So in-case you missed it, there was a recent change to how our accounts are authenticated, here it is again for you again if you didn’t see it.
If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.
We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late - http://us.battle.net/en/security/checklist
Well, this statement has raised quite a few questions. Many of us in the gaming community work in Information Technology / Information Security, and we are quite honestly interested in having more information on this.
Now before I get started I want to have a note here that the information after this point will represent a more general view of internet protocol. This is not intended to be a tech manual, just the musings of an internet worker who is also a gamer.
There are a couple ways that you might authenticate a computer at a physical location. One is by authenticating the public IP address that is reaching out to the login server. If you see multiple requests from the same IP in a short period of time, you can assume this is the same person to a certain degree. This works in part because IPs are purchased by ISP’s and assigned to a specific region. After that, you as the user rent the IP with a lease sort of like renting an apartment. If you have a static IP, you have a “permanent” lease on that particular IP. If you use a DHCP service, like cable internet, it may change based on what’s available. Every time you get a new IP, it’s from your local region and the local pool. It could also authenticate by not only your public IP address, but also your computers MAC address. A MAC address is a unique identifier that all networking devices have. Think of it like a social security number for your computer. Each one is unique per device. There is however a couple potential problems; IP’s / MAC addresses can be spoofed. Not that it’s something you should be worried about all the time, but it is a fact that it can happen. Also if you have a Dynamic IP and it solely authenticates by the address, every time your IP changes it could cause issues.
Another manner is the creation of software tokens that are placed on client end at the point of logging in. Essentially you log in to your account and a software token, or marker of a successful login, is created on your machine to further authenticate you. By doing this it can validate the token on your machine instead of requiring you to to punch in your authenticator code every time. The potential problem with software tokens is that if your system is compromised due to trojans or other methods, it could result in a compromising of the security token. Again, while this isn’t something to worry about all the time, but it does happen.
There are several other methods you could use, but those are probably the easiest.
So what method is Blizzard using? Well I decided to perform a little experiment last night to see what I could gleam as far as information goes. Since I work for an ISP in my daily Clark Kent style life I have access to a few things that I can do easily (and legally) to perform a simple test.
Step one was to pick a new IP. I changed my IP to one available from a local pool in the lovely state of Wisconsin. I logged into my Bnet account, it asked for my authenticator normally. I logged out for a period of time, roughly 15 minutes, logged back in and it did not ask me for my Authenticator.
Step two was to change back to a local IP address from back in good old NY state. I logged into my bnet account, and it asks me for my authenticator code. I logged out for another 15 minutes and then logged back in and it did not ask me for my authenticator.
Step three was to repeat step one, but this time after it did not ask me for my authenticator I logged out and completely shut down and restarted the computer. Logging back in required me to use my authenticator. I repeated the steps with a local IP with the same results. Continuing this process multiple times confirmed the same results, each time with different IPs.
From this incredibly simple experiment it would seem that the new authentication process is using a combination of validating your IP either for location, consistency, or potentially both as well as potentially a software token on your machine validating it after a successful login. Every time you cold boot your computer it will remove temporary data, including any software tokens created. Whether or not this is actually how Blizzard is doing it, we won’t know unless they say something.
There are a couple things that confuse me slightly. First is that there was no prior announcement to the change going live rather than it just appearing. I’m wondering if this is a knee-jerk reaction to the recent string of hacker invasions going on across the blog-o-sphere. Second the lack of explanation of the process is concerning, not the exact process per say, but knowledge that this was carefully thought out and not hastily implemented would be comforting, as well as hearing the reasons for the change. Lastly is that there is no option to opt out of it, it just happens. If nothing else I am a creature of habit, and I like typing in my authenticator code every single time. It’s a preference, but it’s something that I would like to have the option to continue doing.
So in the end, while my first reaction to the change was not a positive one, I feel much better about it after my simple experiment. At the very least we know that they are checking for multiple factors before just allowing you to log in. While on a professional level I would love to know more about the process they are using, I don’t think it’s anything we should be too overly worried about. Now if only we could get that pesky opt in/out toggle…