What is the Authenticator?
The Authenticator is a small device (pictured right) or an iPhone/iPod Touch app that can be tied to your account and provide an extra layer of security. The application is free, but the physical Authenticator costs $6.50 with free shipping in the U.S. They are also available in other countries.
How does it work?
The Authenticator generates a code that you must enter after your username and password when logging into WoW or when accessing your account management screens. Each code is a one-use code that is valid only for a limited time, and that time is longer than the code stays on the Authenticator's display: a new code is generated every few seconds, but an unused code remains valid for somewhat longer than that (I'm not sure how long). For more details about how the Authenticator works, please read our interview with Blizzard.
The scammer said he could get around the Authenticator.
Yes, he did. He said he could get around it once by obtaining a code through his phishing site; he would then have to use that code either to change the password or as a one-time login to grab your valuables and leave. He also said that he hadn't tested this yet, because after hacking into 50 accounts, none of them had Authenticators. His theory is that people have stopped using them because the hacking rate has gone down.
But you don't need Captain Obvious to tell you that the scammer wasn't being completely forthcoming here. First, he would have to know whether you have an Authenticator on your account before sending you the link: when you log into Blizzard Account Management, you are asked for an authenticator code only if one is attached to your account, so the standard phishing page doesn't ask for one. But suppose he did know, sent you the code-stealing version of the phishing page, and got a code from you. If he spent that one code on changing your password, he wouldn't be able to use it to log in to the game. And removing the Authenticator from your account takes two consecutive codes, for a total of three, since he would also need to spend one code logging into Account Management. So one code would buy him a single game login, and he'd have to get his "business" done quickly before you tried to log in again and kicked him off.
Update: Some commenters have said things that made me do further testing on Blizzard's one-use claim. Here are the results:
- It is one use per account, so if you have the same authenticator on multiple accounts, you can use the same code on each account before it expires.
- It is one use per kind of login, so if you use a code to log into WoW and then try the same code for a second WoW login before it expires, it will not work the second time.
- It is not one use per account across different types of login. The same code will let the scammer log into your account management and into the game at the same time, if he does it quickly enough. Once there, however, he will still not be able to remove the authenticator from your account, for the reasons stated above.
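The behaviour in the update above, together with the validity window mentioned under "How does it work?", modelled as an added example. This is not code from the original post and not Blizzard's implementation: it is a generic TOTP-style verifier (RFC 4226/6238 HMAC-SHA1 truncation) with an assumed 30-second step, an assumed tolerance of one step either side, and assumed 8-digit codes. The server spends each code per account and per login type, so one code is accepted on two accounts and for both account management and a game login, but not twice for the same account and login type, and the detach step needs two codes from consecutive steps. The seed, account names, login-type labels and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Assumed parameters. The post only says "a new code every few seconds" and that an
# unused code stays valid somewhat longer; a 30-second step with one step of tolerance
# on either side is the usual TOTP (RFC 6238) layout, used here as a stand-in.
STEP_SECONDS = 30
ACCEPT_SKEW_STEPS = 1
DIGITS = 8


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1 over a 64-bit big-endian counter."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """What the device or app would display at Unix time `now`."""
    return hotp(secret, now // STEP_SECONDS)


class AuthenticatorServer:
    """Server-side verifier. One authenticator (one secret) may be attached to several
    accounts. A code is spent per (account, login type, time step): reusable across
    accounts and across login types, but not twice for the same account and type."""

    def __init__(self) -> None:
        self.secrets = {}   # account -> shared secret
        self.spent = set()  # (account, login_type, counter) already used

    def attach(self, account: str, secret: bytes) -> None:
        self.secrets[account] = secret

    def _window(self, now: int) -> range:
        current = now // STEP_SECONDS
        return range(current - ACCEPT_SKEW_STEPS, current + ACCEPT_SKEW_STEPS + 1)

    def verify(self, account: str, login_type: str, code: str, now: int) -> bool:
        """Accept `code` for one login of `login_type` on `account`, or reject it."""
        secret = self.secrets.get(account)
        if secret is None:
            return False  # nothing attached, so there is no code to check
        window = self._window(now)
        # Drop spent entries older than the window; they can never match again.
        self.spent = {s for s in self.spent if s[2] >= window.start}
        for counter in window:
            if hmac.compare_digest(hotp(secret, counter), code):
                key = (account, login_type, counter)
                if key in self.spent:
                    return False  # replay: same account, same login type, same step
                self.spent.add(key)
                return True
        return False  # wrong code, or outside the accepted time window

    def detach(self, account: str, first_code: str, second_code: str, now: int) -> bool:
        """Removing the authenticator takes two codes from consecutive time steps,
        so a single phished code cannot do it."""
        secret = self.secrets.get(account)
        if secret is None:
            return False
        window = self._window(now)
        for counter in range(window.start, window.stop - 1):
            if (hmac.compare_digest(hotp(secret, counter), first_code)
                    and hmac.compare_digest(hotp(secret, counter + 1), second_code)):
                del self.secrets[account]
                return True
        return False


def demo() -> dict:
    """Constructed scenario: one authenticator on two accounts, one phished code."""
    secret = b"constructed-demo-seed"  # a real seed is provisioned with the device/app
    server = AuthenticatorServer()
    server.attach("main-account", secret)
    server.attach("alt-account", secret)
    t = 1_700_000_000
    phished = totp(secret, t)  # the one code a phishing page managed to capture
    return {
        "game login with the phished code": server.verify("main-account", "game", phished, t),
        "same code, same account, second game login": server.verify("main-account", "game", phished, t + 5),
        "same code, same account, account management": server.verify("main-account", "account-mgmt", phished, t + 5),
        "same code, other account, game login": server.verify("alt-account", "game", phished, t + 10),
        "same code, one step later, still in window": server.verify("alt-account", "account-mgmt", phished, t + STEP_SECONDS),
        "same code, three steps later, expired": server.verify("alt-account", "account-mgmt", phished, t + 3 * STEP_SECONDS),
        "remove authenticator with one code twice": server.detach("main-account", phished, phished, t),
        "remove authenticator with two consecutive codes": server.detach("main-account", phished, totp(secret, t + STEP_SECONDS), t + STEP_SECONDS),
    }


if __name__ == "__main__":
    for label, accepted in demo().items():
        print(f"{'ACCEPTED' if accepted else 'REJECTED':8}  {label}")
```

The replay set is keyed on the time step rather than the code string, so a code is spent no matter which step in the tolerance window it matched, and entries are pruned once they fall out of the window. The point for the phishing scenario is the last two lines of the demo: a single captured code buys one login per type, but the second code needed to detach the authenticator only exists one step later, by which time the victim is likely logging in and kicking the intruder off.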
I really, really don't want to discourage anyone from getting an Authenticator, but I must admit, they are a pain to use. You have to have it with you when you login. If you forget it at home, then your laptop is useless for playing WoW while you are traveling. If you keep it on your keychain or it's a phone app, then you have to have those nearby before you get comfy for your gaming session. I am also constantly entering in my code as my password and then having to start all over again with the login. But I still won't stop using it. It really is a minor inconvenience compared to the hassle involved with getting my account hacked. Yes, I practice safe computing, but I also make mistakes. We all do. Most of us have to use multiple keys to get into our homes and this is really similar. The added ickiness is well worth the peace of mind.
OK, I'm sold. Where can I get one?
Well, I have bad news if you are in the U.S. and don't have an iPhone or iPod Touch: they are currently sold out... again. And when they are in stock, they go quickly. But Blizzard is working on apps for other cellphones, and more Authenticators do come into stock periodically. Here are the appropriate links:
- U.S. Authenticator
- Canada, Australia, New Zealand and Latin America
- iTunes App Store (this link launches iTunes)
Be careful out there!