WoW - Changes to authenticators

From http://us.battle.net/wow/en/forum/to...

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

Heh, good to know. Would be a little bit of a WTF moment the first time you don't get prompted.

In other news, it'd sure be nice if they could just assume that any IP in the same subnet is OK for login. Tired of having my account locked every time the DSL modem gets reset.

MikeMac wrote:

Heh, good to know. Would be a little bit of a WTF moment the first time you don't get prompted.

Was it ever.

I logged out and logged back in three times to make sure, then I went to Battle.net and changed my password, just in case.

Then I did a Google search and it was the first thing that came up.

mudbunny wrote:
MikeMac wrote:

Heh, good to know. Would be a little bit of a WTF moment the first time you don't get prompted.

Was it ever.

I logged out and logged back in three times to make sure, then I went to Battle.net and changed my password, just in case.

Then I did a Google search and it was the first thing that came up.

Yep, it's more of "was a little bit of a WTF moment". Thankfully I googled before I changed my password. Can't believe they didn't give us some sort of warning to mitigate the panic. The blue post mentioning the change had 26 pages of replies in the first four hours...

I wonder if they didn't mention the change for security purposes or something. I mean, they mention EVERYTHING; it would seem there is a good reason for implementing this without notice.

ELewis17 wrote:

I wonder if they didn't mention the change for security purposes or something. I mean, they mention EVERYTHING; it would seem there is a good reason for implementing this without notice.

Perhaps Blizzard recently invested in companies that manufacture blood pressure meds, laundry detergent and/or underwear?

ELewis17 wrote:

I wonder if they didn't mention the change for security purposes or something. I mean, they mention EVERYTHING; it would seem there is a good reason for implementing this without notice.

They probably read the same paper that Valve read when they just made the SteamGuard authentication stuff.

I don't have an authenticator myself but there was a lot of WTF about this in our guild chat yesterday. One of us contacted a GM and got confirmation that it was a real change and not a bug, and they said something along the lines of "it's in the new patch". So I'm suspecting that this was intended to be part of the 4.2 update, someone switched it on early by mistake, and Blizz are now in "ah, yeah, I totally meant to do that" mode.

If you log on from the same place all the time you have to use the authenticator less. They're using the IP address as a kind of 'half-factor' for security, to indicate that it's probably you.

There's also the (remote) possibility of a keylogger being used to gain access to your account even with an authenticator. If someone can get you to install software that will send them your username, password and token when you try to log on and then block the login, they can use the credentials quickly to log onto your account. It would be tough to remove the authenticator, since they'd need two tokens (though that's possible if you keep trying to log in over and over), but they could get in. By reducing the frequency of using the token, that illegal access path is at least limited. Not sure if such programs existed or not, but theoretically it is possible. In some senses, this is actually a security increase by tracking the most frequent IP address/network and using that as sort of a shared piece of private information.
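Added example, not part of the original thread and not Blizzard's code: a minimal sketch of the behaviour the posts above describe, where a login from a network the account habitually uses skips the authenticator prompt. It matches on the covering subnet rather than the exact IP, as one poster asked for. The /24 and /64 prefixes, the threshold of three verified logins, and every name in it are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values; the thread does not say what Blizzard actually uses.
V4_PREFIX, V6_PREFIX = 24, 64
TRUST_AFTER = 3  # code-verified logins from a network before the prompt is skipped


def network_key(ip: str) -> str:
    """Collapse an address to its covering network, so a fresh lease
    after a modem reset still maps to the same key."""
    addr = ipaddress.ip_address(ip)
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class LoginTracker:
    def __init__(self):
        # account -> network -> number of logins that passed the authenticator
        self._verified = defaultdict(lambda: defaultdict(int))

    def needs_code(self, account: str, ip: str) -> bool:
        return self._verified[account][network_key(ip)] < TRUST_AFTER

    def login(self, account: str, ip: str, password_ok: bool, code_ok=None) -> str:
        """Return 'ok', 'prompt' (authenticator code required) or 'denied'."""
        if not password_ok:
            return "denied"
        if self.needs_code(account, ip):
            if code_ok is None:
                return "prompt"
            if not code_ok:
                return "denied"
            # Trust is earned only by code-verified logins, so a stolen
            # password used from a new network never builds up a skip.
            self._verified[account][network_key(ip)] += 1
        return "ok"


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    t = LoginTracker()
    for _ in range(TRUST_AFTER):
        t.login("player", "203.0.113.10", True, code_ok=True)
    print(t.login("player", "203.0.113.77", True))  # same /24
    print(t.login("player", "198.51.100.5", True))  # unfamiliar network
```

The prefix length is the trade-off the thread circles around: a wider match means fewer prompts after an address change, but also more other hosts that inherit the skipped prompt.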

Rift has been using this method since about a month after release, I guess they decided more security would be safer in light of the last few weeks and all the hacking.

I'm curious as to why they needed to make the change at all.

I mean, didn't they already have a system where people without authenticators didn't have to use an authenticator they didn't have to log in - thus saving them that step because it never existed?

And those people with authenticators did have to use them - presumably because that was the purpose of purchasing it in the first place?

Maybe I am confused about the nature of the change, if I am, I'd love to have it clarified.