Oct 20 2009

Matter of Factors

robert

One thing that Blizzard has not done a particularly good job of explaining to people is the Authenticator. I’d like to be able to point you toward the stuff they’ve written about it, but I’m writing from behind the bars of a corporate proxy and firewall, blocked from most of the net (which means they have not found this site yet). In fact I am writing from inside a meeting that I really don’t want to pay much attention to.

The Authenticator is axiomatically a Very Good Thing, for both Blizzard and for the player. It’s obvious that Blizzard spends a fair amount of time and effort dealing with hacked accounts, and it’s obvious that the victim of a hacked account (and possibly their guild) feels even more pain. Very loosely speaking there are two ways that accounts get hacked: either a trojan keylogger is installed on the victim’s computer, which captures the user name and password and passes them over to the EvilDoers, or the EvilDoers trick the user into revealing them.

The Authenticator has two forms at the moment: a program that runs on the iPhone/iPod, and a physical dongle that can hang off your keychain. In either case the Authenticator creates a long number derived from a mathematically complicated calculation unique to that instance of the Authenticator (more or less). This number is used in conjunction with the user name and password – in other words it’s a form of two-factor authentication. And it’s very secure.

Technically, theoretically, even two-factor authentication schemes can be subverted. But in practice for WoW the effort and complexity of subverting the Authenticator is decidedly non-trivial. A trojan keylogger could easily capture the user name, password, and magic number, but that number becomes useless after 10 seconds. The EvilDoer would need to use those factors within 10 seconds to log in to your account. Which is unlikely. In theory a trojan could be used to enable a man-in-the-middle attack… but really, it’s easier to farm gold than create this sort of hack.
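To make the expiry argument concrete, here is an added example (not from the original post, and not Blizzard's code) of how a server can check a short-lived code and refuse a captured one. It assumes a generic time-based one-time code in the style of RFC 6238; the post does not say which algorithm the Authenticator uses, and the 10-second step, the 8-digit length, the secret and the timestamp are all constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 10      # seconds a code stays valid; assumed, mirrors the figure in the text
DIGITS = 8     # code length; assumed


def code_at(secret: bytes, t: float) -> str:
    """HOTP (RFC 4226) computed over the time-step counter, as in RFC 6238."""
    counter = int(t) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: accept a code only for the current step, and only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def check(self, submitted: str, now: float) -> bool:
        step = int(now) // STEP
        if step <= self.last_used_step:
            return False                         # this step's code is already spent
        if not hmac.compare_digest(submitted, code_at(self.secret, now)):
            return False                         # wrong or expired code
        self.last_used_step = step
        return True


def demo() -> dict:
    secret = b"constructed-per-device-secret"    # constructed sample value
    t0 = 1_256_040_000                           # constructed time, on a step boundary
    captured = code_at(secret, t0)               # what a keylogger would record
    server = Verifier(secret)
    return {
        "owner_login": server.check(captured, t0 + 2),
        "replay_same_step": server.check(captured, t0 + 5),
        "replay_after_expiry": Verifier(secret).check(captured, t0 + STEP + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The single-use check is what closes the remaining gap: even inside the validity window, a code the owner has already spent is refused.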

The bottom line: use the Authenticator, it makes you much less likely to be hacked. It won’t protect you absolutely… Belmann says “always practice safe hex”.