Battle.net Authenticator Changes, Don’t Panic!

So in-case you missed it, there was a recent change to how our accounts are authenticated, here it is again for you again if you didn’t see it.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late – http://us.battle.net/en/security/checklist

Well, this statement has raised quite a few questions. Many of us in the gaming community work in Information Technology / Information Security, and we are quite honestly interested in having more information on this.

Now before I get started I want to have a note here that the information after this point will represent a more general view of internet protocol. This is not intended to be a tech manual, just the musings of an internet worker who is also a gamer.

There are a couple ways that you might authenticate a computer at a physical location. One is by authenticating the public IP address that is reaching out to the login server. If you see multiple requests from the same IP in a short period of time, you can assume this is the same person to a certain degree. This works in part because IPs are purchased by ISP’s and assigned to a specific region. After that, you as the user rent the IP with a lease sort of like renting an apartment. If you have a static IP, you have a “permanent” lease on that particular IP. If you use a DHCP service, like cable internet, it may change based on what’s available. Every time you get a new IP, it’s from your local region and the local pool. It could also authenticate by not only your public IP address, but also your computers MAC address. A MAC address is a unique identifier that all networking devices have. Think of it like a social security number for your computer. Each one is unique per device. There is however a couple potential problems; IP’s / MAC addresses can be spoofed. Not that it’s something you should be worried about all the time, but it is a fact that it can happen. Also if you have a Dynamic IP and it solely authenticates by the address, every time your IP changes it could cause issues.

Another manner is the creation of software tokens that are placed on client end at the point of logging in. Essentially you log in to your account and a software token, or marker of a successful login, is created on your machine to further authenticate you. By doing this it can validate the token on your machine instead of requiring you to to punch in your authenticator code every time.  The potential problem with software tokens is that if your system is compromised due to trojans or other methods, it could result in a compromising of the security token. Again, while this isn’t something to worry about all the time, but it does happen.

There are several other methods you could use, but those are probably the easiest.

So what method is Blizzard using? Well I decided to perform a little experiment last night to see what I could gleam as far as information goes. Since I work for an ISP in my daily Clark Kent style life I have access to a few things that I can do easily (and legally) to perform a simple test.

Step one was to pick a new IP. I changed my IP to one available from a local pool in the lovely state of Wisconsin. I logged into my Bnet account, it asked for my authenticator normally. I logged out for a period of time, roughly 15 minutes, logged back in and it did not ask me for my Authenticator.

Step two was to change back to a local IP address from back in good old NY state. I logged into my bnet account, and it asks me for my authenticator code. I logged out for another 15 minutes and then logged back in and it did not ask me for my authenticator.

Step three was to repeat step one, but this time after it did not ask me for my authenticator I logged out and completely shut down and restarted the computer. Logging back in required me to use my authenticator. I repeated the steps with a local IP with the same results. Continuing this process multiple times confirmed the same results, each time with different IPs.

From this incredibly simple experiment it would seem that the new authentication process is using a combination of validating your IP either for location, consistency, or potentially both as well as potentially a software token on your machine validating it after a successful login. Every time you cold boot your computer it will remove temporary data, including any software tokens created. Whether or not this is actually how Blizzard is doing it, we won’t know unless they say something.

There are a couple things that confuse me slightly. First is that there was no prior announcement to the change going live rather than it just appearing. I’m wondering if this is a knee-jerk reaction to the recent string of hacker invasions going on across the blog-o-sphere. Second the lack of explanation of the process is concerning, not the exact process per say, but knowledge that this was carefully thought out and not hastily implemented would be comforting, as well as hearing the reasons for the change. Lastly is that there is no option to opt out of it, it just happens. If nothing else I am a creature of habit, and I like typing in my authenticator code every single time. It’s a preference, but it’s something that I would like to have the option to continue doing.

So in the end, while my first reaction to the change was not a positive one, I feel much better about it after my simple experiment. At the very least we know that they are checking for multiple factors before just allowing you to log in. While on a professional level I would love to know more about the process they are using, I don’t think it’s anything we should be too overly worried about. Now if only we could get that pesky opt in/out toggle…

15 thoughts on “Battle.net Authenticator Changes, Don’t Panic!”

  1. I, too, am a creature of habit, and I am comforted by the action of typing in my authenticator code. NOT typing it in just… unnerves me, to be perfectly honest.

    I wish we could choose to type it every time. 🙁

    Reply
  2. Like always Blizzard decides what’s best for us. Sure it aint a -huge- deal and it is more convenient. But I’m getting so freaking sick of blizzard always deciding how we should do things.
    And how is it that typing in your authenicator number is less intrusive than knowing that Blizzard entertainment always knows where you are based on where and when you log in. Intrusion of privacy did come to mind.
    It’s like they make it their hobby: “how far can we go with these kind of stuff without people getting really pissed off?”
    But it’s all to make our life more convenient and that makes -everything- alright

    Reply
  3. The problem that most likely caused Blizzard to add this security feature is based on the fact that the software solution that the authenticator is based on was compromised, and hackers now possess the ability to forge your authenticator. So now even the authenticator isn’t (by itself) secure. In fact if Blizzard has reason to believe it really is you logging in then it is better NOT to use the authenticator because authenticators can no longer be trusted. The hackers that stole the authenticator technology have already attempted to use that to hack into Lockheed Martin.

    To be honest I’m not sure why they haven’t just abandoned the authenticators period. The risk is very high, especially with the software based authenticators (like the ones on iPhones).

    The problem is so bad that the company is replacing all of the authenticators used by the Defense Department with fresh, uncompromised algorithms on replacement authenticators. Blizzard users not so lucky.

    Read it all here: http://www.rsa.com/node.aspx?id=3891

    Reply
    • Blizzard uses VASCO authentication, not RSA. While it’s true that nothing is 100%, the fact is that the more layers you add, the better off you are in the long run. I don’t believe authenticators should be abandoned, it is still a viable form of additional security.

    • That’s good to know.

      I guess the best thing to do is use a hard to guess password that you change frequently, and to use a different password for your sensitive accounts than you use on the Internet in general.

    • – Some of the Chinese hackers seem to be former/current WoW hackers, one of the attacker’s websites had an old WoW keylogger on it, and some of their attack emails were WoW themed and used web pages hosted at gaming sites in China. (may be due to both groups using the same weak easily hacked servers as their middlemen)

      – The Chinese hackers hit RSA just to break into US military providers that used RSA tokens.

      – There’s no need for them to break into Vasco (the Blizzard authenticator provider), those devices are manufactured in China and the info would probably be available with just a phone call.

      – The hackers would not know which RSA token went to which employee at the defense contractor unless they broke the RSA server at the contractor itself. I suspect they could infer which token the employee had by sniffing several logins.

      – I don’t know who knows which Vasco token I have.

      – Blizzard took steps to limit the use of tokens.

  4. “but knowledge that this was carefully thought out and not hastily implemented would be comforting”

    This is Blizzard we’re talking about–they don’t do things hastily (much to the dislike of their parent company Activision’s share holders, I’m sure).

    Reply
  5. Something else too that I learned in my internet security class (or really security in general): it shouldn’t be secure through obscurity, it should be secure through the actual mechanics in place.

    Because Blizzard has actually published the authenticator scheme, you can “make” your own programmable authenticator. Some people already have emulators, proving that the security mechanism actually works based on its mechanics and not some magical voodoo.

    Blizzard should do the exact same thing here; describe exactly which conditions it will require/bypass authenticator tokens.

    Also, where is that opt-in/opt-out feature? Lets do that too.

    P.S. Why can’t EVERYTHING just be hooked up to some authenticator? In this day and age, I’d be willing to carry around a keychain of these dangly things to make extra sure people can’t get into any of my accounts with just passwords. Google does it, which is why gmail is now my “main” email.

    Reply
    • Better yet, a standardized system that applies globally in which you can attach your own single, individual authenticator to anything/everything: email, internet banking, car, house, etc. So long as the unified authenticator is 1 factor of several unique to each system (username/password/PIN/memorable phrase), it’d be secure AND convenient.

  6. This is really a stupid move

    I work in the industry
    Ip , service provider and timezone from ip can all be spoofed very very easy

    Please bring back 2 factor authentication
    Something you know password and something you own authenticator

    Make it mandatory

    Reply
  7. In the area of endless key loggers, cheap CPU power for brute-force attacks and man in the middle techniques the effectiveness of complex passwords alone has become fairly poor. Security always is and always will be a multi-layered approach. The concept of “two-factor” authentication (specially time based) has become indispensable to complement other security mesures. So unapparent UserIDs, strong passwords, IP address information and other measures remain important to keep a multilayered security posture, but can be typically obtained with a calculated effort, while certain “two-factor” authenticators can’t. Many have therefore focussed and almost solely relied on “two-factor” authentication and this is the REAL reason why many are in panic mode.

    @Darkener & Vas: A lot of what you are writing still is pure speculation. Nevertheless the situation is interesting and the questions remain who might have had the ressources to pull this kind of thing off (the victims have top-notch security technology) and if they actually are capable of circumventing the authentications servers as there is far more required (Vas has already mentioned one of the missing pieces).

    Reply
  8. Cool.. so it seems a friend of mine down the street can log into my account because they were not prompted for an authenticator code. Which coincedently booted me out of my dungeon… WTG.

    Reply

Leave a Comment