Thursday, June 26, 2008

New Security Dongle

According to Broken Toys (aka Scott Jennings/Lum the Mad), it looks like Blizzard is introducing a keychain security dongle called the Blizzard Authenticator.

It looks like an interesting option for anyone really worried about the security of the account, as it enables proper two-factor authentication. You will be able to purchase it from the Blizzard store for $6.50, which is a pretty reasonable price, in my opinion.

The only issue is that this is optional, and some of the people who would get the most use out of this will not hear about it or pick it up.

It will be interesting to see the effect of this Blizzard Authenticator on the game. For example, account sharing is rampant among the high end. But the people at the high end also have the most to lose to a hacked account, and are the mostly likely to purchase and use the Authenticator. And that may cut down on tactics like getting someone else to play your character in Arenas.

It might also have an effect on guilds. A lot of guilds are very concerned about security for the Guild Bank. I can see a guild requiring that all its members, or at least all the officers, purchase and use the Authenticator.

It's good to see that Blizzard has been taking security more seriously lately. They took my advice on disabling hyperlinks on the official forums, and are now introducing a good two-factor authentication system. However, I still think that the default game experience needs to be a little more secure.

14 comments:

  1. It sounds like a very good optional extra to me, but the procedure for 'I've lost my dongle' (*sniggers*) will need to be quite stringent so as not to open up a back door to account hackers.

    In fact, I think it would be a very good idea to include them in vanilla/Collectors Editions of both the Expansion and the Wrath+TBC Battlechest.

    ReplyDelete
  2. I think Blizzard will keep the Authenticator completely optional. That way, the only people who buy them are the people who want them, and that will reduce a lot of customer service issues.

    ReplyDelete
  3. Ah, yes, the nebulous concern that is Customer Service. Yep, you're probably right, but I still think that it may be a 'nice' thing to include in the Collectors Edition pack of Wrath along with the usual masses of bumph.

    ReplyDelete
  4. Yeah, after thinking about it a bit more, I believe you are right, and I see this as more of a trial run. If it works well, Blizz can very easily put one in the WotLK boxes.

    ReplyDelete
  5. If it works for al Blizz games going forward and remains an optional device - its a good thing. Raises a question about using different PCs and how many could be authorised.

    My humble opinion is that this will not be broadly adopted. I certainly won't be using one as I move between so many machines and have a tendency to loose my keys.

    A software based solution would make more sense, and if Blizzard really want to stop accounts being hacked, they should allow us to:
    (a) change out account name as well as password
    (b) set minimum complexity rules
    (c) have the wow forums using a different login to the account login.
    (d) dont show "account already in use" when creating a new account name. When creating my account I was told that my first few choices were already in use. Thats half the user/pass combination hacked right there.

    Typhoon.

    ReplyDelete
  6. Typhoon, you don't connect it to your machine. It's just a fob that you put on your key ring and can carry around with you.

    Essentially, it generates a new code every minute, which is displayed on a little LCD on the fob itself. The server then calculates what code the fob should be displaying and compares it to what you send to it.

    It's completely independent of what computer and game you are using. Though if you have a habit of losing your keys, I don't think this would help. Maybe attaching it to your wallet. Kind of honestly, if I lose my keys or wallet, my WoW account is going to be the least of my concerns.

    As for your suggestions, remember that hackers don't "guess" passwords. It's very easy for Blizzard to detect that someone is trying to guess the password and prevent future attempts at logging in. Hackers use keyloggers and similar cracks to guarantee getting the correct user name and password, regardless of password strength.

    ReplyDelete
  7. I just wonder why they didn't do this in the game software itself instead of a "hardware" ad-on. For example, you could have the optional step of selecting an icon after you input your correct password. Something visual and not password related and cannot be hacked. So a secondary screen would show say 50 icons from the game and you pick the one which you set everytime you log in. This means if someone did keylog you, they still have to guess what your icon is. Make it 2 or 3 wrong guesses and your account is locked. While there's still a small chance the logger could guess correctly (say 3 of 50), it would make it more difficult to get hacked and wouldn't cost anything. And it can be optional so if you are not worried about this stuff you don't have to do it.

    ReplyDelete
  8. Ooh, a hardware "dongle"... how about as mentioned, make the forum login different from game login and adding in software authentication methods. If my friggin credit card, banks and phone company can do it.. so can blizzard. Hell my phone company makes you use a special code (which they postal mail to you lol).

    ReplyDelete
  9. I fail to see how this will help with account sharing like you mentioned. When I was still playing WoW, we had at least one or two people playing someone else's character on each raid night, even if only for a special encounter or two.

    Now if it is only a randomly generated number for which you carry the generator around, I can easily call my guildmate and ask for the current key, can't I? The only solution would be a hardware dongle, and those are a pain in the ass anyways. :P

    ReplyDelete
  10. "Something visual and not password related and cannot be hacked."

    Sure it can.

    Good keyloggers would simply write in a command that takes a snapshot of your screen every .x seconds after submitting your password. They could crack the Blizzard encoding of your packets and simply read what picture you sent (this one is a little far-fetched as the encoding is very well done actually).

    That is the great thing about these little keyfobs. The numbers are randomized and the algorithm is complex enough that to crack it would take so many man hours that it wouldn't be feasible from a monetary perspective. As long as you have the fob your account is pretty damn safe.

    It won't be the death of keyloggers, as until they are mandatory many people won't want the "hassle" of typing in an extra number to log in. It will make a huge difference though for those of us who are worried about account security, and this is clearly a step in the right direction by Blizzard.

    ReplyDelete
  11. http://www.rsa.com/node.aspx?id=1156

    My company already uses these for individuals that work remotely - if you dont have your token, you dont log into the company system. Very simple.

    ReplyDelete
  12. Secure tokens are an amazing idea and definitely will eliminate the stolen account issues. I am debating getting one myself as I have one for work already.

    For those that are not familiar, when an account is enabled your password would disappear. In its place you would have a combination of a PIN and the six digit number that appears on the dongle. The number on the dongle changes every 60 seconds. If someone were able to steal the PIN, in 60 seconds it would do them no good.

    ReplyDelete
  13. I feel dumb typing this, but I made a post on your rating requirements post (as anonymous), and I'd be delighted if you'd consider responding to it, and this is the only way I can think to call your attention to a comment made in an old post: http://blessingofkings.blogspot.com/2008/05/being-on-path.html

    ReplyDelete
  14. Very interesting. These dongles are appearing much more frequently on secure sites and I think it is a very good idea to protect the months of work put into a character for just $6.50.
    I just posted an article on mage pvp on my blog if you are interested at World of warcraft blog

    ReplyDelete