World of Warcraft

  • 0. How the Blizzard Authenticator works   01/07/2008 08:38:14 PDT
How the Blizzard Authenticator works, and why it improves security.


On 26/06/08, Blizzard announced the Blizzard Authenticator, a device that provides your WoW account with an extra layer of security. They sell this device in their Blizzard Store for €6. You may consider buying it, but is the extra security really worth the money? How much more secure does it make your account? This post will explain how this device works, and exactly why it makes your account more secure.


===How the authenticator works===

The Blizzard Authenticator is a token that you can put, for example, on your keychain. It has a little display that, once you press the button, will generate a 6-digit number that changes every minute.

This number is used as a 1-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won't be able to log in.

A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn't there any way for them to know which number the authenticator is going to display? The answer is no, and here's why.

Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example, the WoW release date, Tigole's birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can't extrapolate that into what number will be showing next.

The hacker also can't hack into the device itself to find out its key, because it doesn't connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.

So, if the hacker can't know your 1-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, Blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.

Even if the time on your authenticator doesn't exactly match the time on Blizzard's server, they still allow you to log in within a minute or so of the defined time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. This is a tested method that has proven itself to be secure.

[ Post edited by Ysgarth ]
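A worked model of the mechanism the post describes, added here as an example; it is not code from the original post or from Blizzard, and the real device's algorithm is not described on this page. It assumes the standard time-based OTP construction (HMAC-SHA1 over a 60-second time-step counter, as in RFC 6238), a constructed sample key, a constructed clock value, and a verification window of one step either side. It shows the four behaviours the post claims: a fresh code is accepted, the same code is rejected on replay, a fob whose clock runs slightly slow still works, and a device with a different key is refused.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post says the displayed number changes every minute
DIGITS = 6          # 6-digit code, as on the Blizzard device
WINDOW = 1          # accept one time step either side, as the post describes


def counter_for(timestamp: float, step: int = STEP_SECONDS) -> int:
    """Seconds since the epoch, bucketed into time steps (the fob's 'number of seconds')."""
    return int(timestamp // step)


def otp_for_counter(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """Derive the displayed code from the per-device key and the time-step counter.

    Assumption: HMAC-SHA1 with dynamic truncation, the construction used by
    RFC 4226/6238 tokens. The post only says the counter is 'encrypted' with a
    unique key; this is a stand-in for whatever the real device does.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenDevice:
    """Models the key fob: a clock and a secret key, with no other interface."""

    def __init__(self, key: bytes, clock_skew_seconds: int = 0):
        self._key = key
        self._skew = clock_skew_seconds   # a fob whose clock runs slow has a negative skew

    def display(self, true_time: float) -> str:
        return otp_for_counter(self._key, counter_for(true_time + self._skew))


class AuthServer:
    """Models the server side: it holds every device key and remembers used codes."""

    def __init__(self):
        self._keys = {}           # account -> device key
        self._last_counter = {}   # account -> highest time step already accepted

    def register(self, account: str, key: bytes) -> None:
        self._keys[account] = key

    def verify(self, account: str, code: str, now: float) -> bool:
        key = self._keys.get(account)
        if key is None:
            return False
        current = counter_for(now)
        for candidate in range(current - WINDOW, current + WINDOW + 1):
            # Replay protection: never accept a time step at or below the last one used.
            if candidate <= self._last_counter.get(account, -1):
                continue
            if hmac.compare_digest(otp_for_counter(key, candidate), code):
                self._last_counter[account] = candidate
                return True
        return False


def demo() -> dict:
    """Walk through the scenarios the post describes with a constructed key and clock."""
    key = bytes(range(20))                  # constructed sample key, not a real device key
    t0 = 1_200_000_000                      # constructed 'current time' in seconds
    server = AuthServer()
    server.register("alice", key)
    fob = TokenDevice(key)
    slow_fob = TokenDevice(key, clock_skew_seconds=-50)   # clock running 50 s behind
    stranger = TokenDevice(bytes(20))                     # device with a different key

    code = fob.display(t0)
    return {
        "first_login": server.verify("alice", code, t0),
        "replay_10s_later": server.verify("alice", code, t0 + 10),
        "slow_clock_accepted": server.verify("alice", slow_fob.display(t0 + 130), t0 + 130),
        "wrong_key_rejected": server.verify("alice", stranger.display(t0 + 200), t0 + 200),
        "unknown_account": server.verify("bob", code, t0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The replay check keeps only the highest accepted time step per account, which is what makes "that number is then disabled" true even inside the tolerance window: a code from the previous minute is still within the window, but its counter is no longer above the last accepted one.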

  • 1. Re: How the Blizzard Authenticator works   01/07/2008 08:39:15 PDT
===Is existing security not already enough?===

While the authenticator provides an extra security layer strong enough to make your account virtually unhacklable, you can already secure your computer a lot. Is the authenticator really needed?

If you're running Firefox with Noscript, Flashblock, adblockers, 5 different virus and spyware scanners, a NAT router with its ports strictly regulated, using Linux/MacOS X or another operating system, and other security measures I can't think of at the moment, you are probably really secure. The danger is hackers finding a new way to enter your system that isn't being guarded yet. Until the vulnerability is patched, or instructions to disable the exploited software are issued, you could potentially get infected with a virus or other malicious software during that short time. The more security measures you take, the lower the chance you will be vulnerable. But security is an ever-changing thing. You have to keep things up-to-date constantly in order to stay secure.

Using an authenticator is completely optional, but it does solve the problem by taking another approach. Instead of preventing keyloggers from getting onto your system, it makes you virtually immune to them. They can try, but with a login code that is always changing logging your keystrokes won't be any good.

If you wish to better secure your system without buying an authenticator, instructions are given in stickies on the WoW forums, links to which are provided at the end of this post.

Then there is the issue of cost. Blizzard is offering these for €6, but should they? It would be a lot better if they provided them for free right? Well, I doubt Blizzard is making money on these. The manufacturing and distribution of these tokens costs them money, and €6 is actually pretty cheap. Market prices for these devices can be around €50.

I myself have been playing for almost 30 months, so that's almost €400 this game has cost me already, and I'm not even counting the money I paid for the original game and the expansion. I'm not going to mind another €6, especially since it provides me the peace of mind of never risking account theft. I must admit I'm not using a lot of other security measures, so I will certainly be buying this.

[ Post edited by Ysgarth ]

  • 2. Re: How the Blizzard Authenticator works   01/07/2008 08:40:16 PDT
===More Information===

If you wish to learn more about this authentication technology, I got most of my information from the Security Now podcast. All episodes are freely available for download on http://www.grc.com/securitynow.htm. Transcripts are also available. The particular episode that deals with the authenticator technology is #90: Multifactor Authentication, the part which covers some of the information above starting 20 minutes into the episode.

===Useful Links===

Buy the Blizzard Authenticator:
http://eu.blizzard.com/store/details.xml?id=221003132

More information about the Blizzard Authenticator:
Press release: http://eu.blizzard.com/en/press/080626-ba.html
Support page http://eu.blizzard.com/support/article.xml?articleId=28151
FAQ page: http://eu.blizzard.com/support/article.xml?articleId=28152
Activating your authenticator: http://eu.blizzard.com/support/article.xml?articleId=29753

Links for securing your system against keyloggers (no authenticator required):
Protect your PC guide: http://forums.wow-europe.com/thread.html?topicId=273198555
Avoid getting hacked: http://forums.wow-europe.com/thread.html?topicId=102690401
Account security: http://forums.wow-europe.com/thread.html?topicId=35983697
How to recover a compromised account: http://forums.wow-europe.com/thread.html?topicId=17191745

[ Post edited by Ysgarth ]

  • Steamwheedle Cartel
  • 3. Re: How the Blizzard Authenticator works   01/07/2008 08:46:32 PDT
Nice info.
Will be more relevant when more of us can get access to the fobs but reported for sticky anyway.

[ Post edited by Casey ]


This is my main.
But I have a lot of high level alts.
  • Aggramar
  • 4. Re: How the Blizzard Authenticator works   01/07/2008 08:47:00 PDT
Thanks, this helped me a lot. I will buy one whenever I can, I wasn't going to bother before but this made me realise how it properly works.

Sticky!


Quote:
Epic is no longer as it used to be. Even my mom can get Epic now ^^


Ket
  • Ravenholdt
  • 5. Re: How the Blizzard Authenticator works   01/07/2008 08:54:31 PDT
Well said!
  • Burning Blade
  • 6. Re: How the Blizzard Authenticator works   01/07/2008 09:29:54 PDT
The US Government uses the RSA Authenticator. This is the same exact thing. It is well worth the price if you are an "internet experimentist".
  • Twisting Nether
  • 7. Re: How the Blizzard Authenticator works   01/07/2008 09:30:51 PDT
a way to hack it would be to have a "key logger" running that's more realtime. have the keylogger monitor two things 1) that you're typing in your PIN and randomly generated key fob number 2) that it has a hacker available at the other end to use the number real time. it would also have to previously grab your WoW username and password and store it for this point in time.

then the key logger takes the current PIN and random number and messages it to the hacker with the WoW username and password while at the same time it causes the authenticator entry screen (client) to crash so that the number is never presented to the authentication server and not yet used. this means that the number the hacker has just been messaged is still valid for around 60 seconds. at that point the hacker could log on to your account, disable the authentication or quickly email everything to his account.

just an idea, but would take quite a bit of work to do and therefore probably not worth it for the gold sellers.
  • Burning Blade
  • 8. Re: How the Blizzard Authenticator works   01/07/2008 09:44:55 PDT
Scrumpy, you need to L2READ.

"This means the password is only valid once. When you use it to log in, the code becomes invalid "

Real time won't help you once the password is entered and used. Try again.
  • 9. Re: How the Blizzard Authenticator works   01/07/2008 09:58:20 PDT
No, Scrumpy is right, read again what he said.

Rather than:

1) User types in user/password/random code
2) That gets sent through to Blizzard, and thus can't be used again
3) But the hacker also intercepted it...
4) and tries to use it, but can't because the one use is up

You have:

1) User types in user/password/random code
2) The program logging the keystrokes also BLOCKS the information from making it to Blizzard's authentication servers.
3) The information is sent to the hacker.
4) They use it to login, and NOW it's expired.

Yes, the hacker can only login ONCE, but that's all they need to clear out your gold and items. It will of course stop them from completely hijacking the account, but that's little consolation if you have to wait weeks to get your in-game money and items back.

There have been PRECISELY these kinds of hacks against bank accounts 'secured' with such one-time password generating devices. From the following URL:

http://www.theregister.co.uk/2007/01/19/phishers_attack_nordea/


Quote:
A July attack on Citibank demonstrated a technique that was even able to defeat two-factor authentication tactics. The second authentication factor used by Citibank is provided by a security token which generates a one-time password that remains valid for approximately one minute.


So please do not think that Blizzard's new one-time password token means you don't ALSO have to secure your machine against the bad guys.

-Ath
  • Runetotem
  • 10. Re: How the Blizzard Authenticator works   01/07/2008 10:20:00 PDT

Quote:
a way to hack it would be to have a "key logger" running that's more realtime. have the keylogger monitor two things 1) that you're typing in your PIN and randomly generated key fob number 2) that it has a hacker available at the other end to use the number real time. it would also have to previously grab your WoW username and password and store it for this point in time.

then the key logger takes the current PIN and random number and messages it to the hacker with the WoW username and password while at the same time it causes the authenticator entry screen (client) to crash so that the number is never presented to the authentication server and not yet used. this means that the number the hacker has just been messaged is still valid for around 60 seconds. at that point the hacker could log on to your account, disable the authentication or quickly email everything to his account.

just an idea, but would take quite a bit of work to do and therefore probably not worth it for the gold sellers.


Yep - easier to do than the banks as well as the WoW client is only used for playing Wow (as opposed to browsing random websites that might just be a bank).
Dirty hacker type writes a trojan that replaces the Wow client exe with a lightweight client (plays an mp3 in the background, probably static screen background as a large proportion of people won't pay enough attention to notice their graphic effects aren't working).

This light-weight client has a cross conversation with the user, the hacker's equipment and the real WoW servers - where the hacker sits as a 'man in the middle' passing information between you and blizz, but using the information to log their client in and not yours - congratulations, your account is 'hacked'

You could probably set up a nice dialler type environment as well using many Wow Clients, then the hacker can scroll through them, emptying them and logging off (you'd probably need a bot running on the newly nicked account clients to make sure it didn't AFK whilst waiting) when they've finished and on to the next.

All perfectly easy to do - especially when you consider the price of a WoW account to the gold sellers these days, so it certainly isn't a replacement for having your computer in a secure enough state to be connecting to the Internet - it is another level of security though (even if it's just that people will find it much harder to give their account details when signing up for gold buying or levelling services...)
  • Darkspear
  • 11. Re: How the Blizzard Authenticator works   01/07/2008 11:49:26 PDT
The trojan would be way too big to do this.
  • Magtheridon
  • 12. Re: How the Blizzard Authenticator works   01/07/2008 12:04:11 PDT
I find it absurd that we have to pay to make our accounts as safe as it can be.
  • Shadowsong
  • 13. Re: How the Blizzard Authenticator works   01/07/2008 12:16:48 PDT

Quote:
I find it absurd that we have to pay to make our accounts as safe as it can be.


Your account is as safe as the person behind the PC.

Service with a smile :-)
"Info about" topics are being updated ATM.
I'm back (for now): http://forums.wow-europe.com/thread.html?topicId=4673108548&sid=1
  • 14. Re: How the Blizzard Authenticator works   01/07/2008 12:22:12 PDT

Quote:
Your account is as safe as the person behind the PC.


But, I sit IN FRONT of my PC.. are you suggesting someone sits behind it too? Is he the hacker?! Quick someone inform Blizzard!!

Sorry! Sorry! I was taking life seriously for a moment!
  • Shadowsong
  • 15. Re: How the Blizzard Authenticator works   01/07/2008 12:24:55 PDT

Quote:
But, I sit IN FRONT of my PC.. are you suggesting someone sits behind it too? Is he the hacker?! Quick someone inform Blizzard!!


It's some kind of figure of speech. What I mean is that if your PC is secure enough, there is nothing to worry about. Granted, buying this authenticator can boost the security even more.

On the other hand, if you are careless with security then you go buy or try anything you want but eventually they will have your account.

Service with a smile :-)
"Info about" topics are being updated ATM.
I'm back (for now): http://forums.wow-europe.com/thread.html?topicId=4673108548&sid=1
  • 16. Re: How the Blizzard Authenticator works   01/07/2008 17:10:31 PDT
Isn't it a bit expensive?

World of Warcraft Wallpapers - http://www.imagehosting.gr/gallery_list.php?gal=1819
  • Shadowsong
  • 17. Re: How the Blizzard Authenticator works   01/07/2008 17:14:57 PDT

Quote:
Isn't it a bit expensive?


6-7 euros? IMO, no (not counting shopping cost).

Service with a smile :-)
"Info about" topics are being updated ATM.
I'm back (for now): http://forums.wow-europe.com/thread.html?topicId=4673108548&sid=1
  • Twisting Nether
  • 18. Re: How the Blizzard Authenticator works   02/07/2008 02:38:37 PDT

Quote:
Isn't it a bit expensive?


From what I can see this is RSA SecurID technology which is widely used in business - they may even have licenced it directly from RSA because it does appear to work on an identical principle which I'm sure must be copyrighted or something.

What Blizzard are reselling them to the punters for is an absolute bargain. Here at work, each RSA key fob costs me around £40 and that doesn't include the licence renewal and maintenance I have to pay every year to RSA for their software.

As someone who admins these fobs already to help secure my network, I totally agree with what Schwick has to say in that "your account is as safe as the person behind the PC". Most users are their own worst enemy, but Blizzard are trying to help as much as they can and this is one more option for the people who don't seem to understand enough about computer security to look after their own accounts. Nothing is ever 100% secure in computers, the weakest link is always the end user, but these authenticators will definitely help.

If people don't want to pay the money, they could always take more care over their system, do a bit of research for free (Blizzard give enough info themselves), be a bit more cautious about what they open on the internet and install some very good free virus protection. That's always been there, but it still appears that many people's accounts are still hacked daily due to end users' stupidity and failure to do the most basic maintenance on their PCs.

I guess Blizzard are trying to help, but it's also a case of covering their own backs by offering everything they can to help, but at some point the cost has to be passed onto people - and I'm glad it's being passed onto the lazy people rather than me :)
Blizzard Entertainment
Wryxian
Blizzard Poster
  • 19. Re: How the Blizzard Authenticator works   02/07/2008 02:46:53 PDT
Nice one, Ysgarth :-)

"True friends stab you in the front."
~ Oscar Wilde