Battle.net authenticators limited to one account

This is not retroactive. If you already have two accounts linked to a single authenticator, everything will still work as it does right now until you unlink that authenticator. The full blue post detailing the changes is behind the cut below.
To help keep Battle.net accounts as secure as possible, we've recently changed how Battle.net authenticators can be used. Going forward, Battle.net authenticators can now only be associated with one Battle.net account at a time. No changes are being made to how many game licenses a single Battle.net account can support. You can still have multiple World of Warcraft accounts under a single Battle.net account, for instance, and all game licenses linked with a Battle.net account will still be protected if an authenticator is in use.
Those of you who currently have more than one Battle.net account associated with a single authenticator will be able to maintain your existing setup without needing to do anything. This change will only affect new authenticator attachments. But, if at some point you decide to detach the authenticator from any of your Battle.net accounts for any reason, you won't be able to reattach it if it's already associated with another Battle.net account.
For more information on the Battle.net authenticator and mobile authenticator application (available for free with many mobile carriers), please visit http://us.blizzard.com/support/article/blizzardauth
Like I said at the beginning, this isn't something that will impact too many people, as a majority of players will only have a single Battle.net account, and all existing authenticator setups are grandfathered in.

Reader Comments (Page 1 of 3)
ScytheNoire Oct 7th 2010 8:10PM
wow, really, the first comment and it's a racist one
Malchon Oct 7th 2010 8:15PM
*snip*
Edited by the really nice people that work at WoW Insider who realize the thing you're commenting on is gone.
(cutaia) Oct 7th 2010 10:47PM
Haha...WoW Insider needs a better comment deletion system that gets rid of the replies, too. Now this poor guy just looks like he's randomly spouting racial slurs, instead of replying with disgust to someone else who did it.
Rufio Oct 7th 2010 11:14PM
As per (cutaia), Malchon was refuting the initial slanderous comment - which was thankfully banhammer'd.
Malchon Oct 8th 2010 12:53AM
Yeah they (thankfully) took away the original post, but now I look like the racist one. :(
Glad they booted the one guy though.
Gregg Reece Oct 8th 2010 11:24AM
Fixed that for ya.
Malchon Oct 8th 2010 4:56PM
Thanks, Gregg. :)
tulipblossom Oct 7th 2010 8:18PM
I'm glad that they're taking steps to make accounts even more secure. I feel like there are a lot of ways to improve account security and I hope that we'll see more changes like this in the future.
I think I remember reading that they recently changed it, so that you have to know the secret question and answer to put an authenticator on an account. If that's accurate, then that's a good move, as well. While it may not prevent those who have been phished from getting an authenticator slapped on their account by a hacker, it will definitely help to prevent that sort of thing from happening to some victims.
frosty Oct 7th 2010 8:32PM
Actually, they changed it to send you an email where you have to validate by clicking the link.
I think this is definitely a good thing, but for those with multiple accounts it may require getting another authenticator.
Whilst I would still prefer another physical device, I have been using the open-source Windows authenticator at http://code.google.com/p/winauth that can handle multiple authenticators, so will be useful when this change comes in.
MikeLive Oct 7th 2010 8:54PM
Wait, an open-source, third-party Authenticator? That seems to make very little sense. That means the algorithm has been reverse-engineered, which means all a scammer has to do is get a hold of your serial number once, add the Authenticator, then you're screwed. Even if you get your account back, you'll have to use a different device (which for many who use their iPhone/Android phones, particularly in countries where the keychain isn't sold, is pretty damn inconvenient).
Keith Oct 7th 2010 9:20PM
Good security never depends on keeping the algorithm safe. It always depends on keeping the key safe.
frosty Oct 7th 2010 9:49PM
@mikelive The serial number itself is irrelevant, but I agree the 160-bit key must be secured. And it is encrypted on my machine. The algorithm for the Android/iPhone authenticator has been documented, and as Keith has said, knowing the algorithm itself should not matter (unless it has a weakness, obviously).
I use it because I can clone the key from my Android and run a backup/alternative version on my desktop. I would still recommend a physical keychain device for best security, but for me, this makes it much more convenient.
bdew Oct 8th 2010 2:29AM
Oh wow, didn't know that existed.
I guess I can stop using my emulated (with java/me SDK) mobile authenticator now :)
Spark Oct 8th 2010 2:07PM
-----
MikeLive Oct 7th 2010 8:54PM
Wait, an open-source, third-party Authenticator? That seems to make very little sense. That means the algorithm has been reverse-engineered, which means all a scammer has to do is get a hold of your serial number once, add the Authenticator, then you're screwed.
-----
Blizzard has apparently gone with implementing an open standard; OATH HOTP [1]. Your serial number is not the secret; it is simply a reference to a 160-bit key. Now, Blizzard's software token implementation (specifically the method to generate and communicate that secret between your device and their authentication server(s)) has possible issues. And that's what the scammer needs - your 160-bit key.
This touches on why this desktop authenticator is something of a bad idea. One of the problems one is trying to avoid is compromise of one's account if the game client system gets compromised. If an attacker is able to install a keylogger, then they can also copy your key if it exists on that same system. A separate authenticator avoids this. Being on another multi-purpose device is better. Dedicated hardware is best.
[1] http://en.wikipedia.org/wiki/HOTP
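An added illustration of the point made in the thread above that security rests on the key and not on the algorithm. This is not code from any commenter, from WinAuth or from Blizzard: it is the public RFC 4226 HOTP algorithm with a server-side check, run against the RFC's published 160-bit test key. The function names, the look-ahead window size and the second key are assumptions of this example.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the slice
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key: bytes, server_counter: int, submitted: str, window: int = 3):
    """Server-side check with a look-ahead window (window size is an assumption).

    Returns the counter the server should store next, or None if the code is
    rejected. Advancing past the matched counter makes an accepted code single-use.
    """
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(key, c), submitted):
            return c + 1
    return None


# RFC 4226 Appendix D test key: 20 bytes = 160 bits. A real key would be random.
RFC_KEY = b"12345678901234567890"
# Constructed second key, standing in for someone who knows the algorithm
# (and any public identifier such as a serial number) but not the secret.
OTHER_KEY = bytes(range(20))


if __name__ == "__main__":
    counter = 0
    code = hotp(RFC_KEY, 2)                      # token is two button presses ahead
    counter = verify(RFC_KEY, counter, code)     # accepted, server resyncs
    print("accepted, next counter:", counter)
    print("replay of same code:", verify(RFC_KEY, counter, code))
    print("code from wrong key:", verify(RFC_KEY, counter, hotp(OTHER_KEY, counter)))
```

Because the whole computation is public, copying the key file from a compromised desktop is equivalent to cloning the token, which is the risk described for a desktop authenticator on the same machine as the game client.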
tulipblossom Oct 7th 2010 8:19PM
Oi. :(
MusedMoose Oct 7th 2010 8:20PM
Not cool at all, man. What's wrong with you?
hugybear Oct 7th 2010 9:10PM
hmm, yeah, looking forward to figuring out which authenticator goes to which account... that won't be a pain in the butt at all.
BugVoodoo Oct 7th 2010 9:20PM
I run into that problem when my boyfriend and I share a computer to play WoW. We both have authenticators, and we both got them early on so they look the same.
I simply put a dot of nail polish on the back of my authenticator (not over the serial number, obviously) to distinguish between the two.
If you don't have any nail polish, borrow some from a sister, wife, girlfriend, neighbor's ex-roommate, etc. You only need a drop!
Ladies, if you're like me and don't usually wear nail polish because it's a pain in the rear, most big stores ending in -mart will have a tiny little bottle for under a buck.
Ronin Oct 7th 2010 9:26PM
Or you could use a piece of tape and write the name of the account on it. Or attach a tag to the ring. Or...
Gendou Oct 7th 2010 9:41PM
My wife and I each have an authenticator of the "Molten Core" variety.
They are both on a chain (she uses the chain that came with my Raynor Dogtag USB Drive), but mine also has a "Horde" keychain from Jinx on it.
She's still trying to figure out what kind of keychain she wants for hers.