June 30, 2008
Is That a Broad Sword in Your Pocket or ... er ... a Spiffy Authentication Token?
Robert Graham of Errata Security on Blizzard’s announcement from last week that it has adopted two-factor authentication tokens for World of Warcraft:
“Blizzard is charging $6 for the tokens. This sounds like they are providing these ‘at cost’. There are other costs to Blizzard, too. They need to maintain software on the backend that works with the keys. They also need to deal with support costs, as users break the keys and lose them. The users themselves will also experience costs. They have to learn how to use their keys, and it makes logging onto their account more annoying. That last item is an important cost - WoW makes money when their games are fun, annoyances caused by security make games less fun.
“The benefits would be big. Users who use the same username/password on multiple accounts would no longer be in danger. Phishing attacks would similarly be broken. Keyloggers in malware would no longer be a threat. Hackers could update their malware from simple keyloggers to hacks that would allow them to hijack WoW sessions, but that would be very costly. Keyloggers hack a wide range of applications, not just WoW - custom software for each application may not be worth it. Moreover, if hackers do come up with techniques to hijack sessions, Blizzard could quickly counter them with their famous ‘Warden’ program.
“Blizzard’s experiment is of interest to all of us. Banks are trying out jury-rigged authentication schemes to avoid the difficulties of hardware devices like Blizzard’s. In our experience as pentesters and system evaluators, these schemes suck. It is our belief that no system can be successful that relies upon people being smart about their authentication credentials. If Blizzard can show success with this system in the gaming community, it’ll be a huge boost for the approach in other areas as well.”
(Link)
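Graham's list of benefits (password reuse, phishing and keyloggers all defeated) comes down to one property: the code a token displays is only valid once and only for a short window, so a captured code is worthless by the time an attacker replays it. The following is an added example, not code from Blizzard or from Errata Security, and it assumes a generic time-based one-time password in the style of RFC 6238 on top of RFC 4226 HOTP; the post does not say what algorithm Blizzard's device actually uses. The shared secret and the timestamps are constructed for the demonstration. The verifier rejects a replayed code even inside the clock-skew window it would otherwise accept, which is the check that makes a keylogged code useless.

```python
import hmac
import hashlib
import struct

# Constructed example secret (the ASCII string "12345678901234567890",
# which is also the RFC 4226 test-vector key). Not a real provisioned key.
SHARED_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")

STEP_SECONDS = 30   # how long one displayed code stays valid
DIGITS = 6          # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server-side check: accept a code at most once, within a small clock-skew window."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_counter = -1  # highest time-step counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            # Any counter at or below one already used is a replay: reject it
            # even if the code would otherwise match.
            if counter <= self.last_accepted_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo():
    """Legitimate login, then two replays of the keylogged code, then a fresh code."""
    verifier = TokenVerifier(SHARED_SECRET)
    t = 1_230_768_000  # constructed timestamp (2009-01-01 00:00:00 UTC)
    code = totp(SHARED_SECRET, t)
    first = verifier.verify(code, t)          # user logs in: accepted
    replay = verifier.verify(code, t + 10)    # keylogged code replayed 10 s later: rejected
    stale = verifier.verify(code, t + 120)    # replayed after the 30 s window: rejected
    fresh = verifier.verify(totp(SHARED_SECRET, t + 120), t + 120)  # next code: accepted
    return first, replay, stale, fresh


if __name__ == "__main__":
    print(demo())
```

The `hotp` function reproduces the published RFC 4226 test vectors for this key (counter 0 gives 755224, counter 1 gives 287082), which is the quickest way to check an OTP implementation before trusting it. The replay guard is what separates a real one-time code from a mere short-lived password: without `last_accepted_counter`, the keylogged code would still be accepted for the rest of its 30-second step.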
Blizzard has a FAQ about the new tokens, and it so happens that Paul Rubens handed in an assignment about just this sort of thing late last week. It went up today at ENP:
Enterprise Networking Planet: User Authentication Beyond the Password
Posted by mhall at 5:50 PM