Mandatory authenticators?

[kungfumonkey]

So what are the "hacked account recovery" employees gonna do now then?

They could always get new jobs at the Authenticator making factory

[Phage0070]

One concern i do have is if gold sellers lose the ability to hack accounts, will they turn to abusing in game mechanics for gathering resources more frequently, such as underground mining or porting from herb to herb. Still i think putting an authenticator in the cataclysm box would be a wise move.

Blizzard would *love* for that to happen, not only because that is something they can detect and control, but because it does not require customer interaction. Dealing with bitching customers all day is much harder than dropping the ban hammer on some loser teleporting around between gathering nodes. They can even be sure that every account being used to farm illegally is also extra money in their pockets, and not some poor dude's raid character that they will have to restore.

[Rapti]

Bad thing.
As long as there are accounts without authenticator, hackers are not even trying to go for protected ones.
A bit like the 2 unprotected WIFIs in the neighborhood

More seriously, since 100% security doesn't exist in the computer world , it makes sense.

They DO GO for protected accs and they end up being blocked (auth code entered wrong 3+ times = acc block) - thats what happened to my friend lately.

[Sensei_Sin]

Blizzard would *love* for that to happen, not only because that is something they can detect and control, but because it does not require customer interaction. Dealing with bitching customers all day is much harder than dropping the ban hammer on some loser teleporting around between gathering nodes. They can even be sure that every account being used to farm illegally is also extra money in their pockets, and not some poor dude's raid character that they will have to restore.

However gold sellers would then impact the (server) economy a lot more since they'd flood the AH with goods, even if only in between ban waves.

[Ellgee]

Sharing accounts is against the rules - end of - so no not a good argument for not having one.

Its your own fault if you get hacked - ? not always so, I know of several guild members that have had their account compromised, just before the mandatory battle.net conversation. The 'hackers' were using some kind of exploit in the coding to merge accounts into different battle.net accounts without the use of keyloggers or passwords.

The majority of compromised accounts and part of the reason we have so many damn gold spammers and not so many active farmers, is due to peoples own stupidity. "hmm now lets see, lets use my wow account email address and password to make a forum account at some random wow fansite linked to on the intarwebs"

The main 'issue' spotted in the wow.com article was the distribution, well if they box one with cataclysm retail copies its not going to be a problem.

I have to say I'll be happy to see the majority of gold spammers gone as well the reduction in gold selling going on. As a guild we now have a policy for booting dormant accounts because it only seems a matter of time before they're hacked and credited with stolen credit card details.

[Nametaken]

Blizzard is quite capable of waiving that requirement for special circumstances. They could give you a week off from that requirement as they ship you another one, and the chances you are going to be hacked during that time are slim to none considering 99% of the time hacking is impossible. Given that every time an authenticator craps out that situation comes up, I doubt they would force a customer to sit out while they wait for an overnighted package to arrive.

As Sensei_Sin said, this is not only speculation (so far as how they would implement mandatory authenticators), it's also extremely naive to think they would change protocol just so you can keep playing. How many times does an authenticator crap out? Aside from that, if WoW is so important you can't last a few days without it, you could have one spare, just in case.

Authenticators also aren't overnight for everyone. A friend of mine who was hacked waited for 3 full weeks to receive his authenticator...in Israel. Oh, and he paid ~40 euros to get it sent there.

[olih27]

Dude you are the worst fucking speller iv seen since 2cnd grade. And nice job admitting to ACCOUNT SHARING and having your toons name in your sig now anyone can report you. FYI the authenticator is free on iphone and itouche. And it doesnt take someone to send you any type of warez to hack you. All they need is a bruteforcer.

Oh the irony of this post

[Phage0070]

And it doesnt take someone to send you any type of warez to hack you. All they need is a bruteforcer.

Not going to happen. Remember that a given authenticator code is only valid for about 30 seconds, after which it changes to a new sequence. That would mean that your brute forcer program would need to either try all possible combinations of a 6-digit numerical code within 30 seconds, or start over. Once some dude tries to log in a million or so times in 30 seconds I think they will know something is afoot.

[olih27]

And last time I checked SHARING accounts wasn't against Blizzard's TOS.

Check again, it is against the rules

[Phage0070]

Oh and I agree with the person you're quoting in the post. It's your damn fault, I haven't been hacked in 4 years and I surf the web freely willy. And last time I checked SHARING accounts wasn't against Blizzard's TOS.

6:
Username and Password.
During the registration process, you may be required to select a unique username and a password (collectively referred to hereunder as "Login Information"). You may not share the Account or the Login Information with anyone other than as expressly set forth herein.

You are not allowed to share login information with anyone else. Thus, no account sharing.

[Ellgee]

So what are the "hacked account recovery" employees gonna do now then?

hopefully answer in-game tickets.... don't know about US but in EU you can pretty much kiss goodbye to a response time under 3 hours, under 6 hours is still pretty lucky - the majority of my tickets are replied to by in-game mail (and about 50% of the time they don't get it right as the ticket text limit is too small to explain things clearly)

[Teslatroll]

I'm gonna put forward the arguement against authenticators..

Firstly theres the dcing issue, we've all had moments where we've dced during a boss and know the faster we get back in the more likely it is that we arn't dead, having an authenticator does lengthen the logging in process and would get irritating.

Secondly, although this reason doesn't hold a huge amount of weight, some people do account share. I'll give my example, recently we cleared all ulduar hard modes after spending a while trying yogg +1. I was very happy but like most people had missed a previous raid where one of the achievements was done (in my case razorscale).

As a guild we agreed to re run through the hard modes to finish off the meta for most people, on the night where razorscale was being done I couldn't be online for various reasons, I gave my details to a guy in the guild who'd I'd known for over 4 years and trusted perfectly well, he went on my acc just for the Razorscale kill and I got the drake, had I not done that I wouldn't have a drake.

Theres also the other problems with accounts getting locked, lost authenticators, people not turning up for raids because they're authenticator ran out of battery and they had no spares etc.

I think with an MMO as big as wow the hackers aren't just going to give up because of authenticators, they'll find ways to get around authenticators..tricking people into giving them an authenticator code or w/e. Right now if you buy an authenticator, you stop being a target for hackers, it should remain this way. If authenticators become mandatory, everyone is once again a target.

I stopped right here. Let's take it from the start.

I actually get quite a few WoW errors, and even with an authenthicator, it has made no difference whether the extra 3 seconds really made it in. You quickly get used to it, and my authenthicator is always ready when i'm raiding.

Account sharing isn't adviseable, but i'm glad you got the Ulduar drake from it. However, you can't use an argument like that, saying that authenthicators are bad because you can't have your friends gearing/working on your character for you. It's your character, and if you can't be there to get the job done, so be it. You'll miss out, which is a consequence of your choice of not being there. You can't expect epics and metas, if you're not willing to take part in the entire effort yourself.

And no, it won't make anyone else a target. Not more than they are now anyhow. It will just raise the difficulty for the keyloggers, as it's no longer a simple issue of cyberspace piracy.

Basically, there's no realistic argument about making the authenthicator mandatory, if even just for the Cataclysm players. Simple, put an authenthicator in the shipping box for Cataclysm (and include a free authenthicator with shipping for those who buy it online). This means you can play the first 3 games, Vanilla, TBC and WoTLK without authenthicators, and as such, new players won't have to use an authenthicator.

[Xenryusho]

Not going to happen. Remember that a given authenticator code is only valid for about 30 seconds, after which it changes to a new sequence. That would mean that your brute forcer program would need to either try all possible combinations of a 6-digit numerical code within 30 seconds, or start over. Once some dude tries to log in a million or so times in 30 seconds I think they will know something is afoot.

They'd need to brute force you within 30 seconds of you hitting send code... And before you enter your code. So if they are omnipotent and omniescent they can hack you. But if they were that they'd be god. In which case they'd probably have access to your WoW account anyway. And if God were trying to hack my WoW account I'd be more afraid of other things. If you get the code wrong 3 times in a row you're locked out.. So they have three guesses just in case they're not god. To guess an 8 digit numerical code. That's 100,000,000 different possible combinations that they have to brute force in a maximum of 30 seconds if you stand there with your finger up your ass, or a more likely maximum of 5 seconds... And they have to know exactly when you do it too. Did I mention that the code generator is impossible at this time in human evolution and technology to crack by all stretches of the imagination? Banks use this same auth company to do billion, and trillion dollar transactions. Do you really think trillions of dollars is going to be entrusted to a system that some scrawny Chinese hacker or fat nerf in their mothers basement could crack? The answer is no.

It being mandatory is something, I, however, am against. Simply because a small inconvenience to someone in an area with bad reception could seriously suck. I have it for my iPhone.. AT&T sucks.. I have to walk out into -20 degree weather to authenticate every time I get disconnected should my college's network decide to hate me.

It being mandatory, despite my gripes, would be the most beneficial course of action. If you want to know why please actually read the thread, it's been stated probably multiple times already covering financial costs (authenticators < Customer service costs) to economic costs (no hackers means less gold being sold).

[nerthus]

Putting an authenticator in the Cata box would be pretty stupid and uneconomical because of all the people who have one already. They could do some kind of mass-send out to people when they upgrade their account to Cataclysm and don't already have one, or something.

[Sensei_Sin]

The problem Teslatroll is still supply.

Supplying that many authenticators, at the same price range and making sure people can get them at all/in a decent time frame.

[Deleted]

Remember that a given authenticator code is only valid for about 30 seconds, after which it changes to a new sequence.

Not quite correct. To test it, press your magic button, write down the code and try it tomorrow. It works fine. The code itself is only available for a small period of time after which the authenticator moves onto the next in it's sequence, but any of the codes it generates are valid although only the once.

The device is simply a sequence of numbers initialised by a random seed that it churns out whenever you press the button. It may skip some in the sequence depending on time elapsed or something but there is no time correlation between the device and Blizzard's servers which would be necessary to synchronise which code is valid for which 30s window each time the button is pressed.

[Xenryusho]

Not quite correct. To test it, press your magic button, write down the code and try it tomorrow. It works fine. The code itself is only available for a small period of time after which the authenticator moves onto the next in it's sequence, but any of the codes it generates are valid although only the once.

The device is simply a sequence of numbers initialised by a random seed that it churns out whenever you press the button. It may skip some in the sequence depending on time elapsed or something but there is no time correlation between the device and Blizzard's servers which would be necessary to synchronise which code is valid for which 30s window each time the button is pressed.

Of course there is. You hit the button. The servers get it. A timer starts. What other correlation do you need besides when you authorize the code for use?
And I have tested it, working as intended for me. I can't use it about a minute after I enter it.

[Deleted]

Not quite correct. To test it, press your magic button, write down the code and try it tomorrow. It works fine. The code itself is only available for a small period of time after which the authenticator moves onto the next in it's sequence, but any of the codes it generates are valid although only the once.

The device is simply a sequence of numbers initialised by a random seed that it churns out whenever you press the button. It may skip some in the sequence depending on time elapsed or something but there is no time correlation between the device and Blizzard's servers which would be necessary to synchronise which code is valid for which 30s window each time the button is pressed.

Sorry Tenaka30, but you are totally wrong. Of course those Authenticators are time synchronised with the servers, and of course the code is only valid for a limited duration (which might be 1min instead of 30 sec, not quite sure there, but doesn't really matter).
The best test is that is you take too long to input the given code, you will fail at authentication, because the code is expired.
So as it happened to me many time to miss the code by a few seconds, I really don't see how you could use it 24h later!

[Sensei_Sin]

Part of the reason you can't replace it's battery is because it gets de-synchronized with the server clocks.

[Deleted]

Of course there is. You hit the button. The servers get it. A timer starts. What other correlation do you need besides when you authorize the code for use?
And I have tested it, working as intended for me. I can't use it about a minute after I enter it.

Sooooooooooooooooooooooo

you think you press the button on the autheticator and it contacts the blizzard server?

How exactly?