beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Feature Request: Support for the new Battle.Net Mobile Authenticator #1239

Closed Aerodin closed 8 months ago

Aerodin commented 12 months ago

Hello,

Blizzard is disabling their legacy auth services and all users going forward from January 5th-ish and on will have these legacy auths removed from their accounts and a password reset email sent to them.

The email recommends removing all previous authenticators and then installing the Battle.net Mobile app which has a built in authenticator in it.

Any chance we can get a guide or method to import the new code into Aegis? I'd rather have all my 2FA codes in one central spot vs having to rely on an external app for just the Blizzard account.

bryanvobo commented 12 months ago

Disclaimer: I'm just another concerned Aegis user, what I say here could be incorrect.

I don't think this feature request is possible. Aegis only supports HOTP and TOTP methods, and the new Battle.net Authenticator appears to be SMS based.

From one of their support pages https://us.battle.net/support/en/article/000024520#faq :

Can I use the same Authenticator Serial Number to secure more than one Battle.net Account?
The Battle.net Authenticator requires a phone number be attached to an account, and a phone number can only be attached to a single Battle.net Account.

Can I set up the same Authenticator Serial Number in more than one smartphone?
Your unique Authenticator is tied to your mobile device and we do not support setting up the same Serial Number on more than one device.

I don't have a mobile phone number
A mobile phone number is required to set up and use the Battle.net Authenticator.

I'm not receiving the text message during setup
Battle.net Phone Notifications are designed for text-enabled mobile phones. Messaging apps like iMessage (iOS) or WhatsApp (iOS, Android) are not supported. Phone notifications cannot be used with Voice over IP (VoIP), and VoIP numbers that are transferred to a local provider are not eligible for the service.

I'm discouraged and disappointed by Blizzard for abandoning TOTP and requiring their own mobile app with an active phone number.

Aerodin commented 12 months ago

They still have the 8 digit number but use an SMS/notification as the primary method, with an option to reveal and use the 8 digit token manually instead, so there should still be a way to generate 8 digit tokens.

Here is an example from the actual app: https://imgur.com/a/7cahtcz

There is an option to show the serial number and recovery codes as well.

Update: Thank you ps245 and bryanvobo - I was able to remove my old authenticator and add a new one via the API and get the codes in a 2FA app of my choice and confirmed it works. Will see if this also passes a legitimate authenticator on January 5th.

ps245 commented 12 months ago

It would appear they're invalidating secrets generated with the old API, and the new one requires OAuth support. A current workaround is to extract the data from the app or do the request through the new API.

alexbakker commented 12 months ago

Just like before: Support for communicating with the Battle.net API can't be added to Aegis. Updating Aegis' Battle.net importer to support importing from the new app is fine, of course.

bryanvobo commented 12 months ago

I followed the directions in the third link from @ps245 (thank you!) and was able to create a new TOTP secret via the new API. Blizzard has not abandoned TOTP but they are requiring that you add a phone number to your account that is SMS-capable.

While following the directions in the python-bna comment, the initial JSON response I got was:

{
  "url": "https://account.battle.net/creation/",
  "requireHealup": true
}

I had to add my mobile phone number to my Battle.net account, verify it with the 6-digit code that they texted to me, and then POST /v1/authenticator again to get:

{
  "serial": "<serial>",
  "restoreCode": "<restoreCode>",
  "deviceSecret": "<40characterHex>",
  "timeMs": <timestamp>,
  "requireHealup": false
}

The thing that prompted all of this is that I got an email on December 5 with the subject:

Your Battle.net Authenticator is Changing, <username>.
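As an added, runnable illustration (not code from this thread, from python-bna, or from Aegis) of what "get the codes in a 2FA app of my choice" involves once the POST /v1/authenticator response above is in hand: the 40-character hex deviceSecret is a raw 20-byte HMAC key, so it can be base32-encoded into a standard otpauth:// URI that Aegis's QR/URI importer accepts, and the same key drives an RFC 6238 TOTP. The 8-digit code length is what the thread reports; the HMAC-SHA1 algorithm and 30-second period are assumed here (the standard TOTP defaults). The example also handles the requireHealup: true case from the first response, where no secret is present yet. The sample secret is the RFC 6238 test key, not a real Battle.net value, so the computed codes can be checked against the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Constructed sample: the RFC 6238 reference key "12345678901234567890" as
# 40 hex characters, i.e. the same shape as a Battle.net deviceSecret.
SAMPLE_DEVICE_SECRET = "3132333435363738393031323334353637383930"

# Constructed copies of the two response shapes quoted in the thread.
HEALUP_RESPONSE = {"url": "https://account.battle.net/creation/", "requireHealup": True}
OK_RESPONSE = {
    "serial": "US-1234-5678-9012",          # placeholder serial
    "restoreCode": "PLACEHOLDER",            # placeholder restore code
    "deviceSecret": SAMPLE_DEVICE_SECRET,
    "timeMs": 1701820000000,                 # placeholder timestamp
    "requireHealup": False,
}


def extract_device_secret(response: dict) -> Optional[str]:
    """Return deviceSecret from a POST /v1/authenticator JSON body.

    Returns None when the account still needs a verified phone number
    (requireHealup: true), and raises if the body is malformed.
    """
    if response.get("requireHealup"):
        return None
    secret = response.get("deviceSecret")
    if not isinstance(secret, str) or len(secret) != 40:
        raise ValueError("response has no 40-character hex deviceSecret")
    bytes.fromhex(secret)  # raises ValueError if it is not valid hex
    return secret


def device_secret_to_base32(device_secret_hex: str) -> str:
    """Base32-encode the 20 raw bytes, unpadded, as otpauth:// URIs expect."""
    raw = bytes.fromhex(device_secret_hex)
    if len(raw) != 20:
        raise ValueError(f"expected a 20-byte secret, got {len(raw)} bytes")
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def build_otpauth_uri(device_secret_hex: str, serial: str, issuer: str = "Battle.net",
                      digits: int = 8, period: int = 30) -> str:
    """Build an otpauth://totp URI that Aegis can import (SHA1/30s assumed)."""
    secret = device_secret_to_base32(device_secret_hex)
    label = quote(f"{issuer}:{serial}", safe="")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def totp(device_secret_hex: str, for_time: Optional[float] = None,
         digits: int = 8, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 over the raw 20-byte key."""
    raw = bytes.fromhex(device_secret_hex)
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // period))
    digest = hmac.new(raw, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


if __name__ == "__main__":
    secret = extract_device_secret(OK_RESPONSE)
    print(build_otpauth_uri(secret, OK_RESPONSE["serial"]))
    print("current code:", totp(secret))
```

The URI is what you would paste into (or render as a QR code for) Aegis; the `restoreCode` is not needed for code generation and, like the `deviceSecret`, should be stored with the same care as a password, since either one lets a holder regenerate codes for the account.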

James-E-A commented 11 months ago

they are requiring that you add a phone number to your account that is SMS-capable

Not only that, but they say (and I quote) that your carrier must be “post-paid”. Bah!