Source: http://www.wow.com/2010/01/08/blizzard-giving-serious-consideration-to-mandatory-authenticator/

Cross Posting from the other boxing site.
Original post by Polyzon.

Blizzard giving serious consideration to mandatory authenticators

WoW.com has learned through trusted sources close to the situation that Blizzard is giving serious consideration to making authenticators mandatory on all accounts. According to our sources, while this policy has not been implemented yet and the details are not finalized, it is a virtually forgone conclusion that it will happen.

This response is a direct effort to stop the massive number of compromised accounts by gold sellers and keyloggers. The seriousness of the situation with compromised accounts has reached such a level that wait times for item and character restoration are entirely unacceptable, even to Blizzard executives. Blizzard has taken other internal measures to deal with long wait times of people in account restoration queues, and we'll be covering those measures tomorrow.

However, with the inclusion of mandatory authenticators, this should solve a major problem for Blizzard's support and account administration teams.

The number of compromised accounts under the mandatory authenticator plan should plummet, if not be virtually eliminated, and players should be able to enjoy a much more secure gaming experience. While some might have a hard time with the transition, Blizzard can provide excellent support in getting all of their 11.5 million players up to speed. Indeed, we have already seen some incentive programs appear; the price of authenticators has dropped recently thanks to free shipping (http://www.wow.com/2009/12/16/shipping-costs-removed-from-authenticators/), and we are now rewarded with an in-game pet for having an authenticator attached to our accounts (http://www.wow.com/2009/12/08/corehound-pups-in-the-mail-with-patch-3-3/).

A few months ago we postulated such an idea as one of our Breakfast Topics. In Why Blizzard should make authenticators mandatory (http://www.wow.com/2009/09/12/breakfast-topic-why-blizzard-should-make-authenticators-mandato/), player reaction was mixed. Some saw it as a great opportunity to eliminate compromised accounts, others thought it would be an unnecessary money grabbing scheme by Blizzard.

Perhaps the best option put forth by commenters on WoW.com was to make the authenticators mandatory with Cataclysm. Many people agreed with this, and it will be interesting to see how Blizzard rolls out their mandatory authenticator system.

On the down side to this plan is a serious logistics problem, in that Blizzard can barely keep authenticators in stock now. They have yet to prove that they have the capacity to distribute them to millions of additional players. We are currently investigating this issue and will report back once we have more information to share.

We do not know if authenticators will be mandatory on just WoW accounts or on any Battle.net account.




And a Follow Up Post:

Account Administration told not to restore hacked characters

In a stunning revelation from a veteran account administrator at Blizzard, WoW.com has learned that account administrators are being told by Blizzard managers not to restore people's characters and items after their account has been ransacked by gold sellers and keyloggers (http://www.wow.com/2009/06/06/an-interview-with-a-scammer/). Instead, account administrators are being told to give people a "care package" and get them to accept the package in lieu of total account restoration.

If the player does not accept this care package, they are then forced to go into a character restoration queue that is consistently several days to weeks long. According to sources familiar with the situation, this "care package policy" has been implemented in order to lighten the work load of those Blizzard employees who perform account restorations. Similar policies have existed at other times account compromises have been high, such as during the transition from Vanilla WoW to The Burning Crusade.

This care package being offered consists of the following:

2,500 gold
2 Emblem of Frost
10 Emblem of Triumph for every day the players has had to wait to receive the care package

If the player accepts the care package, their restoration case is considered closed and no additional items or gold will be restored on the account that were lost because of the security compromise.

WoW.com believes that this practice, while potentially making some sense logistically, stands firmly against the best interest of the players. Sources that we have spoken with tell us most account administrators do not agree with this policy, however their hands are tied due to Blizzard management (it is their job, after all, and they have to do as they're told).

WoW.com believes Blizzard can do a better job at solving long restoration queue times without placing player's hard work as a secondary concern. Instead of offering players a care package, Blizzard can employ more staff, and as we will discuss in a later post, train those staff in better ways to prevent account compromises and exploitation. The serious consideration given to mandatory authenticators (http://www.wow.com/2010/01/08/blizzard-giving-serious-consideration-to-mandatory-authenticator/) is also part of this solution.

I went ahead and downloaded the authenticator for my Itouch. Better safe than sorry I suppose.

Is a separate authenticator needed for each account?

I disabled it again. It sucks big time. Take 5minutes to login with 5 accounts because it constantly says the info entered is not correct on 2-3-4 of the accounts while I login at the same time.

I disabled it again. It sucks big time. Take 5minutes to login with 5 accounts because it constantly says the info entered is not correct on 2-3-4 of the accounts while I login at the same time.
If all your accounts are under 1 b.net account then you need to enter 1 code PER login, it no longer works for all 5. You can do what Fenril did and create 5 different b.net accounts and have 1 toon per, at this point the 1 auth code works for all 5.

Is a separate authenticator needed for each account?
No the same authenticator can be used on multiple accounts.

Keep in mind though you can only use one authenticator code per battle.net account at a time. You must wait for the authenticator to produce another code [like 30 seconds?] before you can login the next account on that BNet account. I called Blizzard 2 days ago to have them separate my BNet account so I can once again use 1 code to login 5 accounts. The process was very painless [minus the hour that I was on hold] and the guy I was talking to didn't even know that they had changed it to 1 code per account [it used to not be like this]. You can only separate your BNet account by calling phone support. It's always been like this and I asked the representative to confirm when I called and he said that calling is still the only way to separate them.

If you have each account on its own B.Net, then one code will get them all in at once.

If you have several accounts on the same B.Net, then you will need a code per log in, with a 30 second window between each code. As in, 30 seconds per account.

Authenticator sucks big time, it protects your account 100% but man when you have 5 different bnet accounts. You need to do a new code for each one.

Just like the above poster said its like 5-8 minutes to just log in

I am using an authenticator, even if it takes longer to login. I believe more security is better and it does not really matter if it takes longer for me to login.

Still i would love an option in the battle.bet-Account to allow a timeout on the auth token instead of a single-per-account-usage-policy.

Who knows, possibly blizzard is going to allow that in the near future.

The code refreshes every 30 seconds, so it takes between 2m and 2:30s to log in, not 5-8 minutes. That's ONLY if you tied ALL your accounts to the SAME battle.net account.

As others have said many times in many threads; if you have 5 battle.net accounts with 1 wow account each, you can use the same code to log in to all 5 at once.

Even though I've never been hacked and do all my web-surfing on my laptop instead of my gaming machine... the peace of mind is well worth it.

Also, if they DO make it mandatory, they'd most likely include them for free in retail boxes. Otherwise new players wouldn't be able to play after buying the game until after they order and receive their authenticator.

I have five B.Net accounts, one wow per B.Net account.
A single code, from one authenticator gets me into the game.

I would tend to think, they'll include an authenticator in the Cataclysm Expansion box.
But that's purely a guess.

Authenticator sucks big time, it protects your account 100% but man when you have 5 different bnet accounts. You need to do a new code for each one.

Just like the above poster said its like 5-8 minutes to just log in
Wait, so you're saying that the authenticator sucks because you can't be bothered to enter a different bit of text once when registering the accounts? Sounds like the problem is with people being lazy rather than any physical problem with the devices. Yeah, yeah, caveat that this wasn't well known when it started but I mean damn. It's not like this info is new, or exceptionally difficult to get reconfigured. ;)

After using the authenticator a few times today it is a very small annoyance. 3 minutes tops to log in no biggie I could see where it would be more of an annoyance if you have a few disco's a night. All in all I would rather have 1 BNET account to manage 5 accounts than to 5 BNET accounts I should have gotten the authenticator a long time ago.

I disabled it again. It sucks big time. Take 5minutes to login with 5 accounts because it constantly says the info entered is not correct on 2-3-4 of the accounts while I login at the same time.

It's really not that horrible. I log in one, by the time I'm loaded in, the code is ready for the next toon. I log in my alchemists first and by the time my gem transmutes are done, all my toons are in.

I have pen and paper ready for when I go to log in. I'll start inner space write down a code. Start the wow's loading grab another code. Wow's all loaded grab another code.
So in the same about of time I would be waiting for wow to load I have 3 codes written down and by the time I get to loading the third wow codes reset and I'm good for the 4th and final code needed.

I have tried writting down several codes ( inorder or it doesn't work) but it seems they are only good for a certain amount of time. If that time passes you can't use them.
But as a just incase. While playing I'll write down codes for emergancy dc's. Usually about every hour or so.

I have come to live with the authenticator as my accounts is all ties to the same bnet account.

I prefer the longer logintime compared to having all my stuff destroyed and having to wait for Blizzard to restore it all. It's also my 5 cent in preventing the gold sellers getting hold of my gold.

I think blizzard should put an authenticator in the next expansion pack and live with the initial cost. In the long run they will save the cost in reduced support hours(i'm speculating a bit here).

I think it would be unfair to demand an authenticator if they don't give it for free or as a part of the next expansion.

I for one thought they would do this with WotLK... I was stunned that they didn't.

The carepackage thing is jank. If I lost my account right now I'd lose over 50K gold, materials, months of gearing up including a legendary and full ToC gear... I would be livid if blizzard suggested I take a few days of badges and a pittance of cash to compensate.

I just recently started using mine, and I mean really, you guys spent $200 to set these accounts up, why not take 3 minutes to ensure security? You get into a rhythm of typing them in

My concern is two fold:

1. Are they going to have enough authenticators to go around?

2. Are authenticators going to be sold in retail stores, so people don't have to order them over the internet?

I can understand the decision to make them mandatory. I mean, they're paying how many people to restore accounts? That is a cost that could easily be eliminated if people took better security measures on their own.

Now, what really interests me is whether they are going to lower the price of the authenticator to at-cost, since this is really a statement that the authenticator benefits Blizzard more than the player base, and whether newly minted copies of WoW are going to come with one as standard.

Edit: Oh yes, and I'm curious how subscription numbers are going to look when this gets implemented. That's a potentially large amount of rigamarol to keep playing a game. For the average player anyway. Multiboxers should be used to this sort of thing by now.

I have have two authenticators. I stagger them so I go back and forth when I log in. I don't have to wait the unbearable 30 seconds for the CD that way :/ I want one for my Blackberry :/

I think a simpler solution would be to make logging in more secure. I have been using online banks and institutions with data much more sensitive than a few pixels of gold for years and have never had a problem.

they could change how they are authenticating. the generator id is associated with the bnet account... but currently, each sub account would need a different generated code upon login. why? they are trying to insure that you are you and that you have the authenticator. well, you could get the same effect if they tracked the ip address with the login request. if the ip address matches the previous bnet sub account, and the auth code matches, then let it through.

if their concern is that a single bnet account could be shared at an internet cafe (or gold farmer dorm), the existing 1 code per 30 seconds solves nothing. they would just hand around the authenticator.

additionally, if they are generally concerned about sharing, if the people are colluding, they could easily share the generated codes over a phone, IM, text, or vent. tracking the ip address with the login would at least reduce the number of people sharing bnet sub accounts.

to me, this just seems like an unreasonable hassle for no benefit.

I have mixed feelings about the issue - I'm 100% for authenticators, to start with, they work.

But, I'm done with WoW.com. There is NO confirmation that what they posted is true, and if it's not, they've stirred up a hornet's nest that did'nt need to be. MMO Champions will post info they get from channels, for patch releases and data mining files, but the Aholes at WoW.com just threw their "source' under the bus, if this is true - and if they figure out who it was, that person is absolutely fired. They are posting about internal Blizzard conversations and policies, and that's just not cool - if they think of themselves as any kind of journalist, they just blackballed themselves from the good graces of Blizzard, and they may have issues moving forward getting support or goodies from Bliz.

There's also a few things that don't add up...the GMs in the Customer Service Forum have been saying that while the time for restorations is backed up, they're claiming there's been no spike in the number of account thefts. So...what's going on? What are they spending all their time on? Why are they offering the Care Package, if there's no spike in thefts, which requires more specialist time...either Blizz is keeping the real damage under wraps to not give any kind of info to the bad guys...or they're lying.

If they ship Cata with an Authenticator, and require it - awesome. The days of account theft (and selling/trading/sharing) are over...so we'll see a new massive wave of bots and exploiters, so the gold farmer's have inventory to sell. Could be good...could be bad.

I like the idea of the authenticators, because it will put a lot of farmers/thieves out of business. I just don't care for WoW.com's blowing the issue up when it's not even been put forward by Blizz. And yes, Blizz could be behind the link, to gauge the response of the playerbase, but Wow.com has been posting a lot of garbage lately, like how they "discovered" (ie. took from another site) that there's an exploit people are doing with billing, and now they've pointed it out to all the kiddies out there who will want to try it now.

Wow.com needs to think a LOT more before they post. They are becoming a liability, and honestly, the talent left the site when Turpster left. The rest are hacks who post nonsense and nothing of value.

Wait until and IF Blizzard talks about this. Until then, it's all hearsay and rumor - and I hope the Blizzard lawyers sue and subpeona WoW.com to get their source.

I think a simpler solution would be to make logging in more secure. I have been using online banks and institutions with data much more sensitive than a few pixels of gold for years and have never had a problem.

WoW is MORE secure than most online banks. The main problem is there's no good way to track/punish people who hack accounts. If someone hacks your bank account and steals your money, there's an easy to follow trail and various laws they can use to penalize them. When someone hacks your account they're MUCH harder to track down, and there isn't much Blizzard can actually do to the perpetrator outside of the game. IRL you get caught once you're busted. In WoW you get caught you just try again on another account.

The majority of gold, and advertisements for gold, come from hacked accounts.
I could care less, if people are selling gold, but don't like that others are being screwed over to supply it.

I read a blue post about a year ago, stating Blizzard has averaged 30,000 accounts banned each year. Which isn't a whole lot, out of 11 million active accounts. However, the sellers and exploiters are banned.

I know two friends out of the fifteen or so who play wow, who regularly buy gold.. Their logic is sound, can work for 2 hours a month and supply themselves with a week worth of farming in gold, and its "entertainment" money. If Blizzard were to ban the buyers, instead of just the sellers (ie go after the "Johns"), I wonder how many would continue to buy gold.

Assuming they move towards an authentication system. Gold won't come from keylogged accounts anymore, which will be a bonus. But as long as there is a market for it, they will find a way to provide it and profit.

There's also a few things that don't add up...the GMs in the Customer Service Forum have been saying that while the time for restorations is backed up, they're claiming there's been no spike in the number of account thefts. So...what's going on? What are they spending all their time on? Why are they offering the Care Package, if there's no spike in thefts, which requires more specialist time...either Blizz is keeping the real damage under wraps to not give any kind of info to the bad guys...or they're lying.Or someone looked at the balance sheets and saw how far into the red the customer service division of the company is and how much it costs to run all those GMs, thus triggering an effort to cut down on service time. This is a very normal process for companies that have been around long enough for their product to mature and the company to grow to the point where finding areas to improve efficiency mean more resources for the things people care about. (Hint: it ain't some schlub's hacked account, that's fo sho.)

Considering how many people would have to be coerced for your "lying" theory to hold water, I just can't see it.

Or someone looked at the balance sheets and saw how far into the red the customer service division of the company is and how much it costs to run all those GMs, thus triggering an effort to cut down on service time. This is a very normal process for companies that have been around long enough for their product to mature and the company to grow to the point where finding areas to improve efficiency mean more resources for the things people care about. (Hint: it ain't some schlub's hacked account, that's fo sho.)

Considering how many people would have to be coerced for your "lying" theory to hold water, I just can't see it.

Not to mention that account thefts could remain the same, but who knows how many people have been scuttled off to the unemployment line. Game companies and their support staff aren't safe from recessions either.

Hack a bank - Fed's get involved, you make money short term go to jail long term.
Hack a bank across country lines - International authorities get involved, you make money short term, go to jail long term.

Hack a wow account... blizzard restores the account. No legal ramifications.
Hack a wow account accross country lines - even less dangerous for the hackers.

The simple fact is that a wow account is likely to net more profit than ANY bank account once you account for risk.

I know two friends out of the fifteen or so who play wow, who regularly buy gold.. Their logic is sound, can work for 2 hours a month and supply themselves with a week worth of farming in gold, and its "entertainment" money. If Blizzard were to ban the buyers, instead of just the sellers (ie go after the "Johns"), I wonder how many would continue to buy gold.


There is an easy solution if Blizzard wants to solve really the problem.

1 ) Mandatory authenticators or whatever that makes account hacking very difficult or practically impossible, but still not annoying to the final user.
2 ) Ban all the gold sellers and bot users.
3 ) Blizzard start selling ingame gold as they sell character name changes and realm migrations.
4 ) Make a strict policy like "yuou buy gold from a gold seller... you get banned too... but buying gold from the Blizzard official store is ok"
5 ) Make some way for players that have much gold to redeem that gold for prizes. Expensive pets, free game time, special mounts, etc...

Lots of other games allow you to buy ingame currency directly from the company that suplies the game. They have practically no gold selling problems nor spam. Some even allow you to "buy" game play time with ingame currency. EVE Online is just one example, but there are many others.

From the perspective of a player that has a job and some real life, a couple of hours working to buy ingame currency (fun) is quire more rewarding than farming that same ingame currency into the game spending lots of more time than 2 hours.

When an account gets hacked and sends 5k gold to another account then it's more than obvious that something fishy has been happening. Also there are lots of ways to detect bots usage. Unfortunately, gold sellers are a neeeded evil. If they stop the ways to get ingame currency and make everyone farm his gold, lots of people will leave the game because they will have no will or time to farm all the gold needed to craft the epic items they want in order to have fun raiding or oneshoting helpless squirrels with their rogue.

For all those that say "Nooo, that's bad. Blizzard should not sell ingame currency for real life money", think about ingame pets they sell for real life money. In my book this is exactly the same. the player that has no real life money to buy a fancy drunken panda pet will be aunable to buy ingame gold too, but he will be able to farm it if he needs it.

In conclusion, I think that the mandatory authenticator is not that bad, but they should also fix some other things too.
Personally, if that authenticator doesn't allow me to log with all my toons at once and requires me 5 minutes to login I will just cancel my wow subscriptions. This is just a personal choice because I am that much lazy to wait for authenticator to generate new tokens.

I hadn't thought about it but it makes you wonder what would happen to gold sellers/powerlevel companies/etc. if authenticators become mandatory.

This will be great. It will greatly reduce, if not kill off account hacking, which will cut off the supply of gold sellers, which will drive the $USD price of gold up, which will cause less people to buy it, which will mean less overall gold in the wow economy, which will deflate prices, making life easier for everyone, reducing the need to buy gold in the first place...

All that will be left for gold sellers is to employ old school gold farmers who do it the old fashioned way, grinding mats for stuff, playing the AH, etc.

I always thought that gold sellers first did it that way, then moved towards botting to reduce expenses for labor, then started hacking, cause it took less time to get more gold.

Blizzard, wake the fuck up.

They created a login system where account names used to be unknown to one where the account name IS likely the player's email address! Once you know a player's login name (email address), either brute force the password or get a password reset through the email address.

I hate the "battle.net" login Blizz went to. So much so that I created a new email account *solely* for the purpose of logging into WoW. I really liked that no one would ever know my account names, and now no one will know my WoW email address. Unfortunately, so many players didn't think of the security issue here, and they used their main email address as their battle.net login. No more hidden account name!

I don't want a mandatory authenticator as I've taken the proper precautions to never need one. Keyloggers used by WoW hackers? Stop downloading shit on your computer that could be affected by WoW-specific keyloggers, or stop responding to emails from "www.blizzard-manage.com" emails asking to check your account standing.. usually emails with horribly-written English grammar. DUH!

I'm all for mandatory authenticators. It won't cure all hacked accounts, but it will destroy the gold-sellers current economy. End-Users might be upset at the beginning, but after a few months most will adjust (with others screaming "I QUIT!" and still come back). Logging into an account from a friends house or other location will throw people for a loop unless they have the authenticator with them.


I'm also for Blizzard banning customers caught purchasing gold with real cash. I understand the fact that some people don't have time to earn in-game gold... but it just seems like cheating the system (and other people feel the same about us multiboxers). If a player doesn't have the time to earn gold/play the game... why should they have a method to obtain large masses of gold imo (just to blow on collectable pets & such).


Either way, the old fashion Chinese gold farmer will crop up in some other way like in-game /whispers & /trade to sell epics in large quantity. What I don't get... all the recent wow account hacks have had authenticators attached to them to lock out the original user. Where are all these authenticators coming from? To attach to an account, you have to enter the serial number on the back or such. If an organized group of hackers buys authenticators in bulk I don't see why Blizzard couldn't start tracking that (and even banning lot-numbers). At least there's tracks to be followed, however difficult it may appear.