Battle.net Authenticator Changes
Originally Posted by Zarhym (Blue Tracker / Official Forums)
If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late - http://us.battle.net/en/security/checklist
This article was originally published in forum thread: Battle.net Authenticator Changes, started by Boubouille.
407 Comments
  1. mmoc490c7f2c58's Avatar
    My god the people posting in this thread are really making me angry. "What if people who have access to my computer log in!11!!" Why would they have your WoW password? You guys seem to think this change makes your account password obsolete. And for people who log in different places often, nothing will change. How is this a bad thing? In any way, unbelievable the train of thought some people can come up with.
  1. andy_mitchelluk's Avatar
    Quote Originally Posted by staal View Post
    But if you're behind a NATed network the receiving address (blizzard) only sees the NAT source address which is your router, they don't even know your PC exists.
    I'd guess that the client on our end can see our PC's MAC address though and transmit that to blizzard's server which they could verify on future logins by repeated transmission of said MAC. That, plus IP confirmation. And whatever else they add with it.
  1. link_991's Avatar
    Quote Originally Posted by Michalev View Post
    I think it is funny that a few people have already complained about a SIX digit number, apparently they have never used an authenticator, because, in fact, it is an EIGHT digit number
    The phone authenticators used 8 digits. The little dongles use 6 digits.

    And I'd like to say this is very similar to Steam's system, where every time you log in from a new computer you get sent an email with an authentication code.
  1. Dracbane's Avatar
    Quote Originally Posted by Imhullu View Post
    Seems like a risky move
    This only applies if you are using the same computer and internet connection. If your account is trying to be accessed anywhere else it will still ask for the authenticator. I personally like this and am glad they are moving their technology forward.
  1. kernspalt's Avatar
    The System will work like the steam security system.

    The only difference will be that you won't get an email with a verification code, but will be asked to use your authenticator.

    btw. Gabe Newell (President of Valve) told the world his steam account name and password. The account still hasn't been hacked.
  1. OathofChaos's Avatar
    Are you guys kidding me? Let's take a step back to breathe for a moment.
    You ready? Good. If you're on your desktop, and you log in a number of times (let's say 20), your authenticator will kick in for the first 10ish (Nothing has changed, your router hasn't released/renewed IP addresses, everything has been the same in the past 12 hours), and then maybe for the last 10 you'll have to enter your authenticator 5 times, maybe more, maybe less.

    Now, evil man Fisher wants to steal your account. He tries to log into your account using a proxy through France, but oh no! He must use an authenticator to access your account! Things don't match up, his computer doesn't match your computer, so forth and what not, so he has to enter the authenticator that you have on your keychain. Your privacy is not compromised. If you're worried about a shared computer with people getting on your account, don't share your password to your account or your profile. Oh, and always use protection. Viruses can be dangerous. There are good free anti-virus programs out there, as well as anti-malware programs that work well. This will help foil keyloggers.

    This has been a public service announcement. You may return to your incessant whining again.
  1. Redasurc's Avatar
    Quote Originally Posted by andy_mitchelluk View Post
    I'd guess that the client on our end can see our PC's MAC address though and transmit that to blizzard's server which they could verify on future logins by repeated transmission of said MAC. That, plus IP confirmation. And whatever else they add with it.
    The WoW TCP/IP stream is not encrypted, which means you can alter packets etc. with a man-in-the-middle attack. It's a game, but if they have 2-factor authentication they can't be sloppy about it like this, I'd like to see the blueprints of how it's gonna work, but if ppl can scan your keyboard, they can see what packets you send that include a MAC address in the upper layers of the IP stack, making them able to fake the transmission.
  1. Michalev's Avatar
    Quote Originally Posted by staal View Post
    But if you're behind a NATed network the receiving address (blizzard) only sees the NAT source address which is your router, they don't even know your PC exists. I'm talking strictly TCP/IP here, not some jumbo mumbo software that blizz leech from your hardware config and most likely send to the server unencrypted...
    Your local IP on the network doesn't matter, because millions of computers all have that same IP, what matters IS your router's IP.
  1. mmoc310a7931c1's Avatar
    Quote Originally Posted by Michalev View Post
    I think it is funny that a few people have already complained about a SIX digit number, apparently they have never used an authenticator, because, in fact, it is an EIGHT digit number
    I'm pretty sure the "physical" authenticator is six digits, while the one available on mobile phones is eight.
  1. Redasurc's Avatar
    Quote Originally Posted by Michalev View Post
    Your local IP on the network doesn't matter, because millions of computers all have that same IP, what matters IS your router's IP.
    Some ISPs use NATed networks even all the way to their central router, having 1000s of PCs on the inside looking like 1 address to the rest of the internet...
  1. Schmittay's Avatar
    Awesome! Looking at the info they posted on Twitter my account will be just as safe as it ever was. If you complain you obviously didn't read how they track log ins and just proves people will complain about anything.
  1. ishyy's Avatar
    Quote Originally Posted by poachingbear View Post
    This new change is not liked by me at all. What if somebody managed to take my laptop when I wasn't looking? Accounts could be hacked so easily, waste of an authenticator. And to save time when you're dc'd in a raid? It takes two seconds to enter in a SIX digit number...
    That fuck up is completely on you. I think you have bigger issues at hand if someone takes your laptop and you're just worried about the fact they're going to steal shit off your wow. Really? Did you think that statement through?
  1. Mythiasis's Avatar
    This is basically how Rift's coinlock works. So Blizzard is adopting another feature that is first used by someone else and proves successful. Not a bad thing, but it's something they should have figured out first.
  1. andy_mitchelluk's Avatar
    Quote Originally Posted by staal View Post
    The WoW TCP/IP stream is not encrypted, which means you can alter packets etc. with a man-in-the-middle attack. It's a game, but if they have 2-factor authentication they can't be sloppy about it like this, I'd like to see the blueprints of how it's gonna work, but if ppl can scan your keyboard, they can see what packets you send that include a MAC address in the upper layers of the IP stack, making them able to fake the transmission.
    A trojan could also easily get access to a MAC or IP as well. There will probably be a unique verification that ties it to your specific PC as well as your IP, MAC & Location. They should be able to detect a proxy attempt so if your MAC/IP were spoofed in another country (like China), they should in theory know and then it will request an authenticator code.

    I don't think we'll ever know exactly how it works as giving away the exact details may prove a big security risk, but who knows, they might tell us how they do it.
  1. darkblood14's Avatar
    Quote Originally Posted by Tvrepairman View Post
    Yes, because there's absolutely NOTHING called an "I.P. proxy"...no siree bob this looks TOTALLY safe.
    I was about to explain how wrong you are... then I went meh mode (tip: easy to counter from server side).

    The WoW TCP/IP stream is not encrypted, which means you can alter packets etc. with a man-in-the-middle attack. It's a game, but if they have 2-factor authentication they can't be sloppy about it like this, I'd like to see the blueprints of how it's gonna work, but if ppl can scan your keyboard, they can see what packets you send that include a MAC address in the upper layers of the IP stack, making them able to fake the transmission.
    This can overthrow even the authenticator with ease, even better they don't even need to fake the IP address. Most of you are talking about paranoid cases. Showing how they track your PC (there are countless things that can be checked... without even sending packets back to blizz) would be nice, existing methods doesn't mean they use them... on the other side it might point things to unwanted ppl.

    Also bnet 2.0 is doing fine packet decryption wise, also warden signals are out of bounds as well (that is why a clientless bot will not work for this game).
  1. Makronette's Avatar
    Quote Originally Posted by Michalev View Post
    I think it is funny that a few people have already complained about a SIX digit number, apparently they have never used an authenticator, because, in fact, it is an EIGHT digit number
    It's a 6 digit number if you are not using a mobile app for the authenticator.
  1. Zeddicious's Avatar
    Quote Originally Posted by andy_mitchelluk View Post
    No because if someone from a different PC tried logging in, he/she would get the authenticator request. It's only the PC that your account is frequently used on that WON'T be repeatedly asked for the authenticator. Different PC = authenticator request.
    If you don't think there is a way to mask your IP.. you have been sadly misled sir.
  1. Kaptiva's Avatar
    It does sound risky, but I really don't think it is to be honest. There shouldn't be a change to your account security from this option. Though I'd say making it an option for the people who are just wanting to be cautious is probably a good idea (we all like peace of mind). I doubt they would create more work for themselves by making it easier to hack accounts with authenticators attached to them, that would mean they would have to spend more time recovering stolen accounts. Pretty sure they took that into consideration as well when making this system :P
  1. Magemasher77's Avatar
    A good change that doesn't affect people in a negative way and people still complain. Stay gold, WoW community.
  1. andy_mitchelluk's Avatar
    Quote Originally Posted by Zeddicious View Post
    If you don't think there is a way to mask your IP.. you have been sadly misled sir.
    Yes I'm aware you can mask an IP, but they're not using just an IP address to verify. Also, if they use MAC and IP verification and a login attempt comes from China through a UK proxy, they WILL know about it and then the other person will see a nice little authenticator prompt.

    Do people really think that they're going to use just an IP address for confirmation? I think not.
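
The thread keeps returning to which signals a server can rely on when deciding whether to skip the authenticator prompt. The sketch below is an added example, not part of any post and not a description of Blizzard's actual system: it assumes a hypothetical policy in which the prompt is skipped only when a server-issued, HMAC-signed device token verifies and the server-observed source network has been seen often enough. The key, threshold, account names and login history are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service keeps this server-side only
MIN_SEEN = 3                          # hypothetical: prior logins before a network counts as consistent

# Constructed history: account -> {source network: number of past authenticated logins}
HISTORY = {"alice": {"203.0.113.0/24": 12}}


def issue_device_token(account: str, device_id: str) -> str:
    """Token the server hands to a device after a login that passed the authenticator."""
    tag = hmac.new(SERVER_KEY, f"{account}|{device_id}".encode(), hashlib.sha256)
    return f"{device_id}.{tag.hexdigest()}"


def token_valid(account: str, token: str) -> bool:
    """Recompute the tag server-side; a client-chosen value (e.g. a MAC address) cannot pass."""
    device_id = token.partition(".")[0]
    expected = issue_device_token(account, device_id)
    return hmac.compare_digest(token.encode(), expected.encode())


def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP renewal is not treated as a new place."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def needs_authenticator(account, source_ip, token, history=HISTORY) -> bool:
    """source_ip is what the server sees on the connection (the NAT/router address)."""
    if not token or not token_valid(account, token):
        return True  # unknown, forged or borrowed device token: always prompt
    seen = history.get(account, {}).get(network_of(source_ip), 0)
    return seen < MIN_SEEN  # known device, but this network is not yet consistent
```

Requiring both signals means a login from a shared NAT address without the device token, or a copied token presented from an unfamiliar network, still gets the authenticator prompt.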
