jump to navigation

Authenticators… Are They Still a Thing? June 2, 2014

Posted by Wilhelm Arcturus in entertainment, World of Warcraft.
Tags: , , , ,
trackback

In which I demonstrate I am clearly running out of things to write about.

There was a point in time, a few years back, when account authenticators were very much a thing.  Back when WoW accounts seemed to be getting hacked almost constantly and people were even phishing for EverQuest II account data, authenticators were news.  I, my daughter, and my mother all have authenticator fobs for our respective WoW accounts.

How many times have I used this shot?

How many times have I used this shot?

I also have an authenticator fobs for SOE games, although I stopped using it.  Blizzard managed to streamline the authenticator process, requiring it only weekly so long as my IP address/login computer doesn’t change.  SOE’s “append your token to the end of your password” method, which was always a bit awkward, is also resistant to any streamlining.  (And they show a freakin’ SOE mini-splash screen for two seconds when you hit the button? WTF?)  So I decided a long password would suffice for them  Plus, who steals SOE accounts these days?  Is there any money in that?

Other companies offered them as well.  Square Enix had them for their Final Fantasy XI and Final Fantasy XIV MMOs.  EA offered up an authenticator fob for Star Wars: The Old Republic as part of the collector’s edition.

The key item for me

Look, a fob!

If I recall right, CCP even gave out an authenticator fob, or at least talked about one, for EVE Online at FanFest a couple years back, though they have not to my knowledge, implemented multi-factor authentication with it so far… which seems odd, given the meta game there.

All of these are branded versions of the VASCO Digipass Go 6 device.  The trend seemed to be to go that route, no doubt because VASCO has a package that made integration manageable and ability to supply a company like Blizzard, which has millions of customer accounts.  This also allowed companies to go with a “mobile authenticator” option, giving players access to authenticator functionality on their smart phones.   Some companies, such as Trion, have opted to go solely with such an options.  Others, like SOE, only have the authenticator fob option, but promise to get smart phone functionality in the near future.  (But not soon.  We know what SOE means when they say “Soon™”.)

Not that the SOE approach bothers me.  I do not actually own a smart phone, and while I have an iPad, it tends to be a device I only use when away from my computer.  So the authenticator fob works out well for me.  It is a small, single purpose device that sits right where I need it, next to my keyboard.

But, aside from SOE and Blizzard, not many companies seem to be pursuing the who authenticator fob idea.  Square Enix was perpetually out of st0ck on fobs, while I am not even sure you could buy one independently from EA.  And even Blizzard seems to go hot and cold on the idea.  For a while they were giving them away if you knew where to look, while at other times they haven’t been available for love or money.  That was most recently the case when they split the Blizzard Store into the Battle.net Shop and the Gear Store. (Hint: It is in the Gear Store.)

Then again, WoW is the only game where accounts getting hacked seemed to reach epidemic proportions, with nearly everybody in our little guild who didn’t have an authenticator having their account hacked or otherwise compromised at one point a couple of years back.  So I am not sure I really need to bother with an authenticator for other games.  Somebody tried to access my GuildWars 2 account last month… I got three email messages that were in response to a request for a password reset… but there isn’t anything there to steal.  I am not sure I would even notice if somebody got in and did something.  But I changed the password on that email account ahead of schedule, just in case.

So where do people stand on the whole authenticator thing these days?  I wouldn’t remove mine from my WoW account given past history, and I might like the option for EVE Online, given its meta-game tone.  But I feel comfortable enough with decent, unique passwords on other accounts.

How about you and authenticators, fob or mobile based?

Comments»

1. Eric Schoneveld (@ericscho) - June 2, 2014

Still using mine for the Blizzard account :). Only have to type in a code once a week or so ? Apparently Wildstar has 2 way auth as well, but it wants you to type the number every time you log on, from what I read, which sounds too cumbersome for me !

Like

2. Wilhelm Arcturus - June 2, 2014

@Eric – That was my problem with SOE. They went for the quick fix solution that allowed them to add authenticators in the shortest possible time, but in such a way that they are now stuck with their awkward implementation as the code is expected to be part of the password you provide. Blizz did more work up front and now, as you note, you only have to enter the code once a week or when logging in from a different machine/location/IP address.

Like

3. sid67 - June 2, 2014

Hmm… Lack of things to write about? Or perhaps this post is a veiled attempt to get me to breach my security and let you know which games that I play where I don’t use an authenticator. Well played…

In all seriousness though, I was hacked maybe five years ago and the culprit was a virus that targeted my bank account and my WoW account. I was shocked to learn both were attacked and I’m generally a pretty saavy about security.

I think what’s surprising here for me is that while WoW has an authenticator for additional protection, many (most?) banks don’t have something equivalent.

Like

4. Jenks - June 2, 2014

I had the Blizzard key fob when they first came out, because I had a blackberry. Since then I’ve switched to the app version.

Some games like Firefall are piggybacking on Google’s authenticator, which is really neat.

Like

5. flosch - June 2, 2014

I’ve not played a lot of games recently. I think if I seriously got into a game again, I’d use an authenticator again. I like the additional security they provide. And given the choice, I’d probably opt for a opt for a hardware authenticator again, and not a phone app. I just don’t trust the security on my phone that much, there are suspiciously few security updates for the operating system itself, it’s worse than OSX.

I’ll also use this reply to shamelessly plug my “Authenticators? how do they work?” post I wrote some time ago, because I actually like how that turned out:

http://randomwaypoint.fajs.de/2014/02/authenticators-how-do-they-work/

Hope you don’t mind that, otherwise just cut it out.

Like

6. pkudude99 - June 2, 2014

I got one as part pf my SWTOR CE package, but haven’t used one in any other game.

Oddly, my problem with SWTOR right now is that I don’t recall my username since they swapped off using emails, but whenever I request them to send it to me…… never arrives. And I’m using an email account with no spam filter, I’ve added their address to my contact list to be sure it can be allowed even if there was a spam filter, but. .. . ah well.

Like

7. bhagpuss - June 2, 2014

I don’t have any physical authenticators but I do use the mobile ones when they’re on offer. I also positively like to be required to enter the code every time. I never let my PC remember anything for me at all if I can possibly avoid it. I always re-enter all information at time of use. That’s why you seeing me spell my name wrong when I comment!

Like

8. Wilhelm Arcturus - June 2, 2014

@sid67 – The thing with banks is that they really have to work with a much lower common denominator when it comes to clients. Aunt Mabel isn’t going to remember her password, much less be able to deal with a second factor to log in.

Not that the industry hasn’t considered it. At least 8 years back, when I was working on a phone banking application, there was talk of multi-factor authentication requirements that might become mandatory in the then near future. So we had to alter our design to accommodate such. There is some code that never got used. I am not even sure if that product is still live on any customer sites at this point.

On the other hand, getting access to even a test back end at a company like Fiserv required several layers of authentication, including a code fob similar (though bigger, with more digits) to the MMO authenticators.

Like

9. flosch - June 2, 2014

@Wilhelm Yeah, I remember, many years ago, our neighbor who worked for a bank (or was it at a big security-related tech company) had one of those early RSA tokens. I thought it was the coolest thing I had ever seen back then. But of course, that was for a bank employee, not Joe Average Customer.

Like

10. Helistar - June 2, 2014

I have and use it on my WoW account, and considering that SWtoR gives you +20% cartel coins monthly for using one when you’re subscribed, I can only assume that it really works in cutting down the number of hacked accounts (and the amount of customer service intervention).
@sid67: many banks don’t use an authenticator because they disallow most operations from their website. At my bank, if I want to send money to a new account, I must first “register” it as a possible destination, which requires more or less me to go to the bank to validate the thing…..

Like

11. Mabrick - June 2, 2014

@Wilhelm, this is an excellent topic even if it is only tangentially related to gaming. First think, yes, I contributed to your poll. I’m one of those who use two-factor authentication on any account I can. What I see happening in the world is a wider move to two-factor authentication, and it’s long over due. But fobs are dated, and Google Authenticator or any other app based code generator is just a fob. They were great 15 years ago when they were new, because nothing like them had ever been done. Today most people have a “fob” in their pocket. It’s their cell phone, and it doesn’t even have to be smart. SMS has become one of the main methods for accomplishing two-factor authentication. It’s superior to fobs in that it’s a completely fire and forget methodology. Once the code is used, that’s the end of that code. The next time you use one, the code will be randomly regenerated. This is not how fobs work. They are synchronized, usually at creation. That requires an algorithm. That algorithm is no necessarily unique. It is possible for a clever mathematician to figure it out and create a fob using the same algorithm. Then they can attempt a type of man-in-the-middle attack to redirect your next sync check and wahla, their fob is your fob. This is at least mitigated by software fobs in that they can easily be recalibrated. Stealing a fob’s identity is very difficult to do, but it is possible. SMS codes remove the algorithm. It’s a purely random generator.So, to add to your poll, I vote for SMS whenever possible.

Like

12. Will - June 2, 2014

@Wilhelm, comment 8. Banks outside the US require authentication, for both end users and corporate accounts. In the US the only place we see true 2-factor authentication is for Corporate banking, however, that is beginning to change: http://www.us.hsbc.com/1/2/home/about/press-room/2014/news_02112014_otp_release

Like

13. flosch - June 2, 2014

@Mabrick While I agree that SMS authentication is probably the safest you’ll get on a phone, I disagree about the reasons. The whole beauty of modern cryptography is that the secret is not in the algorithm used to encrypt. Pretty much all modern encryption algorithm are published and checked and rechecked countless times for possible loopholes. The idea is that all security is in the keys and that, correctly done, you can exchange those (almost) risk-free too, with everybody listening in on you, and still not gaining anything. A man-in-the-middle attack is a dangerous scenario, but you do not learn anything about the fob’s internal key from a single passcode.

What is dangerous, though, is the risk of your key that’s residing on your phone getting stolen. The main reason SMS is better is that the there’s no key to steal. That’s a definite security plus, seeing how I don’t really trust smartphones to be all that secure at the end of the day.

Like

14. Will - June 2, 2014

@flosch I’m not sure that I agree that SMS is stronger than an application on the phone. SMS has a bunch of vulnerabilities that make it very difficult to tell if it has been attacked. It’s kinda like the recent HeartBleed bug, essentially you won’t know you’ve been attacked until you are attacked. At least with a mobile application, there are anti-virus and other utilities that can help try to make the platform secure. Depending on the mobile security application, there are many functions they can implement to make the generation of that passcode secure too. Personally, I like hardware devices because there is only one interface and thats the LCD screen on the front, I don’t have to worry about what is happening outside of my eyesight (except for the creepy guy looking over my shoulder). However, the usability of a mobile application is the real winner. With the hardware device I have to type stuff in and its very secure, with a mobile application a bunch of times all I have to do is scan a QR code and I’m completely logged into the application I wanted to access.

Like

15. flosch - June 2, 2014

Hmm… true. I guess SMS feels more secure, ecause it comes a different way (phone network vs. Internet), but I actually don’t know how secure that is.

And yeah, I still prefer the tokens, I just meant on a mobile platform. I’m not sure about the security of Android and iOS; maybe you can properly harden it, but it sounds like an incredible chore. ;)

Like

16. Asmiroth - June 2, 2014

Maybe not authenticators but some sort of 2 factor. I had my WoW account hacked before the auth was a thing. You only need to login once with an empty character to see the logic behind more security.

Anyone working in IT has seen the writing on the wall too…

Like

17. Shintar - June 2, 2014

EA did sell the SWTOR fobs separately in the Origin store, but at least in the EU they were frequently unavailable and I think they’ve now removed them from the site completely. I also have an authenticator for WoW and for online transactions with my bank.

I’m not sure how necessary they really are. The one from my bank makes me feel more secure for sure, and I got the WoW one after my account was hacked, so I guess that had a reason for being there too. Not sure anyone would chase my SWTOR credits, but as has already been mentioned you get bonus store currency for having it, so why not.

I don’t like the move towards mobile versions as I don’t have a smartphone and don’t plan to get one in the near future either.

Like

18. Imakulata - June 2, 2014

Mabrick – I am not sure whether the SMS authentication will ever be popular with gaming companies. I don’t think the SMSes are free, even if the users don’t pay for them – at least not directly. It’s used in banking but banks send most of their SMSes to domestic number (gaming company, depending on region, will probably send a significant number of foreign ones) and they also send notifications via SMS (in other words, more messages) so they have more power when bargaining with the cell phone operators. Banks can also send you details of the order as an additional verification, which isn’t possible with authenticators, but it doesn’t apply to logging on.

Like

19. carson63000 - June 2, 2014

I use mobile authenticator apps on every game I can (which is Blizzard’s one, GW2, and Rift). Because, why not? I’ve always got my phone nearby, so might as well add a little extra security.

But I’ve never owned a physical one – living in Australia, they always seem to cost a couple of bucks plus like fifty bucks postage and handling. I think not.

Like

20. gwjanimej - June 2, 2014

I think my Rift account is the only place I’m not, and that’s just because I haven’t gotten around to setting it up yet. Every time I’ve planned on doing it, I’ve needed to get a new phone.

Like

21. Rambling Redshirt - June 3, 2014

I use a mobile authenticator wherever I can, but this button entry on Wildstar is a bit cumbersome. I much prefer to simply use the number pad rather than having to figure out the random positions of the number buttons to enter them each time I want to log in.

Like

22. Red - June 3, 2014

Authenticators has allowed me to use short and simple passwords while relying the Authenticators to provide the security. I’m firmly convinced that the future of passwords for the average user is a simple password + sometype of smart phone Authenticator. It in effect turns your phone into a key to access your accounts.

Like

23. Coubo - June 3, 2014

I think Wilheim is spot on. Authentificators are much less needed now than they used to be, also because game companies have significantly improved the way they handle security.

I have never used an authenticator in any game (be it WoW, Lotro or many others) and I was never hacked once in 10 years. It comes down to having a strong password and not getting virus on your computers. I think the WoW hacking epidemic was due to a combination of Blizzard having poor safety in place that allowed hacked to run brute force password guessing on their servers combined with a wide audience with weak passwords.

Like

24. Matt - June 3, 2014

I have the mobile WoW authenticator (was hacked in 2010 or thereabouts), but haven’t used it in a while, since the battle.net desktop app automatically authenticates. Maybe it does it the same way Steam et al do.

Like

25. SynCaine - June 3, 2014

“I do not actually own a smart phone”

Be more old.

Like

26. Wilhelm Arcturus - June 3, 2014

@SynCaine – Actually, this is a matter of “be more cheap.” I have had a mobile phone for more than 15 years now, but my phone usage tends to be so low that I changed to a pre-paid plan a few years back. So my wife’s iPhone bill is $90 a month and my cheap-o plan is $80 a year.

In theory there is a version of the mobile authenticator for my phone, an LG Rumor 2. In practice, Virgin Mobile (owned by Sprint now in the US) restricts downloads to the phone in such a draconian fashion that I am pretty much limited to buying expensive ring tones… which I don’t buy.

But hey, $80 a year and Sprint actually has coverage where I need it, like at my home, unlike AT&T. (Wife has to go outside and stand facing southeast to get a decent signal.)

Like

27. Jarhead - June 3, 2014

repeat after me – no one has ever had their accounts “hacked”. some people gave their passwords to power levellers. some people bought accounts and then had them reclaimed by original owners. some people shared accounts with guild mates. some people left their passwords where their little brother had access. some people used botting software that recorded their passwords. some people used their password on multiple locations including wow related media sites that were elaborate fishing scams. some people clicked stupid links, downloaded malware and got their accounts hacked.

Like

28. Wilhelm Arcturus - June 3, 2014

@Jarhead – “…and got their accounts hacked.”

It is more convincing if you don’t contradict yourself in your tirade. Clearly you are not at peace with your own statement.

And what does that have to do with authenticators which, among other things, keep people from getting their account plundered even if they slip up and get phished or end up with malware on their system?

Like

29. epicrevieweradmin - June 4, 2014

I have a fob still, from time to time it goes out of sync… I have to call Blizz to fix it… time to go with the app.

Like

30. Rowan - June 4, 2014

@Jarhead. You’re also victim blaming. I can pinpoint when my WoW account got hacked and it had nothing to do with my password, which was plenty strong and unique to WoW. It was just after the switch from username to battle.net affiliated email addresses. To this day, I believe the breach was on Blizzard’s end. (How many times have we seen company account databases get hacked in recent years?)

Meanwhile, as has been mentioned, WildStar has two-step authentication using Google’s app. With some in-game goodies and a small boost to XP and whatnot, I figured it was worth the small inconvenience.

@Rambling You’re right, the interface is cumbersome. Now imagine that on a 10-key door cipherlock. >_<

Like

31. pixelrevision - June 5, 2014

Seems like 2 factor SMS is the way to go along with tokens and ip combos when balancing security with convenience. One thing I never liked about Blizzards 2 factor mobile app is if your phone breaks you have a lot of hurdles to jump through to prove that you are yourself. If you use SMS then when you get your new phone you have your setup again.

Like


Voice your opinion... but be nice about it...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: