
Blizzard Mobile Authenticator

Were you looking for Blizzard Authenticator (key fob device)?

The Blizzard Mobile Authenticator, previously known as Mobile Authenticator, is a small mobile phone application that functions similarly to the Blizzard Authenticator key fob device. However, it cannot be used in conjunction with the other device; one or the other can be used, but not both.[1] On March 27, 2017, the authenticator was renamed from the brand to the Blizzard brand.

The application is free for iOS devices and Android phones, but costs US$0.99 for other mobile phones. As with many iOS apps, it requires a Wi-Fi connection during setup (or re-setup or re-sync to restore the app) on the iPod touch and the iPad with Wi-Fi.

How having an authenticator affects your log in

Each time you log in to your account from a different computer, you will need to enter your authentication number. (This includes the first time you log on after getting your authenticator.) After you have authenticated on a computer, you can continue to log in from that point without worrying about entering an authentication number every time you log in. (It will still pop up from time to time, just to be safe.)

The authenticator protects you as follows: if someone (say, from a different city or country) steals your login password, they will not be able to log in from their own computer, because your WoW account is authenticated to the computer you play on (or last played on).

NOTE: "Computer" is used above for simplicity. What the authenticator pays attention to is your IP address when you log in. This address is different if you play WoW on a different computer in your house or take your laptop to a different access point (say WiFi in a hotel) to play.

Unsupported Mobile Devices

It is possible to install and use the mobile authenticator on many mobile phones that are not officially listed as supported by Blizzard. Most mobile phones are capable of running the basic Java authenticator application; information on installing the authenticator on unsupported devices can be found here.[dead link - archived copy]

Blizzard originally supported the mobile authenticator officially for Windows Phone and Blackberry, but these versions were later discontinued and are no longer updated.

  • The first version for the Blackberry was released on March 8, 2010 while the last version was on February 28, 2011.
  • The first version for Windows Phone was on July 5, 2011 while the last version was on July 15, 2011.

End of official J2ME Support

The J2ME (Java) version of the Mobile Authenticator is only available for download until December 13, 2011.[2] After this date, already downloaded versions will still work, but no new downloads are possible.

Versions for Android, Windows Phone 7 and iPhone are not affected and stay available for download.


Main article: Mobile Authenticator Specification

A Mobile Authenticator is initialized via an RSA-encrypted request to Blizzard's initialization servers, which includes a one-time pad key for encrypting the response. The server generates a 160-bit key, which is later used for code generation, and associates a serial number with that key. Both are stored on the server and are also sent back to the client (encrypted with the one-time pad key from the request).

Codes are generated by computing HMAC-SHA1 over the current time (milliseconds since 1970/01/01 0:00 UTC divided by 30,000), keyed with the key from the initialization. Some bytes are selected from the result and displayed as the current authenticator code.
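The code generation described above, together with the matching server-side check, as an added example that is not part of the original page or Blizzard's code. The page does not say which bytes are selected or how many digits are shown; the 8-byte big-endian counter, the RFC 4226 dynamic truncation, the 8-digit length, the drift window and the names `code_at` and `verify` are assumptions.

```python
import hashlib
import hmac
import struct

STEP_MS = 30_000  # from the page: milliseconds since the epoch divided by 30,000
DIGITS = 8        # assumption: code length is not stated on the page


def code_at(key: bytes, unix_ms: int) -> str:
    """Return the code for the 30-second interval that contains unix_ms."""
    counter = unix_ms // STEP_MS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Assumption: RFC 4226 dynamic truncation selects the bytes to display.
    # The low nibble of the last MAC byte is the offset of a 4-byte window.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify(key: bytes, submitted: str, unix_ms: int, drift_steps: int = 1) -> bool:
    """Server-side check that tolerates +/- drift_steps intervals of clock drift."""
    candidate = submitted.encode("utf-8", "replace")
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = code_at(key, unix_ms + delta * STEP_MS).encode()
        # Constant-time comparison and no early exit, so response timing
        # does not reveal which interval (if any) matched.
        ok |= hmac.compare_digest(expected, candidate)
    return ok
```

A wider `drift_steps` accepts more simultaneous codes per attempt, so the server should pair it with attempt rate limiting.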

Security Vulnerability

Because of a weak one-time pad key generation algorithm on the client side, an attacker who is able to capture the encrypted initialization response between server and client device can fully compromise the security of the Mobile Authenticator.[3] The reason is that the one-time pad key used to encrypt the server response depends deterministically on nothing but the current time on the client device. Normally that time does not differ much from the actual time. So an attacker only needs to guess some time values, calculate the corresponding one-time pad keys, use them to decrypt the captured server response, and check whether one of the results makes sense (because the format of the included serial number is known, it is easy to tell whether a result makes sense). If such a result is found, it is very likely that the guessed one-time pad key is correct, and the attacker now knows the authenticator ID and the secret code calculation key from the decrypted response.

To prevent this attack even when no real randomness (e.g. a hardware random generator) is available on the client device, the one-time pad key used to encrypt the initialization data should be created not only from the current time but also from some kind of user-generated randomness (pressing random buttons on the device, ...).
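The weak pattern and the mitigation proposed above, side by side, as an added example that is not code from the original page or from Blizzard. The SHAKE-256 derivation, the event framing, the 32-event minimum and all names are assumptions chosen for illustration; the page does not give the client's actual algorithm.

```python
import hashlib
import math
import secrets


def pad_time_only(unix_ms: int, n: int) -> bytes:
    """Weak pattern from the page: the pad is a pure function of the clock.
    SHAKE-256 is a stand-in here, not the client's real derivation."""
    return hashlib.shake_256(unix_ms.to_bytes(8, "big")).digest(n)


def guess_space_bits(clock_error_s: float) -> float:
    """Bits needed to cover every millisecond within +/- clock_error_s."""
    return math.log2(2 * clock_error_s * 1000 + 1)


class EntropyPool:
    """Mitigation from the page: mix the clock with user-generated input."""

    def __init__(self, unix_ms: int) -> None:
        self._h = hashlib.shake_256(b"pad-v1" + unix_ms.to_bytes(8, "big"))
        self.events = 0

    def key_press(self, key_code: int, delta_us: int) -> None:
        # Fixed-width fields, so two different event sequences can never
        # serialize to the same byte string.
        self._h.update(key_code.to_bytes(2, "big") + delta_us.to_bytes(4, "big"))
        self.events += 1

    def pad(self, n: int, min_events: int = 32) -> bytes:
        # Refuse to emit a pad until enough input was mixed in. The event
        # count is a floor, not a measurement of the entropy collected.
        if self.events < min_events:
            raise ValueError("not enough user input collected")
        return self._h.copy().digest(n)


def pad_csprng(n: int) -> bytes:
    """Preferred wherever the platform offers an OS random generator."""
    return secrets.token_bytes(n)
```

With a client clock known to within one minute, `guess_space_bits(60)` is just under 17 bits, which is all that protects a response carrying a 160-bit key.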

Desktop ports

It is possible to reimplement the specification so that the Mobile Authenticator runs directly on a PC. It is difficult to say whether this is less secure than running it on a real mobile device. Of course, an attacker could use a trojan to read the secret code calculation key, which must be stored on the PC, and so break the security of such a PC authenticator. But with a trojan on the victim's PC, the attacker could also read the authenticator code as the victim types it when logging in to the game, interrupt the victim's connection, and use the current authenticator code for an immediate game login (maybe with a bot), while the trojan prevents further game logins by the victim.

List of desktop ports with public source code availability:

It is also possible to run Blizzard's implementation within a mobile phone emulator on the desktop.

An online version also exists and has been publicly available since November 2011. The source code of the PHP implementation is published, but this is not the case for the website. This kind of online application is less secure than a desktop port but, as an advantage, you can retrieve your code from anywhere.


  • This application was announced on March 31st, 2009 on the US official forums and June 2nd, 2009 on the EU official forums.[4][5]
  • The Mobile Authenticator app was not available in mid to late September 2009 for some reason. Several blue posts stated this fact, but no reason was given.
  • All Android based phones can download and use the Mobile Authenticator app listed in the Android Market regardless of whether the phone is listed as being supported here.

