Security Tokens in MMOs
Account security in massively multiplayer games is a big concern. If you play World of Warcraft, you know how often accounts are compromised. In the last 6 months we’ve had our guild bank emptied twice when high-ranking members had their accounts compromised, and a handful of our lesser ranking members have had their hacked characters’ inventory and gear liquidated and traded to, presumably, gold resellers. Blizzard isn’t alone in this problem, of course. Even NCSoft’s Aion, a very recent MMO release, is having major issues with this. The simple truth of the matter is that no MMO account is safe from being hacked, phished or brute forced and compromised when all we use is a traditional username/password scheme.
However, there is a solution to this: authenticators. Blizzard and Square Enix both sell a hardware key fob solution to secure accounts (in the case of Blizzard, there is a free iPhone app that does the same thing.) Essentially, it adds a second, randomly generated password to your account that changes every ~30 seconds. So, you log in with your traditional username/email and password, press the button on your key fob, and enter the code to log in to the game or access your account management settings.
If you’re familiar with Paypal’s Security Key program, it’s essentially the same thing.
Obviously, there are great benefits to using security tokens like these to secure online accounts. Someone could lift your username and password from a phishing scam, but they still couldn’t access any important element of your account without the random token. No two key fobs will generate the same code at the same time, so it’s nearly impossible to brute force. Even a keylogger installed on a player’s computer is rendered useless, unless the hacker is somehow watching your input in real time and enters your token as you do within that 30 second window (not likely.)
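To make the mechanism above concrete, here is an added example (not Blizzard’s, Square Enix’s or PayPal’s code, whose exact token algorithms are not described in this post) of the standard time-based one-time password scheme, RFC 4226 HOTP plus RFC 6238 TOTP, which works the way the post describes: the fob and the server share a secret, both derive a 6-digit code from that secret and the current 30-second time step, and the server accepts a login only if password and code both match. The account table, the password and the fob secret are constructed sample data; the fob secret used is the RFC test-vector key, not a real one.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the "~30 seconds" the post describes
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Same secret and
    same time step -> same code; a different fob (secret) -> a different code."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, submitted: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- skew_steps neighbours, so a fob whose
    clock has drifted a little still works. Outside that window a captured code is dead,
    which is why a keylogged code is useless after the 30-second window has passed."""
    counter = at // STEP_SECONDS
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return True
    return False

# Constructed sample account. A real system stores a salted password hash, not the
# password; each real fob carries its own factory-provisioned secret.
ACCOUNTS = {
    "alice@example.com": {
        "password": "correct horse",
        "fob_secret": b"12345678901234567890",   # RFC 4226/6238 test-vector key
    },
}

def login(email: str, password: str, code: str, at: int) -> bool:
    """Two-factor login: username/password AND a fresh fob code are both required."""
    acct = ACCOUNTS.get(email)
    if acct is None or not hmac.compare_digest(password, acct["password"]):
        return False
    return verify_totp(acct["fob_secret"], code, at)

if __name__ == "__main__":
    secret = ACCOUNTS["alice@example.com"]["fob_secret"]
    now = 59
    code = totp(secret, now)
    print("fob shows", code)
    print("password + code      ->", login("alice@example.com", "correct horse", code, now))
    print("password alone       ->", login("alice@example.com", "correct horse", "000000", now))
    print("same code 90 s later ->", login("alice@example.com", "correct horse", code, now + 90))
```

The `skew_steps` parameter is the one real design decision here: a window of one step either side keeps slightly drifted fobs working, while widening it much further extends how long a code captured by a keylogger stays usable.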
Blizzard and Square have tried to push players towards getting their accounts secured with authenticators by offering perks like vanity pets and increased storage space for your characters, but I’m still surprised at how many players are completely clueless that these devices exist. That might be changing in the case of Warcraft, where word on the street is Blizzard will be requiring the use of these security tokens with or perhaps even before the Cataclysm expansion is released. This means Blizzard will either be shipping these devices out for free, or will be bundling them in with the Cataclysm retail box.
Bizarrely, the community seems divided on the issues of whether this is a good thing or not. I don’t see the negative, outside of the minor inconvenience of having to remember where your device is, and the pain of getting your account reset if your device is lost (or, as was the case of a few friends of mine, when they upgraded their iPhone firmware and rendered their security tokens broken. [This issue should be fixed now, though.]) I love the idea of the security token mechanism, and I expect virtually every MMO going forward to begin supporting this kind of authentication, perhaps even mandatorily.
Until we get there, though, there are a few stop-gap solutions companies like Blizzard could put into place to help secure accounts without investing in new hardware.
Password Case Sensitivity — The most obvious flaw in Blizzard’s security system is the fact that their passwords are case-insensitive. So, if you’re a clever player, and you used a variety of capitalization in your password to help protect it from brute force attacks, those efforts are for naught. Seriously, who thought this was a good idea? You dramatically cripple the effectiveness of your security system by not including this.
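An added example (not Blizzard’s code; how their servers actually store passwords is not described here) showing what a case-insensitive scheme amounts to on the server side, next to the case-sensitive version: folding the password to lower case before hashing means “WoWpa55” and “wowpa55” are the same credential, and the guesser’s alphabet shrinks accordingly. The password and salt are constructed sample values; the hashing uses PBKDF2 as an assumed but reasonable choice.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

ITERATIONS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(password: str, case_sensitive: bool, salt: Optional[bytes] = None) -> dict:
    """Store a salted hash. The weak variant normalises case before hashing, which is
    exactly what makes 'WoWpa55' and 'wowpa55' indistinguishable at verification time."""
    salt = salt if salt is not None else os.urandom(16)
    stored = password if case_sensitive else password.lower()
    return {"salt": salt, "hash": _hash(stored, salt), "case_sensitive": case_sensitive}

def verify(record: dict, attempt: str) -> bool:
    candidate = attempt if record["case_sensitive"] else attempt.lower()
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])

def keyspace_bits(length: int, case_sensitive: bool) -> float:
    """Bits of guessing work for an alphanumeric password of the given length.
    Case-insensitive matching collapses 26 upper + 26 lower letters into 26."""
    letters = 52 if case_sensitive else 26
    return length * math.log2(letters + 10)

if __name__ == "__main__":
    salt = b"\x00" * 16   # constructed fixed salt so the demo is reproducible
    weak = enroll("WoWpa55", case_sensitive=False, salt=salt)
    strong = enroll("WoWpa55", case_sensitive=True, salt=salt)
    print("weak   accepts 'wowpa55':", verify(weak, "wowpa55"))
    print("strong accepts 'wowpa55':", verify(strong, "wowpa55"))
    print("8-char alphanumeric, case-insensitive: %.1f bits" % keyspace_bits(8, False))
    print("8-char alphanumeric, case-sensitive:   %.1f bits" % keyspace_bits(8, True))
```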
Login Strikes — It’s an obnoxious feature when you forget your password, but it’s a great way of combating brute force attacks. Banks use it all the time for online account access. Essentially, you have X attempts to log in before logins are disabled for Y minutes. So, if someone is brute forcing your password, they only have a very narrow window of attempts before they’re locked out from trying for a while. Hackers use automated scripts full of combinations of commonly used passwords, dictionary words, and frequent number combinations to throw at an authentication system like an MMO’s to try and guess what your password is.
My only guess as to why Blizzard in particular hasn’t included this particular function is that our accounts are getting slammed with brute force attempts far more often than we may realize. If this is the case, we could potentially be frequently locked out of our own accounts because of these anonymous attacks, causing an increased number of calls to these companies’ support centers. In this case, the only way these companies could combat this problem is by offering a means of changing your username, which can be difficult from a technical standpoint, introduces a level of complexity to the system, and increases the odds of players forgetting their usernames (and thus, potentially increases support center calls.) In the case of Blizzard, username changing isn’t an option, as you now log in with your email address instead of a username with the Battle.net system.
Still, this would be an option for many MMO developers, and an option worth serious consideration.
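An added example (not code from Blizzard or any MMO developer) of the login-strikes rule above: X failed attempts on an account disable logins for Y minutes, a successful login resets the count, and an expired lock is cleared. It also exercises the drawback raised above: because the strikes are counted per account, five wrong guesses from an anonymous attacker leave the real owner seeing "locked" even with the correct password until the Y minutes pass. The credential table, account name and timestamps are constructed sample data, and the plain string comparison stands in for a real password-hash check.

```python
from collections import defaultdict

MAX_ATTEMPTS = 5            # X attempts ...
LOCKOUT_SECONDS = 15 * 60   # ... then no logins for Y minutes

class LoginThrottle:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # account -> consecutive failed attempts
        self.locked_until = {}             # account -> unix time the lock expires

    def is_locked(self, account: str, now: int) -> bool:
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # lock has expired: clear it and start a fresh strike count
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def attempt(self, account: str, password: str, now: int, credentials: dict) -> str:
        """Returns 'locked', 'ok' or 'bad'. Strikes are counted per account, so anyone
        who knows the account name can drive it into the locked state."""
        if self.is_locked(account, now):
            return "locked"
        # placeholder for a real salted-hash comparison
        if account in credentials and credentials[account] == password:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = now + self.lockout_seconds
        return "bad"

def owner_locked_out_by_guessing(max_attempts: int = MAX_ATTEMPTS) -> bool:
    """Reproduces the concern in the post: an attacker's guesses lock the real owner out."""
    throttle = LoginThrottle(max_attempts=max_attempts, lockout_seconds=LOCKOUT_SECONDS)
    creds = {"alice": "correct horse"}          # constructed sample credentials
    for i in range(max_attempts):               # attacker's dictionary guesses
        throttle.attempt("alice", f"password{i}", now=1000 + i, credentials=creds)
    # the owner now tries with the right password one second later
    return throttle.attempt("alice", "correct horse", now=1000 + max_attempts, credentials=creds) == "locked"

if __name__ == "__main__":
    print("owner locked out by attacker's guesses:", owner_locked_out_by_guessing())
```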
OpenID — Here’s an interesting thought that crossed my mind; why not allow players to use OpenID to identify themselves? Decentralize security from your database and put it in the hands of the more tech savvy players. Obviously, it wouldn’t be an option for most of the market’s player base, but it could be an interesting experiment and lead to some fascinating innovation by the community. Allow players to build their own authentication mechanisms and secure their accounts through their own means, whether it’s usernames and passwords, or image-based schemes, or riddles, or whatever. Crowd-source your security.
Finally, there are two other avenues we could investigate to improve the current security token scheme we’re seeing. These are USB-Based Security Tokens and a Standardized Token System. One complaint I hear against security key fobs is that they require you to keep track of them, and require you to go out of your way to input the code. Granted, this only adds a few seconds to the login process, but it is an obnoxious element. Instead, why not use a USB key approach? The player plugs their security token into a free USB port. The game detects the hardware key, and inputs their randomized token for them during the login process. This still requires you to know where your key is, but assuming you only play from your home, you can just leave it in a USB slot and not have to worry about it. This might be complicated for web-based account management, though, but using browser plugins (*shudder*) it would be possible to still take advantage of the token system.
Also, considering that more and more MMO developers will begin introducing and perhaps requiring security tokens, wouldn’t it make sense to have a standardized token system for all MMOs? Our key chains could potentially be full of these things (if you’re an MMO addict like I am!) in a few years to come. If a third party stepped up and said, hey, we’ll sell your company branded security token hardware for your games, offer a simple API to integrate it into your authentication process, and allow players to use a single key to access all their MMO accounts, this company would make a fortune. Seriously. Somebody out there needs to get off their asses and do this.
So, there’s some random food for thought on MMO security. What would you suggest developers do to secure players’ accounts? Do you like the security token approach? Why or why not?
Saphrym
saphrym.com
January 12, 2010 at 7:57 pm