About the Recent Authenticator Change

#1 - July 24, 2011, 5:41 p.m.
Blizzard Post
after a month of non-replies, the original linked posts being deleted, 13 CAPPED threads asking for an opt out or a rollback of the authenticator change (really we just wanted an opt out of the failed system)
as of now numerous players have quit or are quitting (my acct expires in days) as we are unhappy about the change and the lack of response from Blizzard

I expect this to be deleted in short order, but as the one on the Tech forum (and we suspect soon the one on the CS forum) have already been ignored and / or deleted
(yes this is a cut and paste)

System start date
http://us.battle.net/wow/en/forum/topic/2743697739?page=14#264
Official notice
http://us.battle.net/wow/en/forum/topic/2674529777#1 (deleted)
http://us.battle.net/wow/en/forum/topic/2674529793

A computer may have been marked as authorised before the system went into effect
http://us.battle.net/wow/en/forum/topic/2674980195?page=25#489

Computers marked as authorised may not need to be individually re-authorised
http://us.battle.net/wow/en/forum/topic/2743697739?page=14#278

Computers marked as authorised may not need to be individually re-authorised, even if in different locations
http://us.battle.net/wow/en/forum/topic/2674991820?page=24#474

A change in location and ISP may not prompt for an Authenticator code
http://us.battle.net/wow/en/forum/topic/2674990905?page=25#496
http://us.battle.net/wow/en/forum/topic/2674991820?page=25#485

The WoW client uses a registry key on the client machine to determine if an Authenticator code is required
http://us.battle.net/wow/en/forum/topic/2674990905?page=6#117

The system is designed to prompt for the Authenticator code weekly
http://eu.battle.net/wow/en/forum/topic/2226156035?page=27#536

Blizzard are still advertising the Authenticator as a 'use for every login' device
http://us.blizzard.com/store/details.xml?id=1100000822

There has been no official response from Blizzard on the US forums, but there have been two responses to a much smaller discussion on the European forums
http://eu.battle.net/wow/en/forum/topic/2226156035?page=26#519
http://eu.battle.net/wow/en/forum/topic/2226156035?page=27#536

A player also claims to have tested a proof of concept attack that duplicates the stored registry key onto a virtual machine to allow un-authorised login
http://us.battle.net/wow/en/forum/topic/2743697739?page=15#283


Whilst the registry hack will cause an authenticator prompt at login, this obviously won't affect any other 'authorised' computers.

I would also note that it would be relatively easy for a variant of the existing man in the middle attack to use this registry hack to force an authenticator prompt.

Whilst I acknowledge that there will be issues that Blizzard and I disagree on, I find it very disappointing that they have elected not to respond to player concerns, and even more disappointing that they are now deleting threads.
Community Manager
#148 - July 26, 2011, 8:53 p.m.
Blizzard Post
We understand the concern many players have with the recent Battle.net authenticator changes. To that end, we’re exploring the idea of adding an “Opt Out” option within Battle.net Account Management, which would then force the prompt for an authenticator code whenever you log into World of Warcraft.

To be clear, we have gone to great lengths to ensure Battle.net accounts and authenticators provide players with a high level of security. Maintaining a safe and secure Blizzard gameplay environment remains a top priority for us.
Community Manager
#167 - July 26, 2011, 10:27 p.m.
Blizzard Post
We understand the concern many players have with the recent Battle.net authenticator changes. To that end, we’re exploring the idea of adding an “Opt Out” option within Battle.net Account Management, which would then force the prompt for an authenticator code whenever you log into World of Warcraft.

To be clear, we have gone to great lengths to ensure Battle.net accounts and authenticators provide players with a high level of security. Maintaining a safe and secure Blizzard gameplay environment remains a top priority for us.


Isn't this going about it a little backwards?

I recently added an authenticator to my account. While I don't ever want to have to enter the code while I'm at my home computer, if I were to visit a friend's house and use his, I'd sure want it to force the code each time.

Wouldn't an opt-in make more sense? You have to enter the code every time unless you log in to account management from the computer you want it to save it for? Or since that seems kind of impossible (thinking about colleges here where there may be many computers behind one IP), maybe it should just be done at the login page.

We've been discussing the best way to implement new options for this feature since the moment it was announced. We don't yet have additional details about exactly how we might implement the feature, or whether it's something you'll need to opt out of by default, or opt into by default.
Community Manager
#173 - July 26, 2011, 10:51 p.m.
Blizzard Post
07/26/2011 03:30 PM, Posted by Kodiack
Zarhym, out of pure curiosity, what happened to the original thread? There was some great reference material there!

I'm not sure. I just came across this one and wanted to get some visibility on the fact that we've been gathering player feedback on this change all along.