Two-Factor Auth for World of Warcraft
Blizzard Entertainment, makers of the phenomenally successful multiplayer game World of Warcraft, have introduced two-factor authentication for logging into the game. For $6.50, they’ll sell you a dynamic-password keychain token called the Blizzard Authenticator, which looks much like the RSA keyfobs many in the IT industry use to log into their corporate VPNs.
It may seem silly to use two-factor auth for a video game. However, with 12 million players, World of Warcraft is a big business, and stolen accounts are worth money. Logging into someone else’s account, looting it for virtual money and supplies, then selling them on the open market can easily net $50 per account, more for particularly lucrative ones. What’s more, the account itself can be sold to offshore “gold farmers” who have a constant need for accounts as Blizzard revokes theirs for Terms of Service violations. Considering that a stolen credit card number is usually worth only about $10, WoW accounts are actually pretty good targets for theft.
People steal these accounts by installing old-fashioned keyloggers: Trojan horses attached to downloaded software that monitor the user and capture the password when they log into WoW. Generally these keyloggers are attached to fake WoW cheat programs with names like “WoW stat changer”, or to modern recreations of early real cheats that no longer work (the “speed hack” and “teleport hack”). Aspiring cheaters download and install these applications and are disappointed to find they don’t work, but don’t realize that their account was stolen the moment the app was run.
The best mitigation would, of course, be not to download dubious cheat programs for World of Warcraft. However, since downloading and installing UI add-ons is a normal activity for WoW players, it is perhaps a bit much to expect players to know the difference between a safe UI add-on (written in Blizzard’s Lua scripting language) and an unsafe one (containing real executable code). So Blizzard offers a two-factor token, which renders a stolen password useless: since the dynamic passwords change every minute and are not reusable, a keylogger that captures one gains nothing. If you’re a World of Warcraft player who downloads and runs a lot of not-very-trustworthy Internet software, $6.50 is a small price to pay for security.
The ironic thing about this is that most banks won’t offer this level of security to their customers. The loss of my World of Warcraft account would be a minor inconvenience (Blizzard keeps backups, after all, and can “roll back” a player’s account to a previous state upon request), while the theft of bank accounts and credit cards would be much more serious. Yet my bank offers only passwords for protection, and other banks’ “two-factor authentication” isn’t really two-factor (“something you know” plus “something else you know” is not two factors; it’s one factor repeated twice). Banks usually cite cost as the reason, and at $90 for an RSA token that sounds reasonable, but if Blizzard can put out its own tokens at $6.50, banks could too. The real reason is that banks do not want to inconvenience their customers by making them carry around an additional object to access their accounts. For the most part, customers care more about convenience than security, and more customers would be locked out of their accounts by losing a token than would be saved from theft. (For that matter, customers don’t even notice when a security measure prevents their bank account from being stolen, so they perceive no benefit at all.)
Blizzard’s answer to the convenience/security tradeoff is to give customers the option: you can get an Authenticator if you want one, or just use a password otherwise. Banks don’t want to do this, though, because it would make password-only customers feel insecure. The availability of a token might make them realize how unsafe a password alone is, and they might decide to forgo online banking altogether. This is the last thing banks want, since online banking is much cheaper than tellers.
Irony: I look at the RSA keyfobs and think “OMG MUST HAVE!”, even though I’m not the kind of person who downloads illegitimate software. Apparently I am that sort of geek.
The real trouble is going to come in when you have a dozen of these and need to know what goes with which. (And what do you store them in?) Of course, if they’re branded like the Blizzard one, that helps with identification, but for banks, it might be in their best interest not to identify the keyfob quite so obviously. But then you run into the trouble of customers who need that identification, because otherwise they’ll forget what the thing is for.
But then, I really don’t think it’s a good practice to design security software and protocols for the dumbest user out there — truly secure systems are going to require a level of sophistication to use, and in the end, people learn to deal with that. Actual housekeys haven’t always existed, and I’m sure there was a real fuss about it when they started becoming common (“What if I lose it?! Why should I need one of these? Won’t thieves realize my house has valuables in it if I take the trouble to lock it?”), but people dealt.
Of course, we live in a society where people are almost always willing to trade security for convenience. I think part of my “OMG MUST HAVE” of the Blizzard keyfob is because I like the idea of being able to make my own decisions about when to trade security for convenience. This hasn’t been forced on me by anybody, but it’s there if I want it. It’s definitely something I find appealing.
What would be ideal is a dynamic-password-based or smart-card-based federated identity management system. That way you could have one ID, used on multiple sites or services, but only one keyfob. So long as you kept hold of your keyfob, it wouldn’t even necessarily be less secure, though designing federated identity systems that are both usable & secure turns out to be really hard.
Imagine if OpenID had you use your URL and a dynamic password and PIN, rather than a normal static password.
I guess this article just highlights what you’re saying.
http://www.signonsandiego.com/news/state/20080701-1138-tec-atmbreach.html