Battle.net Authenticator Changes, Don’t Panic!

So in case you missed it, there was a recent change to how our accounts are authenticated. Here it is again if you didn’t see it.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late – http://us.battle.net/en/security/checklist

Well, this statement has raised quite a few questions. Many of us in the gaming community work in Information Technology / Information Security, and we are quite honestly interested in having more information on this.

Now before I get started I want to have a note here that the information after this point will represent a more general view of internet protocol. This is not intended to be a tech manual, just the musings of an internet worker who is also a gamer.

There are a couple of ways that you might authenticate a computer at a physical location. One is by authenticating the public IP address that is reaching out to the login server. If you see multiple requests from the same IP in a short period of time, you can assume this is the same person to a certain degree. This works in part because IPs are purchased by ISPs and assigned to a specific region. After that, you as the user rent the IP with a lease, sort of like renting an apartment. If you have a static IP, you have a “permanent” lease on that particular IP. If you use a DHCP service, like cable internet, it may change based on what’s available. Every time you get a new IP, it’s from your local region and the local pool. It could also authenticate by not only your public IP address, but also your computer’s MAC address. A MAC address is a unique identifier that all networking devices have. Think of it like a social security number for your computer. Each one is unique per device. There are, however, a couple of potential problems: IPs and MAC addresses can be spoofed. Not that it’s something you should be worried about all the time, but it is a fact that it can happen. Also, if you have a dynamic IP and the system authenticates solely by the address, every time your IP changes it could cause issues.

Another manner is the creation of software tokens that are placed on the client end at the point of logging in. Essentially you log in to your account and a software token, or marker of a successful login, is created on your machine to further authenticate you. By doing this, the server can validate the token on your machine instead of requiring you to punch in your authenticator code every time. The potential problem with software tokens is that if your system is compromised due to trojans or other methods, it could result in the security token being compromised. Again, this isn’t something to worry about all the time, but it does happen.

There are several other methods you could use, but those are probably the easiest.

So what method is Blizzard using? Well, I decided to perform a little experiment last night to see what I could glean as far as information goes. Since I work for an ISP in my daily Clark Kent style life, I have access to a few things that I can do easily (and legally) to perform a simple test.

Step one was to pick a new IP. I changed my IP to one available from a local pool in the lovely state of Wisconsin. I logged into my Bnet account, it asked for my authenticator normally. I logged out for a period of time, roughly 15 minutes, logged back in and it did not ask me for my Authenticator.

Step two was to change back to a local IP address from back in good old NY state. I logged into my Bnet account, and it asked me for my authenticator code. I logged out for another 15 minutes and then logged back in and it did not ask me for my authenticator.

Step three was to repeat step one, but this time after it did not ask me for my authenticator I logged out and completely shut down and restarted the computer. Logging back in required me to use my authenticator. I repeated the steps with a local IP with the same results. Continuing this process multiple times confirmed the same results, each time with different IPs.

From this incredibly simple experiment it would seem that the new authentication process is using a combination of validating your IP either for location, consistency, or potentially both as well as potentially a software token on your machine validating it after a successful login. Every time you cold boot your computer it will remove temporary data, including any software tokens created. Whether or not this is actually how Blizzard is doing it, we won’t know unless they say something.
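A sketch of how a server could combine the two signals discussed above, a network-consistency check and a server-signed token remembered on the client, to decide when to skip the authenticator prompt. This is an added example, not Blizzard's implementation or code from the original post; the function names, key, /24 and /48 prefixes, token lifetime and sample addresses are all assumptions.

```python
import hashlib
import hmac
import ipaddress

SERVER_KEY = b"constructed-demo-key"  # constructed; a real service keeps this in a secret store
TOKEN_TTL = 7 * 24 * 3600             # assumed lifetime of a remembered-login token, in seconds


def network_of(ip):
    """Coarse location signal: the /24 (IPv4) or /48 (IPv6) that contains the address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def _mac(account, ip, expiry):
    msg = f"{account}|{network_of(ip)}|{expiry}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account, ip, now):
    """Issued only after a successful authenticator check; bound to account and network."""
    expiry = str(int(now) + TOKEN_TTL)
    return f"{expiry}.{_mac(account, ip, expiry)}"


def needs_authenticator(account, ip, token, now):
    """True when the login must be stepped up to a full authenticator prompt."""
    if not token or "." not in token:
        return True   # no token, e.g. it was cleared when the machine restarted
    expiry, mac = token.split(".", 1)
    if not expiry.isdigit() or int(expiry) < now:
        return True   # malformed or expired
    # Constant-time compare; fails if the token was forged, belongs to another
    # account, or is presented from a different network than it was issued on.
    expected = _mac(account, ip, expiry)
    return not hmac.compare_digest(mac.encode(), expected.encode())


def replay(now=1_700_000_000):
    """The post's steps with constructed addresses; True means a prompt."""
    acct, ip_a, ip_b = "acct-1", "192.0.2.10", "198.51.100.5"
    first = needs_authenticator(acct, ip_a, None, now)            # new location
    tok = issue_token(acct, ip_a, now)
    again = needs_authenticator(acct, ip_a, tok, now + 900)       # 15 minutes later
    moved = needs_authenticator(acct, ip_b, tok, now + 1800)      # changed IP
    rebooted = needs_authenticator(acct, ip_a, None, now + 2700)  # token gone
    return [first, again, moved, rebooted]
```

Because the token is verified against the current network as well as the account, a token copied off a compromised machine still triggers the prompt when it is presented from elsewhere.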

There are a couple of things that confuse me slightly. First is that there was no prior announcement of the change before it went live; it just appeared. I’m wondering if this is a knee-jerk reaction to the recent string of hacker invasions going on across the blog-o-sphere. Second, the lack of explanation of the process is concerning. Not the exact process per se, but knowledge that this was carefully thought out and not hastily implemented would be comforting, as would hearing the reasons for the change. Lastly, there is no option to opt out of it; it just happens. If nothing else I am a creature of habit, and I like typing in my authenticator code every single time. It’s a preference, but it’s something that I would like to have the option to continue doing.

So in the end, while my first reaction to the change was not a positive one, I feel much better about it after my simple experiment. At the very least we know that they are checking for multiple factors before just allowing you to log in. While on a professional level I would love to know more about the process they are using, I don’t think it’s anything we should be too overly worried about. Now if only we could get that pesky opt in/out toggle…

Matticast Episode 21 – Guild Coups, Healing For Beginners, and Applications

On Episode 21 of The Matticast, Borsk, Matt, Kat, Chase and Brian discuss:

– Fending off Guild Coups

– Getting started as a healer

– How (not) to deal with Guild Apps

– 10 Random WoW Resources (in no particular order!)

Don’t forget you can send us your questions or topics, visit the PlusHeal Forums, or tweet us with the hashtag #matticast

Subscribe to the show: iTunes, RSS

 

WoW Premium services: Yes/no/murloc?

Over the course of a game’s lifetime, things change. Features are added, pricing models change, content evolves. Blizzard’s fantasy epic World of Warcraft is no different. The game has been around for over six years at this point, and in that time we’ve seen many things change.

Remember when the game was first released? There were PvE servers and PvP servers. On PvE servers you could have toons of both factions no problem, but on PvP servers it simply wasn’t allowed. Over time that changed, and Blizzard allowed you to make toons of both factions on a PvP server. There was also a time when Blizzard said you wouldn’t be able to pay to transfer your toon to another server, that it was only for server stability / population control. Not too long after, the service became available for a small fee: the birth of the WoW premium service. From there we’ve gotten the ability to recustomize our characters’ look and to race change or change factions, all for a small one-time fee. Every time this has happened, people have drawn a line in the sand. Either they love it, or they love to hate it.

Recently we’ve seen more in the way of micro-transactions and premium services being added into the game. In-game mounts like the Sparkle-Pony or the Winged Lion, coupled with numerous in-game mini pets, are available for purchase with real money. Pets will run you $10, mounts will run you $25. When they are purchased they are made available for all of your characters that currently exist, and any that you will create from this point on, permanently attaching the items to your Battle.net account. There are also other premium features, such as the remote auction house. For an additional $3 a month, you can set up and purchase auctions from your enabled mobile device, and as an added bonus you can talk to your guild mates using the application as well.

The most recent announcement was that the developers at Blizzard are working on a Cross-Realm Dungeon Feature. In case you missed it, or are reading this post from somewhere not Blizzard-site friendly, here’s the blue post:

With the continued popularity of the Dungeon Finder, many players have been asking for a way to group up with real-life friends who play on other realms to take on instances together. Today, we wanted to give you a heads up about a new feature currently in development that will allow players to invite Real ID friends ( http://us.battle.net/en/realid/ ) of the same faction to a party regardless of the realm they play on, and then queue up for a 5-player regular or Heroic dungeon.

As this is a fairly complex service to develop, we don’t have a release date to share quite yet. It’s important to note that as with some of the other convenience- and connectivity-oriented features we offer, certain elements of the cross-realm Real ID party system will be premium-based, though only the player sending the invitations will need to have access to the premium service. We’ll have more details to share with you as development progresses — in the meantime, you may begin to see elements of the feature appear on the World of Warcraft PTR.

So there it is, for a small fee, you will be able to invite your friends across servers into a group for 5-man dungeon running. This actually caused almost as much a stir as Real ID did when it was first announced. People either love, or hate the idea of having to pay to play with friends across different servers. Ignoring everything else, premium services or these additional cookies are luxuries. They don’t break the game, or give someone an unfair advantage. They are options, and love them or hate them they are very much real.

My personal opinion on this particular premium service is that I like it. I like the idea of being able to play my alts with friends from other servers for dungeon running. I recently moved servers and left a lot of my friends behind. I’m exactly the demographic that this premium service is aimed at. Is it for everyone? No, not even close. For some people though, they’ll gladly pay the extra cash for it.

Do premium services ruin the game? Are they a betrayal of the customer / supplier relationship we have with Blizzard Entertainment? I don’t think they are. These are all optional and don’t really have an impact on the overall gameplay; they are just nice cookies for us to enjoy if we feel the price is right. If you don’t like it, you don’t have to pay for it. If it suits your needs, you can indulge in it. Our $15 a month has brought us many improvements over the years. New servers, higher population caps, improved development in characters, raids and the UI. The ability to talk with friends across servers anytime I want. I don’t think our free upgrades are done by a long shot, and if Blizzard wants to charge for additional services, that is their choice. While I can understand both sides of the coin, at the end of the day I see it as you’re paying your monthly fee to play the game, and all the other stuff is just extra. The things they develop as premium services aren’t for every audience, so when they are developed for smaller groups, sure, there may be a cost attached. I mean hey, just because you aren’t paying for mobile armory every month doesn’t mean you’re going to miss the chance to punch Deathwing in the face.

What do you think?