  1. #1

    http://forums.worldofwarcraft.com/th...317391&sid=1#8
    http://forums.worldofwarcraft.com/th...sid=1&pageNo=1



    just did a quick search on forums found these 2 posts also

    in that second link this was posted (not by a blue) ...might be the reason it was changed:

    I'm an IT professional and the VASCO system used by Blizzard is slightly more vulnerable than the RSA SecurID system used by most corporations and financial entities... or the problem lies in how they have it configured.

    When using my authenticator I can login twice using the same OTP (one time passcode) from the token. This is bad because in that 60 second window that token is valid for someone could login to your account IF and only IF they intercept the token code AND use it within the 60 second time frame it's valid for.

    Most businesses have this feature disabled to prevent the security breach- IE as soon as the OTP is used you can't login again until it changes to the next code in however many seconds you have remaining.

    It'd be really great if someone from Blizz could comment on if this was intended with your deployment.
    Last edited by Dor : 10-15-2009 at 09:47 AM

  2. #2

    "I'm an IT professional and the VASCO system used by Blizzard is slightly more vulnerable than the RSA SecurID system used by most corporations and financial entities... or the problem lies in how they have it configured."
    This attitude drives me crazy. I understand that Blizzard's login security isn't as good as that of my bank, or my job. I can live with that. Having my WOW account(s) hacked would suck, but my concern would be with my WOW account(s) and nothing more. I wouldn't even be in a hurry to recover them, to be honest. Having my bank info hacked could be disastrous and could affect a lot more than just the bank account. It could affect my finances, which are a hell of a lot more important than a video game. Having the servers at work hacked could be disastrous. It could cost my company millions of dollars in damages over the long term, and could cost me my job.

    I do not need for Blizzard's login security to be as good as that of "most corporations and financial entities." They are two completely different levels of importance for people. It's like complaining that your XBOX isn't built to the same safety standards as your car. If having your WOW account hacked is as bad for you as having your bank info stolen, then you are either too young to have any money or you seriously need to get your priorities in order.

    I can live with the annoyance of having to log in five separate times for that same reason-- it's a video game. And an extra two minutes, while a pain in the ass, won't kill me. And if it turns out that Blizzard did this because thefts of authenticator-enabled accounts had risen to an alarming level, I'm cool with it. But if it was changed because some idiot wants world-class security for his fucking MMO fix because his self esteem is tied to the fact that he's top 5 in DPS on his PuG raids... that's just really retarded. It's stupid.
    "Multibox : !! LOZERS !!" My multiboxing blog

  3. #3

    Quote Originally Posted by Fursphere View Post
    If it's an American car, the XBOX is probably built better....
    Zing!

    10 characters....
    Guilds: Spirit of St Louis/Saint Louis
    US- Trollbane/Zuljin Horde and Alliance


  4. #4
    It should be... one time code.. per account.
    Not one code per battlenet account.

  5. #5

    I don't mind the one code per account thing, just give us a countdown timer on the device so I know when the new number will be refreshed.

    Push.......wait ....... push......... wait........push New Number!!!! repeat.....
    Guilds: Spirit of St Louis/Saint Louis
    US- Trollbane/Zuljin Horde and Alliance


  6. #6

    Seems you all are upset ONLY because something changed and no one at bliz said shit about it. My take on it is this, my computer really hates me when I log all 5 at once anyway, but I can do it. I don't, I just log them all one at a time. Sure it takes a while to do, but once you log in with a key code, it instantly refreshes it. You may be lucky enough to have the option of the battlenet password but quit crying over something that not only increases security, but is completely trivial lol

    Ps. I'm pooping at work right now! Lol

  7. #7

    Quote Originally Posted by ghonosyph View Post
    Seems you all are upset ONLY because something changed and no one at bliz said shit about it. My take on it is this, my computer really hates me when I log all 5 at once anyway, but I can do it. I don't, I just log them all one at a time. Sure it takes a while to do, but once you log in with a key code, it instantly refreshes it. You may be lucky enough to have the option of the battlenet password but quit crying over something that not only increases security, but is completely trivial lol
    I think the reactions here would be the same even if they announced it.

    For those of us that have decent enough hardware to log in multiple characters at once, it isn't trivial when it takes 3 minutes of spamming your authenticator to log in, it's aggravating.

  8. #8

    I just started my 4th and 5th account back in Sep and still using my RAF. (Trying to milk it for all its worth.)

    I have many issues already with the whole mandatory B.Net (read x-box live meets myspace) thing but now I have to hold off even longer to make the choice between multiple B.Nets or one individual one. The whole time my RAF time is clicking away.


    As a side note I was talking with one of my network security friends today and he was explaining how the Authenticators work.

    Had I read this thread I would have gotten more in depth but one thing I did pick up was the fact that the Authenticator in itself is fairly secure. However:

    Each Authenticator has an individual algorithm that is mirrored to an exact copy on the server which has been tied to each individual account (or B.net dependent on what you purchased). What most people don't know is that the Key prior, the current key and the next key will all work in that 60 second period (only one of any of those three would be accepted I believe though). (This is most likely due to Blizz planning ahead for latency or natural lazy "slow" human response time)

    That being said what most of you are having issues with, the one code for one login, likely results from the code was used and now the server side authenticator is looking for the next code.


    As a side note to all you I-phone junkies

    When I asked him about the cell phones authenticator apps he began laughing, the authenticator itself is secure but what people don't realize is by putting it on their cell phone it has now just become less secure as I-phones etc...(constantly connected when turned on) are fairly easy to hack.

    I will talk with him this weekend and try to find out more.

    Let me know if there is anything you want me to ask him.
    Remember he is a network security guy not a Blizz employee but he does know his stuff.

    ~Aes
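
The behaviour described in post #1 (a code accepted twice within its 60 seconds) and in the post above (previous, current and next code accepted, each only once) can be modelled as below. This is an added example, not part of any post and not Blizzard's or VASCO's code: it uses standard RFC 6238 TOTP as a stand-in for the token's algorithm, and the `Verifier` class, secret and timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60   # seconds per code, the window the thread describes
DRIFT = 1   # also accept the previous and the next step

def totp(secret: bytes, step_index: int, digits: int = 6) -> str:
    """RFC 6238 / RFC 4226 code for one time step (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server-side check for one token, with optional replay protection."""

    def __init__(self, secret: bytes, reject_reuse: bool = True):
        self.secret = secret
        self.reject_reuse = reject_reuse
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for step in range(current - DRIFT, current + DRIFT + 1):
            if not hmac.compare_digest(totp(self.secret, step), code):
                continue
            if self.reject_reuse:
                if step <= self.last_step:
                    return False  # this code, or an older one, was already used
                self.last_step = step
            return True
        return False

def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample value
    now = 1_255_600_000.0                # constructed timestamp
    code = totp(secret, int(now // STEP))
    lax = Verifier(secret, reject_reuse=False)    # behaviour reported in post #1
    strict = Verifier(secret, reject_reuse=True)  # one login per code
    return {
        "lax_first": lax.verify(code, now),
        "lax_replay": lax.verify(code, now + 10),
        "strict_first": strict.verify(code, now),
        "strict_replay": strict.verify(code, now + 10),
        "strict_next": strict.verify(totp(secret, int(now // STEP) + 1), now + STEP),
    }
```

With `reject_reuse=True` the second login has to wait for the token's next code, which is the change the thread is discussing.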

  9. #9

    Quote Originally Posted by Aesthier View Post
    That being said what most of you are having issues with, the one code for one login, likely results from the code was used and now the server side authenticator is looking for the next code.

    I think that has been thoroughly determined as the point of the thread

    That didn't use to be the case though.

  10. #10

    Quote Originally Posted by Fursphere View Post
    I'm going to switch to an iphone authenticator for the sole reason that I can tell when the damn key is going to expire.

    Hitting the button on the key-fob 15 fucking times trying to get a new code is enough to make me not want to log in at all.
    ^^ This. I am going to open a new line on my ATT account and get an iPhone. Mobile armory and all my iTunes videos, Woot!

    Edit: I have to remember to write down the authenticator serial in case the phone crashes though.
    Guilds: Spirit of St Louis/Saint Louis
    US- Trollbane/Zuljin Horde and Alliance

