I’m filing this as a bug report knowing that it’s not a bug after having talked with support, but this is definitely an issue that I consider to be a bug.
For 10 years, I’ve used the Battle.net Authenticator without issue and have not ONCE had my account hacked. I also use a 32-character password with all 4 character types (upper and lower case letters, numbers, and symbols) and am even considering switching to a passphrase (not sure if the login system supports spaces though).
In all the time I’ve had my account, I’ve never needed to provide my phone number, least of all as a way to prove my identity.
I received an email 2 weeks ago that the Mobile app is available and I need to move off the authenticator to the Mobile app. So I downloaded the mobile app, and uninstalled the authenticator. Oops. I didn’t yet set up the mobile app before I uninstalled the authenticator.
So I engaged support and got the authenticator removed from my account. Logged in on the mobile app, found where I go to set up the authenticator under the mobile app, proceed through the steps, enter my phone number. Get told to use a post-paid number…
Bug 1: I am using a post-paid number. My phone number, however, was ported out from its original carrier, Verizon, back in 2014 when Google Voice became a thing. This was a post-paid number on Verizon, and it’s STILL a post-paid number on Google Voice. But unfortunately, some phone number verification systems think it isn’t. This depends heavily on the tools being used at the backend to verify phone numbers, and is not something that I (or probably even the Blizzard devs) can affect. Some systems work fine with this number even when those systems require a post-paid number, some don’t. I don’t know all of the details around what goes into this verification, but the one Blizzard uses is one that thinks it’s not post-paid, even though it is.
NOTE: To reiterate, this is NOT a “Google Voice” number. I ported my Verizon phone number to Google Voice. If I ever changed my number via Google Voice’s website, they would release my number back to Verizon and Verizon could assign it to one of their customers again.
I have a post-paid number from my phone carrier, T-Mobile, as well. But I do not give it out to anyone except for my immediate family, and it’s only for emergency use. I will not use this number for the Battle.net Mobile App’s Authenticator.
Justification: SIM Swap (aka SIM Swap Fraud) - See this excellent post by Mozilla for more info:
I don’t trust any phone carrier to keep my SIM card secure. It’s just been proven over and over again that it’s too easy to trick their customer service reps into swapping the SIM. The phone carriers use more public information than Blizzard does to verify identity, and since the information is public, it’s far more likely that some dilweed in India will convince my carrier to swap my SIM to their phone in order to take over my accounts (plural), than it is that someone would be able to convince a Blizzard employee to remove the authenticator from my account.
So, to me, this requirement to provide a post-paid number (again, I have), is surfacing a bug in the backend phone verification system Blizzard uses.
Bug 2: Requiring a phone number, in and of itself, is (again, to me) a bug. I’ve never needed one for the Authenticator dedicated app, and so having to provide one now is lowering the security of my account, rather than increasing the security.
Even many banks now have discontinued requiring a phone number for SMS codes. Yeah yeah, many still do, but this method of verification is going the way of the dodo within the next few years as far as I’m concerned (and good riddance!).
Because of this requirement, I’m not using the authenticator from the mobile app. Period. I just flat out refuse to provide a less secure method of verifying my identity and would rather chance it with my super strong password and/or pass phrase (if that’s even a possibility).
I asked support about getting a physical authenticator… No dice, they aren’t sold anymore and they get requests every day to remove those authenticators due to dead batteries.
Note that I practice good security hygiene. I haven’t been tricked into sharing my personal details with people in over 25 years, I use a password manager, every account I have uses its own unique password, and I haven’t had ANY account hacked since I switched to a password manager and reset all of my passwords to be unique per-site 5 years ago.