SWTOR Switches Security Key to Standard Authenticator


While not officially announced, BioWare, the developers of SWTOR (Star Wars: The Old Republic) recently put up a post on their forums that their Mobile Security Keys would be Temporarily Unavailable.

This, as it turns out, was because they were upgrading their back-end server software to support their new RFC 6238 TOTP authenticator mobile applications.

Previously, SWTOR had been using a branded version of the Vasco DIGIPASS product, providing both physical hardware tokens as well as an Android and iOS software mobile app.


This new authenticator app is immediately available from the App and Play stores and provides a stylized authenticator similar to that of the Battle.net Mobile Authenticator. However, the secret key and code generation follow the RFC 6238 TOTP standard so could be replaced with Google Authenticator on a mobile device, or WinAuth on Windows.

All users are able to switch to the new authenticator by removing the current one from their accounts and registering for a new security key. A secret key code is provided that has to be typed into the new mobile application (ed: a QR would be better). Whilst doing that, clicking Add -> Authenticator in WinAuth and entering the same secret key will provide a convenient and secure backup in case your phone is lost or just out of battery.

There is no word yet if accounts using the old authenticator will be required to be switched in the future.

Steam Guard Mobile

Steam have released a Beta version of a Steam Guard two-factor authenticator on their mobile app. Currently all users on the website and Steam client are verified using a email sent to their registered email address. The email contains a code, which when entered into the Steam website, authorizes the computer for access to that steam account.

With the release of the new Steam Guard mobile authenticator, users can instead open the app on their mobile device to see a decaying code, which can be used as the 2FA code for Steam or the Steam website.

Steam Guard

Steam Guard is currently in Beta, but access can be granted by joining the Steam Guard Mobile group and waiting for the next round of invites.

The Mobile Steam Guard uses a standard time-based one-time password (RFC 6238) to generate the hash from the user’s secret key. However, Steam’s implementation differs from the standard in generating the actual displayed code. Rather than creating a 6 or 8 digit base10 code, Steam keeps compatibility with their existing email codes to create a 5 character string. This string is created from a specific set of 26 letters or digits.

Adding Steam GuardSteam Guard is added by using the Steam app downloaded from the Android or iOS app stores, where it can be configured to use “codes by phone” rather than the previous “codes by email”.

The app uses Steam’s WebAPI to register the mobile device with the Steam servers and generates a key that is used as the input into the HMAC-SHA1 algorithm in order to generate the 5 digital alphanumeric string. As standard, the string appears for 30 seconds, although the implementations can give some flexibility in the acceptance of adjacent codes.

Since Steam are using a standard TOTP implementation, it can be added into WinAuth as a new authenticator type. Starting with the 3.2 Beta, Steam authenticators are now usable in WinAuth.

The Steam Guard authenticator is set up in WinAuth as if it were a new mobile device. The process, as in Steam’s own mobile app, requires a verification of a new device by sending a one-time code to the registered email address. The authenticator must also be activated by a further code again sent to the user’s email address.


The 3.2 Beta version of WinAuth can be downloaded from the Downloads pages.

WildStar offers free mount to use an authenticator


WildStar, the new MMORPG from Carbine, recently announced an incentive to players to make use of two-factor authentication by adding a free mount to those accounts that use an authenticator.

Read their announcement here

From 10th July 2014, any accounts that are secured with 2FA will have the new Retroblade Mount added to their account. Players who already use an authenticator will find the new mount in their inventory from 10th July.

Carbine are adding this along with other perks, such as a 2% XP boost, Cybernetic Eyepatch, and in-game title, in an attempt to get more players to take charge in securing their own accounts.

Whilst they haven’t gone as far as making authenticators mandatory, and unlikely as there are still players who would not be able, or would be unwilling, to add an authenticator, it is a way to increase the awareness and importance of account security.

Recent discussions on the WildStar forums have been focused around the 2FA process, its weaknesses or how it could be improved. These are all issues that come up again and again because of incidents of account hacking, botting and gold-selling.

WildStar’s authenticator process is not unusual, and includes the use of a rotating keypad for the code entry. A source of irritation for some players, but another level of protection for others.

Carbine have been criticized for lacking IP-based protection within the game. If account details are stolen, they can be used from anywhere in the world with no additional confirmation. This is different than other big name MMOs, such as Blizzard’s World of Warcraft, where an unrecognized IP must be validated if an account does not use an authenticator.

An authenticator can only be removed by using the code from the authenticator that is currently attached to your account. However, there is a potential security issue where the same code that was last used to log into the game can again be used. If a trojan on the user’s computer is able to intercept login details, it can also immediately access the website and permanently remove the authenticator from the account. However, the user will still receive a notification email, and so should be aware if they receive such a message and should immediately access their account or contact WildStar’s support.

There is also another potential security issue with accessing customer support. Users have commented on the forums that after contacting Carbine support to request an authenticator be removed, it was, with no additional request for proof of identity. This is a potential issue if an email account is compromised, as the attacker could perhaps remove an authenticator without the user’s knowledge.

There are still no confirmed incidents of accounts being hacked whilst using an authenticator. Common passwords, password re-use and account phishing are the common attacks and allowing access to user accounts. Adding an authenticator is one of the best ways to protect an account. Even the best security practices in the world cannot always guard against exploits and vulnerabilities in 3rd party software, such as Flash, Windows or even the servers themselves, as recently seen with the heartbleed bug.

For users who cannot use a smartphone, WinAuth exists as an alternative. Although it does not have the same physically protected storage as at non-rooted Android phone or iPhones, it does provide encryption and password protection of secret keys, as well as locking the data to the Windows account or installation.

Something is better than nothing. Get one, cupcake.

RuneScape replaces JAG with 2FA authenticator


RuneScape announced recently they were removing their JAG security in favour of using a time-based one-time code authenticator.

See the official announcement.

There are many apps for smartphones, including Android, iPhone and Windows phone that are able to keep you secret key secure. This is one of the advantages and points about two-factor authenticator (2FA), that the device that generates the code is separate from the device that uses it.

Use of authenticator technology has become a necessary part of online gaming, where social engineering still ranks as the main attack and to which many gamers often and unintentionally fall victim.

Adding and using an authenticator is a quick and painless process. When logging in on an untrusted device you are asked for a six digit code, which you get by just opening your authenticator app.

However, not everyone has a smartphone and some users would like a backup or alternative way to generate their authenticator codes.

WinAuth has been around since 2010 and has been used with other gaming services, such as Blizzard’s Battle.net including World of Warcraft, Diablo III and Starcraft. WinAuth also supports Trion’s Rift and GuildWars 2.


WinAuth, like all authenticator apps, stores the secret key on the device and requires that the key is kept private. Encryption is done using a password as well as using Windows own built-in account protection that can lock data to an account or specific computer. This way, if the file is stolen from you, and even if they knew your password, a hacker could still not access the authenticator data.

So if you do run WinAuth on the same computer as games are installed, make sure to add a password in use the “encrypt to only be useable on this computer” protection.


You should make a backup in case you ever delete your Windows account or re-install Windows, as otherwise your authenticator will be permanently lost. This can be done simply by right-clicking your authenticator in WinAuth and choosing “Show Secret Key…”. Write the code down on a piece of paper and put it somewhere safe.

Common Issues

The RuneScape wiki has a guide explaining how to add an authenticator and use WinAuth on a computer or laptop. Armoede also has written a useful post with some troubleshooting help.

Most common issues with WinAuth, are:

1) There is no specific RuneScape authenticator, it uses the standard implementation, which in WinAuth is called the “Google Authenticator”. So that’s the one you need when you click the Add button.

2) When adding your new authenticator, you must click OK to save it.

3) If you get an invalid code, it is most likely a clock issue. Right-click your authenticator in WinAuth and choose Sync Time. Then get a new code and try again.

4) To see your code, click the Refresh icon on the right. Your code will show for 10 seconds. Or, you can right-click and choose “Auto Refresh”, where the code will always be visible.

New Trojan Intercepts Battle.net Authenticators

Battle.net Authenticator


Blizzard recently issued a warning regarding a potential new Trojan that could sniff the emails, passwords and authenticator codes.

They went on to say that this is different from many previous attacks, as it would intercept the login credentials of the user and in real-time pass them onto their malicious servers, which would then log into the owner’s account.

This type of attack had been seen previously in 2012, but only for a small number of accounts.

It is worth noting that this type of Man-In-The-Middle attack equally compromises users who have authenticators and those who don’t, and also affects anyone even using the official mobile authenticator on a mobile device.

Latest updates are that the trojan was included in a fake Curse Client download, hosted on a fake Curse website. The website itself was appearing high up in Google searches, and so unsuspecting users were downloading the file.

Uninstalling the fake Curse client and running the latest MalwareBytes are now know ways to clean and remove the trojan.

Protecting yourself against this type of attack can be difficult due to their nature. It goes without saying to be careful about what you download and have your anti-virus / anti-malware protections up to date.

However, even the best people can sometimes make mistakes or be fooled by more elaborate malware.

Be more aware by watching out for typical warning signs that might indicate you have a problem. For instance, that you failed to login when you are sure you entered all the correct information. When a trojan like this steals your credentials, it will use them immediately but pass invalid ones to Blizzard, and so your own login attempt fails. This is because Battle.net is designed so an authenticator code can only be used once (for that particular time), and the trojan ensures that it gets in first.

Not that you should freak out every time you mistype your password, but perhaps if it happens you should just think if you have downloaded anything recently. You can also run “msinfo32″ to see if there are any Startup Programs or Running Tasks you don’t recognize.

Despite this, having an authenticator is still a lot safer than not.

iPhone Google Authenticator update – don’t lose the keys


Many people woke up recently to the news that their iPhone’s Google Authenticator app had been automatically updated with an improved look and some bug fixes. Unfortunately it also came with a bug that wiped all previous authenticator data. Ouch!

This issue is just an irritant to some users, who would be able to restore from a recent backup automatically by iTunes, but I’m betting there are users who didn’t have a recent backup or hadn’t done one since they had last added an authenticator.

When was the last time your device backed up? And when was the last time you checked to see if it would restore properly?

We put a lot of faith into automatic recovery systems, and when things work, they can work well. But when they don’t, it’s too late and can cause a lot of headaches.

Two-factor authentication (2FA) is becoming a necessary feature of so many sites and services, but it must be treated like all security systems, it isn’t infallible. You need to ask yourself the worst case, “What would I do if I lost my phone?”.

If you had lost your house keys, hopefully you or your spouse/partner/roommate would have a spare (backup) set, or you could call a locksmith to let you in. It’s inconvenient, but not the end of the world. No one imagines they aren’t ever going to get back into their house because they lose a key.

There is of course the other aspect, which that now potentially someone has access to your keys (if they were stolen or just found) and your house is not as secure as it was before. You might consider changing the locks.

No different with the Google authenticator app on your phone. If you lose the phone, or the data within it, you need to be able to get it back quickly and possibly treat it as a security risk.

So how do you back up your phone?

With an iPhone, you have two choices. Backup when syncing to iTunes (or manual backup) and the automatic iOS backups to iCloud. The iCloud backup is the simplest for most people, which is done daily but only when you are connected to the internet and on to a power source. If you go into Settings > iCloud > Storage and Backup, at the bottom you can see when the backup was last done.

Android has a similar approach. Google services running on your phone keep an automatic backup of your app settings to their servers. If you go into Settings, choose your Google Account, you can see when the last sync was done. If you click that, you can also check what is being synced, and you need to make sure it includes App Data. This includes your authenticator data.

For Android, there are also 3rd party options that can give you much more control over the backup and restore process. For instance, you could selectively restore one app at a time, and even choose from a history of backups. Something not possible with the automatic Google approach. Apps like Titanium Backup or Carbon can do low level backups, although you’ll get the best features if your phone is rooted.

Check your phone is making recent backups. Make manual backups. Don’t lose the keys.



Photo credit: Mark Hunter

Doesn’t this defeat the whole point of an authenticator?


WinAuth isn’t trying to be a replacement for a physical authenticator key chain device or even a mobile phone with an authenticator app running on it. It is an alternative or backup solution.

If you are looking the absolute best security for the service you are using, it should be a physical YubiKey, RSA token or DigiPass. They cannot be compromised and the keys within them cannot be stolen. They, of course, can actually be physically stolen or misused, but then all authenticators are still vulnerable to physical access. If I steal it off you (and I know your password) I can access your information.

Multiple authenticators

But can you imagine having a key ring with 15 key fob devices hanging off it. Suddenly it is very impractical.

Enter the smartphone. Now you have a device that can be configured through software to run the same technology. You can have your Google Authenticator app. Microsoft authenticator app. Bitcoin authenticator app. Battle.net mobile authenticator app. Rift authenticator. Lots and lots of applications. All storing their secret data on the smartphone. Unencrypted. Wait, what? Yes, Google, and other developers of the Android authenticator apps don’t actually encrypt the secret keys used to seed your authenticator. It’s there, in an SQLite file. They claim this is fine as apps cannot access each others configuration data, but they can if the phone is rooted. And with the right permissions could read everything you have.

Stolen phones

And what if someone grabs / steals / borrows your phone. Be honest, do you have a password locked phone? Probably not. Those apps can be run, no passwords needed, codes are visible. Your phone could even be rooted and the secret keys read right off.

Fortunately your phone probably has an automated backup running on it. Syncing to the cloud. Right? When did you last test that? Does it actually have all your recent data? How long does it take from your phone being stolen to you being able to recreate a recent copy of your phone with all your apps and previous data, so that you can open up one of your authenticator apps? Longer than it would take someone to issue a password reset on your Google account and enter the authenticator code from your phone? Probably not.

But this is the best we have. A separate device performing the function of the two-factor authorization. Good. Unencrypted data. Subject to physical vulnerabilities and unprotected access. Potentially long restore times. Bad.

Winauth 3.0

So add your authenticators into WinAuth too. Now you have a backup on your computer. They cannot be accessed without your password. It cannot be brute forced. Each authenticator can have an additional password to spread the chance of compromise. Even if the file were copied it would be unreadable as it was locked to your Windows installation. Someone actually has to sit at your computer in order to use it. You might notice.

Same device you might use to access your account. Bad. Encrypted and protected data. Reduced physical access and protected access. Synced to your Dropbox / Drive account for immediate recovery. Good.

Sometimes security is a balance.



Photo credit: Edwin Sarmiento, West Midlands Police