WoW: Authenticator

So, one of the responses to my post about my WoW account getting hacked suggested getting an “Authenticator”. I remember seeing these devices in the Blizzard store, and basically dismissing them as akin to the identity-theft protection plans sold by credit card companies: an attempt to scare you into paying extra money for something that’s really supposed to be part of the vendor’s job anyway. But this impression was, it turns out, way off. For one thing, you can get an Authenticator free of charge. Blizzard will sell you a hardware device if you need it, a little LCD-display device that fits on a keychain, but they also provide a free app for various mobile platforms (including, but not limited to, iOS and Android), as well as an option to do your authentication through a toll-free telephone number. Basically, they just want you to use an Authenticator of some sort, and try to make it as accessible as possible. In fact, they go so far as to give a special thank-you in the form of a vanity pet — a “core hound pup” — to anyone who links an Authenticator of any kind to their account. As chance would have it, I had exactly 14 pets before I set up my Authenticator, and there’s an Achievement for acquiring 15. So already I think it’s worth the time it took to download the app.

And what does an Authenticator do? It generates eight-digit numbers, which are then required to log onto your account, both in the game and on the web. These numbers are apparently only good for 30 seconds — at least, that’s how often the mobile app version spits out a fresh one. When I saw how it all worked, my first reaction was that there should really be some way to link the authentication to a particular machine instead, like Steam can do, so that you don’t have this extra step every time you log in. But apparently it does that too: once the server recognizes that you log in consistently from the same machine, it stops asking for the Authenticator code there. And, having wished for that, I now hope that there’s a way to stop it if necessary.
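The "eight digits, fresh every 30 seconds" behaviour described above is what a time-based one-time password looks like from the outside. The block below is an added example, not Blizzard's code and not something the post describes in detail: it assumes the generic RFC 6238 construction (HMAC-SHA1 over a 30-second counter, truncated to 6 or 8 digits) and pairs it with a server-side check that tolerates one step of clock skew but refuses to accept the same step twice, so a code that was shoulder-surfed or keylogged cannot be replayed. The secret and timestamps are the published RFC test values, used here only so the output can be checked.

```python
"""
Time-based one-time passwords in the RFC 6238 style.
Illustrative code added to this page; it assumes the generic TOTP
construction and is not the Authenticator's actual algorithm, which
the post does not specify.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared seed from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# In a real deployment this is the per-account secret provisioned into the
# device or app; whoever holds it can produce every future code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, digits: int = 8, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    digits=8 mirrors the mobile-app codes the post describes; digits=6 mirrors
    the keychain devices mentioned in the comments.
    """
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts the current 30-second step plus `window` steps either side to
    absorb clock drift, and remembers the highest step already used so a
    captured code cannot be submitted a second time.
    """

    def __init__(self, secret: bytes, digits: int = 8, step: int = 30, window: int = 1):
        self.secret = secret
        self.digits = digits
        self.step = step
        self.window = window
        self.last_accepted_step = -1             # no step consumed yet

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        current = at // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue                         # replay of an already-used step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Print the code a device seeded with the test secret would show right now.
    print("current 8-digit code:", totp(RFC_TEST_SECRET))
    print("current 6-digit code:", totp(RFC_TEST_SECRET, digits=6))
```

Two things the code makes concrete that the paragraph only hints at. First, the device holds no per-login state: the code is a pure function of a shared seed and the clock, which is why a code is "good for 30 seconds" and why the server can grant a one-step grace period without weakening much. Second, everything rests on the seed, so the seed is what an attacker wants; a stolen seed clones the Authenticator regardless of how many digits it shows.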

Now, there can only be one Authenticator paired with an account at a time. This seems reasonable to me: if there were a way to register a second Authenticator, you wouldn’t be able to be sure that no one else can access your account. But it does raise an issue: if you don’t have an authenticator, the attackers can link your account to an Authenticator of their own, thereby locking you out. Mind you, they’d have to also have access to your email in order to confirm the link, but that’s a possibility: if they can get access to your Battle.net password, there’s a reasonable chance that they can get your email password as well (especially if they’re the same). And being locked out would make it difficult to submit a support ticket, or even to cancel your subscription. So to that extent, the existence of Authenticators actually makes things a little less secure for the people who don’t have them.

I’d complain about this if there were any good reason not to have an Authenticator, but as far as I can tell, there isn’t. The only downside is the extra step in the login process, and that’s nothing next to the worry and inconvenience of being hacked, even if (as in my case) it’s a temporary condition. I don’t really like the fact that an Authenticator is a must-have, but that’s genuinely the way it is. I only wish someone had convinced me of this sooner.

2 Comments so far

  1. malkav11 on 22 Aug 2011

    I wouldn’t even come back to WoW after my hacking incident until they rolled the physical authenticators out (which use a six digit code, incidentally, rather than the 8 digits of the mobile variety). It’s not a perfect system, and I’m sure there’s still some way around it, but I’ve had people nose around my account several times since I installed the authenticator and am very glad it’s there. I suspect it’s just going to be a thing that MMOs do from here on out, as all of them have to deal with hackers to some degree. WoW is just far more popular and thus valuable to the hackers. Rift’s already released a mobile app authenticator.

  2. Merus on 23 Aug 2011

    “And, having wished for that, I now hope that there’s a way to stop it if necessary.”

    This was a very recent change; apparently they’re going to add it back in. It’s probably security theatre, but then you never know, they might be naive enough to go by IP and MAC address.

    “But it does raise an issue: if you don’t have an authenticator, the attackers can link it to an Authenticator of their own, thereby locking you out.”

    If this happens, generally you have to go through the same ‘I’ve been hacked’ process as you would if you didn’t have an authenticator, which often involves a security check to prove you own the account.
