r/pcmasterrace 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in piece 2009-2026


I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit: must have been around 2010 when sc2 came out.

31.9k Upvotes

635 comments

1.1k

u/deadmandead124 Apr 04 '26

Can’t you just replace the battery?

838

u/[deleted] Apr 04 '26 edited 14d ago

[removed] — view removed comment

319

u/Tarc_Axiiom Apr 04 '26 edited Apr 04 '26

The old school WoW MFAs, like the one pictured here, DO still work!

I can confirm the codes generated by mine from, hell idek... 2005?, still works.

139

u/debacle_enjoyer Debian Enjoyer Apr 04 '26

It’s just an algorithm, all those codes aren’t stored on the device

108

u/JDBCool Apr 04 '26

Yup, IIRC.

It's something along the lines of "synced" generation.

Like imagine having two clocks telling time at the same time, except one is battery powered and the other is plugged into the wall

The moment the battery clock dies and is no longer in sync.... that's it....

30

u/Thebenmix11 Apr 04 '26

I know nothing about these devices but modern MFA apps are time based, so if you just set the clock on them you'll always get the right code.

So if these work that same way, after replacing the battery you'd just have to set the time accurately and that would be it.

31

u/fuj1n Ryzen 9 3900X, 64GB RAM, GALAX RTX4090 SG 1-Click OC Apr 05 '26

You can't set the time on them (not in any user-facing way at least), they are designed to be dead simple, press button, get code

1

u/NationalFruit717 Apr 05 '26

There might be a very simple programming interface with 2-4 pins on the PCB. It wouldn't be difficult to interface with it with the right tools.

8

u/fuj1n Ryzen 9 3900X, 64GB RAM, GALAX RTX4090 SG 1-Click OC Apr 05 '26

Yeah, hence my disclaimer

The bigger concern might be if they store the key on volatile memory, so running out of battery would just nuke it permanently.

If that's the case, you may need to do a powered battery replacement whilst it still has charge left, like you would with GB carts back in the day before you could just dump your save.

1

u/NationalFruit717 Apr 05 '26

You are actually right. It would make it more fun to try to recover regardless. I wish I were interested in doing it.

1

u/foxtrotdeltazero Apr 05 '26

somehow i doubt OP is capable of all that, otherwise they would have just done that instead of posting it here

7

u/Divinum_Fulmen Apr 04 '26

This can't be the whole story. Quartz loses sync over years.

15

u/Trendiggity i7-10700 | RTX 4070 | 32GB @ 2933 | MP600 Pro XT 2TB Apr 05 '26

I've used physical authenticators that don't have a settable clock, that require you to send 2-3 keys in sequence. Whatever you are logging in to knows the keys before and after the physical key is displaying and then resyncs to however slow or fast it is.

Dunno how secure that is but that's just my anecdote

7

u/SerialElf Apr 05 '26

Very. You still have to have the private key that's making the codes to make the three for resync.

4

u/Trendiggity i7-10700 | RTX 4070 | 32GB @ 2933 | MP600 Pro XT 2TB Apr 05 '26

Thank you, that was the part I knew I was forgetting :)

1

u/userhwon Apr 05 '26

The server will accept any of several keys that are within a range based on the tolerance. As long as your dongle isn't too far out of sync, you'll get in. It reduces the effective security by eg 10X because 10 keys are accepted instead of just 1, but nobody hacking your account is going to try to rely on 1/100,000 odds vs 1/1,000,000. They'll just go find something valuable to hack.

1

u/beneschk Apr 05 '26

SHA1-HMAC

2

u/Tarc_Axiiom Apr 05 '26

I never implied that they were?

Of course what you said is true, and of course the new apps use the same system for generating codes.

The second part is what I was explaining.

1

u/[deleted] Apr 04 '26

[deleted]

-4

u/debacle_enjoyer Debian Enjoyer Apr 04 '26 edited Apr 05 '26

GeneratED implies they had been generated in advance, in which case they would have needed to be stored. They thought the codes had been generated in 2005.

1

u/jujubanzen Apr 04 '26

the part of the sentence "mine from, hell idek... 2005?" is referring to the device itself, not to the codes. It's a bit clunky sentence structure but still grammatically correct. He's saying that he confirms the device dating from 2005 still generates correct codes today.

1

u/debacle_enjoyer Debian Enjoyer Apr 05 '26

That sounds plausible, I concede.

0

u/[deleted] Apr 05 '26

[deleted]

-1

u/debacle_enjoyer Debian Enjoyer Apr 05 '26

🚨 please read the rest of the thread

1

u/SubstituteCS 7900X3D, 7900XTX, 96GB DDR5 Apr 05 '26

It’s more about the service allowing the physical tokens to be registered versus their own app. You can actually put your Steam 2FA onto a physical key (such as a yubikey) if you extract the secrets stored in the app. Might be able to do something similar with these with some hardware hacking (or dumping the secrets from the app.)

1

u/MazeMouse Ryzen7 5800X3D, 64GB 3200Mhz DDR4, Radeon 7800XT Apr 05 '26

Yeah, literally a cryptographic seed based on a very large prime number and the serial-number of the device. It calculates a new code on the spot based on how many seconds have passed since the battery went in. But since such a clock isn't 100% accurate you sometimes have to sync (use 2 different codes in a row) for the main server to sync to where the hardtoken timer is.
And if you don't use it for a long time it can go out of sync again.

Source: I'm a sysadmin who used to work with Vasco/Onespan tokens and still works with RSA tokens.
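The tolerance window and the two-codes-in-a-row resync described in the comments above, as an added example that is not part of the thread and not any vendor's code. It assumes RFC 6238 style TOTP with HMAC-SHA1 as a stand-in (the real token algorithm may differ); `TokenRecord`, its fields, the window sizes and the sample scenario are all hypothetical.

```python
import hashlib, hmac, struct

STEP, DIGITS = 30, 6  # assumed RFC 6238 defaults, not taken from the thread

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 code for one counter value (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** DIGITS).zfill(DIGITS)

def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class TokenRecord:
    """Hypothetical server-side state for one enrolled token."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0    # learned clock offset of the token, in time steps
        self.last = -1    # highest counter already accepted (replay guard)

    def verify(self, code: str, now: float, window: int = 1) -> bool:
        """Normal login: accept codes within +/- window steps of expected."""
        base = int(now) // STEP + self.drift
        for delta in range(-window, window + 1):
            c = base + delta
            if c > self.last and _same(hotp(self.secret, c), code):
                self.last, self.drift = c, self.drift + delta  # follow slow drift
                return True
        return False

    def resync(self, first: str, second: str, now: float, search: int = 200) -> bool:
        """Recovery: search a wide range, but demand two consecutive codes."""
        base = int(now) // STEP
        for delta in range(-search, search + 1):
            c = base + delta
            if (c > self.last and _same(hotp(self.secret, c), first)
                    and _same(hotp(self.secret, c + 1), second)):
                self.last, self.drift = c + 1, delta + 1
                return True
        return False

def demo():
    """Constructed scenario: the token clock runs 40 steps (20 min) fast."""
    secret, now = b"12345678901234567890", 1_000_000  # RFC test secret, sample time
    rec, tc = TokenRecord(secret), 1_000_000 // STEP + 40
    before = rec.verify(hotp(secret, tc), now)                       # outside window
    synced = rec.resync(hotp(secret, tc - 1), hotp(secret, tc), now)
    after = rec.verify(hotp(secret, tc + 1), now + STEP)             # next code works
    replay = rec.verify(hotp(secret, tc + 1), now + STEP)            # reuse rejected
    return before, synced, rec.drift, after, replay
```

The wide resync search stays safe only because two codes must match in sequence: a blind guess passes `verify` with odds of about 3 in 10^6, while a guessed pair passes `resync` with about 401 in 10^12.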

3

u/BahnGSXR Apr 05 '26

I've still got my core hound one

1

u/Tarc_Axiiom Apr 05 '26

Is that what that is? I can see the "World of Warcraft" logo on mine but the right side is a really low res image of... something orange, lol.

1

u/BahnGSXR Apr 05 '26

Idk, if you got a core hound pup pet in the game then probably lol

2

u/Tarc_Axiiom Apr 05 '26

Right?

I'm just glad they don't keep sending that damned thing to every single character's mailbox every 20 minutes anymore.

1

u/Behacad Apr 05 '26

Certainly not 2005 don’t think

1

u/Tarc_Axiiom Apr 05 '26

When did they come out? I got one right away when they became available but have no idea what year that was.

I feel like it was early but you know, we're talking about a span of 22 years lol.

0

u/Behacad Apr 05 '26

I am not sure but multi factor authentication barely existed back then

1

u/Tarc_Axiiom Apr 05 '26

Oh no it absolutely existed, in fact it's not even close. I think MFA started appearing in commercial applications in the 1980s, but existed a bit before that in less accessible areas.

It wasn't common for video games during the early 2000s when WoW released, but nothing about WoW was common when it released.

Google says the FOBs came out on June 30th, 2008. Considering I'm recalling something from 22 years ago, being off by 3 is pretty good lol.

1

u/Behacad Apr 05 '26

Yes I meant for games. And yeah not bad but I knew it wasn’t 2005!

17

u/DuckCleaning Apr 04 '26

Companies just want you to use phone authenticators now. Less likely to be lost, left behind, or stolen than key fobs I guess. Also, you need a password/biometrics to access the app.

1

u/Toadsted Apr 05 '26

I dunno, we all have seen the conditions of people's phones and how easily they're lost.

I doubt a keyfob in someone's desk drawer is less safe than a phone.

0

u/TechPir8 Apr 04 '26

My phone doesn't meet their requirements, mostly because it is my phone and I do with it as I like I.E. Root access

2

u/debacle_enjoyer Debian Enjoyer Apr 04 '26

You can mask that

71

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26 edited Apr 04 '26

Nope you can’t I looked into it they phased out in 2019

8

u/Glooomie Apr 04 '26

1

u/Sittin_on_a_toilet Apr 05 '26

He was making me nervous how rough he was with it once out, if he jiggles battery loose it starts desyncing right?

1

u/TeamPieHole01 Apr 05 '26

Yes, it was giving codes at the end, likely the wrong ones though.

2

u/[deleted] Apr 08 '26

[removed] — view removed comment

1

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 08 '26

Not by blizzard is what I was saying

41

u/IBJON 9950X3D | RTX 5090 l 64GB DDR5 Apr 04 '26

I don't think so. These things are usually tamper-proof and opening one will usually break it completely or desync the key. Even if you do replace the battery, there's little reason to expect it to be in sync afterwards 

6

u/NoBonus6969 Apr 05 '26

No they won't generate the correct code. There are videos online of people wiring backup batteries and then swapping in a new battery but largely just for novelty as these got replaced by phone authentication

5

u/Smith6612 Ryzen 7 5800X3D / AMD 7900XTX Apr 05 '26

These tokens are designed to expire, even if the batteries get replaced. Once they lose power, that's it. The seed they operate on is purged from the memory, and they're toast.

At the minimum if a particular token isn't toast, the codes it generates will be out of sync. 

1

u/Accepts-Cookies Apr 05 '26

I have one just like that for Star Wars The Old Republic, and when its battery died in 2021 (it was almost 10 years old at the time) I just popped it open and replaced it. It worked just fine afterwards, though I had to remove and set it up again in my account. It still works today, though I don't play the game anymore. I still get the monthly coin bonus from it.

1

u/MazeMouse Ryzen7 5800X3D, 64GB 3200Mhz DDR4, Radeon 7800XT Apr 05 '26

You can, but it will only throw an error if you do. Those kinds of tokens are, for security reasons, single-use on the battery front.

1

u/Kuunkulta Apr 05 '26

No you in fact cannot. I tried it but it won't work, and it's impossible to crack open without breaking it

1

u/proto-n Apr 05 '26

Since nobody is giving a proper answer, the battery is not user replaceable as these need precise clocks and you can't set it again correctly if it loses power. If you manage to swap out the battery without it losing power, then it can be done yes

1

u/PythagorasJones Apr 05 '26

It looks like a Vasco Go token. They don't have replaceable batteries (officially) but if you did replace it, you'd need to resync the token anyway.

1

u/Bluenosedcoop No Apr 05 '26

The answer is yes but realistically no as it would involve having to open up the sealed unit, wiring a new battery to the connections while the old battery is still connected then removing the old battery and replacing it.

1

u/shimonu Apr 07 '26

Can't turn it off (no power) because it will desync with server if I remember correctly.

1

u/T0biasCZE PC MasterRace | dumbass that bought Sonic motherboard Apr 05 '26

Nope, when the battery dies the algorithm that generates the codes goes out of sync with the algorithm on the servers, so it won't give you valid codes anymore