Page 2 of 3
  1. #21
    Aside from man-in-the-middle attacks, token systems like the Blizzard Authenticator rely on the algorithm used and the secrecy of the token seed.

    Usually the token information is saved in a different database on a different server than the actual login data (most token systems still require a PIN or password), but if a hacker could obtain both databases the system would be broken.

    But this is from the server view. The actual security of this system is on the client side where, I think in Blizzard's case we can say, 100% of all account hacking happens. Even if a hacker gets the username, the password and the token number, he would not be able to hijack the account. When a number from the token system is successfully used, it gets marked as such and cannot be used again in a certain timespan, and you have to wait for the token to change. So if the hacker had this information, he could not use it to log in, even if he did it in the timespan before the token changes.

    So unless the token algorithm and the seed are weak, rendering the next tokens predictable, the system is very, very safe. No idea how many digits the Blizzard authenticator uses (I assume 5 or 6), but you can estimate the chances of successfully hacking the system, if you know the PIN/password and the username, are 1 in 10^(5|6) in a single attempt, or accumulated over x attempts until Blizzard closes the account because of too many failed tries.

  2. #22
    Quote Originally Posted by Puri
    Aside from man-in-the-middle attacks, token systems like the Blizzard Authenticator rely on the algorithm used and the secrecy of the token seed.

    Usually the token information is saved in a different database on a different server than the actual login data (most token systems still require a PIN or password), but if a hacker could obtain both databases the system would be broken.

    But this is from the server view. The actual security of this system is on the client side where, I think in Blizzard's case we can say, 100% of all account hacking happens. Even if a hacker gets the username, the password and the token number, he would not be able to hijack the account. When a number from the token system is successfully used, it gets marked as such and cannot be used again in a certain timespan, and you have to wait for the token to change. So if the hacker had this information, he could not use it to log in, even if he did it in the timespan before the token changes.

    So unless the token algorithm and the seed are weak, rendering the next tokens predictable, the system is very, very safe. No idea how many digits the Blizzard authenticator uses (I assume 5 or 6), but you can estimate the chances of successfully hacking the system, if you know the PIN/password and the username, are 1 in 10^(5|6) in a single attempt, or accumulated over x attempts until Blizzard closes the account because of too many failed tries.
    TL;DR version. Use an authenticator.


    If you think it's too annoying to type in an extra code when your IP changes or once a month, you're f#@$@ing lazy.

  3. #23
    Quote Originally Posted by Illiterate
    I tried it for a while and found it to be a huge annoyance. If you don't do anything retarded on your PC, you won't have to worry about your account.
    I don't get this. Hitting a few buttons when the log-in server asks you to is a huge annoyance? But once you get in game hitting those same number keys is totally cool? Dismissing safety measures always kind of boggles my mind. It's like saying "Well, I leave my garage door open but I live in a good neighborhood so I have nothing to worry about."

    Currently playing Borderlands 1 remaster. Amped for Borderlands 3.
    Add me on the PSN for jolly-cooperation @ PuppetShoJustice

  4. #24
    Kujako (The Insane), 10+ Year Old Account, joined Oct 2009, location: In the woods, doing what bears do. Posts: 17,987
    Quote Originally Posted by PuppetShowJustice
    I don't get this. Hitting a few buttons when the log-in server asks you to is a huge annoyance? But once you get in game hitting those same number keys is totally cool? Dismissing safety measures always kind of boggles my mind. It's like saying "Well, I leave my garage door open but I live in a good neighborhood so I have nothing to worry about."
    At a guess, he "tried it" before they let you set it to only ask for a new code when your client or IP address changes.
    It is by caffeine alone I set my mind in motion. It is by the beans of Java that thoughts acquire speed, the hands acquire shakes, the shakes become a warning.

    -Kujako-

  5. #25
    Deleted
    Theoretically speaking, it's somewhat more secure than not having one because it adds the hurdle of having to intercept the WoW login request in order to perform a MITM attack, which requires a more advanced piece of malware.

    In practice, it's a lot more secure because on top of the technical hurdle, it requires the would-be thief to be available in real-time and use the intercepted code to log in and clean the characters before getting the account locked. The relative difficulty of doing this combined with the multitudes of accounts that don't use an authenticator means that it's pursued extremely rarely because it's way less profitable for the professional thieves. So the chances of this actually happening to you are as close to nil as they get without being guaranteed.

    At the same time, never make that fact an excuse to not think and act securely on the web.

  6. #26
    It's worked very well for me.
    Regen#1804 need NA overwatch friends.

  7. #27
    Deleted
    It is more secure than not having one.

    Man-in-the-middle attacks can still happen though, where they intercept your code as you type it in and quickly (before the code expires) log in with it.

    They tried to fix this by not asking for your code every time if you logged in from the same machine (we have no idea how "same machine" was defined, but it was not just IP address). There was loads of forum rage, and most people click on "ask every time" for some strange unknown reason.

  8. #28
    Deleted
    A friend of mine once got his account hacked despite using an Authenticator.
    I found out later that somebody fudged his ID card, and contacted Blizzard with the request to remove it, though.

    Seeing that such a scenario is highly unlikely to happen, and is probably the only way (besides man-in-the-middle attacks) one's account can be in danger while using an Auth., it is fairly safe to say that using it is a massive safety plus.

    I've been using one since they first gave them out together with the first Blizzcon Goodie Bag as a physical device.
    Even though I have to re-enter the code at least once a day, because my connection is prone to DCs, I'd still never ever go without one again. The effort is so trivial.

  9. #29
    Slowpoke is a Gamer (The Undying), 10+ Year Old Account, joined Sep 2010, location: World of Wisconsin. Posts: 37,266
    Authenticator alone won't save you, as keyloggers will just log your keys and repeat your codes.

    Authenticator + Regular Virus Scans will keep you almost totally secure.
    FFXIV - Maduin (Dynamis DC)

  10. #30
    Blademaster, 10+ Year Old Account, joined Nov 2010, location: Shoreline, CT. Posts: 43
    I haven't been hacked yet. I have a computer that is for nothing but WoW: no internet surfing at all, nothing on the hard drive but the OS, internet connection and WoW. I also have an authenticator. I have another 2 laptops for surfing the net and getting downloads that are searched and verified clean before they ever are put on the WoW puter.

  11. #31
    Very. I tried to destroy mine with a hammer. It roundhouse-kicked me in the face, took the hammer, strapped it to a frisbee and flung it over a rainbow.
    Then it hit me.

    Seriously. It's safe.

  12. #32
    Quote Originally Posted by azthal
    A man-in-the-middle attack is pretty much the only way to get around a Blizz authenticator. That is generally more work than it's worth, however.

    In theory it would be possible to reverse engineer them and that way make copies of a specific authenticator, but then you would still need to know the internal number of each authenticator, which (provided that Blizz are not idiots) is not the same thing as the number on the back of your authenticator.

    The authenticator is not designed or made by Blizzard, it's a commercial product called Vasco Digipass Go. It is bank-level security and it will never be "hacked" unless your computer is compromised to the point where your game account is the least of your problems. If someone could reverse-engineer or spoof these things they'd be busy making trillions of dollars extorting all the world's governments and building a secret moon base.

  13. #33
    I only use the SMS protection, which is the best protection since you can't change any passwords or details on an account without getting the code from the text message. And seeing as most hackers are from Eastern Europe/Russia/Asia, I don't see how they could get my phone.

    Edit: best protection for WoW account.

  14. #34
    To add to this, here's the FAQ about the free mobile authenticators for anyone who has not already checked them out.

  15. #35
    I've had the exact same username/password for the last 4-5 years... Never been hacked... With an authenticator.

    As others have said, there are ways people can still 'hack' your account... but an authenticator stops 99% of them. Someone has to REALLY want YOUR account... and would have to severely compromise your computer/connection to do so.

  16. #36
    Phishing and man-in-the-middle attacks are both vulnerabilities that using an authenticator cannot avoid.
    But it will nullify a keylogger, someone glancing over your shoulder, or someone discovering/knowing your credentials and attempting to use the same information later, since the code will be different, assuming though that it requests a new code each time.
    That is an option you have to enable on the account; otherwise a "recognised" machine from which you recently logged in will not generate a request until either its IP changes or a certain time period passes.

    Quote Originally Posted by Joán
    The authenticator is not designed or made by Blizzard, it's a commercial product called Vasco Digipass Go. It is bank-level security and it will never be "hacked" unless your computer is compromised to the point where your game account is the least of your problems. If someone could reverse-engineer or spoof these things they'd be busy making trillions of dollars extorting all the world's governments and building a secret moon base.
    The pattern or sequence has been known for some time, so you can use a software emulator to generate the same sequence of codes.
    Though that does require knowing the serial or whatever the number is of the device which "seeds" the number generator in the first place.
    That is something that as far as I can tell is not accessible even by the user of the account without reading it off the back of the device.

    Quote Originally Posted by dokhidamo
    Authenticator alone won't save you, as keyloggers will just log your keys and repeat your codes.

    Authenticator + Regular Virus Scans will keep you almost totally secure.
    If you log in successfully, then the code a keylogger observes will be utterly useless without the ability to log in from the same machine.
    It is the interception, and use of the code by another client, that is the problem, but that is a considerably more difficult task than a traditional keylogger.
    A keylogger simply observes and passes that information to a 3rd party to be used later, at which point the code required would be different since it is from another location.
    Last edited by ComputerNerd; 2013-05-21 at 09:33 PM.
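    A server-side model of the mechanism post #21 describes and post #36 restates (a successfully used code is marked as consumed and rejected on replay, codes are only valid for a short window, and repeated failures lock the account), written here as an added Python example that is not from this thread, from Blizzard or from Vasco. It assumes an RFC 4226 style HMAC-SHA1 truncation over a time counter as a stand-in for the Digipass algorithm; the seed, 30-second step, 6 digits and lockout threshold are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real token's seed is known only to the device and server.
SEED = b"constructed-demo-seed-0123456789"
STEP = 30          # seconds a code stays valid (the window mentioned in the thread)
DIGITS = 6         # post #21 guesses 5 or 6 digits; 6 is assumed here
MAX_FAILURES = 5   # failed attempts before the account is locked (assumed)


def code_for(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style dynamic truncation of HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def guess_probability(attempts: int, digits: int = DIGITS) -> float:
    """Chance of guessing a valid code in `attempts` tries before lockout."""
    p = 10 ** -digits
    return 1 - (1 - p) ** attempts


class TokenVerifier:
    """Server side: checks a code, marks its time step as used, locks on repeated failure."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.used = set()      # time-step counters whose code has already been accepted
        self.failures = 0
        self.locked = False

    def verify(self, code: str, now: float) -> str:
        if self.locked:
            return "locked"
        counter = int(now // STEP)
        # Accept the current step and the previous one to tolerate small clock drift.
        for c in (counter, counter - 1):
            if hmac.compare_digest(code_for(self.seed, c), code):
                if c in self.used:
                    return "replay"   # same code presented again: rejected
                self.used.add(c)
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True    # too many failed tries, as post #21 describes
        return "bad"
```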

  17. #37
    Deleted
    It looks like my assumption stated in the first post was correct. Also, I don't see any reason why I shouldn't be using it in the future.

  18. #38
    Quote Originally Posted by dokhidamo
    Authenticator alone won't save you, as keyloggers will just log your keys and repeat your codes.

    Authenticator + Regular Virus Scans will keep you almost totally secure.
    IF the keylogging software can immediately interrupt your connection after you've half-logged in... and sent your code to the hacker from the 2nd set of the authentication procedure... while severing your connection to the server...
    And then the hacker used the information, spoofed your machine perfectly -- probably needing to VPN tunnel through your machine -- within ~45 seconds, and immediately started to clean out your account...

    So... someone really needs to want YOUR account to pull that off...

  19. #39
    Quote Originally Posted by Joán
    The authenticator is not designed or made by Blizzard, it's a commercial product called Vasco Digipass Go. It is bank-level security.
    Yup.

    Quote Originally Posted by Joán
    and it will never be "hacked" unless your computer is compromised
    Nope

    Quote Originally Posted by Joán
    If someone could reverse-engineer or spoof these things they'd be busy making trillions of dollars extorting all the world's governments and building a secret moon base.
    Nope.


    They are incredibly secure. There are many attack vectors that still exist but they're not anywhere near worthwhile. Spoofing them wouldn't get you anywhere (and has already been done).

  20. #40
    Tharkkun (Immortal), 15+ Year Old Account, joined Oct 2008, location: Minnesnowta. Posts: 7,058
    Quote Originally Posted by Septemberr
    MarkeeDragon did a video on Auths about how it got cracked. That was in 2010 though, so it's probably better now.

    YouTube "WoW Authenticators Cracked!" since I can't post links ;_;
    No, it's never been cracked, broken, defeated, etc. There were some documented cases in Taiwan where a machine so infested with spyware was compromised by a man-in-the-middle attack.

    Even then the hacker has to be monitoring your machine at the exact moment you login, record your keystrokes and login from their end in a 30 second window. This logs you off so if you were to login again it would bump them as well. In that same window of time they would need to do a password recovery, retrieve it from your email account, and reset it on the website or they will need to wait until you login again.

    If someone has the ability to do this you no longer own the contents of your machine and it should be immediately formatted.

    ---------- Post added 2013-05-21 at 05:20 PM ----------

    Quote Originally Posted by Illiterate
    I tried it for a while and found it to be a huge annoyance. If you don't do anything retarded on your PC, you won't have to worry about your account.
    Here's the problem. Do you trust your email provider to never be compromised? Do you ever use the same password on any other websites? Are you 100% sure they won't be compromised? You are at the mercy of 3rd party services so it's better to be safe than sorry. If you don't mind losing your account for a few days or possibly weeks then it's not a big deal.

    I'm sure Blizzard would appreciate not having to track, ban, clean, restore and reactivate your account when it does get hacked.
