Battle.net Authenticator Changes

So Blizzard,

You seem to have changed this, but tinkering with my registry I found that changing the permissions about will give me my login screen back for my authenticator.

You do understand that if hackers get to this key, they simply have to copy it from the compromised computer's registry and voila, no need for an authenticator no more. I understand you're going to say "end user problem", but why change something that's not broken? At least give us the option to opt in and out of this.

Thanks Blizzy
Edited by Deysi on 18/06/2011 16:08 BST
85 Blood Elf Mage
6900
I'm happy with this change.

Especially at those moments I get disconnected more than twice in a row.
90 Human Priest
4160
I see you can never win - too many people complaining - I think this is a good idea, especially if you log on numerous times in a day - for those who go on about security issues.. if you use a public PC or someone else's PC, then change your password after using it - one of our members got his account hacked but Blizzard refunded every item - I lost no sleep over it - Blizzard have done something that should help the majority of us log on a bit more easily - thx Blizzard - still a great game after all these years
85 Tauren Paladin
3150
04/07/2011 17:48 Posted by Shaolinmonk
I see you can never win - too many people complaining - I think this is a good idea, especially if you log on numerous times in a day - for those who go on about security issues.. if you use a public PC or someone else's PC, then change your password after using it - one of our members got his account hacked but Blizzard refunded every item - I lost no sleep over it - Blizzard have done something that should help the majority of us log on a bit more easily - thx Blizzard - still a great game after all these years
That'd be fine if that were the only way possible to exploit this "feature". Except that's not really the case.

It should be optional, to please everyone. The only reason not to make it optional is the financial reasons posted herein (or in the other thread). Which is quite frankly, shocking.

I stand by my point made over and over. This IS exploitable by a black hat with the time/energy to do so. Whether anyone will do so, or not remains to be seen.
1 Human Paladin
0
17/06/2011 10:58 Posted by Geomatician
I feel that this change shouldn't be mandatory, despite being a good change. An opt-out option is important. Consider it.

I also vote for an Opt-out option, please do it.
Security > convenience.
85 Blood Elf Mage
5135
I also feel that this change shouldn't be mandatory. I would prefer to have to put it in every time. Could you make that possible?
Edited by Demonspear on 07/07/2011 21:29 BST
85 Blood Elf Mage
5135
So to try out this change, I connected on my cousin's computer and entered the code.
Now my account can be used without the authenticator on both computers.
So like the previous post I sent: Could we please have an opt-out option!
51 Night Elf Druid
190
I'm agreeing with the fact that this should really have an opt-out option. There are too many ways that our accounts could be hacked, and the authenticator made me feel safer. Please give us an opt-out option Blizz!
85 Night Elf Druid
0
Another voice added to the seemingly ignored ones in the thread already it seems. Though I'm not so much asking for an opt-out as an end to the madness. There was an opt-out in place already; people either parted with their own money and bought an authenticator because they chose to enter 6 teeny little digits adding a real-world element to their login process ... or they didn't buy one. It's that simple & it's been said before.

I paid Blizz money for an authenticator that (at the time) was sold with the proviso that it'd be required for ANY login attempt to my account. This feature is no longer available to me and as such, I'd either like the option to go back to it, or I'd like that money back on principle (though I'd like my login process back much more)!

Like many have pointed out before, there are MANY situations which mean that assuming a single person logging in at a specific computer is the only scenario for your playerbase is flawed. Many share computers, and many can see the pretty obvious ways that hackers can exploit the information stored on a person's computer to their advantage to get around the authenticator system.

Put simply, Blizz, we opted to authenticate with our own cash, you were happy to take it at the time and offered incentives to encourage us to take up the feature. Now give the system we paid for the pleasure of using back to us in its original form, please. Otherwise I'm left wondering what I and so many of your subscribers bothered to invest in at all, and just how little you think of customers who you've made a shocking amount of money from in exchange for the promise of a little more security, now that you're going back on the agreed terms.
Edited by Feloriene on 07/07/2011 22:11 BST
100 Draenei Shaman
10280
I just bought the damn thing in hopes that my account would be safer with it. It was unpleasant like hell to log in and see everything I had was gone. And now I find myself in the same situation as before: with a HUGE possibility of my account being hacked... again. Seeing it's not very complicated to just spoof any IP address, I now wonder why I had to spend money on something that just doesn't work any more. Come on now, people's WoW accounts deserve the same safety as a bank account, seeing we invest both time and money in it. I would appreciate the possibility to use the item I paid for, for something I invest time and money in.

I feel like I was cheated out of my authenticator money, seeing that the possibility of my account being hacked pretty easily is still there...
Edited by Briersting on 09/07/2011 06:39 BST
1 Orc Warlock
0
This is awesome. Nice work!
100 Tauren Shaman
4485
I just returned to the game after a longish period away. It took me quite a long time to figure out that my account was not hacked even though I didn't see the familiar authenticator requests at each log in. I can appreciate why it would be annoying to some to input a new code each time, but I personally care more about the security than the inconvenience. Any chance caching could be made an opt in / opt out choice?
90 Dwarf Warrior
13400
Now this was a horrible idea. Not only did you give me a huge scare, but reading some of the notes indicates that this is not even a server-side check (registry? WTF[1]?).

If this was the change that prompted the removal of the easier to use combined password/challenge inputs on the login screen, you have really made a mess of it.

If a player can reconnect from the same IP within say three minutes of disconnecting, then just _maybe_ this would be a less bad idea.

If people do not want to use the authenticator, then they should not use it, do not destroy it for those of us that actually care about account security.

[1] Pardon my language but in this case it is definitely called for.
90 Dwarf Warrior
13400
18/06/2011 15:53 Posted by Árcfélonas
I like entering my 6 digits thank you very much each time I log in and I also like the fact my account is safe because the fact the physical key to it is in my hands the same way as in locking the house up when I go out so please just realise not everyone has that same level of over all confidence you do. Would you leave your house unlocked no don't think so and that's how some of us feel about WoW as well.
This is what it is all about.

Just because someone punched in the correct code to deactivate the burglar alarm the last time someone used a key to open the door does not mean that it should be deactivated the next time someone uses the same key to enter the building.

It is actually a perfect analogy (albeit in reverse):
Think of your password as a key. Anyone with a copy of the key can open the door and enter.

The authenticator is the burglar alarm panel and you need to know the code to turn it off.
If using the correct physical key was all it took to deactivate the alarm, the alarm would be more or less useless.
90 Dwarf Warrior
13400
Thank you! Thank you! Thank you! Thank you! Thank you!

As a 5-boxer, I stopped using my authenticator when you made the codes single-use, as logging in 5 accounts was a 2.5m PITA!

Seeing this announcement this morning, I've now re-applied my authenticator and feel much safer :)
So this is what it is all about.

I understand the hardships of this multiboxer but to make the authenticator one-use-only to cater for this rather small part of the player base?
85 Undead Warlock
3300
09/07/2011 06:33 Posted by Briersting
Seeing it's not very complicated to just spoof any IP address, I now wonder why I had to spend money on something that just doesn't work any more.
Will you people please shut the hell up about spoofing IP addresses? Read the thread and realize it's not a valid attack vector.

God dammit...
85 Orc Shaman
7415
Seeing it's not very complicated to just spoof any IP address, I now wonder why I had to spend money on something that just doesn't work any more.
Will you people please shut the hell up about spoofing IP addresses? Read the thread and realize it's not a valid attack vector.

God dammit...
True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get into their account without an authenticator. This definitely works, as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but Blizzard have ignored it.

Since this is such an obvious flaw and not something Blizzard would miss (I hope), they must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though, by altering the registry and preventing WoW from saving authenticator info on your system :)
Edited by Shamit on 10/07/2011 18:07 BST
Customer Service

Will you people please shut the hell up about spoofing IP addresses? Read the thread and realize it's not a valid attack vector.

God dammit...
True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get into their account without an authenticator. This definitely works, as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but Blizzard have ignored it.

Since this is such an obvious flaw and not something Blizzard would miss (I hope), they must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though, by altering the registry and preventing WoW from saving authenticator info on your system :)
This isn't a money-saving scheme, since you're not actually spending anything to generate the code, nor are you impacting bandwidth in any way. While your concerns are noted, your account is no less secure than it was before; the only change is that you will only be prompted once a week to enter it unless you change IP address, from where you'll need to enter your authenticator code.

There are a lot of valid concerns, which our developers are aware about, however we cannot give a direct response to all posts made.

Nevertheless, we are not ignoring any feedback posted; it's read and noted.

As for authenticator information, this is managed server side not on your actual system.
Edited by Gelmkar on 10/07/2011 18:17 BST
85 Orc Shaman
7415

As for authenticator information, this is managed server side not on your actual system.
It is saving data to a folder in the registry under: HKEY_CURRENT_USER > software > blizzard entertainment > battle.net, in a folder cunningly named "authenticator". It creates 2 reg-binary files related to the authenticator, and these decide whether the client asks for a code or not. Which is why you can remote through a victim's PC and log in to their account without needing a code.

We don't know what they mean yet, but it's only a matter of time before someone decodes them. If you deny write permissions to that folder it will not save anything and will ask you for a code every login.
Edited by Shamit on 10/07/2011 18:37 BST
Reply Quote
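The registry write-denial that both Deysi's opening post and Shamit's post above describe, written out as an added PowerShell example (not code from the thread, from Blizzard, or from any poster). The key path is reconstructed from Shamit's description of the HKEY_CURRENT_USER location; the names of the two REG_BINARY values are not given in the thread, so the script only lists whatever is present rather than assuming names.

```powershell
# Added example, not from the thread or from Blizzard: inspect the registry key
# the post describes and deny the current user write access to it, so the client
# cannot persist its "code already entered" state. The key path is reconstructed
# from the post ("HKEY_CURRENT_USER > software > blizzard entertainment >
# battle.net", subkey "authenticator"); the value names are not given, so the
# script lists whatever is present instead of assuming names.
$KeyPath = 'HKCU:\Software\Blizzard Entertainment\Battle.net\Authenticator'

function Show-AuthenticatorKey {
    if (-not (Test-Path $KeyPath)) { Write-Host "Key not present: $KeyPath"; return }
    $key = Get-Item $KeyPath
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        $data = $key.GetValue($name)
        # REG_BINARY comes back as byte[]; report its size, not its content
        if ($kind -eq 'Binary') { $data = "$($data.Length) bytes" }
        Write-Host ("{0,-24} {1,-8} {2}" -f $name, $kind, $data)
    }
}

function Deny-AuthenticatorKeyWrite {
    # Start from an empty key so no already-cached values survive
    if (Test-Path $KeyPath) { Remove-Item $KeyPath -Recurse -Force }
    New-Item -Path $KeyPath -Force | Out-Null

    # Deny the interactive user (the account the game client runs as) the rights
    # needed to store anything under the key. Reads stay allowed; per the post,
    # the client then finds nothing saved and asks for a code at every login.
    $user   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $rule   = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $user, $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl = Get-Acl -Path $KeyPath
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    Write-Host "Deny ACE (SetValue, CreateSubKey, Delete) for $user applied to $KeyPath"
}

Show-AuthenticatorKey
Deny-AuthenticatorKeyWrite
Show-AuthenticatorKey
```

Run it in the same Windows account that launches the game client; because Delete is denied, re-running or reverting means first removing the Deny rule with RemoveAccessRule, which the key's owner can still do since ChangePermissions is not denied.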