Authenticators sold out, for now

It looks like I'm not the only one keen on getting a shiny, new account authenticator. The Blizzard Store is currently marked as "Sold Out" on the product. Tyren posted on the General Discussion forum that it will be several weeks before they will be available for purchase once again.
I believe that those who have placed their orders are still slated to receive them, though I have received no word on my order. I ordered mine Tuesday morning, and the order status is currently sitting as processed. If they follow the shipping schedule in the email, the devices should be sent out at some point tomorrow. I'll give a full review once my token arrives at my doorstep.
Tyren also addressed the issue of releasing the authenticator in the US only. Apparently Blizzard is working on a solution to get the devices shipped overseas in the future. The US-only release was done to avoid delaying the authenticators to at least some of the customers. Blizzard has promised more details on international shipping as soon as they become available. I have heard that some folks have had guildies in the States purchase authenticators to later be shipped privately.
I'm kind of afraid that the authenticator is going to add an additional layer of hassle in addition to security. The product description states that the authenticator should last several years. I happen to be very good at losing things, like leaving my blackberry on my desk at work this afternoon (Good lookin' out, Pam!). I plan to tether it to my computer. I'm also concerned that there may be a hassle if I ever need to deactivate or replace the device.
It's, of course, not required that everyone purchase an authenticator. It is still important to use caution on the Internet, whether or not you buy one of these doohickeys. Using comprehensive internet hygiene will help to protect not just your WoW account, but other important records.
Update- Mine shipped out this morning.
Filed under: Blizzard, Hardware, Account Security






Reader Comments (Page 1 of 3)
Pandaman Jul 3rd 2008 7:14AM
I have my Authenticator from the WWI up and running, I have to say it causes no extra hassle. Log in only takes a few seconds more. Once you type in your password, the screen blacks out a little and a new field comes up asking for the token key. I would say, however, if you are the kind of person who plays from many locations, you are gonna need to have it on you at all times. And if you hate hassle don't lose it!!
Dringo Jul 3rd 2008 8:11AM
The only worse thing about these authenticators is that you never could buy them in the EU
(apart from WWI visitors).
It's kinda lame to announce and launch something without having more than a few hundreds of them - if they even had that much....
Zerbe Jul 3rd 2008 7:30AM
I was able to get an order in on Tuesday. No idea when I will get it though. It was in stock at the time.
Seprin Jul 4th 2008 9:59PM
I had ordered mine as soon as I saw it available on Blizzard's site.
I had checked later on the 30th and it had been shipped earlier that day.
I checked it today and it had another line and it said my money was refunded on the 3rd.
I'm taking this as mine wasn't shipped in the first place and I won't be getting one any time soon...lame
Lucas J Jul 3rd 2008 7:54AM
I managed to get one before they sold out... but still no word on my order either.
Rob Tippenhauer Jul 3rd 2008 7:54AM
Purchased 2 on the web on Saturday with overnight shipping and received it yesterday. The website still said processing so that really is no indication that it hasn't shipped. They work great!
Lucas Jul 3rd 2008 8:28AM
is the battery replaceable?
Rob Tippenhauer Jul 3rd 2008 9:51AM
Doesn't appear to allow the battery to be replaced, but you can get a new one and swap it out via a call to support. Again, they are only $6.50.
Mort Jul 3rd 2008 8:16AM
Okay, so problem 1:
These authenticators will be cracked in no more than 3 weeks, I suspect. Once they crack the algorithm the device is worthless. Back to square one, but thanks for giving Blizzard $6.50!
Time hashes are not a very complicated form of encryption. Blizzard could be working on other ways to make sure that people's accounts are safe but ultimately it's the fault of the user. People don't just stumble onto keyloggers.
There's a phrase for this, it's called security theater (see below)
http://en.wikipedia.org/wiki/Security_theater
skajake Jul 3rd 2008 8:29AM
I suggest you do some homework and read up on RSA token two factor authentication technology. I assure you it is not some simple time hash. Start here http://en.wikipedia.org/wiki/SecurID.
This technology has been in use at millions of banks, corporations, and government institutions for years.
I wouldn't be too worried about this getting hacked in 3 weeks over a little game.
fLUx Jul 3rd 2008 8:34AM
Do you even understand how they work? Doesn't seem like it to me...
Fizzl Jul 3rd 2008 8:35AM
So you're saying a system that has been in use by large corporations to guard their networks for several years is going to be cracked in 3 weeks because now it's guarding your WoW account?
Kyrra Jul 3rd 2008 9:46AM
@skajake
The Blizzard ones are not made by RSA. The RSA ones are 128-bit encrypted keys which are not exportable from the USA, while the ones that Blizzard is selling will be exportable (and are made in China).
These were already rolled out in China:
http://www.wowchina.com/topic/s-token/
It seems the USA-based ones are based on this:
http://www.vasco.com/products/product.html?product=70
http://eu.blizzard.com/wwi08/_images/photos/wwi08_034.jpg
They look similar to me.
Aigarius Jul 3rd 2008 10:00AM
@Kyrra
The assumption that strong cryptography can not be exported from US is a myth. That has not been true since the year 2000.
The tokens you mention use DES or 3DES encryption which is actually more secure than RSA.
Nijle Jul 3rd 2008 10:22AM
Ok Mort, I'm not sure what your background is on internet security but you don't sound very informed.
Let's ask a question here, what is the #1 way your account gets hacked? The answer is KEYLOGGERS. SecurID tokens do have vulnerabilities, and the #1 vulnerability to a SecurID two-factor authentication token is the man-in-the-middle type of attack. Since you are putting in a one time password and that gets logged, it will be utterly USELESS to a keylogger type of attack.
Man in the middle type of attacks work like this. You log into the game, it sends your username/password/ and one time 6 digit code out on to the internet. The "man in the middle" intercepts this data from you, then forwards the same info to the Blizzard servers. Now they are logged in as you. For this type of use (a video game) this also would be useless. Why? Well think about it. Let's say you are plugged into a network in a college dorm and some computer hacker geek type saw you playing WoW, saw your L33t gear and decided he wants to hack your account. He performs a man in the middle attack on you and logs into the game. In the meantime you have hit submit on the log-in page and are now waiting to log in. The client never gets the response from the authentication server and times out. He is running your toon to the bank intent on selling all your phat loot. You say, oh well let me try again and you submit again, this time you log in and he will be logged out. If he tries to use that 6 digit code you originally sent again it will not work as it will time out after about 60 seconds when the token code changes. Again the hacker fails, next time he'll just come steal your token off your desk :)
Let's say someone does know the algorithm that they use in the Blizzard tokens. Again even if they had your account password (from say a keylogger) they would still need to get the (typically 128bit) key associated to your token. This is only stored on the host server and inside the token and you will never be sending this key out over the internet. So when you send your login/password and 6 digit code to the server, the server knows which 128bit key is yours (from the username/password you sent) and plugs that into the time based algorithm to check if your 6 digit code was correct.
Please, unless you know what you are talking about, do not post crap like "oh these will be hacked in three weeks"; it really makes you sound dumb. Blizzard could not have picked a better layer of security to add to the game IMHO.
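The server-side check described in the comment above, sketched as an added example that is not part of the original comments and is not Blizzard's or the token vendor's algorithm: it substitutes the public HMAC-based scheme from RFC 4226/6238 with a 60-second step to show why a captured code cannot be replayed and why knowing the algorithm without the per-token key is not enough. The class, account name, keys and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds per code; the comment says codes change after about 60 s
DIGITS = 6

def code_at(key: bytes, t: float) -> str:
    """Six-digit code for the time step containing t (RFC 4226 truncation)."""
    counter = int(t) // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

class AuthServer:
    """Hypothetical login server holding one secret key per account."""
    def __init__(self):
        self.keys = {}       # account -> token key, never sent over the wire
        self.last_step = {}  # account -> newest time step already accepted

    def enroll(self, account: str, key: bytes) -> None:
        self.keys[account] = key

    def verify(self, account: str, code: str, now: float, drift: int = 1) -> bool:
        key = self.keys.get(account)
        if key is None:
            return False
        current = int(now) // STEP
        for step in range(current - drift, current + drift + 1):
            if step <= self.last_step.get(account, -1):
                continue  # this step's code was already spent: reject replays
            if hmac.compare_digest(code_at(key, step * STEP), code):
                self.last_step[account] = step
                return True
        return False

def demo():
    server = AuthServer()
    key = bytes(range(16))             # constructed 128-bit token key
    server.enroll("player", key)
    t0 = 1_215_080_000                 # constructed timestamp (July 2008)
    code = code_at(key, t0)
    return (
        server.verify("player", code, t0),                 # legitimate login
        server.verify("player", code, t0 + 5),             # keylogged code replayed
        server.verify("player", code, t0 + 10 * STEP),     # same code, minutes later
        server.verify("player", code_at(b"\x00" * 16, t0 + STEP), t0 + STEP),  # right algorithm, wrong key
        server.verify("player", code_at(key, t0 + STEP), t0 + STEP),           # next fresh code
    )
```

`demo()` returns the outcome of each attempt in order; only the first use of a code and the next fresh code from the real key are accepted.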
Verit Jul 3rd 2008 1:36PM
These authenticators are based on OTP (one time pad) security - which is entirely unbreakable.
It's not an algorithm that generates the number - it's a huge list that's associated with the key itself. Your key has this list, and the server does too. Even if you had both lists it would be near impossible to figure out which point the key and the server were at.
Anyhow each time a number is used - it's crossed off both lists - never used again.
Quickshiv Jul 24th 2008 3:53PM
Thank you Mort who has no idea how secure tokens work. I wish people would stop reposting this same ludicrous idea that "dis will be h4x0rd in 3 weeks l0Lz".
These types of algorithms aren't broken ever. You have 1 piece of the key and no way to tell if you are getting a right answer.
How encryption breaking works is you know what's in and what comes out.
Example: I encrypt a file that consists of 123 and it comes out 321. I know it is supposed to be 123 so I build a ton of encrypted files and try to figure out the correlation between my unencrypted file and the encrypted file.
With a security key you have a random seed + some form of time + wacky algorithm = random number. Even if you spent say a year writing down every number that came out of your token you would have 525,948 sample numbers to try to find a correlation between and even if you somehow figured it out you would have 1 token cracked because you still don't know what the random seed is. You would still have to separate the seed from the algorithm.
But let's say you did that. Through some kind of l337 h4x0r skills some guy with no life has figured out the algorithm. Let's say he reverse engineered the device because that would be easier than using brute force math but still nearly impossible. OK, now we're talking, we can get right in and steal everyone's accounts, right? WRONG, you still have to figure out what the person's random seed is to plug into your newly H4x0rd super l337 code. How are you going to do that? Well now you have to write something that reverses the random 6 numbers back into the 128bit hash. This is going to be darn near impossible because there are multiple 128bit possibilities for your 6 digit code. And when I say multiple I mean thousands probably millions. We're talking 128^64th possibilities or more for the hash and you have to figure out which one it is. By the time you got enough samples of the 6 digit code from keylogging say at best 4 per day your grandchildren would most likely be dead.
Kintaro Jul 3rd 2008 8:17AM
I haven't bought one yet but it looks like a good idea to counter keyloggers and trojans. So i will probably get my hands on one soon.
Michael Jul 3rd 2008 8:29AM
I ordered mine Monday night and I still have "Processed" as well. I just hope they honor the fact that we ordered them before they were listed as "Sold Out".
nosedive51 Jul 3rd 2008 8:33AM
So not only are they selling us locks to the house we already paid for but now they're out of those locks.
Nice.