Value of two-factor authentication in MMOs

Cypherpunks everywhere know that two-factor authentication, when done right, is inherently more secure than a single factor on its own.

Nothing can be said against the security of a wisely used single factor, but care must be taken to keep that factor secure over time. If you use a password, you need to choose a strong one, and the longer it stays in use, the more chances it gets to be phished, keylogged or leaked from another site, so its effective security only goes down unless you change it now and then.

I know of at least one WoW player who is positively paranoid about exposing their passwords to someone, even though they don’t exhibit that behaviour elsewhere.

And then, of course, there are the people who complain about having their accounts hacked, even though they used a secure password like their birthday. Or abcde.

A mitigating factor against people being too stupid to use passwords securely is needed, then. And that’s where two-factor authentication comes in.

Two-factor authentication, in essence, means that you need to prove your identity by two different means. This isn’t like using two different passwords: the two proofs have to be of different kinds. The common examples of factors are “things the user knows”, like a password or PIN; “things the user has”, like some form of physical security token; and “things the user is”, i.e. biometric verification methods.

Biometric verification is more “comfortable” to use, but does have two major drawbacks:

  1. it requires specialized equipment (in most cases)
  2. it is vulnerable to replay attacks, and unlike a password or a token secret, a fingerprint or face cannot be replaced once a copy has been captured

So, mainly for practical reasons, possession of an authentication token is the best way of getting a second factor into the mix.

But why would a company like Blizzard, for example, go to the effort of actually enabling something like authenticators, not only as a physical device but on a mobile phone too, and then go ahead and reward players (with an in-game pet, but a reward nevertheless) for using an authenticator, merely to save people from their own stupidity?

Simple enough: to help battle “economic” abuse, and to protect their own interests by having fewer “hacked account” cases to deal with.

Even though the latter reason might just be enough to implement it, the former is actually the most important one. Gold farming is a serious problem for online gaming companies, and even underdeveloped economies like that of WoW can suffer greatly from such manipulation.

If you want to read a fictional, near-future take on the importance and mechanics of gold farming, you should read Cory Doctorow’s “For The Win”. Even though it’s a bit over the top compared to the current state of the game, it might very well look similar in the years to come.

Of course, the hardware token Blizzard distributes does seem to have reliability problems. The mobile authenticator, a Java application, seems to work fairly well and, unlike the DIGIPASS Go 6 authenticators Blizzard uses, actually has a reverse-engineered specification available.

Even though the DIGIPASS algorithm has, to the author’s knowledge, not been broken so far, the fact that the developing company does not disclose the DIGIPASS source code to non-customers, along with a rather cheeky attitude, should serve as sufficient indication to avoid their products.