be able to be shared across multiple services using the same hardware (so you can't use the Blizzard tag with Square Enix's services)
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
It's their game. You are only leasing it from them at $14.99 a month. Read the EULA.