The truth about Authenticators [Updated]
After getting a glimpse into the operations and motivations of a scammer, a lot of questions have arisen about the Authenticator. Can it be circumvented? Briefly, and with your help, yes. Is having an Authenticator worth the hassle? Absolutely. These are just quick answers, and this is a topic worthy of more in-depth questions and long answers.
What is the Authenticator?
The Authenticator is a small device (pictured right) or an iPhone/iPod Touch app that can be tied to your account and provide an extra layer of security. The application is free, but the physical Authenticator costs $6.50 with free shipping in the U.S. They are also available in other countries.
How does it work?
The Authenticator generates a code that you must enter, after your username and password, when logging into WoW or when accessing your account management screens. The code is a one-use code that is valid only for a limited time, but that time is longer than the code is displayed on the Authenticator: a new code is generated every few seconds, yet an unused code remains valid for longer than that (I'm not sure how long). For more details about how the Authenticator works, please read our interview with Blizzard.
The scammer said he could get around the Authenticator.
Yes, he did. He said he could get around it once by obtaining a code through his phishing site; he would then have to spend that code either on changing the password or as a one-time login to get your valuables and leave. He also said that he hadn't tested this yet, because after hacking into 50 accounts, none of them had Authenticators. His theory is that people have stopped using them because the hacking rate has gone down.
But you don't need Captain Obvious to tell you that the scammer wasn't being completely forthcoming here. First of all, he would have to know whether or not you have an Authenticator on your account before sending you the link. When you log into Blizzard Account Management, you have to enter an authenticator code only if you have one attached to your account, so the standard phishing link doesn't ask for one. But let's say he did know, sent you the appropriate code-stealing phishing link and got a code from you. If he spent that one code on changing your password, he wouldn't be able to use it to log in to the game. Also, he would need two consecutive codes to remove the Authenticator from your account, for a total of three codes, since he would need to spend one code on logging into Account Management. Therefore, one code would allow him one game login only, and he'd have to get his "business" done quickly before you tried to log in again, kicking him off.
Update: Some commenters' remarks prompted me to test Blizzard's one-use claim further. Here are the results:
- It is one use per account, so if you have the same authenticator on multiple accounts, you can use the same code on each account before it expires.
- It is one use per kind of login: if you use a code to log in to WoW and then try the same code again before it expires, it will not work the second time.
- It is not one use per account across different types of login. This would allow the scammer, if he is quick enough, to use the same code (along with your password) to log in to your account management and to your game account at the same time. Once there, however, he will still not be able to remove the authenticator from your account, for the reasons stated above.
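As an added illustration (not part of the original post), the following Python models the one-use rules the update describes: a server-side verifier that records spent codes keyed either per account and login type (the behaviour observed above) or per account only (the stricter policy that would close the gap in the last bullet). The code-generation step uses the standard HMAC-based TOTP construction as a stand-in; Blizzard's actual algorithm, step length, code length and grace window are not described on the page, and the values here are assumptions.

```python
import hashlib, hmac, struct

STEP = 30    # seconds per code (assumption; the post only says "every few seconds")
WINDOW = 2   # earlier steps still accepted (assumption: models "valid for longer than it lasts")
DIGITS = 6   # assumption; stand-in for the real device's code length


def totp(secret: bytes, step: int) -> str:
    """HMAC-SHA1 one-time code for one time step (RFC 6238 construction, used as a stand-in)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class CodeVerifier:   # server-side check: time window plus a record of spent codes (replay protection)
    def __init__(self, secret: bytes, per_login_type: bool):
        self.secret = secret
        self.per_login_type = per_login_type   # True models the behaviour described in the update
        self.spent = set()

    def verify(self, account: str, login_type: str, code: str, now: int) -> bool:
        current = now // STEP
        for step in range(current, current - WINDOW - 1, -1):   # current step and WINDOW earlier ones
            if hmac.compare_digest(totp(self.secret, step), code):
                key = (account, login_type, step) if self.per_login_type else (account, step)
                if key in self.spent:
                    return False        # same code, same account (and login type): replay rejected
                self.spent.add(key)
                return True
        return False                    # no code in the window matched, or the code has aged out


def demo():
    secret = b"constructed-demo-seed"   # constructed; a real seed is provisioned per device
    t0 = 1_244_649_060                  # constructed timestamp, aligned to a step boundary
    code = totp(secret, t0 // STEP)
    observed = CodeVerifier(secret, per_login_type=True)
    results = {
        "game_first": observed.verify("acct-A", "game", code, t0),           # True
        "game_replay": observed.verify("acct-A", "game", code, t0 + 5),      # False: one use per login type
        "mgmt_same_code": observed.verify("acct-A", "mgmt", code, t0 + 5),   # True: the gap the update describes
        "other_account": observed.verify("acct-B", "game", code, t0 + 5),    # True: same device on a second account
        "next_step": CodeVerifier(secret, True).verify("acct-A", "game", code, t0 + 35),   # True: grace window
        "aged_out": CodeVerifier(secret, True).verify("acct-A", "game", code, t0 + 90),    # False
    }
    strict = CodeVerifier(secret, per_login_type=False)
    results["strict_game"] = strict.verify("acct-A", "game", code, t0)       # True
    results["strict_mgmt"] = strict.verify("acct-A", "mgmt", code, t0 + 5)   # False: one use per account, any login type
    return results
```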
I really, really don't want to discourage anyone from getting an Authenticator, but I must admit, they are a pain to use. You have to have it with you when you log in. If you forget it at home, then your laptop is useless for playing WoW while you are traveling. If you keep it on your keychain or it's a phone app, then you have to have those nearby before you get comfy for your gaming session. I am also constantly entering my code as my password and then having to start the login all over again. But I still won't stop using it. It really is a minor inconvenience compared to the hassle involved with getting my account hacked. Yes, I practice safe computing, but I also make mistakes. We all do. Most of us have to use multiple keys to get into our homes, and this is really similar. The added ickiness is well worth the peace of mind.
OK, I'm sold. Where can I get one?
Well, I have bad news if you are in the U.S. and don't have an iPhone or iPod Touch: they are currently sold out... again. And when they are in stock, they go quickly. But Blizzard is working on apps for other cellphones and does get more Authenticators in periodically. Here are the appropriate links:
- U.S. Authenticator
- Canada, Australia, New Zealand and Latin America
- Europe
- iTunes App Store (this link launches iTunes)
Be careful out there!
Filed under: Account Security, Analysis / Opinion
Reader Comments (Page 1 of 5)
Arlen Jun 10th 2009 4:11PM
The scammer doesn't need to know if you have an authenticator before he sends the phishing link. He can have a box under the username/password boxes and say to only enter the authenticator code if you have one.
If people are falling for the phish, chances are they won't think twice about the authenticator code box being there even though they don't have an authenticator attached to their account.
Caz Jun 10th 2009 4:58PM
The person who has an authenticator and falls for this is a moron - you can't "have box under the username/password boxes and say to only enter the authenticator code if you have one" because the screen where you enter your authenticator code only comes up after your username and password have been entered. You put in the username, password, hit 'log on' and then a new window pops up for the authenticator code.
Anyone who uses the authenticator would have to be superbly foolish to fall for the scam of having them on the same login screen.
Farrell Jun 10th 2009 5:42PM
A more authentic way would be for the site where the victim enters their details to send those same details to an actual Blizzard account management site, and if it is prompted for the auth code, then ask for it.
This would be done by code, so the victim wouldn't know it was done.
It wouldn't be too hard to do, just need some http parsing by the server code to know what to look for in each case.
This way, it would also be possible to prompt a victim for the correct log in details [uname/pwd] if they entered them incorrectly.
PeeWee Jun 10th 2009 8:25PM
"Anyone who uses the authenticator would have to be superbly foolish to fall for the scam of having them on the same login screen."
If they have come as far as even seeing this phishing screen, don't you think a small detail like this will just be ignored? I mean, to get this far, you have to be seriously mentally challenged.
Arsyn Jun 10th 2009 4:13PM
I have an authenticator and I love it. I've forgotten it a couple of times at home or whatever, but it's OK; either way I'd rather have that happen than get my account hacked and lose everything. In the end I think the authenticator is great, definitely worth the $7.
badjoke Jun 10th 2009 4:27PM
Try this!:
http://en.wikipedia.org/wiki/Punctuation
jfofla Jun 10th 2009 4:13PM
Yeah Authenticators are such a hassle, why use them when the hacking seems to be less?
Yeah Condoms are such a hassle, why use them when the cases of AIDS seems to be less?
Point made?
theRaptor Jun 10th 2009 4:24PM
Better idea: Stop having sex with random strangers.
Condoms are only 99% effective. After enough exposures the probability of infection approaches certainty.
The same holds true for computer security. Don't install untrusted software. Stay fully patched. Run AV software and firewalls. Know what processes normally run. Don't visit dodgy sites. Disable JavaScript and Flash by default. Always enter secure URLs by hand or from a bookmark.
Bubsa Jun 10th 2009 4:21PM
The only way you could have made this analogy appear to be even more idiotic is if you rallied up a Hitler/Holocaust comparison.
Amberm Jun 10th 2009 4:31PM
Because AIDS and hacking are so on the same level? Point made? Ummm magic 8 ball says no.
mike Jun 10th 2009 4:50PM
As if your comment wasn't disgraced enough: condoms are 99% effective at preventing pregnancy; a correctly used condom is 100% effective at stopping the contraction of AIDS. Correctly used also implies you're not putting yourself in harm's way by other means.
Christoffer Jun 10th 2009 5:38PM
@theRaptor and Amberm
Between the two of you, probably the one who really needs the Authenticator is Amberm. Raptor is right, disable disable disable! The only other way to be safe from the internet is to not plug in your computer at all!
And yes, comparing sexually transmitted diseases to viruses is completely accepted. Your computer is basically open to the web sites you visit.. your computer is a tramp on the corner of the street, waiting for his/her next hit!
themightysven Jun 10th 2009 7:28PM
@theRaptor
Your econometric-fu is weak and shameful.
You assume that each use of a condom is related to all previous uses, but each is an individual event (ignoring extraneous factors such as cycle and randiness),
like if you had to draw a single red marble from a bag containing 99 blue marbles, then try again with a different bag. (Or, if you ran Mr. Rivendare for his horsey
Delox Jun 10th 2009 7:30PM
@theRaptor
"Condoms are only 99% effective. After enough exposures the probability of infection approaches certainty."
Your logic is flawed my friend. The probability of infection is the same regardless of the number of times you've had sex, and it is much lower than 1 in 100. Assuming you're not sleeping with workers of the red light district, odds are your partner does not have an STI. This means that the majority of the time, your odds for getting infected are exactly 0.
Furthermore, if you drop $300 on an "escort," and he/she is infected, your odds of *exposure* are 1%. If you sleep with the same person twice, each time, you only have a 1% chance. The odds you get infected never increases, therefore it cannot approach certainty.
Amaxe Jun 10th 2009 8:10PM
I think the "condom analogy" is a stupid one for an authenticator. If you have a keylogger or a phishing site you access, I suspect even an authenticator with a 99.999% security rate could be worthless. Blizz seems naive about security sometimes. For example, when I converted to a battle.net account I used my common email. Learning that was stupid, I changed it to a new email created solely for WoW. It changed it quickly, and only a few hours later I got a "Your email address has changed" on my old email. Enough time for a hacker to loot it blind before I knew if it was someone else who did it. Knowing this, I wouldn't be surprised if a hacker could exploit a "Um, dude, i lost my authenticator."
I hope Blizz is better with authenticators though than with Battle.net
Zack Jun 11th 2009 5:42PM
While each individual event has a 1% chance of happening, over the course of everything happening, the odds of it having happened in any of the attempts prior goes up. The fallacy is when people do this additively, not when people do this at all. So in the red marble / blue marble example, after 100 bags, the 101st bag as an individual event, you have a 1% chance at grabbing it, however, at the 101st bag, you have a much higher chance of having seen a red marble than 1% before that bag.
So with a condom having a 99% success rate, the odds of you getting an infection on each individual sexual encounter do not go up, however, after having sex 2000 times, the odds of you having an infection are much higher than 1%.
theRaptor Jun 10th 2009 4:14PM
And how hard is it for a phisher (this particular attack is phishing, not hacking) to get enough info to ring up Blizzard and say "my Authenticator broke /sadface please disable it on this account"? Most likely they are just going to ask for your full name, or address, or secret question, all things that any phishing site is likely to attempt to harvest.
Also, it wouldn't be hard to write a "keylogger" that intercepted login attempts and redirected the info to the bad guys instead of Blizzard. It would be easy to capture multiple 'good' authenticator codes via this method.
The reality of any type of security is that if what it is hiding is valuable it will be broken. Locks on doors don't stop burglars, they just make them look for the easier targets.
Tom Jun 10th 2009 4:18PM
Once an authenticator code is used, it can't be used again. So no, a keylogger which redirected the login to a badguy would not work at all.
That's the point.
theRaptor Jun 10th 2009 4:24PM
@Tom
"redirected the info to the bad guys instead of Blizzard"
The code is never used by the real user because the info is never sent to Blizzard. This is a "man in the middle" attack. The user just keeps seeing "authentication failed, try again" or "connecting" and is then dumped back at the login page.
Warden™ tries to prevent this stuff but it is a well known 'secret' that each version of Warden™ is disassembled and analyzed before the servers come back up on patchday.
Joline Jun 10th 2009 4:36PM
It is not as easy as you think to call Blizzard and ask to disable the authenticator. I was travelling for work and left mine at home. I called to get it disabled temporarily and they said the only way they could do that for me is with the identification number that is on the authenticator. (So if forgetting it when travelling is a risk, write that number down somewhere safe and bring it with you.)