1.) Someone who lied about having an authenticator got hacked. I know of many guilds that only allowed people with an authenticator to access the guild bank, and then these people would get hacked and admit that actually they didn’t have an authenticator at all, they just said they did to get access to the guild bank. The latest WoW patch actually adds the ability for guilds to only allow people with authenticators to have certain guild ranks, and the system enforces it — a nice change.

2.) There is one Trojan out there that actually hijacks people with authenticators. If your computer is infected with it, when you try to log in, it captures your keystrokes and sends them instantly to someone in China, who then logs in at that moment to steal stuff. The authenticator still helps a lot — they only have 60-120 seconds to log in before the authenticator code you typed in is expired. However, if you have malware installed on your machine, it’s really hard for software to protect you.

Ironically, the “instant attack” keylogger Trojan only works because there’s only one World of Warcraft — it’s worth people’s while to make a Trojan to attack it. If banks used two-factor auth, it would be harder (not impossible, though) for someone to attack since there are so many different banks.

Accusing Blizzard of profiteering with the authenticator is kind of silly, though. Come on, it’s free to anyone with a mobile phone (i.e. everyone) and a one-time fee of $6.95 otherwise. Blizzard supports the authenticator purely to protect people from malware, and it’s enormously effective — just not 100% perfectly effective.

Imagine if OpenID had you use your URL and a dynamic password and PIN, rather than a normal static password.

The real trouble is going to come in when you have a dozen of these and need to know what goes with which. (And what do you store them in?) Of course, if they’re branded like the Blizzard one, that helps with identification, but for banks, it might be in their best interest not to identify the keyfob quite so obviously. But then you run into the trouble of customers who need that identification, because otherwise they’ll forget what the thing is for.

But then, I really don’t think it’s a good practice to design security software and protocols for the dumbest user out there — truly secure systems are going to require a level of sophistication to use, and in the end, people learn to deal with that. Actual housekeys haven’t always existed, and I’m sure there was a real fuss about it when they started becoming common (“What if I lose it?! Why should I need one of these? Won’t thieves realize my house has valuables in it if I take the trouble to lock it?”), but people dealt.

Of course, we live in a society where people are almost always willing to trade security for convenience. I think part of my “OMG MUST HAVE” of the Blizzard keyfob is because I like the idea of being able to make my own decisions about when to trade security for convenience. This hasn’t been forced on me by anybody, but it’s there if I want it. It’s definitely something I find appealing.