7-27-2011 @ 9:03AM
Ugh, brain fail. Second paragraph above should have read:

"Security theory says that to be effective, you need to verify two of three things: something you **know** (like a password), something you have (like the authenticator), or something you are (like a fingerprint scan.)"

While I'm about it, let me explain that a bit further. The reason for splitting things up like that is to require two things that can't be compromised in the same way. If WoW required two passwords, a key logger could pick up both, so no benefit there. (Same reason using your email address instead of a username isn't a big security fail; the username's not something worth keeping secret anyway, because it doesn't add any security over your password.)

If WoW required *only* the authenticator code, then someone could rob your authenticator and get access that way. In that instance, the poor, unloved password is actually the most important part of your security.

If you have an authenticator on your account, Blizz requires something you know (password) and something you have (authenticator code). But then, for the next few days, Blizz replaces the "something you have" with "this machine which you used to play WoW recently".

Why is that okay? Because for an attacker to be successful, they'd still have to compromise them in different ways. It's not enough for your housemate to get physical access to your machine (or your authenticator) - they need to know your password too. The password still matters.

The conclusion here, by the way, is that even having an authenticator doesn't make your account *totally* proof against *any* sort of hax. If someone is really determined to target you and *you personally*, then it can be done.

But in WoW, that's not the sort of hacking that causes widespread problems - it's miscreants grabbing the single passwords of weakly protected accounts. This, by the way, is why Blizzard is putting the effort into getting authenticators in our hands for less than cost (free phone apps, free shipping, etc.) But we're still getting the full benefits against untrusted housemates and thieves on the street. :-)
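As an added illustration of the policy the comment above describes (this is example code written for this page, not the commenter's and not Blizzard's actual login system), here is a small Python model: the password is always checked, the second factor is either a fresh authenticator code or a device that recently completed a full login, and the device trust expires after a few days. The authenticator code is assumed to be an RFC 4226/6238 style HMAC one-time code; the secret (the RFC 4226 test key), the password and the device names are constructed sample values.

```python
import hashlib
import hmac
import struct

# Assumption for this example: the authenticator produces RFC 4226/6238 style
# HMAC one-time codes. Nothing here describes Blizzard's real authenticator.
TIME_STEP = 30      # seconds per authenticator code
CODE_DIGITS = 6
DAY = 86400


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, now // step)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash, so a stolen user table does not hand out the 'something you know'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, password: str, authenticator_secret: bytes):
        self.salt = b"constructed-salt-for-example"  # constructed; use os.urandom() for real
        self.password_hash = hash_password(password, self.salt)
        self.authenticator_secret = authenticator_secret
        self.trusted_devices = {}  # device id -> expiry time (unix seconds)


def code_is_valid(account: Account, code: str, now: int) -> bool:
    """Accept the current code and one step either side to tolerate clock drift."""
    counter = now // TIME_STEP
    return any(
        hmac.compare_digest(hotp(account.authenticator_secret, c), code)
        for c in (counter - 1, counter, counter + 1)
    )


def login(account, password, now, device_id=None, code=None, trust_days=0):
    """Return (ok, reason). The password is required on every path; the second
    factor is either an authenticator code or a recently trusted machine."""
    # Factor 1: something you know. Checked first and always, even on a trusted device.
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        return False, "bad password"

    # Factor 2a: something you have, the authenticator code.
    if code is not None and code_is_valid(account, code, now):
        if device_id and trust_days > 0:
            # Remember this machine for a few days; it stands in for the authenticator.
            account.trusted_devices[device_id] = now + trust_days * DAY
        return True, "password + authenticator code"

    # Factor 2b: the machine you played from recently, while its trust window is open.
    expiry = account.trusted_devices.get(device_id)
    if expiry is not None and now < expiry:
        return True, "password + trusted device"

    return False, "second factor required"


def demo():
    """Walk through the scenarios from the comment; returns a list of (ok, reason)."""
    secret = b"12345678901234567890"  # constructed: the RFC 4226 test secret
    acct = Account("hunter2", secret)  # constructed throwaway password
    t0 = 59
    return [
        login(acct, "wrong", t0, device_id="pc1", code=totp(secret, t0)),      # wrong password
        login(acct, "hunter2", t0, device_id="pc1"),                             # no second factor yet
        login(acct, "hunter2", t0, device_id="pc1", code=totp(secret, t0), trust_days=3),
        login(acct, "hunter2", t0 + DAY, device_id="pc1"),                       # trusted machine
        login(acct, "wrong", t0 + DAY, device_id="pc1"),                         # password still matters
        login(acct, "hunter2", t0 + 4 * DAY, device_id="pc1"),                   # trust has expired
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print("ALLOW" if ok else "DENY ", reason)
```

The fifth scenario is the point of the comment: a housemate sitting at the trusted machine still fails without the password, and the sixth shows the trust window closing so the "something you have" goes back to being the authenticator.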