Authenticators to be optional for the Forums and Armory
Many of the people who are actually allowed to surf the official World of Warcraft forums were a little unhappy with the change to Battle.net accounts, simply because it meant that if you had an authenticator attached to your account, you now had to use that authenticator to log onto the forums, which wasn't needed before. Even if you're allowed to surf at work, and even if the authenticator has a ring on it so it can be attached to your keys, not everyone feels comfortable carrying that thing around all of the time. You lose it, you're out of luck for a while.
The other day, Bornakk announced some good news that I think a lot of those individuals may have missed: They've temporarily removed the requirement to use an authenticator for the forums and the Armory. In the future, they'll be making this feature optional. You'll be able to choose whether or not you want to use the authenticator on the forums.
Why would you want to do that? Well, if your account uses an authenticator, it's going to keep keyloggers and hackers/scammers from stealing your account or characters, but if the authenticator isn't attached to your account on the forums, your forum account can still be used for spamming keylogger links, since all that's needed there is your password. If you have your authenticator turned off, it's going to do a whole load of nothing to stop that from happening.
It's nice that it will be optional, but if you frequent the WoW forums and don't plan on using your authenticator there, keep in mind that you'll still want to be very careful about where you surf and what you click if forum access is something you enjoy having. In my experience, the forum mods are much less forgiving and not nearly as quick to respond as the in-game GM team.
Filed under: Analysis / Opinion, Blizzard, Account Security






Reader Comments (Page 1 of 1)
NoTomorrow Mar 25th 2009 7:36PM
Wonderful.
Now where the h3ll is my mobile authenticator for ipod/iphone?
WraithgarScartoth Mar 25th 2009 7:57PM
Yeah, I am waiting for that download as well for the US.
lbizzle Mar 25th 2009 8:28PM
I would imagine that if a software solution was released, it would be reverse engineered to make the authenticators worthless in hours.
SaintStryfe Mar 25th 2009 10:05PM
I doubt. Nothing else on the iPhone has been hacked yet, and it's built on Mac OS X, which is a secure platform. Even then, someone would need your base code (note, anyone with an authenticator has the sticker on the back which has that base code), the right algorithm plus your password (note to self: keep changing passwords frequently).
Alexander Mar 25th 2009 11:34PM
Nope, nothing on the iPhone has been hacked, except everything.
steve Mar 26th 2009 8:20AM
The way the keyfobs work (and the soft tokens, e.g. an iPhone authenticator) is they are loaded with a unique "seed" (e.g. a very long randomly generated number); they use an algorithm that combines the seed with the current time to produce the (in this case) six-digit code you type into the authenticator box. So hacking or reverse engineering the authenticator app only gets you so far. You still need to know the unique seed loaded on the phone and the user id/password the authenticator is associated with. If you somehow have a large number of login samples (user id, password, and authenticator id) it may be possible to brute-force reverse engineer the unique seed, but these things are designed so that you'd need to capture a couple hundred or thousand years' worth of logins to do it.
The idea here isn't that these things are uncrackable, but rather that you have to do it user account by user account, which isn't worth the hassle. I'm imagining something like a keylogger on my PC and a keylogger on my cellphone, owned by the same group of hackers, who are then correlating those two streams of data.
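Editor's added example (not part of the comment above, and not Blizzard's actual algorithm): the seed-plus-current-time scheme steve describes, sketched with the public RFC 6238 TOTP construction as a stand-in. The 30-second step, HMAC-SHA1 and both seeds are assumptions; the seeds are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step (the RFC 6238 default)
DIGITS = 6          # the comment describes a six-digit code


def totp(seed: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then truncate."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(seed: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus a small clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(seed, unix_time + step * STEP_SECONDS)
        # Constant-time comparison of the two digit strings.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


# Constructed sample seeds; SEED_A is the published RFC 6238 test key.
SEED_A = b"12345678901234567890"
SEED_B = b"09876543210987654321"

if __name__ == "__main__":
    now = 1111111109
    code = totp(SEED_A, now)
    print("token A:", code)
    # Knowing the algorithm is not enough: another seed gives another code.
    print("same algorithm, other seed:", totp(SEED_B, now))
    print("accepted now:", verify(SEED_A, code, now))
    # A captured code stops working once its time window has passed.
    print("replayed 5 minutes later:", verify(SEED_A, code, now + 300))
```

None of this applies to a login that asks only for the password, which is the forum case the article describes.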
Fred Mar 25th 2009 8:25PM
I'm still trying to get an authenticator. They're always sold out and I refuse to buy one from those ebay losers who sell them at a 500% mark up. They need to implement some kind of limit on how many you can buy.
aellas Mar 25th 2009 8:56PM
There is a limit, at least there was when I looked into buying one.
Ringo Mar 25th 2009 8:47PM
I was keeping my authenticator on my key chain (along with the workshop key, etc.) until last weekend when the button became stuck down. A little delicate surgery got it to pop back out but now it stays home. They're a little too flimsy to carry around all day I guess...
Brian Mar 25th 2009 9:56PM
(Captain Obvious) What a foolish decision. This makes the authenticator useless! You'll still be typing in your password when you visit the forum.
Vultrin Mar 26th 2009 8:02AM
This feature will save me, because I don't have the authenticator with me. As for the iPod/iPhone: it has been hacked BY CORD, not cordless. So where is the difference with the authenticator? It is still an unhacked device. So where is your point, mate?
FireStar Mar 26th 2009 9:34AM
I'm so happy!!! No longer do I have to wait until I get home to realize that Naxx started at 5 instead of 6! I don't wanna keep the authenticator with me at all times 'cause I don't keep my keys by my computer.
Steve Mar 28th 2009 2:14PM
Was just hacked about three weeks ago and got burned badly. Get some freaking Authenticators in the store... please! I can't pay the $50 for one on eBay, and I'm suspicious of ones from external sources anyway. Please get some stock!