Toldain Talks

Because reading me sure beats working!


Toldain started as an Everquest character. I've played him in EQ2, WoW, Vanguard, LOTRO, and Zork Online. And then EVE Online, where I'm 3 million years old, rather than my usual 3000. Currently I'm mostly playing DDO. But I still have fabulous red hair. In RL, I am a software developer who has worked on networked games, but not MMORPGs.

Tuesday, January 13, 2009

Double Secret Account Protection Gizmo

Alice had her WoW account hacked, her toons stripped of gear, and gold stolen from her guild's bank. In itself, this isn't all that unusual, but commenters mentioned the Blizzard Authenticator.

This little gizmo will fit on your keychain, and each click of the button on it will give you an 8-digit or so number that changes every few minutes. And every version of the gizmo gives a different set of numbers. So when you tell Blizzard to associate your gizmo's serial number with your account, it will ask for both your normal password and the gizmo's number of the moment.

Simple password theft via keylogging or email hacking won't work any more.
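The post doesn't say which algorithm the Blizzard Authenticator uses. As an added example (not from the original post or from Blizzard), this sketch uses the standard time-based one-time password scheme from RFC 6238 as a stand-in, showing how a per-device secret plus the clock yields a changing code and how a server checks it alongside the password. The 30-second step, the `Account` class and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; assumed (the post only says "every few minutes")
DIGITS = 8   # matches the "8-digit or so" number in the post
DEMO_SECRET = b"12345678901234567890"  # constructed sample: the RFC 6238 test key

def code_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 of the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _pw_hash(password: str) -> bytes:
    # Demo only: a real service would use a salted, slow KDF (e.g. scrypt).
    return hashlib.sha256(password.encode()).digest()

class Account:
    """Hypothetical server-side record: password plus the secret tied to the token's serial."""
    def __init__(self, password: str, token_secret: bytes):
        self.pw = _pw_hash(password)
        self.token_secret = token_secret
        self.last_step = -1  # newest time step already used, to reject replays

    def login(self, password: str, code: str, now: int, drift: int = 1) -> bool:
        pw_ok = hmac.compare_digest(_pw_hash(password), self.pw)
        current = now // STEP
        matched = None
        # Accept a small window of steps to tolerate clock drift in the token.
        for step in range(max(0, current - drift), current + drift + 1):
            if hmac.compare_digest(code_at(self.token_secret, step * STEP), code):
                matched = step
        if not pw_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True

if __name__ == "__main__":
    acct = Account("correct horse", DEMO_SECRET)
    code = code_at(DEMO_SECRET, 59)
    print(code, acct.login("correct horse", code, now=59))  # fresh code is accepted
    print(acct.login("correct horse", code, now=59))         # replayed code is refused
```

A keylogger that captures both the password and one code gets nothing reusable: the code is rejected once it has been used or once its time window has passed.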

I've seen a gizmo like that before, in the hands of a friend who, at the time, worked for the NSA. I'm sure it has some vulnerabilities to a concerted attack, but it's a lot better than simple password protection. The Blizzard store says it's only available in the US. Probably that's because it contains pretty strong encryption technology, and getting an export license for such things is tricky.

I wonder how long before SOE offers them...


Anonymous Milia said...

My company stopped using these to a large extent. We called them tokens. They used to be the size of a credit card and about as thick as 2 or 3. Jio has one today that is much smaller.

Currently, my company uses a remote authentication that sends the authentication number to your phone, pager or non-work e-mail. They are neurotic about security so it must be pretty effective. I think that is a better arrangement for users because you can still log in even if you forget your token. Someone would have to log your login names for both the game and e-mail, pin (the authentication usually needs a pin or password to send the authentication number to whatever option you choose) and/or have your phone info. It should also be free-er .. er, less costly. So I'm sure that it won't be offered as an alternative by Sony, well, at least not at cost.

I'd use it. It really isn't annoying to get that security. Send the authentication to my phone. I might even pay a very nominal fee for it.

1:50 PM  
