Free Windows Authenticator OS

Warning: This app is not sanctioned by Blizzard, or tested in any manner – use at your own risk! Blizzard have stated a stance of accepting that it works, but they prefer customers use the real sanctioned tools.

As the app runs on a PC, that app can be compromised as much as any other.

Wandering through the D3 and Blizzard discussions on security, I found a free Windows app which emulates the authenticators. Basically it is the same app as used on the mobile devices, except it is Windows software. And it is open source, currently v1.7.1314 and appears to be updated regularly.

[Screenshot of Windows authenticator software]

Refs:

Wow, a pretty impressive giveaway of a useful function!

WinAuth uses the same algorithm as the Mobile Authenticator for Android and iPhone, and so generates the same codes when using the same serial number and secret key. One of the initial reasons to write it was to remove the dependency on having the phone available, but still use the same codes.

Whilst you cannot directly read the Mobile Authenticator’s private keys from an iPhone or non-rooted Android, you can now use the new Restore feature to copy your authenticator over to WinAuth.

Impressive, and now even less excuse not to have an additional line of account security for Blizzard games.

Real$AH WTB Authenticator

Apparently the Real Money Auction House will be up for play tomorrow, and restricted to people who have authenticators. Shucks, I think that is good news.

Why? – Well, security, and knowing that the cash transaction is far more likely to be the real people involved, not a hacker exploiting. The only barrier I can see is those people who cannot afford or do not desire either a dongle authenticator or a mobile device authenticator, and I seriously think that if you are willing to risk your game account by not using the almost free tools then you are not really invested in the game(s) at all.

Wanted: Account Setting Lockout – I still won’t be using the real money AH though; my real money is far too valuable to see being spent on golden pixels, and I have no interest in selling gear for cash. I would like an account setting in the Battle.Net profile to block all Real Money AH type transactions. This way even if my account is compromised, the hacker needs to make a setting change, and kids and partners cannot buy/sell “by mistake”.


Less WoW Account Security Flaws

So WoW’s account security got a shot in the arm today, with the forums requiring the authenticator.

Isn’t this more of a “sorry it took so long” situation? This was so bloody obvious that it surprises me that it has taken till now. Maybe there were technical reasons why this could not be done, and as a consumer I do not appreciate the work involved. Maybe.

But maybe it is also not unreasonable to expect this level of forethought when a feature like the authenticator is introduced, and expect a change to the systems we use within a good timeframe. Say less than two years after the press release.

I think the change was implemented to help slow down account hacking. If you think about it, the forums are the perfect place to brute force attack a username/password combination, as it's a web-based delivery system that has to be tolerant to many different interfaces, and has been around a very long time. That means it was probably installed to be a basic solution, and became the juggernaut before anyone really saw what was happening.

The follow-up question is why now rather than later or much earlier, and only Activision-Blizzard could tell you that; the cynics will say it's because hacks cost too much (meh), but it could also be that it will be a legitimate and substantial improvement to the forums systems that has been planned for a while. If the changes for RealID were being planned, it stands to reason that this was part of it.

So yes, it is a very good move, and something that has been asked for a long time.

[Image: Upper or lower case characters? Irrelevant.]

Update 8 Aug 2010:

Further to the account security, the WoW login screen now recommends some security measures, like letters and numbers – but still fails on the upper or lower case for those characters.


Authenticate iPhone or Keyring, not both.

There is much rejoicing about the iPhone based authentication recently released, and why not? It's a free version of the keychain. I said previously:

This little app has the potential to help every one of the millions of Blizzard clients, and if done well will help change our expectation of online services.

But they’ve got it 90% right. I tested the sign-up process and have found two things that I don’t like.


Software authenticator announced

A software based authenticator for mobile devices has been announced. Good god, that is an interesting idea!

I think the employee who thought this up, or even the team who wanted it should be taken out to lunch. Somewhere nice too, with white tablecloth. This little app has the potential to help every one of the millions of Blizzard clients, and if done well will help change our expectation of online services.

  • Can you reverse engineer an iPhone/mobile/whatever app? Probably, but how hard? Does the delivery to so many platforms make it easier to get security flaws, as there are so many different platforms?
  • Connection only needed the first time it runs, to set up the account link. Obvious, but important.
  • I wonder if I can put in the serial of my physical keychain, and then use my iPhone for authentication. This way I have two devices linking to my account. Why? So that if my iPhone crashes, or I drop my keychain into the toilet by accident I can still play WoW.
  • It won’t be free (nothing good is) but hopefully it's no more expensive than the keychain model.

This is also a great sign of what online games, apps, links, and services all over the place should be doing if they purport to have “high security”. 10/10, but it remains to be seen if it's safe. The early adopters will be taking a few risks, so I’ll stay with the keychain till after the first few rounds of release.

ps. I wonder if the Apple App Store will give the Devs grief to get the app approved. After all, you can talk about rude things while playing the game….