Anyone else not need an Authentcator this morning to log in?

[halabar]

could someone spoof your IP to make their servers think it's your logging in from your PC and the authenticator code wouldn't be needed?

Spoof? No. There's plenty of potential man in the middle attacks that can be done against simple 2 way communication, but in general the shared secret authentication that Blizz uses with the authenticator is fairly strong against that sort of thing. The usual points of failure on that would be on either end of the connection, so for example if someone has control of your PC while you log in, then you can pretty much forget it.

Basically: If your computer is compromised then you can pretty much expect that your shit is forfeit whether Blizz asks for a token or not.

A few things here....

First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.

Second, they are likely doing this to alleviate some of the load on their authentication servers, since that appears to have been an issue lately, and especially with a patch coming soon.

Third, the authenticators are not as secure as you think. Read up on RSA's recent troubles. Lockheed Martin got hacked because they trusted RSA, so now about 20 million government and defense workers in the US are gonna get new authenticators.

[Teranoid]

I'm pretty sure after the nightmare of having to restore tons of accounts due to hacks they would have never gone through with this if they weren't completely sure it would work.

I personally like it if anything because they still haven't solved the login bug where when you switch characters you immediately get dc'd and have to punch in codes every 20 minutes :\

[halabar]

I'm pretty sure after the nightmare of having to restore tons of accounts due to hacks they would have never gone through with this if they weren't completely sure it would work.

I personally like it if anything because they still haven't solved the login bug where when you switch characters you immediately get dc'd and have to punch in codes every 20 minutes :\

That login bug seems to happen more for DKs or toons in major cities.. dunno why.

[Sabindeus]

First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.

One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.

[Fetzie]

First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.

One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.

The following posts were made on the BlizzardCS twitter:

#Authenticators still offer the same level of protection while making it more user-friendly; this will NOT up the chances of getting hacked.

source: http://twitter.com/#!/BlizzardCS/status ... 8242651136

Our system is not making a decision to ask for the Authenticator solely based on your IP address.

source: http://twitter.com/#!/BlizzardCS/status ... 7147727872

[Worldie]

I for one quite like this change. I often swap between WoW and SC2, and using the authenticator had become more of a nuisance than something welcome. I would never remove it as I got hacked already 2 years ago and don't plan to lose everything I've done in the last 7 years to hackers.

[halabar]

First, it would be hard and impractical to try to spoof your IP address. However, if you are playing on an unprotected Wifi setup, or playing on a Uni or hotel or other large system with dynamic IPs, it would be a lot easier for a hacker with access to appear to be you, since the IP pool is shared.

One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.

Certainly. Was just pointing out that that authenticators are not the magic boxes that people tend to think they are.

[Holyblaze]

Don't touch my junk!

Cheers,

haha BAM! This!

[Hrobertgar]

Aerron wrote:
Was having this discussion on another forum. I'll just cut and paste my comments from there over here:

If I had to guess, I'd say they're taking this "log in location" cue from RIFT, which does the same thing.

RIFT's is very specific as to where you log in from. I tried to log in to my wife's account from my computer. She normally plays on her comp which sits right next to mine, both connected to the same router. When I logged into her account, it totally locked me down.

Ask me, that's pretty specific.

Most likely it uses some way of defining the hardware as its way of defining 'location'. Whether that's as simple as MAC address, or as complex as building a hash from your CPU/motherboard/video card/etc, it would disallow what you tried.

One thing I didn't mention in my previous post is that I sincerely doubt they are basing this solely on IP address.

I normally play on my desktop so I can comfortably use my 32" LCD TV as a monitor, but I do have a laptop that only has HDMI output which causes an overscan issue. The actual point is that the two computers ahve different 'names' for my network setup. It is possible that they could use computer name as well or instead of hardware profile. But I am aware that they do actually check hardware profile currently, as I get messages sometimes that Blizz wants to collect non-user information about system hardware/OS for compatibility purposes.

Also, I frequently get the login bug switching between my alts. I only have 1 DK, abandoned on an old server, but I keep most of my toons in major cities next to a mailbox close the an AH.

[Shoju]

I think I have an idea on what it is taking into account, as I was able to use my wife's comp and log in sans authenticator, but using another comp in the house created the need for an authenticator.


Will post more when I do a little more research.

[Sabindeus]

I gotta say, the discussion thread on the official forums for this topic just makes me mad.

[Amirya]

How so?

[Sabindeus]

Because almost every post is a knee-jerk reaction based on straight up wrong information, or people using their authenticators improperly.

[culhag]

How do you use it "improperly" ?

[Sabindeus]

How do you use it "improperly" ?

Here's some examples:

And if I have a child whom I share the account with, and use the authenticator to monitor their playtime?

Please, no. I don't care if it "thinks" its me, could be my sister or my brother-in-law logging into my account. Then what?

Yea, I don't think so. Just because its the same location, won't necessarily mean its the same person if there are multiple people under one roof. I'd rather have it ask me every single time to log in the game.

Freaking lazy people