2FA backups could be improved

Most websites that offer 2FA also offer a way to get into your account if your phone is lost, damaged, or stolen. Blizzard is no exception… but you guys do it fairly poorly.

Just for comparison’s sake:

A few months ago, Steam only allowed you to generate a single recovery code for your account: if you had 2FA enabled for your Steam account and you lost your phone, then you could use this one code to get in, provided you knew to generate the code and write it down someplace safe. As of today, Steam will now generate and provide you with thirty codes (each of them single-use) as a backup. Multiple codes means multiple chances to recover your account if you’ve written a code or two down wrong, or if something goes wrong while trying to get back in.

Github does even better: they generate sixteen backup codes, but they actually let you review those codes any time you like without having to generate new ones – good for double-checking that you’ve written them down properly. Steam, by contrast, doesn’t let you view your codes again once they’re generated. Several sites also let you see when you generated (ideal) or last viewed (not so ideal) your backup codes; Github shows when they were last viewed; Steam doesn’t show any date.

Microsoft allows you to register multiple 2FA and fallback options for logging in. Discord allows you to use an authenticator app with SMS as a fallback option and a dozen or so recovery codes.

You guys, on the other hand, only generate one backup code, you require me to also write down the serial number to my account (why??), and you offer no other 2FA options or fallback/recovery options. There’s only this one app, there’s only one backup code, and it’s not made clear on the site whether I can even view that code again without you generating a new one and invalidating the existing one. Writing down the serial number (what, like, the database ID?) for my account is bizarre. (Are these codes I would use to log in, or codes I would use to set the authenticator up on another phone? Because if I’m logging in, then you already know what account I’m trying to get into without my providing a serial number. What if I don’t have another phone I can use?) With all this taken together, using your mobile authenticator feels much more like a liability than a security measure.

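As an added illustration (not code from the original post or from any of the sites it mentions) of the properties praised above, here is a minimal server-side backup-code set: many single-use codes, a recorded generation time, and only salted digests kept so a leaked table is not directly usable. Storing digests means codes cannot be re-displayed later the way GitHub does; that is a deliberate trade-off, and the code count, code length and PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # slow hash: a leaked table of digests is not cheaply brute-forced

def _normalize(code: str) -> str:
    """Tolerate how a user types a code back: case, hyphens and spaces are ignored."""
    return "".join(ch for ch in code.lower() if ch.isalnum())

def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)

@dataclass
class BackupCodeSet:
    """Server-side record: salted digests only (plaintext is shown once at generation)
    plus the issue time, so the account page can say when the codes were generated."""
    salt: bytes
    digests: list        # one digest per still-unused code
    generated_at: float

    @classmethod
    def generate(cls, count: int = 16):
        """Return (plaintext codes to display once, record to persist). Count is assumed."""
        salt = secrets.token_bytes(16)
        plain = []
        for _ in range(count):
            raw = secrets.token_hex(5)               # 40 random bits per code (assumed length)
            plain.append(f"{raw[:5]}-{raw[5:]}")     # grouped for easier transcription
        return plain, cls(salt, [_digest(salt, c) for c in plain], time.time())

    def redeem(self, candidate: str) -> bool:
        """Consume one code: all digests are compared in constant time, and a used
        code is removed from the list, so each code can only ever be redeemed once."""
        cand = _digest(self.salt, candidate)
        match = None
        for i, d in enumerate(self.digests):   # no early exit; work is independent of input
            if hmac.compare_digest(cand, d):
                match = i
        if match is None:
            return False
        del self.digests[match]
        return True

    def remaining(self) -> int:
        return len(self.digests)
```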