Battle.net authenticator process updated with smarter log-in detection

Blizzard wants to make the authentication process less intrusive, and this is a first step towards that goal. Right now, having to input a code at each and every log-in is a pain, sure, but it also makes me feel secure. I'm never going to say no to more security, but if the system can accurately figure out where I am and let me on, that's great.
This doesn't account for the case where the authenticator is used to gate access to WoW even from the home PC. I know some parents who use a simple password that their kids can remember but rely on the authenticator as the gate to prevent unwanted play. Maybe there will be an opt-out feature of some kind to always ask for the code.
You can check out the Battle.net account security page or check out the Blizzard mobile site for application information. For more information on this specific change to the authenticator system, follow me after the break.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We've recently updated our authentication system to intelligently track your login locations, and if you're logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we're sure the person logging in to your account is you.
We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don't already have a Battle.net Authenticator attached to your account, don't wait until it's too late - http://us.battle.net/en/security/checklist
If you have comments, concerns, or feedback regarding this change, please visit this thread to voice them so we can consolidate your thoughts. Thanks!
Original Thread: http://us.battle.net/wow/en/forum/topic/2674529777
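The adaptive step-up the post describes, as an added example that is not Blizzard's code: a policy that only skips the one-time code when the password login comes from a device and network the code has already been entered from recently. The signals (a keyed device fingerprint, a /24 or /48 network prefix), the thresholds, the per-account always-ask opt-out and the sample login sequence are all assumptions constructed for this example. Step 6 of the sequence shows the trade-off the post glosses over: a password captured and replayed from the trusted machine itself is not prompted, because a device signal is something an attacker can borrow, not something the user has.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Assumed tuning knobs; the real thresholds are not public.
TRUST_WINDOW = 30 * 24 * 3600      # a known device/network stays trusted for 30 days
MIN_CODE_PASSES = 2                # the code must have been entered from it this many times


@dataclass
class LoginAttempt:
    account: str
    ip: str
    device: str        # raw device attributes (OS, hardware, client build); assumed signal
    ts: float          # unix time of the attempt


@dataclass
class TrustRecord:
    network: str       # /24 (v4) or /48 (v6) prefix the code was entered from
    device_fp: str     # keyed hash of the device attributes
    code_passes: int
    last_seen: float   # refreshed only when a code is entered, not on silent logins


class StepUpPolicy:
    """Decides whether a password-authenticated login must also present the one-time code."""

    def __init__(self, fp_key: bytes):
        self._fp_key = fp_key
        self._trust: dict[str, list[TrustRecord]] = {}
        self._always_ask: set[str] = set()

    def set_always_ask(self, account: str, enabled: bool = True) -> None:
        """Per-account opt-out: always prompt, regardless of history (assumed feature)."""
        if enabled:
            self._always_ask.add(account)
        else:
            self._always_ask.discard(account)

    @staticmethod
    def network_of(ip: str) -> str:
        """Collapse an address to its prefix so DHCP churn inside one network stays trusted."""
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48
        return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

    def _fingerprint(self, device: str) -> str:
        # Keyed hash so a leaked trust store does not reveal raw device attributes.
        return hmac.new(self._fp_key, device.encode(), hashlib.sha256).hexdigest()

    def needs_code(self, attempt: LoginAttempt) -> bool:
        """True if the one-time code must be requested for this attempt."""
        if attempt.account in self._always_ask:
            return True
        net = self.network_of(attempt.ip)
        fp = self._fingerprint(attempt.device)
        for rec in self._trust.get(attempt.account, []):
            fresh = attempt.ts - rec.last_seen <= TRUST_WINDOW
            if (fresh and rec.network == net and rec.device_fp == fp
                    and rec.code_passes >= MIN_CODE_PASSES):
                return False
        return True

    def record_code_passed(self, attempt: LoginAttempt) -> None:
        """Call only after BOTH the password and the one-time code verified."""
        net = self.network_of(attempt.ip)
        fp = self._fingerprint(attempt.device)
        recs = self._trust.setdefault(attempt.account, [])
        for rec in recs:
            if rec.network == net and rec.device_fp == fp:
                rec.code_passes += 1
                rec.last_seen = attempt.ts
                return
        recs.append(TrustRecord(net, fp, 1, attempt.ts))


def demo() -> list[bool]:
    """Constructed login sequence for one account; returns the prompt decisions in order."""
    policy = StepUpPolicy(fp_key=b"server-side-secret")  # assumed key
    t0 = 1_700_000_000.0
    home = lambda ip, ts, device="home-pc:win7:build-13623": LoginAttempt("player1", ip, device, ts)
    decisions = []

    # 1-2: first logins from the home PC; the code is required until it has passed twice
    for ts in (t0, t0 + 3600):
        a = home("203.0.113.10", ts)
        decisions.append(policy.needs_code(a))
        policy.record_code_passed(a)            # user entered a valid code
    # 3: third login, same device and network: no prompt
    decisions.append(policy.needs_code(home("203.0.113.10", t0 + 7200)))
    # 4: same /24 after a DHCP change: still trusted
    decisions.append(policy.needs_code(home("203.0.113.77", t0 + 7300)))
    # 5: password reused from an unknown machine and network: prompt
    decisions.append(policy.needs_code(home("198.51.100.9", t0 + 7400, device="unknown-laptop")))
    # 6: password captured by a keylogger and replayed from the SAME trusted PC: no prompt.
    #    The device signal is not a possession factor; shared machines should opt in (step 7).
    decisions.append(policy.needs_code(home("203.0.113.10", t0 + 7500)))
    # 7: the always-ask opt-out restores the prompt on the trusted PC
    policy.set_always_ask("player1")
    decisions.append(policy.needs_code(home("203.0.113.10", t0 + 7600)))
    policy.set_always_ask("player1", enabled=False)
    # 8: trust expires once no code has been entered for TRUST_WINDOW
    decisions.append(policy.needs_code(home("203.0.113.10", t0 + TRUST_WINDOW + 7300)))
    return decisions
```

The sequence returns `[True, True, False, False, True, False, True, True]`. Only `record_code_passed` extends trust, so a password-only login never grows the trusted set on its own; that is the property worth checking in any real implementation of this pattern.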
Filed under: Blizzard, Account Security
Reader Comments (Page 5 of 7)
Oteo Jun 16th 2011 11:31PM
Thank goodness I read this earlier, 'cause I just logged on with my Authenticator in my hand and was not prompted for it. I would have thought someone had hacked my account and taken off my Core Hound Pup :P
dsauto Jun 17th 2011 12:11AM
I am curious what the effect would be if you use a proxy service (600+ Australian pings are terrible). With a proxy it's now around 230.
BTW when I started playing back in 2005 my ping was 150-180 with no proxy or packet mod. Now without either or both it's 600 & climbing.
Trish Jun 17th 2011 12:54AM
Cool!
I was willing to put up with the extra time and effort for better security, but now they've improved it! Yay!
Kavu Jun 17th 2011 12:57AM
I don't feel like reading all the comments, so someone may have already said this, but I just noticed this when I got disconnected and logged right back in- didn't ask me for my Auth. code.
dodgeballer2005 Jun 17th 2011 1:26AM
tldr: Authenticator is invented for accounts. Whining about entering it in every time.
Smart log-in implemented. People think they don't need the authenticator any more. More whining.
Does ANYTHING please you guys?
Amaxe Jun 17th 2011 2:10AM
The "whining" was obviously done by two different groups with two different preferences.
Personally I *preferred* the authenticator entry below the password, and I would *prefer* Blizz return to that method.
Joseph Smith Jun 19th 2011 3:42PM
I don't prefer that Blizzard uses either method, however I'd PREFER to be given the choice. Then BOTH groups would have had nothing to complain about.
Bigred_ore Jun 17th 2011 1:32AM
From the Twitter Account of @BlizzardCS
@Celycynd The system is not checking for just a change in IP. Other factors are taken into consideration when deciding to ask for a code.
@Celycynd You are under impression that IP is the only thing taken into account. >^.~< It is much, much more specific than that!
@MattG1978 Yes, Battle.net related sites will continue to ask for your authenticator each time you log in.
@daedalus4096 Unless you are sharing your account and/or computer information, this change does not increase the likelihood of a compromise.
@frozensolidone The system checks for other things as well. If someone is able to pull that off, you have bigger things to worry about. ;)
@tifffox2009 Our system is not making a decision to ask for the Authenticator solely based on your IP address.
#Authenticators still offer the same level of protection while making it more user-friendly; this will NOT up the chances of getting hacked.
Jabouty Jun 17th 2011 2:40AM
CISSP standards for security require that two tier security implement two layers of authentication: who you know (your password) and what you have (authenticator hardware code, biometric fingerprint etc). Location / computer / hardware ID hash is not one of them.
Color me pissed about this change. I want to input my 6 digits thank you.
Jabouty Jun 17th 2011 2:42AM
Freakin iPhone ... That's supposed to read "what you know" for the password.
WTB edit feature for comments.
Brett Porter Jun 17th 2011 7:39AM
"Location / computer / hardware ID hash is not one of them."
But it is. At least, now it is. Perhaps it has always been, since they would flag accounts that log in on a very different computer/location than normal. I guess that's what makes me most confused about the vocal group (not sure if minority or not) that are upset about this: it takes into consideration what you said CISSP normally doesn't.
That means extra security. I'm ok with this change. Folks may have other opinions, but saying this makes it less secure doesn't make it so.
Spark Jun 17th 2011 10:51AM
Just a couple points of clarification...
CISSP is a standard for individual certification - in essence, the individual has demonstrated a minimum level of understanding for the subject material at hand. It isn't a certification of practices, procedures, or implementation.
Two factor authentication is more often referred to as two of three factors; something you know (i.e. password, PIN), something you have (i.e. token, key, smart card), or something you are (biometrics - finger print, retinal pattern, etc.).
Now on to my take on this...
-----
Brett Porter Jun 17th 2011 7:39AM
I guess that's what makes me most confused about the vocal group (not sure if minority or not) that are upset about this: it takes into consideration what you said CISSP normally doesn't.
-----
The question would be, is Blizzard making proper assumptions? At some point, Blizzard's authentication system is substituting a token for (we assume) a computer system. I say we assume because we really don't know.
We know the tech behind the tokens (aka Authenticators). The algorithms and methodology have been publicly vetted. They are complex little cryptographic devices that, as of yet, have withstood scrutiny.
Blizzard's implementation of identifying a computer system has not had that scrutiny. We don't know how it works. We don't know what indicators it is using. But we can make some assumptions on what possible indicators are available. And there is little that holds up to the cryptography used in Authenticators.
I would be very uncomfortable swapping out system indicators for tokens and further would shy away from claiming that such a system is "more secure". It's a very plausible additional layer to add to strong two-factor authentication. But Blizzard is substituting. It may be sufficient. But if given the choice, I would opt out of this additional risk and choose to maintain the trade-off of minor convenience for the better authentication.
Jabouty Jun 17th 2011 11:42AM
Thank you Spark, you conveyed what I was trying to get across much more eloquently than I did.
Aggrajag Jun 17th 2011 4:42AM
I, and two of my work colleagues, regularly play on our work PCs at lunchtime. These computers could be (they generally aren't, but they could be) shared.
If Blizz stops asking me for my authenticator code doesn't that mean I run the risk of being hacked by a simple keylogger?
Dude Jun 17th 2011 5:09AM
They watching you. Watching yoooooooo. Oooooooooweeeeooooo.
datgrl Jun 17th 2011 6:28AM
Blizzard, at least give us a choice.
"IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. ... By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without an authentication."
http://en.wikipedia.org/wiki/IP_address_spoofing
"Encryption and Authentication - Implementing encryption and authentication will also reduce spoofing threats. ... Ensure that the proper authentication measures are in place and carried out over a secure (encrypted) channel."
http://www.symantec.com/connect/articles/ip-spoofing-introduction
"Any services that authenticate based on the IP addresses or host names are vulnerable. These include RPC, NFS, r-commands (rlogin, rsh, rcp, etc.), anything wrapped by the TCP daemon wrappers, X windows, and other applications that use source IP addresses for authentication."
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/IPexploits/
Spark Jun 17th 2011 11:08AM
IP spoofing isn't trivial. Successful attacks using IP spoofing either don't require interaction or are simple enough that one can guess the expected interaction. Think of it as a phone conversation where you can't hear the other person talking. If the conversation is short, simple, or scripted then you can fake an interactive conversation. Any complexity will quickly mean the conversation breaks down. And that assumes your carefully crafted spoofed packets make it to your intended target - it isn't likely.
A lot of what you linked is history. Modern network configurations and IP stacks have done a lot to prevent most useful forms of IP spoofing. The possibility of an attacker using IP spoofing to avoid Blizzard's detection is next to none (never say never).
Now - that doesn't mean an attacker couldn't tunnel traffic through a victim's machine. But then, that's something else.
kia Jun 19th 2011 7:18AM
Like Blizzard CS have said over and over, the system is based on a lot more than just IP addresses.
hacknstabber Jun 17th 2011 6:40AM
This means hackers won't be targeting Blizz anymore. Instead they will be trying to pivot through players' PCs.