Blizzard’s Battle.net Authenticator Goes One-Button

Blizzard’s Battle.net Mobile Authenticator app is now less of a faff, simply showing “Approve” and “Deny” buttons for authorising logins. Previously, it’d generate a code folks would need to type out while logging in to play Overwatch, StarCraft II, and whatnot. It’s a tiny change but removing any faff from security procedures is always good. If you already use the authenticator, hooray for less faff! If you don’t use it because you don’t like faffing about, mate, come on, how much simpler can it get?

Blizzard explain the new way in a blog post:

“Whenever a log in attempt occurs on your account you will be notified via the app and prompted to Approve or Deny the request. You can also approve log in requests with notifications on your mobile or smartwatch without even opening the app!”

That’s nice and simple, that. Blizzard do also point out that, by default, you only need to authenticate a device once per week.
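To make the approve/deny flow concrete, here is a toy version of the push exchange in Python. It is an added illustration, not Blizzard's code: the page does not describe their protocol, so every message shape and field below (challenge id, originating IP, expiry, device key shared at enrolment, HMAC over the decision) is an assumption of this example. What it shows is the set of properties a practitioner would check for in a one-button scheme: the challenge is bound to a device enrolled once, it expires, it can be consumed only once, and the Approve/Deny choice is covered by the MAC, so a captured Deny cannot be flipped into an Approve and a captured Approve cannot be replayed.

```python
"""Toy push-approval login: device-bound, expiring, single-use challenges.

Constructed illustration, not Blizzard's implementation. Every field and
message shape here is an assumption of this example.
"""
import hashlib
import hmac
import json
import secrets


def _canonical(challenge, decision):
    # Fixed field set and ordering so phone and server MAC identical bytes.
    body = {
        "id": challenge["id"],
        "account": challenge["account"],
        "device": challenge["device"],
        "ip": challenge["ip"],
        "expires": challenge["expires"],
        "decision": decision,
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class PushServer:
    """Server side: enrols a device once, then issues and checks challenges."""

    def __init__(self):
        self.device_keys = {}   # device_id -> 32-byte key shared at enrolment
        self.pending = {}       # challenge id -> challenge awaiting a decision

    def enroll(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key              # handed to the app during one-time setup

    def start_login(self, account, device_id, ip, now, ttl=60):
        if device_id not in self.device_keys:
            raise KeyError("device not enrolled")
        challenge = {
            "id": secrets.token_hex(16),   # unguessable and single-use
            "account": account,
            "device": device_id,
            "ip": ip,          # shown to the user so an unexpected login stands out
            "expires": now + ttl,
        }
        self.pending[challenge["id"]] = challenge
        return challenge       # this dict is the "push" payload

    def finish_login(self, response, now):
        challenge = self.pending.get(response.get("id"))
        if challenge is None:
            return False, "unknown or already-used challenge"
        if now > challenge["expires"]:
            del self.pending[challenge["id"]]
            return False, "challenge expired"
        key = self.device_keys[challenge["device"]]
        expected = hmac.new(key, _canonical(challenge, response["decision"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return False, "bad mac"        # tampered decision or wrong device
        del self.pending[challenge["id"]]  # consume: a captured reply cannot be replayed
        if response["decision"] == "approve":
            return True, "approved"
        return False, "denied by user"


def device_respond(key, challenge, decision):
    """Phone side: the single button press, signed with the enrolment key."""
    assert decision in ("approve", "deny")
    mac = hmac.new(key, _canonical(challenge, decision), hashlib.sha256).hexdigest()
    return {"id": challenge["id"], "decision": decision, "mac": mac}


def demo():
    """Run the flow once per interesting case and collect the server verdicts."""
    server = PushServer()
    key = server.enroll("phone-1")
    results = {}

    ch = server.start_login("player@example.net", "phone-1", "203.0.113.7", now=1000)
    reply = device_respond(key, ch, "approve")
    results["approve"] = server.finish_login(reply, now=1010)
    results["replay"] = server.finish_login(reply, now=1011)     # same reply again

    ch = server.start_login("player@example.net", "phone-1", "198.51.100.9", now=2000)
    reply = device_respond(key, ch, "deny")
    forged = dict(reply, decision="approve")                      # attacker flips the button
    results["forged"] = server.finish_login(forged, now=2005)
    results["deny"] = server.finish_login(reply, now=2006)

    ch = server.start_login("player@example.net", "phone-1", "203.0.113.7", now=3000)
    reply = device_respond(key, ch, "approve")
    results["expired"] = server.finish_login(reply, now=3061)     # one second past ttl
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:8s} -> {'login' if ok else 'reject'} ({why})")
```

The two things this toy cannot fix are the ones LegendaryTeeth raises in the comments: if the enrolment key can be pushed to a device the attacker controls, or if the user taps Approve on a prompt they did not start, the server has no way to tell. Showing the originating address in the prompt and expiring the challenge quickly only narrow that window.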

Only the iOS and Android apps are updated so far, mind – not Windows 10 Mobile.

Valve have also been pushing two-factor authentication (using more than one component to verify access, such as chip + PIN on cards or password + authenticator), but a little more aggressively. They’ve introduced trading delays on Steam for anyone not using their authenticator, nudging people to start using it. Their motivation is twofold: losing accounts sucks for players, and dealing with the resulting complaints sucks for customer support.

While we’re at it, you are also using something like KeePass or LastPass to generate and track unique and complex passwords for each account, right? Good, good.

22 Comments

  1. Cross says:

    Having just written a 20 page paper on usability and security, I can just nod and smile, seeing this. This is definitely a step forward, insofar as it doesn’t compromise the security of the thing.

    • Cooper says:

      Is there a reason it wasn’t like this already?

      As far as I can see, the point of this was that if someone gained access to your account, they would also need to have stolen your phone.

      So rather than giving you a series of letters to type into your computer, this change just means your computer gives you the numbers and you check them against your phone and press a single button.

      The same process, but in reverse, reducing the user input to near minimal.

      Was it just poor design that meant it was the other way around to begin with?

      • LegendaryTeeth says:

        I think it started with a non-phone based code generator. A little keyfob thing you paid a couple bucks for. Moving to a phone made it cheaper, but it’s easier to compromise a general purpose phone than a keyfob with no buttons or network access.

        Moving to this push based button system adds to the attack surface: if the communications protocol they use is insecure, or you can trick them into sending the push to another device you control.

        It’s probably still fine, but then maybe sometime it won’t be and a whole bunch of accounts will get compromised at once. There’s always a tradeoff between security and convenience.

      • LionsPhil says:

        In addition to the above, don’t forget an intermediate form, compatible with dumbphones, is to send the code as an SMS message. Google will even offer voice calls to landlines where a robot will read it out, and you can print out a little card of one-time codes for if even that won’t work. (You don’t want to be locked out of your e-mail by your phone or the tower of tech it sits on failing, after all.)

      • Person of Interest says:

        The old design likely didn’t require any communication between Blizzard and your phone: the most common two-factor authentication system, used by Google Authenticator and such, is called TOTP ( link to en.wikipedia.org ) which only requires a one-time setup, and can then run completely offline.

        The new design requires more infrastructure on Blizzard’s end, since they now need servers to talk back and forth with your phone.
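To make the contrast in the comment above concrete, here is the offline scheme spelled out in Python. It is an added example, not Blizzard's or Google's code: HOTP per RFC 4226 and TOTP per RFC 6238, which is what a code-generating authenticator app runs. After the one-time secret exchange, phone and server derive the same code from the clock alone, so no traffic between them is needed. The secret and timestamps used in the demo are the published RFC 6238 test vectors; the replay-tracking verifier is this example's own addition.

```python
"""Offline TOTP (RFC 6238 over RFC 4226 HOTP) with a replay-resistant verifier.

Added illustration, not any vendor's implementation. The secret and the
timestamps in demo() are the RFC 6238 Appendix B test vectors (SHA-1).
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time window."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: tolerate +/-skew windows of clock drift, but never accept
    a code from a window that has already been consumed (replay)."""

    def __init__(self, secret, step=30, digits=6, skew=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_counter = -1   # highest window already used for a login

    def verify(self, code, unix_time):
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue         # this window (or an older one) was already spent
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


def demo():
    """RFC 6238 vectors plus the verifier's accept / replay / out-of-window behaviour."""
    secret = b"12345678901234567890"   # RFC 6238 SHA-1 test secret
    results = {
        "t59_8digits": totp(secret, 59, digits=8),
        "t59_6digits": totp(secret, 59),
        "t1111111109": totp(secret, 1111111109, digits=8),
        "t1234567890": totp(secret, 1234567890, digits=8),
    }
    v = TotpVerifier(secret)
    code = totp(secret, 59)                        # generated in window 1 (30..59 s)
    results["accept_with_drift"] = v.verify(code, 75)   # server clock is in window 2
    results["replay_rejected"] = v.verify(code, 75)     # same code presented again
    results["far_window_rejected"] = v.verify(hotp(secret, 5), 75)   # 3 windows ahead
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22s} {value}")
```

Note what the verifier does not need: a network path to the phone, a device key, or a challenge. That is why the old keyfob could be a sealed box with a display. The cost is the other comment's point: a 6-digit code that any party can type is phishable, whereas a push prompt can at least show where the login came from.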

  2. Aitrus says:

    Yup, Steam is holding up a big middle finger to those of us who don’t have mobile devices. Maybe that’s just 3 people, though.

    • Aerothorn says:

      I have a mobile device. It’s great! Does everything I need. But it isn’t a smartphone, so this stuff doesn’t work, and yes, the Steam decision is grueling.

      You can work around it by using a program called WinAuth, but it’s a lot of work for nothing (since then you aren’t making it that much more secure) and it has the nasty side effect of locking you out of Steam on anything other than your primary gaming device.

    • Solidstate89 says:

      Even if you have a smartphone, Valve only supports Android and iOS. I was on Windows Phone for years, and due to Gabe’s hard-on of hating all things MS related, they never released an app for that platform.

      I just recently switched to iOS so I went to go see about installing the Steam app – you’re not missing anything. It’s fucking awful. I entered my login credentials and then when I left the app to go look at the e-mail I received for Steam Guard and copy and paste the code…well, it cleared out all of my entered credentials for Steam.

      Uninstalled it immediately. Fuck the Steam app.

      • Cim says:

        You can’t say “only” iOS and Android… that’s somewhere around 97-98% of the entire smartphone market. It’s great that Windows Phone exists but not even Microsoft themselves seem all that confident about it any more. Asking for them to support an OS that small, with that uncertain a future, is asking a lot.

        Completely agree that the Steam app needs work though, the authentication stuff has been very reliable (at least for me). However, everything else from chatting to going offline rarely works as it’s intended.

        • nearly says:

          I see a lot of what Microsoft is doing these days as compromising. I was on Windows Phone for years and switched to Android about 6 months ago because I was due for an upgrade and it looked like my carrier wasn’t getting W10 mobile phones. I feel better about this decision as I see Microsoft finally edging their way out of the smartphone market but I was committed as long as it seemed like they were. Unfortunately, they didn’t have support from the carriers and I’m sure that made things a lot worse.

          It’s a shame because a lot of this isn’t that hard. I don’t know what the status of the project ended up being but I was under the impression that with Windows 10 they were making it trivially easy to port apps. Aside from that, 3rd party developers make a lot of things work before the actual developers find they have enough in their budget to have a person or two put an app on the Windows store (and then never update it). It just sucks when, say, Snapchat blocks the entire platform after other people put time and effort to enable it and then say they’re not going to bother with an app on Windows phone. At the end of the day, that kind of move is just worse for everybody and stifles competition to the big two. Strange decision when the aggressive pushing of Windows 10 is going to put the app store on a looot of screens this year even as Android is trying to get into the laptop/desktop space.

      • Phasma Felis says:

        The only person I know who ever owned a Windows phone got it by mistake. (She couldn’t remember which one I had, and guessed Android instead of Windows.)

        I’ve got to guess that that sort of thing accounts for most of their (few) sales. I can’t imagine why anyone would seriously look at the options available and choose Windows Mobile.

        • Phasma Felis says:

          That should say “guessed Windows instead of Android,” obviously.

    • Nihilexistentialist says:

      Hmmm? I get my Steam 2FA codes via email.

      • ikehaiku says:

        While you can get 2FA via email (that’s what I do, don’t want extra apps on my low-end smartphone), it doesn’t remove the limitations Steam put (like for trading cards), only using the authenticator does.

    • ComicSansMS says:

      I had the same problem.

      Steam Desktop Authenticator saved my day:
      link to github.com

      I’m completely happy with that solution for now.

    • Poor People says:

      So is the Battle.net Authenticator. It may have extra support for Windows 10 Mobile, but from what the article indicates, you get shafted anyway if you don’t have a smartphone to authenticate.

  3. Leonick says:

    That’s nice, though with Blizzard it really isn’t a big boost to usability as they’ve always been good at it. Always allowing you to remember computers/networks and not enter your auth code every time. If you use the Battle.net launcher (unless it bugs itself) you don’t even need to log in to the games at all as it’s already authenticated.

    Meanwhile, on the occasions I feel like logging in to SWTOR, rare as that is these days, I always have to enter both password and authentication code as there’s no option to remember either of them.

  4. Xiyng says:

    Now Valve needs to do this. Half-enforcing mobile 2FA with an app that sometimes doesn’t give the code immediately is just annoying. And it doesn’t happen only when I do something important, it happens every time I try to even log in. After I had to turn on mobile 2FA, I’ve been very reluctant to restart my computer just because of the hassle that is Steam’s mobile 2FA.

    I was fine with the email version though, and I’d still like it very much. It was convenient, and added another layer of security. I can understand why they don’t consider it as secure, but in my opinion, if someone is using the same password everywhere, they’re just begging for trouble these days and it’s their problem if something bad happens. At minimum, email accounts should each have a different password from every other service, because your email account is pretty much the master key to every other service.

  5. tranchera says:

    I still have the Cataclysm dongle I got in 2010 on my keys. Luckily the Battle.net launcher basically logging all the games in automatically means I haven’t had to use it in a year or so.

  6. xinn3r says:

    Since when does Valve support PIN + card again?