Authenticator Changes, Don’t Panic!

In case you missed it, there was a recent change to how our accounts are authenticated. Here it is again if you didn’t see it.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have an Authenticator attached to your account, don’t wait until it’s too late –

Well, this statement has raised quite a few questions. Many of us in the gaming community work in Information Technology / Information Security, and we are quite honestly interested in having more information on this.

Now before I get started I want to have a note here that the information after this point will represent a more general view of internet protocol. This is not intended to be a tech manual, just the musings of an internet worker who is also a gamer.

There are a couple of ways that you might authenticate a computer at a physical location. One is by authenticating the public IP address that is reaching out to the login server. If you see multiple requests from the same IP in a short period of time, you can assume this is the same person to a certain degree. This works in part because IPs are purchased by ISPs and assigned to a specific region. After that, you as the user rent the IP with a lease, sort of like renting an apartment. If you have a static IP, you have a “permanent” lease on that particular IP. If you use a DHCP service, like cable internet, it may change based on what’s available. Every time you get a new IP, it’s from your local region and the local pool. It could also authenticate by not only your public IP address, but also your computer’s MAC address. A MAC address is a unique identifier that all networking devices have. Think of it like a social security number for your computer. Each one is unique per device. There are, however, a couple of potential problems: IPs and MAC addresses can be spoofed. Not that it’s something you should be worried about all the time, but it is a fact that it can happen. Also, if you have a dynamic IP and it solely authenticates by the address, every time your IP changes it could cause issues.

Another manner is the creation of software tokens that are placed on the client end at the point of logging in. Essentially you log in to your account and a software token, or marker of a successful login, is created on your machine to further authenticate you. By doing this it can validate the token on your machine instead of requiring you to punch in your authenticator code every time. The potential problem with software tokens is that if your system is compromised due to trojans or other methods, it could result in the security token being compromised. Again, this isn’t something to worry about all the time, but it does happen.

There are several other methods you could use, but those are probably the easiest.

So what method is Blizzard using? Well, I decided to perform a little experiment last night to see what I could glean as far as information goes. Since I work for an ISP in my daily Clark Kent style life, I have access to a few things that I can do easily (and legally) to perform a simple test.

Step one was to pick a new IP. I changed my IP to one available from a local pool in the lovely state of Wisconsin. I logged into my Bnet account, it asked for my authenticator normally. I logged out for a period of time, roughly 15 minutes, logged back in and it did not ask me for my Authenticator.

Step two was to change back to a local IP address from back in good old NY state. I logged into my Bnet account, and it asked me for my authenticator code. I logged out for another 15 minutes and then logged back in and it did not ask me for my authenticator.

Step three was to repeat step one, but this time after it did not ask me for my authenticator I logged out and completely shut down and restarted the computer. Logging back in required me to use my authenticator. I repeated the steps with a local IP with the same results. Continuing this process multiple times confirmed the same results, each time with different IPs.

From this incredibly simple experiment it would seem that the new authentication process is using a combination of validating your IP either for location, consistency, or potentially both as well as potentially a software token on your machine validating it after a successful login. Every time you cold boot your computer it will remove temporary data, including any software tokens created. Whether or not this is actually how Blizzard is doing it, we won’t know unless they say something.
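To make that inferred combination concrete, here is an added sketch (not from the original post and not Blizzard’s implementation, which is undisclosed) of a login server that skips the authenticator prompt only when a signed token issued after a successful login is presented from the same network. The key, token lifetime, prefix lengths and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the login server
TOKEN_TTL = 24 * 3600                 # assumption: how long a device stays remembered


def network_of(ip: str) -> str:
    """Coarse network (/24 for IPv4, /48 for IPv6), so a new DHCP lease from
    the same local pool does not count as a new location."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def _sign(account: str, network: str, expires: int) -> str:
    msg = f"{account}|{network}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account: str, ip: str, now: Optional[float] = None) -> str:
    """Issued only after a login that passed the authenticator prompt."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    return f"{expires}.{_sign(account, network_of(ip), expires)}"


def needs_authenticator(account: str, ip: str, token: Optional[str],
                        now: Optional[float] = None) -> bool:
    """True when the login must be challenged for an authenticator code."""
    now = time.time() if now is None else now
    if not token:                      # no token on the machine (e.g. wiped)
        return True
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:                 # malformed token
        return True
    if expires < now:                  # token too old
        return True
    expected = _sign(account, network_of(ip), expires)
    # Constant-time compare; fails if account, network or expiry was altered.
    return not hmac.compare_digest(sig.encode(), expected.encode())


def replay_experiment() -> list:
    """The post's three steps with constructed documentation-range addresses."""
    away, home, t0 = "198.51.100.7", "203.0.113.9", 1_000_000
    results = [needs_authenticator("player", away, None, t0)]       # first login
    token = issue_token("player", away, t0)
    results.append(needs_authenticator("player", away, token, t0 + 900))  # 15 min later
    results.append(needs_authenticator("player", home, token, t0 + 900))  # new IP
    results.append(needs_authenticator("player", away, None, t0 + 900))   # token gone
    return results


if __name__ == "__main__":
    print(replay_experiment())
```

Because the signature covers the account and the network, a token copied off a compromised machine is rejected when replayed from a different network, which narrows the software-token risk described earlier without removing it.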

There are a couple of things that confuse me slightly. First is that there was no prior announcement to the change going live; it just appeared. I’m wondering if this is a knee-jerk reaction to the recent string of hacker invasions going on across the blog-o-sphere. Second, the lack of explanation of the process is concerning. Not the exact process per se, but knowledge that this was carefully thought out and not hastily implemented would be comforting, as would hearing the reasons for the change. Lastly, there is no option to opt out of it; it just happens. If nothing else I am a creature of habit, and I like typing in my authenticator code every single time. It’s a preference, but it’s something that I would like to have the option to continue doing.

So in the end, while my first reaction to the change was not a positive one, I feel much better about it after my simple experiment. At the very least we know that they are checking for multiple factors before just allowing you to log in. While on a professional level I would love to know more about the process they are using, I don’t think it’s anything we should be too overly worried about. Now if only we could get that pesky opt in/out toggle…

Real ID on Blizzard forums, the good and the bad *Updated AGAIN!*

*update* Real ID is canceled on official forums. Blizzard most definitely listened, and it’s a good thing!

So, Vaneras over on the EU forums just informed us that Real ID will be making an appearance on the forums. Needless to say there is a slew of comments slinging around about this. Some people love it, some people hate it. Some say it will be the new life of the forums while others think that this marks their imminent death. So I thought it would be good to talk about it a little bit here.

First off, let’s talk about the current state of the forums. There are some good threads there. There are some helpful guides and bits of information. But for each helpful bit there is a counterpart: people that just show up to cause issues, scream drama and pick Internet fights. I know a lot of people personally who avoid the forums just to avoid those specific people. This is a sad thing though, as the forums are set up to help build the community and not to be a source of drama or argument. On a personal level I hate having to weed through 15,000 posts of people complaining to get to the 1 that has a valid point in a discussion. This is obviously an exaggeration, but you get the idea.

Let’s face it, the Internet is a place where people can hide behind a fake name and say and do whatever they want with little to no recourse. This can be simple complaining or outright just being an ass-hat. This Internet anonymity is what Blizzard is trying to take away, I think. How many times have they posted a proposed class change only to have intelligent, well thought out responses from posters get drowned out by the wailing masses? How many times has a person asked for advice on gear or spec or spell priority only to be called a noob for pages on end? It happens, trust me, I know. So I can see what Blizzard is trying to do here: by eliminating the ability to hide behind a character name, that person is held accountable for what they say or do.

Quick story here. I know a guy who in real life is one of the kindest people I’ve ever met. Intelligent, well spoken and would give you the shirt off his back. When he logs into game or on the forums however, he does a complete 180. He yells at people, argues incessantly, turns into a complete womanizing bigot and has a completely abrasive personality. This sounds extreme but it is a lot more common than you think. When you don’t have to be held accountable in real life for your actions, the rules change. The Blizzard forums have been plagued by this from day 1.

By adding this level of accountability Blizzard I’m sure is hoping to cut down on the forum slop by discouraging the trolls from posting, and making people think twice about just posting empty whining.

There is however another side to this coin. There are a ton of people who try very hard to separate their real life from their game life. They post helpful guides to trade-skills, or how to level efficiently on the forums for general reading. They offer insight to class changes and constructive criticism when people ask for help. This group of people also has something to lose by this change going live, as does the community in general if they stop posting. Some people like the anonymity of their toons as a way to just separate their lives into distinct parts. If they stop posting because of this change, that will be very sad indeed.

Some are concerned for their safety. They fear stalkers and real life harassment and fallout from the forums following them into real life. As a person who has worked in internet security for a long time, I can tell you the chances of this are pretty slim. A person’s name alone does not provide a ton of information. It does not for example provide your address and township. Your internet providers work very hard to keep that information private, as do most websites, banks etc. It is in Blizzard’s best interest as well to keep this information private, and so far they have done a pretty good job of it. Unless you have a one of a kind name and are publicly listed in an international phone book or public websites with your pertinent information, the chances aren’t too great that your name will give up enough information about you to harass you outside of your online persona. I understand the concern there; it is a valid reason for being against the change. But it can be rather difficult to find someone.

Another argument is that this goes against the originally stated purpose of Real ID. It was touted as an optional, convenient way to keep track of your friends across servers and even games. Some people feel that being forced to use it to interact on the forums violates this and removes the “optional” portion of the feature. This is a valid argument as there is no way to circumvent this at present.

There are also those of us that this has absolutely zero effect on. Those of us that already live in the public eye and have our names out there will see no change in how we do business essentially. Personally, it doesn’t faze me one bit. My name is out there from the For the Lore podcast, and having my real name show up on the forums isn’t a big deal at this point. I also have the good fortune to have a name that is not exactly unique. Joseph Perez is the Steve Smith of Hispanic names. Try looking it up in the phone book sometime, it is rather hilarious.

Here are some facts to remember about this:

This will only affect the new forums created when SC2 and Cataclysm launch. Old forums and old posts will remain untouched (for now, hopefully this won’t become retroactive)

Blue Posters are not immune to this, and will also be showing their real first and last names

Having your name does not compromise your account security. Email, password (and hopefully you’re using an authenticator) are what let people in. Even if you call Blizzard customer support and say you are “so and so” you have to provide a LOT of proof of identity.

So what do you think? Do you love it? Do you hate it? Will it be a new beginning for the Blizzard forums or will it mark its death?


Let me clarify something real fast. While the change doesn’t affect me personally I still do NOT like it. I understand what they are trying to do with it, but I don’t think it was thought out enough. On Facebook I can go silent, I can turn off chat and no one has to know I’m on. I can hide details like my email, phone number and location, and if I so choose I can change my name on the account. Here we don’t have the option. I do NOT like the idea that choice is being taken away from the gamers. We choose to play this game and who to interact with. Why do we not have a choice in this? I think that the overwhelming response people are having to this is a good thing and hopefully Blizzard will see it and make some changes. But again, I am NOT for this change, but I don’t think it needs to be attacked with nukes instead of calm rational discussion. It is a lot easier for people (i.e. Blizzard) to dismiss an over the top emotional response to this (which don’t get me wrong, it’s a perfectly valid response from us as users to be passionate about this change) as opposed to when people calmly lay down why they don’t agree with it. That’s all.

Real I.D., Lodur’s thoughts

Since it was first announced there has been a wave of people very outspoken about this feature from both sides. People have been arguing the pros and cons of it and some of them are less than rational arguments. So I figured I’d share my own thoughts on it.

First though, here are some facts that you may not know about Real ID

  • Real ID is another name for Dingo, if you aren’t careful it will steal your babies!
  • Real ID promised to buy me dinner, but when the check came its wallet was in its other pants
  • Real ID will walk into a room, let one rip audibly and blame it on your dog
  • BP isn’t actually to blame for the oil spill, in truth it was Real ID. It just blamed BP and ran like hell.
  • Real ID is so fast it can outrun the Flash, which oddly enough is why Flash doesn’t work on your iPhone
  • Real ID assassinated Archduke Franz Ferdinand
  • I survived Real ID, and all I got was this lousy T-Shirt

I figured a little levity was in order for this one, hope you got a giggle out of it.

Honestly though, there has been a bevy of ridiculous comments about Real ID, to the point I don’t think I hear this much QQ when hunters are nerfed. It seems most of the arguments against it are based off of misinformation. Posts have been popping up everywhere about it, from small blogs to big blogs across the globe.

Stoppable had a great post about Real ID yesterday explaining some of the misconceptions about the new features. It’s a good read; you should take a gander at it. Even Matt offered his two cents on the topic.

Spinks offered a good argument for sometimes wanting to be alone in game and not be bothered by anyone and how Real ID eliminates that. It was one of the better arguments I’ve read against the inclusion of Real ID and it is definitely worth your time as well. Anna from  too many annas has also chimed in on the topic and talked about the opening up of your personal information. It is a well thought out discussion on the negatives of Real ID.

That said, I like the idea of Real ID chat in game. There are actually many reasons. First of all, it allows me and the officers in my guild to be more accessible to our guildies. There are times when someone will need an officer but none may be on at that time. As it stands a number of guildies have my cell phone, email, home address, AIM, MSN, Yahoo, ICQ and so forth in order to get a hold of me when needed. I tend to be a night owl, I’m up all hours of the night, but I’m not always in WoW. I do intend to play a lot of SC2 and you bet your arse I’ll be playing Diablo 3. Having a way to keep in touch with guildies and be pegged if I’m needed in game is very nice. Secondly, it allows me to stay in touch with friends on different servers and factions. I have friends all over the place, many of my readers here fall into that category. I like being able to send them a whisper and ask what’s up. My girlfriend raids as horde on another server and it is nice to be able to send her a message in game just to say hi. I enjoyed using it in the SC2 beta and it worked really well there.

It is not without shortcomings though. First of all, right out of the box it is spam heavy. Pop ups, growl notifications and status spam assail you as soon as you enable the feature. This can be turned off in the game settings, but still it is not a friendly first impression. There are memory issues still. Friends running top of the line PCs with gobs of RAM and terabytes of storage were getting errors about drive space for processing. This needs to be fixed and fixed fast. There are two key binds to reply to someone now in the default UI: a separate key for chat reply, and one for whisper reply. Here’s the thing though, they don’t both work! Chat reply (for chat groups) doesn’t work at all. Why not just leave it as one key replies to whispers from Real ID or regular friends and leave the chat like a normal chat channel? Privacy mode please. Even on Facebook I can turn chat off and have no one know I logged in. Why can’t I do the same here? I can set myself to busy but it’s not the same. Blizzard, please add a function where I can turn it off when I don’t want to be bothered. I mean, I accidentally did this last night when I crashed, but I would rather have a button!

Overall I like it. It is not very different from the communication we used to track friends back in Diablo 2 (you could add or user names to see all of their characters) and many of us utilize services like Steam where we can communicate across ANY game in the Steam library to our friends, and it was about time that we saw something like this from Blizzard.

I’ll end today with a couple notes about security and etiquette

Friend of a Friend: People right now are saying that the ability to see friends of a friend is broken and wrong and invades someone’s privacy. The truth is though, besides a name you do not get anything else about the person. You do not see their email or anything like that. In fact, you get more information about friends of a friend from Facebook.

I have to give my email out!?: While the system is designed to search for people by email addresses, you can add other people and they cannot see your email. You can have people add you through friend of a friend and they will never see your email, or simply you can choose not to participate. Either way your information is really only accessible if you volunteer it.

Now I’m going to get spam mail!!!: Well, you may, but you won’t get it because of this. There are entire companies that do nothing but plug random combinations of letters and numbers at domain names, offering blanket statements to try and sell you products or get you to click really bad links. Others buy the information from other websites for marketing. Either way I can pretty much guarantee you the Viagra spam email you got had nothing to do with Real ID.

Say who you are!!: A new pet peeve of mine is people adding someone without saying who they are. I’ve gotten a dozen requests from people I have no clue about. I accept that this will happen as my information is highly public thanks to World of Matticus and For The Lore. All I ask is that if you’re going to send the request, tell me who you are. I’ve accepted many friend requests on Facebook that just said “hey I’m a reader from xyz you should add me”. So my rule is: no message telling me who you are, I won’t accept the invitation. I will be using this rule for Real ID as well. I mean, it’s just common courtesy to announce who you are!

We live in a world where our information is readily available for just about anyone if they look hard enough. Take a look at Facebook, Twitter, and even personal blogs and Livejournals. We post information about ourselves that just about anyone can see if they want unless we are ultra super secretly careful. Is this really worse than they are? Is this worse than Facebook? In the end this is still optional, you can choose not to participate. Simply don’t accept any requests and don’t send any, and everything goes along as normal. This is not the end of the world. Blizzard is not going to sell your information to gold farmers and spammers (they would have long since done that already if that was the case) and the truth of the matter is your account is in no greater danger than it was two days ago. You should still have an authenticator and you shouldn’t respond to those emails from Gnomeregan royalty who just need a little help to get their money out of escrow.

So now that you’ve had a day with it, what do you think of the new Real ID system?

Special thanks to Thespius and my buddy Doug for the comedic help this morning.

Yes You Can Multi-Box with Battle Net Account Merging