Why the Resistance to Authenticators?


Over at the World of Warcraft Livejournal Community, frequent poster zhiva_the_mage brings up a very interesting point by claiming that authenticators and migrating to Battle.net won’t necessarily add much more security to your account, mostly due to the nature of how they work: your World of Warcraft account allows you to keep both authentication factors secret (your username and password are both things that you create), whereas your Battle.net account uses your e-mail address (public) as well as a password (private). Standing on its own, that would imply that a Battle.net account is less secure than a WoW account because one of your authentication factors is now public.

Add the authenticator and now you have a third authentication factor, one that’s now private, essentially returning you to the previous model, and its security.

This is true if you look at it head-on, but it discounts how much security an authenticator adds compared with a private username. The two are not in the same league. A private username relies on security through obscurity; an authenticator adds a factor that is not only a numeric code with RSA encryption behind it, but one that changes regularly. The difference is orders of magnitude, and next to an authenticator the privacy of a username pales in comparison.

Don’t get me wrong, ideally all three authentication factors would be private and you would be able to log in with a private username, a private password, and an RSA encrypted authenticator code, but given Blizzard’s plans for Battle.net (a la a Steam-like service where you can connect with friends and likely make game purchases) an e-mail address is another way to create unique users.

update – another LJ user, strangetwn-god, points out that I failed to mention a very important concept at this stage of the article: why a “private” username isn’t really private, and why keeping it secret, in the ever-present “security through obscurity” model, is inherently flawed. He points out:

A dictionary, a phone book, and a perl script can discover a few million usernames over the course of an afternoon. Discovering a specific username if you have personal information likewise can be done in a minimal quantity of time. The sad thing is, a dictionary and a phonebook will also grab at least 50% of the passwords even with all the abundant warnings to not do that.

Of course, dictionary attacks are no longer really needed given browser vulnerabilities and social engineering hacks that can return hundreds of username/password combinations anyway.

He hit the important points, but it’s also worth mentioning that with username/password combinations much more security is inherently given, both by the system and by the user, to the password. Frankly, you’ll never see a MoTD when you log in to WoW that says “a Blizzard employee will never ask for your username.” Username dialogs are never starred out to stop shoulder surfers picking them up, and users don’t immediately rush to change their usernames when they get the feeling someone else knows it or they hear of a security threat.

It’s not an excuse for not making it as obscure as possible, but it’s definitely a legitimate point. Your username is not secret, most users don’t treat it like a secret the way they treat their passwords, and while that may not be a direct rationale for moving to a blatantly public authentication factor like an e-mail address, you’re certainly not losing any real security by going in that direction.

Livejournal user Arwenoid makes a very interesting response to the notion that Blizzard has horrible security because of the need for authenticators and the number of people who have had their accounts hacked that I think is worth re-posting:

People seem to think that blizzard has terrible security. They don’t, THEY’VE never been hacked (well, that we know of.)

This is YOUR account, and therefore, your responsibility. This isn’t victim blaming, this is about personal responsibility. The only way people are going to get your password is through your actions anyway — and don’t get me wrong, there are some damn clever ways that people use to get your passwords — but they’re not getting them from Blizzard, they’re getting them from *you*.

Seriously, authenticators are $6. They even ship to Canada now — I picked up a couple when my partner’s account got hacked. No big deal, some minor inconvenience, one missed raid, and he got everything back. It’s just a warcraft account.

What surprises me is that more banks don’t require authenticators for their logins. You know, something that’s actually important.

She’s absolutely, completely, and positively right. The end-user will always be the weakest link in any information security system, simply because there are always more users than operators.

To that end, let’s look at the security around the authenticator and why the direct comparison doesn’t really add up, although the original poster does have a point also:

Authenticators are essentially branded RSA keyfobs, which almost every organization that’s serious about remote access uses to secure everything from VPN and remote access accounts to internal systems that protect personally identifiable data (I work in an organization like this – I can’t tell you what we use them for, but suffice to say it’s important and personal data). The problem is that forcing people to get RSA keyfobs for access to external services presents a significant logistical challenge to most companies with large user-bases for their web services, and requires an infrastructure upgrade to support RSA-authenticated login at all times.

However, all of those things are doable, and the nature of RSA encryption, together with the fact that your keyfob is essentially changing your password every 30 seconds or so, makes it a very attractive option for banks, credit unions and the like, companies that probably already use them internally for their own employees to protect data security on the inside.
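The rotating code described above, as an added illustration that is not from the original post: a standard time-based one-time code (RFC 6238 TOTP, which is an HMAC construction rather than the RSA encryption the post mentions; the post does not specify Blizzard’s actual algorithm), paired with the server-side check a verifier needs: tolerate one 30-second step of clock drift, compare in constant time, and never accept the same window twice. The secret is the RFC’s published test seed, not anyone’s real one.

```python
# Added illustration: RFC 6238 TOTP generation plus a verifier that tolerates
# clock drift and refuses replay. Not Blizzard's or RSA's code; the seed below
# is the RFC 6238 test vector seed, constructed for the example.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # the code rotates every 30 seconds, as the post describes
DIGITS = 6          # six-digit numeric code, like a typical keyfob display


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30-second window containing unix_time (HOTP truncation)."""
    counter = unix_time // STEP_SECONDS
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


class Verifier:
    """Server side: accept the current window or one step either side,
    but never accept a window at or before the last one already used."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_used_counter = -1                      # highest window accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_used_counter:
                continue                                 # replay or stale window
            expected = totp(self.secret, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):      # constant-time comparison
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"                       # RFC 6238 test seed
    print("code right now:", totp(seed, int(time.time())))
```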

There are a number of companies who are closely watching Blizzard’s use of RSA keyfobs with their playerbase to see if it’s feasible for them and their users. The other mindset at a number of these services is that the added security simply doesn’t outweigh the support and logistical burden on the organization, or alternatively they — directly to your point — would rather spend their information assurance budgets making sure they don’t screw up internally than worry about their users screwing up and getting themselves hacked, which exposes a lot of data belonging to the individual but nothing of consequence to the organization.

It’s an order of magnitude issue: does the company spend security dollars making sure all of its users, who each have access to a small amount of data but collectively make up a lot of it, are each as secure as they can be (which may not be much), or does it spend the money on its own internal employees and processes? Which is the bigger bang for the buck? Blizzard – and most companies – agree it’s the latter.
