New Authenticator workaround - make it ask for a code everytime!
Post by
Quilan
I like the fact you don't need the authenticator in an often-used place. It makes sense. Blizz made the authenticators to prevent people in different places from hacking your account. The chances a hacker has the same IP as you is about .00000-----------1% if not lower. I'd rather be able to log on and not risk crashing my computer. You can go risk your time, I won't. I like this change. Blizz asking for the authenticator every time at the same IP was annoying when you were pressed for time, I can name about 10 times I was late for a raid because of having to put in the authenticator code in an often-used IP.
Post by
Koruchan
For instance, I just had a friend recently have stuff deleted off his account by his brother's friend logging onto his toon and just clicking around (he was rather young, but still). And a guildie recently lost all his guild rep with our guild when his cousin quit our guild and joined another on our guildie's toon for no good reason.
STOP SHARING ACCOUNT INFO. AN AUTHENTICATOR DOES NOT FIX THE PROBLEMS YOU ARE DESCRIBING.
I'M NOT THE ONE THAT DID IT. YOUR CAPS SHOW MUCH KNOWLEDGE AND AUTHORITY.
Seriously, the friend shares the account with his brother, so it's his brother's fault for opening his mouth to his friend. As for my guildie, not sure why his cousin had his info but oftentimes if you use the same password for a lot of your stuff and your family knows this, it's not too hard for them to guess it. In the event that someone knows your username and password, an authenticator DOES fix this problem because it's something you can keep on yourself and not at your computer so the person can't just log in.
An authenticator may not fix all problems, but it fixes many and some of them are nullified on shared computers/accounts when it's not always asked for. Just because the change doesn't affect you doesn't mean it affects no one else.
Post by
buzz3070
An authenticator may not fix all problems
True, but in the cases you provided simple common sense fixes those issues. To be more specific, don't use the same password you use for everything. Yes it is convenient but it can cause things like those to happen.
Post by
Cambo
At first I was like "ZOMG WHY CHANGE IT BLIZERD MY ACCT IS NOW UNSAFE"
And then I remembered that I am the only one that uses my PC and my WoW account.
It saves me 4 secs when logging in. YAY!.
Post by
Koruchan
An authenticator may not fix all problems
True, but in the cases you provided simple common sense fixes those issues. To be more specific, don't use the same password you use for everything. Yes it is convenient but it can cause things like those to happen.
At the same time, not everyone has common sense, lol. It's not that common. >.> But the option to keep that there for people who need it would still be nice. I don't see why the people who like the change oppose the idea of an opt-out option so strongly. If you like the change, more power to you. I honestly am safe with my info and like the change for myself. I like not having to put my auth code in every time. An opt-out option wouldn't be hurting the people who like the change, so I don't see why it necessitates rudeness. Just standing up for my little dummies who can't be more safe with their information. :D
Post by
Pwntiff
Honestly, this is the way it should have been from the beginning. I actually disabled mine because I was having connectivity issues, and got tired of entering a new authentication code every time I disconnected. No, it doesn't fix account sharing, but if you don't share your password, account sharing isn't an issue either. And if your password got phished or logged, the easiest method of access they have is remote accessing your computer, which can be countered quite easily.
Post by
843771
This post was from a user who has deleted their account.
Post by
Serkac
I remembered when I had dial-up internet that required the use of an RSA SecurID. As such I didn't mind the whole typing in six digits every time (and yes, if it so happens to dial out and then the number changes it fails. Luckily there is a progress bar on the ID itself that gives you a clear shot at when it changes).
As far as I've read on the Blizzard forums it has 'very little' to do with your IP but more the less the combination of what's inside the computer you are using.
Other than that, I don't know. It confuses me as to why people who don't like authenticators get them to begin with. Because face it; give someone a wedge and someone will shove it under the door. I've played other games, browser based, that require paranoia just to maintain an account on those games. I like authenticating because it's just peace of mind (call me crazy...) regardless if there really is or isn't a benefit to it.
With all that said the current system now works similarly to Dial-In Authenticators, and those have been known to keep a backlog of recently logged in locations...Including those that caused the intrusion to begin with. The only difference is the mechanism in between. The current one requires the key fob, the other a phone call.
Post by
Porcell
For instance, I just had a friend recently have stuff deleted off his account by his brother's friend logging onto his toon and just clicking around (he was rather young, but still). And a guildie recently lost all his guild rep with our guild when his cousin quit our guild and joined another on our guildie's toon for no good reason.
STOP SHARING ACCOUNT INFO. AN AUTHENTICATOR DOES NOT FIX THE PROBLEMS YOU ARE DESCRIBING.
I'M NOT THE ONE THAT DID IT. YOUR CAPS SHOW MUCH KNOWLEDGE AND AUTHORITY.
First statement is a general statement to everyone. Second statement is directed at you. The caps display the exasperation from reading your post, since you presented two cases that have nothing to do with authentication.
You said your friend's brother's friend logged on his toon and a guildie's cousin logged on his toon. Account sharing is against ToS and not a good idea for exactly this reason; keep your passwords to yourself and you don't have this problem. Having an authenticator doesn't solve this problem, as 9 times out of 10 the authenticator token is going to be sitting next to the computer anyway. What does solve the problem is not being an idiot about sharing your account. If you share your account you deserve whatever you get.
The authenticator, with these changes, still does what it is supposed to do; prevents unauthorized remote access to your account. It actually improves security because it eliminates middle man attacks, since you no longer have to enter a token code every time you log on from the same computer.
Post by
Serkac
If said friend is 18 or older and the other kid mentioned is less than that...I don't recall if the ToU explicitly said parental units or not.
Post by
Fawnish
If you are at an internet cafe someone could easily read your details over your shoulder. Who knows what they'd do in the allotted time to access your account while you're on your way somewhere else oblivious..
Post by
844145
This post was from a user who has deleted their account.
Post by
844729
This post was from a user who has deleted their account.
Post by
Monday
Blizz decided to take that away.
Thing is, Blizz didn't take it away. It will still ask you for an authenticator if you log on anywhere but your regular area, so unless somebody breaks into your house, they'll still need an authenticator to get in.
Post by
TheReal
What people fail to realize (and Porcell nailed it above) is that this change creates more security than was there previously. If you only ever log onto your account from your house, you will now never need to enter another code. That means if someone is (for whatever crazy reason) keeping track of your authenticator codes via a keylogger and trying to crack the key generation algorithm, that person is now limited to the already-collected codes and cannot use additional codes to help crack the algorithm.
The weakness before (and granted it was a very minor weakness) was that an attacker could collect data regarding your authenticator codes and start to piece together how your authenticator generated the code. Once your authenticator's code generation algorithm is cracked, you might as well throw it away.
But hey, if you don't understand this and need to type in your code, you're costing yourself 3-4 seconds per log-in and exposing yourself to a VERY minor security weakness. In the end, the only real difference is the 3-4 seconds added. I can understand why people want to opt-in, but these are very likely the same people who aren't up to snuff on the workings of information security. If you're doing everything the right way to begin with, you really don't even need an authenticator. If you have one already and you're already protecting your account correctly, then why complain?
Post by
Porcell
The weakness before (and granted it was a very minor weakness) was that an attacker could collect data regarding your authenticator codes and start to piece together how your authenticator generated the code. Once your authenticator's code generation algorithm is cracked, you might as well throw it away.
You aren't helping "our" case by saying things like the above. It is ridiculous to say that anyone was trying to "crack the code." That's pretty outside the realm of possibility.
But what -can- happen, and is documented as happening, is a program that "intercepts" the code you enter and sends it out, submitting a different code to Blizzard (which then fails). The hacker then has up to seconds to enter the intercepted code and log into your characters
http://wow.joystiq.com/2010/02/28/man-in-the-middle-attacks-circumventing-authenticators/
I'm not saying this is a big deal or something to fear. I was just using it as an example of how not entering your authenticator can actually improve security.
Post by
Sweetscot
Ok, while I don't really care for this change they've made and think it needs an account option to bypass it, I really think making a change to the registry on your computer over it is a bit extreme.
Also imo the people whom this change most inconveniences are people who aren't always at one computer or who must share the computer and may not have access/permission to make such a change...so thanks but not sure this is the best way to "fix" the situation.
I just hope they got the bug fixed where people were logging in to a friend's computer a couple times and getting the auth bypass then the other person logging on to their own account but when the game loaded were actually in the first person's account (basically they were compromised, just luckily it was people who they knew that didn't jack their stuff).
Post by
TheReal
The weakness before (and granted it was a very minor weakness) was that an attacker could collect data regarding your authenticator codes and start to piece together how your authenticator generated the code. Once your authenticator's code generation algorithm is cracked, you might as well throw it away.
You aren't helping "our" case by saying things like the above. It is ridiculous to say that anyone was trying to "crack the code." That's pretty outside the realm of possibility.
But what -can- happen, and is documented as happening, is a program that "intercepts" the code you enter and sends it out, submitting a different code to Blizzard (which then fails). The hacker then has up to seconds to enter the intercepted code and log into your characters
http://wow.joystiq.com/2010/02/28/man-in-the-middle-attacks-circumventing-authenticators/
I'm not saying this is a big deal or something to fear. I was just using it as an example of how not entering your authenticator can actually improve security.
Sorry Porcell. I should have included that thing about MITM attacks that you mentioned as well. By far the scenario you mentioned is much more likely, even though it too is hardly worth worrying much about. I was just trying to add to what you had posted.
: )
Post by
Serkac
When it comes to Man in the Middle Attacks I'm pretty sure trying to look at the hashing and syncing it with Blizzard's systems (Based on all that I've read, the hashes are probably stored on Blizzard's servers and it acts as a lock and the cache is the key) could be very well likely. Face it, all a MitM attack has to do is delete the key if it finds it and then get the authenticator code. So, with that all said, I'm sure that there is no threat difference between a week ago and today. For all practical purposes I'd compare a MitM to the original PSP virus. It exists, it's there and you have to load it into the system by accident or intent (face it...With the authenticator you couldn't attach the file to just anything...).
With that said the new system is probably on par with the old system if there weren't any bugs. However, like many others I still prefer an opt out.
Someone posted a theory how the reason was to reduce costs and the number of authenticator queries. If that were the case I'd take paying an additional dollar monthly to have said functionality. Not a fan of it but there has to be compromises sometime.
Edit: The middle paragraph relates to the technical aspect, not the actual location or access of the computer.
Post by
Tuppence
Interesting thing about the new system. We had a friend plugged in to our router yesterday, for a few hours, and then they left again. Now, this morning, we were asked to (on our stationary, always connected computers) enter our authenticator codes.
I don't know if the router's data to WoW is able to show that we had (or potentially, to the server, have) a third person who could be trying to log in without the need of a code. More likely, the third connection just reshuffled our local IPs (although mine seems to be the same) or some other setting. Lastly, could have been a change of our actual IP from our ISP (which would be a coincidence), as I don't believe static IPs are standard.
Point is, I think that the new verification system seems pretty solid.