
View Full Version : Authenticator change?



Nitro
06-16-2011, 06:53 PM
Went to log into my 5 toons and only the first required an authenticator code, the others logged right in without one. I repro this at will. Was there a change in how the authenticator works?

Vecter
06-16-2011, 07:21 PM
Went to log into my 5 toons and only the first required an authenticator code, the others logged right in without one. I repro this at will. Was there a change in how the authenticator works?

Yup http://us.battle.net/wow/en/forum/topic/2674529777

Nitro
06-16-2011, 07:41 PM
very cool change

MiRai
06-16-2011, 08:49 PM
I’m really hoping we’ll be able to opt out of this “intelligent” system.

daanji
06-16-2011, 10:13 PM
Hmm, I might start using authenticator again.

I got sick of entering five different codes each time I wanted to play...or after a disconnect.

Jafula
06-17-2011, 12:13 AM
Woot! Woot! Woot! Yay! Woohoo! Awesome! Yeh! :-)

Atwaa
06-17-2011, 01:49 AM
Woot! Woot! Woot! Yay! Woohoo! Awesome! Yeh! :-)
what he said

Kekkerer
06-17-2011, 03:01 AM
Woot! Woot! Woot! Yay! Woohoo! Awesome! Yeh! :-)

After this change I've got no reason to shun the authenticator any more.

lofblad
06-17-2011, 03:16 AM
Woot! Woot! Woot! Yay! Woohoo! Awesome! Yeh! :-)

/agree :D

ElectronDF
06-17-2011, 04:26 AM
I’m really hoping we’ll be able to opt out of this “intelligent” system.

What is the problem with it not asking unless you play on different machines?

MiRai
06-17-2011, 04:34 AM
What is the problem with it not asking unless you play on different machines?
I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
on your computer where the key logger you've unknowingly downloaded resides and is gathering your
information.

I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
my authenticators enabled at all times would make me and my virtual goods feel safer.

ElectronDF
06-17-2011, 05:02 AM
I know I don't understand the internet, but if I have IP of 128.64.x.x and they want to steal my IP, so they make their IP of 128.64.x.x. Why would the routers in America (where I am), route to an address in Asia when none of the 128.64 addresses exist?

Also, what about a hash of computer equipment that is sent to Blizzard is stored on your computer?

I don't think I would have ever trusted the phone authenticator. That is more marketing than insurance. Also, as some others have said, we are supposed to be smarter than the rest of the players, mostly cause we have more to lose (5 accounts, not just 1). So I would have used an actual authenticator (iphone, keyfob) instead of a system that is supposed to protect you.

I am not against being able to opt out of it. I just really like not having to type in a code each time I get disconnected.

Daeri
06-17-2011, 05:04 AM
I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
on your computer where the key logger you've unknowingly downloaded resides and is gathering your
information.

I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
my authenticators enabled at all times would make me and my virtual goods feel safer.


I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log-in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this :p

Tonuss
06-17-2011, 08:23 AM
After this change I've got no reason to shun the authenticator any more.
Yeah, this weekend I'm going to switch back to the keyfob authenticator. I like this change.

HomoDoctus
06-17-2011, 11:32 AM
I'm with fenril on this. In trying to make security less intrusive Blizz is actually making the process less secure. I LIKE having to input 3 codes when I log in and would prefer if there were a retinal scan and DNA test as well. The hackers will find a way around this, rest assured.

Now if I can convince my bank to issue authenticators I'd be even happier.

Kang
06-18-2011, 11:55 AM
Lots of posts on the official forums about this. I want an opt out. I know blizz has said they are checking more than just IP but have little confidence this new system is better than the failed dial in system. The whole roll out was half assed. Twitter? Facebook? How about posting a message on the login screen?

Lax
06-18-2011, 01:42 PM
I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log-in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this :p
Guys, let's not kid ourselves. Having authenticator is not 100% protection from being hacked.

If the attacker has something installed on your PC, like a keylogger with a tunnel, the attacker can simply hijack WoW when you try to log in, while locking you out of it, and at that point it's mostly irrelevant whether or not you have an authenticator... You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.

An authenticator is NOT to protect you against a competent attacker who already has access to your compromised PC. You're already fucked if that's the case. Blizzard's software scanning (Scan.dll specifically, which runs some scans when you launch WoW) IS to help protect you against this type of attack, along with other anti-[virus/malware/spyware/etc] solutions.

Your authenticator helps protect your account against brute force and dictionary (and harvesting, etc -- say if someone with a wow-related site expects you to use the same password on your wow account that you used on their site) types of attacks, not the man in the middle you are describing.

With that said, brute forcing is unlikely to come from your own PC and I heartily agree with the trade-off made here. You were doing a lot of work when you log in to protect yourself from these specific attacks, when it doesn't solve the man in the middle problem. They have removed the work for YOU, and left it for the attacker it protects against.

But I would also agree that people who want to have to enter it in should be allowed to, I guess

ebony
06-18-2011, 01:50 PM
don't think you can clone computer ID at the same time and like lax says it would have to be done from your PC. This is safer than the Phone one in many ways. If the system don't like then it asks for code :D better than nothing 6 weeks no keyfob not need hacked but i like it there :D hate codes

drarkan
06-18-2011, 05:23 PM
I’m really hoping we’ll be able to opt out of this “intelligent” system.

Why opt out? It marks your computer as being safe. If a hacker uses even IP masking its still missing your computer ID to make it safe. I know this cause my laptop is on the same IP as my desktop when I'm at home and I still needed to enter the authenticator the first time on it after I cleared it on my desktop. Now hackers can't use keyloggers to use your authenticator.

MiRai
06-18-2011, 06:31 PM
Why opt out? It marks your computer as being safe. If a hacker uses even IP masking its still missing your computer ID to make it safe. I know this cause my laptop is on the same IP as my desktop when I'm at home and I still needed to enter the authenticator the first time on it after I cleared it on my desktop. Now hackers can't use keyloggers to use your authenticator.
I already replied why at the top of this page. It doesn't matter how safe others feel or think this is, why can't
Blizzard respect my decision to not want to automatically opt into something they believe is the best thing
security-wise? People who don't want to use Real ID get to opt out, why can't I get a simple check box under
my account settings to "always require authenticator code"?

You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.
10 - 11 minutes was from my initial testing of how long auth codes lasted. Now, an auth code is valid for
approximately 2 minutes to use on the website and approximately 30 seconds to use to log into the game.

EaTCarbS
06-18-2011, 06:32 PM
The only thing I see changing is the amount of time we have to spend putting in authenticator codes. If you observe the history of wow account hackers, you will see that they always find a way around the security measures that blizzard puts in place.

Machoclown
06-19-2011, 02:22 AM
For me this is a good thing. Because of this I'm gonna protect my other Battle.net too with an authenticator. (Yes I am a lazy person and hate to type the security code over and over again)

moog
06-19-2011, 10:06 AM
I stopped using the authenticator when they made the codes single use - I'm not going to spend 2.5m every time I want to log in.

This change is great for us multiboxers and I've slapped the hardware authenticator back onto my battle.net account.

I was asked for my code on the first login, Friday morning, then not again all day Friday and Saturday.
I played this morning and then happened to update my ATI graphics drivers (11.6 gives a definite FPS boost for me!) and my next login requested the code, so it's obviously doing some sort of hardware/software configuration check, which is nice.

Hyper
06-19-2011, 11:13 PM
it's obviously doing some sort of hardware/software configuration check, which is nice.


Actually, no it isn't. I have logged into my accounts from 4 completely different machines in my household and the last time it asked for a code was on Friday. The only thing in common is the router and cable modem. I imagine the next time I am asked for a code will be when my dynamic IP is refreshed with the service provider, but that is only a guess.
I kind of like not having to put in my code for every single little disconnect that I have, but it doesn't make me feel as safe as putting in a code every single time.

Daeri
06-20-2011, 02:46 AM
Better avoid playing from a cyber café then (I know this is not something really recommended but many people do this thinking their authenticator adds an additional security layer, I hope Blizzard communicates clearly about this situation).

I haven't been asked to enter any authenticator code since last Friday even when I logged to the battle.net website. As my IP address is supposed to be fixed, I'm curious to know how long I'll be exempted from having to use my authenticator ...

Lax, you're right my argument about the man-in-the-middle attack using a tunnel isn't really valid.

Ñightsham
06-20-2011, 08:51 AM
I travel a lot and thus play from different locations, sometimes as many as 12 in a month. There are times when I get the "Your account has been locked due to suspicious activity" and I have to go through the process of waiting on the email exchange of verifying my info and changing passwords. This is a pain in the ass when trying to box on the road.
Other times it just asks for my authenticator code and I'm on my way.

My issue here is that I DO use the mobile authenticator, yet even after entering the proper code I still have to do the email thing sometimes.

I think I'll like this new system when playing from my home PC :)

Apps
06-20-2011, 10:05 AM
I posted my comment to blizzard on the thread number 4, page 19 or something like that.

Basically, I sided with another user who stated, albeit the authenticator isn't a 100% guarantee, it is a measurable protection that some of us are used to. Even if it is intelligent now, the lack of doing it, is at a minimum, kicking in placebo. A simple solution would be, as the "connecting" "success" "authentication" splash screens are being flashed, throw up the number being used just under the word "authenticating".

At least then I feel better knowing this security measure is still being used, even if it isn't. (conspiracy?)

Dunno. I'm a creature of habit and rules. This change, is poorly explained IMO, and poorly executed. As a consumer, I need to feel better about this.

Scelesti
06-20-2011, 11:05 AM
They should just make this change optional.

For most people, like me, who don't play at any other location outside of their home where no one else plays WoW, it's awesome. I can login in about a third of the time.

However, I understand, especially in this community how much people travel for work/business, school, etc and how being able to login without the authenticator at those locations would be a scary situation.

Only time will tell. I'm sure if enough people get screwed over by this they will revert it. I do see how it could be an issue, but for my own greediness, I love the change.

Souca
06-20-2011, 03:13 PM
Unless the new method is equal to, or exceeds, the authenticator in security, it should be optional.

I bet if it were optional, half the people that are currently saying they don't like it would eventually try and stick with it. They just don't like being forced.

- Souca -

Toned
06-20-2011, 03:43 PM
When I run my wow traffic through a proxy as expected I get prompted for my authenticator key, but not again until I change proxy servers, or disconnect from the proxy.

Some testing I did:

If I login from my home network first time I get prompted for a key.
Any other logins are straight logins no key required.
Switch to a proxy first time I get prompted for a key.
Any other logins are straight logins no key required.
Disconnect the proxy.
Sign in from home network... I get prompted for a key.

I think blizzard is caching last authenticated IP. Similar to the dialup authenticator. I could be way off, but above is what I did to make me conclude this.
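
The login sequence in the post above, and the same-IP, different-machine observations made elsewhere in this thread, can be compared against a small model of a "trusted context" cache. This is an added example, not part of the thread and not Blizzard's implementation; the class, its fields, the addresses and the device labels are all hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class StepUpPolicy:
    bind_device: bool            # True: trust (ip, device_id); False: trust the IP alone
    remember_all: bool = False   # False: keep only the last verified context
    _trusted: dict = field(default_factory=dict)  # account -> set of verified contexts

    def _ctx(self, ip, device_id):
        return (ip, device_id) if self.bind_device else (ip,)

    def needs_code(self, account, ip, device_id):
        """True when this login context has not been verified with a code."""
        return self._ctx(ip, device_id) not in self._trusted.get(account, set())

    def record_verified(self, account, ip, device_id):
        """Call only after a valid authenticator code was accepted."""
        ctx = self._ctx(ip, device_id)
        if self.remember_all:
            self._trusted.setdefault(account, set()).add(ctx)
        else:
            self._trusted[account] = {ctx}

def replay(policy, logins, account="acct-1"):
    """Return one bool per login: was a code requested?
    Assumes the user enters a valid code whenever asked."""
    prompts = []
    for ip, device_id in logins:
        asked = policy.needs_code(account, ip, device_id)
        if asked:
            policy.record_verified(account, ip, device_id)
        prompts.append(asked)
    return prompts

# Constructed sample data: documentation-range IPs and made-up device labels.
HOME, PROXY = "203.0.113.10", "198.51.100.7"
PROXY_TEST = [(HOME, "desktop"), (HOME, "desktop"), (PROXY, "desktop"),
              (PROXY, "desktop"), (HOME, "desktop")]
TWO_MACHINES = [(HOME, "desktop"), (HOME, "laptop"), (HOME, "desktop")]

if __name__ == "__main__":
    for bind in (False, True):
        for keep in (False, True):
            for name, seq in (("proxy test", PROXY_TEST), ("two machines", TWO_MACHINES)):
                result = replay(StepUpPolicy(bind, keep), seq)
                print(f"bind_device={bind} remember_all={keep} {name}: {result}")
```

In this model the proxy test gives the same prompt pattern whether or not a device identifier is part of the context; only the two-machine sequence on one IP separates the IP-only cache from the device-bound one.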

MiRai
06-20-2011, 03:51 PM
When I run my wow traffic through a proxy as expected I get prompted for my authenticator key, but not again until I change proxy servers, or disconnect from the proxy.

Some testing I did:

If I login from my home network first time I get prompted for a key.
Any other logins are straight logins no key required.
Switch to a proxy first time I get prompted for a key.
Any other logins are straight logins no key required.
Disconnect the proxy.
Sign in from home network... I get prompted for a key.

I think blizzard is caching last authenticated IP. Similar to the dialup authenticator. I could be way off, but above is what I did to make me conclude this.
This is exactly what Blizzard said 3 days ago (http://us.battle.net/wow/en/forum/topic/2674529777). However, there is apparently more than just an IP address
otherwise this would be absolutely no different than the dial-in authenticator.

Blizzard tweeted this (http://twitter.com/#%21/BlizzardCS/statuses/81493177147727872), this (http://twitter.com/#%21/BlizzardCS/status/82171303926308864), and this (http://twitter.com/#%21/BlizzardCS/status/82207039362834432), they're obviously not going to give away all the tricks on what they're
doing on their end.

Apps
06-20-2011, 04:31 PM
I think they are looking at me through my web camera, and verifying my identity via retinal scan.

http://www.pcworld.com/article/227031/renttoown_pcs_watch_their_users_via_webcam.html

... and I refuse to talk about it more, until shit changes around here.

Silence
06-21-2011, 09:53 AM
If they could somehow identify my wow installation then I wouldn't be as worried...

A transparent proxy should be able to circumvent this security measure. Then again, when someone has that kind of control over your PC that they can install proxy/VPN software, they might be able to start wow on it as well anyway...

Umbaalo
06-22-2011, 01:38 AM
I talked to my GM friend about the recent changes, and we both agree that we aren't going to buy an authenticator until shit changes around here. At which point in time I'll make a guide for how to effectively use the various authenticators and other security stuffs.

ebony
06-23-2011, 12:02 AM
even on the same network if i change pc run from VMware same ip then I'll get asked for key. if not i do not get asked that's great my ip does not change much.

Multibocks
06-24-2011, 07:01 PM
I talked to my GM friend about the recent changes, and we both agree that we aren't going to buy an authenticator until shit changes around here. At which point in time I'll make a guide for how to effectively use the various authenticators and other security stuffs.


*double wink*

Why would you wink after saying that?! You need to share this information and the GM friend. I demand it.

Apps
06-27-2011, 10:02 AM
I talked to my GM friend about the recent changes, and we both agree that we aren't going to buy an authenticator until shit changes around here. At which point in time I'll make a guide for how to effectively use the various authenticators and other security stuffs.

Why would you wink after saying that?! You need to share this information and the GM friend. I demand it.

ROFL!!! ^^

I shared this with my GM friend. I can't talk about it.

daanji
06-27-2011, 02:01 PM
ROFL!!! ^^

I shared this with my GM friend. I can't talk about it.

Apps, I must tell you that I enjoy your Avatar much more than the previous one.

Did your GM friend recommend it? He must be a gentleman and a scholar.

Umbaalo
06-28-2011, 01:05 AM
^^ this

Apps
06-28-2011, 08:16 AM
LOL thanks.

Question: What did you see first?

Souca
06-28-2011, 10:21 AM
LOL thanks.

Question: What did you see first?

The wood paneling. It's horrid.

- Souca -