FlexAuth: Portable authentication for Battle.net

I’ve just released my first Android app, called FlexAuth. It’s mostly an excuse to learn Android development, but it does something useful, too - it serves as a souped-up mobile authenticator for Blizzard’s Battle.net login infrastructure. If you’d like the gory details, there’s a specification floating around on the internet that’ll help you understand the protocol.

Mobile authenticators work by transforming a seed value (called the “token secret”) + the current time into your 8-digit authentication code. FlexAuth lets you set up multiple authenticators by providing the secret, or will let you have Blizzard generate one for you.

Why would you need this?

  • You want to use a mobile authenticator, but don’t want to be locked out if you ever lose your phone (just set up a new token with your registered token secret).
  • You want to use multiple mechanisms to log in - maybe you need token authentication in a script, or you want to have the same authenticator values on multiple mobile phones.
  • You already have a token secret from another source and want to use it on your mobile phone.

Obviously, these won’t apply to most people, but some folks will definitely find it useful.

Using it

  1. Menu -> Add Account
  2. Enter a name for this token/account. It can be whatever you’d like.
  3. Either enter a serial + secret, use the already-provided one, or generate a new one.
  4. Save the token. You’ll notice that auth codes start generating right away.
  5. It is highly recommended that you back up your token secret. If you uninstall the app, wipe your phone, etc., then you will lose the secret, and consequently lose the ability to generate auth codes. To back up the secret, click into the token’s details, and long press on the secret to copy it. You can then paste it into a note or email or whatnot. To restore a token, simply generate a new token and use your backed-up secret. It will generate compatible auth codes.
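
As an added illustration of the secret + time transformation described above, and of why a restored token (step 5) produces compatible codes, here is a small Python derivation; it is not FlexAuth’s code, and it assumes the widely documented Battle.net scheme (HMAC-SHA1 over the 30-second interval counter, dynamic truncation, last 8 digits) with a constructed secret.

```python
import hashlib
import hmac
import struct
import time

PERIOD_SECONDS = 30   # one code per 30-second interval
DIGITS = 8            # Battle.net codes are 8 decimal digits

# Constructed 20-byte token secret, hex-encoded (40 hex characters) the way
# an authenticator would store it. Not a real Blizzard-issued secret.
EXAMPLE_SECRET_HEX = "3132333435363738393031323334353637383930"


def auth_code(secret_hex, unix_time=None):
    """Turn (token secret, current time) into the 8-digit auth code.

    Assumed derivation: HMAC-SHA1 keyed with the raw secret over the
    big-endian 64-bit interval counter floor(time / 30), then the
    dynamic truncation of RFC 4226 and the last 8 decimal digits.
    """
    if unix_time is None:
        unix_time = time.time()
    secret = bytes.fromhex(secret_hex)
    counter = int(unix_time // PERIOD_SECONDS)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte
    chunk = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{chunk % 10 ** DIGITS:0{DIGITS}d}"


def seconds_remaining(unix_time=None):
    """How long the code returned for unix_time stays valid before it rolls over."""
    if unix_time is None:
        unix_time = time.time()
    return PERIOD_SECONDS - int(unix_time) % PERIOD_SECONDS


if __name__ == "__main__":
    # Any device holding the same secret derives the same code for the same
    # interval, which is exactly why a backed-up secret restores the token.
    now = time.time()
    print("code:", auth_code(EXAMPLE_SECRET_HEX, now),
          "valid for", seconds_remaining(now), "more seconds")
```

Because the counter is derived from wall-clock time, a restored token on a phone whose clock is badly off will produce codes the server rejects; keep the device time synced.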

All that said, a word of caution: Never ever ever run authenticator software on the same machine that you’re logging in on. It’s bad, it’s dumb, and you shouldn’t do it. Keep your authentication token generation on a separate device if you value your account.

If any particular same-machine authentication scheme gained any measure of popularity, it would be targeted by malware and your authenticator would be useless. Don’t do it.

Other than that, enjoy!