Blizzard Mobile Authenticator
- For the physcial device, see Blizzard Authenticator.
The Blizzard Mobile Authenticator, previously known as Battle.net Mobile Authenticator, is a security mobile application that functions similarly to the Blizzard Authenticator key fob device. However, it cannot be used in conjunction with the other device, one or the other can be used, but not both. With an update on March 27, 2017, the authenticator was renamed from the Battle.net brand to the Blizzard brand.
Logging into World of Warcraft
Launching World of Warcraft without the Blizzard Battle.net desktop app will prompt the user to enter in the authenticator code (after signing in) while the desktop app automatically logs the user into WoW, bypassing the authentication requirement.
Disconnecting from World of Warcraft and reentering the credentials instead of restarting WoW from the desktop app will still prompt the user for the code.
It was possible to install and use the mobile authenticator on many other devices which are not officially supported by Blizzard. Most mobile phones are capable of running the basic java authenticator application. The information on installing the authenticator on unsupported devices can be found here.[dead link - archived copy]
- The first version for the Blackberry was released on March 8, 2010, while the last version was on February 28, 2011.
- The first version for Windows Phone was on July 5, 2011, while the last version was on July 15, 2011.
End of official J2ME support
The J2ME (Java) version of the Battle.net Mobile Authenticator is only available for download until December 13, 2011. Since the date, already downloaded versions would still work but no new downloads are possible. The versions for Android, Windows Phone 7 and iPhone were not affected and were still available for download.
The initialization of an authenticator is done via an RSA encrypted request to the Blizzard initialization servers including a one-time pad key for encryption of the response. The server generates an 160-bit key which is later used for code generation and a serial number is connected to that key. Both things are stored on the server and are also sent back to the client (encrypted with the one-time pad key from the request).
The code generation is done via encrypting the current time (milliseconds since 1970/01/01 0:00 UTC divided by 30,000) with HMAC-SHA1 using the key from the initialization. From the result are some bytes selected and displayed as the current authenticator code.
Because of a weak one-time pad key generation algorithm on the client side, an attacker who is able to capture the encrypted initialization response between server and client device can fully compromise the security of the Battle.net Mobile Authenticator. The reason is, that the one-time pad key used for encryption of the server response only depends deterministic from the current time on the client device. Normally that time shouldn't differ too much from the common time. So an attacker only needs to guess some time values, calculate the corresponding one time pad keys, use them for decryption of the captured server response and check, whether one of the results make sense (because of the known format of the included serial number, it is easy to say, whether a result makes sense or not). If he finds such a result, it is very likely that he guessed the correct one-time pad key and now knows the authenticator ID and the secret code calculation key from the decrypted response.
To prevent this attack even if there is no real randomness (e. g. hardware random generator) is available on the client device, there should be used aside from the current time also some kind of user-generated randomness (pressing random buttons on the device, ...) for creating the one time pad key used for encryption of the initialization data.
It is possible to reimplement the specification to run the authenticator also directly on the computer. It is difficult to say, whether this is less secure or not in comparison to running it on a real mobile device from an application which is directly supported by Blizzard. An attacker could read out the necessarily stored secret code calculation key from the computer via a virus and so breaks the security of such a computer authenticator. But with a virus on the victim's computer, the attacker could also read the typed authenticator code when the victim is logging into the game, interrupting the connection of the victim and using the current authenticator code by itself for immediate game login (possibly with a bot) while preventing further game logins of the victim via a virus.
List of desktop ports with public source code availability:
It is also possible to run Blizzards implementation within a mobile phone emulator on the desktop.
An online version also exists and has been publicly available since November 2011. The source code of the PHP implementation are published, but this is not the case for the website. This kind of online application is less secure than a desktop port, but, as an advantage, one can retrieve their code from anywhere.
Notes and trivia
- It was revealed on March 27, 2009, that Blizzard was working on this mobile app. A few days later, it was officially announced and released on March 31, 2009 on the US official forums and June 2, 2009 on the EU official forums.
- This app was not available in mid to late September 2009 due to some unknown reason. Several blue posts stated this fact, but no reason was given.
- This app cannot be used in conjunction with the physical device, one or the other can be used, but not both.
- Previous versions
- ^ | 2009-08-26 07:38 by Orlyia
- ^ Battle.net Mobile Authenticator – Java Version Support Update. Blizzard Entertainment (2011-11-11). Archived from the original on 2011-11-13.
- ^ Seclists.org: 2010/09/20: Battle.net Mobile Authenticator MITM Vulnerability
- ^ Eliah Hecht 2009-03-27. iPhone authenticator now in app store, for free. WoW.com. Archived from the original on 2009-06-11.
- ^ | 2009-04-01 06:49 by Nethaera
- ^ | 2009-06-02 19:12 by Ancilorn
- ^ Orlyia 2009-08-26. Re: iPhone Blizz Authenticator. Archived from the original on 2010-01-23.