Authenticator app coming to iPhones, iPods, and other mobile devices

According to the webpage, you only need a WiFi connection once to activate the authenticator application, and after that you're all set.
This comes right after the transition of the EU World of Warcraft account management to the new Battle.net account management. The US transition is reportedly done, although there has been no official word from Blizzard yet (however all their webpages have already changed over).
The app is not available for download yet via Blizzard or from the Apple store. But we'll let you know the second it goes up!
You can read the full FAQ after the break, or check out the Blizzard Support article.
Where do I get a Battle.net Mobile Authenticator?
The Battle.net Mobile Authenticator application can be found at this link depending on your mobile phone model and/or mobile service provider.
What is an Authenticator code and where do I see it?
The Authenticator code is an eight-digit numeric code that is produced when you select "View Code" in your Battle.net Mobile application. Each code is unique and is valid only once.
Do I need to have an active cell phone signal or access to a wireless network in order to use the Battle.net Mobile Authenticator? Why is airtime required for use?
Airtime is only required in order to enable your Battle.net Mobile Authenticator for the first time, or in the rare case when you may need to re-sync or reset the Authenticator. Once you have enabled the Authenticator, you do not need to be in range of an active cell phone signal or have access to wireless service in order to retrieve a code to log in.
Will this application work with an iPod touch?
Yes. However, you will need to have a valid Wi-Fi connection in order to enable the Battle.net Mobile Authenticator for the first time, or in the rare case when you need to re-sync or reset the Authenticator. Once the Authenticator is enabled, you do not need to have a network connection to generate a code to log in.
Can I use a Battle.net Mobile Authenticator and a Blizzard Authenticator at the same time?
You can only have one Authenticator attached to a Battle.net account at any given time.
How do I remove the Battle.net Mobile Authenticator?
You can remove the Mobile Authenticator through Battle.net Account Management. Please do not simply delete the application without first removing the Battle.net Mobile Authenticator from the associated account.
What happens if I lose my mobile phone after activating the Battle.net Mobile Authenticator?
Please contact Blizzard Customer Support if your phone is ever lost or stolen so that we can take appropriate action.
What happens if I delete my Battle.net Mobile Authenticator application from my mobile phone? Can I still log in to the associated account?
Unless you remove your Battle.net Mobile Authenticator from the account prior to deleting or overwriting the Battle.net Mobile Authenticator application, you will not be able to log in to the account. If you remove the Battle.net Mobile Authenticator application prior to removing it from the account, please contact Blizzard's Billing and Account Services team. Our representatives will be able to assist you with regaining account access by verifying certain secure information with you.
Will a Blizzard representative ever ask for my Battle.net Mobile Authenticator information?
Yes. Blizzard may ask for the serial number associated with your Battle.net Mobile Authenticator, typically to help you associate it to an account or to verify your ownership of that product.
Can I apply my Battle.net Mobile Authenticator to more than one account?
Yes! You're welcome to associate a single Battle.net Mobile Authenticator to as many accounts as you like. Please remember that you must have the mobile phone with the Battle.net Mobile Authenticator with you to log in to any of these accounts afterwards.
Please keep in mind that a single Authenticator will provide secure access to all of the World of Warcraft accounts associated with an individual Battle.net account.
Many thanks to Tlann for the tip!
Updated 5:05 p.m. EDT: Changed the note about the U.S. transition to Battle.net accounts.
Filed under: News items, Account Security

Reader Comments (Page 1 of 3)
Braundo Mar 19th 2009 4:36PM
Wow, that's a nice idea. Won't need to carry the Authenticator around if you find yourself trying to play the game away from home.
schmunkel98 Mar 19th 2009 4:39PM
Wouldn't this be open to hackers, thus defeating the point of the authenticator to begin with? I thought the whole idea of the authenticator was that it is an offline device.
Braundo Mar 19th 2009 4:42PM
@schmunkel: Unless a hacker somehow hacks into your iPhone/mobile device while it's running and runs the Authenticator app -- which I'm not sure is possible or not -- there's really no way that this could be "hacked". Unless, of course, your mobile device falls into unscrupulous hands, which is a problem even for the normal Authenticators.
Daye Mar 19th 2009 4:45PM
@schmunkel98: After re-reading it, you only access the internet once, and that is to download the program. Once you have it installed, you're not connected to it anymore.
Could there be ways to hack it? Doubtful, but who knows..
The real question we should ask is what the price on this thing is!
dukrous Mar 20th 2009 11:38AM
These keys work on a private/public shared key concept. The server gets your private key generated from your authenticator's information (all sorts of variables you have no access to but are unique per authenticator). Every time you log on, your authenticator generates its own public key depending on even more variables including the same ones used to generate the private key. When you transmit it, the server checks your public key against its list of possible public keys that are valid at that specific point in time. If the key passes, you log on. If it doesn't, you don't.
While this system is nearly impossible to hack, there's always a possibility, but the amount of time it would take to 1) crack the algorithm, 2) decrypt all the variables used per specific device, and 3) develop an open version of the algorithm that accepts all the correct information specific to your key is probably longer than most people's lifetimes.
The easiest thing to do is physically steal the key after someone has learned your account name and password. This system only strengthens an already strong name/password system. If you still have a weak name/password combo, this helps a little bit but not for long.
Rosa Mar 19th 2009 4:50PM
That's so win, I love my iPod touch. This just makes it that bit more awesome, because I never really fancied carrying around an authenticator before, because I don't log onto my account away from home often, but I wouldn't attach one to my account because when I did need to log on away from home I couldn't do it, but now :)
I'm assuming it's free?
Spoonman Mar 19th 2009 5:24PM
I highly doubt it's gonna be free
Angry Joe Mar 19th 2009 6:07PM
Yeah, try to update your iPod touch and see how far free goes.
Carolyn Mar 19th 2009 4:47PM
Wow this is a really great idea!
Erika Mar 19th 2009 4:48PM
So could I use this for WoW instead of a key chain one?
Hasteur Mar 19th 2009 4:52PM
NO NO NO NO!
The purpose of having a physical token is to have something that is difficult to replicate. Any software is inherently easier to reverse engineer and figure out how it works.
Candina@WH Mar 19th 2009 5:11PM
Actually, the physical token runs software that can be reverse engineered anyway.
Two-token authentication requires your account/password and the code from the physical token.
The physical token (or software) has NO link to your account (it is account agnostic). The association between the token and your account is 100% server side.
A hacker would have to reverse engineer the device, no big deal, then find the specific account that device was tied to.
And then they would have to steal your user name and password.
With the amount of data being lost by credit bureaus, banks and payment processors, data that has direct financial impact on people, you are worried that some hacker is going to spend the time to hack your WoW account??????
Dude... decaf....
Aigarius Mar 19th 2009 5:43PM
The way it works is a well-known public algorithm. The encryption key that it uses (a long random string of bits wired into the hardware) is the thing that makes physical authentication tokens unique and very hard to duplicate. ('very hard' = you need to be FBI or CIA to have enough resources to do it).
I welcome this development. WoW access does not need a real hardware token like my bank, a simpler two factor authentication is sufficient. And by using an iPhone it is no more hackable. Not remotely, over the Internet (like your desktop) anyway.
Improbable Mar 19th 2009 5:49PM
There's really nothing to reverse engineer. The authenticator, either the keychain version or the software thing, is basically a device that takes the current time and runs it through a complex equation that combines it with a unique key and provides an essentially random code.
Blizzard knows the unique key for your device, your device knows the unique key, but there is no way to infer that key from the outside, even if you know what access codes the authenticator is providing at given times.
Now, with the physical authenticator, you can only be hacked by someone with physical access to the device. With the software, there's exactly two additional weaknesses: First is intercepting the data when you and Blizz sync up and you get your unique key. This will only occur once, however, and should be encrypted. Second is if someone is able to remotely hack your device, but remotely hacking an iPhone/Blackberry/etc is not a trivial matter like planting a keylogger on a PC. Someone able to do this is after a whole lot more than your WoW account.
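As an added illustration of the scheme dukrous and Improbable describe above (a per-device secret combined with the current time, checked server-side against the codes valid around that moment, with each code usable only once as the FAQ states), here is a TOTP-style generator and verifier written for this page; it is not Blizzard's code. The secret and timestamps are constructed, and the 30-second step and one-step drift tolerance are assumptions, not the Battle.net Mobile Authenticator's actual parameters.

```python
import hashlib
import hmac
import struct

# Added illustration, not Blizzard's code: a time-based one-time code in the
# HMAC-SHA1 / RFC 6238 style. Digit count matches the FAQ; the step length
# and drift tolerance are assumptions made for this example.
CODE_DIGITS = 8
STEP_SECONDS = 30
DRIFT_STEPS = 1


def generate_code(secret: bytes, unix_time: int) -> str:
    """Client side: combine the shared secret with the current time step."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low nibble of the last byte selects 4 bytes of the MAC.
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_code(secret: bytes, submitted: str, unix_time: int, used_steps: set) -> bool:
    """Server side: accept the code for the current step or an adjacent one
    (phone clock drift), and never accept the same step twice (valid only once)."""
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step_time = unix_time + delta * STEP_SECONDS
        counter = step_time // STEP_SECONDS
        if counter in used_steps:
            continue
        if hmac.compare_digest(generate_code(secret, step_time), submitted):
            used_steps.add(counter)
            return True
    return False


def demo() -> dict:
    """Walk through the cases discussed in the comments, with a constructed secret."""
    secret = b"constructed-example-secret"   # not a real enrolment secret
    now = 1237497600                         # constructed server time (a step boundary)
    used = set()
    code = generate_code(secret, now)
    return {
        "first_use": verify_code(secret, code, now, used),
        "replay": verify_code(secret, code, now, used),
        "drifted_phone": verify_code(secret, generate_code(secret, now - STEP_SECONDS), now, used),
        "too_far_off": verify_code(secret, generate_code(secret, now + 2 * STEP_SECONDS), now, set()),
        "wrong_secret": verify_code(b"other-secret", code, now, set()),
    }


if __name__ == "__main__":
    print(demo())
```

Knowing many past codes does not reveal the secret because each code is a truncated HMAC, which is what the "no way to infer that key from the outside" point relies on.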
Gongonzabar Farbin Mar 19th 2009 4:56PM
It'd be tough to crack the authenticator because you'd probably have to crack two parts of the authentication system. I'm not an authoritative figure on this subject but how the authenticator probably works is by random number generators. They aren't truly random, but that's what the world of computers and mathematics calls them.
Random number generators work by generating a number using an input. Provided the same initial input and using the same random number generating algorithm, you will have the same output of numbers at any given time. So Blizzard and your authenticator will have the same algorithm to generate these numbers. It only needs to contact your device once so that it can provide the initial input. After that, Blizzard and your authenticator will keep generating the same numbers, which the user has to put in.
So to crack this, a hacker would need to 1) crack the algorithm used to generate these numbers and 2) be able to find out the seed for a particular authenticator. Maybe for each authenticator they may have a different algorithm too. Who knows? So wanna crack it? Good luck.
Candina@WH Mar 19th 2009 5:16PM
Also not an expert (Math is Hard!) But you have the gist of it. Each device has a unique serial number embedded on its chip. When you push the button, it creates a random number, probably based on some sort of hash algorithm around Blizzard's master 'shared' key, the device's serial number, and some function of time.
When you associate the device to your account, you put in its public key (its external serial number).
Then you push your button, and a shared secret is created. You enter the shared secret in the box, Blizz 'decrypts' the shared secret using its private key and your public key and the time... and... Voila!
I can't wait, I hope the software is free....
decipherable Mar 19th 2009 4:58PM
I already upgraded my account to the battle.net. I have a US account. Maybe not all of the accounts are allowed to do it yet?
isaac.cajina Mar 19th 2009 5:05PM
I was able to move my account over in the US just fine. Logged into WoW with my email and everything.
Mortur Mar 19th 2009 5:08PM
The blizz authenticator is a Vasco DigiPass 6.
http://www.vasco.com/products/product.html?product=70
It's an encryption formula that takes 2 variables (the time, and the unique identification serial number) to form the number.
Unless Bliz has a way of preventing the serial number from being read by an outside source, then it's hackable.
Candina@WH Mar 19th 2009 5:19PM
Yep. PGP = Pretty Good Privacy. (a common shared key encryption).
It is hackable. But, let's face it, your username + password is hackable. Your username+password+token is exponentially less hackable.
To the point where it is not worth the criminals time to try. The value of the hacked account vs. the effort involved. /shrug