#519 - July 10, 2011, 5:16 p.m.
Will you people please shut the hell up about spoofing IP addresses? Read the thread and realize it's not a valid attack vector.
God dammit...
True, the IP alone won't work. But if you tunnel through another PC (e.g. one you have a keylogger on) you can get in to their account without an authenticator. This definately works as I've tested it using my own account. It's a flaw that was brought up on day 1 of the changes, but blizzard have ignored it.
Since this is such an obvious flaw and not something blizzard would miss (I hope). They must have made this change for money reasons, reducing bandwidth usage at the cost of people who use authenticators. There is a way to re-enable it though by altering the registry and preventing wow from saving authenticator info on your system :)
This isn't a money saving scheme since your not actually spending anything to generate the code, nor are you impacting bandwidth in anyway. While your concerns are noted, your account no less secure than it was before, the only change is that you will only be prompted once a week to enter unless you change IP address, from where you'll need to enter your authenticator code.
There are a lot of valid concerns, which our developers are aware about, however we cannot give a direct response to all posts made.
Never the less we are not ignoring any feedback posted, its read and noted.
As for authenticator information, this is managed server side not on your actual system.