You may have received a message from Battlenet saying that your old authenticator will be deprecated and that you now have to use the Battlenet mobile app and set up a new OTP authentication from there. Essentially, they are forcing you to install their app on your phone. Most users will just shrug it off, as they already have plenty of apps for specific services—there’s the PlayStation Network app, the Steam app, and now, the Battlenet app. No big deal, right?
In fact, to some extent, using a separate device, like a smartphone, to authenticate on another device, such as a computer, may even be beneficial. If your PC is compromised and your accounts are stolen because of some shady free-skins website, at least your authenticator will remain safe, since it’s on a separate device. For many, smartphones have become essential. People are comfortable using their phone numbers for logins, as it means they don’t need to remember passwords—if they forget one, it’s quickly reset via text message. They’re also fine using the same login and password for every website, including email. However, this means that if one of those sites gets hacked, the attacker can potentially take over all of their accounts and lock them out of everything. Likewise, if someone used their Facebook account to log into multiple websites and Facebook bans them or they have trouble logging in, they could lose access to all of those services at once.
Even though most people are okay using different apps for each service or website, this setup can quickly backfire. If their phone or SIM card is stolen, or if they change phones, they often lose access to their authenticators because they didn’t back them up. Unfortunately, many people don’t prioritize good IT hygiene, but for those of us who care about security, this isn’t acceptable.
Personally, I’m not a fan of having separate apps for each service, especially when a fully functional website is available. While some services force the use of an app due to more robust features, many of the apps are simply not as convenient as using a website. For example, you can’t compare several product listings in one place using an app as easily as you can on a website. And when it comes to authenticator apps, I prefer using them on a computer, not a phone.
The reasons are simple. If I have to install a different app for every service, it becomes tedious. Additionally, I often have multiple accounts on the same service (such as several Facebook or Steam accounts), which makes managing all these apps even more complicated. Even though some apps, like Steam’s, support multiple accounts, it’s still a hassle. Another issue is that I’d have to manually type in the authentication codes on my computer, which adds unnecessary friction to the process. Plus, creating backups of authenticator apps on my phone is harder than it should be. In contrast, authenticators on computers are easier to back up and keep safe.
One of the biggest concerns is the risk of losing access to my authenticators if my smartphone breaks or is stolen. Smartphones have the highest probability of being lost, stolen, or damaged compared to other personal items, and I don’t want to risk losing access to critical accounts because of a phone mishap.
I use authenticator apps on my computer (mainly on Linux, though I occasionally use Windows) because I can store them securely and back them up easily. Even though it may be less secure to keep the authenticator on the same device, I ensure my authenticator apps are password-protected and stored on encrypted drives for peace of mind.
Now, back to the Battlenet authenticator. The previous Battlenet authenticator, which they now refer to as “Legacy,” showed you the secret code that allowed you to use any authenticator software you wanted. Most authenticators for services use the same algorithm—TOTP (Time-based One-Time Password), typically SHA-1 or SHA-512. While Twitch was once the exception, using a proprietary authentication system, even they switched to the TOTP protocol years ago. This means you can use a single authenticator app for all your services, and there are many options for this, such as Google Authenticator, OTP for Android, and OTP clients for Linux and Windows.
The new Battlenet authenticator, however, doesn’t provide the secret code and restricts you to using only one authenticator tied to a single phone number. This is problematic because it makes it difficult to use an authenticator app of your choice across multiple services. But there’s a workaround.
Here’s how you can extract the secret key from the new Battlenet authenticator and use it with any OTP app of your choice:
Log into your Battlenet account through your browser (I’m still using the Legacy authenticator).
Go to your account settings and ensure that you have a phone number set up (you can detach it later).
Detach the Legacy authenticator and confirm with an OTP code.
Open a new browser tab and go to the Blizzard website that hosts the official Battlenet authenticator API.
Click on the “Authorize” button and enter the client ID (this is the same for everyone).
Ensure that the “Authenticator” option is checked and click “Authorize.”
After authentication, click “Create and Add a New Authenticator,” then “Try it out” and “Execute.”
If everything works, you’ll see a response with a serial number, restore code, and most importantly, the device secret (this is the code you need).
Copy and store the device secret securely (it will be in hexadecimal format).
Convert this code from hexadecimal to base32 using an online converter.
Finally, paste the base32 string into your OTP client and you’re set.
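As an added example (not code from the original post or from Blizzard), here is the hex-to-base32 conversion from the steps above done locally, so the device secret never has to be pasted into a third-party website, together with a minimal RFC 6238 TOTP implementation matching the protocol described earlier, so you can confirm the converted secret produces codes before detaching anything. The sample secret is the public RFC 6238 test key, not a real Battlenet secret, and the 8-digit code length and SHA-1 hash are assumptions about Battlenet's parameters.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed sample, NOT a real Battlenet device secret: the RFC 6238 test
# key "12345678901234567890" written as the 40-character hex string the API
# response would contain.
SAMPLE_DEVICE_SECRET_HEX = "3132333435363738393031323334353637383930"


def hex_to_base32(hex_secret: str) -> str:
    """Convert a hex-encoded secret to the unpadded base32 form OTP clients expect."""
    cleaned = "".join(hex_secret.split())          # tolerate copy/paste whitespace
    raw = bytes.fromhex(cleaned)                    # ValueError on a mistyped string
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def totp(secret_b32: str, timestamp: int, digits: int = 8, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HMAC over the time-step counter, dynamic truncation, zero-pad."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", timestamp // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(secret_b32: str, account: str, issuer: str = "Battlenet",
                digits: int = 8, period: int = 30) -> str:
    """Build the otpauth:// URI most OTP clients (KeePassXC included) import directly."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    b32 = hex_to_base32(SAMPLE_DEVICE_SECRET_HEX)
    print("base32 secret:", b32)
    print("uri:", otpauth_uri(b32, "player@example.com"))   # hypothetical account
    print("current code:", totp(b32, int(time.time())))
```

Compare the printed code against what the Battlenet app (or the legacy authenticator, before you detach it) shows for the same 30-second window; if the digit count is off, adjust the `digits` argument.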
This method allows you to continue using OTP software like OTP Client or other apps, without needing the Battlenet mobile app. Despite the changes, Battlenet is still using the same OTP protocol they have been using all along.
However, it’s clear that their goal with this change is to force more people to use their mobile app, likely to encourage them to spend more on battle passes and skins. Another likely reason is to limit the number of cheaters by requiring phone numbers for authenticator setups, making it harder to create multiple accounts for farming.
While the change to Battlenet’s authenticator is a bit frustrating, there are still ways around it, and you can manage your authentication with third-party apps like KeePassXC. This software, originally designed as a password manager, also supports OTP generation, allowing you to securely manage all your authenticators on both Linux and Windows. By using a portable version of KeePassXC, I can easily manage my authenticators across devices, ensuring that I don’t lose access to any of my accounts, even if my phone is lost or damaged.