Battle.net authenticator process updated with smarter log-in detection

Blizzard wants to make the authentication process less intrusive, and this is a first step towards that goal. Right now, having to input a code each and every log in is a pain, sure, but it also makes me feel secure. I'm never going to say no to more security, however, and if the system is something that can accurately figure out where I am and let me on, that's great.
This doesn't take into consideration the circumstance where you use an authenticator to prevent access to WoW, even from the home PC. I know some parents who use a simple password that their kids can remember but use the authenticator as the gate to prevent unwanted play. Maybe there will be an opt-out feature of some kind to always ask for the code.
You can check out the Battle.net account security page or check out the Blizzard mobile site for application information. For more information on this specific change to the authenticator system, follow me after the break.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We've recently updated our authentication system to intelligently track your login locations, and if you're logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we're sure the person logging in to your account is you.
We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user-friendly experience. If you don't already have a Battle.net Authenticator attached to your account, don't wait until it's too late - http://us.battle.net/en/security/checklist
If you have comments, concerns, or feedback regarding this change, please visit this thread to voice them so we can consolidate your thoughts. Thanks!
Original Thread: http://us.battle.net/wow/en/forum/topic/2674529777
Filed under: Blizzard, Account Security
Reader Comments (Page 6 of 7)
Korenwolf Jun 17th 2011 8:40AM
Testing here is strongly indicating that the only thing being checked is the originating IP, not anything which combines IP with machine specific information. So great if you're on a NAT network (through choice or not) and have some morons on the same network who like griefing "for the lulz".
A drop in security, to save bashing in a few numbers.
matt Jun 17th 2011 11:31AM
What testing? Have any security folks attempted to determine the signature that they are using? IP alone would be highly irresponsible in my opinion. Have you attempted to log into your acct from another PC (that you have not used before) on the same external IP to see if you get an auth request?
Also, why would you give the morons your password?
Korenwolf Jun 17th 2011 11:43AM
Testing here was on a single network with a common public IP, two Windows boxes with different hardware specs and origin. Once we had logged on via one machine, the other did not require the authenticator.
Strongly implying that this is purely IP based.
As for the "Also, Why would you give the morons your password?" comment, I have not shared my password, however after 16 years in the industry I can see so many holes to this "security optimisation" it's unreal. Focus on the underlying message rather than trying to shoot the messenger.
matt Jun 17th 2011 12:47PM
Your test seems to contradict Joe Perez's (lodur) testing that he posted over at World Of Matticus. From the test he did, far more rigorous than what you performed, there are multiple factors going into the computer ID beyond just IP address.
http://www.worldofmatticus.com/2011/06/17/battle-net-authenticator-changes-dont-panic/
Mofogo Jun 17th 2011 9:23AM
Well this is good to know. I was worried last when I had it right in front of me and it didn't ask. Immediately checked to make sure it was still enabled on my acct.
matt Jun 17th 2011 10:12AM
Ooh, it's so hard to push a button on a gadget and push those 6 numbers into my PC...
ScrubRogue Jun 17th 2011 10:14AM
Last night it went a bit crazy, I lost connection and reconnected with a new IP and was immediately locked out. Seems they went a bit far especially since I was indeed using an authenticator.
Jabouty Jun 17th 2011 10:44AM
As I said on the sticky at Blizz's place last night: I paid for it ... I wanna pushy the damned button.
Bloodmeel Jun 17th 2011 11:31AM
I find this process incredibly annoying. My son plays his account on his laptop wirelessly and I bet I have to reset his password 3 or 4 times a week. To the point that I am worried I am going to mess up by trying to enter the incorrect password. I like using the authenticator and if I have it I don't see why they feel the need to lock the account.
Crowqueen Jun 17th 2011 11:37AM
I hope people aren't expecting Blizzard to release details of what they are monitoring - that will only help would-be hackers know what to target.
wren Jun 17th 2011 12:56PM
I noticed this last night. I went to get a drink and when I came back I was DCed. I logged back on and it didn't pop up the authenticator box. I was very confused.
Smoke353 Jun 17th 2011 1:26PM
I reaaally don't like this change. I want my account to ALWAYS ask for my authenticator. Even if it's only my computer that it doesn't ask on, I'm not the only person who's on my computer. I want my authenticator to make my account secure. All the time.
Cool option for those who want it. NEEDS an off switch.
banebreak Jun 17th 2011 3:02PM
Here's an important nuance for non-technical users to understand:
Your mac address, your route to Blizzard's servers, your IP, and other such identifiers are _not kept secret_. They are sometimes difficult to come by or to fake, but they are not hidden by design. They can't be, they're required in order to pass traffic from one point to the next.
Using them to detect odd patterns and improve security is fine. "huh, he's logged in from Boston at 6pm, and an hour later tried to login in China, I think this is fishy, let's shut this off while we verify" is a very good design.
However, using any of this location/route/ip info to outright confirm your identity and permit entry is a mistake. The whole point of the authenticator is that you had to be in the presence of the device in order to sign on. Period. That was good security at a cost, namely that if you got booted from the server it cost you an extra few seconds to re-login. That's an ok price to pay for the certainty of the account security it provided.
I am among the crowd hoping that this setting is optional.
msawyer93 Jun 17th 2011 4:28PM
Thank god I saw this, I logged in like an hour ago and it didn't bring up the authenticator box, I got so scared. Thank you WoW Insider.
Trisnic Jun 17th 2011 10:10PM
I'm a bit concerned about this change and IP spoofing. It freaked me out when my authenticator prompt did not come out and I immediately went to the Blizzard site to make sure everything was ok.
datgrl Jun 18th 2011 6:34AM
The TCP handshake hasn't changed since design. Hackers can spoof your IP. Security is about risk mitigation and authenticators help to mitigate risk. The level of security you employ is based on the choices that are made every day.
Scenario: WoW player uses RealID and has a Facebook page, loaded with all sorts of neat widgets and apps that they've sent to all their RealID friends. One of the widgets has a keylogger and utility that alerts a hacker when you're online. It's just like an STD. You get dc'd and the hacker is logged in, laying waste to your account and the guild bank. You spend 20 minutes trying to figure out what happened. That's all it takes to wipe out someone's account.
Scenario: WoW player uses mobile apps on their phone to access the armory or chat. They've opened up the OS using a jailbreak on their phone. Lots more apps for phones, with lots more potential for the above same sort of hacker tools to be installed.
Scenario: IPv6 is turned on by default since Vista on PCs. With the above mentioned tools, a savvy hacker can IPv6 tunnel to your machine and access it. And if WoW is IPv6 ready and running it now, a hacker has everything they need.
One aspect of security is not to talk about what you do. Yet, I have to wonder exactly who makes the decisions and how much security is talked about within the company. I bought an Authenticator because I made a choice to protect my WoW account. I want a choice about *not* using it.
Jabouty Jun 18th 2011 12:09PM
As per my prediction it continues to live.
The Stupid is alive and well on both sides of this issue. Let's see if we can put some decent information out there finally.
I was not a proponent of the change (In fact I was one of the initial vocal tirades that hit the forums), however, I did sit down with the IT Security Administrator of the hospital that I work at and discussed this with him yesterday for close to 5 hours (yes, unproductive time and I was paid for it woot!) (for the down-cryers, I will trust a hospital security admin before anyone else in the business simply due to the requirements of the federal HIPAA (http://www.hhs.gov/ocr/hipaa/) regulations in regards to patient information security) and what he showed me was that while it gives those of us with enough security knowledge to be dangerous to ourselves the heebie-jeebies to not pushy-our-damned-button, it may actually provide a more secure method of logging in with regards to outside compromises (keyloggers, trojans, malware etc). It will do nothing for internal threats (mom, dad, sister, brother, pissed off spouse, pissed off girlfriend that found out about pissed off spouse, etc).
Assuming that Blizzard knows what they are doing in regards to secure network communications (which I have no reason to doubt considering they were among the first public entities to implement hardware authentication before even most banks did) then we can reasonably assume that they are collecting much more than IP, Geolocation and MAC addresses.
With their side loaded watchdog program (which runs each and every time WoW is active ... you agreed to it when you click accept on the ToU), Warden, they are able to gain access to the hardware GUIDs for each component of the computer system that it is running on now.
So how this *MIGHT* work (I have no clue if it does, it's simply what we came up with after 5 hours of arguing yesterday) is that Warden collects CPUID, MoboID, Harddrive ID, current IP address, MAC address and Geolocation coordinates and runs them together in some way. After which Warden takes the resulting alphanumeric string and does some sort of SHA-2 (http://en.wikipedia.org/wiki/SHA-2) hashing of that long string to encrypt it and what you end up with is a 32 / 64-bit random set of alphanumerics that is pretty much close to impossible to decipher.
The first time you login from your *safe* computer you have to authenticate. This shows Blizz that you are who you say you are because of what you know (password) and what you have (authentication code). When this is good Warden transfers that encrypted hash of location / hardware IDs to Blizz and they then save it in the database containing your account information. The next time you login, Warden again generates and sends its hash to Blizz to compare. If they match exactly, you're free to go. If they don't then you are flagged to authenticate again. Change any of those things that Blizz has chosen to create this hash of your computer / location off of, and you're flagged to authenticate. I've almost convinced myself completely that Warden's been doing this already in this way for a couple years now because I've had to reset my PW on a couple of occasions where my account was attempted to be accessed from Europe (I'm in the backwoods of Montana).
Before there's cries of OMG Warden's collecting personally identifiable information and Blizz is collecting it counter to what they've told us OMGWTFBBQLIES!!!!1! A SHA-2 hash cannot be reverse engineered (http://en.wikipedia.org/wiki/SHA-2) to find your ID-able information and therefore they are not collecting it, only a hash key of that data.
This will actually increase security in regards to outside threats by limiting what is input via keyboard and sent to Blizz. However, I say outside threats, because as I've stated previously this will do nothing for internal threats such as your spouse who's mad cus she found your stash of midget pictures.
After figuring this key aspect of the system out with him (as it's the only thing they can feasibly do while still keeping the claim of "As secure as") I came to the realization that while it might be more secure, I am a creature of habit and I take comfort from the fact that no matter what I do, pushing the button and entering my code means I'm secure. I enjoy pushing my buttons, it feels good. Don't take my ability to stroke my paranoid side into submission away. Let me push my button.
Don't remove the change if this is truly how things work (location / hardware hash, completely impossible to spoof *ALL* of it and the hashes will never match) but give me the ability to force authentication each and every time I log in. In fact, meld the two if that hasn't already been put in place, and give me the option to push my button. It makes me feel special and pretty.
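The trusted-device flow sketched in the comment above, written out as an added illustration for this post (it is not Blizzard's or Warden's code and the field names are constructed): it replays Korenwolf's two-machines-behind-one-NAT test to show the difference between fingerprinting the IP alone and folding in hardware identifiers, and includes the per-account "always ask" switch several commenters request. Salting the hash per account is an assumption, not something the thread describes.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Added example, not Blizzard's code: a trusted-device check of the kind the
# comment speculates about. Component names (cpuid, disk, mac) are constructed.

def device_hash(components: dict, salt: bytes) -> str:
    """SHA-256 over a canonical, sorted join of the identifiers the server trusts."""
    canonical = "|".join(f"{k}={components[k]}" for k in sorted(components))
    return hashlib.sha256(salt + canonical.encode()).hexdigest()

@dataclass
class Account:
    always_ask: bool = False                      # opt out of the prompt skip entirely
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))  # assumption
    trusted: set = field(default_factory=set)     # hashes seen after a full login

def login(account: Account, password_ok: bool, components: dict,
          otp_ok: Optional[bool] = None) -> str:
    """Return 'denied', 'challenge' (ask for the authenticator code) or 'ok'.
    otp_ok is None when the client sent no code, True/False when it did."""
    if not password_ok:
        return "denied"
    h = device_hash(components, account.salt)
    if not account.always_ask and h in account.trusted:
        return "ok"                               # known device: skip the prompt
    if otp_ok is None:
        return "challenge"                        # unknown device: demand the code
    if not otp_ok:
        return "denied"
    if not account.always_ask:
        account.trusted.add(h)                    # remember only after password + code
    return "ok"

# Constructed scenario from the thread: two Windows boxes behind one NAT address.
PC_A = {"ip": "203.0.113.7", "cpuid": "A1", "disk": "WD-1", "mac": "00:11:22:33:44:55"}
PC_B = {"ip": "203.0.113.7", "cpuid": "B2", "disk": "ST-9", "mac": "66:77:88:99:aa:bb"}

def second_machine_skips_prompt(keys) -> bool:
    """After PC_A does a full login, does PC_B get in with no code when the
    server fingerprints only the listed keys?"""
    acct = Account()
    login(acct, True, {k: PC_A[k] for k in keys}, otp_ok=True)
    return login(acct, True, {k: PC_B[k] for k in keys}) == "ok"
```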
Joseph Smith Jun 18th 2011 7:31PM
There's a lot of suppositions about what Blizzard is and isn't doing to determine your 'location' for logging in purposes.
However, let's assume that your suppositions are correct, and that Warden takes all of that information and combines it into an encrypted hash. In order to hack into my account they would need to send the hash data to Blizzard along with the username and password. While I don't profess to be a security expert, or a virus expert, I would imagine that they can collect that information with a keylogger just as easily as they collect the username and password when I put it in. Because the encryption used to create the hash tag is the same for everyone, and not dependent on the authenticator code in any way then they wouldn't have to break the encryption on a per user basis, just once.
The caveat that I'm going to give here is that, yes, I realize that all of the above would be very difficult and time consuming to accomplish, and that having an authenticator on the account would still give you an added layer of security. However that layer just got a lot thinner, since now instead of needing to crack a random number generator based on an infinite possibility of starting codes and encryption formulas, they only have to crack ONE encryption code and go back to stealing the information directly off the computer without NEEDING the unattached device.
Ask ANY company that uses a VASCO key fob for their VPN if they'd consider a situation where instead of having to have the fob and enter the numbers they'd just believe the employee was where the computer said they were. The key fob encryption was created for a reason. The inherent security of having a device isolated from the computer that gave the ONLY access to the network.
Ametrine Jun 19th 2011 12:58AM
I have no angry spouse, and I certainly have no stash of midget pictures.
Joseph Smith Jun 19th 2011 11:55AM
Well, I do! and I'll thank you to keep your eyes off of them! Go find your own, these are MAH pictures!