Blizzard giving serious consideration to mandatory authenticators

This response is a direct effort to stop the massive number of compromised accounts by gold sellers and keyloggers. The seriousness of the situation with compromised accounts has reached such a level that wait times for item and character restoration are entirely unacceptable, even to Blizzard executives. Blizzard has taken other internal measures to deal with long wait times of people in account restoration queues, and we'll be covering those measures tomorrow.
Making authenticators mandatory, however, should solve a major problem for Blizzard's support and account administration teams.
The number of compromised accounts under the mandatory authenticator plan should plummet, if not be virtually eliminated, and players should be able to enjoy a much more secure gaming experience. While some might have a hard time with the transition, Blizzard can provide excellent support in getting all of their 11.5 million players up to speed. Indeed, we have already seen some incentive programs appear; the price of authenticators has dropped recently thanks to free shipping, and we are now rewarded with an in-game pet for having an authenticator attached to our accounts.
A few months ago we postulated such an idea as one of our Breakfast Topics. In Why Blizzard should make authenticators mandatory, player reaction was mixed. Some saw it as a great opportunity to eliminate compromised accounts, others thought it would be an unnecessary money grabbing scheme by Blizzard.
Perhaps the best option put forth by commenters on WoW.com was to make the authenticators mandatory with Cataclysm. Many people agreed with this, and it will be interesting to see how Blizzard rolls out their mandatory authenticator system.
The downside of this plan is a serious logistics problem: Blizzard can barely keep authenticators in stock now. They have yet to prove that they have the capacity to distribute them to millions of additional players. We are currently investigating this issue and will report back once we have more information to share.
We do not know if authenticators will be mandatory on just WoW accounts or on any Battle.net account.
Filed under: Blizzard, News items, Account Security
Reader Comments (Page 4 of 20)
dawnseven Jan 8th 2010 8:52AM
@Paul
Good point. It would be nice if they just sold the authenticators in stores. If they can do retail distribution of the games, they should be able to distribute authenticators. It would have been so much easier to just order one off Amazon or run into a Best Buy or Gamestop or something when I wanted one rather than have to camp the Blizz store because they wouldn't take a backorder when they were out of stock. Stores could just stock the things with gaming accessories.
staffan.johansson Jan 8th 2010 9:09AM
@Paul: I strongly suspect that by the time Cataclysm is released (or possibly somewhat sooner, just like the 4.0 patch will likely be released about a month before Cata), they will release a new edition of Vanilla that comes pre-patched. Given that pretty much the whole of Azeroth is changing to some degree, most of what's on the current vanilla CDs/DVDs will be useless, and I know that if I bought a new cool game and then had to wait while my computer downloaded 10 GB worth of patching, I might just decide it's not worth the hassle.
And if they do release a "WoW revised", it will likely come with an authenticator.
paul Jan 8th 2010 4:58PM
@staffan
Good point, never thought about that :/
In fact, now that I do think about it, I think this will very likely be the case.
Radioted Jan 8th 2010 1:00AM
Everyone in my guild is probably getting one soon after our GM got hacked.
Meanwhile, seems to me the best thing to do would be to include one in the Cataclysm box, if they feel they can wait that long. If not, they should credit you the cost in game time.
flawless Jan 8th 2010 5:22AM
Similar to our guild. We recently had a second Officer compromised, so now Authenticators are mandatory for all raid members and above (casuals are not required to have one).
This not only prevents loss of items, but loss of raid team members - sure, it's a pain when you lose your gear and have to wait to get it back, but when your main raid tank is out of action for two weeks you're taking a huge hit on progression.
Allison Robert Jan 8th 2010 6:42AM
My guild is considering the same policy. We've had two members hacked recently, and one of them was one of our two offtanks with the highly specific +block set needed for heroic Anub-25 adds, which wound up being a bit of a problem, as you might expect.
dawnseven Jan 8th 2010 8:54AM
We've had the same policy for 6 months or so now. All guild officers must have and use an authenticator on their accounts.
Bronwyn Jan 8th 2010 1:01AM
If in fact they DO make the authenticators mandatory (which I'm not really in favor of, but I have one already so I would live with it), they sure as shit BETTER include them with Cataclysm- at least that would make it easier to switch over, if you are required to have it with Cata and it comes included.
I can sort of see why they would do it, but at the same time making authenticators required seems to me like it might spell trouble in that now the hackers will have that much more motivation to start figuring out how to bypass the authenticator, which I think is *not* so great. Right now they certainly seem un-hackable but I also know that people are pretty ingenious and that WoW accounts are a *really* hot commodity. So who knows.
tutti Jan 8th 2010 3:46AM
There are two ways to bypass the authenticator.
The first is that the hacker gets the player to enter the code from the authenticator into a webpage form or something, and then uses it immediately to log in, before the player does, and before the code expires (which I believe takes a minute). If the player logs in after that, the hacker gets thrown out of the account, and cannot log in again. To completely take the account this way, they need to log into account management, and then get the serial number of the authenticator.
The second is that the hacker gets enough information from the player to pretend to be him/her, "recovering" the account. In the few cases this could actually happen, the player will usually send the same data to Blizzard, causing them to permanently close the account as they can't positively decide whose account it is (this has happened before).
If authenticators are made mandatory, it will definitely drastically cut down on hacks. It's likely that either of these cases will happen at some point, but they'll be rare enough to be quite noteworthy when they do happen, and in the case of the first way up there the account should be pretty easy and fast to recover, as Blizzard won't have a long queue of these issues.
Janaa Jan 8th 2010 4:51AM
First - Knowing the serial number will not allow you to figure out the authentication code. The serial numbers are sequential, and have nothing at all to do with the code generated by the authenticator. The serial is purely to register that authenticator against a database at Blizzard, and THEY (Blizzard) have the seed values, which are different for each authenticator. Your authenticator itself doesn't even know its own serial number. All it needs is its specific internal seed value, which it then applies an algorithm to. (Seed + algorithm * time = displayed code - only blizz and your authenticator know the seed on your specific authenticator). The worst they could do with your authenticator code in a single login is change your payment method, or cancel your account (easily un-done). Sure, they could go to battle.net and read your CD KEYS for your other games attached to your battle.net account, but these are useless to them, as they're already associated to your account. SO NO. YOUR FEARMONGERING IS ILL-INFORMED AND WRONG.
Secondly - No matter how much information they get from you, Blizzard won't remove your authenticator or change it, until you call them up and give them the answer to your secret question over the phone. In order for someone to get all your details and call Blizzard, they would have to not only find out your real name and email address, they'd also have to get your answer to your secret question, and get your credit card number, AND they'd need access to your email account to intercept reset emails. Simply accessing your wow account won't give them any of this info. And someone would have to be seriously densely retarded to give all that info to someone on the net. Such an account wouldn't be worth stealing, unless you LIKE level 14 pallys dressed in cloth and lost in Burning Steppes, with a destroyed hearthstone. And even if they DID manage to do all that, and got the password changed, then they'd need ANOTHER authenticator code from you for a zero-time login. SO NO. YOUR FEARMONGERING IS ILL-INFORMED AND WRONG.
The only scenario that WILL occur, is zero-time trojans logging authenticator codes in real time when you log in, then them logging in, and as rapidly as possible transferring as much gold out of your account to another toon as quickly as they can. Presuming you're too stupid to just log back into the account once you're booted. However this is easily fixed.
Janaa Jan 8th 2010 5:16AM
@Bronwyn - If you think they're "not that great", you should read up on how they work. :)
In short - there's a long seed value to which an algorithm is applied, along with the variable of time since the device was powered up, which results in a 6-digit number.
Now, to explain how awesome these devices are, we'll take out the time consideration from the equation. Pretend it was just the seed value and algorithm. As there are only 1 million possible authenticator codes (based on a 6-digit physical rather than an 8-digit iphone-based authenticator), different seed codes can produce the same authenticator code at the same time, against the algorithm.
However, you can't guess these. You have a 1-in-a-million chance of getting it right. Theoretically, you could create a huge table with every possible seed value (which, say it's just a 32-bit seed code, would result in 4228250625 different combinations (that's slightly more than Excel can handle, but I digress)). But let's say theoretically it was possible. Clearly, 1 million goes into that many times over, so simply knowing the value the authenticator gives at a certain time, you'd still have no way of determining which of the millions of possible seeds that gave that result from the algorithm.
So, you'd need to keep pressing the authenticator sequentially, and expand your 4-billion-line table to keep track of what happens for each of those seeds at each sequential press. And THEN, that would give you the seed code for the authenticator you're currently holding in your hand. And no other. Useless info. Unless you could somehow convince your target to keep pressing the button every 30 seconds AND feed you the code, at least 40 times in a row. And then compare that to your imaginary 4 billion row, 40 column (16913002500 cells) spreadsheet.
And now let's throw time back into the equation. The algorithm starts working from the time the device is first powered on. There's an internal clock, ticking over every 30 seconds or so. It consumes very little power, giving your authenticator a good 3-4 year battery life before it needs replacing (the entire authenticator, not just that battery). There's no way for the hacker to know the time the device YOU have, was powered up.
So even if they *did* manage to convince you to press your authenticator button every 30 seconds for 20 minutes, *and* you somehow fed the hacker this number each time, *and* they had the necessary 16-billion cell spreadsheet, they'd now need to multiply the results for every 30 second segment of time since authenticators first began being produced.
For the example, we'll pretend they've only been around 2 years. That's 2102400 (2 per minute, 60 per hour, 24 hours a day, 365 days a year, for 2 years) possible segments of time the device was powered up. So, now, take your 16-billion cell spreadsheet and add a z-table, with 2102400 variations. These super hackers are somehow maintaining a 35,557,896,456,000,000 cell spreadsheet. That's 35 quadrillion, 557 trillion, 896 billion, 456 million cells. I think they probably have enough money that your WoW account is small peanuts to them. ;)
And if theoretically, they managed to pull all this off.. THEY CAN HAZ UR GOLD!
TL;DR version: Naw, they're unhackable.
Janaa Jan 8th 2010 5:23AM
Aww.. and after all that, I made a mistake on the maths. I multiplied the 4 billion by 4 not 40. So it's 160 billion cells, not 16 billion. And 355 quadrillion variations taking into account the time z-table, not 35 quadrillion. Though really, it's hardly important. :)
Janaa Jan 8th 2010 5:27AM
DISCLAIMER: Note, this only applies to physical authenticators. For the digital ones, the serial number is the seed.
zappo Jan 8th 2010 10:11AM
"TL;DR version: Naw, they're unhackable."
Incorrect, they can be bypassed by keyloggers. If a keylogger watches you input your password to the game, then captures the code as you type it, it's possible for the keylogger to send information before you do. Quite likely as human reaction time is pretty slow, and you will probably be putting down the authenticator before pressing any more buttons. Some banks with hardware devices like these are already seeing this sort of activity.
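As an added example (not from the article, any commenter, or Blizzard, and not Blizzard's actual algorithm), the seed-plus-time scheme Janaa describes written as an RFC 6238 TOTP generator, together with a server-side check that accepts each code only once per time slot, which is the usual mitigation for the real-time code capture zappo describes. The seed is a constructed sample value (the RFC 6238 test seed); the 30-second step and 6-digit output follow the comments.

```python
import hmac
import hashlib
import struct

# Constructed sample seed (the RFC 6238 test-vector seed, "12345678901234567890").
# A real device's seed is secret and never leaves the token or the server.
SEED = b"12345678901234567890"
STEP = 30    # seconds per time slot, as the comment describes
DIGITS = 6   # 6-digit code, like the physical token

def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time-slot counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side. Tracks the newest slot already used so that a code
    captured while the owner types it cannot be used a second time."""
    def __init__(self, seed: bytes, window: int = 1):
        self.seed = seed
        self.window = window          # tolerated clock drift, in slots
        self.last_counter = -1        # newest slot that has been accepted

    def verify(self, code: str, unix_time: int) -> bool:
        for delta in range(-self.window, self.window + 1):
            counter = unix_time // STEP + delta
            if counter <= self.last_counter:
                continue              # slot already consumed: reject replay
            expected = totp(self.seed, counter * STEP)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False

if __name__ == "__main__":
    v = Verifier(SEED)
    code = totp(SEED, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))  # second use rejected
```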
Bronwyn Jan 8th 2010 3:19PM
@Janaa, if you'd read my post you would realize I wasn't saying that Authenticators were "not that great" but was rather saying that the prospect of finding workarounds is not that great.
I have an authenticator and I love it. It is 100x easier than I thought it would be and currently I'm quite confident that I am nigh un-hackable. I am also perfectly in favor of Blizzard making authenticators required.
I'm sure that if and when this is implemented the incidences of hacking will go down to next to zero, but I'm just saying- WoW accounts are a really hot commodity, and whatever way there might be to hack with an authenticator (which, believe me, I don't know exist because I am only an amateur techie), you better believe it will be developed. So it would be a mistake for people to think that just because they have an authenticator they should be able to be irresponsible with their information, y'know? And that is something I *do* worry about; it's like the people who buy a Mac because they think it's safer and then still aren't careful about what they do; sure, your chance of getting a virus or getting hacked may be lower on a Mac, but it's not impossible. All it takes is for someone to try and eventually it can happen. You have to be diligent.
Janaa Jan 9th 2010 1:41AM
@zappo - You misunderstood me. I stand by the authenticators being unhackable. What you're referring to is real-time keylogging, which I already covered in the previous post. As previously stated, the damage a hacker can do with a real-time login is limited. If they're hacking for gold, then all you have to do is log back on once you're booted off, preventing them from doing the same (Blizz have anti-system-gaming security, specifically for this scenario. If IP A (user) logs in, then IP B (hacker) then IP A again, IP B is prevented from immediately relogging, to effectively nullify this hack).
If they go for account details hack instead, logging into your battle.net account or wow account details, the worst they can do is (a) buy you a paid service, (b) cancel your subscription, (c) read the cd keys that are already associated with your battle.net account - none of which actually give them anything useable.
It's quite different from bank-account logins, as merely accessing the account gives them something useful there.
Mcfobos Jan 8th 2010 1:01AM
I would buy an authenticator a while ago but.. they don't send it into my country :( ... so.. i cant get it unless...
Zhiva Jan 8th 2010 1:15AM
You know what's the best part of their "we cannot ship to your address"? Try ordering authenticator AND something else, like action figure. Voila, they suddenly are able to ship!
Aren't sales on condition that the buyer also purchase another different product unlawful?
minttunator Jan 8th 2010 2:59AM
Yeah, also tried it. We currently cannot ship to this address.
Lame.
damay Jan 8th 2010 1:03AM
Well, I hope these are going to be 'free' now then.... as far as I can tell it's just another cash cow they're going to rip. I'd tell them to fuck off personally.