2-08-2010 @ 11:20PM
"The code from the Authenticator is based off of the serial number of the device or app and a date/time stamp. Because of this, a code is only good for about 30 seconds." While I am skeptical of the claims of the original article, and believe that authenticators are probably secure, I have found that codes *can* be good for longer than 30 seconds. I tested it when authentication servers were borked up around the time 3.3 dropped. Someone on another site I frequent claimed too that their friend had had their account hacked and that they had an authenticator. Another person in the same thread claimed that they would use their authenticator to generate codes and then use them at a later date without having the authenticator in hand. I didn't believe the guy, so I made my authenticator spit out three codes, and then used each of them ten minutes apart. They all worked. I was able to log in to the game (though not do anything, because servers were so messed up). So is it possible there's some kind of vulnerability? I don't know enough about the technology to say. All I'm saying is that I have seen codes work for more than 30 seconds. Believe me or don't believe me, but I've had an authenticator since August, and I have no reason to make the claim up.
2-08-2010 @ 11:42PM
I'm not trying to be inflammatory in any way in my response; if that really happened, it concerns me. On the flip side, given the way I understand VPN technology works, it feels like a pretty wild claim. I'd be very, very curious to see this feat repeated at any time (I've never been able to replicate this supposed problem) and have it documented in video, or something.
2-08-2010 @ 11:46PM
I've tried to replicate it when the login servers are functioning normally, and I haven't been able to. I plan to try next time the servers are screwed up again. I was as skeptical as you are, which was why I even tried in the first place. I was sitting there going, okay, there's no way that works. On a slightly unrelated note, the two people in my guild that had their accounts "hacked" both had them hacked when the servers were down for maintenance.
2-09-2010 @ 12:05AM
I had done some testing myself with my mobile authenticator on my iPhone; I have not tested this on my new Key-Fob device. It turned out that while each number was displayed for around 30 seconds, it was then still valid for another 30 seconds after it disappeared from the screen, but only 30 more seconds. I wrote down a code, and after it disappeared, tried it a minute later and it didn't work. I suggest anybody reading this person's comments tries this for themselves before you take this commenter's findings as fact. In my conclusion, on the iPhone mobile authenticator, each code was valid for approx 60 seconds, overlapping with the codes either side of it.
2-09-2010 @ 12:25AM
I admitted that my findings were under very specific conditions and didn't apply when servers were functioning regularly. I'd hope no one takes it as fact that it works that way all the time. I have an authenticator, I have pestered everyone in my guild to get authenticators. I think they're a great investment. I don't want to try and stop anyone from getting or using one. That's not my intention. That being said, if there *is* some sort of a vulnerability with them, I'm just pointing out an area that maybe needs a look.
2-09-2010 @ 3:23AM
The authenticator codes are generated from the clock that's embedded in the device. Not all clocks run at the same speed, so the login system has to account for a condition known as "clock skew" - where your token's clock gradually runs ahead of or behind the clocks on the Battle.net login servers, which will probably be synchronised to within a few milliseconds of one of the world's atomic clocks using the Network Time Protocol. Your token can't sync with the atomic clocks, so it'll gradually drift from the "correct" time. Mobile phone authenticators suffer less from this problem, by the way, as the phone's clock is often kept correct by the phone network. The result of this is that the login servers have to accept any code that they think might have been generated by your token at the current time. I suspect that as a token gets older and the battery runs down, the skew between real time and "token time" may increase, though I've not taken one apart to find out! Certainly I'd expect more than one code to be valid at any one time, though a code still being valid 10 minutes after generation surprises me.
2-09-2010 @ 9:49AM
At the very least, we do know that once you use a code, all previous codes become unusable. You need 3 codes to remove an authenticator from an account.
2-09-2010 @ 10:14AM
Hmmm... Your post makes me curious. I have been using this same type of authentication for years on more security-sensitive sites. (Mostly corporate banking.) I have never experienced what you describe. When you said the codes were good for an extended period of time... Did you try the same code more than once? (i.e. Log in with a code. Log out. Wait 5 mins or so, then log back in with the same code.) When you said you couldn't do anything because the servers were so screwed up, does that mean you were able to load a toon, but couldn't do anything in realm? Or do you mean you couldn't load a toon because the servers were screwed up? Obviously, what you describe isn't optimal, but it sounds like you still needed a valid code generated by your authenticator. If you were able to reuse the codes, it would be much worse. Provided you were able to load your toons. Though clearly Blizzard had borked the authentication servers as a whole at that time. My brain isn't working all that well this week, but isn't that also when Blizzard moved to requiring Battle.net logins as well?
2-09-2010 @ 1:06PM
If you tested when authentication servers were "borked" as you say, then it wasn't a true test - you can't test an authenticator when the authentication servers are down, right? This is the logic part of testing/troubleshooting. These debates about authenticators tire me. Tokens of this sort have been used as a second form of authentication for VPN services by major corporations for years. Additionally, token authentication removes the necessity of discussing remote access policies with auditors at length for HIPAA/PCI compliance. It's an industry standard for 2-factor authentication. While the soft tokens are a relatively new player in the space, they are also accepted as the second form of authentication. If they were as vulnerable as all the tin-foil hat folks would like to claim, they wouldn't have lasted as long as they have in the compliance space.
2-09-2010 @ 3:08PM
No, I wasn't able to use the same code more than once. I was still bothered by the fact I was able to punch the button on my authenticator three times in a minute, get three codes, and then use them over the course of 30 minutes though, when the device *isn't* supposed to work that way. It's one of the Starcraft II fobs, which I purchased in August, so I'd really hope that battery clock de-synching, which someone mentioned earlier, wouldn't be the culprit. Plus, how could it be, since I haven't been able to replicate it since that time? Servers being borked isn't perhaps an optimal test, but I'm still suspicious of the fact that the two people I know personally who had their accounts compromised had clean system scans and their accounts were compromised during server reboots/downtime on non-normal maintenance days. Neither had authenticators. Again, I'm not saying anyone with an authenticator has had their account hacked. I'm just not discounting the potential of some security issue. And I was disputing the original claim by Robin that codes are only good for 30 seconds. Like I said, our guild requires them for guild bank access at this point. I'm not an authenticator-hater. But I don't believe in blind trust of a security device just because it's not supposed to be crackable either.
2-10-2010 @ 10:12PM
My comment about optimal wasn't about your test being during a time of server issues. Hopefully, I didn't make you think that! My reference to not being optimal was in regards to the code not expiring in 60 seconds. It sounds like you still needed a valid code and it expired on use, so there was a significant amount of protection still in place. More than enough to foil a hacker, even in those circumstances. I'm the IT Director for a good-sized CPA firm, so you can be sure of three things... I take computer security very seriously, I tend to be very analytical and I am paranoid about security because I am paid to be. LOL. The fact that you couldn't use a code twice is a point in favor of it being properly set up. If you were able to actually load a toon with a code that was older than 2 minutes, that would be a point in favor of saying Blizzard needs to be sure they implemented the authentication properly on their end. (Which IS the case you are describing, and I am sure Blizzard has done just that.) The tokens are only as good as the processing program on Blizzard's servers, so there is always room for scepticism. I have seen with my own eyes token systems that were NOT implemented properly. Clearly, at the point in time you are describing, there were issues throughout their servers. Even with the issues a code was still needed, and without the fob, you still wouldn't be able to log in. The bottom line is that with technology nothing is 100% perfect, but the token system is light years ahead of the simple user/password arrangement when it comes to internet security. The de-syncing/battery issue would prevent a valid code from being given, so that is definitely not the case for you. (I have a client that is still using a similar fob by the same manufacturer that is 3 years old.)
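The two mechanisms the thread keeps circling back to are the server-side skew window (the 2-09-2010 @ 3:23AM comment: the server must accept any code the token might plausibly be showing right now) and the single-use rule (2-09-2010 @ 9:49AM and the comment above: a used code expires on use and takes every older code with it). The example below is added here for illustration; it is not code from the thread and not the Battle.net authenticator's actual algorithm, which no comment describes. It assumes the standard HMAC-based time scheme (RFC 4226/6238) with a 30-second step and 6-digit codes, and the seed and timestamps are constructed. It shows why a code can outlive its 30-second display without being reusable, and how an over-generous window (a server-side choice, not something the thread establishes Blizzard did) would make ten-minute-old codes validate while still enforcing single use.

```python
"""Time-based one-time codes with a server-side skew window and replay
protection, in the HMAC-based style of RFC 4226/6238.

Added example for this thread: it is not the Battle.net authenticator's
actual algorithm (the thread does not describe it), and the seed and
timestamps below are constructed for the demo.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as the thread states
DIGITS = 6     # assumed code length
SECRET = b"constructed-demo-seed-not-a-real-key"   # constructed, not a real seed


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """The code a token displays at Unix time `at`: the counter is the time step."""
    return hotp(secret, at // step)


class Verifier:
    """Server side: accept codes from `window` steps either side of 'now' to
    absorb token clock drift, and remember the newest accepted step so that a
    code, once used, and every code older than it, is never accepted again."""

    def __init__(self, secret: bytes, window: int, step: int = STEP):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1   # newest time step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        start = max(0, current - self.window)   # counters are never negative
        for ctr in range(start, current + self.window + 1):
            if ctr <= self.last_counter:
                continue   # replay, or older than a code already used
            if hmac.compare_digest(hotp(self.secret, ctr), code):
                self.last_counter = ctr
                return True
        return False


def demo() -> dict:
    """Walk through the behaviours the thread argues about; returns the outcomes."""
    t0 = 1_265_700_000            # constructed timestamp on a 30 s boundary (Feb 2010)
    shown_at_t0 = totp(SECRET, t0)
    out = {}

    # Tight window (+-1 step): a code outlives its 30 s display by one step,
    # the ~60 s overlap one commenter measured, but not by ten minutes.
    tight = Verifier(SECRET, window=1)
    out["accepted_40s_later"] = tight.verify(shown_at_t0, t0 + 40)
    out["replay_rejected"] = tight.verify(shown_at_t0, t0 + 45)
    out["rejected_10min_later"] = Verifier(SECRET, window=1).verify(shown_at_t0, t0 + 600)

    # Over-generous window (+-60 steps = 30 min), a server-side choice: three
    # codes pressed out within a minute all validate when used 10 minutes apart,
    # yet each works only once, and using a newer one first kills the older ones.
    c1, c2, c3 = totp(SECRET, t0), totp(SECRET, t0 + 30), totp(SECRET, t0 + 60)
    loose = Verifier(SECRET, window=60)
    out["loose_in_order"] = [loose.verify(c1, t0 + 600),
                             loose.verify(c2, t0 + 1200),
                             loose.verify(c3, t0 + 1800)]
    out["loose_replay_rejected"] = loose.verify(c3, t0 + 1810)
    loose2 = Verifier(SECRET, window=60)
    out["newest_first"] = loose2.verify(c3, t0 + 600)
    out["older_after_newer"] = loose2.verify(c1, t0 + 700)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it as-is to see each outcome printed. The point of the `last_counter` bookkeeping is that the window size only controls how old a code may be on first use; it never lets a code be used twice or lets an older code follow a newer one, which is exactly the behaviour the commenters report even during the server trouble.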