WoW Insider: Can you, without going into details that would compromise the Authenticators, walk us through exactly how they work? Is the code usable only once, or is it available for a certain period of time after login? And what are the chances that someone could keylog the authenticator code and/or use it without the key?
Blizzard: We've partnered with Vasco, which uses the same security technology as many major banks use to protect transactions that run through their systems and supplies some of the toughest security currently available. The Blizzard Authenticator can be tied to an individual account or multiple accounts. It supplies a random digital code that must be entered at login, providing an additional layer of security to help prevent unauthorized account access. Each code is valid for a limited time and can only be used once, so the Blizzard Authenticator must be in the possession of the account holder to log in to the account.
When we first heard about the person who got their account hacked while using the Authenticator, it appeared that whoever hacked the account had gotten the Authenticator removed from the account (though since then, Belfaire has told us on the forums that's not the case). What exactly is necessary to remove the Authenticator from an account? How easy or hard would it be for a hacker to do that through social engineering?
In the particular case you mention, the Authenticator was indeed never removed from the account, as our customer support representative Belfaire indicated in early August. I can also confirm that we have no verified occurrences of an account being compromised that has a Blizzard Authenticator attached to it.
As for removing the Authenticator from an account, if you have the Authenticator handy, you can log into Account Management with it and disassociate it from your account directly. If the Authenticator is lost or missing, the account holder would be required to contact our support staff and we would assist on a case-by-case basis. Given the security concerns involved, information on the specific steps we follow is not something we publicize. However, our support team is dedicated to helping genuine cases without risking players' accounts.
Since releasing the Authenticator, have you seen a drop in the number of accounts reported hacked? Can you give us any numbers or percentages, either before or after the Authenticator's release, of how many hacked accounts you're seeing reported? Obviously there's no way to tell how many accounts are actually hacked, but from the reports we've seen (and from the fact that you've released the Authenticator in the first place), it seems like it's a widespread problem -- is that the case, according to your data?
We do not reveal compromised account data as a matter of policy, but from the first run of Blizzard Authenticators, we have zero verified cases of an account being compromised while a Blizzard Authenticator was attached to it.
The units are very hard to find -- what's the reason behind the supply problem? [Note: Obviously, at the time these questions were written, Authenticators were not in stock on Blizzard's website.] And is there a way that we could buy non-Blizzard authenticator keys from that same company and have them work?
As mentioned earlier, we've partnered with Vasco to provide the Blizzard Authenticator. The original release of the Blizzard Authenticator was limited, and it was extremely well received. We recently replenished our stock and are making the new batch available through the online Blizzard Store now. In regards to using other authenticators, due to the proprietary nature of the interaction between Blizzard's player accounts and the Authenticator, non-Blizzard Authenticators will not work.
Thank you very much.
Note: We also asked a question of Blizzard about why some GMs are able to restore all the items on hacked accounts and some are not (including what players can do to make sure that, if hacked, they can get their items recovered quickly), but Blizzard declined to answer, apparently because the question was not directly about the Authenticator.