Anyone else not need an Authentcator this morning to log in?

[sherck]

As the title says, I have a RNG attached to my account; however, this morning I did not need it to log in. My password was good enough to do so.

Checked my account, all was good. Checked my Blizzard.net and it indicated that the account did still indeed have an authentcator attached to it.

Thoughts?

Cheers,

[KysenMurrin]

They announced yesterday that they were going to change it so people who always log in from the same location will not need to use their code. There were a lot of negative responses.

[Malkieri]

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We’ve recently updated our authentication system to intelligently track your login locations, and if you’re logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we’re sure the person logging in to your account is you.

We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don’t already have a Battle.net Authenticator attached to your account, don’t wait until it’s too late

Is the blue post.

[Shathus]

Yah, I'm not a fan of the change. I just feel more comfortable entering my code in, and think the option is fine IF YOU WANT IT, but would chose to opt out given the choice.

[sherck]

Thanks for the quick reponse all. I had not seen that post and was fearful that I was getting hacked somehow.

Cheers,

[Shathus]

Thanks for the quick reponse all. I had not seen that post and was fearful that I was getting hacked somehow.

Cheers,

You should probably give your gold to me for safe-keeping just to be sure though

[Aerron]

Was having this discussion on another forum. I'll just cut and paste my comments from there over here:

If I had to guess, I'd say they're taking this "log in location" cue from RIFT, which does the same thing.

RIFT's is very specific as to where you log in from. I tried to log in to my wife's account from my computer. She normally plays on her comp which sits right next to mine, both connected to the same router. When I logged into her account, it totally locked me down.

Ask me, that's pretty specific.

[Sabindeus]

Yah, I'm not a fan of the change. I just feel more comfortable entering my code in, and think the option is fine IF YOU WANT IT, but would chose to opt out given the choice.

So you're one of those guys that prefers Security Theater to actual security, eh? :p

[Zalaria]

Was having this discussion on another forum. I'll just cut and paste my comments from there over here:

If I had to guess, I'd say they're taking this "log in location" cue from RIFT, which does the same thing.

RIFT's is very specific as to where you log in from. I tried to log in to my wife's account from my computer. She normally plays on her comp which sits right next to mine, both connected to the same router. When I logged into her account, it totally locked me down.

Ask me, that's pretty specific.

Most likely it uses some way of defining the hardware as its way of defining 'location'. Whether that's as simple as MAC address, or as complex as building a hash from your CPU/motherboard/video card/etc, it would disallow what you tried.

[Shathus]

Yah, I'm not a fan of the change. I just feel more comfortable entering my code in, and think the option is fine IF YOU WANT IT, but would chose to opt out given the choice.

So you're one of those guys that prefers Security Theater to actual security, eh? :p

Well, I have the authenticator so that is actual security technically, mostly I just don't trust hackers, they figure out too many ways around stuff. (apologizes in advance if this is just incorrect but) could someone spoof your IP to make their servers think it's your logging in from your PC and the authenticator code wouldn't be needed?

Yes yes, you can still get hacked w/ an authenticator, but I'll take the 5 seconds to make me feel safer. Now, the TSA at the airport can blow me.

[Shoju]

Well, I have the authenticator so that is actual security technically, mostly I just don't trust hackers, they figure out too many ways around stuff. (apologizes in advance if this is just incorrect but) could someone spoof your IP to make their servers think it's your logging in from your PC and the authenticator code wouldn't be needed?

Yes yes, you can still get hacked w/ an authenticator, but I'll take the 5 seconds to make me feel safer. Now, the TSA at the airport can blow me.

I'm assuming that they are building the profile based on what they collect in their non personal information system information requests.

I didn't try to login from my wife's comp last night, but I will try. I play from an external SSD drive, So I will run it into hers, and try it out.

And TSA, you mean they haven't tried that with you yet? Oh man... I thought my wife was going to get arrested when they "screened" her. The guy actually grabbed her breast, and she slapped him right across the face and said: "If you can't tell thats real, you shouldn't be working here."

[sherck]

Don't touch my junk!

Cheers,

[Shoju]

I really thought that was where we were headed. The guy simply turned beat red, apologized, and quickly finished up. no men in black suits waiting at the other end.

[Sabindeus]

could someone spoof your IP to make their servers think it's your logging in from your PC and the authenticator code wouldn't be needed?

Spoof? No. There's plenty of potential man in the middle attacks that can be done against simple 2 way communication, but in general the shared secret authentication that Blizz uses with the authenticator is fairly strong against that sort of thing. The usual points of failure on that would be on either end of the connection, so for example if someone has control of your PC while you log in, then you can pretty much forget it.

Basically: If your computer is compromised then you can pretty much expect that your shit is forfeit whether Blizz asks for a token or not.

[fafhrd]

Interesting, if they keep this change, I might finally be willing to get an authenticator.

Although if they decide to revert the change later on I'd be pissed, so probably not.