Author Topic: Blizzard introducing security dongle  (Read 25383 times)
Numtini
Terracotta Army
Posts: 7675


on: June 27, 2008, 06:11:13 AM

I just ran into this, apparently the keylogger and account security problem is so bad that Blizzard is going to introduce a hardware authenticator, I assume a USB dongle of some kind for account authentication. It's an interesting idea. I wonder if this type of thing will become more standard. Should be cheap enough to just stick in a box. Given how much CSR time they use, I'm surprised they don't just include it in the next expansion.

If you can read this, you're on a board populated by misogynist assholes.
kaid
Terracotta Army
Posts: 3113


Reply #1 on: June 27, 2008, 06:12:33 AM

It's all fun and games until somebody steals or you lose your dongle and then you are really up the creek.
Trippy
Administrator
Posts: 23657


Reply #2 on: June 27, 2008, 06:35:37 AM

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID
cevik
I'm Special
Posts: 1690

I've always wondered about the All Black People Eat Watermelons


Reply #3 on: June 27, 2008, 06:39:49 AM

I really hate those things, it's going to be a usability nightmare for Blizzard.  I hope this remains optional (and dies a quick death).

The above space is available for purchase.  Send a Private Message for a complete price list and payment information.  Thank you for your business.
fuser
Terracotta Army
Posts: 1572


Reply #4 on: June 27, 2008, 06:44:23 AM

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID


I hate those... tokens used to always go outta sync with the software just when you needed to use em. Cool thing was the 6 digit token used to be only active for 30 seconds so if you were entering your username/password/token you had to wait for the digits to roll over which was constantly happening on the token without any user input.

From the press release "Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button."

Newer ones look a bit better and my god for $7 that's pretty freaking smart as you still require your own user chosen password.
bhodi
Moderator
Posts: 6817

No lie.


Reply #5 on: June 27, 2008, 06:45:35 AM

They need *something* to combat keyloggers in internet cafes. The problem is huge, and this is as good a solution as any. I know three people who've had their accounts stolen in that way. Of course it will be optional! This is an additional layer of security (2 factor authentication) for people who desire it.

Just like the SecurID token Trippy posted, and the one that cevik probably uses, and the one that I use (Aladdin), it's used in addition to your game password. The general method is your normal password and then the numbers that the device spits out on the end. Just having the token does not get you in, any more than just knowing the password would. You'd have to both know the user name, password, AND have the device to get into your account.
Bunk
Contributor
Posts: 5828

Operating Thetan One


Reply #6 on: June 27, 2008, 06:48:29 AM

Ok, that sounds reasonable as long as it's an option. Having also had our company use a dongle in the past, I will attest to what an utter nightmare they can be to support.

"Welcome to the internet, pussy." - VDL
"I have retard strength." - Schild
fuser
Terracotta Army
Posts: 1572


Reply #7 on: June 27, 2008, 07:01:37 AM

They have a decent FAQ. This is actually quite good, big kudos to Blizzard!

What is the Blizzard Authenticator?

The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.

Where do I enter the digital code when I log in to World of Warcraft or to Account Management?

After you enter the account name and password, you’ll be prompted to provide the digital code from your Blizzard Authenticator. You must press the button on your Authenticator and enter the code it displays to complete your login.


Can I apply my Blizzard Authenticator to more than one account?

Yes! You’re welcome to associate a single Blizzard Authenticator to as many accounts as you like. Please remember that you must have that Authenticator with you to log in to any of these accounts afterwards.
Trippy
Administrator
Posts: 23657


Reply #8 on: June 27, 2008, 07:03:27 AM

They need *something* to combat keyloggers in internet cafes. The problem is huge, and this is as good a solution as any. I know three people who've had their accounts stolen in that way. Of course it will be optional! This is an additional layer of security (2 factor authentication) for people who desire it.
I'm waiting for the first news report of somebody being beaten up/robbed for one of those things. Ohhhhh, I see.

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.
Viin
Terracotta Army
Posts: 6159


Reply #9 on: June 27, 2008, 07:06:35 AM

We've used these internally at AOL for years - never had a problem with them, unless I let it expire (after 2 years).  They also started offering this to consumers a couple years ago, for logging in to the AOL client - mostly to keep kids from logging in I think, as mom has the SecurID fob in her purse.

- Viin
vex
Terracotta Army
Posts: 178

Smock, turban, latex gloves and rubber slippers.


Reply #10 on: June 27, 2008, 07:26:49 AM

I think they are a good idea for people who desire that level of security.  I used to use one for our work VPN and it wasn't a big deal.  Personally I don't know if I'd get one to secure a game account but when PayPal started offering them for $5 I didn't hesitate on that.
Lakov_Sanite
Terracotta Army
Posts: 7590


Reply #11 on: June 27, 2008, 07:30:29 AM

To chime in with more of the same.  For $7 and optional? This is certainly going to be a big thing for those who play at cafes, work etc and also more $$$ hats for Blizzard

edit: i hope to god they make it murloc shaped

~a horrific, dark simulacrum that glares balefully at us, with evil intent.
Trippy
Administrator
Posts: 23657


Reply #12 on: June 27, 2008, 07:34:45 AM

Actually they are probably losing (a little) money on those things given the hardware cost to them for the fobs and the costs on their end to license the software/hardware and modify their accounts system to support the keys.
Hawkbit
Terracotta Army
Posts: 5531

Like a Klansman in the ghetto.


Reply #13 on: June 27, 2008, 08:52:42 AM

I used these working 3rd party server repairs at a bank about 10yrs ago.  Personally, I found them easy to use. 

If it works out, and it likely will, I could foresee them being used with a bunch of different games.  It could even give incentive for developers to use game portals (like SOE's all access).  They could even have third party portals that smaller developers sign with... dunno... just spouting here.
KallDrexx
Terracotta Army
Posts: 3510


Reply #14 on: June 27, 2008, 08:56:11 AM

My bank in AU used these for internet banking.  It seemed to work well, was easy to keep around and didn't really cause any trouble.

I think it's a good thing they are doing this.
bhodi
Moderator
Posts: 6817

No lie.


Reply #15 on: June 27, 2008, 09:39:52 AM

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.
Oh come on. You aren't seriously equating carjackings to keyloggers, are you?
Nevermore
Terracotta Army
Posts: 4740


Reply #16 on: June 27, 2008, 09:54:42 AM

I'd just like to say that 'dongle' is an awesome word.   Oh ho ho ho. Reallllly?

Over and out.
Nija
Terracotta Army
Posts: 2136


Reply #17 on: June 27, 2008, 10:52:05 AM

Man I'd fucking love it if somehow WOW caused smartcard readers to become standard equipment.

I'd just love it.
ajax34i
Terracotta Army
Posts: 2527


Reply #18 on: June 27, 2008, 11:20:24 AM

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?
Oban
Terracotta Army
Posts: 4662


Reply #19 on: June 27, 2008, 11:35:44 AM

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

Sounds as easy to defeat as the new TSA ID requirements; a seller would just tell Blizzard they lost their SecurID dongle and provide their address, phone number and date of birth.


Palin 2012 : Let's go out with a bang!
Falwell
Terracotta Army
Posts: 619

Ghetto Gear Solid: Raiden


Reply #20 on: June 27, 2008, 11:43:04 AM

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

Sounds as easy to defeat as the new TSA ID requirements; a seller would just tell Blizzard they lost their SecurID dongle and provide their address, phone number and date of birth.



I've dealt with 2 guildies getting their accounts hacked and in both cases, account recovery was far from that easy.

Both had to provide not only the above information but also had to fax their birth certificates, photo ID and 2 other forms of ID to even get the ball rolling. From there it took a couple weeks for them to even regain account access.

This strikes me as a hell of a deal for WoWers. It's affordable, effective (seemingly), and easy to use security.
Morat20
Terracotta Army
Posts: 18529


Reply #21 on: June 27, 2008, 12:00:11 PM

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

Don't have much of a problem with mine -- except when it expired. SecurID actually "looks back" and "looks ahead" at the previous and next numbers in the cycle and synchs you forward or back if you're out of synch. It'll only do this a few times before it locks, though.

Since we're now facing the prospect -- different set of folks entirely -- of using a 12 character password on a "can't reuse for 360 days" cycle, with minimum of 1 special character, one number, and at least one uppercase and one lowercase character, as WELL as having a seriously annoying dictionary/common name/common password mangles check...

SecurID is a hell of a lot less of a PITA than that.
Viin
Terracotta Army
Posts: 6159


Reply #22 on: June 27, 2008, 12:07:30 PM

Since we're now facing the prospect -- different set of folks entirely -- of using a 12 character password on a "can't reuse for 360 days" cycle, with minimum of 1 special character, one number, and at least one uppercase and one lowercase character, as WELL as having a seriously annoying dictionary/common name/common password mangles check...

SecurID is a hell of a lot less of a PITA than that.

No kidding. Military networks require a new password every 90 days, with the rules above. *And* if you don't log in for 28 days, you have to set up a new password the next time you log in. (Which means every month a reservist gets on base, they have to create a new password.. that's 12 different passwords that don't resemble any previous passwords or any words or anything you'd ever remember - after a couple of those, you just give up and don't bother to log in ever).

SecurID is way way easier than the stupid draconian password policies some IT departments push on you.

- Viin
Salamok
Terracotta Army
Posts: 2803


Reply #23 on: June 27, 2008, 12:09:16 PM

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID


The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.
Viin
Terracotta Army
Posts: 6159


Reply #24 on: June 27, 2008, 12:10:36 PM

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

Umm, hmm. Do you have a picture of it? All of the RSA SecurIDs I've seen are numeric only and are really easy to read.

- Viin
Salamok
Terracotta Army
Posts: 2803


Reply #25 on: June 27, 2008, 12:12:50 PM

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

Umm, hmm. Do you have a picture of it? All of the RSA SecurIDs I've seen are numeric only and are really easy to read.

No pic; it has a sticker advertising www.securecomputing.com on the back and was issued by the Austin Board of Realtors for MLS access.
Furiously
Terracotta Army
Posts: 7199


Reply #26 on: June 27, 2008, 12:15:43 PM

No kidding. Military networks require a new password every 90 days, with the rules above. *And* if you don't log in for 28 days, you have to set up a new password the next time you log in. (Which means every month a reservist gets on base, they have to create a new password.. that's 12 different passwords that don't resemble any previous passwords or any words or anything you'd ever remember - after a couple of those, you just give up and don't bother to log in ever).


No you just write it down and put it in your wallet.

fuser
Terracotta Army
Posts: 1572


Reply #27 on: June 27, 2008, 12:37:22 PM

No kidding. Military networks require a new password every 90 days, with the rules above.

No you just write it down and put it in your wallet.


If you really wanna defeat the new unique password restrictions just change your password xyz times in a row then change it to your original.

When I worked at NDA it worked with the AD policies.
Ookii
Staff Emeritus
Posts: 2676

is actually Trippy


Reply #28 on: June 27, 2008, 12:50:22 PM

Apparently RSA's new initiative is to integrate their software in mobile devices so people won't have to carry multiple things and companies won't have to pony up for the hardware.

My company right now is awesome, they use basic authentication to connect to resources from the internet to the internal network on a server that is trusted on the domain yet serving all external webpages.  They think changing the password complexity and throwing it on an SSL (yes the logins and passes transmit in plaintext) is going to fix it, they don't even know what SecurID cards are.

vex
Terracotta Army
Posts: 178

Smock, turban, latex gloves and rubber slippers.


Reply #29 on: June 27, 2008, 01:01:30 PM

Apparently RSA's new initiative is to integrate their software in mobile devices so people won't have to carry multiple things and companies won't have to pony up for the hardware.

I do know they used to have a software client so this would be smart and easy. 

My bank has something similar but instead of me having the software they send a text message to my phone with the code when I need to perform certain functions. 

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.
Fordel
Terracotta Army
Posts: 8306


Reply #30 on: June 27, 2008, 01:13:23 PM

This really does highlight how bad of an issue all this account stealing is.


I guess they think the support required for dongles will cost less than all the support hours required for account recovery.

and the gate is like I TOO AM CAPABLE OF SPEECH
Trippy
Administrator
Posts: 23657


Reply #31 on: June 27, 2008, 02:06:14 PM

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.
Oh come on. You aren't seriously equating carjackings to keyloggers, are you?
Is that what I said?
Tale
Terracotta Army
Posts: 8567

sıɥʇ ǝʞıן sʞןɐʇ


Reply #32 on: June 27, 2008, 02:06:56 PM

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

Me too ... some11thing changed to some22thing, etc. Now I'm heading through qwerty ... somewwthing :)

The other good thing about a SecurID tag is you can allow someone else to log in as you in an emergency (read them the number over the phone) and know they can only do it once.
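
Added example, not part of any post in this thread and not RSA's or Blizzard's code: a server-side verifier showing the two behaviours described above, the "look back / look ahead" resync with a lockout, and a code being usable only once. It uses the open TOTP scheme from RFC 6238 as a stand-in rather than SecurID's own algorithm; `WINDOW`, `MAX_FAILURES` and the class and function names are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds a code stays current, as on the tokens in the thread
DIGITS = 6
WINDOW = 1         # steps to look back/ahead of the expected one (assumed)
MAX_FAILURES = 3   # consecutive bad codes before the token locks (assumed)


def code_at(secret: bytes, counter: int) -> str:
    """RFC 4226 truncation of HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenVerifier:
    """Per-token server state: learned drift, replay floor, failure count."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0           # token clock offset in steps, learned on success
        self.last_counter = -1   # highest step already accepted
        self.failures = 0

    def verify(self, code: str, now: float) -> bool:
        if self.failures >= MAX_FAILURES:
            return False                     # locked until an admin resets it
        center = int(now // STEP) + self.drift
        for delta in sorted(range(-WINDOW, WINDOW + 1), key=abs):
            counter = center + delta
            if counter <= self.last_counter:
                continue                     # used already, or older: replay
            if hmac.compare_digest(code_at(self.secret, counter), code):
                self.drift += delta          # resync toward the token's clock
                self.last_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo() -> list:
    # Constructed input: the RFC 4226 test secret, not a real token seed.
    v = TokenVerifier(b"12345678901234567890")
    return [
        v.verify("287082", 59),   # code for the current step: accepted
        v.verify("287082", 59),   # same code replayed: rejected
        v.verify("969429", 65),   # token one step fast: accepted, drift learned
        v.verify("338314", 95),   # next code now matches the expected step
    ]
```

The replay floor is what stops a keylogged code from being reused; the window width trades tolerance for clock drift against the number of codes that are valid at any moment.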
Furiously
Terracotta Army
Posts: 7199


Reply #33 on: June 27, 2008, 02:53:58 PM

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

Me too ... some11thing changed to some22thing, etc. Now I'm heading through qwerty ... somewwthing :)

The other good thing about a SecurID tag is you can allow someone else to log in as you in an emergency (read them the number over the phone) and know they can only do it once.

Good point!

Count Nerfedalot
Terracotta Army
Posts: 1041


Reply #34 on: June 27, 2008, 06:39:27 PM

No kidding. Military networks require a new password every 90 days, with the rules above.

No you just write it down and put it in your wallet.


If you really wanna defeat the new unique password restrictions just change your password xyz times in a row then change it to your original.

When I worked at NDA it worked with the AD policies.

My work account is set so we can't change the password for 24 hours once it's been changed successfully, so it would take 12 days to cycle back to a favorite one.  And passwords expire after 30 days.  And the idiots won't allow passwords over 10 (or 12? I'm not sure) characters, so you can't use a phrase or something memorable either.  And they must be mixed case, alpha and numeric, plus at least one special char, and who knows what else since even passwords within those constraints sometimes fail.  And the password checker WILL NOT TELL YOU why the password you entered is not acceptable!   Shaking fist

I finally gave up and started using my favorite password with the month appended and flip the domain admins a bird every time I log in.  Earthlings make me furious.

Yes, I know I'm paranoid, but am I paranoid enough?