How Battle.net Authenticators work
A case was recently filed against Blizzard regarding the issues surrounding their Battle.net Authenticators. The claimant, Benjamin Bell, asserts that Blizzard does not make it clear to the customers that an Authenticator must be bought in order to completely ensure account security. Blizzard told IGN that, “this claim is also completely untrue and apparently based on a misunderstanding of the Authenticator’s purpose. The Battle.net Authenticator is an optional tool that players can use to further protect their Battle.net accounts in the event that their login credentials are compromised outside of Blizzard’s network infrastructure.”
All arguments aside, how exactly do these Authenticators work, and more importantly, do they even work?
The Battle.net Authenticator is a security token which provides users a higher level of security on their Battle.net account. There are two types of Battle.net Authenticators:
Key Ring Authenticator - This is available for purchase at the Blizzard Online store and costs $6.50. In order to connect it to your Battle.net account, you are required to input the 10-digit serial number located on the back of the Authenticator.
Mobile Authenticator – You can download the Battle.net Authenticator from the app store that corresponds to your mobile device. It is available free of charge from the iTunes Store, Google Play, BlackBerry App World and for Zune devices. The Mobile Authenticator requires email verification as well as a 14-digit serial number which can be found within the app. It does not require an internet connection to work.
Both types of authenticators, once tethered to your Battle.net account, generate a one-time password (OTP). As its name suggests, this password is only valid for one login session at a time. A new password is generated every 15 seconds. This also means that you only have 15 seconds to input your password before it changes.
Why should I get an Authenticator when Blizzard should just improve their security?
Purchasing or downloading an authenticator adds a second layer of authentication to the login process. This method is called 2-factor authentication (TFA) and requires two or more authentication factors. In this case, the Battle.net Authenticator gives you two factors: a knowledge factor, which is something the user knows, and a possession factor, which is something the user has. The knowledge factor is the player’s username and password, while the possession factor is the password generated by the Battle.net Authenticator.
If a hacker somehow gets a hold of your Battle.net username and password, he/she will still need to break into your house to actually steal your authenticator.
Authenticators are built with an internal clock that counts the time elapsed since a specific random reference event, for example, the moment you activated your authenticator, a point 42.9 hours ago, or your birthday. Each Authenticator also holds an encryption key that turns the amount of time since that event into what looks like an undecipherable code. Encryption keys are unique to each Authenticator. Think of it as an equation that is constantly applied to a changing set of numbers, the result of which is your 15-second one-time password. Even if a hacker somehow has all the OTPs you’ve entered previously, he/she won’t be able to predict the next password without the encryption key.
Blizzard has the encryption key for every Authenticator ever manufactured. When you log in using your OTP, their system looks up which Authenticator is tethered to your account then finds the corresponding encryption key. They then decrypt your OTP using the corresponding encryption key which should result in the amount of time since your unique random event. If this result does not match the amount of time since your unique random event then you are either using an expired OTP or the wrong Authenticator.
The built-in clock on your Authenticator may run a little slower or faster than Blizzard’s server, so you will still be able to log in successfully a minute or so after the exact defined time. All unused OTPs are automatically rendered useless once the next one is generated, and every OTP that has been used is rendered useless after a successful login.
A flowchart is provided below to make visualizing this easier:
Similar security processes are used by a number of businesses, governments, banks and even casinos which all have information that is much more valuable than someone’s WoW/SC2/Diablo III account.
However, earlier this year in August, hackers illegally accessed the Blizzard network and obtained the answers to Battle.net users’ personal security questions as well as information regarding Mobile Authenticators. Blizzard believes that the information taken could have compromised the integrity of the Mobile Authenticators; physical Authenticators, however, were believed to have remained intact. The hackers essentially used Battle.net users’ personal security questions to bypass the Authentication screen. In order to do this, they would still need access to the players’ email accounts, which are more easily hacked than Blizzard.
Authenticators do offer a higher level of security than an account solely protected by a password and a personal security question. Taking into account the incidents earlier in August, it can be said that while the Authenticators’ security process is sound, Blizzard’s security wasn’t.
Hackers are like Zergs; their hacking knowledge evolves according to Blizzard’s security process. So what do you do when the Zerg has evolved enough to attack your base? Raise your defenses and take any opportunity to secure your base. This goes for both Blizzard as well as Battle.net users.