True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get into their account without an authenticator. This definitely works, as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but Blizzard have ignored it.
Since this is such an obvious flaw and not something Blizzard would miss (I hope).
Oh yeah, the fact that anyone could log into ANY account with Rift was pretty obvious as well; still, it took them WEEKS and like a million hacked accounts before the problem became obvious, and even then it was a PLAYER that found the problem. Add to that the fact that stupid ##@* like SQL injection is still the No. 1 way systems get compromised, and I'm very, very doubtful that nothing obvious could get missed "even" by Blizzard (ask Sony, Nintendo, Microsoft, ... about their great unbreakable security).
They must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though, by altering the registry and preventing WoW from saving authenticator info on your system :)
How is that different from a man-in-the-middle attack through a backdoor? (Security-wise)
If an attacker is able to tunnel through you, it doesn't matter if you need to put in your key or not.
If they manage to get your key (which has to be some key/hash stored locally), together with probably your IP (though my IPs changed a few times, so they might be using the MAC instead, still trivially spoofable), they've got free rein on your account.
As far as I know, SSH ports are locked by default and those connections are prevented as well by a normally configured Windows PC*.
*I believe you have to specifically open those ports and
Wrong. Windows barely blocks anything outgoing, and certainly not SSH (I use it daily and never get prompted by UAC about it). In fact, if anything is unlikely to be blocked it is SSH (only HTTP(S)/IMAP(S)/POP3(S) are less likely), and if that is an issue just run your SSH server on port 80; problem solved.
I don't think Windows even supports SSH connections out of the box.
Right, but that doesn't matter, as a GUI SSH program is already less than 0.5 MB (PuTTY), so getting something with SSH support onto a PC is trivial if you already have access.
Anyway, it's probably still secure enough for a game, but I'd rather turn it off and put in my key every time. The fact that Blizzard doesn't want to give any meaningful details about the security scheme to me means it's unreliable and probably relies on the hackers being too dumb to find out how it works. Hint: gold selling and account cracking is big business; they WILL find out, and when they do...