Vasco, the digital security company that makes authenticators for Blizzard, has actually been at BlizzCon for a few years now (last year, they gave away yo-yos, and this year, they were responsible for all of those blue glowsticks floating around). But this is the first year we decided to stop by their booth and chat with them, and it's a good thing we did: Will LaSala, Director of Services, gave us a lot of good insight into how Vasco's relationship with Blizzard came about, just what the system behind the Authenticator looks like, and how the mobile authenticator app fits into all of this.
He was kind enough to give us a short interview, and you can read it right after the break.
How did the agreement with Blizzard come about? Did they come to you saying we need more account security, or how did it all begin with Vasco and Blizzard?
Vasco and Blizzard kind of mutually. We've been moving our security products into a lot of online spaces, because you're basically having all kinds of hacking and things like that. There were a lot of problems, and we saw a lot in the community as a World of Warcraft player myself. But mainly from Vasco's standpoint, we do it for our banks, we do it for a lot of online customers -- World of Warcraft, and Square Enix, and a couple of the other online games are a natural progression.
We've said on the site that my characters are more secure than my bank account. Obviously, it's advanced a lot since it first came out. When it first came out, they were selling them for six bucks, and now they've given them out at these conventions, there's a lot more of them today. Is it more of a licensing deal for Blizzard, or do you manufacture the units, or how does the deal work between you?
We manufacture the units, we sell them directly to Blizzard, Blizzard takes care of the pricing and everything like that, they take care of support of the devices, they take care of the installation, the service, everything of that nature. It's all Blizzard. We support Blizzard on that, but Blizzard does all the end-user support.
Do they code the Authentication in that?
They put it in the game, they do everything.
Ok, so when the authentication servers are down, that's Blizzard, not Vasco? Is that right?
That's exactly right. Absolutely. So the product on the backend is Vacman Controller, it's one of our key products, you'll see it right on our server pages and stuff like that, but once it becomes part of our customers' installation, it is theirs completely, so everything is Blizzard's, there is nothing from Vasco. Vasco didn't touch it, there was nothing to do with Vasco.
The other big advantage, obviously, is the mobile authenticator. Did Vasco have a part in that?
No, Vasco offers mobile authentication, but that is all Blizzard.
Ok, so that's another implementation thing where you said here's how you do it, and then they implemented the code, and sold the app, and did that kind of stuff.
Blizzard has been looking at mobile authentication with other mobile applications for a long time. Vasco's always had mobile authentication, it's one of our key products, but Blizzard chose to do it on their own, and they really investigated and built their own everything.
So there's no Vasco?
Not for the mobile authenticator stuff.
So if I use an authenticator, what technology of Vasco's is in there?
The hardware authenticators, that's all Vasco. We manufacture the devices, we provide the library for the backend.
The actual code that lets you in, that creates a code every second.
All it does is validate a password.
Validates a password, but it creates a code every second or something like that?
That's right, so our devices create a code every 30 seconds or so.
And it's an algorithm that matches up to an algorithm on the server. And then they check the authenticator that way and say yes, these are both from the same algorithm and then you're in to the thing.
All banks, everything use that, but basically yeah, it's real technical, you can see it on our website, everything of that nature. Basically, it's a matching algorithm, client generates a one-time password, server generates a one-time password, both match, you get in, that's right.
But Blizzard wrote the mobile authenticator program without any input from you, but it hooks up to your... it's a separate program that hooks up to your software?
I don't know anything about how they did the mobile stuff, I wasn't included in any of the discussion, so.
I thought it was all your code on both sides, and they had implemented the mobile program, but that's completely on their end, too. Cool. The last thing I had was just if there is anything in Battle.net that works with the Vasco authenticators? It seems like if Blizzard is doing mobile authenticators, they might be moving to take over the process itself.
I don't really have too many comments on the mobile authenticator, that is Blizzard's product, they built it themselves, it's completely theirs. But I mean, we still have a very large window of the devices with Blizzard, and we find that people still like them. I think right now there's something like six logos out there on six different Blizzard authenticators.
Yeah, there's all different kinds out there.
The original one, the BlizzCon one from the original year, the one in early spring, the BlizzCon one this year, the new Starcraft one.
There have been quite a few outages on the Blizzard Store as well -- can you give us any insight into why that is, are they just selling so quickly?
They sell very quickly. I don't know how much Blizzard can talk about that or what they talk about. From a Vasco standpoint, we manufacture a very large number of them for all kinds of places around the world. Again, retail banking is core for Vasco overseas, so everybody uses a Vasco device when you go overseas. Here in the US, it's core for banking, that's what we focus on here in the US. Online spaces, such as some of our other customers, those are just starting to bring it into retail, so hopefully we'll see some other stuff on there too.
So we'll see more of this same technology used on the characters elsewhere in the rest of the world.
Hopefully, that's our hope.
Great, thanks very much.