WoW Authenticator

[tcpa41]

Hello guys,I'm thinking about implementing WoW Authenticator in Mangos.

So,to kick off, does someone know how to activate the enter digital code screen in the client? I think that server must send back some additional auth required flag to client after the client requests authentication. Am i correct?

[Neo2003]

As I suspect this authenticator is just an ActiveCard solution, you would have to run an ActiveCard server to have the proper challenge/response from the server side. And then you would need to declare the tokens for this service to recognize the tokens sent code.

So in 2 words: forget it.

Neo2003

[tcpa41]

Dunno about it,i didn't say it should be a pure blizlike authentication. Look at this scheme.

Part 1 is quite easy,problems arise with part 2,how should we make client throw such auth window as in this video

[Nerzhul]

Authenticator appears when you put the name of your B.Net account, certainly with a RPC command

[tcpa41]

Erm if I understood correctly,you type in your B.Net acc name,don't press connect but the authenticator window pops out?

[Seppron]

My blizz authenticator works like this

1. I type in my email and password and presses connect.

2. An authenticator window pops up

3. Pressing my authenticator and a code will show up, the code changes every 20-30 sec.

4. The code will disaper if i dont writ it in 10-15 sec, and if i press it again the same code will pop up.

5. I write in the code and then i will be able to log in.

next time you start the game you will be able to write it in before you press connect.

I wouldt try to make one.

[TOM_RUS]

There's a flag in realm packet, that forces client to show "Enter pin" popup.

AuthSocket.cpp

pkt << uint8(securityFlags);            // security flags (0x0...0x04)

if(securityFlags & 0x01)                // PIN input (no idea wtf is that)
{
   pkt << uint32(0);
   pkt << uint64(0) << uint64(0);      // 16 bytes hash?
}

if(securityFlags & 0x02)                // Matrix input (The9 matrix cards)
{
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint8(0);
   pkt << uint64(0);
}

if(securityFlags & 0x04)                // Security token input (aka authenticator)
{
   pkt << uint8(1);
}

[Vapula]

Basically, the authenticator is a timed token generator.

You've a token sequence X1, X2, ..., Xi where Xi=f(Xi-1).

The authenticator is nothing but a simple microcontroller with a timer set to 30 seconds, an interrupt on the button and a screen.

On each timer interrupt, it updates its internal value. When you push the button, it power up the display and keeps active for some time. The rest of the time, it's in "sleep" mode which allows to lower it's power consuption.

Blizzard-side, when you've an authenticator, the server saves the time stamp and the Xi for that time stamp. when you log in, it computes f(f(f(...f(X)))), saves it with the new time stamp and check the value you've entered. Well, it keeps Xi-1 and also compute Xi+1 and test for the three values.

Without knowing the actual function, it'd be impossible to implement the official authenticator. But the authenticator mecanism can be implemented with a custom made authenticator...

We could have our own algorithm and mangos-authenticator programs for Windows, Linux, MacOS/X, Android and iPhone/... We may even design a small authenticator system with a cheap PIC or AVR microcontroller, a quartz (for precise timing), 2 capacitors, a transistor (to control the power of the LCD display) and an LCD display. Add a press button, a battery and you're done.

mangos-authenticator would also require a web-side administration which should allow to add an authenticator, remove it and emergency-remove (battery down for example, with a confirmation by E-Mail).