Monday, June 30, 2008

Blizzard's Two-Factor Authentication

Blizzard's announcement of two-factor authentication for World of Warcraft is more significant than people realize.

Passwords are obsolete. They are broken. We all recognize this, yet we aren't quite ready to give up on passwords because we haven't an easy alternative.

World of Warcraft (WoW) is a good test case. It is the biggest online game and has the largest "black market" where people buy in-game money ("gold") for real-world dollars. User accounts, protected only by passwords, have real-world value. Hackers first strip the accounts for gold, then use the accounts as mules to sell gold and spam others with messages advertising their gold. Blizzard eventually bans the account, by which point the hackers have moved onto the next hacked account.

This is a huge cost. It costs Blizzard a lot of money (I would guess in the range of $100) to help a user recover from a hacked account. That assumes the user still wants to play and doesn't cancel their $15-a-month subscription, which costs Blizzard even more money.

Today's "viruses" usually contain keyloggers that specifically look for people logging into games like WoW. Phishing attacks likewise target gamers. However, there is an even easier way to getting people's account names. People choose the same username/password for multiple sites. Therefore, if you want to steal somebody's account, you simply set up a site that requires a username/password and encourage players to log in. You then test all the accounts on your own site in order to see if they are also legitimate WoW accounts. Likewise, when hackers break into online sites, they can crack the password file and test how many are legitimate WoW accounts.

There are also other tricks. I just googled "hack warcraft account" and came up with a bunch of YouTube videos. You should watch them if you want to plumb the depths of human stupidity. They don't teach you to hack somebody's account. Instead, they show you a lot of technical mumbo jumbo, and bury within it all the tiny detail that you e-mail your own username/password to an account like "". This account is not owned by Blizzard, but by the hacker trying to social engineer you into revealing your own WoW password.

If users are too stupid to make choices about passwords, the obvious solution is to take that responsibility out of their hands. That's what Blizzard has done. They are selling the user a typical two-factor-authentication device. Without this device, nobody can log into the account.

Some experts claim that two-factor authentication won't work. They are wrong, of course. There is not such thing as perfect security. Any solution has flaws, so for any solution, you'll have experts lining up to explain why it's not perfect. The only real question is whether something will improve security, and how much it costs, and whether the benefits outweigh the costs.

Blizzard is charging $6 for the tokens. This sounds like they are providing these "at cost". There are other costs to Blizzard, too. They need to maintain software on the backend that works with the keys. They also need to deal with support costs, as users break the keys and lose them. The users themselves will also experience costs. They have to learn how to use they keys, and it makes logging onto their account more annoying. That last item is an important cost - WoW makes money when their games are fun, annoyances caused by security make games less fun.

The benefits would be big. Users who use the same username/password on multiple accounts would no longer be danger. Phishing attacks would similarly be broken. Keyloggers in malware would no longer be a threat. Hackers could update their malware from simple keyloggers to hacks that would allow them to hijack WoW sessions, but that would be very costly. Keyloggers hack a wide range of applications, not just WoW - custom software for each application may not be worth it. Moreover, if hackers do come up with techniques to hijack sessions, Blizzard could quickly counter them with their famous "Warden" program.

Blizzard's experiment is an interest for all of us. Bank's are trying out jury-rigged authentication schemes to avoid the difficulties of hardware devices like Blizzard's. In our experience as pentesters and system evaluators, these schemes suck. It is our belief that no system can be successful that relies upon people being smart about their authentication credentials. If Blizzard can show success with this system in the gaming community, it'll be a huge boost for the approach in other areas as well.


Matei-Eugen said...

Some banks are already using this login mechanism for their internet banking sites. The two examples that I know are ING Romania and BCR, but, most probably, there are more of them out there.

nicj said...

There are other types of two-factor, take PhoneFactor for example, not tokens or certificates needed. Just your phone

Daniel Pifer said...

There really is not an easy way to do this! Sure its inconvenient, but there are not many alternatives. It is becoming far to easy for people to get a hold of other peoples passwords for everything! It is just a matter of time before two factor auth. is used for almost everything!