I've heard of this authentication system before and I understand that it has been used successfully on several major websites. I think that it would be great if you could get the added security for D3. If an authenticator is working successfully on the WoW servers, why should I think that it would not work on Diablo servers? I hope this issue doesn't turn into another WoW-hater, thread-spamming subject.
It seems some of you don't understand how this "keychain" works. I'm the admin of one of those systems at my work. We've only had it for about a year though.
It's basically an RSA SecurID token (http://www.rsa.com/node.aspx?id=1156) with a Blizzard logo slapped on it. The token has an algorithm it uses to generate that number. It does not connect to anything. It's a standalone unit. The server (and backup server) the tokens come with knows the serial number for each specific token and the algorithm for that specific token and generates the number for authentication accordingly. It is possible for a token to get out of sync, which requires a call to the helpdesk to resync it, although this is pretty rare. I've never had to resync my token in over a year. The implementation we use is a bit more secure. If Blizzard is just requiring the code from the token there is still a chance that someone could steal your token and use it, although they would have to know your account name. We require a PIN number you choose plus the number generated on the token for a passcode. That way even if someone steals your token and steals your username from your computer because it's saved somewhere, they would still not have your PIN number. Another thing they could do is sell the USB version of the token, which has a digital certificate on it. Then if you want to connect to BNet you just have to plug it into your USB port. The battery on these things will run out after a certain point and you will have to buy a new one. I don't think you can simply replace the battery on your own. There is also what appears to be an expiration date on mine set for next year. I'm not sure if the token will still function after that. Although I have admin rights on the server I'm not really the main button pusher; the guy who sits across from me is. I'll have to ask him about that today. I know in rare cases where some VIP has left their token at home we have gone into the server and set them a static password temporarily. I doubt Blizzard will do that as policy.
I'll bet they ship every box of SC2 and D3 with one of these tokens and make them mandatory for those games. I know I would.
While I agree it's a nice additional feature, I wouldn't want it to be mandatory. I've never had my D2 or WoW account or any account for anything ever hacked. And although I can certainly see how this authenticator will help some people, I wouldn't use it; it seems like a rather big hassle.
snip
The battery on these things will run out after a certain point and you will have to buy a new one. I don't think you can simply replace the battery on your own. There is also what appears to be an expiration date on mine set for next year. I'm not sure if the token will still function after that.
/snip
With the ones that I have had in the past the battery worked long past the expiration date. I never tried to use one past the expiration date, but I figure that they wouldn't work at all since they are expired. You will not be able to replace the batteries on your own, at least on the older style; I have not used the newer style but I imagine that it is the same. Once they expired/broke we sent them back to RSA and got replacements from them; I'm not sure what the cost was, though, or if there was any.
As far as I know, the "rolling password" system uses something like a "hash". This hash is what's used to sync two systems together, and must be transmitted in a secure manner (in person, over secure line, etc. - most of the time a wired or high security wireless internet connection would be sufficient), since it's essentially the master password.
Time is not necessarily a factor, as someone mentioned, since you could just obtain a new passcode/password based off the number of uses, as opposed to the time. Even time-based could get the time off an internet server, and those are always steady.
Overall, the security may be a bit of a hassle, but it will definitely protect from brute forcing and keylogging. It will not protect from a specific virus/program on the computer that hunts for the hash code, though (even if it wasn't stored on the computer, it would need to be typed or transmitted to the computer, making it readable by a memory hook or keylogger).
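As an added illustration of what the two posts above describe (this is not code from the thread, from Blizzard or from RSA), here is a minimal time-seeded token and matching server: a per-serial seed that never leaves the device and the server, a passcode made of a user-chosen PIN plus the displayed number, a small drift window, single-use codes so a keylogged passcode cannot be replayed, and a two-code helpdesk resync. The seed (the public RFC 4226 test secret), the serial, the PIN and the 60-second step are constructed assumptions, and the code derivation is the public HOTP construction, not RSA's proprietary algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226 test-vector secret). A real token's seed is
# unique per serial number and is known only to the token and the auth server.
DEMO_SEED = b"12345678901234567890"
STEP_SECONDS = 60   # assumed code lifetime; the real token rotates on its own clock
DIGITS = 6


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """What the token display shows for one counter value: HMAC-SHA1 of the
    counter, dynamically truncated to `digits` decimal digits (RFC 4226)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """A time-seeded token derives its counter from the clock alone, which is
    why the device needs no network connection."""
    return int(now // step)


class AuthServer:
    """Server side: knows each serial's seed and PIN, tolerates small clock
    drift, refuses replayed codes, and can resync a drifted token."""

    def __init__(self, window: int = 1):
        self.seeds = {}       # serial -> seed
        self.pins = {}        # serial -> PIN chosen by the user
        self.drift = {}       # serial -> counter offset learned at resync
        self.last_used = {}   # serial -> highest counter already accepted
        self.window = window  # accept +/- this many steps of drift

    def enroll(self, serial: str, seed: bytes, pin: str) -> None:
        self.seeds[serial] = seed
        self.pins[serial] = pin
        self.drift[serial] = 0
        self.last_used[serial] = -1

    def _try_counters(self, serial: str, code: str, counters) -> bool:
        for c in counters:
            if c <= self.last_used[serial]:
                continue  # each code is single-use: a captured one cannot be replayed
            if hmac.compare_digest(token_code(self.seeds[serial], c), code):
                self.last_used[serial] = c
                return True
        return False

    def verify(self, serial: str, passcode: str, now: float) -> bool:
        """Passcode = PIN + token code. Both halves must be right, and the
        code half is only good for one login inside the drift window."""
        pin = self.pins.get(serial)
        if pin is None or len(passcode) < len(pin):
            return False
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        base = time_counter(now) + self.drift[serial]
        return self._try_counters(serial, passcode[len(pin):],
                                  range(base - self.window, base + self.window + 1))

    def resync(self, serial: str, code1: str, code2: str, now: float,
               search: int = 50) -> bool:
        """Helpdesk resync: two consecutive codes locate the token's counter
        anywhere within +/- `search` steps and record the drift."""
        base = time_counter(now)
        seed = self.seeds[serial]
        for c in range(base - search, base + search + 1):
            if token_code(seed, c) == code1 and token_code(seed, c + 1) == code2:
                self.drift[serial] = c + 1 - base
                self.last_used[serial] = c + 1
                return True
        return False
```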
Read the above posts, in particular the wiki article. The codes are seeded by the current time.
Realize that Blizzard's system may not be like RSA SecurID. I'm saying that it doesn't need to use the time. It can just use the session number (login times). Even if it was using the time, though, it could use time from an internet server, which wouldn't fail.
Making it mandatory for D3 would be suicide for the technology. Enough hackers are going to get their hands on these simply to dissect them and see how they work (me being one of them, sorry everyone...). If it's MANDATORY, then cracking the code (so to speak) will also be mandatory. The Blizzard site says it helps vs. keyloggers... except keyloggers will get your password... or your Blizzard Authenticator password... and your account name. It won't do anything against keyloggers.
This will only help people who use basic passwords like 'baseball981' that can be brute forced in seconds. People who use passwords more akin to !K293Q><32udH))Cc would only be wasting their money, especially if they had an easy way to remember such a string.
Are you kidding? How is it NOT going to help against keyloggers? Is the keylogger going to magically find your keychain and read your token? So what if it gets your username and PIN? It's still not going to have the third piece of the puzzle.
Complex password vs keylogger? Do you even understand the concept of a keylogger? You could have a 200 character password case sensitive with special characters and the keylogger is going to record it and send it back to the author.
You don't sound like a "hacker" to me. You sound like someone who runs kiddy scripts or maybe dabbles with scripting utilities to compile simple keylogging scripts and posts them up on a website as a WoW addon or new version of maphack.
You can take apart as many RSA tokens as you want. The problem is that they are ALL unique. Obviously if you get your hands on someone's token you aren't going to need to dissect it when you can just read the screen. You don't think RSA already thought of that?
Quote from "Xapti" »
Realize that Blizzard's system may not be like RSA SecurID. I'm saying that it doesn't need to use the time. It can just use the session number (login times). Even if it was using the time, though, it could use time from an internet server, which wouldn't fail.
The whole point of using time is so that the token can be standalone. How is the token going to get a session number? It's not some kind of wireless device. It does not connect to anything unless you have one of the newer ones with a USB interface.
It IS a SecurID token. It looks exactly like the older ones except for the Blizzard decal on it. If Blizzard went through the trouble of completely re-engineering the way they work, why use the same outer shell of it?
But I'm not even talking about whatever system WoW is using. I'm saying that it may be a good idea to just have the hash (with a small program) stored on the user PC. The reason for this is because if each game is packaged with a separate device instead, it means the price of the game will inflate unnecessarily and people may have extras from buying multiple games. It also makes it not feasible to buy the games online, which is something Blizzard seems to be moving towards now. It could still be an option to buy one separately though, of course, but shouldn't be forced. A separate device will be more secure, making it almost impossible to hack into, but to steal the hash from a computer would require more malicious code than a keylogger for instance, making it less of a viable option (due to fewer security holes and better anti-virus detection).
Are you kidding? How is it NOT going to help against keyloggers? Is the keylogger going to magically find your keychain and read your token? So what if it gets your username and PIN? It's still not going to have the third piece of the puzzle.
The keylogger will get the password when it's typed in, not from the authenticator. A person who wants in to your account will be patient enough for the keylogger to report the authenticator password.
Quote from "SlickSTi" »
Complex password vs keylogger? Do you even understand the concept of a keylogger? You could have a 200 character password case sensitive with special characters and the keylogger is going to record it and send it back to the author.
Why yes, I do understand keyloggers; I have edited and used them in the past. When I said it wouldn't help complex passwords I meant this: brute forcers will crack easy passwords in seconds, if not sooner (words, numbers [like the ones on the token], simple things). A person with such a simple password would be the only person to benefit from the authenticator, simply because their password wouldn't be a static, easily crackable sequence... it would change often. If you use a complex string for a password, the authenticator adds nothing. Cracking a difficult password without a quantum computer could take seconds (theoretically, if the password was guessed quickly) or centuries. I already said the device wouldn't help protect against keyloggers, so when I went on, I went on the assumption the reader would understand the rest of it wasn't conditional on whether a keylogger would be stumped or not. Sorry to confuse you.
Quote from "SlickSTi" »
You don't sound like a "hacker" to me. You sound like someone who runs kiddy scripts or maybe dabbles with scripting utilities to compile simple keylogging scripts and posts them up on a website as a WoW addon or new version of maphack.
Keylogging "scripts" by nature are simple. You can make it look purdy. But all you really need to log is the active window and the keys being typed; the extra stuff just keeps the keylogger from being viewed as an active process easily... and the code for that isn't specific to any one program (as in... reusable code). I don't write hacks for games. I don't post hacks on the internet (edit, yes, but I don't start from scratch and post it). Sorry to disappoint you. I can hack, but that doesn't mean I'll find a system and search for XSS exploits, buffer overflow potentials or DDoS it. Not everyone who understands computers is a malicious user.
Quote from "SlickSTi" »
You can take apart as many RSA tokens as you want. The problem is that they are ALL unique. Obviously if you get your hands on someone's token you aren't going to need to dissect it when you can just read the screen. You don't think RSA already thought of that?
If someone were to crack the code on a single RSA token, and write a program that could replicate the process for another (the process of getting the code from the RSA token), then all they would need is a brief moment with the token. If you were to get your hands on a token and STEAL it, the original user would most likely call Blizzard and get the device deactivated (or do it online or what have you). If someone is capable of ripping the algorithm quickly and cracking it later, it would be beneficial to merely touch the device for a few moments, and leave it looking as if it were untouched (thus not alerting the user to knowing they're vulnerable). I'm not spelling out every little detail though because that isn't necessary. I was just pointing out where some of the vulnerabilities of the system arise (I assure you there are plenty more). Many of the places these things are used are businesses who probably have few, if any, hackers trying to get in to their systems. Blizzard on the other hand will need to fight against thousands, if not millions, of people trying to break through. As it is currently only optional for WoW, it hasn't drawn much attention yet. I was saying if it was MANDATORY, then the amount of focus hackers would have would be unrivaled for the given technology.
The tokens will stop basic hackers from getting basic information and getting through basic passwords, but if the device is mandatory for everyone, then eventually someone is going to find a gaping hole in the process and passwords will be cracked through the authenticators left and right. Unless you believe this is a flawless system?
rhunex, you don't seem to know what you're talking about. If a system is keylogged, it only knows the password for the account that just logged in. Assuming it was a quick person who was at the computer while they were reading the fresh/live keylog (unlikely), it would still do no good, since the user's already logged in, and it would likely prevent anyone else from logging in until he logs out, which would most likely be after a new password would be necessary to log in.
Brute forcing is completely useless against a 36-character-depth, 12-length string. The possibilities are about 5x10^15; considering that there would be brute force protection (preventing mass login attempts in short periods of time), it would be virtually impossible to ever get close to cracking the TEMP password, which doesn't even last long...
edit: it's actually 11 digits, and we don't know if it's alphanumeric or not. Even if character depth was at 10, at 11 length, it's still strong enough with hammer/brute-force protection.
Obviously, a person who has physical access to the security device or computer could quite easily get the "master information" (token, hash, or whatever you want to call it)... that doesn't make it insecure...
The one slight issue is if the information is kept on the user's PC, in which case it is vulnerable to some viruses which could steal the information. The problem with that, though, is that the virus would use actions which are more malicious than just a keylogger, making them much easier to be blocked by the operating system (or much harder to find security holes for), as well as much easier to be detected by anti-virus programs. When you get to this point, there's nothing else you can do, since it's the user's own damn fault if they use an unsecured computer.
You can read all about it here:
http://us.blizzard.com/support/artic...rticleId=24660.
http://en.wikipedia.org/wiki/SecurID