  1. #11
    Multiboxologist MiRai's Avatar

    Quote Originally Posted by ElectronDF View Post
    What is the problem with it not asking unless you play on different machines?
    I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
    physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
    something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
    on your computer where the key logger you've unknowingly downloaded resides and is gathering your
    information.

    I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
    my authenticators enabled at all times would make me and my virtual goods feel safer.

  2. #12

    I know I don't understand the internet, but if I have IP of 128.64.x.x and they want to steal my IP, so they make their IP of 128.64.x.x. Why would the routers in America (where I am), route to an address in Asia when none of the 128.64 addresses exist?

    Also, what about a hash of computer equipment that is sent to Blizzard is stored on your computer?

    I don't think I would have ever trusted the phone authenticator. That is more marketing than insurance. Also, as some others have said, we are supposed to be smarter than the rest of the players, mostly cause we have more to lose (5 accounts, not just 1). So I would have used an actual authenticator (iphone, keyfob) instead of a system that is supposed to protect you.

    I am not against being able to opt out of it. I just really like not having to type in a code each time I get disconnected.

  3. #13

    Quote Originally Posted by Fenril View Post
    I just don't trust "intelligent" systems. The dial-in authenticator was supposed to be a great alternative to a
    physical authenticator but that was a whole lot of fail. I'm not sure why China won't be able to spoof
    something such as a computer hardware ID in addition to an IP -- All of that information is still stored directly
    on your computer where the key logger you've unknowingly downloaded resides and is gathering your
    information.

    I separated my BNet accounts back in the day so I only require 1 code to log everything in at once and having
    my authenticators enabled at all times would make me and my virtual goods feel safer.
    I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this.
    Dualboxing on a computer running Linux & MoW.
    EU-Uldaman

  4. #14

    Quote Originally Posted by Kekkerer View Post
    After this change I've got no reason to shun the authenticator any more.
    Yeah, this weekend I'm going to switch back to the keyfob authenticator. I like this change.
    "Multibox : !! LOZERS !!" My multiboxing blog

  5. #15

    I'm with Fenril on this. In trying to make security less intrusive Blizz is actually making the process less secure. I LIKE having to input 3 codes when I log in and would prefer if there were a retinal scan and DNA test as well. The hackers will find a way around this, rest assured.

    Now if I can convince my bank to issue authenticators I'd be even happier.

  6. #16

    Lots of posts on the official forums about this. I want an opt out. I know Blizz has said they are checking more than just IP but have little confidence this new system is better than the failed dial-in system. The whole roll out was half assed. Twitter? Facebook? How about posting a message on the login screen?
    Styrr - Legion of Boom - GM



  7. #17

    Quote Originally Posted by Daeri View Post
    I think I read somewhere that the dial-in authenticator was a huge fail mainly because of keyloggers that included a kind of ssh (or whatever) tunnel that allowed hackers to log in as if they were physically using the hacked computer. So if this is exact, I guess the same issue will soon be raised with this new system. I can trust them to be imaginative enough to find a way to exploit this.
    Guys, let's not kid ourselves. Having an authenticator is not 100% protection from being hacked.

    If the attacker has something installed on your PC, like a keylogger with a tunnel, the attacker can simply hijack WoW when you try to log in, while locking you out of it, and at that point it's mostly irrelevant whether or not you have an authenticator... You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.

    An authenticator is NOT to protect you against a competent attacker who already has access to your compromised PC. You're already fucked if that's the case. Blizzard's software scanning (Scan.dll specifically, which runs some scans when you launch WoW) IS to help protect you against this type of attack, along with other anti-[virus/malware/spyware/etc] solutions.

    Your authenticator helps protect your account against brute force and dictionary (and harvesting, etc -- say if someone with a wow-related site expects you to use the same password on your wow account that you used on their site) types of attacks, not the man in the middle you are describing.

    With that said, brute forcing is unlikely to come from your own PC and I heartily agree with the trade-off made here. You were doing a lot of work when you log in to protect yourself from these specific attacks, when it doesn't solve the man in the middle problem. They have removed the work for YOU, and left it for the attacker it protects against.

    But I would also agree that people who want to have to enter it in should be allowed to, I guess.
    Last edited by Lax : 06-18-2011 at 01:54 PM
    Lax
    Author of ISBoxer
    Video: ISBoxer Quick Start

  8. #18

    Don't think you can clone computer ID at the same time, and like Lax says it would have to be done from your PC. This is safer than the phone one in many ways. If the system don't like, then it asks for code. Better than nothing. 6 weeks no keyfob not need hacked but I like it there hate codes.

  9. #19

    Quote Originally Posted by Fenril View Post
    I’m really hoping we’ll be able to opt out of this “intelligent” system.
    Why opt out? It marks your computer as being safe. If a hacker uses even IP masking it's still missing your computer ID to make it safe. I know this cause my laptop is on the same IP as my desktop when I'm at home and I still needed to enter the authenticator the first time on it after I cleared it on my desktop. Now hackers can't use keyloggers to use your authenticator.

  10. #20
    Multiboxologist MiRai's Avatar

    Quote Originally Posted by drarkan View Post
    Why opt out? It marks your computer as being safe. If a hacker uses even IP masking it's still missing your computer ID to make it safe. I know this cause my laptop is on the same IP as my desktop when I'm at home and I still needed to enter the authenticator the first time on it after I cleared it on my desktop. Now hackers can't use keyloggers to use your authenticator.
    I already replied why at the top of this page. It doesn't matter how safe others feel or think this is, why can't
    Blizzard respect my decision to not want to automatically opt into something they believe is the best thing
    security-wise? People who don't want to use Real ID get to opt out, why can't I get a simple check box under
    my account settings to "always require authenticator code"?

    Quote Originally Posted by Lax View Post
    You entered the code, they have something like 10-11 minutes to exploit it. They can wipe out everything you had on your account, and you'll stare at the screen asking why you can't log into WoW at all.
    10 - 11 minutes was from my initial testing of how long auth codes lasted. Now, an auth code is valid for
    approximately 2 minutes to use on the website and approximately 30 seconds to use to log into the game.
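
Added example, not part of any post in this thread and not Blizzard's code: a minimal model of the "trusted computer" decision the thread debates, showing which logins are challenged for a code and which are not. The `Account` class, the `always_require_code` setting, the hardware-ID strings and the addresses are all assumptions constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: server-side secret, made up for this demo


def device_tag(hardware_id: str) -> str:
    """Keyed hash of the client-reported hardware ID, so the raw ID is not stored."""
    return hmac.new(SERVER_KEY, hardware_id.encode(), hashlib.sha256).hexdigest()


def network_of(ip: str) -> str:
    """Coarse network identifier: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


class Account:
    def __init__(self, always_require_code: bool = False):
        # Hypothetical setting: the "always require authenticator code" checkbox.
        self.always_require_code = always_require_code
        self.trusted = set()  # (device_tag, network) pairs cleared by a valid code

    def needs_code(self, hardware_id: str, ip: str) -> bool:
        """True when the login must be challenged for an authenticator code."""
        if self.always_require_code:
            return True
        return (device_tag(hardware_id), network_of(ip)) not in self.trusted

    def code_accepted(self, hardware_id: str, ip: str) -> None:
        """Called after a valid code: remember this device on this network."""
        self.trusted.add((device_tag(hardware_id), network_of(ip)))


def run_scenarios() -> dict:
    """Constructed logins; addresses are from the documentation ranges."""
    acct = Account()
    out = {"first_login": acct.needs_code("DESKTOP-A", "198.51.100.7")}
    acct.code_accepted("DESKTOP-A", "198.51.100.7")
    out["same_pc_again"] = acct.needs_code("DESKTOP-A", "198.51.100.7")
    out["laptop_same_ip"] = acct.needs_code("LAPTOP-B", "198.51.100.7")
    out["copied_id_other_network"] = acct.needs_code("DESKTOP-A", "203.0.113.9")
    # A login relayed through the trusted PC is indistinguishable from the owner's.
    out["relayed_through_trusted_pc"] = acct.needs_code("DESKTOP-A", "198.51.100.7")
    strict = Account(always_require_code=True)
    strict.code_accepted("DESKTOP-A", "198.51.100.7")
    out["opted_out_same_pc"] = strict.needs_code("DESKTOP-A", "198.51.100.7")
    return out
```

In this model the second device on the same IP and the copied ID from another network are both challenged, while anything arriving from the already-trusted PC is not, which is the case only endpoint scanning or the always-require setting addresses.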
