Authenticators… Are They Still a Thing?

In which I demonstrate I am clearly running out of things to write about.

There was a point in time, a few years back, when account authenticators were very much a thing.  Back when WoW accounts seemed to be getting hacked almost constantly and people were even phishing for EverQuest II account data, authenticators were news.  I, my daughter, and my mother all have authenticator fobs for our respective WoW accounts.

How many times have I used this shot?

I also have an authenticator fobs for SOE games, although I stopped using it.  Blizzard managed to streamline the authenticator process, requiring it only weekly so long as my IP address/login computer doesn’t change.  SOE’s “append your token to the end of your password” method, which was always a bit awkward, is also resistant to any streamlining.  (And they show a freakin’ SOE mini-splash screen for two seconds when you hit the button? WTF?)  So I decided a long password would suffice for them  Plus, who steals SOE accounts these days?  Is there any money in that?

Other companies offered them as well.  Square Enix had them for their Final Fantasy XI and Final Fantasy XIV MMOs.  EA offered up an authenticator fob for Star Wars: The Old Republic as part of the collector’s edition.

Look, a fob!

If I recall right, CCP even gave out an authenticator fob, or at least talked about one, for EVE Online at FanFest a couple years back, though they have not to my knowledge, implemented multi-factor authentication with it so far… which seems odd, given the meta game there.

All of these are branded versions of the VASCO Digipass Go 6 device.  The trend seemed to be to go that route, no doubt because VASCO has a package that made integration manageable and ability to supply a company like Blizzard, which has millions of customer accounts.  This also allowed companies to go with a “mobile authenticator” option, giving players access to authenticator functionality on their smart phones.   Some companies, such as Trion, have opted to go solely with such an options.  Others, like SOE, only have the authenticator fob option, but promise to get smart phone functionality in the near future.  (But not soon.  We know what SOE means when they say “Soon™”.)

Not that the SOE approach bothers me.  I do not actually own a smart phone, and while I have an iPad, it tends to be a device I only use when away from my computer.  So the authenticator fob works out well for me.  It is a small, single purpose device that sits right where I need it, next to my keyboard.

But, aside from SOE and Blizzard, not many companies seem to be pursuing the who authenticator fob idea.  Square Enix was perpetually out of st0ck on fobs, while I am not even sure you could buy one independently from EA.  And even Blizzard seems to go hot and cold on the idea.  For a while they were giving them away if you knew where to look, while at other times they haven’t been available for love or money.  That was most recently the case when they split the Blizzard Store into the Battle.net Shop and the Gear Store. (Hint: It is in the Gear Store.)

Then again, WoW is the only game where accounts getting hacked seemed to reach epidemic proportions, with nearly everybody in our little guild who didn’t have an authenticator having their account hacked or otherwise compromised at one point a couple of years back.  So I am not sure I really need to bother with an authenticator for other games.  Somebody tried to access my GuildWars 2 account last month… I got three email messages that were in response to a request for a password reset… but there isn’t anything there to steal.  I am not sure I would even notice if somebody got in and did something.  But I changed the password on that email account ahead of schedule, just in case.

So where do people stand on the whole authenticator thing these days?  I wouldn’t remove mine from my WoW account given past history, and I might like the option for EVE Online, given its meta-game tone.  But I feel comfortable enough with decent, unique passwords on other accounts.

How about you and authenticators, fob or mobile based?

The SOE Authenticator

Another tale for the Sony Online Entertainment files.

There is a general rule for online shopping, which is that you should never do it after dark.

The theory is that, at the end of the day, you are tired and more susceptible to making poor or impulsive purchasing decisions.  But if you wait until the morning, you will have given yourself enough time to talk yourself out of any bad ideas.

Given my own past after-dark purchasing record, I am afraid I must agree.  I have, as one example, a pile of songs on my iPod that I bought of iTunes at 10pm at night in a fit of nostalgia.  Then I don’t ever really listen to them again.  I keep them on the iPod as a reminder.  I have a special play list for that.

Still, that is apparently not reminder enough.

So there I was, at about 9pm on Monday night, tinkering around in EverQuest II.  I wanted another peek before my account lapsed.

And while I was there, I decided that maybe I should put an authenticator on my SOE account, just as another layer of protection.  I am the guild leader in two guilds.  Getting hacked could impact us… should anybody log on and notice.

Fortunately, given the after dark rule, SOE seemed quite disinclined to sell me one.

The Station Store is still down.  There is nothing on the SOE main page about the authenticator.  There is no search function to find things.

Eventually I had to leave the SOE site, go to Google, and search on “SOE Authenticator” there.

That actually lead me to the page on their site dedicated to the authenticator.

Easy to Use!

I hate to say it, but typical SOE shooting themselves in the foot, making available something they want their users to have, then hiding it.

So there was the big green “Buy Now” button, so I clicked it.

The site went through the motions of letting me enter my information to buy the authenticator.

Then, on the last step, the site crapped out.  It gave me an error.  It said I should try back later.

Fine.  Whatever.  I probably didn’t need the thing really.  It was an after dark online purchase and all.

But then I got home from work last night to fine a little box had arrived for me from 8928 Tennan Ct., San Diego.

So the site worked well enough to get me an authenticator.  On the other hand, I checked the activity on my credit card and they haven’t bothered to charge me yet.  Now, there can be some delay in showing up on my online statement, but it wouldn’t surprise me if there was yet another error in the process.

Nor was there any order confirmation email sent to me.  SOE always follows up with one of those.  I have a directory where I store them away.  But none with this purchase.  So who knows where the process broke.

Still, I have the authenticator.  It came with a little flyer describing how to use it.

Congratulations! You actually got one!

And I was able to add the to my account.  And it even works.

I had visions of yet more errors on their site.

I see this a lot when accessing my account…

Their whole setup doesn’t seem like it has been put back together right since the big security breach.  I realize that was a big deal, but SOE has been back up since May, and items that were broken back then mostly remain broken today.

Functionally, the authenticator works pretty much like the Blizzard authenticator, with one exception.

When you press the button to get your code, the damn thing pauses for 2 seconds to spell out SOE on the display (Well, S [] E in any case) before showing you the code.  Essentially, they put a splash screen on my authenticaor.  Bleh.

And, just for one final kick in the teeth, once I added the authenticator to the account, I had to go read the FAQ to figure out how to use it.  This should be the easy part.  And if it wasn’t, it should have been on the flyer in the box.

Blizzard, they put up a special field to type in your authenticator code.  It echoes back the numbers you type, since they change every time, so you can verify the code.

SOE, on the other hand, didn’t want to have to change the UI across all their games I guess, so they found another solution.

Where do I enter the authenticator code (PIN) after successfully ADDING the SOE Authenticator to my Station Account?

During your normal login procedure you will enter your Station password plus your unique, one-time authenticator code (PIN) in the same field. Please note you will be required to enter both your Station password and your unique, one-time authenticator code (PIN) in that order. Each time you log in to your Station Account you will be required to enter your current Station password plus your unique, one-time authenticator code (PIN). Log in using both and rest assured knowing your Station Account is now even more secure from malicious attacks and possible threats.

And even that was kind of a “huh?” paragraph.  Who wrote that?  Technically, just saying “enter your password plus… code” describes the Blizz process as well.

But they also sent along an email confirmation (see, I told you they always do that) with a picture for those of us who get hung up on any possible ambiguity.

Yes, type in your password, press the button on your authenticator, wait for the splash screen to go away, then type in the six digit string at the end of your password, which like the password, echoes back dots. (Don’t type the plus.)  Essentially, your password becomes your old password plus the six digit code the authenticator.

It seems to work.  I am able to log onto my account on the web site as well as into multiple SOE games with it, so their “no UI change” design approach was a success.

The whole thing though, from ordering to use, just doesn’t feel as smooth as the Blizzard implementation.

But if that isn’t SOE’s usual song, I don’t know what is.

But Will It Work With My Blizzard Authenticator?

One of the interesting announcements that came out of Sony Online Entertainment’s Fan Faire was the addition of two factor authentication options for your SOE Station Account.

Basically, you can have an authenticator just like Blizzard offers. (Or a an app for your smart phone at some point soon.)

I am sure there is something that could be said about this showing up more than two years after Blizzard made such a device available.  But it could be that account hacking isn’t as big an issue at SOE as it is at Blizzard.  The price of popularity.

And SOE is still ahead of most other companies on this front.  I am surprised that CCP has not adopted this system for EVE Online yet.

The physical authenticator you can purchase (or could purchase if the Station Store was working) looks to be the same model of Vasco Digipass model that Blizzard uses.

SOE Authenticator

Picture above “borrowed” from the EQ2 Wire article on the subject.

Stock Blizzard Authenticator Footage

Since both companies appear to be using the same authenticator from Vasco with the same 10-digit number on the back, my first thought was about compatibility.

It sure would be nice if I could use just one authenticator across multiple games.  SOE would get the same benefit, another user with a secure account, without having to ship me a unit that is probably a break-even proposition at best.  And it would save me $10.

(SOE is selling them for $9.95 compared to Blizzard’s $6.95, which I am going to guess is based on the number of units each company ordered.  Having an order of magnitude more users in the US gets you a discount I bet.)

However, the SOE Authenticator FAQ is unsurprisingly quiet on the subject of compatibility with Blizzard.

I guess I will just have to try registering my Blizzard authenticator on my Station Account to see.  The 10-digit serial number might be generic across the Vasco product line… or it might be specifically tied to the authentication backend service SOE has licensed.

We shall see.

Addendum:

In further surprising proof that a wide range of people read this blog, I received a note from Will at VASCO Data Security, the makers of the authenticator fobs and the creators of the back end security infrastructure for them, regarding compatibility between SOE and Blizzard authenticators.

I can also state that the devices used by the different partners out there are currently not interchangeable.  They are owned by their respective companies and there is currently no way for them to be shared between them.

That said, he does feel the pain of having to have multiple devices on hand.

As an avid gamer and a lover of security, the ability for one device to be used across multiple providers is something that I am strongly advising for and hopefully is something we will see soon.

See, gamers are everywhere.

And, he also added in that CCP has actually signed up to offer authenticators, something I totally forgot about.

I am happy to point out that CCP is also a VASCO customer and has also announced their usage of the DIGIPASS at their fan faire earlier this year.

He even provided a link to a video of the CCP Security session at their fan event which sparked the “Oh, yeah” moment for me.

The SOE announcement was part of the Fan Faire community address, the video of which you can find here thanks to the team GameBreaker.tv.

Thanks to Will for this information!