A post on wow.com mentioned the possibility of Blizzard making all battle.net accounts require an authenticator to log in. I started typing an all-encompassing response on just some of the reasons, aside from logistics, that this is a bad idea and realized that if there is a limit on comments, I was quickly approaching it. As such, I made a one-sentence comment and a link to this post. My comment as I originally intended is below:
tl;dr: Authenticators: because DRM worked really well for the music industry
Will mandatory Authenticators solve anything? Yes and no. It means the heyday hackers enjoy now will end. Yay, a break from gold farmers. However, in the process Blizzard will lose accounts. Upgrading to Battle.net is one thing; it can be done online with a simple verification email. Upgrading to a physical method of tracking players (while not literally tracking, it more or less boils down to the same thing) is a whole other ball of wax. Not only would you have to coordinate methods of reaching people physically en masse, but then there are other problems.
The reason the authenticators are not attacked right now is because it’s easier to find another sucker than it is to actually hack accounts. If you mandate another level of authentication, then a diligent hacker will now mandate another level of social and programming engineering. A hacker (or group) will eventually crack or get their hands on the code. Even if they do not, there are other methods for acquiring the one login needed to change authenticators to a dupe and now they can log in while you go through tech support wondering what happened. By that time, you probably won’t even have an account left.
There is always a line between freedom and oppression. That line in between that we call security is a fickle one. Ultimate oppression could be easily implemented, limiting us to one computer at a time without an account change. Ultimate freedom is to have as few forms of authentication as possible and the ability to log in from anywhere. It doesn’t help that Blizzard forcibly pushes their games towards that freedom end, even more so than Steam and other game companies, while trying to also be on the other end of the spectrum with security *at the same time*.
Hackers will only work as hard as the weakest link requires to achieve their goals. That is still, and will forever be, people. Whether it is people programming the Authenticators, or people using them, there will always be a way because we are asking people that we have never seen, heard, smelt, or touched to trust that we are the same person whom they have not seen, etc., that we previously identified ourselves to be.
‘Tis the price of success. Just as many claim Windows is less secure than MacOS, WoW is inherently less secure than other games. It really is just that simple. More popularity means more people able to be exploited and more people working to exploit said popularity which means more opportunities to be exploited for all. There are more viruses and exploits for Windows simply because more people use it and thus more people wish to exploit as many as possible with minimum effort. There is more account hacking in WoW than other MMOs because more people play and thus more people to be exploited.
In the end, maybe even more than a year from now, but still before the end, Authenticators will not be required or Blizzard will be out of business. There will be loss as some find the level of inconvenience (both physically and monetarily) to be greater than the appreciation gained. Even if you make the authenticator free, you are still paying to play a game where you have to keep up with another device.
Either way, Blizzard is and will be dealing with a great many unsatisfied customers and needs to work towards balancing what they want with reality. Requiring an Authenticator is just a request to stab themselves because they lack the innovation for a better solution or the backbone to stand up for themselves. Seriously, the same day this article about authenticators comes about, there is another article about how people abuse the billing department to get what they want. The customer is always right so give me free stuff. Really?
I can’t wait to talk to the person who’s never played WoW, but was finally talked into buying it now that he has some disposable monthly income and his friends play. He will go home with a shiny new box, then sign up for a battle.net account, install the game, and download the patches, then need an authenticator, activate the authenticator, and use it before even seeing level 1? Do you think this person will perhaps feel slightly like calling it a complete loss and quitting before even making a character as the costs in time and money collectively add up to more hassle than its potential (in his mind) worth?
DRM tried to limit music to keep it from being pirated, but in the end, the inconvenience and politics of the decision led to many finding other ways of acquiring music. MP3s are essentially freeware and people don’t mind paying for them, but people are more likely to pay for versions they can use anywhere than only on their computers. Hackers immediately upped what they had to do to get around DRM.
Authenticators, likewise, try to limit where I can use my WoW account. I don’t mind paying for it, but people are more likely to pay for versions they can use with as much freedom as possible. Hackers will also up the ante to continue their way of life. Authenticators could also lead many to find other games that may not be the same music, but the tune is familiar enough that the lack of stressing over my account(s) (checking and battle.net) may make those tunes more soothing and enjoyable.
/soapbox
Oh and don’t interpret incorrectly, I have the BlackBerry app, but I really hope Blizzard doesn’t do this. I barely even scratched the surface of why this is a bad idea and didn’t even get into the logistical nightmare of making this happen and how many people will quit in frustration over it.