I don't understand the authenticator hype

And no, this post is probably not what you expect from the title, considering the most recent news...

I remember when authenticators were first released, most players didn't care too much about them. I was one of them, but unlike many people I haven't changed my opinion on the matter since then. Basically I think that authenticators are definitely useful - but no more and no less. They are sort of like home security systems: you may have valid reasons to believe that you should have one (because you are very rich/because you share your PC with your little brother who downloads all kinds of crap) and there are tangible benefits to having one, but it also costs money and causes a bit of extra hassle in your everyday life (having to turn the security on and off all the time/having to enter what is essentially a second password every time you log on). So even though it's a useful thing to have, many people still won't want or need one, and that's alright.

I don't have a home security system because I'm pretty poor and live right across the street from a police station. I also don't have an authenticator because I think that I'm pretty sensible when it comes to keeping my passwords and my PC in general safe, and on the very small off-chance that I should mess up anyway, Blizzard seems to be pretty damn good at restoring everything within a couple of days anyway. This is one of those cases where "it's only pixels on a screen" actually rings true for me, because well... they can be replaced easily. It's not like someone clearing out your house in real life, where the burglars might never be caught and even if the insurance company pays up it still won't be the same as actually having your old stuff back.

Lately I noticed a lot of what I'd call "authenticator fanboy-ism" emerge all of a sudden, especially in the comment section on WoW.com, but in other places too, where people say things like "People without authenticators shouldn't get support from Blizzard" or "If you don't have an authenticator, you deserve to get hacked". What the hell? Do you think people who didn't buy a mini Kel'thuzad pet shouldn't get support either, since you seem to think that support is a bonus feature for buying extra gadgets on top of the game instead of, you know, actually paying for the game? Do you think people deserve to have their stuff stolen in real life if they don't have a direct line to the police? It just strikes me as utterly out of proportion.

If you want to buy an authenticator and don't mind the extra hassle every time you log in, by all means go ahead! It does provide an extra layer of security. But don't talk about people who don't feel the need for that as if they were all handing their passwords out to hackers for free. As the latest piece of news on the subject shows, it still always comes down to what the person behind the keyboard actually does with their information. No security system can protect you if you actually invite the thief into your house.

There's also been some talk about Blizzard making authenticators mandatory in the future. I'd really prefer if it didn't come to that. I will accept it if it happens and will pay those extra five pounds or whatever it will cost because I do want to continue to play the game, but I'm convinced that it will not be the end of all hacking, and Blizzard's support team will be no less busy - they might have to deal with fewer keylogging problems and the like, but instead they'll likely get lots of calls about people not knowing how to work their authenticators, losing them, breaking them, or having them stolen by "that friend who originally made the account for me". Authenticators can make people feel better about the safety of your account, but they still can't protect anyone from their own mistakes.


  1. Imho the hassle caused by getting the account hacked is worse than the hassle the authenticator represents to log in (just a 3 secs delay in logging in?). For m it's not "only pixels easily restored". That's true but also means for several days you won't be able to play, and you're paying in order to play. Yes, Blizz can add some days for free into your account, but I doubt they're doing this. It also causes troubles to other people, specially your guildmates who can find suddenly the gbank empty (this is specially sensible if you're an officer or leader with enhanced or full access). So for me authenticator should be mandatory and included in the box when you buy the game. It's the same as when you operate with yo bank via internet: a keycard or authenticator is also required because a password, no matter how complex it is and how hard you try to keep your computer clean is not enough. Of course the authenticator is not the definitive solution (as the news you link), but it makes things much more difficult for hackers. If people think they don't need one because they're already taking preventive measures they should think about other people who'd be affected (like before I said about the gbank) and decide if it's worth the risk.
    And don't get me wrong, I'm not an authenticator fanboy. I jut want to keep things the most secure possible, be it my WoW account, my gmail address or my computer. I know there's no perfect defense, but I like not leaving any window unlocked or door open.

  2. Hehe, but those three seconds can add up if you log in and out a lot! :p And you might never get hacked at all, or simply not consider it the end of the world on the off-chance that it does happen. I just don't think it's as clear-cut as "everyone should have an authenticator, it's optimal for everyone".

    You make a fair point about guild banks, and maybe I'd feel differently if I was leader of a big guild myself (because as you say there's a difference between assessing risks that only affect yourself and considering how your actions can affect others), but seeing how I'm not an officer and only have marginally more access to the bank than an average member (which is not much), that kind of thing is not an issue for me.

  3. The support calls that Blizz will get for broken/missing authenticators and the like will be much easier for them to handle than requests to get their characters restored because of a hack. That would be *their* primary reason for mandating authenticators.

    *My* reason for having one is that even the most sophisticated users proficient in using the Internet can still acquire malware through completely innocent means (hello Flash exploits from a year or two ago). Needing to press a button and key in a six digit number is not enough of an impact on my life to make the $6.50 I paid too high a price.

  4. Remember I have 10 80s in one server and several chars scattered around (5 or 6 in another server, plusone here and there). I don't see much difference in time when swapping. Also if you swap to another char in the same realm you don't need the authenticator.
    And yes, I'm co-leader of the guild where my 80s are, in fact all of them except one (who's in another guild) have co-leader or officer guild, so somebody hacking my account could cause a great gbank devastation (even tough we don't have lot of great items stored there're still lots of useful items)
    And as Justin says, it's just another layer of security that doesn't haslle you much. You can get infected even by visiting trusty sites, so as long as the authenticator is as easy to use as it is now (and I don't care if logging in takes 5 or more seconds more, after all it's pretty fast) I'm up for it and gladly will recommend it to anyone who wishes to keep troubles away.

  5. @Kurnak

    Sadly, I've actually considered leaving my guild simply because the GL doesn't have an authenticator and she lets one of the officers play her toons (not in raids or anything, but to camp hunter pets or to get past a quest she can't handle...yeah, not the best player in the world).

  6. I use one because I got it for free from going to Blizzcon. I like the peace of mind it gives me, in a world in which hackers can hide viruses in banner ads of well-known websites, and you don't even need to click on them to get infected.

    I agree that for the most part, being smart about your info can prevent you from getting hacked (my fiance and I played for years without issues until we got our authenticators), but there are still situations where nothing you do can prevent it. I'd rather not have to worry about those situations, and the few seconds it takes to enter the additional password is worth it to me.

    I don't have anything against people who disagree with me though. If they do make authenticators mandatory, they had better at least package them with the expansion so that people don't have to deal with the hassle of mail-ordering them.

  7. Also remember that the authenticators don't cost anything if you have a mobile phone capable of running the mobile authenticator.

    I run with a hw firewall, virusscanner and authenticator. The only thing I use my wow computer for is... well wow. And I still wouldn't be 100% sure of never catching a trojan. For example, from where do you upgrade your addons? Curse? I know plenty people that have been infected from various banners from that site.

    Oh and you get that cute little core hound with am authenticator as well, even with the free mobile version.

  8. A guildie of mine, who plays on a mac, practices safe internet usage principles, has a good strong passwords (has worked in customer support and now works as an internet security professional) got hacked. It was most likely from a compromise on a 3rd party website where his email address and password were the same as those used by his battle.net account. Guild bank empty, all of his characters were transferred off of his account or deleted. Took 2+ weeks to get his stuff back and about 3 weeks for the guild bank to come back. He like everyone in our guild has full access to the bank.

  9. I refused to get an authenticator!! I thought the extra hassle was absolutely stupid! I still don't like them, but ya I have one. I have an iphone so it didn't cost me anything but I still didn't want it. I am the GM of my guild and we had a lot of hacks. I mean four within a year is too many for me. I had to lock everyone out of some of the bank tabs which I hated to do. But now I required all of my officers to get an authenticator and worked with them to make sure they could do this. It was too much of a risk for my guild, and I didn't want all of their hard work, mats, and money to get lost. Blizzard is not as good about returning things to Gbanks as individuals. Although I have received most items from hackers back. But if some1 doesn't want an authenticator fine by me. I don't think it is dumb, but for officers and GMs I think it is really wise to use one.

  10. In BC, two of the top level officers in my raiding guild got hacked. They were two of three RL roommates. Their badges were spent, our gems, enchanting materials (like 200 epic crystals) and many other things were stolen.

    They had firewalls, virus scanners, and used Firefox with flashblocker and noscript.

    It was absolutely devastating, all their badges were spent and the GMs refused to return them (right before the Sunwell badge vendors dropped). Our MT, one of the three who wasn't hacked, gquit temporarily to make sure he wouldn't jack the bank too.

    As a guild leader I had to deal with about 30 terribly upset raiders. To make matters worse, Bliz dropped the ball and it too more than two weeks for us to get our stuff back. It was only because I had screenshots of the bank logs and threw an epic fit on the support forums calling out Bliz that we got our stuff back. (I even got the GMs to refund their badges, which woulda taken a month to regain.)

    Needless to say I never want to go through that again. I require all officers have Authenticators to have any reasonable amount of bank access and strongly (very strongly) encourage all my raiders to get an Authenticator. People losing their stuff means trouble for us and our progression.

    It's not fanboyism with me. It's me wanting to prevent my raiders (and myself) from being stressed out.

    To give a slightly vulgar analogy: Playing without an authenticator but thinking you won't get hacked because you're being careful is like using coitus interruptus (withdrawl) as a form of birth control and std protection.