Blizzard Authenticator to be introduced at the Worldwide Invitational
The problem with keyloggers and other methods of account theft has been well documented here at WoW Insider, and it seems like a constant problem. Even the most conscientious of players has fallen prey to it. However, at the Worldwide Invitational, Blizzard is introducing a little piece of hardware that could make those problems vanish. Say hello to the Blizzard Authenticator.
The Authenticator is a small piece of hardware that you can associate with your World of Warcraft account. Once the Authenticator is associated with the account, you will need it to log on. Every time you log on, you press a button on the Authenticator to generate a six-digit code that you must input to log on. Since only you know the code, and it's generated apart from your computer at the time you're ready to log on, it will be safe from trojans, keyloggers, and other hacks.
The Authenticator will be available at the WWI to start, then eventually at the Blizzard Store. The starting price being quoted by Blizzard is $6.50 -- for many, a small price to pay for safety from a ransacked bank and naked, server-transferred characters.
Is this the big announcement though? It's possible, of course, but we like to think there's more in store at the WWI. Stay tuned here, and we'll let you know.
Reader Comments (Page 1 of 6)
Ethan Butterfield Jun 26th 2008 2:22PM
Ok, so they've added SecurID-type OTP authentication. That's actually pretty cool.
Vlatch Jun 26th 2008 2:33PM
What a fantastic idea. If this works correctly, this will be revolutionary to the MMO gaming industry. Someone should have thought of this years ago.
WTG Blizz!
Naix Jun 26th 2008 2:52PM
Hell yea. I am so buying one the day they come out.
Greg Jun 26th 2008 2:25PM
This may just be me, but shouldn't something like this be free if it's being produced by Blizzard?
Ichthus Jun 26th 2008 2:52PM
This is one of those things that the average user really doesn't worry about. However, Guild Leaders and people who do high-end crafting where they have tons of time and effort invested in materials that are difficult to farm might want this as a way to protect their banks.
I've got one of the RSA SecurID key fobs and they're easy to use. There is a random number generator based on a random seed that is generated when it is made. The corresponding random number decoding seed is inputted into the server. Every 60 seconds the key fob generates a new number and the server will know how to decode it based on its own seed (but doesn't know what the actual number is).
When you go to log in, you just read the current number, input it in and voilà. Some systems also have a pin number that you enter at the beginning of the number on the fob. So, for example, if you had a pin number of 1138 and the fob said 001122 you would enter 1138001122 into the blank. If the system you're using doesn't do the pin number thing, then you just enter the number on the fob. There is even a little dot in the corner that flashes once per second and 6 bars on the side that tick off every 10 seconds until the next number change.
The only problem with a system like this occurs on the server end as you have to absolutely make sure that the server is synced with GMT to the second. If the server is a minute off, then the system doesn't work.
ropax Jun 26th 2008 3:02PM
It's just you. One Time Password generators are generally pretty pricey. $6.50 is a very small cost for something like this.
Aigarius Jun 26th 2008 3:02PM
I have one of the new ones from my bank and I need to enter a 4-6 digit pin number on a keypad on the token before the authentication code is displayed. That is a more secure way of doing that pin code thing.
Eternalpayn Jun 26th 2008 2:25PM
I'm buying one. It'll take at least a few months before hackers find a way to get around this. (Most likely with their own little piece of brute-force hardware)
However, $6.50 is a small price to pay for a few months of safety. Even with shipping, it'll be worth it in my book.
Shelby Jun 26th 2008 2:29PM
/agree
Primus Jun 26th 2008 2:49PM
Actually, brute-forcing SecurID is very hard. (I am assuming, for argument's sake, that Blizzard is in fact using RSA SecurID tokens for the system.) Auth codes are only valid for a short duration of time, either 30 or 60 seconds. There is some float designed into the system, to offset the possibility of the token getting out-of-sync with the main authentication server, but even with a brute-force algorithm working the WoW login screen, you can only try so many times in that short window.
The real trick to breaking a SecurID token is to get its seed, usually a 128-bit string. Trouble is, SecurID tokens are tamper-resistant, and will destroy themselves if you try to crack them open.
I'm not saying it's impossible. There are really intelligent and determined folks out there, government, criminal or otherwise, and I'm sure some of them have ways of breaking a SecurID login. But this will put a hurting on the vast majority of keyloggers/trojans/et al.
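Added example, not part of the original post or of any reader comment, and not Blizzard's or RSA's code: a sketch of the server-side check the comments above describe (60-second codes, some tolerance for clock drift, a limit on guesses). SecurID's algorithm is proprietary, so the public RFC 6238 TOTP construction stands in for it; the one-step drift tolerance and the five-failure lockout are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60      # seconds per code, matching the 60-second fob described above
DIGITS = 6     # six-digit codes
SKEW = 1       # assumption: accept one step either side to absorb clock drift


def code_at(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1); a public stand-in, not SecurID's algorithm."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: shares the seed, tolerates drift, rejects replays, caps guesses."""

    def __init__(self, seed: bytes, max_failures: int = 5):
        self.seed = seed
        self.max_failures = max_failures   # assumption: lock after five bad codes
        self.failures = 0
        self.last_step = -1                # highest time step already accepted

    def verify(self, submitted: str, server_time: int) -> bool:
        if self.failures >= self.max_failures:
            return False                   # locked: stops online guessing
        now_step = server_time // STEP
        for step in range(max(0, now_step - SKEW), now_step + SKEW + 1):
            if step <= self.last_step:
                continue                   # step already used: treat as replay
            if hmac.compare_digest(code_at(self.seed, step * STEP), submitted):
                self.last_step, self.failures = step, 0
                return True
        self.failures += 1
        return False


def guess_success_probability(attempts: int) -> float:
    """Chance that `attempts` random guesses hit a code valid in the window."""
    return 1 - (1 - (2 * SKEW + 1) / 10 ** DIGITS) ** attempts


if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed sample seed (RFC 4226 test key)
    print(Verifier(seed).verify(code_at(seed, 60), 130))  # fob one step behind
```

A fob one step behind the server is still accepted, a fob two steps behind is not, and a keylogged code fails when replayed because its time step has already been used.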
Aigarius Jun 26th 2008 2:52PM
Considering that the most secure Internet banking solutions use this type of tech ... it will probably be broken there before WoW.
ropax Jun 26th 2008 3:09PM
Right, but if you get the seed you still have to get synced with the Ace server so it's not all about the seed. The Token generator would also be deactivated once it's found to be missing, which would render the seed useless anyway.
Chip Jun 27th 2008 4:17PM
Each fob has its own seed. Even if you bought one and were able to extract the key without destroying the device AND somehow sync it up with the server, you've only managed to crack THAT fob. Everybody else's fob has a different seed.
So with this device, it's effectively impossible for somebody to hack your account without physically possessing the password fob. The only potential avenue of attack is for somebody who has your account and PW to claim the fob was lost or broken, and have the security authorization disabled on your account. As long as Bliz has a really secure way to control this, then the whole system is as secure as you can reasonably get.
Heck yeah I'll get one.
HalcyonGT Jun 26th 2008 2:32PM
This is awesome!
Speaking from the standpoint of someone whose account was compromised 2 months ago, I will most certainly purchase one.
Jordan Jun 26th 2008 2:34PM
I am not paying for Blizzard's protection -- the truth is, if someone gets hacked, Blizzard employees spend time restoring it.
JPN Jun 26th 2008 2:56PM
When I got hacked, I didn't get any gold back, and definitely some of my bank stuff. You will NOT get full restitution. It sucks. And unless you keep a full inventory of what you have somehow (which I never did, and I had 150 items + in my bank) you won't know what you're missing.
I kind of agree though - I have to pay more for their inability to secure their network? Why am I paying for THEIR problem? Rock and a hard place....
Aigarius Jun 26th 2008 3:07PM
Actually, there is no way an account is being hacked due to Blizzard's fault. Their servers and networks are very secure. In all cases that are known, the fault was at the user side - insecure usernames and passwords, viruses and keyloggers, same password used on untrusted sites, not using a secure operating system (Linux plug :)), ...
If your account is haxored, it is not Blizzard's fault, it is your fault. Be grateful if they help you when they can.
Aravan Jun 26th 2008 3:08PM
"I kind of agree though - I have to pay more for their inability to secure their network? Why am I paying for THEIR problem? Rock and a hard place...."
Actually, you're paying for your inability to secure your computer. I haven't heard of one instance of a successful attack on Blizzard's system. If your account gets hacked, it typically has arisen from a flub on your end (keylogger, trojan, etc.).
Faar Jun 26th 2008 2:37PM
If Blizzard is actually serious about wanting to stop account theft rather than just pay lip-service they should mail these out to all their customers free of charge, not charging $6.50 for it.
Balloondoggies Jun 26th 2008 2:41PM
So you want Blizz to pay for someone's ignorance on how to properly protect themselves?
If the US Gov wanted to protect everyone, they should mail a free Taser to everyone who pays taxes.