Battle.net Authenticator Changes, Don’t Panic!

So in case you missed it, there was a recent change to how our accounts are authenticated. Here it is again if you didn’t see it.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late – http://us.battle.net/en/security/checklist

Well, this statement has raised quite a few questions. Many of us in the gaming community work in Information Technology / Information Security, and we are quite honestly interested in having more information on this.

Now before I get started I want to have a note here that the information after this point will represent a more general view of internet protocol. This is not intended to be a tech manual, just the musings of an internet worker who is also a gamer.

There are a couple of ways that you might authenticate a computer at a physical location. One is by authenticating the public IP address that is reaching out to the login server. If you see multiple requests from the same IP in a short period of time, you can assume to a certain degree that this is the same person. This works in part because IPs are purchased by ISPs and assigned to a specific region. After that, you as the user rent the IP with a lease, sort of like renting an apartment. If you have a static IP, you have a “permanent” lease on that particular IP. If you use a DHCP service, like cable internet, it may change based on what’s available. Every time you get a new IP, it’s from your local region and the local pool. The server could also authenticate by not only your public IP address, but also your computer’s MAC address. A MAC address is a unique identifier that all networking devices have. Think of it like a social security number for your computer. Each one is unique per device. There are, however, a couple of potential problems: IP and MAC addresses can be spoofed. Not that it’s something you should be worried about all the time, but it is a fact that it can happen. Also, if you have a dynamic IP and the system authenticates solely by the address, every time your IP changes it could cause issues.

Another manner is the creation of software tokens that are placed on the client end at the point of logging in. Essentially you log in to your account and a software token, or marker of a successful login, is created on your machine to further authenticate you. By doing this, the server can validate the token on your machine instead of requiring you to punch in your authenticator code every time. The potential problem with software tokens is that if your system is compromised by trojans or other methods, the security token could be compromised as well. Again, this isn’t something to worry about all the time, but it does happen.

There are several other methods you could use, but those are probably the easiest.

So what method is Blizzard using? Well, I decided to perform a little experiment last night to see what I could glean as far as information goes. Since I work for an ISP in my daily Clark Kent style life, I have access to a few things that I can do easily (and legally) to perform a simple test.

Step one was to pick a new IP. I changed my IP to one available from a local pool in the lovely state of Wisconsin. I logged into my Bnet account, it asked for my authenticator normally. I logged out for a period of time, roughly 15 minutes, logged back in and it did not ask me for my Authenticator.

Step two was to change back to a local IP address from back in good old NY state. I logged into my bnet account, and it asks me for my authenticator code. I logged out for another 15 minutes and then logged back in and it did not ask me for my authenticator.

Step three was to repeat step one, but this time after it did not ask me for my authenticator I logged out and completely shut down and restarted the computer. Logging back in required me to use my authenticator. I repeated the steps with a local IP with the same results. Continuing this process multiple times confirmed the same results, each time with different IPs.

From this incredibly simple experiment it would seem that the new authentication process is using a combination of validating your IP either for location, consistency, or potentially both as well as potentially a software token on your machine validating it after a successful login. Every time you cold boot your computer it will remove temporary data, including any software tokens created. Whether or not this is actually how Blizzard is doing it, we won’t know unless they say something.
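A minimal sketch of the combined check hypothesised above, as an added example (it is not Blizzard's implementation, which is not public, and not code from the original post): the server issues an HMAC-signed token bound to the account and the /24 of the login IP, and skips the authenticator prompt only while that token is present, unexpired and presented from the same network. The key, the 7-day lifetime, the IPv4 /24 granularity and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the login server
TOKEN_TTL = 7 * 24 * 3600             # assumption: a remembered login lasts 7 days


def network_of(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so a DHCP renewal in the same pool still matches."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def _mac(account: str, network: str, issued: int) -> str:
    msg = f"{account}|{network}|{issued}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(account: str, ip: str, now: int) -> str:
    """Called after a successful authenticator check; the client stores the result."""
    return f"{now}.{_mac(account, network_of(ip), now)}"


def needs_authenticator(account: str, ip: str, token: Optional[str], now: int) -> bool:
    """Return True when this login must be challenged for an authenticator code."""
    if not token:                     # first login from here, or client state was wiped
        return True
    try:
        issued_s, mac = token.split(".", 1)
        issued = int(issued_s)
    except ValueError:                # malformed token is treated as absent
        return True
    if issued > now or now - issued > TOKEN_TTL:
        return True
    expected = _mac(account, network_of(ip), issued)
    # Constant-time compare: a token copied to another account or network fails here.
    return not hmac.compare_digest(mac.encode(), expected.encode())
```

Binding the token to the network means a copy lifted by a trojan is only useful from the victim's own address range, and the expiry bounds how long it stays useful.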

There are a couple of things that confuse me slightly. First is that there was no prior announcement of the change going live; it just appeared. I’m wondering if this is a knee-jerk reaction to the recent string of hacker invasions going on across the blog-o-sphere. Second, the lack of explanation of the process is concerning. Not the exact process per se, but knowledge that this was carefully thought out and not hastily implemented would be comforting, as would hearing the reasons for the change. Lastly, there is no option to opt out of it; it just happens. If nothing else I am a creature of habit, and I like typing in my authenticator code every single time. It’s a preference, but it’s something that I would like to have the option to continue doing.

So in the end, while my first reaction to the change was not a positive one, I feel much better about it after my simple experiment. At the very least we know that they are checking for multiple factors before just allowing you to log in. While on a professional level I would love to know more about the process they are using, I don’t think it’s anything we should be too overly worried about. Now if only we could get that pesky opt in/out toggle…

Real ID on Blizzard forums, the good and the bad *Updated AGAIN!*

*update* Real ID is canceled on official forums. Blizzard most definitely listened, and it’s a good thing!

So, Vaneras over on the EU forums just informed us that Real ID will be making an appearance on the forums. Needless to say there is a slew of comments slinging around about this. Some people love it, some people hate it. Some say it will be the new life of the forums while others think that this marks their imminent death. So I thought it would be good to talk about it a little bit here.

First off, let’s talk about the current state of the forums. There are some good threads there. There are some helpful guides and bits of information. But for each helpful bit there is a counterpart: people that just show up to cause issues, scream drama and pick Internet fights. I know a lot of people personally who avoid the forums just to avoid those specific people. This is a sad thing though, as the forums are set up to help build the community and not to be a source of drama or argument. On a personal level I hate having to weed through 15,000 posts of people complaining to get to the 1 that has a valid point in a discussion. This is obviously an exaggeration, but you get the idea.

Let’s face it, the Internet is a place where people can hide behind a fake name and say and do whatever they want with little to no recourse. This can be simple complaining or outright just being an ass-hat. This Internet anonymity is what Blizzard is trying to take away, I think. How many times have they posted a proposed class change only to have intelligent, well thought out responses from posters get drowned out by the wailing masses? How many times has a person asked for advice on gear or spec or spell priority only to be called a noob for pages on end? It happens, trust me, I know. So I can see what Blizzard is trying to do here: by eliminating the ability to hide behind a character name, that person is held accountable for what they say or do.

Quick story here. I know a guy who in real life is one of the kindest people I’ve ever met. Intelligent, well spoken and would give you the shirt off his back. When he logs into game or on the forums however, he does a complete 180. He yells at people, argues incessantly, turns into a complete womanizing bigot and has a completely abrasive personality. This sounds extreme but it is a lot more common than you think. When you don’t have to be held accountable in real life for your actions, the rules change. The Blizzard forums have been plagued by this from day 1.

By adding this level of accountability Blizzard I’m sure is hoping to cut down on the forum slop by discouraging the trolls from posting, and making people think twice about just posting empty whining.

There is however another side to this coin. There are a ton of people who try very hard to separate their real life from their game life. They post helpful guides to trade-skills, or how to level efficiently on the forums for general reading. They offer insight to class changes and constructive criticism when people ask for help. This group of people also has something to lose by this change going live, as does the community in general if they stop posting. Some people like the anonymity of their toons as a way to just separate their lives into distinct parts. If they stop posting because of this change, that will be very sad indeed.

Some are concerned for their safety. They fear stalkers and real life harassment and fallout from the forums following them into real life. As a person who has worked in internet security for a long time, I can tell you the chances of this are pretty slim. A person’s name alone does not provide a ton of information. It does not, for example, provide your address and township. Your internet providers work very hard to keep that information private, as do most websites, banks etc. It is in Blizzard’s best interest as well to keep this information private, and so far they have done a pretty good job of it. Unless you have a one of a kind name and are publicly listed in an international phone book or public websites with your pertinent information, the chances aren’t too great that your name will give up enough information about you to harass you outside of your online persona. I understand the concern there; it is a valid reason for being against the change. But it can be rather difficult to find someone.

Another argument is that this goes against the originally stated purpose of Real ID. It was touted as an optional, convenient way to keep track of your friends across servers and even games. Some people feel that being forced to use it to interact on the forums violates this and removes the “optional” portion of the feature. This is a valid argument as there is no way to circumvent this at present.

There are also those of us that this has absolutely zero effect on. Those of us that already live in the public eye and have our names out there will see essentially no change in how we do business. Me personally, it doesn’t faze me one bit. My name is out there from the For the Lore podcast and WoW.com. Having my real name show up on the forums isn’t a big deal at this point. I also have the good fortune to have a name that is not exactly unique. Joseph Perez is the Steve Smith of Hispanic names. Try looking it up in the phone book sometime, it is rather hilarious.

Here are some facts to remember about this

This will only affect the new forums created when SC2 and Cataclysm launch. Old forums and old posts will remain untouched (for now, hopefully this won’t become retroactive)

Blue Posters are not immune to this, and will also be showing their real first and last names

Having your name does not compromise your account security. Email, password (and hopefully you’re using an authenticator) are what let people in. Even if you call Blizzard customer support and say you are “so and so” you have to provide a LOT of proof of identity.

So what do you think? Do you love it? Do you hate it? Will it be a new beginning for the Blizzard forums or will it mark its death?

UPDATE

Let me clarify something real fast. While the change doesn’t affect me personally I still do NOT like it. I understand what they are trying to do with it, but I don’t think it was thought out enough. On Facebook I can go silent, I can turn off chat and no one has to know I’m on. I can hide details like my email, phone number and location, and if I so choose I can change my name on the account. Here we don’t have the option. I do NOT like the idea that choice is being taken away from the gamers. We choose to play this game and who to interact with. Why do we not have a choice in this? I think that the overwhelming response people are having to this is a good thing and hopefully Blizzard will see it and make some changes. But again, I am NOT for this change, but I don’t think it needs to be attacked with nukes instead of calm rational discussion. It is a lot easier for people (i.e. Blizzard) to dismiss an over the top emotional response to this (which, don’t get me wrong, is a perfectly valid response from us as users to be passionate about this change) than when people calmly lay down why they don’t agree with it. That’s all.