Friday, January 8, 2010

An Open Letter to Blizzard: Add a Authenticator Option

Recently Blizzard (vendor of World of Warcraft as well as the upcoming Diablo 3 and Starcraft 2 titles) has switched over to their networked gaming platform to manage all accounts for their games. In doing this, they've also pushed out an authenticator that's much like the ones many high-tech employees use to work from home. These little gadgets have a secret formula that they use to produce the next number in a sequence every time you press the button. knows this sequence, and can verify your identity by making sure that the code you enter is the next (or nearly next, just to allow for mistakes) number.

Recently has been suggesting that Blizzard might be on the edge of making these mandatory for the game. I understand this move, but there are two primary reasons people don't agree with it and why it may well hurt WoW. First I'll cover those reasons, and then I'll discuss ways to work around them without giving up on account security.


The first concern is simply monetary. Many players can pay their monthly fee and that's it. They really won't pay $6 more to keep playing. Sure, they're probably the minority, but a sizable minority in an 11.5 million player base is not to be ignored.

The second concern is that of having to re-key your authenticator every time you log in, which for some players is fairly often (especially those who share the previous concern and therefore have least-common-denominator equipment, resulting in frequent disconnects).

To solve the first problem, simply provide the tokens with the next expansion (Cataclysm) and require their use for any account upgraded to the new content. Sure, some old users won't upgrade. Those who can't afford to upgrade to the next expansion will of course be unprotected, but it's then more reasonable to say that you won't support replacing lost items when these accounts are hacked and they're also a less attractive target for such scams.

Next you have the harder concern: people who get logged out and have to reconnect, potentially in time-critical situations (like a 5-man group they'll be kicked from or a raid that will wipe). For these players, you offer a different way of authenticating (an option, but not the default) where they only have to authenticate once per day per IP address per account. Thus, the user would not be required to enter more than their password on the second login.

This is not an ideal model for shared resources such as school or work computers, or for laptops that are often left exposed, but it still addresses the primary threats of keyloggers and email scams. Plus, if it's not the default, then most users will never enable it, retaining a higher degree of security.
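
The opt-in scheme proposed above, sketched server-side as an added example (it is not Blizzard's code or part of the original letter). It assumes counter-based HOTP from RFC 4226 as a stand-in for the authenticator's unspecified "secret formula"; `Account`, `LOOKAHEAD` and `TRUST_SECONDS` are hypothetical names.

```python
import hashlib
import hmac
import struct

TRUST_SECONDS = 24 * 3600   # "once per day" from the proposal
LOOKAHEAD = 3               # assumed tolerance for accidental button presses

def hotp(secret, counter, digits=6):
    """RFC 4226 one-time code for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Account:
    def __init__(self, password, secret, remember_ip=False):
        self.password = password        # plaintext only to keep the sketch short
        self.secret = secret
        self.counter = 0                # next counter value the server expects
        self.remember_ip = remember_ip  # opt-in, off by default as proposed
        self.trusted = {}               # ip -> time at which the trust expires

    def _check_code(self, code):
        # Accept the next code or one of the few after it, then move past it
        # so a code captured by a keylogger cannot be replayed.
        for c in range(self.counter, self.counter + LOOKAHEAD + 1):
            if hmac.compare_digest(hotp(self.secret, c).encode(), code.encode()):
                self.counter = c + 1
                return True
        return False

    def login(self, password, ip, now, code=None):
        if not hmac.compare_digest(self.password.encode(), password.encode()):
            return "denied"
        if self.remember_ip and self.trusted.get(ip, 0) > now:
            return "ok"                 # password alone suffices from this IP today
        if code is None:
            return "code_required"
        if not self._check_code(code):
            return "denied"
        if self.remember_ip:
            self.trusted[ip] = now + TRUST_SECONDS
        return "ok"
```

A stolen password is still useless from the attacker's own address, because trust is keyed to the account and the IP that last presented a valid code.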


  1. The way these kinds of keys are "supposed" to work is that you get a PIN, you plug the authenticator into a USB port, and when you type in the PIN, it gets compared by HW on the authenticator. From then on, the system can ask the authenticator "Please re-auth" and there is no typing by the user.

    I have an RSA token with a USB connector, but of course RSA hasn't made it work with Fedora yet, so I type the damn number in every time.
