Why has physical authentication not been updated?

Hoping that this request could be considered. Once upon a time Blizz made physical authenticators, several years ago the product was discontinued as noted in these forums. However, since then no replacement has been made and no hardware authentication has been added to secure accounts.

Some have argued that cell phones are prevalent and Blizz loses money making the hardware, while others argued that it was outdated technology.

Losing money does not change the fact that hardware auth is far more secure than a cell phone. And hardware auth, unlike the Blizzard specific product is anything but outdated. The US Government, and governments around the world use hardware auth instead of mobile auth. It’s quite likely even Activision/Blizzard employees use them. If they are bought by Microsoft, they definitely will use them. Trillions of dollars in assets around the world are kept secure using hardware auth technology. And it’s time Blizzard allows us to use that technology as well.

If security is truly the goal I’d hope that the small investment (yes, I’m aware that by small I may mean a $1M+) in this feature would be worth the expense. Personally I use Yubikeys, but I’d love to see a much broader implementation.

1 Like

Customer Support has no insight into the reasons management selected a purely software-based 2FA system. Nor do they accept suggestions to be forwarded to the people who are responsible for that decision.

You want to post in General Discussion, where it has a chance to be brought to the attention of the people who make this kind of decision.

8 Likes

First thing, Blizzard did not manufacture these. They were manufactured by Vasco, and they were their line of Digipass Go 6. Vasco has continued manufacturing, and they even have a 7.

However, as Vasco manufactured these for more important real world applications (military, banking, etc), Blizzard was always running short on stock. Blizzard’s needs were filled after the more important entities. They decided to not continue with the physical authenticators, instead opting for the mobile option.

Not exactly. They sold the Authenticators for the cost that Vasco charged. They neither made nor lost money on them.

Functionally, the mobile authenticator performs the exact same as the physical one, but the mobile is able to be updated/adapted/etc. The true security comes in how people handle the physical authenticator vs. their mobile device. People generally protect their mobile device a lot better, and Blizzard spent a lot of time removing authenticators due to players losing it, batteries running dead, device failing, and so on.

Of course it is. Also, convenience, cost, availability, malleability, support, and dozens of other factors go into the decision.

14 Likes

I really can’t improve on the answers above as I have no information about why this decision was made - but all the points are valid.

From my own player’s perspective of having one, and from contacts back in the day - working here, the mobile app seems to be an improvement.

They are small - they could get lost easily - and were.

They also don’t have an infinite battery. While mine lasted twice as long as the ‘estimated’ shelf-life of 5 years, it did eventually die. When they died, it was typically without warning.

As long as your phone is secure, it’s every bit as safe and effective as the key fob. Protip: Don’t EVER let anyone that just contacts you install anything on your phone - ever. While not specific to our players, it’s a common tactic of scammers to try to get on your phone. If they do that, they have the keys to the kingdom - just as if you let them have remote access to your PC, only moreso - since that is where most security lives today.

10 Likes

I’m glad I read that. My original authenticator has been working, but that’s probably because I took a break from the game for several expansions. So, I decided to switch to the app after I saw this. You have to use the authenticator to remove it from your account and when I pushed the button, nothing came up. A brief moment of panic and then the code appeared. But at least it lived long enough to retire it.

2 Likes

Vasco estimated them at 7 years. Mine is 2010 and yes, I still use it. I do have SMS set up though so I can remove it myself if it dies suddenly :slight_smile:

I am not switching to the app until I absolutely HAVE to.

I was the same way till i lost the keyfob thank god i had sms i shouldve done it sooner it was so painless and smooth.

1 Like

Same here. I did not want to go away from the physical but then it got lost in a move so I had to. I am so glad I did as the mobile authenticator is actually so much easier to deal with than the physical one was.

1 Like

IIRC, the physical authenticator could only be used for one battle.net account whereas the phone authenticator can be used by up to three.

That has gone back and forth a few times, Nok. There was really no difference in the number of accounts based on type - just the timeframe and rules in place when it was applied.

2 Likes

Things may have changed since I last looked into it, but using it on more than one account is a nightmare.

Because a phone number is required to set it up and phone numbers can only be used on one account, it’s a convoluted process of removing/disabling SMS numbers on one account so that it can be added to another account. Then, removing/disabling on the 2nd account to that it can be readded to the 1st account. And all over again for a 3rd account.

I’d love to use my auth on my secondary account, but I don’t because of all that.

Physical FoBs are still available.

Go to Amazon and type in WoW Authentication in the search bar.

The FoB is $40 but it does work with your WoW accounts. Last year I did not own a cell phone so I bought one of these.

I think I paid $19 for mine last year. But like everything in life, it has gone up in price as well.

I have not had any issue using it but the game seldom asks me for the code anyway.

BTW my original FoB I bought in 2009 still works.

Vrak did touch on this in a different thread last week and I think it’s good information to keep in mind:

4 Likes

I believe I’ve found the page they’re talking about. It seems to be a resale of what was leftover as the official one has ‘Currently unavailable’. I’d think they’re would be on their last legs regardless of how long the keyfob been out.

2 Likes

Agreed. With how long it’s been since the physical ones stopped being made, I’d be rather wary of how long they’ve been sitting around and how little life they may have left.

1 Like

phone authenticator is the same. the physical one would be less secure (but ya cant put a bad app on a keyfob).

they wont make hardware ones when the phone does the same task. those trillions of dollars of assets arent video games. make your comparison similar at least.

cell phone security is up to the user. its up to YOU, not blizz or anyone else to use common sense on what you download to your phone

edit to add - the chip in the phone that generates the code has far more security that the 8 year old keyfob

I am afraid I totally disagree with you there. My keychain is not connected to the internet in any way. It can NOT be tampered with or changed. It relies totally on physical security, which I have total control over. My phone relies on both internet security and physical security. Two routes to possible compromise or misuse.

I really prefer the keychain and am sad that eventually mine won’t work anymore. I do realize that the battery will die, or I could drop it somewhere, but that is hardly a big concern in my own house :slight_smile: I mostly worry a cat will bat it under something!

2 Likes

Cleaning up old posts! :slight_smile:

1 Like

100% accurate. The instant a device connects to a network, it is inherently less secure. Mobile authenticator apps make things more flexible and convenient, which are generally the antithesis of secure.

I think the overall point when it comes to Blizzard, is that security is paramount, but this is still a game and that level of lockdown security is not needed. It would be nice, of course, but taking those resources away from more important real-world situations is not necessary.

There’s also the thought that if a game is using the same technology as the governments and banks, then the hackers can work on breaking through that technology in a low-risk environment like WoW. Perfecting the technology on a game could lead to more efficient hacks of those real-life systems.

Cleaning up old posts! :slight_smile:

3 Likes