  1. #1
    Multiboxologist MiRai (Join Date: Apr 2009; Location: Winter Is Coming; Posts: 6815)

    Quote Originally Posted by ElectronDF View Post
    What is the problem with it not asking unless you play on different machines?

    I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
    physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
    something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
    on your computer where the key logger you've unknowingly downloaded resides and is gathering your
    information.

    I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
    my authenticators enabled at all times would make me and my virtual goods feel safer.

  2. #2

    Quote Originally Posted by Fenril View Post
    I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
    physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
    something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
    on your computer where the key logger you've unknowingly downloaded resides and is gathering your
    information.

    I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
    my authenticators enabled at all times would make me and my virtual goods feel safer.

    I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this.
    Dualboxing on a computer running Linux & MoW.
    EU-Uldaman

  3. #3

    Quote Originally Posted by Daeri View Post
    I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log-in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this

    Guys, let's not kid ourselves. Having an authenticator is not 100% protection from being hacked.

    If the attacker has something installed on your PC, like a keylogger with a tunnel, the attacker can simply hijack WoW when you try to log in, while locking you out of it, and at that point it's mostly irrelevant whether or not you have an authenticator... You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.

    An authenticator is NOT to protect you against a competent attacker who already has access to your compromised PC. You're already fucked if that's the case. Blizzard's software scanning (Scan.dll specifically, which runs some scans when you launch WoW) IS to help protect you against this type of attack, along with other anti-[virus/malware/spyware/etc] solutions.

    Your authenticator helps protect your account against brute force and dictionary (and harvesting, etc -- say if someone with a wow-related site expects you to use the same password on your wow account that you used on their site) types of attacks, not the man in the middle you are describing.

    With that said, brute forcing is unlikely to come from your own PC and I heartily agree with the trade-off made here. You were doing a lot of work when you log in to protect yourself from these specific attacks, when it doesn't solve the man in the middle problem. They have removed the work for YOU, and left it for the attacker it protects against.

    But I would also agree that people who want to have to enter it in should be allowed to, I guess.
    Last edited by Lax : 06-18-2011 at 01:54 PM
    Lax
    Author of ISBoxer
    Video: ISBoxer Quick Start

  4. #4
    Multiboxologist MiRai

    Quote Originally Posted by drarkan View Post
    Why opt out? It marks your computer as being safe. If a hacker uses even IP masking it's still missing your computer ID to make it safe. I know this 'cause my laptop is on the same IP as my desktop when I'm at home and I still needed to enter the authenticator the first time on it after I cleared it on my desktop. Now hackers can't use keyloggers to use your authenticator.

    I already replied why at the top of this page. It doesn't matter how safe others feel or think this is, why can't
    Blizzard respect my decision to not want to automatically opt into something they believe is the best thing
    security-wise? People who don't want to use Real ID get to opt out, why can't I get a simple check box under
    my account settings to "always require authenticator code"?

    Quote Originally Posted by Lax View Post
    You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.

    10 - 11 minutes was from my initial testing of how long auth codes lasted. Now, an auth code is valid for
    approximately 2 minutes to use on the website and approximately 30 seconds to use to log into the game.
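
Added example, not part of any post in this thread and not Blizzard's code: a sketch of how a server could enforce the two validity windows mentioned in the last post (about 2 minutes on the website, about 30 seconds in game) and reject a code that has already been used. It assumes an RFC 6238-style time-based code with a 30-second step, which the thread does not state; the `Verifier` class, the secret and the timestamp are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; RFC 6238 default, assumed (not stated in the thread)
# Acceptance windows from the post above: ~2 minutes on the website, ~30 s in game.
MAX_AGE = {"web": 120, "game": 30}


def totp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: per-channel window plus single use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used = -1  # highest time step already accepted

    def verify(self, code: str, channel: str, now: float) -> bool:
        current = int(now) // STEP
        # Accept only codes whose time step began less than MAX_AGE seconds ago.
        back = MAX_AGE[channel] // STEP - 1
        for counter in range(current - back, current + 1):
            if counter <= self.last_used:
                continue  # this step (or a later one) was already consumed
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_used = counter
                return True
        return False


if __name__ == "__main__":
    v = Verifier(b"constructed-demo-secret")  # constructed sample secret
    now = 1_000_000                           # constructed timestamp
    old = totp(v.secret, now // STEP - 3)     # code shown about 100 s ago
    print("game:", v.verify(old, "game", now))
    print("web:", v.verify(old, "web", now))
    print("web replay:", v.verify(old, "web", now))
```

A short window and single-use enforcement only limit reuse of a code after the fact. They do not change the compromised-PC case described in post #3, where the code is taken before the legitimate login consumes it.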
