How the Blizzard Authenticator works

#0 - July 1, 2008, 4:38 p.m.
Blizzard Post
How the Blizzard Authenticator works, and why it improves security.


On 26/06/08, Blizzard announced the Blizzard Authenticator, a device that provides your WoW account with an extra layer of security. They sell this device in their Blizzard Store for €6. You may consider buying it, but is the extra security really worth the money? How much more secure does it make your account? This post will explain how this device works, and exactly why it makes your account more secure.


===UPDATE 28-2-2010===

A new kind of trojan has been found that circumvents the protection given by an authenticator. More info at the bottom of this guide, and the following link.

http://www.mmo-champion.com/news-2/authenticator-accounts-hacked-icc-quests-crimson-deathcharger/


===How the authenticator works===

The Blizzard Authenticator is a token that you can put, for example, on your keychain. It has a little display that, once you press the button, will generate a 6-digit number that changes every minute.

This number is used as a one-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won't be able to log in.

A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn't there any way for them to know which number the authenticator is going to display? The answer is no, and here's why.

Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example, the WoW release date, Tigole's birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can't extrapolate that into what number will be showing next.

The hacker also can't hack into the device itself to find out its key, because it doesn't connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.

So, if the hacker can't know your one-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, Blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.

Even if the time on your authenticator doesn't exactly match the time on Blizzard's server, they still allow you to log in within a minute or so of the defined time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. This is a tested method that has proven itself to be secure.
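The scheme the post describes (a per-device secret, a clock counter, a small tolerance window for clock drift, and codes that are disabled once used), as an added illustration that is not Blizzard's actual algorithm or code: a TOTP-style token and the matching server-side check in Python. The 60-second step, HMAC-SHA1 with dynamic truncation, and the account and secret names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: the displayed number changes once a minute, as the post says
DIGITS = 6          # the token shows a 6-digit number
WINDOW = 1          # accept one step on either side to tolerate a slow or fast device clock


def token_code(secret: bytes, unix_time: int) -> str:
    """What the device does: turn its seconds counter into a 6-digit code using
    an HMAC keyed with the device's unique secret (HOTP/TOTP-style truncation).
    Without the secret the output is unpredictable, even given earlier codes."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class AuthServer:
    """What the server does: it holds every device's secret and remembers the
    last counter each account consumed, so a code can never be accepted twice."""

    def __init__(self) -> None:
        self.secrets: dict[str, bytes] = {}      # account -> device secret
        self.last_counter: dict[str, int] = {}   # account -> highest counter already used

    def register(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret
        self.last_counter[account] = -1

    def verify(self, account: str, code: str, server_time: int) -> bool:
        secret = self.secrets[account]
        now = server_time // STEP_SECONDS
        for counter in range(now - WINDOW, now + WINDOW + 1):
            if counter <= self.last_counter[account]:
                continue   # this step (or an older one) was already used: replay refused
            expected = token_code(secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter[account] = counter   # disable this code from now on
                return True
        return False


if __name__ == "__main__":
    secret = b"constructed-device-secret"   # constructed sample, not a real key
    server = AuthServer()
    server.register("player", secret)
    now = 1_214_930_000
    code = token_code(secret, now)
    print(code, server.verify("player", code, now), server.verify("player", code, now))
```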
#19 - July 2, 2008, 10:46 a.m.
Blizzard Post
Nice one, Ysgarth :-)