The codes generated are always random and can be generated more than one time, so keeping a list of passcodes generated doesn’t help. They aren’t like the old scratch lists where you can just scratch them off as you use them (I would consider those lists to have passcodes that are more Event based rather than time based). The probability of how often a passcode comes up is as random as possible given the algorithms used.

thank you for the detailed feedback!

So the way I understand you, with VASCO, the “master key” is more like a “master list” that the customer (Blizzard or whichever company) gets, that lists for each device the relation between the serial number and the device key? I thought that might be another possibility when I wrote the text, so I just guessed which version I found more likely. It makes sense that way too, though. So it’s a bit like a one-time pad. Though in an abstract way, it’s pretty much the same: the “master key” is not a single key, but a list, but it still gives the company a way to get from S/N to key, and if the key/list is compromised… well, bad things happen.

Though from a theoretical point, a list (which is just like a one-time pad) is of course safer in than any key-based cryptography, because if I remember my basic classes right, it’s provably unbreakable… if the list is truly randomly generated, but at that point it gets complicated again, of course. I wouldn’t be surprised if a company like VASCO takes the random-number generation part for those lists very seriously.

I hope you’ll enjoy other posts on this blog too! Though they’re rarely that technical and howto-ish.

Secondly, let me put the full disclaimer out there. I work for VASCO, i have worked for VASCO for a long time and I’m a technical person, some would even call me an engineer, although today I do a lot less engineering than I previously have. The comments I make here are my own personal views. I can not comment directly on what any of our customers use or do not use, so I can’t directly comment on the Blizzard devices.

Ok with those things out of the way, the one big comment I have for you is with regards to the hardware tokens. You mention that the devices use a “master key” and that the serial number is used in combination to generate each device’s unique key. In some token manufacturers this is correct. With VASCO, this is not correct. Instead VASCO programs every single device with its own unique key right from the factory. This has a few advantages. First, there is no master key you can use or you can find to try and reverse the password generation algorithms. Second, if you manage to get the secret key of a single device, it will not work and has no relation to any secrets on any other device. I’m sure you can find other advantages to this method, but just to set the record straight, these are the ones I will toss out there.

I think you have hit the nail on the head with this post. The end result being, the convenience verse security. The choice for any person is how much convenience do I need verse how much security do I want, and in the end how much will it cost me to do one thing over another. Hopefully after people read your post they will have more than enough information to make that informed decision.

Thanks for the post and for letting me comment on it.
-Will

I think this one’s a lot better than that one. (Not that it takes much.) Definitely took more time to write!