WoW’s New Security – Authenticator

World of Warcraft, Security Authenticator

The Bliz Clicker

WoW’s Security has gotten better!

WoW’s always been a little bit ahead in account security and restoration. Their “Launcher” (the equivalent of FFXI’s POL launcher) actually scans for well-known trojans to make sure your PC is clean (it also scans for hacking programs), and they respond quickly to a compromised account. FFXI is a little different... I know a few friends who got their accounts jacked, and it took 3 weeks to get something restored. Hell, I even know one today who got partial item loss! They still have their account, but item restoration (Rare/Ex) was not possible... Anyway, Blizzard has finally deployed an industry-standard secure login: your normal login authentication (which consists of your username + password) plus the Authenticator, a.k.a. the “Clicker”. This is what’s called “two-factor authentication”, meaning even if one thing is compromised, it will still remain safe!

Blizzard Authenticator

After registering your authenticator with Blizzard under WoW’s account management, the login screen will require 3 pieces of information instead of two.

UserName: (Or your POL ID)
Password: (POL Password)
Authenticator: (The randomly generated number based on “some information”)

Authenticator Registration

The easy way of how it works.

The Authenticator code is a number that is “generated” from the serial ID of your authenticator combined with “some other information” that is calculable, such as time. The code will only be valid for 60 seconds before it expires.

For explanation, we’ll use an easy way to explain the general concept. The real authenticator will work in a much more complex way.

Say the serial of your authenticator is 123456 and the time now is 1400. If you log in at 2pm, when you press the authenticator it will give you the number 123456 + 1400 = 124856.

Mai work Authenticator or “Clicker”.

Blizzard knows your account’s authenticator serial is 123456, so they are “expecting” the input 124856 from you, that is, “if” you have the authenticator. Part of the registration is “asking for your authenticator serial number”.

Say another person’s authenticator serial is 100000 and the time now is 1400. Logging in at 2pm, that person will have a totally different Authenticator password: 100000 + 1400 = 101400. Which means your authenticator will not work with other accounts.

Because this is randomly generated, brute forcing is nearly impossible. Keep in mind, the real authenticator works in a much more complex way, which probably requires a pretty complex algorithm (program code/equations).

It’s not new technology.

I’ve been using this to access my corporate network’s data. But I’m glad Blizzard has taken the step to bring this security technology to their customers.

Now we just have to hope SE puts this “Authenticator” into our next expansion or offers it for sale. Blizzard is selling it for 6.50, cheaper than a mouse pad. Obviously they aren’t really looking to make money from this thing, but the cost saving from not having GMs speaking to customers about account compromises is an indirect saving/profit from selling this Authenticator.

If you play WoW, you can keep an eye on this page. It’s listed as sold out atm.

Here are some articles related to WoW’s Authenticator.

As always, keeping an account secure is the responsibility of the user. Here’s a guide from Blizzard regarding protecting your account.

4 Responses to “WoW’s New Security – Authenticator”

  1. pyra says:

    I’m not quite sure that’s how it works.

    One thing I noticed is that it does not work like an RSA token (probably the most familiar of the security tokens). It says in the description that you have to press some button on the authenticator to get your random number. Which to me, implies that it works more like your car keyless remote.

    Every time you press the button, it generates a new number. The authentication backend stores the next 50-100 possible numbers, and if it sees #35 come in, it will invalidate #1-34.

    No matter how you look at it, it is better than nothing. It does not, however, offer the same level of security that the corporate-level RSA tokens do.

  2. Maiev says:

    You are right, it does not use the RSA token, at least from my understanding.

    But I simplified it for explanatory purposes. I notice that at least the key on my own corporate authenticator changes every 20sec, but the key you generate each time is valid for 60sec, for people that type damn slow.

    I was under the impression that it’s got a timer, but it’s also got to have some way of being unique, hence some people’s theory of generating a number via using the serial of ur authenticator… which doesn’t sound all that impossible/not feasible. But yea, it’s better than nothing and is sure way better than just using a single-authentication method.

  3. Sofo says:

    That would be a really welcome method (the authenticator) from what I could skim-read while at work. Would most likely have prevented myself from being hacked after quitting (though I admit it’s not such a big loss now, but still is!).

    Now if only SE would take a few tips from Blizzard there wouldn’t be much regretting after all.


  1. […] actually not a toy, but the security feature that I talked about awhile back! Well I finally got myself one and its pretty lol! Feels safe to login from remote location too. So […]
