Monday, April 5, 2010

I was writing my blog and I was struggling with the name of token.  I mean every day I say DIGIPASS or token, but I realized that most of my readers have no idea what a DIGIPASS is (unless they have talked to me).  So I started calling them Authenticators.  Everyone in the gaming space knows this name now, thanks to Blizzard.  But I still get the random person that only knows the token device as an RSA SecurID (…"that we used way back in the day at some obscure high security government job…" I love those stories).  So I thought I'd put together a quick post on all of the names I have heard so far for one of these simple little devices:

· Token (I remember when I first started at VASCO and people thought I was talking about token ring networks).
· One Time Password device
· Password Generation Device
· VASCO DIGIPASS
· RSA SecurID
· Security Token
· Security Dongle (shouldn't this be something you plug into your PC?)
· Security FOB (or just FOB, which sounds like you have something stuck in your throat)
· Two-factor Authentication Device
· Blizzard Authenticator
· …and probably more...

Me personally, I'll probably stick with Authenticator or token or DIGIPASS (if you're a customer). I remember getting the email with the logo for the new Blizzard "Authenticators" (internally we were pushing for "Security Assistant", Authenticator is so much sexier, hence why I am not in marketing…lol). So pretty much after that day, they will always be known as Authenticators to me.

New titles and security thoughts

So recently I have been working with a number of developers that are getting ready to release titles.  Interestingly enough, most of these clients are now thinking about account security before they send the game out to publishing.  This should be recognized as a huge shift in the gaming world.  Security was something we used to think about as an afterthought; it's nice to see that people are starting to include security as a forethought.

So most online games are looking at some type of account security, be it hardware or mobile security or a combination of both.  The main thing most of these developers are looking at is how do I roll out the security and when?

As a security person, my first reaction is right away and before the user can even start playing the game.  So let's evaluate this.  If we give users the option to choose security or to start playing the game, most users, including me, are probably just going to start playing the game.  Then if I like the game or start to really invest some time or money into the game, I will take a harder look at my security.  The problem is that most users will never come back and take that second look at their security unless we force them or something bad happens.  And if we end up having something bad happen to the user, it costs us money and if we force the user to do something then we might lose them (which costs us money).

So if we start right at the beginning with stronger authentication then the users will not have to think about it later.  Great, but what is the beginning?  Is it when the user picks up the box on the store shelf?  How about when the user registers for their account?  What about when the user registers to play a beta account and we allow them to transfer it over to a standard account?  For me the beginning is when the user has created their online account, be it a forum account, a game account, or whatever the account is that is created for the game.  This is the point at which we need stronger authentication.

So if the user registers for an account, do I ship them an Authenticator before I let them play (or pay)?  Well this is the next biggest question I get, "How do we get the devices to the user?".  There are a few schools of thought here.

First one is generally perpetuated by our users, "Put the device in the box".  Great thinking, but it's not that easy as I'm sure we are all aware.  Our margins on the box and the materials in the box are very slim and putting anything new in the box could be very costly.  It is an interesting idea from the security perspective provided that we force the users to use the device, and we could even tie the serial of the game to the device in the box (great for IP protection or stopping account sharing).  Another problem with this is that we are seeing a huge rise in digital distribution. I read an article today that digital distribution will top 3 billion dollars and is expected to increase.  So it would appear that our users are moving more towards this method rather than our boxes and in this case we probably won't have many users getting the security devices we wanted them to have in the first place.

The second one is a bit more interesting, which is to force the user to install a temporary software application on their mobile device.  This certainly gets around the cost problem in the box, but now we have to hope that all users have a mobile phone.  This doesn't really work very well for our younger users.  But if we are marketing for the older crowd anyways, this is no longer a problem (or at least much less of a problem).  With digital distribution this certainly is a much more viable solution.  The main issue that you have here is that it is generally more cumbersome for users to start using the game.  Then once they are in and using it, we have to worry about the security of their mobile devices and other issues around that (we'll talk about the security issues in some other post).

So how about some new solutions?
· What if we simply sold the authenticator at the store on its own, like our pre-paid game cards (or as a replacement to them)?  Purchase the device and you get X credits, oh and by the way you need the number from the device to login to use the credits.
· What if we text them passwords until they get their devices?  Ties the user to a mobile number, the user doesn't need to install anything on the mobile device, and we are shipping them their hardware device while they start playing.

I'm always interested in new ideas. I think I saw a new technology company out there that was putting security on SIM chips for phones.  VASCO has done this for a while, but this new company is making a sticker-like device that goes over the SIM and offers additional functionality.  What if we were to use something like that?  (I would think people would start breaking their phones pretty quickly and then we would become phone repair gaming companies.)  It's an interesting idea.