
What's the Point of Authenticator Keys?


ScarMortico


I apologize if this is a dumb question but in terms of extra security, what's the point of Authenticator keys?

 

If for example, someone sets up an authenticator key on their account along with your standard username and password, then once you go to log on to your SWTOR, you type in your username and password, then you press some button on your authenticator key, and it generates a random number that you have to type in. Now as far as some of you may know, the authenticator key app is free to acquire and the same for the other key if you got the collector's edition of SWTOR.

 

Ok, here's my question. Say if someone hacked a person's SWTOR account by the usual keylogger or some other type of method to obtain a person's username and password. Now all they need is an authenticator key they can get just from getting the free app on iTunes or just get an authenticator key from somewhere else, press the button, generates random number, and boom you're in. What's the point of it exactly? How does it really add that extra security?


Your account binds to one certain authenticator.


Now all they need is an authenticator key they can get just from getting the free app on iTunes or just get an authenticator key from somewhere else, press the button, generates random number, and boom you're in. What's the point of it exactly? How does it really add that extra security?

 

Each key has a different set of numbers bound specifically to that account. There are a lot of numbers for each key.

 

You cannot just use any key to get access to an account it has to be the specific key and its numbers for that account.

 

The numbers are also assigned randomly; there isn't a pattern. So good luck to anyone hacking the key. Key logging won't help with this with the amount of random numbers assigned.

Edited by Deyjarl

Each "key" has a serial of which only one exists. You tie that serial to your account and only that authenticator will work on your account; same with the app version, just handled a tad bit different in setup. Not sure why you thought it would work the way you thought it did ....

Ok now I'm lost. How does that work exactly? :confused:

 

There is a serial on the back, that authenticator is now set up to generate a number that needs to be entered into the account to gain access.

 

As there are tens of thousands of different authenticator serials out there, the odds of someone getting the right one for your account are astronomical. You'd have better luck getting struck by lightning while cashing in a winning lottery number than getting the right authenticator with the account.

 

Considering that you'd need to push the button to get a number generated, some hacker is not going to sit there and try to type it in manually to get into your account; waste of time for them.

Edited by Fizbanic

Each authenticator has a unique algorithm based on which it generates numbers. Think of it as a key to a safe deposit box. Even if a thief is in your house, he can't open it.

 

The only way for a hacker to steal your account, if you have an authenticator on it, is to physically steal your device, which obviously is very unlikely to happen.

Edited by Chomag

I suggest you read up on one-time passwords: http://en.wikipedia.org/wiki/One-time_password

 

The number that comes up isn't random; it's computationally generated using the time and a base seed (which I think is the serial number or derived from it); it's unique to a particular hardware key or software install.

 

When you register your authenticator it asks for the current value displayed and the serial number of the key (afaicr), so the server can synchronize itself with your sequence. When you log in and enter the value currently displayed, the authentication server compares it against what it's calculated you'll be currently displaying - if they match, the authentication succeeds.

Edited by HELhikari

 

Exactly. The code you see on your authenticator is generated from the time, the serial number of the device, and an algorithm. Each code is only good for a few seconds, or however long they want it to be.

 

This is why governments and banking institutions use this same system.

 

The only minor issue is the device falling out of sync with the internet... i.e. the time on the device is not the same as it is on their end.
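
The mechanism described in the two posts above (a code computed from the time and a per-device seed, recomputed and compared by the server, with some tolerance for clock drift), as an added example that is not part of the original thread and not BioWare's code. The thread does not say which algorithm SWTOR uses; this sketch assumes standard TOTP (RFC 6238) with a 30-second step and 6 digits, and the seeds and the `AuthServer` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds a code stays valid (assumed value)
DIGITS = 6   # code length (assumed value)


def totp(seed, unix_time, digits=DIGITS):
    """RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Hypothetical server side: one seed bound to each account."""

    def __init__(self, drift_steps=1):
        self.seeds = {}       # account -> seed bound at registration
        self.last_step = {}   # account -> last accepted step (replay guard)
        self.drift_steps = drift_steps

    def register(self, account, seed):
        self.seeds[account] = seed

    def verify(self, account, code, now):
        seed = self.seeds.get(account)
        if seed is None:
            return False
        current = now // STEP
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            if step <= self.last_step.get(account, -1):
                continue  # a code that was already accepted cannot be reused
            if hmac.compare_digest(totp(seed, step * STEP), code):
                self.last_step[account] = step
                return True
        return False


if __name__ == "__main__":
    bound = b"12345678901234567890"  # constructed seed (RFC 4226 test secret)
    server = AuthServer()
    server.register("player", bound)
    print(server.verify("player", totp(b"someone-elses-seed", 59), 59))
    print(server.verify("player", totp(bound, 59), 59))
```

A code from any other authenticator fails because its seed differs, and a code captured by a keylogger fails once its time step has been used or has passed.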


 

As others have touched on the nuts and bolts of how they work and why they're good, I'll just add in that these are becoming more and more popular because 2011 has seen a TON of security breaches.

 

Sony's was pretty big news back in May. They've had multiple breaches since then. And Steam had a breach. And Turbine had a breach. All of these breaches compromised passwords and as a result also exposed customer payment information.

 

It's a pretty decent move on Bioware's part to do the authentication keyfob.

Edited by SnoggyMack

There is a serial on the back, that authenticator is now set up to generate a number that needs to be entered into the account to gain access.

 

OH, that number in the back of the key? I remember typing that one in but didn't know that code would actually be useful if someone tried to access my account.

 

Damn you people are smart :D.


No, that code won't be useful to anyone attempting to access your account.

 

That code told the server how to calculate what number would be displayed on your authenticator at the given time you press the button.
