Introducing the Square Enix Security Token

[Eanae]

The way Blizzard's system works is as follows:

When you get the authenticator you tie it into your account. Upon doing this, you can never login to your account without your authenticator again. Basically, each authenticator will randomly generate a code which is good for 30 or so seconds before it becomes invalid. You have to use this code to login to your account.

Here's a post better explaining it:

The Blizzard Authenticator is a token that you can put for example on your keychain. It has a little display that, once your press the button will generate a 6-digit number that changes every minute.

This number is used as a 1-time password. This means the password is only valid once. When you use it to log in, the code becomes invalid and any hacker trying to access your account later with the same number won't be able to log in.

A hacker wanting to access your account will now, in addition to keylogging your username and password, have to physically break into your house and steal the authenticator to see what number it displays. But hackers are clever people. Isn't there any way for them to know which number the authenticator is going to display? The answer is no, and here's why.

Every authenticator has a little built-in clock. This clock keeps track of the number of seconds since, for example the WoW release date, Tigole's birthday or whenever. Each authenticator also has a unique key, which it uses to encrypt this number of seconds into what looks like a completely random number. There is no way, without knowing the encryption key, to guess what number is going to be displayed at any point in time. Even if the hacker has all the numbers you entered before, he can't extrapolate that into what number will be showing next.

The hacker also can't hack into the device itself to find out it's key, because it doesn't connect to the computer in any way. Even if the hacker were the mailman who delivered the authenticator to your house, he would have to open it up and extract the hardware that contained the key. These devices are generally tamper-resistant and will purge themselves when opened.

So, if the hacker can't know your 1-time password, how is Blizzard going to know? The difference is, Blizzard has the key for every authenticator they made. When you log in, blizzard looks up which authenticator is associated with your account, and finds the matching key. They then use this key to decrypt the number you entered into the number of seconds the authenticator has been counting. They then verify that this number matches the current time.

Even if the time on your authenticator doesn't exactly match the time on blizzard's server, they still allow you to log in within a minute or so of the defined time, just in case the clock in your authenticator is running a little slower or faster than normal. This still does not allow hackers to use the number from a minute ago, because when you log in successfully, that number is then disabled and prevented from being used again.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. This is a tested method that has proven itself to be secure.

[Indalecia]

Oh hell yeah!

[Corrderio]

Nice to see they're caring about security... in the most ass way possible.

I'm glad they're thinking of ways to prevent accounts from getting hacked, but the hell with paying money for something and a useless in-game item for extra security.

[MaachaQ]

I completely thought this was a fake post until I went to the POL site myself... just seems too good to be true.

When you get the authenticator you tie it into your account. Upon doing this, you can never login to your account without your authenticator again. Basically, each authenticator will randomly generate a code which is good for 30 or so seconds before it becomes invalid. You have to use this code to login to your account.

I wonder how they are going to get this thing to work with the consoles...

[Eanae]

I completely thought this was a fake post until I went to the POL site myself... just seems too good to be true.



I wonder how they are going to get this thing to work with the consoles...

How wouldn't they get it to work with the consoles? The authenticator is in no way hooked up to your computer or your internet connection.

[Amastacia]

Man, that's a pretty brilliant idea by some marketdroid at RSA/EMC.

Wonder how much of a premium is charged for the Squenix shell on a standard SecurID dongle.

[Riel]

Cracked within days/weeks just like every other (worthwhile) dongle in history. Next.

[BlackMoomba]

ftw

[Eanae]

Cracked within days/weeks just like every other (worthwhile) dongle in history. Next.

If you still think someone may eventually find a way around it, this security measure is used by businesses and government agencies around the world to provide security, and they have a lot more sensitive information to guard than the login information to a WoW account. This is a tested method that has proven itself to be secure.

Did you even read this post? Next.

[Demisses]

Not to troll but systems like these are used for the military's radios. The frequency (in this case code) jumps around until you key up the mic (or code) then every radio hopping on the correct time and frequencies will key in. The only difference with this is I'm sure the code wont switch 100 times a second lol

[Riel]

The only difference with this is I'm sure the code wont switch 100 times a second lol

And this still isn't completely sure. Perhaps I'm overestimating the RMT/douchebag community but the warez scene would make quick work of this shit.

edit: Security in obscurity, I guess. I'd rather just not be retarded.

[Corrderio]

It might be decent, but I just wonder if it'd be worth the price or not. And what would happen if you lost it, it broke, or something else. Would SE have a plan to replace it or would you be SoL on your character?

[Izzy]

Might be kind of annoying now that I wont be able to login to my wife's account unless I call her.

If you don't like it...don't buy it. They're not forcing this on everyone. If you're one of those people that lets 5 different people access your account, then you should not get this.

[Zumi]

Wonder if the battery lasts a long time. Cause it would suck not being able to log in and having to go out and buy a new one.

[Arthars]

this method is also used for internet banking in singapore

you click on device, display a string of random number, you key in on the website along with your user ID, and you go funds transfer. as for how it works, i guess people who have studied computer security will have a clearer picture about key encryption. I believe they use RSA for this, which uses a pretty complex algorithm. Obviously im not going into details because it takes me 30 mins to even do a simple helloworld encryption and decryption exam question.

1 of the safest and secured thingy for internet transaction and data exchange, so i approve this!

the amount of battery needed for this is very minimal, its been 5 years since i got the device for my internet banking, and its still running as of today.

There is also another approach, which is using text messages from your mobile phone subscriber. You click LOGIN from the screen on the internet banking page, and the bank sends you a SMS to your mobile, and you have to enter this pin within 3-5 mins before it expire, and you login. However i wouldnt think SE will do this because it will involve even more cost(both SE and our end). So i guess its a win-win situation for them using this device, PROFIT.

[Silenka]

As a special incentive, each Square Enix Security Token will come with an exciting in-game bonus which may just prove indispensible during your many adventures in Vana'diel!

This is the reason people who don't want this are going to get it anyway.

[Devek]

Cracked within days/weeks just like every other (worthwhile) dongle in history. Next.

Name one that has been cracked.

[Izzy]

The only thing that worries me is that they're not calling this "SecurID RSA" or whatever it's called. I really hope they didn't go out to some random knockoff company to implement this for them.

[Izzy]

And this still isn't completely sure. Perhaps I'm overestimating the RMT/douchebag community but the warez scene would make quick work of this shit.

edit: Security in obscurity, I guess. I'd rather just not be retarded.

If you or anyone you know manages to crack a SecurID keychain/password algorithm...you should be focusing on stealing many other things outside of FFXI.

[Riel]

RTFM. I'll drop it.

Anyways, I agree that this is another attempt to sell a--hopefully good, probably crappy--ingame item for cash.