7-25-2008 @ 12:07AM
I have a noob question about the authenticator. If a keylogger logs your username, password, AND the key (or 2+ keys from multiple loggings) you put in from the authenticator (I'm assuming a keylogging program can log that, too, as you have to type it in), can the hacker then gain access to your account?
7-25-2008 @ 7:43AM
Only if they log on within the minute or so that the particular code key is valid.
7-25-2008 @ 7:45AM
The thing about the Authenticator is that the six numbers that appear on the screen are not always consistent. They sync up numbers in a Blizzard database somewhere and refresh on a regular basis. I haven't sat down with mine and watched it to see how long, but I'm guessing that the number remains current for about thirty seconds or so.
So, even if a keylogger somehow manages to capture all of that information -- username, password, and the six-digit Authenticator number -- it would only be current until the number was refreshed. Unless the potential account thieves immediately got that information and then used it, they would find the Authenticator number out of date.
I also discovered that the Authenticator ties into accessing my account information on the official World of Warcraft website. I tried to log in from a computer other than my own (next to which sits my Authenticator) and found that I couldn't log in without that number on hand. Assuming that the Authenticator remains tied to my account, that's pretty good!
7-25-2008 @ 7:27PM
Short answer is no, even if someone keylogs a few dozen or hundred of your auth codes, that won't help them log into your account.
The code is generated using a big ol' random number stored on a chip inside the BA, and a time value generated when you push the button. The time value changes at fairly short intervals, usually 30 seconds or one minute. The code you generated five minutes ago is no longer valid. In addition, once a code is used, it's disabled for the rest of that time cycle. If I use 123456 to log in, and some hacker grabs that code and immediately tries to use it to break into my account, the authentication server won't take it because it's already been used.
The code generation algorithm is one way - even if you have the end code and you know all of the steps involved in the process, you can't reverse them to figure out the starting numbers. The analogy security people like to use is a meat grinder. You can drop a hunk of beef into a grinder and turn it into hamburger, but you can't turn the hamburger back into ground beef no matter what you do.