Free Authenticator: Instructions

[Nilinor]

Ok, all you people moaning about "BLIZZ WANTS MONEY ON AUTHENTICATOR!!!!" is getting annoying, seeing how you can get FREE VERSIONS with android or Iphone.

"But Nilinor! I dont have one of those phones, so I haz to buy it lolz"

Thats wonderful, I bought mine, so what? I rather have a physical copy then a phone copy that if I lose im kinda screwed anyways. Besides contrary to what you believe, they are made and sold at a LOSS so whatever, I know your going to bitch anyways so here you go.

http://developer.android.com/sdk/index.html <<< Straight from android site, get that

That is an emulator to test/use the Android OS on your COMPUTER! Guess what, you NOW have an android device on your computer! WOW!! Now for step 2, you actually need the authenticator program, hmm...

http://www.filecrop.com/Battle.net-A...cator-apk.html < There is one there. Check it first for virus' blah blah, never know what people try to fuck with, but you should know BASIC security by now

Now for some delicious copy/pasta

0. Requirements:
Windows PC (I am using Windows 7 Home Premium 64bit)
Java SDK (Google Java SDK, I am using Java 7 SDK and Java 7 JRE)
Android SDK (Google Android SDK and get the installer package)
The Android .apk for Blizzard Authenticator (This one might be a bit trickier but depending on request I will post a link to a mirror)

1. Install everything
Install everything accepting default options

2. Open Android SDK
Open the Android AVD Manager
Click Tools and click Manage SDK

3. Install ALL the things
Let it find everything that needs to be installed. click "Select New" and hit install packages. This will take a LONG time.

4. Create and android virtual device
Exit out of the manage sdk window, in the Android Virtual Device Manager (AVD Manager) window click new.
You can name it whatever you like
For target I chose android 2.3.3 but you can probably use anything 2.3 and up (I wouldn't suggest android 3.0)
For SD card I entered 1024 (1 gig)
I checked snapshot
On the skin I Selected WVGA854
I also changed the device RAM size to 1024

Hit create AVD and the device should start

4. Installing authenticator
First copy your authenticator APK to (Where you installed the SDK)\platform-tools\

This is where we HAVE to jump in to command line (Sorry)
Press windows key + r and type CMD then press enter navigate to (where you installed the sdk)\platform tools.
Now type adb install .\authenticator.apk

At this point if you are getting issues about "Network connection" close the device and re start it.

With this you have a completely free authenticator that works.

QUIT COMPLAINING ABOUT 6.50.

[florestan]

gratz, your approach does completely defeat the point of having an authenticator in the first place.

The authenticator has to be logically separate from the computer you use to run Diablo - access to the authenticator must not be possible if/when your computer is fully compromised.

For a physical device this is trivially true, for a smartphone (that you might hook up with your computer to synchronize apps, firmware & data and which probably can be jailbroken) this is not necessarily true but running the authenticator on your compromised computer itself is just stupid.

[Chrysia]

gratz, your approach does completely defeat the point of having an authenticator in the first place.

The authenticator has to be logically separate from the computer you use to run Diablo - access to the authenticator must not be possible if/when your computer is fully compromised.

For a physical device this is trivially true, for a smartphone (that you might hook up with your computer to synchronize apps, firmware & data and which probably can be jailbroken) this is not necessarily true but running the authenticator on your compromised computer itself is just stupid.

Several things wrong with this. First of all, a full compromise does not mean that they are physically hijacking your computer. If they are, you have more serious problems than your WoW account.

Second, every time you do a fresh install of the app, even on the same device, even if it's from your iTunes backup of it, it generates a new serial that has to be tied to the account, so they can't just steal that auth app and have it work.

Third, it is one more thing they'd have to copy to work through your security. The only way they'd be able to do it would be to crack the authenticator, which would require live access to your machine, or for your computer to be compromised when you added the authenticator, giving them access to the serial number. You'd be screwed with the physical authenticator at that point anyway.

[namelessone]

Yeah, this is awesome idea. It's like equipping your door with the most complex code lock that exists and then writing a code on it with a sharpie.

[Nilinor]

Hey, this is for the people that bitch about paying for an authenticator, I don't use this. I have a real authenticator I got about 4 years ago, but people are getting annoying with their "wah blizz trying to rip us off bs"

Even still, an emulated program on your computer is still better then no authenticator at all. The number is still random, the serial number is never the same, and as the poster so eloquently said above, if they are able to break through that on your computer, you have more serious issues then just your wow account. The worst they could do to you is block your login and re-type the security key before it resets, at which point physical or a real phone authenticator would be useless as well.

-edit-

@synthaxx
I figured by now there are other versions or better ways to do this as well, but this was the one I was familiar with and didn't want to research other ways to do it, I mean if the rest of the populace that complain about authenticators dont wanna do basic research, I dont think I should go out of my way to do it for them further then what I already know.

[florestan]

Several things wrong with this. First of all, a full compromise does not mean that they are physically hijacking your computer. If they are, you have more serious problems than your WoW account.

no physical hijack necessary to exploit an authenticator on an emulated phone, they can just use it the same way you do.
It's absurd to assume that an attacker with the ability to install a keylogger on your computer could not launch the phone emulation software on your computer. The latter does probably require less permissions than the first (as it takes place entirely in userspace).

The approach discussed in the OP gives the same level of security as locking the door but hiding its key under the doormat - if the attacker has access to the door, he also has access to the mat. You are just hoping he is too lazy to look for the key once he notices that the door is locked.

Second, every time you do a fresh install of the app, even on the same device, even if it's from your iTunes backup of it, it generates a new serial that has to be tied to the account, so they can't just steal that auth app and have it work.

my point was that this authenticator id could possibly be read from the phone when it is hooked up to the computer (and as the authenticator's algorithm has to be expected to be known to the attacker the id is all he really needs to clone it).

in contrast to a smartphone the authenticator dongle requires physical access for someone to get the id which makes it imo significantly stronger than the smartphone app (unless you never hook your phone up to your computer).

[Deleted]

gratz, your approach does completely defeat the point of having an authenticator in the first place.

The authenticator has to be logically separate from the computer you use to run Diablo - access to the authenticator must not be possible if/when your computer is fully compromised.

For a physical device this is trivially true, for a smartphone (that you might hook up with your computer to synchronize apps, firmware & data and which probably can be jailbroken) this is not necessarily true but running the authenticator on your compromised computer itself is just stupid.

So the same malware will be able to go through all of those virtual emulators and get to the emulated authenticator app as well?

If you've caught such an elaborate thing, your wow account is the least of your worries.


A fucking keylogger won't be able to do these things.

[Azaril]

Ok, all you people moaning about "BLIZZ WANTS MONEY ON AUTHENTICATOR!!!!" is getting annoying, seeing how you can get FREE VERSIONS with android or Iphone.

"But Nilinor! I dont have one of those phones, so I haz to buy it lolz"

Thats wonderful, I bought mine, so what? I rather have a physical copy then a phone copy that if I lose im kinda screwed anyways. Besides contrary to what you believe, they are made and sold at a LOSS so whatever, I know your going to bitch anyways so here you go.

Instead of doing all of that,

Install http://bluestacks.com/

Follow setup instructions.

Once you are done installing, the blueStacks app player opens up.
Look for the shortcut "1Mobile Market" and click.
If you do not see that, you'll notice a floating bar at the top of the monitor. Click the App Stores icon and then click the 1Mobile Market.

Open the Market and search for Blizzard Authenticator and install.

[Structures]

theres also a dial in authenticator for normal cell phones.

[Nerph-]

Your approach works with Windows Mobile (as long as it ships with Java support, and provided you ignore the parts specific to Android), but honestly, for Windows desktop, the simpler solution is Winauth; http://code.google.com/p/winauth/

Also free, but no pissing about with an SDK that you honestly don't need.

I was just about to post this link because I missed this post.

There really is no need to start emulating and stuff on your PC. http://code.google.com/p/winauth/ is really the free simple solution.

[Serpenth]

theres also a dial in authenticator for normal cell phones.

They've stated many times that this is not as safe as the physical or mobile authenticator app.

[Choptimus]

I'll stick to not using an authenticator, thanks.

[Nerph-]

I'll stick to not using an authenticator, thanks.

Thanks for letting us know, however this thread is for people wanting an authenticator but either not being able to buy one, not willing to buy one or not knowing of the free options they have. There really was little (or no) point in your post letting us know you're not going to use one.

[Deleted]

gratz, your approach does completely defeat the point of having an authenticator in the first place.

The authenticator has to be logically separate from the computer you use to run Diablo - access to the authenticator must not be possible if/when your computer is fully compromised.

For a physical device this is trivially true, for a smartphone (that you might hook up with your computer to synchronize apps, firmware & data and which probably can be jailbroken) this is not necessarily true but running the authenticator on your compromised computer itself is just stupid.

It's still great advice if you dont want the authenticator in the first place but want to use the RMAH. They plan to make it mandatory to have one for it, hopefully it wont pass as its sort of illegal but in case it does, thanks OP.

[Mudkiper]

Or just spend like £4 on a one :<.

[Deleted]

Or just spend like £4 on a one :<.

Why would anyone want to spend even 1 cent on something they dont want? Its like saying hey, theres a bum on your lawn, why not pay him $5 to leave instead of calling the cops..

[Choptimus]

Thanks for letting us know, however this thread is for people wanting an authenticator but either not being able to buy one, not willing to buy one or not knowing of the free options they have. There really was little (or no) point in your post letting us know you're not going to use one.

So basically the exact same thing as your comment, except in far less words.

Thanks.

[Nerph-]

gratz, your approach does completely defeat the point of having an authenticator in the first place.

The authenticator has to be logically separate from the computer you use to run Diablo - access to the authenticator must not be possible if/when your computer is fully compromised.

For a physical device this is trivially true, for a smartphone (that you might hook up with your computer to synchronize apps, firmware & data and which probably can be jailbroken) this is not necessarily true but running the authenticator on your compromised computer itself is just stupid.

When you get keylogged, all they get is your password, if you used a desktop authenticator they'd also log your code, but that code is useless after 30 seconds and is unique. It's not like the people who created the keylogger have access to your computer and can run the authenticator application and get a valid code to then login.

I agree it's in theory not as safe as an authenticator on a keyfob or on your phone, but you're making the desktop authenticator sound a lot less safe than it actually is.

---------- Post added 2012-06-10 at 06:02 PM ----------

So basically the exact same thing as your comment, except in far less words.

Thanks.

Except I already contributed to the thread with information about the thread topic. You didn't. And my reply to your post was actually still on topic and informative telling you what this thread is about.

Thanks.

[Deleted]

It's still great advice if you dont want the authenticator in the first place but want to use the RMAH. They plan to make it mandatory to have one for it, hopefully it wont pass as its sort of illegal but in case it does, thanks OP.

illegal? Hardly..

use the RMAH without a authenticator would just be plain stupid.

For what reason would it be illegal ? - "Oh no, blizz makes us buy an authenticator to milk us for more monies!" - Sup, authenticators are sold for the same price it costs them to make it, zero gain.

Also, get off it already, its stupid not to use a authenticator when its possible for anything really - since all this "internet theft" is so common these days we live in - you would be plain stupid not to do whatever you can do shield yourself.

An emulated app like the OPs shows, but I hope people wont use it - because I can just see the issues with this "I got an authenticator on my emulator on my computer thats infects with whatever russian porn sites they attech when I browse for a new wife.. WHY DID I GET HACKED BLIZZARD, I HAD AN AUTHENTICATOR.." - I really hope that blizzard will just redirect it back into your face saying that its your own damn fault and use common sense for once.

1.Get the app for your phone, store the install ID somewhere so you can reclaim it if your phone gets lost or some shit happens.

2.Buy the physical authenticator.

Edit :

The thing about that the authenticator is 100% safe is not the case, its a token like any other - and its not 100% random, it goes through a system, it can be broken, but it requires alot of info to do it.

[Mudkiper]

Why would anyone want to spend even 1 cent on something they dont want? Its like saying hey, theres a bum on your lawn, why not pay him $5 to leave instead of calling the cops..

You don't want your account to be protected. Ok. I don't want a key for my house, I'll just remove the door.