Extra Authentication per License Key


MZX-22

I'm suggesting an extra authentication per License key because I'm sure there are others like me who manage a large number of License keys while providing IT Service for family & friends.

What I'm proposing is to add a Password Authentication that works alongside both sets of keys; with & without ID.

Key: <MBAM Key>
ID: <Optional MBAM ID>

Password: <Custom set password or passphrase>
This would be a minimum of 20+ characters long, and can be anything the user sets.

This gives back control to License key owners to deactivate all devices on a License key, as I've experienced unauthorized devices, then re-activate on the 1 device it belongs to using the Key + ID + Custom set Password.

 

Link to post

You should already be able to do this as long as you're signed up at My.Malwarebytes.com as documented here and here.  You can see all active devices/subscriptions and manage/deactivate each individually or all at once and accessing the site is obviously password protected and also requires an email address.

Edited by exile360
Link to post

I have done that, the problem is exactly where it says: If you turn on the device within 24 hours of deactivating, your device is automatically reconnected to your license key.

The unauthorized devices automatically re-connected. I can't stop unauthorized users without seeking support from Malwarebytes. But I believe adding a 3rd authentication passcode which gives the owners the ability to change, would solve this problem.

Link to post

Ah, I see.  Yes, unfortunately if a license key has been stolen then you would need to contact Support (and you'd need to anyway, really, since they could have easily copied the license key info to use elsewhere/in the future, even if they weren't able to automatically reactivate the device(s)).

Basically, if a key has been compromised, any number of people might have access to it at that point, so the key should be cancelled/blacklisted and a new license key issued to the owner to replace it, otherwise repeated incidents of unauthorized devices being activated will be very likely, especially if it's someone malicious (i.e. a hacker who publishes/sells license keys and other data on the dark web etc.).

Link to post

Right, and I understand that. Thus my suggestion for the passcode authentication. It would render having the working keys useless, and drastically kill off the illegal eBay sales because if they attempt a sale, buyers would immediately open a dispute that the keys don't work.

Link to post

Unfortunately most of the bad keys being sold on ebay and the like are coming from keygens and aren't even current 3.x license keys.  They deliberately use older style 1.x/2.x license keys to attempt to bypass the modern license key validation systems that Malwarebytes has implemented in 3.x, hoping that they will work/import over to the 3.x version once they update/upgrade to the latest version (this is where many of them fail and stop working because they can't validate online via the 3.x licensing system since it tracks all license keys that are issued/sold anywhere, including by legitimate 3rd party sellers).

Link to post

Yes, and the majority of my keys are older style, which includes the ID. But it's a hassle to replace every key. Not only for myself, but for any other older key out there.

Being older keys was a given since the eBay listings advertise them as Lifetime, and we all know Malwarebytes no longer sell them that way.

Link to post

Right, and since they're older keys nothing implemented after would work for validation so adding a new password validation to licenses/subscriptions would only affect newer 3.x format keys/subscriptions (the ones with no ID's) so it wouldn't change anything for you, or for the sellers on ebay trying to push outdated license keys from keygens etc.

Link to post

Because to change anything for validation for older format keys, the code would have to be changed in the older versions of MBAM that they were originally created for (1.x/2.x) which isn't going to happen (and the sellers would still be providing pre-patched/older versions that didn't include the new validation checks even if they did create a new build of each older version for this purpose).

It would only be useful for the online validation system for newer format license keys in the current online validation system which already handles full license key validation anyway which renders the entire purpose of another validation check moot, at least for the case of those fake/keygen created license keys like you find on ebay etc.

Link to post

I still see it working because, as I noted, it requires the owner to input the password. So there could be a warning that it's for v3 only, and could render v2 unworkable. Even if it still activated v2 or older, this still causes problems for eBay listings that advertise the v3 lifetime licenses.

Any owner that finds their way to the MBAM console, and upgrading their software to v3, this will help give us the control to protect our Licenses and control the 1 device that should be getting its activation.

Link to post

That's the problem, their junk keys still activate 1.x/2.x versions, so they install and activate with those versions then install v3 over the top (they generally include downloads/instructions for this procedure) which allows them to activate then try to validate with v3.  Of course as soon as they hit the v3 license validation server it tells them that their license key is invalid, then the user usually contacts Malwarebytes Support who explain to them what the deal is and recommends they contact ebay/PayPal to get their money back and avoid such sellers in the future since lifetime keys haven't been available for several years now.

For current valid licensees, it wouldn't work because of the internal licensing system which isn't designed to process 3 inputs/strings, just the max of 2.  Again, they might be able to do something going forward for future v3 license keys, but it wouldn't be backwards compatible with older MB3 program versions and existing/past license keys (especially since even trying to do so would create a massive barrage of instant support requests from existing licensed users asking what's going on with all this new password stuff).  It would be a logistical nightmare, and the bad guys would just do the same thing they've been doing to try and pirate keys/sell bad keys by blocking the validation servers in the HOSTS file and using older builds of Malwarebytes to activate which make it seem to work until the user upgrades to the latest build and tries to validate/activate (either getting an error that it can't contact the license server if blocked via the HOSTS file, or being told their key is invalid if they used the 1.x/2.x activation method without a server block).

Link to post

1 hour ago, exile360 said:

That's the problem, their junk keys still activate 1.x/2.x versions, so they install and activate with those versions then install v3 over the top (they generally include downloads/instructions for this procedure) which allows them to activate then try to validate with v3.  Of course as soon as they hit the v3 license validation server it tells them that their license key is invalid, then the user usually contacts Malwarebytes Support who explain to them what the deal is and recommends they contact ebay/PayPal to get their money back and avoid such sellers in the future since lifetime keys haven't been available for several years now.

I don't think this is true at all. My 1.x/2.x format keys at the same, and they activate/validate on v3 just fine. I replaced my Laptop & Desktop, transferring the key over and installing v3 fresh. I didn't have to install 1.x or 2.x first, then upgrade.

I strongly believe the generated keys aren't keys from out of the blue, they're from active 1.x/1.2 keys that users like myself still have active. And of course the current system wouldn't allow for it. It'd have to be re-developed or upgraded in a way that would accomplish this. Thus I'm making this suggestion. I feel strongly this gives License owners better control to secure their keys, rather than everyone having to go through the process of getting the keys replaced when it's discovered to be compromised.

Again, just a suggestion. For all I know Malwarebytes just prefer replacing the keys one at a time as they're reported. I of course don't like it because I want to cause disruption to the piracy scene.

Link to post

No, they're not stolen/active keys.  They get blacklisted all the time without impacting legitimate users/licenses.

Again, a password could be used for new licenses, but any change to activation/validation cannot affect existing licenses, especially older 1.x/2.x format keys.  As for activating your existing key, yes, they activate with 3.x, however 3.x validates it through the online licensing system to verify that it is a known key (not just a properly formatted one, but one that the company knows they actually issued, thus not created by a keygen).

Link to post
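
The two ideas debated in this thread, sketched as an added example that is not part of the original posts and is not Malwarebytes code: a server that accepts only keys it actually issued (so a well-formed keygen key is rejected), and the proposed owner-set passphrase of 20 or more characters bound to a key. The key format, the `LicenseServer` class, its methods and the status strings are all hypothetical.

```python
import hashlib
import hmac
import os
import re

# Constructed key format for illustration; not the vendor's real format.
KEY_FORMAT = re.compile(r"[A-Z0-9]{4}(-[A-Z0-9]{4}){3}")
MIN_PASSPHRASE = 20  # minimum length proposed in the thread

def offline_format_check(key):
    """All an offline client can check: shape only, which a keygen can satisfy."""
    return KEY_FORMAT.fullmatch(key) is not None

def _kdf(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

class LicenseServer:
    """Hypothetical online validator: issued-key registry, revocation, passphrase."""
    def __init__(self):
        self.issued = {}      # key -> {"secret": (salt, digest) or None, "devices": set}
        self.revoked = set()  # compromised keys cancelled by the vendor

    def issue(self, key):
        self.issued[key] = {"secret": None, "devices": set()}

    def set_passphrase(self, key, passphrase):
        if len(passphrase) < MIN_PASSPHRASE:
            raise ValueError("passphrase must be at least 20 characters")
        salt = os.urandom(16)
        self.issued[key]["secret"] = (salt, _kdf(passphrase, salt))

    def deactivate_all(self, key):
        self.issued[key]["devices"].clear()

    def activate(self, key, device, passphrase=None):
        if not offline_format_check(key):
            return "malformed"
        record = self.issued.get(key)
        if record is None:
            return "not_issued"   # well-formed but never sold: keygen output
        if key in self.revoked:
            return "revoked"
        if record["secret"] is not None:
            salt, digest = record["secret"]
            supplied = _kdf(passphrase or "", salt)
            if not hmac.compare_digest(supplied, digest):
                return "bad_passphrase"  # holding the key alone is not enough
        record["devices"].add(device)
        return "activated"
```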