Topic: Blizzard Introduces Security Tokens
TicMan
Posts: 3422
Location: Brisbane, Queensland
In what must be a first for online gaming, Blizzard have introduced an RSA-style keychain token as an additional level of security for when you log in to World of Warcraft.

A press release from Blizzard shows that it will be available for US$6.50 from their online store.
IRVINE, Calif. -- June 26, 2008 -- Blizzard Entertainment, Inc. today introduced an optional extra layer of security for World of Warcraft®, its award-winning massively multiplayer online role-playing game. Designed to attach to a keychain, the lightweight and waterproof Blizzard® Authenticator is an electronic device that generates a six-digit security code at the press of a button. This code is unique, valid only once, and active for a limited time; it must be provided along with the account name and password when signing in to the World of Warcraft account linked to it.
CaPt0
Posts: 5961
Location: Brisbane, Queensland
Wonder what backend technology they are using for this or whether they have used a third party product like RSA?
trog
AGN Admin
Posts: 24250
Location: Brisbane, Queensland

I wonder what is motivating them other than a way to try and get even more money from you chumps. My bank doesn't even have a system like this, why would my video games need it?
Spadbob
Posts: 2
Location: Brisbane, Queensland

Woah! I hope that's what the key chains are actually going to look like.

Kind of like a gaydar, so you can identify other wow players in a pub and hit on them.
TicMan
Posts: 3423
Location: Brisbane, Queensland
Probably to stop the Chinese stabbing each other when someone hacks another's account and steals a sword or something.
scuzzy
Posts: 12940
Location: Brisbane, Queensland
No, when they do stab each other, they will rip the RSA key from the neck chain of the dead gold farmer like army dog tags.
Dan
Special text
Posts: 8400
Location: Brisbane, Queensland
http://img444.imageshack.us/img444/6453/swordofathousandtruthsia1.png
sif greazy
Posts: 440
Location: Brisbane, Queensland
So wait, it's a one time use only, or every time you log in you must press the keychain and get the number?
scuzzy
Posts: 12941
Location: Brisbane, Queensland
every time you log in, the number is only valid for a short period of time.
parabol
Posts: 4504
Location: Brisbane, Queensland
Bloody hell, it took me ages to work out that RSA is a company name and not the crypto algorithm being used, and that they generally use AES now anyway. Silly company name!
Fireblood
Posts: 8319
Location: Brisbane, Queensland
So how does the code get from the keychain to the server authentication?
WiFi or something?
Or is it just a random generation based on a set of algorithms and any generated key works?
Spook
Posts: 21928
Location: Brisbane, Queensland

I wonder what is motivating them other than a way to try and get even more money from you chumps. My bank doesn't even have a system like this, why would my video games need it?


I guess it's needed

WoW players seem to love going to dodgy websites that install keyloggers, leaving them with their accounts haxed
ara
Posts: 2164
Location: Sydney, New South Wales

So how does the code get from the keychain to the server authentication?
WiFi or something?
Or is it just a random generation based on a set of algorithms and any generated key works?


it works by the token and a box at blizzard being synced.

so before they issue a token they sync it with the box in their server room, so that box knows what number is going to be displayed at any given time by the token because they have two things in common, a clock differential (i.e., how many ticks the token's clock is from the host's own clock) and an algorithm to run the time through to generate the token number.
parabol
Posts: 4505
Location: Brisbane, Queensland
it works by the token and a box at blizzard being synced.

So it's a bad idea to use it in space?
trog
AGN Admin
Posts: 24257
Location: Brisbane, Queensland
so before they issue a token they sync it with the box in their server room, so that box knows what number is going to be displayed at any given time by the token because they have two things in common, a clock differential (i.e., how many ticks the token's clock is from the host's own clock) and an algorithm to run the time through to generate the token number.
How do they prevent clock drift?
scuzzy
Posts: 12942
Location: Brisbane, Queensland
probably will make you buy a new key each year, lololol
Scooter
Posts: 1352
Location: Brisbane, Queensland
The one I saw had USB and you're required to run a sync once a week/month or so.
Reason for this I guess would be people losing their accounts to keyloggers finding their password.

One of those annoying floating keyboards not good enough? I don't know.
Final Fantasy XI (yes, I still play it) uses a floating keyboard now. They have recently had a huge spate of account thefts (they say) as a result of keyloggers on user machines.

Also, I've met some people that would hold their WoW/AoC/FFXI accounts more dear than their bank account... Which would be the ones that RMT would target I suppose.
sif greazy
Posts: 442
Location: Brisbane, Queensland
Wouldn't it be easier to use the same security system the banks use, register your mobile phone and you get an sms code with a 6 digit number.
Twisted
Posts: 10249
Location: Brisbane, Queensland

How do they prevent clock drift?
You would have to ring up and synchronize again. They don't lose sync fast though.
Wouldn't it be easier to use the same security system the banks use, register your mobile phone and you get an sms code with a 6 digit number.
Why would it be safer to use a mobile phone? But anyway...banks are using Tokens too. Depends which bank. Personally I prefer tokens over hoping an SMS arrives in a timely fashion.
Raven
Posts: 2756
Location: Melbourne, Victoria
So basically your WoW account is now more secure than the personal information most companies allow floating around on laptops to be stolen.
ara
Posts: 2165
Location: Sydney, New South Wales

How do they prevent clock drift?


well, the token generated code changes every 5 seconds, so you have a 5 second window to be correct in. once the clocks drift 5 seconds I guess you are in trouble but the tokens do have expiry dates of around 2-3 years.
Reverend Evil™
Posts: 15744
Location: Wynnum, Queensland
So how does it work though? Do I have the keychain here with me at my computer? So how does the code get from the tag to my pc?
Jabroney
Posts: 903
Location: Queensland
at login screen u gotta type in the number correlating to the number on the keychain at that exact time.

gonna cost u an extra few seconds each time u log in
Creepy
Posts: 990
Location: USA
Sync is typically fixed thusly:

1. You enter the code
2. Server goes "hmm, that's not the code, but it's the previous code, so I think you need syncing - please tell me the next number you get"
3. You enter the next code
4. Server goes "ok, that's the next code, I'm resynching you to 'Now'"

Requires no phone call, exchange of product or additional purchase.

As weird as it is having a token for a game, this is tempting for just $6.50.


(not that I go to dirty web sites that could install keyloggers)
3x0dus
Posts: 1029
Location: Townsville, Queensland
Suncorp Metway has secure tokens like this, think it's $20.
and I believe Commonwealth went the way of a Mobile SMS code system or similar.

oh, and OT but Suncorp Metway's mobile banking is awesome, was away on holidays pretty remote place, had barely 1 bar next-G, but was able to do all my weekly banking by mobile.

last edited by 3x0dus at 23:59:48 27/Jun/08
Haklin
Posts: 1073
Location: Adelaide, South Australia

Lol this is nuts. I've never played WoW but for blizzard to create a key chain similar to what my bank (what bank...yes the commbank!) have is crazy town!

Raider
Posts: 2212
Location: Brisbane, Queensland
that's because there's so many fkn idiots that play wow and get keylogged, blizz prob thought they could make even more of a killing... and they will
sc00bs
Posts: 2973
Location: Brisbane, Queensland
thats the stupidest idea i have ever heard, having to carry a f***ing keychain around to login to ur account. pos game
scuzzy
Posts: 12944
Location: Brisbane, Queensland
the good part is you don't have to buy it
Lynx
Posts: 1044
Location: Brisbane, Queensland
Wow so many retards in this thread. Blizzard improves security through completely optional means and you burn them. It's not like the keys are expensive.
biscuits
Posts: 129
Location: New South Wales

$6.50 is a good price, we are paying over 100 bucks per RSA token and license at work :s
Scorp
Posts: 79
Location: Brisbane, Queensland
press release link is broken, please fix.
scuzzy
Posts: 12947
Location: Brisbane, Queensland

press release link is broken, please fix.
Blame Valve
teq
Posts: 1621
Location: Brisbane, Queensland
it works in the same way the bank tokens work
I got one from suncorp and it just adds that third layer of auth

rather than having to guess my username/password combo, now a phisherman would also have to know the security token which changes every 30 seconds (but is valid for a few seconds after it changes to the new one)

i.e. when you type in your username and password sometimes you can see that the number is *just* about to change (little count down thing not unlike bars of reception on a phone)
but it will still let you login even if you click submit once it has changed (for 5 seconds or so tops)

my guess is that this would compensate for the drift effect given that;
if it failed and you just typed in one code that changed straight away, you're likely to just go and try again with the newly generated 6 digit code - and it should be successful, this in turn allows for up to say 15~ seconds of drift (s***loads)

its just a random number generator that has a salt for each unique token, the server would also know the salt which is attached to the username on the blizzard auth servers and therefore it can generate your code at anytime to use as a checksum
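
Added example, not part of any post in this thread and not Blizzard's or RSA's code: the thread never establishes which algorithm the Authenticator uses, so this sketch assumes the openly specified RFC 6238 TOTP scheme as a stand-in. It shows the server-side checks described above: teq's acceptance window for a just-expired code and Creepy's resync from two consecutive codes. `TokenRecord`, `code_at` and the window sizes are hypothetical names and values.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, the interval teq's post mentions
DIGITS = 6     # six-digit code, as in the press release


def code_at(secret: bytes, counter: int) -> str:
    """RFC 6238 TOTP code; an assumed stand-in, not the vendor's algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TokenRecord:
    """Server-side state for one token: shared secret plus learned drift."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0          # token clock minus server clock, in steps
        self.last_used = -1     # highest counter accepted (blocks replay)

    def _match(self, code, now, window):
        base = now // STEP + self.drift
        for delta in sorted(range(-window, window + 1), key=abs):
            counter = base + delta
            if counter > self.last_used and hmac.compare_digest(code_at(self.secret, counter), code):
                return counter
        return None

    def verify(self, code: str, now: int, window: int = 1) -> bool:
        """Normal login: accept codes within +/- window steps, once each."""
        counter = self._match(code, now, window)
        if counter is None:
            return False
        self.last_used = counter
        self.drift = counter - now // STEP   # follow slow clock drift
        return True

    def resync(self, first: str, second: str, now: int, search: int = 20) -> bool:
        """Recovery: two consecutive codes located in a much wider window."""
        counter = self._match(first, now, search)
        if counter is None or not hmac.compare_digest(code_at(self.secret, counter + 1), second):
            return False
        self.last_used = counter + 1
        self.drift = counter + 1 - now // STEP
        return True
```

Demanding two consecutive codes for resync is what makes the wide search window tolerable: a single guessed six-digit value is far more likely to land somewhere in 41 candidate steps than a correct adjacent pair.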

Le Infidel
Posts: 2104
Location: Netherlands

Yeah I got one of these RSA things from CBA when I left overseas as I was worried about keylogging at coffee shops
Hogfather
Posts: 1924
Location: Cairns, Queensland
Umm, the sale value of a lot of players' accounts would be more than their bank balance. Consider how much a raid guild banker's brazillions of golds would be worth.

It's not a stupid idea.
TicMan
Posts: 3505
Location: Brisbane, Queensland
I was reading a thread on a forum about a chick who got her account hacked, she logged in to find all the items sold, all the gold transferred, etc, etc. She got it all back in the end but for a few days' inconvenience I can see the benefit of shelling out $6.50.