Blizzard, the authenticator migration (aka SMS is now REQUIRED) is an awful idea

What exactly do you lose if you get rid of the auth?

I mean I have never shared my account, do not go to gold selling sites, and do not open ANY mail from Blizz, not even my weekly play time reports.

So why do i even need one?

From what I understand, to even be able to use the protection part (i.e. the authenticator), which was never a problem in the past, the user now has to use a phone number? I have an authenticator with 6-8 different accounts (mail etc.), none of which requires a phone number to use.

Hard to say. I’ve never been compromised. But I know people who have (or claim to have been) hacked. Anecdotally in the case of one guildmate who was - we suspect it was because of a VERY weak password.

How would the bad guys even know the email address they might run a brute-force password attack on?

Well… because Blizzard (inadvertently) gave it to them at least one time I know of.

In 2012 (Blizzard detected the breach on 4 August, but waited until 9 August to notify the community) some bad actors broke into Blizzard corporate servers and got a copy of a list of all email addresses for Battle.net users outside China. Also accessed was information about the security questions and account authenticators used by players on North American servers. As well as players in the US and Canada this includes people in Latin America, Australia, New Zealand, and Southeast Asia.

The digital ne’er-do-wells also stole a cryptographically scrambled list of the passwords used on North American Battle.net accounts. The technique Blizzard used to conceal these passwords (the Secure Remote Password (SRP) protocol) made them hard (but not impossible) to unscramble. I would hope nobody is still using the same PW they had in 2012 - but not betting against it.

The hackers also captured sensitive data related to dial-in and smartphone app-based two-factor authentication.

So, yeah, even if you do everything right and never get suckered into a phishing scam or use ABCDEF1234 as your password, without an auth you can still be somewhat vulnerable.

I’ve got 19 years of effort into this game and want to protect that - so I do what it takes to secure the account as best I can.

I even use a random password generator to make me a new PW every month - changing it the same day I change the ones I use for work.

What kind of passwords do I use? Something like this: h5vF/XrY]E^.Z&B$Tfs%mb

There are strong password generators online like this one that will create one for you: https://passwordsgenerator.net/

You can also use a PW manager service like 1password.com

I don’t ask “why do I need to secure my account?”

I ask why wouldn’t you want to secure your account.
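The post above recommends a random password generator and shows a 22-character sample. As an added example (not code from the post, the linked site, or Blizzard), here is how to generate a password of that shape locally using the operating system's CSPRNG via Python's `secrets` module, together with the entropy estimate that tells you how strong the result is. The alphabet, length and the helper names are my own assumptions; generating locally means the password never passes through a third-party web page.

```python
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, the same class of characters as
# the sample "h5vF/XrY]E^.Z&B$Tfs%mb" shown in the post.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 22, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Draw each character independently with secrets.choice (CSPRNG).

    random.choice must NOT be used here: Python's `random` is a Mersenne
    Twister, which is predictable once an attacker sees a little output.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_drawn_from(password: str, alphabet: str = DEFAULT_ALPHABET) -> bool:
    """Sanity check used by callers/tests: every character comes from the alphabet."""
    return all(ch in alphabet for ch in password)


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    # A 22-character password over 94 symbols has about 144 bits of entropy,
    # far beyond what any online brute-force or credential-stuffing attack can reach.
    print(f"{entropy_bits(len(pw), len(DEFAULT_ALPHABET)):.1f} bits of entropy")
```

Store the output in a password manager rather than retyping it; the entropy figure only holds if the whole string is used as generated.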

Yeah…let’s just pretend that the outrage from that comment was about the affordability of phones… :roll_eyes:


I’m with you here:

The Blizzard Auth can be activated on any device if you have the code, that's its biggest downfall. Because the Auth setup recommends taking a picture of the code to save in case you need to find it later, which for people who use the cloud can accidentally release said picture publicly.

This is also garbage, because it requires you to use a dodgy site that they use to get all your data. There is no way at all that any SMS hijacking can occur unless you willingly access the wrong site and give out your info to the wrong person.

It even says so in the articles.

100% sure OP did not even read the articles, or does not understand them, because if you log in to Google, Apple, bank sites or any site that can use 2FA using a legit link there is no way they can intercept you.

It's when you log in to a dodgy link that transfers you back to the real link and acts as a proxy in between the user and the real site, that is when things go south.

If you click the wrong link or a suspicious link, that’s all on you.

And no matter how much security a company puts in place, the minute you hit the wrong link and they start recording what happens between you and the company you are trying to access, it’s game over.

Adding more security is far better than removing it, it’s up to you to ensure you do not give out your data.

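Two points in the post above can be shown concretely: that the enrollment code (the QR secret) lets anyone who has it generate the same authenticator codes on any device, and that a proxy sitting between the user and the real site can relay a freshly typed code and still get it accepted. The following is an added example, not code from Blizzard or from the post. It implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) from the standard library and then simulates both situations. The secret used is the RFC 6238 test vector, not anyone's real enrollment; the verification window and the helper names are my own assumptions about a typical server.

```python
import base64
import hashlib
import hmac
import struct

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # digits shown by the authenticator app
VERIFY_WINDOW = 1   # typical server tolerance: accept the previous/next step too

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890") in base32.
# This is exactly the kind of value encoded in the enrollment QR code.
ENROLLED_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, code: str, at: int, window: int = VERIFY_WINDOW) -> bool:
    """Server-side check: accept the code for the current step and +/- `window` steps."""
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def codes_match_across_devices(secret_b32: str, at: int) -> bool:
    """Point 1: the phone that scanned the QR code and anyone holding a copy of the
    same secret (e.g. a photo of the QR code that leaked from cloud storage) compute
    identical codes. There is nothing device-specific in TOTP."""
    legitimate_phone = totp(secret_b32, at)
    attacker_copy = totp(secret_b32, at)
    return legitimate_phone == attacker_copy


def relayed_code_accepted(secret_b32: str, typed_at: int, relay_delay_s: int) -> bool:
    """Point 2: a proxy site captures the code the victim types at `typed_at` and
    submits it to the real site `relay_delay_s` seconds later. The real site cannot
    tell the proxy from the victim; the code is rejected only once it has aged out
    of the verification window."""
    captured_code = totp(secret_b32, typed_at)
    return verify_totp(secret_b32, captured_code, typed_at + relay_delay_s)


if __name__ == "__main__":
    now = 1234567890  # RFC 6238 test time; code at this instant is "005924"
    print("code on both devices identical:", codes_match_across_devices(ENROLLED_SECRET_B32, now))
    print("relayed within 5 s accepted:", relayed_code_accepted(ENROLLED_SECRET_B32, now, 5))
    print("relayed after 120 s accepted:", relayed_code_accepted(ENROLLED_SECRET_B32, now, 120))
```

The relay only needs to beat the verification window, which is why a real-time proxy defeats TOTP and SMS alike; what it cannot forge is the secret itself, which is why the leaked-QR-code case is the worse of the two: it needs no timing at all.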

What it comes down to is that any security system can be defeated with enough time and effort. The difference is that sophisticated attacks require some inside information or access such as a SIM card or bribing a telco employee. While my Blizz account is important to me, I seriously doubt that it is important enough for someone to make a directed attack on my two factor security. I'd be much more worried about my bank account or SSN account. Even physical authenticators are vulnerable to "man in the middle" attacks.

If the 2FA is compromised as a general phishing attack, well, I still say, one's bank account is the greater issue. Right now all my accounts are set up so that I'm notified of password changes or other actions that would indicate my account has been hijacked.

If my cell phone number has been compromised I think I’d notice the cessation of all alerts, texts and calls as the hijacker can’t selectively decide what content is being redirected.

In short, assuming neither the NSA nor a criminal organization has targeted me, the existing protection is good enough barring some stupid clicks on my part.

Yes. But would you go to my link to fill out a questionnaire about your mother’s maiden name, the street you grew up on, and the name of your first pet?

I will then let you know which Hogwarts House you would be sorted into.


Joking aside, this is how they get you, they play you by doing these "What bread are you?" quizzes until you give enough details so they can attack you. It's literally in the name of the game, it's called phishing, as in, they fish until they get enough details from you to steal your stuff.


No I wouldn’t. And that’s where the most important aspect of security comes in, having at least a bit of sense. Likewise my “secret” questions and answers to reset passwords are all fictitious so even if someone knows me from social media, it won’t help them answer the questions to take over my account.

This is my biggest issue. Because anyone who has your # knows half your login info.

Take Amazon, I use an email address to login that NOBODY knows, so on top of my password, I have an unknown username to everyone also. Amazon always asks me to add a phone # for SMS, but thankfully gives me the option to decline. Anything that forces a phone for “security” is a joke, because like I said, giving out half your login information is LESS secure.


Complicating matters, as I mentioned above, in 2012 some bad actors broke into Blizzard corporate servers and got a copy of a list of all email addresses for Battle.net users outside China. Also accessed was information about the security questions and account authenticators used by North American, Latin American, Australian, New Zealander, and Southeast Asian players.

So unless long-time players changed their email addresses since the breach, half their login info has been floating around for quite some time.

Oooo the cats are cute!


It was about mobile gaming. Only soccer moms and 10 year olds play mobile games.

The audience of Blizzard, generally speaking, doesn't play mobile games. It was mainly a computer gaming company. No one wanted to play Diablo Immortal on a bloody cell phone or a tablet lol. They all wanted to play it on their 1 thousand dollar computer.

They have released some mobile titles in recent years, like Warcraft Rumble. But why would I play that when I can play World of Warcraft on my big old computer monitor lol.

It is all marketing. They did that because mobile gaming makes billions of dollars. But I Honestly don’t consider the average person who plays mobile games a gamer. Candy crush and all that stuff doesn’t really count.

But the mobile market is huge. I will always miss the days of the 3DS and PlayStation Vita and all that stuff. With actual portable games on them. Your average iPhone game doesn't count.

I hate my phone. But I haven't had a job that doesn't require it in some way. The offline world is slowly fading away. I use my phone for like 2 things. Texting and talking, which I barely do anyway because I hate most average people these days. And Google Maps. Oddly enough the most important thing on there. I am super directionally clueless.

Most other stuff though I would rather just do offline. Oh, I can't beat this game? You went down to a store and got a Nintendo Power magazine. Way more charm and coolness than just looking it up on GameFAQs. Other general knowledge and resources? Library.

As mentioned, I use my phone for a couple of things. And for authenticating my WoW account. There is this cool key chain thing that I press a button, and a jumble of numbers comes up lol. It is my authenticator dongle. I will be frustrated if I have to start doing authentication through my phone though. As far as I am aware, Blizzard no longer makes the authenticator dongles anymore. But yah.

I honestly would just rather do it through the Blizzard authenticator dongle. Which is what I have.

I personally wouldn’t want to have to go the mobile phone authenticator route.

I honestly can’t even tell you the last time anything asked for my approval. But I do find it easier to use the app when something does ask. I don’t have to type in numbers anymore. I just hit “approve” on the notification that pops up on my lock screen.

Said the same thing till my 2nd physical auth died and they are not making them anymore and haven't for a long time…you used to be able to get them off Amazon but they jumped high in price there…right now there is a physical one on Amazon for $60…https://www.amazon.com/Blizzard-BATTLE-NET-Authenticator-PC/dp/B005NH6IEW/ref=sr_1_2?crid=1WXWL818X9D5T&keywords=world+of+warcraft+authenticator&qid=1702225967&sprefix=world+of+warcrafth+au%2Caps%2C119&sr=8-2&ufe=app_do%3Aamzn1.fos.17d9e15d-4e43-4581-b373-0e5c1a776d5d

Yah and physical authenticator dongles can die. But phones can also die. Or get lost or stolen.

With my authenticator dongle, it never leaves the area where I play my game. I just feel like having it on my phone is way too much risk. I am a pretty private guy too. I pretty much have no social media. I find that stuff stupid. We basically embrace modern socialism and communism now because of that, and I am not a big fan. As well as everything being super automated and all that as well. And political correctness. To heck with all that jargon.

But 60 bucks is steep. But I guess if I got desperate enough, I would do that. But I can't stand Amazon either. Soon we will have to buy everything off of Amazon. Nothing else will even exist sooner or later. That and eBay. And of course Grubhub and all that too with Uber Eats. It is just laziness and I quite frankly find it boring. At least if I go to like Men's Wearhouse for a new suit, or Best Buy for a new video game, I have it instantly. Or a grocery store. Doing stuff online just takes too long, and no one in power handles any problems like normal adults. And customers don't act like normal customers either. Amazing.

Spicy McDouble Sandwich

I just made McD’s another billion


I'm curious, are we still grandfathered in? Or will, come January, those of us with a working mobile authenticator (within the Bnet app after migrating) have our authenticators removed because we never handed over a phone number?

I personally also strongly object to the SMS requirement. As a security professional it is a glaring weakness in an otherwise solid TOTP set-up they have and I dislike enabling practices like this. It would be one thing if I was confident in Blizzard maintaining the strongest practices including a concern for my privacy and they made no moves to strong-arm people to retain their storage of the phone number, as I actually am in favor of reasonable, minor, privacy-respecting bot-fighting practices.

However I'm simply not confident they/the third parties they contract with to carry out these services 1) actually would delete it on their end after I request it and 2) aren't champing at the bit to sell every bit of data on me including things like this to FB and other data brokers for pennies. 3) That if I do supply it to them, then remove it, it still cannot be potentially used by an attacker as evidence they are me (much like many companies allow recovery with the last used email, the last used phone number I would bet would be acceptable to Blizzard support to prove ownership with a quickly cooked up story). This goes with 1, I think they'd retain a record.

I am not in favor of having it on my cell phone or tablet but that is the way it is now…I went through two of the key chain types because I didn't want it on my cell phone…but now I have to, or pay $60, which I am not…