One of the interesting announcements that came out of Sony Online Entertainment’s Fan Faire was the addition of two factor authentication options for your SOE Station Account.
Basically, you can have an authenticator just like Blizzard offers. (Or an app for your smart phone at some point soon.)
I am sure there is something that could be said about this showing up more than two years after Blizzard made such a device available. But it could be that account hacking isn’t as big an issue at SOE as it is at Blizzard. The price of popularity.
And SOE is still ahead of most other companies on this front. I am surprised that CCP has not adopted this system for EVE Online yet.
The physical authenticator you can purchase (or could purchase if the Station Store was working) looks to be the same Vasco Digipass model that Blizzard uses.
Picture above “borrowed” from the EQ2 Wire article on the subject.
Since both companies appear to be using the same authenticator from Vasco with the same 10-digit number on the back, my first thought was about compatibility.
It sure would be nice if I could use just one authenticator across multiple games. SOE would get the same benefit, another user with a secure account, without having to ship me a unit that is probably a break-even proposition at best. And it would save me $10.
(SOE is selling them for $9.95 compared to Blizzard’s $6.95, which I am going to guess is based on the number of units each company ordered. Having an order of magnitude more users in the US gets you a discount I bet.)
However, the SOE Authenticator FAQ is unsurprisingly quiet on the subject of compatibility with Blizzard.
I guess I will just have to try registering my Blizzard authenticator on my Station Account to see. The 10-digit serial number might be generic across the Vasco product line… or it might be specifically tied to the authentication backend service SOE has licensed.
We shall see.
Addendum:
In further surprising proof that a wide range of people read this blog, I received a note from Will at VASCO Data Security, the makers of the authenticator fobs and the creators of the back end security infrastructure for them, regarding compatibility between SOE and Blizzard authenticators.
I can also state that the devices used by the different partners out there are currently not interchangeable. They are owned by their respective companies and there is currently no way for them to be shared between them.
That said, he does feel the pain of having to have multiple devices on hand.
As an avid gamer and a lover of security, the ability for one device to be used across multiple providers is something that I am strongly advising for and hopefully is something we will see soon.
See, gamers are everywhere.
He also added that CCP has actually signed up to offer authenticators, something I totally forgot about.
I am happy to point out that CCP is also a VASCO customer and has also announced their usage of the DIGIPASS at their fan faire earlier this year.
He even provided a link to a video of the CCP Security session at their fan event which sparked the “Oh, yeah” moment for me.
The SOE announcement was part of the Fan Faire community address, the video of which you can find here thanks to the team at GameBreaker.tv.
Thanks to Will for this information!
They won’t be compatible. Using the serial number on the back of your Blizzard authenticator, Blizzard is able to determine what number will be displayed on your authenticator at any given point in time. The same is (or will be) true for SOE and the SOE authenticators. Each company that contracts with Vasco has their own key. Otherwise, any Vasco customer would be able to hack into any other Vasco customer’s database knowing only the serial number of an authenticator. That would make an authenticator only as secure as a password.
I agree that they will likely not be compatible. But Vasco sells Digipass GO 6 units over the counter and in multi-packs at something like a retail level, so I would guess that they offer some low cost service that is less secure, though such units might need to be individually registered with a given security installation.
And, of course, it is nice to get a definitive answer from the source on these things. My thanks to Will at VASCO for the note!
If ‘Will at VASCO’ is reading the comments, he might want to have his sales people call on NCSoft and remind them what happened at SOE, especially considering how NCSoft has a bad rep with accounts being hacked. I know I’d buy one for $10 if it protected GW (and GW2), Aion, and the rest of their games.
“It sure would be nice if I could use just one authenticator across multiple games. ”
What a great idea!
Just one Authentication Site for the entire online game industry.
Think of it! One stop shop for any cyber criminal to: target with direct attacks, spear-phish, push a bot run DDOS against, test zero day attacks on.
Background-
The (GOOD) reason why you can’t use tokens across auth servers right now is due to the site dependent seeds. It gets a bit techy but to create a trust web you need a root Cert authority. That root essentially needs to self certify this root then issues certs to tokens, SSL, email etc. This is why you can’t cross this boundary. [but as a bonus a breach at one customer does not mean ALL tokens are now insecure]
In the wake of the RSA break-in read here (http://www.nytimes.com/2011/06/08/business/08security.html?pagewanted=all)
The actual target of this breach WAS the salts or root cert info that made each site secure to itself. The hackers (obviously state sponsored) wanted to get the root info to attack other big RSA token users [the defense contractor Lockheed being one – you know the company that builds our two Stealth Fighters… hmmm wonder who would want to hack them… eh probably NOT the same place that has all the gold “farmers” after all hacking Wow is different right?… wait a minute Wow uses PC clients and offices use PCs ah well just a coincidence] read here – http://www.infoworld.com/t/hacking/lockheed-hack-should-put-the-us-high-alert-329
Sigh I guess those hackers just needed help on their new toy – http://www.bbc.co.uk/news/world-asia-pacific-12266973
FYI this is a statement below that is either naive or NOT a credible security authority —
“As an avid gamer and a lover of security, the ability for one device to be used across multiple providers is something that I am strongly advising for and hopefully is something we will see soon.”
This is just absurd given the RSA break in. NEVER EVER believe anyone who espouses security through single points of failure and single points of trust.
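An added illustration of the point made in the comments above about per-company keys and site-dependent seeds; it is not code from the post, the commenters or VASCO. It uses standard RFC 6238 TOTP as a stand-in because the DIGIPASS algorithm is not described on this page, and the seed-derivation scheme, provider keys and serial number are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults, assumed; not DIGIPASS parameters

def derive_seed(provider_key: bytes, serial: str) -> bytes:
    # Hypothetical scheme: the device seed depends on the provider's own key,
    # so the serial printed on the fob is not enough to compute codes.
    return hmac.new(provider_key, serial.encode(), hashlib.sha256).digest()

def totp(seed: bytes, unix_time: int) -> str:
    # RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then the
    # RFC 4226 dynamic truncation down to DIGITS decimal digits.
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Provider:
    def __init__(self, master_key: bytes):
        self._key = master_key
        self._serials = set()

    def register(self, serial: str) -> None:
        self._serials.add(serial)

    def verify(self, serial: str, code: str, now: int, drift: int = 1) -> bool:
        if serial not in self._serials:
            return False
        seed = derive_seed(self._key, serial)
        # Accept neighbouring time steps to tolerate clock drift on the fob.
        return any(
            hmac.compare_digest(totp(seed, now + d * STEP), code)
            for d in range(-drift, drift + 1)
        )

def demo(now: int = 1_300_000_000):
    serial = "0000000000"                      # constructed 10-digit serial
    a = Provider(b"constructed-key-provider-a")
    b = Provider(b"constructed-key-provider-b")
    a.register(serial)
    b.register(serial)                         # user types the same serial at B
    fob_code = totp(derive_seed(b"constructed-key-provider-a", serial), now)
    return a.verify(serial, fob_code, now), b.verify(serial, fob_code, now)

if __name__ == "__main__":
    print(demo())
```

Registering the same serial at the second provider does not help: without the first provider's key it derives a different seed, so the fob's code fails verification there.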