Time to Get Rid of my Authenticator

Even though I haven’t played WoW in ages, I still have my authenticator on my key ring. My office key ring, to be exact. That might be weird, carrying it around at work, but it had something to do with load balancing. I hate large key rings, so I have several small ones. At the time I picked up my authenticator, I had recently gotten my office keys, and that key ring was still mostly empty. That’s also the reason I never removed the authenticator, even after I stopped playing: it gave the keys some extra weight and volume that made me feel less likely to forget or lose them (it has worked so far!). Naturally, after all these years, it’s become a bit worn:

I’ll use the chance to show off my key ring.

Note the nice electronic office key that says “I’m a computer scientist, I use doors that need almost a second of thinking time before you may turn the key after putting it into the lock!”. One second doesn’t sound like much, but try it… nobody waits that long before turning a key unless they have to. It’s surprisingly disruptive. Oh, and sometimes it doesn’t work at all and you need to pull it out, wait 5 seconds, then try again. There’s also a MacGyveresque mini ballpoint pen in a tube on the key ring. Because you never have a pen when you need it (naturally, now that I do, I never have paper to write on). Also there’s a bottle opener. Nice during the day for the few soft drinks that come with crown caps and even better during the night for beer. We tend to work long enough in summer that we sometimes end the evening with a beer or two at work, on our terrace. Actually, sometimes we have one even before we’re done… Hey, it’s Germany! Besides, the opener was a promotional gift by Opera (the web browser developer). They got cheated by their supplier though, I think. Their logo and slogan (“opening the web”) wore off within weeks.

But back to the authenticator. It still works and the front doesn’t look too bad, either. However, the back makes me worry a bit more:

I think that number might’ve been important…

Removing a broken authenticator from your battle.net account seems to be an obscure work of black magic. At least, the process for doing it seems to change over time. At some point, I’m pretty sure that code on the back side, which you needed when you registered the key fob, was also required to remove it again, or at least saved you a lot of hassle (there still must’ve been ways to deal with lost or broken authenticators). These days, it doesn’t seem to be strictly required any more, but if your authenticator breaks, it’s still a lengthy and annoying process to get rid of it on your account. Seeing how I haven’t logged into a Blizzard game in months, I don’t see much reason to keep it secured with this authenticator. In fact, at the moment, the risk of getting hacked worries me less than the risk of locking myself out of an account I might want to use again at some point in the future.

Speaking of authenticators, do they even still sell the key fobs? I couldn’t find them in the battle.net store. Is it all smartphone apps these days? I’m a bit paranoid about the Android one, not least because I imagine it can spectacularly break (like other such apps) if for some reason you lose the random seed or need to reinstall. I also heard it goes all crazy and judgmental on you if you use it on a rooted phone. Most importantly, it feels a lot less secure than a stand-alone key fob. Finally: can the app manage more than one battle.net account at a time? I have two accounts, one for each side of the ocean, with different games bound to them. If I get around to them again, I’d prefer to have an authenticator that can manage both accounts.

7 thoughts on “Time to Get Rid of my Authenticator”

  1. Heh, I put my authenticator on my key ring for a little while, until I realized that I did not actually need it anywhere except at my desk at home. So it is hung up on a peg there. And even then, with the way Blizzard has worked things, I only need it about once a week. So long as I authenticate from my machine, it assumes logons from that IP address are authenticated for 5-7 days.

    And yeah, that number on the back, it’s kind of important.

    1. The problem with Internet in Germany is that you have forced disconnects every 24h, with some providers even every 12h. It’s been that way ever since flat modem/ISDN rates started to appear in the late 90s. The providers seem to be horribly worried about people setting up servers on static IPs, so they disconnect you every 24h so you get a new IP from their range. I guess they want to make sure they can sell static IP contracts at a premium… So I needed my authenticator all the time. (Though still mostly at home, that’s true.) Since my net also sometimes went down in the middle of a boss fight for no apparent reason, I got pretty fast at logging in and using the authenticator. Too bad there are no Olympics for that.

      And about that serial number… it’s obviously very important to register. Whether you need it afterwards depends on their policy, I guess.

      When I searched around for information, I realized there are lots of posts with strange or downright wrong claims about authenticators. (This is the Internet, after all.) But I couldn’t find a single post that tried to explain how authenticators work on a technical level. Maybe if I have time, I’ll try to write an instructional “this is how they work, and what the serial is for, and where the numbers in your key fob come from” post. That might be a genuinely useful thing to have around.

  2. At least in the North America region I heard they have the physical item store back up on the website, including authenticators; they weren’t available for quite a while from Blizzard (but may have been from Amazon.com, etc). Can’t speak to anywhere else, but if not, it might be back up soon. If you’re just looking to remove the authenticator from your account, though, you should be able to do that: just “lose” the authenticator and proceed.

    1. Removing is actually not too bad. My authenticator still works, so I can simply log in and remove it from my account. Thankfully, you only need the serial number to register a key fob type authenticator, not to remove it.

    2. In terms of how they work, the serial number on the fob is known to the host server and has the ability to create the same code as your fob so it’ll know if the one you use is correct or not. That’s why it should only be necessary for setting up the connection; being required to remove seems like more of a “we want to be sure you’re holding it in your hand at the time” possession verification kind of thing. That’s why I’d suggest that you “lose” it when doing the disconnect; it avoids the awkwardness of a partial serial number but may require a bit more effort for them to verify your identity as the account holder.

      Here’s the link to the product the authenticator is based off if you’re looking for more info:
      http://www.vasco.com/products/client_products/single_button_digipass/digipass_go6.aspx

      1. That’s what I wanted to say. It’s not only not required technically, but also not procedurally by Blizzard (at least not any more).

        And I’m writing a post about “how do they work” at the moment. I’ll have to see whether I can make the technical details behind how their security works understandable enough to make it a worthwhile post.
