Tobold's Blog
Wednesday, July 09, 2008
 
Blizzard authenticator mandatory one day?

Jack-o-Lantern wrote me, because he was wondering whether the Blizzard authenticator had hidden implications. Using it certainly increases the security of your account. But it also makes it harder to sell an account, because you would need to send the authenticator by normal mail, not just UserID and password by e-mail. And it makes it harder to share accounts between guild mates, or give your account temporarily to a powerlevel service. Thus the authenticator cuts down on a lot of behavior which Blizzard previously had problems stopping.

Right now Blizzard can't produce as many of the authenticators as people are willing to buy. But I'm guessing guilds in which a lot of account sharing is going on simply won't buy the thing. So what if later Blizzard makes the use of the authenticator obligatory, for example by packing one in the next expansion box and only unlocking accounts for the latest expansion if it is protected with an authenticator?
Comments:
I like the idea, but then again not even banks can force people to use authenticators. I don't see it happening unless it comes with the box and is not something added after launch of a game.
 
Forcing it would be a disaster. Imagine how many people would call about a lost/broken authenticator, and then complain they lost game time due to a broken authenticator?

It would solve a ton of problems with gold sellers and such, but it would be a nightmare to actually make it work in a reasonable fashion.
 
Sobering thought.

It doesn't hamper account sale because you can turn it off easily through admin.

But you're right, it would be a good way to eliminate the scourge known only as "lemme hop on Bob's alchemist to make those" that's tearing Azeroth apart...
 
Well.. here banks do force people to use authenticators if you use their Internet services. Blizzard will do the same if the cost of getting a one-time-password generator for everyone is less than the manpower spent in resolving hacking incidents.

As always, people will complain, but unless the authenticator contains a structural or a logic flaw, there's little grounds for any sort of compensation. Blizzard is doing its customers a favor with the authenticators. They're not responsible for securing the customers' computers, but still they're doing what they can: damage control. Even if the username/password is compromised by a trojan or a virus, the authenticator can limit the damage to one login session. If the customers can't keep their computer (and thus their username/password) secure and their authenticator secure and in working order.. there's little Blizzard can do.

It's not the automaker's fault if you keep losing your keys.
 
I wonder how they could make mandatory authenticators work with trial accounts or prepay cards, which tend to be favoured by gold farmers.
 
Then I might consider resubscribing to WoW :)
 
Yes, it would completely solve many issues like account hacking and sharing/power leveling.
But it would cost Blizzard a lot. If they were to become mandatory, then Blizzard can't expect people to pay for them and replace them when people lose them, and also that will require a huge new separate customer service division.

It's a nice idea but I don't really think it would be very easy to implement or worthwhile in the long run.
 
Here in Italy, some banks do use those keys and they _are_ mandatory.

Same thing for some working places. You have a hardware authenticator like the one provided by Blizzard and you need it to log in to the intranet.

Those keys are all the same. They may differ in shape or logos. But the chip and the maker is usually always the same.

@notmercury
I thought that you can't simply turn it off from your account admin. As I had read from the FAQs, you can activate it that simply. But deactivating needs Blizzard assistance.

@Sven
Trial accounts and prepaid cards aren't an issue with the Blizzard Authenticator.
Trials can be the same.. just trials. They are already pretty limited and actually are used only for spamming.
And prepaid cards are a form of payment and not a form to login. You can keep using prepaid cards.

Also, WoW in Europe and North America... is handled very differently in comparison to China. Starting from the simple fact that the servers there aren't run by Blizzard. So eventually Blizzard could use a policy that is very different from China. As is already the case with the billing and revenue model.
 
I doubt Blizzard would ever force you to use a hardware authenticator. Doing so is just too much logistical trouble:

1. Have to distribute authenticators to all current subscribers.

2. If including one in retail box, have to either eat the additional expense or raise the price and piss off the customers.

3. Loss of account access if the authenticator is lost or broken.

It's a nice OPTIONAL idea, especially if you can make a couple of dollars on each unit you sell. But making it required isn't worth it.
 
Wow. This is the exact same thing as having to have a dongle to use certain software. That's really not used anymore either. It'd be like 1998 all over again.
 
"Blizzard authenticator mandatory one day?" i think maybe.
 
I think the idea of including one in-box with all expansion (or at the very least one with each collector's edition) would be a good idea. Making it mandatory for all accounts would likely not fly very well, due to people losing it or other sundry reasons.

However that being said, requiring it for registering your expansion and other such would _SEVERELY_ impact account trading and GoldFarmer hacking. No more free accounts for the malware industry would quickly cause the more spurious on services to dry up. More hardworking or PowerLevelling services could still exist, provided they are within the same relative area (shipping overseas takes forever and costs a fortune).

That however would see the end of cheap powerlevelling, cheap farmed gold sales and such. I imagine there would still be services like people selling Bear Mounts in timed runs and selling spots on high level farmed end game content to beef up a character. This would not eliminate those, nor would it eliminate Account trading or the gold farming industry entirely.

The idea that it would be required is nice, but would put off a lot of people. Granted the process is rather simple, but so many people are phobic of technology despite using it to play their game.

Needless to say, it is an idea that does warrant some debate and possibly mention from Blizzard as to what their eventual plans are for them.
 
simple case of the bad apples ruining it for the good apples.

an internet without spam, keyloggers, hackers, cheaters, crackers, pirates....
 
Blizzard is still a company that wants to sell boxes, so I don't see a reason why they should make it more difficult for the user to use it.
To be honest, I don't see a security problem in the login system used in WoW right now.
I never heard of an account hack where the hacked person is absolutely innocent.
 
No different than using a memory card in a console.
 
I don't think Blizz will make the authenticator mandatory. If they included it in the expansion they would need to charge $6 more, or basically give away $6 to 10 million people. Also I'm sure having to use the authenticator would ruin any chance of playing WoW on someone else's PC. For example just logging on to your buddy's PC to show them your toons/gear.
 
@Preston
Those hardware keys don't cost 6 euros, they are sold at 6 euros. Blizzard surely pays less. It remains to be seen what costs more: giving out those keys or assistance for stolen accounts?

Also, you can always play on another PC or at a friend's house as a guest... all you need is login/password as before AND your Blizzard authenticator, which can be with you along with your house/car keys.
 
I understand banks use authenticators and some make it mandatory, but working in the IT field with the darn little things, I can tell you a lot of people will forgo using the service if it is required. Hence, why it is optional with most banking institutions I am aware of. US btw.
 
More likely they'll only offer certain services for people with it, to get people to sign up. Like if you get your account stolen, then say they'll only restore it if you pay the $6 for the authenticator. This would be pretty logical for them to do, since someone who got hacked - if due to carelessness - may be more likely to get hacked again. And it probably costs them more in labor to investigate and restore an account than it does to send a keyfob over.
 
I can totally see them requiring these. However I think the choice will be based on whether this device reduces support costs enough to be worth it. Selling them for a low cost is the best way to see how much they cost to support (people will lose them, etc.).
 
@anonymous (about Dongles)

I was thinking the same thing

AutoCAD got rid of these, and all I can think of is the issues that arose from the "Dongles" in the past.

Some companies made you pay for a new one if you lost your old one.
I could see the same thing here.
Thanks, but, No THANKS!
 
Blizzard can do whatever they wish. I hope they do make them mandatory. The sooner, the better.

Does anyone realize how many millions of dollars and thousands of man hours Blizzard spends on investigating compromised accounts?

As a subscriber my focus should be on enjoying my play experience. Now when people log into WoW they do so with the fear that their account could be hacked by an international organized crime ring. That's unacceptable.

Blizzard has no choice but to introduce these authenticators. For once I agree with something that Blizzard has done. Now if only they would clean up the official forums...
 
So Blizzard should make us pay millions because it cost them millions to make even more millions?
Authenticators are a bad idea. Go on a trip and forget it. No WoW. Go to your friend's and you can't log on and check your auctions if you want. Break it, lose it to a lightning strike etc. and you have to buy another.

Nothing good there at all but them putting the onus on us for what is their job. And 1 week after they are mandatory hackers will be stealing your key information and creating fake keys. Anything can be copied.
 
Do you even know what an authenticator is? It's not a dongle, it's a one-time-password generator. It fits onto your keychain and can't be plugged into anything, so it won't be fried by lightning. You press a button and get a unique password that's only good for one login, so there's no point in keylogging that, because the password is already obsolete the moment you log in.

If they really wanted to hack an authenticator-protected account, they'd have to steal your authenticator. A physical item on your keychain. If that happens, then your WoW account is the least of your concerns.
 
If it's on your computer and takes a surge. And I've had my USB port just blow and take out a flash drive, it's gone. It's still a device you have to remember to carry with you if you're not home. Remember the days of companies screaming because they had salesmen in Seattle that couldn't get on the network because their safe card was in their desk because IT security told them not to take it home? I do. They broke. We occasionally had the safe cards go bad. In theory that was never supposed to happen but it did. And of course no one wants to talk about what happens when you restore your database and 1000 or more users are now not on the list of authenticated smart cards. Lots of things work well in theory or in a lab and the real world makes them suck. The first time I showed up at a friend's house for a LAN party and couldn't play because I forgot my dongle because I took my wife's car instead of mine I'd find a new game.

And the simple fact is: if I pay for the game and I pay a monthly fee I'm not paying for a dongle because the company getting my money is looking for a cheap out to doing their job.
 
Actually.. the reason why Blizzard is introducing authenticators is that customers aren't doing their part and securing their own computers. So it looks like it's you that's "cheaping out" of something.
 
You know every company like Apple that soars to the top of the food chain gets there for one reason. They figure out what their customer wants and just accept their human flaws and work with them.

Good luck changing people. That's generally a recipe for businesses that flop. And the whole time a bunch of bitter whiners go down with the ship screaming about stupid lazy customers.
Inconvenience your customers for your own selfish reasons at your own risk. Just don't whine about it when sales drop more than the money you save on your IT security.
 
So, it seems like we're in the "damned if you do, damned if you don't" situation then. If customers' computers get hacked and they lose access to their accounts, it's Blizzard's fault. If they introduce something to avoid that, it's Blizzard's fault. It's pointless to continue this "discussion" at that point.
 
For now, in Europe...
I think not many will buy an authenticator.

Now it is again available through the shop but.....

Express shipping:
Subtotal: EUR 5,04
Sales Tax: EUR 0,96
Shipping & Handling: EUR 11,20
Shipping Tax: EUR 2,13
Grand Total: EUR 19,33

Standard shipping:
Subtotal: EUR 5,04
Sales Tax: EUR 0,96
Shipping & Handling: EUR 8,30
Shipping Tax: EUR 1,58
Grand Total: EUR 15,88

This at least for Italy
And to me, it seems a bit expensive... especially for the standard shipping.

and what's shipping tax!?!?
Items can have taxes, but not shipping!!!!

And we have to consider that the key doesn't even need special security while being delivered. It isn't like a credit card that could be used if stolen. An authenticator, if stolen (prior to receiving it), is useless... oh well... it could be used with another account, by activating it. But it can't be used to steal access to an account.
 
I never said it was Blizzard's fault if a customer's account got hacked. But one of the unfortunate side effects of the internet age is every smart company in the world has an IT security department spending resources trying to deal with the internet con men, thieves, etc.

They were there screwing customers and companies were trying to deal with ways to thwart them long before electricity existed. I'm simply saying if your efforts to get the bad guys inconvenience the customers you've gone too far down the road of being a cop instead of a company focused on delivering your core product. And your company will pay the price for that poor decision. Hollywood trying to figure out why their movie download solutions always fail is a perfect example. The pirates get the movies and copy them no matter what they do. But they punish the fools that try the new high tech delivery systems out of fear of the new. And as a result they fail every time.
 
"I'm simply saying if your efforts to get the bad guys inconvenience the customers you've gone too far down the road of being a cop instead of a company focused on delivering your core product."
That's a rather strict criterion. It's quite inconvenient to be forced to remember a username and a password. It's quite inconvenient to be forced to use a key to get access to your car. Or your house. Why can't everything just be unlocked?-)

Security is always a tradeoff. If you evaluate companies according to an unfulfillable criterion, you're bound to be disappointed again and again. The point here is that one-time-password generators trade a small inconvenience of having the key with you for a rather large increase in security, because the security of your computer ceases to be an issue.
 
But Shalkis. Is the security that big a deal for a large percentage of the WoW target audience? What percentage of people are we talking about? .00005, 1 percent?

50%?

I suspect we are talking less than one percent of the accounts being hacked. And most of those are probably hacked by friends or family that would have had access anyway. Security is always great. But security always adversely affects usability. Thus the never-ending fight over whether you are going to be accessible or secure. Because you can't have both.

And as heartless said, people won't use them for their bank accounts. And you think you can force them to do it for a game?

I remember doing executive support, generally the executives were the worst offenders because they wanted easy, not secure. As far as they were concerned us IT guys were the cops and we were supposed to be invisible. That's where most of the paying customer base stands on the issue too.
 
There's around 10 million WoW players. That's a player base big enough to attract malware authors to create WoW-specific viruses and trojans, so I seriously doubt that it's just "friends and family" that are doing the hacking.

And security is not always great. Even in the age of auto-updating operating systems and anti-malware packages, there's a lot of unpatched and unprotected systems out there. And what happens when those systems are compromised and the account name/password stolen? Will users blame themselves for not installing patches? Or the operating system/application vendors for creating vulnerable programs in the first place? No. What they see is that they're unable to access WoW, so they're going to blame Blizzard. They're going to call customer support. They're going to tell their friends, blog and complain. And even 1% of 10 million is still 100 000 angry customers. Making those 100 000 customers happy again (or at least content enough to keep subscribing) is going to cost a lot of money, probably more than what 10 million one-time-password generators are going to cost to manufacture.

And yes, some banks can and do force people to use authenticators. But their customers have been educated and realize that it's in their own best interest to use authenticators, because they're the ones that are going to be a lot more inconvenienced by an account compromise than by having to use an authenticator.

The customer is always right, but sometimes they are forced into forming an opinion using incomplete or even misleading information. For example, someone might claim that the authenticator is something that it clearly isn't. If that is the case, then Blizzard is truly "cheaping out" and not working for the customer's best interest or even their own.
 
But you just sidestepped my point, Shalkis. If you lose 150,000 customers to make the game safer for the 100,000 customers then you have lost.

And again having some experience in Law Enforcement and IT security I'll state again. Most of those accounts hacked were most likely by friends or family members or friends of family members. Just like identity theft. Most people's identities are stolen by someone they know.

Yes, making the MMO safe for 100% of the customers is an admirable goal. But I still predict more lost accounts from frustrated people who left their dongles at home, or their dog chewed it up, their baby threw it in a glass of coke, or the USB port surged and blew it out, than from people you'll keep because of the security.

The twisted thing here is: if you make it perfectly secure no one will notice. Because nothing's wrong it will be an invisible benefit they never notice. If they are inconvenienced by your security measures they'll hate you every time. It's one of the reasons working in IT can be so frustrating.
 
I will sidestep your points as long as you keep spreading misinformation and thus basing your arguments on false information. The one-time-password generator is not plugged into anything. Who are the customers going to believe, you or their lying eyes?

Secondly, WoW players are a huge target and thus remain lucrative for hackers that don't know their victims. Why would Blizzard do anything if the costs from angry customers hacked by third-party attackers weren't substantial already? I am not advocating that Blizzard makes the authenticators mandatory. I'm simply saying that it could be worth it. If this "trial run" proves that the (downplayed) benefits outweigh the (exaggerated) downsides, Blizzard will do it in a heartbeat.
 
I may have gotten that one point wrong. But most accounts are compromised by friends or family. They have the easiest access.

And I still stand by my belief that if you make it mandatory you'll upset more people that didn't think there was a problem than the people screaming it is a problem. If you work somewhere where your job is to listen to the people screaming for help you begin to think everyone needs your help and lose your perspective.

If you want to ignore everything I say and keep the pit bull argument over the tiniest part of what I said, have at it. It only reflects on your ability to talk about the issue rationally.
 
I brought 4 authenticators back from Paris.

I'd like to correct some false information that is swirling around.

1. The key is not plugged in anywhere. It's a standalone device with a battery (runs several years).

2. The push button doesn't generate a new number, but only turns on the display (to save battery life).

If you push 2 times in a short period, you get the same number.

The number is generated using a Seed and the Time interval since it started to run.


As for making it mandatory, I think it would give another reason for some people to complain about Blizzard, but in the end most people would benefit from it (even those who complain the most).

Keyloggers are really a big problem, and with WoW in focus, the energy behind the foes to steal your account is bigger and bigger.

Of course you could secure your system, and wouldn't need such security tokens, but 100% security would mean you don't browse to unknown websites, you don't use any 3rd party tools (such as Teamspeak, ICQ, AIM, etc.)

Let's be realistic, 95% of all computers have a very lousy security standard.

And hacking someone's account doesn't only hurt that guy, but also other people will be affected by it.

How about having an Ingame "Symbol" if someone's account is secured, so the community would regulate itself.

People without a secured account would, for example, not get Bank privileges in some guilds etc.

That would "friendly" force people to buy the extra layer of security themselves.
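
The behaviour described in the comment above (a number derived from a seed and the elapsed time interval, so two presses close together show the same number) and the earlier point that a logged code is useless after login, as an added example that is not part of the original post or comments. The device's actual algorithm is not given on this page; this sketch assumes standard RFC 6238 TOTP with a 30-second interval and 6 digits, and the seed is the RFC test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumption: RFC 6238 default interval, not stated on the page
DIGITS = 6          # assumption: code length
SEED = b"12345678901234567890"  # constructed sample seed (RFC 4226/6238 test key)


def code_for_counter(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC the interval counter, then truncate to DIGITS digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def code_at(seed: bytes, unix_time: int) -> str:
    """What the token displays at a given time: depends only on seed and interval."""
    return code_for_counter(seed, unix_time // STEP_SECONDS)


class Verifier:
    """Server side: accepts a code once, within a small clock-drift window."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest interval already consumed by a login

    def check(self, submitted: str, now: int) -> bool:
        current = now // STEP_SECONDS
        first = max(0, current - self.drift_steps)
        for counter in range(first, current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # this interval's code was already used: reject replays
            expected = code_for_counter(self.seed, counter)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    server = Verifier(SEED)
    first_press = code_at(SEED, 31)    # button pressed at t=31s
    second_press = code_at(SEED, 59)   # pressed again inside the same interval
    return {
        "same_interval_same_code": first_press == second_press,
        "login_accepted": server.check(first_press, 40),
        # A keylogger that captured the code and replays it seconds later:
        "keylogged_replay_accepted": server.check(first_press, 45),
        "next_interval_code_differs": code_at(SEED, 61) != first_press,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The replay is rejected because the verifier remembers the last interval it accepted, which is what makes a time-based code "one-time" even though the token shows the same digits for the whole interval.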
 
First you say that:
"You know every company like Apple that soars to the top of the food chain gets there for one reason. They figure out what their customer wants and just accept their human flaws and work with them."
So, Apple is a good company because they do what the customers want, but..
"If you work somewhere where your job is to listen to the people screaming for help you begin to think everyone needs your help and lose your perspective."
..it's bad to do what customers want?

So, Blizzard should pre-emptively react to possible customer complaints about logon inconveniences, but Blizzard shouldn't react to actual customer complaints about compromised accounts?

Damned if you do, damned if you don't.
"If they are inconvenienced by your security measures they'll hate you every time. It's one of the reasons working in IT can be so frustrating."
You know it sucks, but don't seem to see a way out. Sometimes the key is not just listening to customers, but also looking at their problems from a distance and looking at different metrics. Sometimes you'll find the root cause of the customers' problems and you can do what they needed you to do, not what they wanted you to do. However, unless you properly explain your reasoning to the customers in terms they can understand, that effort will be negated by kneejerk reactions. Kind of what's happening here. Crucial facts get overlooked and ignored, and the customers will only end up seeing the strawman version of your reasoning. And that serves neither your nor their interests.
 
All I've seen you do is argue your position and ignore the statements I've made about the fact that we are talking about a very, very small number of customers. Your point, as I understand it, is that inconveniencing everyone is the price to stop that minority from suffering in a VIDEO GAME. In my words: the good of the few outweighs the good of the many. And your main reason for doing this is that it costs Blizzard money every time they have to do anything about it.

Still have yet to hear a compelling argument for why this is such a compellingly necessary step. If I don't lock my door at home should the police come check it for me every day? NOPE..

Same thing here. If 1% of the base can't take care of business I see no reason to inconvenience the other 99%. And I suspect it's less than 1%.

This damned if you do damned if you don't is just pure misdirection and angst. Pure wasted energy.


And as you are so upset you can't seem to get the message. I worked in a law enforcement agency for 5 years. A substantial number of officers tend to fall into the trap of believing the whole world is falling apart because they see the dregs of society every day. Statistics don't bear this out. In fact at least here in the US crime rates have gone down a lot over the last 40 years.

It's the same in IT security. If .05% of 10 million people are constantly screaming that the sky is falling it's really hard to accept that it's a small problem. Instead you end up getting buried by it and begin to live it until that's your whole world and you can't see anything else.

Or in Nietzsche's words: "If you stare into the Abyss long enough the Abyss stares back at you"

It is very applicable here.

It is a small problem being handled quite well now. It just seems bigger because you have 10 million people that weren't in the MMO world 5 years ago.

But if you want to keep screaming you're damned if you do and damned if you don't, feel free to play the martyr.

If you had actually read my previous posts and addressed the overall argument you'd have realized by now I've clearly stated I think it's a minor thing in the overall scheme of things. Less than one percent isn't a reason to change up things.
Of course if you can show me some numbers that prove it's far bigger than that I'll be open to them.

Or you can just keep whining.
 