2FA backups could be improved

Most websites that offer 2FA also offer a way to get into your account if your phone is lost, damaged, or stolen. Blizzard is no exception… but you guys do it fairly poorly.

Just for comparison’s sake:

A few months ago, Steam only allowed you to generate a single recovery code for your account: if you had 2FA enabled for your Steam account and you lost your phone, then you could use this one code to get in, provided you knew to generate the code and write it down someplace safe. As of today, Steam will now generate and provide you with thirty codes (each of them single-use) as a backup. Multiple codes means multiple chances to recover your account if you’ve written a code or two down wrong, or if something goes wrong while trying to get back in.

Github does even better: they generate sixteen backup codes, but they actually let you review those codes any time you like without having to generate new ones – good for double-checking that you’ve written them down properly. Steam, by contrast, doesn’t let you view your codes again once they’re generated. Several sites also let you see when you generated (ideal) or last viewed (not so ideal) your backup codes; Github shows when they were last viewed; Steam doesn’t show any date.

Microsoft allows you to register multiple 2FA and fallback options for logging in. Discord allows you to use an authenticator app with SMS as a fallback option and a dozen or so recovery codes.

You guys, on the other hand, only generate one backup code, you require me to also write down the serial number to my account (why??), and you offer no other 2FA options or fallback/recovery options. There’s only this one app, there’s only one backup code, and it’s not made clear on the site whether I can even view that code again without you generating a new one and invalidating the existing one. Writing down the serial number (what, like, the database ID?) for my account is bizarre. (Are these codes I would use to log in, or codes I would use to set the authenticator up on another phone? Because if I’m logging in, then you already know what account I’m trying to get into without my providing a serial number. What if I don’t have another phone I can use?) With all this taken together, using your mobile authenticator feels much more like a liability than a security measure.

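As an added illustration of the backup-code design the opening post is asking for (many single-use codes, hashed at rest, with a generation timestamp the user can check), here is example code that is not from this thread or from any of the services named; the class and function names are my own.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Alphabet without 0/O and 1/l/I look-alikes, so hand-written codes are less error-prone.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _digest(code: str, salt: bytes) -> bytes:
    # Normalise so a code typed with dashes or capitals still matches.
    normalised = code.replace("-", "").strip().lower()
    return hashlib.sha256(salt + normalised.encode()).digest()


class BackupCodes:
    def __init__(self, count: int = 30, length: int = 10) -> None:
        self.count, self.length = count, length
        self.salt = b""
        self.hashes: set[bytes] = set()
        self.generated_at: datetime | None = None  # shown to the user on review

    def generate(self) -> list[str]:
        """Replace any existing codes. Plaintext is returned exactly once;
        only salted hashes are kept, so the codes cannot be re-displayed."""
        self.salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(self.length))
                 for _ in range(self.count)]
        self.hashes = {_digest(c, self.salt) for c in codes}
        self.generated_at = datetime.now(timezone.utc)
        # Present as xxxxx-xxxxx so the user can write them down accurately.
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, code: str) -> bool:
        """Consume one code. Every stored hash is compared in constant time and
        the loop never exits early, so timing does not reveal which one matched."""
        candidate = _digest(code, self.salt)
        matched = None
        for h in self.hashes:
            if hmac.compare_digest(h, candidate):
                matched = h
        if matched is None:
            return False
        self.hashes.discard(matched)  # single use: a replayed code is rejected
        return True

    def remaining(self) -> int:
        return len(self.hashes)  # worth showing on the account page
```

Re-displaying existing codes, which the post credits Github with, is deliberately not supported here: only salted hashes are stored, so a user who loses the list must regenerate, as with Steam.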

EPIC allows users to add multiple 2FA methods and to use the account's VERIFIED e-mail, which you can fall back on or even choose as primary. This is what I also don't get. What is the purpose for Blizzard to verify the e-mail if you can't even use it as a fallback? I mean, a user will have their Blizzard account password and access to e-mail; what more do you need? And the requirement by Blizzard for a scan of identification is absurd! NO publisher does this except for Blizzard. And I do not trust them with a scan copy of my ID, based solely on MANY stupid decisions, including how this 2FA works without a fail-safe to fall back on.

It's the year 2021, and you can't even do 2FA right.

The point of 2FA is a separate device that is NOT your computer. Emails are very very commonly compromised. People also give email passwords to others at times.

Blizzard does not allow transfer or sales of Bnet accounts (which you don’t own). In order to grant access they want to know it is the actual account holder who is requesting the changes. That is why ID is required if a person can’t otherwise prove they are the account holder (authenticator or SMS Protect).

They actually do 2FA the correct way - separate from your password and email that are used to log in.

Again, was there something you needed help with besides bumping old threads?

And as any IT security expert can tell you, a phone has even worse security breaches than a PC. You know how many SIM card clone scams there are? Google it yourself; it's not without flaws, and neither are most systems.

Blizzard's inability to have a fallback when one legitimately loses their phone number is NOT doing 2FA correctly. Are you telling me Blizzard is the only one doing it correctly, while Google, Facebook, EPIC, Steam, etc. did it incorrectly by having a method of fallback?

And as for the ID requirement: how does one prove the Blizzard account corresponds to the ID card? An ID card was NOT a requirement when signing up for a new account. Not to mention people with the same names, and people can change their names, which makes the system even more flawed. If a hacker hacked both a user's Blizzard and e-mail account, you think they won't be able to pull off a fake scanned ID?

And yes, I bumped an old thread simply to imply that the 2FA Blizzard has needs to be improved. Period.

When you create or update an Account, you must:

  1. provide Blizzard with accurate and up to date information that is personal to you, such as your name, address, phone number, and email address. Additionally, in order to play certain Games or use certain features offered on the Platform, you may also be required to provide Blizzard with payment information (such as credit card information). Blizzard’s retention and/or use of your personal information is subject to Blizzard’s Privacy Policy, located here. Blizzard shall also have the right to obtain non personal data from your connection to the Platform; and

The ID matches the information required by the contract you agreed to. Again, feel free to find a lawyer.

I am not sure what you are going for. Blizzard is not going to give you access to an account that you are not the registered user of. If you disagree, don’t agree to the contract to begin with. If you do not wish to submit ID (with various parts covered as per the instructions) then they won’t grant you access. Period.

The 2FA works as intended. You need a code from a separate device to log into your account. If you want to remove it - without current access, you need to prove you are the account holder.

Quoting an updated and revised T&C will not lead anywhere. I signed on in 2000 when Diablo2 came out. It did not comply with that. And I've paid for my online account under different names with my credit card, which Blizzard easily accepts, so spare me the hypocrisy. What I'm going for is simple; read on.

The 2FA is NOT working as intended when the recovery procedure is in a loop. I have plenty of methods of proving the account is mine: I have the original physical game discs, including the keys for my Diablo2+Exp/3, StarCraft 2 AND WarCraft3. I have the credit card that I used to PAY for online purchases, which I can accept using to buy a small gift again, but NOT a scan; I will only trust the Verisign portal API, not some support person with an image. I have a log of public IPs which I can share with Blizzard, which will correspond with their system for the past 2 years.

At the end of the day, Blizzard simply has a failed 2FA that needs to be improved and is over the privacy/GDPR boundary. Period.


Of course it will. You had to agree to it to use the modern Battlenet platform. Otherwise you can’t even play.

You also agreed the terms can change; that was part of the agreement. You clicked "agree" every time those changes went through.

Again, you really need to consult a lawyer if you think the terms are illegal.

If having 2FA that can't be removed without proving you are the account holder is your issue, then it IS working. It is preventing someone who can't prove account holder status from accessing it.

You can cherry-pick my statement all you want; it just proves it's not working.

  1. Your quoted T&C on creating/updating an account IS irrelevant when a person can change the account name any time without 2FA. A hacker who has hacked an account can easily change the name, use some other poor guy's lost/stolen ID, and do what he wants with the account after.

  2. You mentioned you used Gmail somewhere. There IS a fallback and emergency mechanism on Google. Do you deny even that? And do you really think Blizzard’s method is correct, while a Cloud SaaS giant like Google is not?

Clearly the players could benefit from another, more secure Mobile Authentication service that allows anyone with a cell phone, prepaid or not, to secure their account. Clearly you don't remember when Blizzard was hacked because they were using outdated framework software (at least that's what was reported at the time by news sources). Do you have any IT experience? Or are you just speaking scripted talk that Blizzard tells you to say? Because honestly that's the way almost all MVPs sound.

I'm absolutely livid that I can't further secure my account because I use Cricket Wireless. Blizzard is the ONLY gaming service where I have this problem. And if I get hacked because they failed me as a customer, not only will I quit playing but I'll tell everyone I know that they have lax security for accounts.

I use a complex password and without the ability to further protect my account it just tells me they don’t care about the customer but only about the money we give them.

They can either step up and be willing to admit they are wrong and actually listen to the customers for once, or as usual put their heads in the sand while customers get frustrated to the point they don't come back/re-sub.

In customer service work the customer is the #1 priority. Without happy customers you lose money. It’s clear they don’t actually care about the customer and they absolutely all need to take a customer service seminar.

Are you aware of the statistic that for every 1 customer that speaks up there are at least 25 or more that feel the same way but are afraid to say anything?

Clearly they are not understanding basics of customer service and they will continue to lose customers because of this.

Of course I do. The 2012 partial compromise released minimal login information, no personal or financial information, and resulted in no lost accounts. Thankfully Blizzard keeps the data separate and stores passwords as salted hashes. They also very quickly notified players so they could update their accounts.

MVPs don’t work for Blizzard. They are other players who say what they want, within the rules of the forum. If you mean most tend to be somewhat polite and dry/informational, then yes, we do sound similar I guess. That is what happens when you spend a lot of time giving simple information. It is not very exciting.

You bumped a thread about taking OFF the Authenticator, not putting one on. The last necro poster was angry Blizzard required ID to access the account and remove the Auth. :woman_shrugging:

Your issue is related to the new phone requirements that were added. Those are actually very recent. You should have made your own thread, or joined one of the ones about Cricket numbers. Your post is lost under this thread given the thread is old and not about your complaint.

P.S. I agree the new phone number requirement to use the Authenticator is a bad idea and prevents people from using the Mobile Auth to secure their accounts. I do get why they did it, but I think they threw the baby out with the bathwater so to speak.