The Blizzard Authenticator - Page 3

Prinsesa · 06/27/08, 2:08 AM

As someone who uses a similar device at work, I agree that it's an awesome idea, and I'd definitely get one given the chance.

And about it replacing your password: No. At work, the number sequence provided by my authenticator is still used in conjunction with a user-defined password. A key concept I was taught in security was "Something you have, and something you know"

If my password gets keylogged, they can't get in because they don't have my authenticator. If my authenticator gets stolen, they can't get in because they don't know my password. Granted, there's still the possibility of losing both to the same person/organization, but that's much more unlikely to happen.

• Beliandra · 06/27/08, 2:51 AM

This looks identical to the device I use for my online banking. Excellent idea, imho, I remember getting surveyed about such an idea by Blizzard a while back and I strongly recommended it.

Originally Posted by Merrack

Going from something you know to something you have is, in many ways, a decrease in security. I'll be able to leave my Blizzard keyfob lying around because my friends would still need to know my password to log in. Without the password, stealing the authenticator gets you access to the account.

The quoted article makes it clear that under this system, yes, you will require username, password and keyfob to log in. So it is an increase in security in every way.

Kinv · 06/27/08, 3:36 AM

So wait how does this work? It just generates a key you have to input as well as your PW? or you have to plug it in? If you just need a key from it what's stopping that from getting keylogged as well?

Nadiar · 06/27/08, 3:49 AM

Originally Posted by Kinv

So wait how does this work? It just generates a key you have to input as well as your PW? or you have to plug it in? If you just need a key from it what's stopping that from getting keylogged as well?

Because its only valid once, then you enter it in, and that code isn't valid until you enter in like 500,000 different ones or something.

Monique · 06/27/08, 3:50 AM

Originally Posted by Kinv

So wait how does this work? It just generates a key you have to input as well as your PW? or you have to plug it in? If you just need a key from it what's stopping that from getting keylogged as well?

From the first post, Hardware Authenticators

Vagabond · 06/27/08, 3:52 AM

Originally Posted by Prinsesa

As someone who uses a similar device at work, I agree that it's an awesome idea, and I'd definitely get one given the chance.

And about it replacing your password: No. At work, the number sequence provided by my authenticator is still used in conjunction with a user-defined password. A key concept I was taught in security was "Something you have, and something you know"

If my password gets keylogged, they can't get in because they don't have my authenticator. If my authenticator gets stolen, they can't get in because they don't know my password. Granted, there's still the possibility of losing both to the same person/organization, but that's much more unlikely to happen.

While I agree that the 2 pass or tier or whatever login *is* more secure, the extra security is moot for me. I don't live in Rang'Rang land and have no fear of roving bands of ruffians stealing my physical possessions just to get at my game characters. I don't frequent Cybercafe's. The Dohickey would be strictly an inadvertently installed keylogger prevention device for me. (though the idea that a certain portion of the population will quit practicing (or simply never start) good/safe/clean methods and now just ignore possible keyloggers while they do their online banking and whatever....)

Note: it doesn't solve the issue with some jackass looking over your sholder at a Cafe, but quite a few of the import/rebuild Asian games use some form of onscreen keyboard/keypad entry to defeat keyloggers. Requiem has normal Un/Pw to get to character select, then onscreen 4 digit code entry (with the numbers in the 3x3 jumbling each click) to actually enter game on one. 9Dragons requires Uppercase, lowercase, & numbers for the PW AND you have to type at least 3 characters of it using the onscreen QWERTY.

Prinsesa · 06/27/08, 4:22 AM

(with the numbers in the 3x3 jumbling each click)

Back when I played Ragnarok Online, the player's Stash was also protected by a 6-digit code entered via this "jumbling numbers" keypad. However, the bot programs found some way around that as well - I'd just input the Stash code as part of the bot's config and it would still be able to access my stash anyway. So not even THAT was foolproof.

◊ Cadfael · 06/27/08, 4:40 AM

Originally Posted by Vagabond

While I agree that the 2 pass or tier or whatever login *is* more secure, the extra security is moot for me. I don't live in Rang'Rang land and have no fear of roving bands of ruffians stealing my physical possessions just to get at my game characters. I don't frequent Cybercafe's. The Dohickey would be strictly an inadvertently installed keylogger prevention device for me. (though the idea that a certain portion of the population will quit practicing (or simply never start) good/safe/clean methods and now just ignore possible keyloggers while they do their online banking and whatever....)

Hopefully you don't use Internet Explorer at all. This is new and it is apparently possible since IE 6 up to and including 8 to record any and all keystrokes after you visited a malicous site and you are no longer there. It persists by circumventing basic security mechanism that should prevent code running after you left the site and stays around invisible.

US-CERT Vulnerability Notes
sirdarckcat: Browser's Ghost Busters
sirdarckcat: Ghosts for IE8 and IE7.5730
You better stop using Internet Explorer for now

What can be done by this is embed evil code for example in an add displayed on a non-malicous webpage that installs this ghost on your IE and when you later at some time log in to the Blizzard forum or your account management page, it can record your keypresses and send them somewhere.

Note that this vulnerability in theory is not limited to Internet Explorer alone, though there hasn't been a working proof of concept for other browsers yet (to my knowledge)

Ukerric · 06/27/08, 7:23 AM

Originally Posted by Kinv

So wait how does this work? It just generates a key you have to input as well as your PW? or you have to plug it in? If you just need a key from it what's stopping that from getting keylogged as well?

The key displayed on the FOB is valid for exactly one minute, and if it's used, it's no longer valid, even during that minute.

(theory here, in practice, unless you used that time code already, it allows you the "previous" or "next" code, i.e. a 3mn window. Because you might start typing at xx:50, and finish typing the code at xx:10, which would theoretically require the next code)

Hozz · 06/27/08, 8:55 AM

Its long overdue and I will get one as soon as they start selling them.

I am surprised Blizzard is not eating the cost on these, though. If everyone had them it would cut the volume of account hack calls they have to deal with by 99%. It seems like it would be a good idea for them to start including them, pre-associated, in boxed copies of the base WOW game.

Fendryl · 06/27/08, 9:46 AM

Originally Posted by Oaken

Unlike, say, how easy it is to get your character and gear restored when you are hacked.

Except, I'm much, much more likely to misplace this, than I am ever getting hacked. If I could somehow have a backup one, be it either a 2nd separate key also linked to the account, or a clone on my primary one, I'd feel a lot better about it.

None the less, I'm still pretty tempted to get one just for the peace of mind. Putting this in a Collector's Edition bundle would probably make it a deal-sealer for me.

flyingtoastr · 06/27/08, 10:00 AM

Originally Posted by Hozz

I am surprised Blizzard is not eating the cost on these, though. If everyone had them it would cut the volume of account hack calls they have to deal with by 99%. It seems like it would be a good idea for them to start including them, pre-associated, in boxed copies of the base WOW game.

I would guess they are doing this as a trial run to check out interest within the community and work out any kinks in the system.

If this idea takes off (so far there is only one child on my realm boards who refuses to buy one because, and I quote: "I have never in my life ran antivirus, firewall, "javascript blocker" (lol?) and everything is on the default settings and I haven't been hacked ever", everyone else seems reasonably interested) I could see this becoming mandatory or at least bundled with Wrath quite easily.

I personally can not wait for these. It isn't quite perfect, but it sure is a lot safer than just the username/password system we're using now. A large step in the right direction by Blizzard.

righ · 06/27/08, 11:12 AM

Its definitely huge step forward in safety of our precious accounts. I haven't been hacked yet, but I know people that lost everything. You can play smart, but shit happens. Someone finds exploit in random common software and you're fucked regardless of antiviruses, firewalls and common sense. What I don't understand is all the bitching about price of this piece of hardware. 6.5 dollars/euro is nothing compared to hundreds hours lost in gold and equipment. I will get one for sure, would be great if they bundled them in wrath boxes.

djhbrd · 06/27/08, 11:28 AM

I'm considering picking one of these up. My account was not originally mine, it was given to me by a friend of a friend a couple years ago. He said he was done with the game, but in the back of my mind it still troubles me that none of the information on the account management page belongs to me (except the credit card, obviously). I keep thinking that some time he's going to ninja the account back, he can easily get my password if he wants as the email address on the account is his. Would picking one of these up circumvent any measures he tries to take to get his account back?

Blacksen · 06/27/08, 11:30 AM

Originally Posted by koaschten

For those that might not know what those tokens look like, this is my similar PayPal token
//edited to insert picture of original product.

So how exactly does this work? The instructions seem simple enough, but how does Blizzard know what number the Authenticator Generates?

◊ Cadfael · 06/27/08, 11:41 AM

Originally Posted by Blacksen

So how exactly does this work? The instructions seem simple enough, but how does Blizzard know what number the Authenticator Generates?

They have serial numbers and these numbers are part of the "seed" that generates the sequences. You'll most likely have to pair these to your account and to do that you will need to enter the imprinted serial number in your account management and then probably one or two of the codes it produces so the server on Blizzard's side knows exactly which token it is.

Brohm · 06/27/08, 11:46 AM

Originally Posted by Blacksen

So how exactly does this work? The instructions seem simple enough, but how does Blizzard know what number the Authenticator Generates?

The token will generate your code using a special formula with the current time and the unique key associated with you device/account as the parameters.

Since Blizzard knows the time and your device/account key, it can generate the same exact code to make sure they match.

jaxdahl · 06/27/08, 12:03 PM

This will stop harvesting of usernames & passwords, but it won't protect against (theoretical?) man-in-the-middle attacks that intercept the information entered and immediately use it to enter your account and attempt to liquidate your assets as quickly as possible before you figure out your login was blocked due to the interception. I do wonder if the attackers will take the efforts required to make attack suites like this, or stick to the tried and true method of keylogging people that did not buy and use an authenticator. Will Blizzard account/character recovery specialists treat hacked accounts that were protected by an authenticator the same way they would for accounts without one?

I currently have a mental image of someone setting up a webcam and a remote button pusher so his friends can get the passcode if they want to get on his account.

• Chicken · 06/27/08, 12:12 PM

Complete protection of anything is basically unfeasible anyway. Typically one of the goals of security isn't so much to ensure something is impossible to crack, but to make it so the effort to crack it is hard enough to make it not worth the effort to do so.

Man-in-the-middle attacks are certainly possible, but that is a lot more complicated than the current system is. Data collected from keylogging currently can be acted upon at the person receiving the data's leisure. While as I understand it, man-in-the-middle attacks require the person interested in breaching security to be active at the same time as the user being breached. That's quite a lot more complex... And more likely to be noticed by the user.

Furthermore these kind of systems typically have it set up so that if a user would try logging on twice in a short time frame from different IPs that both users get disconnected, and that the old code is invalid, meaning you have to wait until the code from the key fob refreshes again.

Edit: That still leaves reverse-engineering the algorithm used, but that's very complicated. With enough different codes from a user you could potentially figure it out, but it's comparable to figuring out a password through brute-forcing. Possible, but unlikely.

Galanna · 06/27/08, 1:05 PM

I don't know about this particular implementation, but sometimes a generation counter also enters the equation, and even the key may be modified at each generation. This mean reverse-engineering is even more difficult. (This also means if you generate to many codes without actually using them, the key/counter in the token will be de-synchronized with the server ones, requiring a re-synchronization via customer support)

Miaxi · 06/27/08, 1:37 PM

They should include those into the WoltK boxes.

◊ Penguin · 06/27/08, 1:49 PM

Originally Posted by jaxdahl

I currently have a mental image of someone setting up a webcam and a remote button pusher so his friends can get the passcode if they want to get on his account.

I recall a site a while back that was just a webcam zoomed into the screen of a dongle. You couldn't see what company or site it was for, so it was useless to anyone but the owner, but it became well known enough that I think it got covered on Slashdot. The key-press portion makes it harder to do that with these, as well as the giant Blizzard logo plastered on it.

PSGarak · 06/27/08, 2:06 PM

All you need is a decent hash algorithm on the serial number and the timestamp, and you're basically secure. What's even more secure is having the external serial number being the lookup reference for a much stronger arbitrary-length internal seed. If the internal seed is long enough, and actually random with respect to the external serial, you can have the hash effectively guarantee that the seed is irrecoverable from the keycode even if the algorithm is discovered by cracking one open and looking at the hardware. I don't think that this in itself technically qualifies as strong cryptography because the seed is recoverable from a finite amount of information, but a decent hash algorithm can basically require a lookup-table of every seed-timestamp combination to reverse-engineer it. And lookup tables are actually impossible when they have to be bigger than the known universe, which takes surprisingly small seed sizes.