Friday, June 17, 2011

Why the authenticator changes are bad

Like many WoW players, including Lodur over at World of Matticus, I earn my not insubstantial paycheck as an IT Manager.  Unlike Lodur, I don't think that this authenticator change is a good idea.  While I don't have any issues with the technologies being used to help ease the burden of using an authenticator, I do see a few potential pitfalls ahead of us.

Now, all this is being said with no real testing on my part.  I didn't spend hours and hours parsing logs, examining my firewall, or trying to do things like spoof my MAC address (or run through a routing host like PingFree).  In fact, my concerns aren't technical at all, but lean more towards the social engineering side of hacking.

Changing mid-stream is bad

Ask anyone who works in Customer Service, and they'll probably tell you that changing the way someone operates is generally a path to heartache and failure.  Anyone who upgraded users to the 'Ribbon' feature in Office probably experienced this.  It's not that there was a reduction in functionality, but the way it looked was simply different.  Heck, it was decidedly better than the previous version, but things just didn't look the same.

Now with security measures, this is even more extreme.  You want people to follow them, embrace them, love them even.  It doesn't matter what the measure is, they have to do it every time.  How many of us, just out of habit, erased our username when logging onto WoW because we hit Tab and then typed our authenticator code into the wrong field, KNOWING that the code field wasn't there any more?  We just habitually did it.

Making a habit something that is hit or miss

So now, years later, Blizzard has finally gotten (I'd hope) the majority of the userbase accustomed to using an authenticator.  It doesn't matter if it's on your phone, your iPad, or a dongle - you're using it.  Yeah, it's a pain in the ass when you get DC'd in the middle of a boss fight and you have to pull up the application on your iPhone (I assume, I use a dongle), but you're used to it.  Hell, as soon as I DC I'm already reaching for the thing.

So now it seems that Blizzard has changed the way this works.  I don't know if it's live yet, but based upon the blue post I read, sometimes you'll have to use it and other times you won't.  Based on Lodur's findings, it'll only be the first time you log in after a reboot.  I don't know how accurate this is, but it sounds feasible.

So here's my concern

Now you've got a bunch of folks who reluctantly agreed to use the bloody authenticator in the first place.  They get used to not having to enter the code, and then - they're hacked.  Seeing the box pop up every time, having to enter the code every time - this was reinforcement of good behavior, and it gave the user a baseline for what a legitimate login looks like.  Now?  It's hit or miss.  What if you're a player who doesn't read the forums, or blogs, or anything else?  Am I going to get an email in my BNet account about this?  How will I know it's not another phishing attempt?  Once the prompt is sometimes there and sometimes not, how long will it be before someone writes an application that causes a fake authenticator window to pop up, and how would a player tell the difference?

Who knows.

Now granted, part of my job is to do network security, so I'm naturally paranoid and suspicious.  I'm sure that the good folks at Blizzard have thought this out from a technical standpoint, but the thought of not having some kind of indication that you've actually authenticated securely seems like an oversight to me.  Maybe just putting some kind of notice on your latency meter - I don't know.


  1. I had many concerns about this change. One point that you covered never even occurred to me, "How long will it be before someone writes an application that will cause an authenticator window to pop up?" I don't think that's being paranoid at all. How am I supposed to know I'm secure if my authenticator check sporadically pops up whenever it feels like it.
    This just seems like an unneeded change to me... Why fix something that isn't broken?

  2. Well, I just got the authenticator a couple of months ago and got used to it. It only takes seconds to do and I felt good about the extra security of it.

    One day I logged in and no code to enter? So I call in to be told it was changed, by a recorded customer service message. I don't read forums or blogs most of the time.

    Now I don't have to use it to log in, and if there is a problem I may have to at some point in time, but I am not used to having it there each and every log in, so where the heck is it now that I need it? GET MY POINT?

    Dumb idea, I think, and now I am right back to before buying it to begin with, it feels like, with no extra security at all. Bet many feel the same way.

  3. One of the reasons it may have been changed is Rift's system of automatically reloading you in if you get booted off the server instead of having to relog. That doesn't even ask you for your password, so it may or may not be safer than Blizz's new idea.

    The second reason, maybe it's just me, but since the new network speed option I have been experiencing lower latency in dungeons, which is great, but I have been getting booted back to the login screen when logging out of one toon and logging into a second in quick succession a lot more often than I used to.

  4. I certainly miss it - and I'm just waiting for the day when I need it and my cat has decided that it needs to live under the couch in her mini-mouse concentration camp.

  5. Blizzard flat out lied about the change. It is not as secure as before. But as a fact, it is now less secure.

    Roommates and siblings are a great example. Knowing someone's login and password is trivial. If your sibling or roommate gets onto your computer and logs in, the authenticator does not ask for a code, and they are in.

    This is a basic security 101 prevention. Someone at Blizzard screwed up in a huge way.

  6. I'm sorry Shannara, but I have to disagree with you on this point. While there are a few technical reasons why this could be less secure, from the standpoint of roommates/siblings, etc., you shouldn't be sharing your password with them in the first place. This is an area where there has to be some self-accountability.

    You agreed to keep your information secure when you agreed to the ToS. If you've shared this information with someone, that's on you. If you use the same password for multiple accounts (i.e. WoW, Rifts, etc), that's on you. The authenticator is there to prevent hacks and account theft from outside sources. Of course anyone who works security knows that insider threats are the most dangerous, but still.
