Grim Views

For those people with Android phones...and who, like me, love tinkering with them and always destroying your data, there's a nice 3rd party app that'll do Battle.net authentication.

It's called FlexAuth and the code is hiding on GitHub. Best feature is you can export the shared secret so you can nuke your phone, then upload it again. Also, if I can figure out how to inject the secret into my iPod...then I don't have to be fumbling around for the phone.

And whatever you do, don't run this code on the same machine you play WoW on. You're just asking to have your account stolen if you do.

And the author's website, which has the specification for how the web authenticator works: http://www.coffeepowered.net

Why would you authenticate with your phone or ipod though? Either seems like more work than doing it from your computer, or, if you are very paranoid, Blizzard gadget.

This code is for the Blizzard.net authenticator. As in, that little dongle hanging off your keychain, or the iPhone/iPod/cellphone app.

You know, that thing that gets you the Core Hound pup.

And this is something you don't want on your computer. If a nefarious individual can steal your password, they can steal the secret key. I point you to the excellent Wikipedia article on the subject.

Immermnemion Dawnbringer wrote: Why would you authenticate with your phone or ipod though? Either seems like more work than doing it from your computer, or, if you are very paranoid, Blizzard gadget.

Last year I bought an authenticator.... 3 months ago I got a Droid and replaced my authenticator with the phone app... here are my reasons why:

- My phone is always with me. Im almost positive that its assimilated part of my arm and leg at this point. I had forgotten my authenticator before, never forget my phone
- My phone is backlit. I play in a dark ass room... Id have to turn the light on to authenticate... any given night I need to do that 3 times... thats 6 walks to the light switch... at 8 feet thats like 48 feet walking I save
- I can hide Im a nerd... until the piece broke off I had my auth on my keychain... nothin says Im a stud muffin like a giant BLIZZARD authenticator on the keys... On my phone Im incognito
- With the authenticator, when it breaks... and it does... Id have to wait 3-4 weeks for a replacement... I could either go without protection or not play... with phone I get replacement in 24 hours

Those are the major advantages that I see with using it on my phone... not to mention that I then moved my real auth to my 2nd account so doubled my protection for no cost... win!

Yes, it's not the part of having the code on your computer I'm contesting. It would be risky to do so - all the eggs in one basket.


I just don't see how keeping a password in such a method (authenticator/phone/etc.) creates a significantly positive difference in safety as opposed to those storing/entering it sensibly not using another device.



In the requirement of two independent factors for authentication to have access to a battle.net account, one must have:





1. The email address

and

2. The password





The email address is likely on a lower security level than the password, but supposing it's not, the password alone does you no good. However, it's not that unreasonable to think someone who really wanted to access a specific other's account could discover that person's email address - either through 1. third-party internet sites which use it (like this forum for many), 2. charactername@gmail.com, or 3. physical devices containing trace evidence, such as that person's computer or phone.



1. Unless the email is created only for the purpose of the battle.net account, other parties will have access to the information, so it's not secure from independent parties.

2. If the address is something to this effect for the account, there's a decent chance someone wanting access and knowing the person will hit it by trial and error.

3. Parties having access to these devices have a good chance of discovering the email address on them.



In the first two cases, the security risk is dependent on how conservative one chooses to be with their information online. In the third case, the access is more or less restricted to a physical breach of security.





If one is sensible about passwords, cases 1 & 2 should not apply to them - don't use the same password everywhere, and don't make it something people would guess - an alphanumeric code, shifting of cases, and arcane wording (if words are used at all) can reduce the guess chance to about zilch.




However, the third case may still apply.




Suppose one puts the password - or the coding to generate the password - on one's phone. Another person accessing this phone now has a very reasonable chance to obtain both the email address and password necessary if they were looking for them - account breached. All the eggs in one basket.


This scenario is the same category of risk one takes by keeping tangential evidence of both email and password on the computer. The advantage of keeping it on the computer, however, is while you need the computer to play WoW, you don't need the authenticator (phone) for a password, and this obviation makes one less component necessary for you to use the game. Suppose you'd lost your authenticator. You can't log in now, and you get to go down the yellow brick road of customer service. More convenient not to mess with it.


But less secure? Maybe, maybe not. Since there's a legitimate chance the password and email could be both traced to one's computer (via keylogger) OR to one's phone (not both as that creates unnecessary risk), either option tosses all the eggs in one basket. It's just deciding which basket to pick.


---



Add.:



Personally, I log-in with two buttons (after I start WoW). One button enters my email address and tabs to the password box. The other types the password and presses enter. It's very easy for me as I have a keyboard with plenty of programmable keys, taking a fraction of a second due to finger memory, but a similar keylogger circumvention can be accomplished with copy + paste. In the nearly 6 years I've had the game, I have never been hacked. I changed my password once. While just a single case, I can say the dozen people or so I know whom use similar entry methods to accounts had no problems in the time they've been using them.

Immermnemion Dawnbringer wrote: Personally, I log-in with two buttons (after I start WoW). One button enters my email address and tabs to the password box. The other types the password and presses enter. It's very easy for me as I have a keyboard with plenty of programmable keys, taking a fraction of a second due to finger memory, but a similar keylogger circumvention can be accomplished with copy + paste. In the nearly 6 years I've had the game, I have never been hacked. I changed my password once. While just a single case, I can say the dozen people or so I know whom use similar entry methods to accounts had no problems in the time they've been using them.

False sense of security alert !! Cut and Paste and/or keyboard macros will not stop keyboard loggers from getting that information, the new ones check that too.