
Battle.net Authenticator Changes
Originally Posted by Zarhym (Blue Tracker / Official Forums)
If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late - http://us.battle.net/en/security/checklist
This article was originally published in forum thread: Battle.net Authenticator Changes started by Boubouille
407 Comments
  1. Arialla's Avatar
    Quote Originally Posted by Thornar View Post
    Honestly, I like this change. It means those with an authenticator can live without the pain of a disconnect at a bad time, delaying them any more than it has to.

    But, with this there are a few things people should know:

    [1] Blizzard are not just starting to track your I.P. address, they've been doing it since the launch of World of Warcraft, so don't panic about them suddenly knowing where you live.

    [2] This system will mean that you can log into any computer around the house, as internet I.P. addresses are connection based (i.e. household, workplace) instead of each individual computer. This means should you have a disgruntled member in the household who knows the password, they could get into the account from another computer.
    Not true, I use my desktop most of the time, the laptop sometimes, every time I've tried to log onto my laptop, it's asked for a code.
  1. Traigor's Avatar
    Quote Originally Posted by poachingbear View Post
    This new change is not liked by me at all. What if somebody managed to take my laptop when I wasn't looking? Accounts could be hacked so easily, waste of an authenticator. And to save time when you're dc'd in a raid? It takes two seconds to enter in a SIX digit number...
    u r an idiot if u care ur account's future when some1 takes ur laptop... seriously..
  1. mmocf5d59d9619's Avatar
    Not good if you're playing on a laptop and it gets stolen and the burglar magically knows your password.
  1. Recom's Avatar
    Thank god!
  1. mmoc1325507f8a's Avatar
    They should have a cooldown on the authenticator, so that if you log back within 30 minutes of DC:ing or something like that, you get this feature where you can skip the code (however it works), but the first time you log in during your session will always prompt for the code.
  1. Defcon's Avatar
    The entire reason why we purchased authenticators was to guarantee that it was a more secure route, by having yourself click a button and putting the code in yourself. I think this idea is stupid, cause not only did we pay 8$ to purchase an authenticator key, but there's no use of it? We can't guarantee it is secure again... if we don't take 4s to push a button etc. Blizzard, if the accounts were so secure in the first place, there would have not been needed an authenticator, so u create 1 and have millions purchase a key so it's more secure? If it was such a hassle to push a button and uhhg type a 6 digit number in, people would have never purchased an authenticator in the first place.. Don't change it.
  1. Tastyfish's Avatar
    Quote Originally Posted by MintJam View Post
    I think it'd be neat if they made it into an optional feature for those players who are paranoid enough to not like this. Personally it'll save me from having to strain my eyes in the dark at night trying to read the numbers.
    Yea, this is what I was thinking too.
  1. russykh's Avatar
    I love how people both here and on the official site are coming up with increasingly more inventive and utterly ridiculous scenarios whereby this change will somehow mean they get hacked, and how entering the code would have been a defense.

    "Well, if I was playing at home and suddenly got attacked by ninja squirrels, who then slaughtered my family they could use a time travelling space robot monkey to key log my account and shard my purpz! The authenticator would have stopped them!"

    Thing is, I can understand people wanting to enter the code for "peace of mind" factor but people need to understand that not entering the code doesn't suddenly deactivate the protection you get with the authenticator. You have the same level of protection with this as you did before.

    Also, if you have people in your life that you think an authenticator is the only thing stopping them playing your account and you don't want them to....you should probably change your password. If you think that somehow they are going to keylog you or use nefarious ways to get your password, you should probably change the people in your life.
  1. Glazier's Avatar
    Oh, that's why my account was blocked when I logged in from my friend's PC ... They thought I can not travel 2k miles in 1 hour, but forgot about Radmin.
  1. Annu's Avatar
    Why the old system was bad:

    Because it did not solve the man in the middle problem:
    If someone sitting between you and the server gets your password using a keylogger, they can also get your current Authenticator Code. This code can be used for a few seconds. Hence, when you are hacked, you enter your password + authenticator code and get an error message. In the meantime, the hacker logs in using this information and stays online for a whole session. You won't be able to login and kick him out this way, because he sits between you and your server, preventing any further connection. This is the method they hack you, even if you have an authenticator.

    Was all presented on MMO Champion:
    http://www.mmo-champion.com/threads/698627-Authenticator-Accounts-Hacked-ICC-Quests-Crimson-Deathcharger

    New System:

    The Server knows your IP Address AND your PC. It sends the serial of your hard disk, motherboard, etc. in an encrypted way to the server (they can change this system with every patch, so even if someone figures it out, it works only for a limited time). In case this stays the same, no one can log your authenticator code. But this code is necessary for the hacker if the IP Address OR the PC changes. So it even works, if someone steals your Laptop (as long as he does not connect using your LAN).

    The only way to hack you, is to entirely hack your PC and run WoW from your location. However, hiding such a big application in the background is not easy, and as soon as you shut down your computer the connection is lost.

    Further problem about the old system: a keylogger might not cause your anti-virus to start an alarm, because there are a lot of drivers that actually do the same (e.g. drivers that assign keys to mouse buttons are very close to keyloggers). However, if someone takes over the full control of your PC the anti-virus and firewall must be hacked too.

    I admit, I tried RIFT this week, where they already use this system in a different way. I copied the game to my girlfriend's laptop (who uses the same internet connection) and as soon as she logged in using my trial account she got a message, that she can't sell anything, until she entered the code they sent to my email account. Reason: PC or Location changed.
  1. mmoc3d9dbb6ccb's Avatar
    I'd be less skeptical, but I just tried to login on a second PC in the same house I didn't even have WoW installed on before and it didn't ask me for my auth code. Are they sure they aren't just checking IP?
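
The disagreement in the comments above (Annu's description of a check on IP address plus machine, against the report of a second PC in the same house not being prompted) comes down to what the server uses as its trust key. The Python sketch below is an added example, not Blizzard's implementation and not code from the thread; the class, the `network` and `device_id` signals, the 30-day trust lifetime and all sample logins are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TRUST_TTL = timedelta(days=30)  # assumed lifetime of a verified login context

@dataclass(frozen=True)
class Login:
    account: str
    network: str    # hypothetical signal: public IP of the connection
    device_id: str  # hypothetical signal: opaque client fingerprint
    when: datetime

class StepUpPolicy:
    """Decide whether a login must present an authenticator code."""

    def __init__(self, bind_device: bool):
        self.bind_device = bind_device
        self._trusted = {}  # (account, context) -> time of last verified login

    def _key(self, login: Login):
        ctx = (login.network, login.device_id) if self.bind_device else (login.network,)
        return (login.account, ctx)

    def needs_code(self, login: Login) -> bool:
        last = self._trusted.get(self._key(login))
        return last is None or login.when - last > TRUST_TTL

    def record_verified(self, login: Login) -> None:
        # Call only after the authenticator code has been checked successfully.
        self._trusted[self._key(login)] = login.when

def compare(bind_device: bool) -> dict:
    """Run constructed sample logins through one policy; True means 'prompt'."""
    policy = StepUpPolicy(bind_device)
    t0 = datetime(2024, 1, 1, 20, 0)  # constructed timestamp

    def at(net, dev, **delta):
        return Login("player", net, dev, t0 + timedelta(**delta))

    home = at("203.0.113.7", "pc-A")
    first = policy.needs_code(home)  # unseen context: always prompt
    policy.record_verified(home)
    cases = {
        "same_pc_reconnect": at("203.0.113.7", "pc-A", minutes=5),
        "second_pc_same_house": at("203.0.113.7", "pc-B", hours=1),
        "known_pc_new_network": at("198.51.100.9", "pc-A", hours=2),
        "same_pc_after_ttl": at("203.0.113.7", "pc-A", days=31),
    }
    result = {name: policy.needs_code(login) for name, login in cases.items()}
    result["first_login"] = first
    return result
```

The two policies differ only on `second_pc_same_house`: keyed on network alone it is not prompted, keyed on network plus device it is.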
  1. winzi's Avatar
    Quote Originally Posted by poachingbear View Post
    This new change is not liked by me at all. What if somebody managed to take my laptop when I wasn't looking? Accounts could be hacked so easily, waste of an authenticator. And to save time when you're dc'd in a raid? It takes two seconds to enter in a SIX digit number...
    You think someone would steal your laptop only to hack your WoW account? Paranoid much? And even if such were the case it would have to be someone who knows you have a WoW account to begin with and knows what the account name is.
    Also know that it is not from what machine you log in from but your location. And it's also not only based on your location or IP address.
    Learn to read through all the facts before you make silly posts like that.
  1. stumpy's Avatar
    Quote Originally Posted by Kryos View Post
    After what we saw in the past - sure, I don't trust any security in the gaming industry. Security costs money and because you don't see it, it's one of the first things they try to minimize to economize.
    Considering that Blizzard is fully aware that it costs them money and man-hours to restore hacked accounts, I don't really see that argument holding water for anybody with a little common sense.
  1. mmocfd8dce4bf2's Avatar
    Do not want this. Seems like this system could be abused rather easily.
  1. russykh's Avatar
    By the way, people saying that this is a version of Rift's coin lock or they nabbed the idea from them - it isn't. Blizzard has been using a location based lock out system for ages, it's just nowhere near as aggressive as the version in Rift, which had to be as they released the game with a pretty big security flaw that this was essentially a band aid for. The system blizz had in place previously would lock people out only if something was very obviously dodgy going on. I've used the system in Rift and due to the need to cover up the flaw (hacked accounts were pretty mental in the first month) it was a bit too eager to lock people out. I got locked out several times, despite always logging from the same PC. Plus, unless they changed it, they could still maliciously delete your account, or play on your toon and act like an ass. They just couldn't do anything with your gold or stuff.
  1. Neotokyo's Avatar
    Seriously.. if people use your computer and know your password.. you're asking for trouble.. change your damn password .. problem solved.
  1. mmoc481d45e0bf's Avatar
    I think Blizzard is a pretty cool guy, eh likes dks and doesn't afraid of anything.
  1. Keosen's Avatar
    Quote Originally Posted by Ashaela View Post
    Do not want this. Seems like this system could be abused rather easily.
    Show us one.
    Just one.
    I'm not asking, I'm actually challenging you to do so.
    Just a single way that you can abuse this.
    Show me.
  1. Oragan's Avatar
    Would be nice to have a tick box, Either you tick so it always pops, or so it only pops when you log at a different location
  1. Keosen's Avatar
    Quote Originally Posted by Oragan View Post
    Would be nice to have a tick box, Either you tick so it always pops, or so it only pops when you log at a different location
    Well that is what is probably going to happen after all the massive clueless retardness that hits the official forums once more.
    It's once more proven beyond any doubt that a certain group of the community just have the need to whine for whatever Blizzard does.
