Blizzard introducing security dongle

[Numtini]

I just ran into this, apparently the keylogger and account security problem is so bad that Blizzard is going to introduce a hardware authenticator, I assume a usb dongle of some kind for account authentication. It's an interesting idea. I wonder if this type of thing will become more standard. Should be cheap enough to just stick in a box. Given how much CSR time they use, I'm surprised they don't just include it in the next expansion.

[kaid]

Its all fun and games until somebody steals or you lose your dongle and then you are really up the creek.

[Trippy]

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

[cevik]

I really hate those things, it's going to be a usability nightmare for Blizzard.  I hope this remains optional (and dies a quick death).

[fuser]

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

I hate those... token's use to always go outta sync with the software just when you needed to use em. Cool thing was the 6 digit token use to be only active for 30 seconds so if you were entering your username/password/token you had to wait for the digits to roll over which was constantly happening on the token without any user input.

From the press release "Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button."

Newer one's look a bit better and my god for $7 thats pretty freaking smart as you still require your own user chosen password.

[bhodi]

They need *something* to combat keyloggers in internet cafes. The problem is huge, and this is as good a solution as any. I know three people who've had their accounts stolen in that way. Of course it will be optional! This is an additional layer of security (2 factor authentication) for people who desire it.

Just like the SecurID token trippy posted, and the that cevik probably uses, and the one that I use (Aladdin), it's used in addition to your game password. The general method is your normal password and then the numbers that the device spits out on the end. Just having the token does not get you in, any more than just knowing the password would. You'd have to both know the user name, password, AND have the device to get into your account.

[Bunk]

Ok, that sounds reasonable as long as its an option. Having also had our company use a dongle in the past, I will attest to what an utter nightmare they can be to support.

[fuser]

They have a decent FAQ. This is acually quite good, big kudos to Blizzard!

What is the Blizzard Authenticator?

The Blizzard Authenticator is an optional tool that offers World of Warcraft players an additional layer of security to help prevent unauthorized account access. The Authenticator itself is a physical “token” device that fits easily on a keyring.

Where do I enter the digital code when I log in to World of Warcraft or to Account Management?

After you enter the account name and password, you’ll be prompted to provide the digital code from your Blizzard Authenticator. You must press the button on your Authenticator and enter the code it displays to complete your login.


Can I apply my Blizzard Authenticator to more than one account?

Yes! You’re welcome to associate a single Blizzard Authenticator to as many accounts as you like. Please remember that you must have that Authenticator with you to log in to any of these accounts afterwards.

[Trippy]

They need *something* to combat keyloggers in internet cafes. The problem is huge, and this is as good a solution as any. I know three people who've had their accounts stolen in that way. Of course it will be optional! This is an additional layer of security (2 factor authentication) for people who desire it.

I'm waiting for the first news report of somebody being beaten up/robbed for one of those things.

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.

[Viin]

We've used these internally at AOL for years - never had a problem with them, unless I let it expire (after 2 years).  They also started offering this to consumers a couple years ago, for logging in to the AOL client - mostly to keep kids from logging in I think, as mom has the securID fob in her purse.

[vex]

I think they are a good idea for people who desire that level of security.  I used to use one for our work VPN and it wasn't a big deal.  Personally I don't know if I'd get one to secure a game account but when PayPal started offer them for $5 I didn't hesitate on that.

[Lakov_Sanite]

To chime in with more the same.  For $7 and optional? this is certainly going to be a big thing for those who play at cafes, work etc and also more $$$ hats for blizzard

edit: i hope to god they make it murloc shaped

[Trippy]

Actually they are probably losing (a little) money on those things given the hardware cost to them for the fobs and the costs on their end to license the software/hardware and modify their accounts system to support the keys.

[Hawkbit]

I used these working 3rd party server repairs at a bank about 10yrs ago.  Personally, I found them easy to use. 

If it works out, and it likely will, I could forsee them being used with a bunch of different games.  It could even give incentive for developers to use game portals (like SOE's all access).  They could even have third party portals that smaller developers sign with... dunno... just spouting here.

[KallDrexx]

My bank in AU used these for internet banking.  It seemed to work well, was easy to keep around and didn't really cause any trouble.

I think it's a good thing they are doing this.

[bhodi]

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.

Oh come on. You aren't seriously equating carjackings to keyloggers, are you?

[Nevermore]

I'd just like to say that 'dongle' is an awesome word.   

[Nija]

Man I'd fucking love it if somehow WOW caused smartcard readers to become standard equipment.

I'd just love it.

[ajax34i]

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

[Oban]

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

Sounds as easy to defeat as the new TSA ID requirements; a seller would just tell Blizzard they lost their SecurID dongle and provide their address, phone number and date of birth.

[Falwell]

Do you think these things will be used to prevent account sellers from reclaiming their account after the sale by calling Blizzard for a password reset?

Sounds as easy to defeat as the new TSA ID requirements; a seller would just tell Blizzard they lost their SecurID dongle and provide their address, phone number and date of birth.

I've dealt with 2 guildies getting their accounts hacked and in both cases, account recovery was far from that easy.

Both had to provide not only the above information but also had to fax their birth certificates, photo ID and 2 other forms of ID to even get the ball rolling. From there it took a couple weeks for them to even regain account access.

This strikes me as a hell of a deal for WoWers. It's affordable, effective (seemingly), and easy to use security.

[Morat20]

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

Don't have much of a problem with mine -- except when it expired. SecureID actually "looks back" and "looks ahead" at the previous and next numbers in the cycle and synchs you forward or back if you're out of synch. It'll only do this a few times before it locks, though.

Since we're now facing the prospect -- different set of folks entirely -- of using a 12 character password on a "can't reuse for 360 days" cycle, with minimum of 1 special character, one number, and at least one uppercase and one lowercase character, as WELL as having a seriously annoying dictionary/common name/common password mangles check...

SecureID is a hell of a lot less of a PITA than that.

[Viin]

Since we're now facing the prospect -- different set of folks entirely -- of using a 12 character password on a "can't reuse for 360 days" cycle, with minimum of 1 special character, one number, and at least one uppercase and one lowercase character, as WELL as having a seriously annoying dictionary/common name/common password mangles check...

SecureID is a hell of a lot less of a PITA than that.

No kidding. Military networks require a new password every 90 days, with the rules above. *And* if you don't login for 28 days, you have to setup a new password the next time you login. (Which means every month a reservist gets on base, they have to create a new password.. that's 12 different passwords that don't resemble any previous passwords or any words or anything you'd ever remember - after a couple of those, you just give up and don't bother to log in ever).

SecurID is way way easier than the stupid draconian password policies some IT departments push on you.

[Salamok]

No it's not a dongle. I used to use one of those things at a previous company to access certain resources. They are a fricking pain in the ass.

http://en.wikipedia.org/wiki/SecurID

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

[Viin]

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

Umm, hmm. Do you have picture of it? All of the RSA SecurIDs I've seen are numeric only and are really easy to read.

[Salamok]

The one I use now is great!!!  I especially love how the shitty display makes 5 indistinguishable from S, 8 indistinguishable from B and 0 indistinguishable from O.

Umm, hmm. Do you have picture of it? All of the RSA SecurIDs I've seen are numeric only and are really easy to read.

No pic it has a sticker advertising www.securecomputing.com on the back and was issued by the Austin Board of Realtors for MLS access.

[Furiously]

No kidding. Military networks require a new password every 90 days, with the rules above. *And* if you don't login for 28 days, you have to setup a new password the next time you login. (Which means every month a reservist gets on base, they have to create a new password.. that's 12 different passwords that don't resemble any previous passwords or any words or anything you'd ever remember - after a couple of those, you just give up and don't bother to log in ever).

No you just write it down and put it in your wallet.

[fuser]

No kidding. Military networks require a new password every 90 days, with the rules above.

No you just write it down and put it in your wallet.

If your really wanna defeat the new unique password restrictions just change your password xyz times in a row then change it to your original.

When I worked at it worked with the AD policies.

[Ookii]

Apparently RSA's new initiative is to integrate their software in mobile devices so people won't have to carry multiple things and companies won't have to pony up for the hardware.

My company right now is awesome, they use basic authentication to connect to resources from the internet to the internal network on a server that is trusted on the domain yet serving all external webpages.  They think changing the password complexity and throwing it on an SSL (yes the logins and passes transmit in plaintext) is going to fix it, they don't even know what SecurID cards are.

[vex]

Apparently RSA's new initiative is to integrate their software in mobile devices so people won't have to carry multiple things and companies won't have to pony up for the hardware.

I do know they used to have a software client so this would be smart and easy. 

My bank has something similar but instead of me having the software they send a text message to my phone with the code when I need to perform certain functions. 

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

[Fordel]

This really does highlight how bad of an issue all this account stealing is.


I guess they think the support required for dongles will cost less then all the support hours required for account recovery.

[Trippy]

It's sort of like the rise in carjackings because of the use of encoded car keys. It used to be people would break into the cars when nobody was around to steal them. Now they steal them at gunpoint when the driver is still in it.

Oh come on. You aren't seriously equating carjackings to keyloggers, are you?

Is that what I said?

[Tale]

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

Me too ... some11thing changed to some22thing, etc. Now I'm heading through qwerty ... somewwthing :)

The other good thing about a SecurID tag is you can allow someone else to log in as you in an emergency (read them the number over the phone) and know they can only do it once.

[Furiously]

As far as the 90 day password changes, I used to just do Autumn07, Winter07 or some easy variation.  The more onerous the password policy the more likely people are to cheat.

Me too ... some11thing changed to some22thing, etc. Now I'm heading through qwerty ... somewwthing :)

The other good thing about a SecurID tag is you can allow someone else to log in as you in an emergency (read them the number over the phone) and know they can only do it once.

Good point!

[Count Nerfedalot]

No kidding. Military networks require a new password every 90 days, with the rules above.

No you just write it down and put it in your wallet.

If your really wanna defeat the new unique password restrictions just change your password xyz times in a row then change it to your original.

When I worked at it worked with the AD policies.

My work account is set so we can't change the password for 24 hours once it's been changed successfully, so it would take 12 days to cycle back to a favorite one.  And passwords expire after 30 days.  And the idiots wont allow passwords over 10 (or 12? I'm not sure) characters, so you can't use a phrase or something memorable either.  And they must be mixed case, alpha and numeric, plus at least one special char, and who knows what else since even passwords within those constraints sometimes fail.  And the password checker WILL NOT TELL YOU why the password you entered is not acceptable!   

I finally gave up and started using my favorite password with the month appended and flip the domain admins a bird every time I log in.  Earthlings make me furious.