Why has physical authentication not been updated?

Hoping that this request could be considered. Once upon a time Blizz made physical authenticators, several years ago the product was discontinued as noted in these forums. However, since then no replacement has been made and no hardware authentication has been added to secure accounts.

Some have argued that cell phones are prevalent and Blizz loses money making the hardware, while others argued that it was outdated technology.

Losing money does not change the fact that hardware auth is far more secure than a cell phone. And hardware auth, unlike the Blizzard-specific product, is anything but outdated. The US Government, and governments around the world, use hardware auth instead of mobile auth. It’s quite likely even Activision/Blizzard employees use them. If they are bought by Microsoft, they definitely will use them. Trillions of dollars in assets around the world are kept secure using hardware auth technology. And it’s time Blizzard allows us to use that technology as well.

If security is truly the goal I’d hope that the small investment (yes, I’m aware that by small I may mean a $1M+) in this feature would be worth the expense. Personally I use Yubikeys, but I’d love to see a much broader implementation.

1 Like

Customer Support has no insight into the reasons management selected a purely software-based 2FA system. Nor do they accept suggestions to be forwarded to the people who are responsible for that decision.

You want to post in General Discussion, where it has a chance to be brought to the attention of the people who make this kind of decision.

8 Likes

First thing, Blizzard did not manufacture these. They were manufactured by Vasco, and they were their line of Digipass Go 6. Vasco has continued manufacturing, and they even have a 7.

However, as Vasco manufactured these for more important real world applications (military, banking, etc), Blizzard was always running short on stock. Blizzard’s needs were filled after the more important entities. They decided to not continue with the physical authenticators, instead opting for the mobile option.

Not exactly. They sold the Authenticators for the cost that Vasco charged. They neither made nor lost money on them.

Functionally, the mobile authenticator performs the exact same as the physical one, but the mobile is able to be updated/adapted/etc. The true security comes in how people handle the physical authenticator vs. their mobile device. People generally protect their mobile device a lot better, and Blizzard spent a lot of time removing authenticators due to players losing it, batteries running dead, device failing, and so on.

Of course it is. Also, convenience, cost, availability, malleability, support, and dozens of other factors go into the decision.

14 Likes

I really can’t improve on the answers above as I have no information about why this decision was made - but all the points are valid.

From my own player’s perspective of having one, and from contacts back in the day - working here, the mobile app seems to be an improvement.

They are small - they could get lost easily - and were.

They also don’t have an infinite battery. While mine lasted twice as long as the ‘estimated’ shelf-life of 5 years, it did eventually die. When they died, it was typically without warning.

As long as your phone is secure, it’s every bit as safe and effective as the key fob. Protip: Don’t EVER let anyone that just contacts you install anything on your phone - ever. While not specific to our players, it’s a common tactic of scammers to try to get on your phone. If they do that, they have the keys to the kingdom - just as if you let them have remote access to your PC, only moreso - since that is where most security lives today.

10 Likes

I’m glad I read that. My original authenticator has been working, but that’s probably because I took a break from the game for several expansions. So, I decided to switch to the app after I saw this. You have to use the authenticator to remove it from your account and when I pushed the button, nothing came up. A brief moment of panic and then the code appeared. But at least it lived long enough to retire it.

2 Likes

Vasco estimated them at 7 years. Mine is 2010 and yes, I still use it. I do have SMS set up though so I can remove it myself if it dies suddenly 🙂

I am not switching to the app until I absolutely HAVE to.

I was the same way till I lost the keyfob. Thank god I had SMS. I should’ve done it sooner; it was so painless and smooth.

1 Like

Same here. I did not want to go away from the physical but then it got lost in a move so I had to. I am so glad I did as the mobile authenticator is actually so much easier to deal with than the physical one was.

1 Like

IIRC, the physical authenticator could only be used for one battle.net account whereas the phone authenticator can be used by up to three.

That has gone back and forth a few times, Nok. There was really no difference in the number of accounts based on type - just the timeframe and rules in place when it was applied.

2 Likes

Things may have changed since I last looked into it, but using it on more than one account is a nightmare.

Because a phone number is required to set it up and phone numbers can only be used on one account, it’s a convoluted process of removing/disabling SMS numbers on one account so that it can be added to another account. Then, removing/disabling on the 2nd account so that it can be re-added to the 1st account. And all over again for a 3rd account.

I’d love to use my auth on my secondary account, but I don’t because of all that.

Physical fobs are still available.

Go to Amazon and type in WoW Authentication in the search bar.

The fob is $40 but it does work with your WoW accounts. Last year I did not own a cell phone so I bought one of these.

I think I paid $19 for mine last year. But like everything in life, it has gone up in price as well.

I have not had any issue using it but the game seldom asks me for the code anyway.

BTW my original fob I bought in 2009 still works.

Vrak did touch on this in a different thread last week and I think it’s good information to keep in mind:

4 Likes

I believe I’ve found the page they’re talking about. It seems to be a resale of what was leftover as the official one has ‘Currently unavailable’. I’d think they would be on their last legs regardless of how long the keyfob has been out.

2 Likes

Agreed. With how long it’s been since the physical ones stopped being made, I’d be rather wary of how long they’ve been sitting around and how little life they may have left.

1 Like

Phone authenticator is the same. The physical one would be less secure (but ya can’t put a bad app on a keyfob).

They won’t make hardware ones when the phone does the same task. Those trillions of dollars of assets aren’t video games. Make your comparison similar at least.

Cell phone security is up to the user. It’s up to YOU, not Blizz or anyone else, to use common sense on what you download to your phone.

Edit to add: the chip in the phone that generates the code has far more security than the 8-year-old keyfob.

I am afraid I totally disagree with you there. My keychain is not connected to the internet in any way. It can NOT be tampered with or changed. It relies totally on physical security, which I have total control over. My phone relies on both internet security and physical security. Two routes to possible compromise or misuse.

I really prefer the keychain and am sad that eventually mine won’t work anymore. I do realize that the battery will die, or I could drop it somewhere, but that is hardly a big concern in my own house 🙂 I mostly worry a cat will bat it under something!

2 Likes

Hello Mirasol,

When it comes down to it, I think you are correct. There are a number of real world examples of fob use and security in certain risk management situations that demonstrate how effective it can be. There are also any number of examples of phone compromises through apps or links, even ones with no user interaction (there is a whole market out there, ostensibly aimed at nation states, but also…well who knows who buys that stuff). Those markets will grow, bad actors will continue being creative, and the good guys will continue hardening the systems.

But, security is a balance. And in the end, when balancing against other stuff, a reasonable approach is one that is most effective against most situations for the most users that should win. Blizz’s approach chose that. Most people have phones. Phone use for most everything will continue to grow. Heck eventually your ID is gonna be on the phone. Adapting to that reality is both good security and business sense. Blizz made the right call.

That said, there was a reason I wanted to find a way to continue the life of my old fob. But it got retired.

Of course, command line web browsing is a thing too, and it’s pretty secure! But I’m not (edit: reasonably) interacting with this website or many others with it! Hah! And that is okay.

1 Like

100% accurate. The instant a device connects to a network, it is inherently less secure. Mobile authenticator apps make things more flexible and convenient, which are generally the antithesis of secure.

I think the overall point when it comes to Blizzard, is that security is paramount, but this is still a game and that level of lockdown security is not needed. It would be nice, of course, but taking those resources away from more important real-world situations is not necessary.

There’s also the thought that if a game is using the same technology as the governments and banks, then the hackers can work on breaking through that technology in a low-risk environment like WoW. Perfecting the technology on a game could lead to more efficient hacks of those real-life systems.

Hello Melaesia,

The point re: practicing on low risk targets to perfect for use against actual targets is a good one. I’m certain the industry has seen that played out a time or two, especially in cases of vendor specific security solutions.

And there is always the balance between usability and security.

Okay, I’ll leave this here.

3 Likes