atomic_fungus (atomic_fungus) wrote,

#2060: Authentication!

The Battle.Net authenticator arrived this afternoon.

The Escort now has over 500 miles on its new engine; it's time for an oil change. I went to AutoZone for oil and filter, and also took one of the oil pails with to empty into their waste oil tank.

AZ recycles oil for free. Actually, they get paid for the used oil, and the company which buys the oil from them sells the used oil to other companies. I don't mind giving them the used oil, because I have no other way of disposing of it.

The "pail" is a cat litter pail, one with a hinged lid. It works fairly well for storing waste oil. I've got two of them; one is still full and will have to be taken to AZ and emptied soon.


The authenticator is not very big. It's thumb-sized, perhaps 1/4" thick. There's a button on it; when you press the button, the LCD display shows a six-digit number.

You start up WoW and enter your regular password. Then it pops up another window asking for an authenticator code; so you press the button, read the six-digit code, and type it into the box on the screen. If you type it correctly, you're logged in.

Here's how it keeps someone from stealing your account. Let's say you visit a dubious web site and somehow a keylogger gets into your machine. Someone can have a look at the data from your machine and then just type in your password, and steal everything your characters have.

That's what happened to the guild master: her password was grabbed by a keylogger.

BUT: if you're using the authenticator, just the password alone isn't enough. Even if the hacker has an authenticator of his own, it's still not going to give the right number, so he can't log into your account.

I really don't know how this works. I know that the authenticator dongle has a number generator inside which follows a certain algorithm to generate a unique code each time the button is pressed. Somehow the login server at Blizzard can tell a valid code from an invalid one; and the algorithm incorporates the serial number of the dongle in order to prevent any two random dongles from generating the same code.

It's probably something like how UNIX deals with passwords. When you set a password, UNIX runs the password through a "trap door" algorithm, which encrypts the password in a way which is very, very difficult to unscramble. It stores this encrypted version of your password; and the next time you enter that password, it takes the text you enter and runs it through the algorithm...and then compares that result with the already-scrambled password that's associated with your user ID. If they match, you're logged in.

One way might be that the dongle has a clock in it. If that were so, it could use the clock data to generate a timecode, mash it up with the serial number and a CRC code, and then present it as a six-digit number. The server--knowing the serial number and the algorithm used to do the "mash up"--could then take the number given by the user and mash up similar data from a local source. If it matches, logging in is allowed. (Probably the clock would look at date and hour, because you don't want your users to be unable to login because the clock in the dongle drifted. Even one minute's difference would keep the codes from matching.)

I'm probably wrong about that; but it's fine. I have an idea of how it works, and I'd rather not know the details. Because if I could learn them, anyone could, and could generate a hack to get around it.

However they do it, it's neat, and it adds an extra layer of security that makes it that much harder for a hacker bastard to steal your account. It's cheap and it's not that difficult to use.
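Added example, not part of the original post and not Blizzard's code: the published standard for clock-based six-digit codes is TOTP (RFC 6238), and the post does not say what the Battle.Net token actually uses. The sketch assumes a per-token shared secret (here the RFC's public test key) in place of the "serial number", and shows how a server tolerates clock drift by checking neighbouring 30-second steps while refusing a code that was already used.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 6   # six-digit display, as on the token described in the post


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int,
           window: int = 1, last_counter: int = -1):
    """Return the time step the code matched, or None.

    window       -- steps of token clock drift tolerated on either side
    last_counter -- newest step already accepted for this account; codes
                    at or before it are refused, so a captured code
                    cannot be replayed
    """
    now = server_time // STEP
    for counter in range(max(0, now - window), now + window + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"    # RFC 6238 test key, not a real token secret
    code = totp(secret, 1111111109)      # token's clock: end of one 30 s step
    print("token shows:", code)
    # Server clock is 2 s ahead, already in the next step: accepted with window=1.
    print("drift tolerated:", verify(secret, code, 1111111111, window=1))
    # Same code with no drift allowance, then as a replay: both refused.
    print("strict window:", verify(secret, code, 1111111111, window=0))
    print("replayed:", verify(secret, code, 1111111109, window=0, last_counter=37037036))
```

The secret never leaves the token or the server, so a keylogger that captures a typed code gets a value that expires within the drift window and is refused on reuse.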

* * *

The weather was chilly and windy today. If it hadn't been so windy it would have been fine, but that damn wind was just too strong and it made it too cold, even when the sun was shining.

So I decided to put off changing the oil in the Escort until Sunday or even Monday, depending on how I feel.

* * *

...I just realized I've been playing WoW all freakin' day, except for when I went to get the oil change stuff. And now it's after 10:30 PM and I still haven't had a shower.

Well, it's the first time in months that I played WoW longer than a couple hours at one sitting. I don't know what that means.
