Third party authenticator support

Feedback Discussion
1 2 3 8 Next
I realize that this doesn't have anything to do directly with the Desktop App, but the limited selection of forums leaves this as the nearest option, and the answerer of my support ticket told me that the forums are the place to request this. I hope that it can get forwarded to the correct parties.

I would like to use a third party authenticator instead of the official Authenticator for Android. There are several applications that let you scan the QR code for a service which uses an authenticator -- like Amazon's AWS, GitHub, or Twitch -- and avoid having to download a company-specific app to generate codes for you. These applications are very handy because the growing number of accounts which use 2FA would otherwise cause a large number of custom authentication applications on users' phones, all essentially performing the same task.

One of these applications is called Authy. Another such app which is developed by Google is called Google Authenticator. Both of these (and others) can be found on the Google Play Store.

Can you guys please allow a way of using nonproprietary applications as authentication devices? I'm not a computer security expert, but I request that before dismissing this idea as insecure, you look into how and why it can be supported by services like AWS, whose users have a much higher ceiling on what they can lose should their 2FA be somehow compromised (somewhere around the "our entire company's infrastructure" level) than users of Thanks for reading!
Bumping this.
I concur. I am a tech nerd.... and have a couple of OTP apps that I'd like to be able to combine. For example: XBox Live, AWS, etc etc are already in my single OTP App.

The QR Code contains specific data to configure the OTP token.

I've read that the Battlenet Authenticator is HMAC-SHA1, 8 digits, and good for 15 seconds.... but staring at the mobile app -- it seems to be a 30 second token. If I knew how the token serial number and whatever else voodoo was combined in the seed value -- I could probably configure any OTP software that was compatible.

It'd be nice if Blizzard provided that information for third-party tokens.
I would love this. I am using Authy now, and am loving it. To have all my authenticators in one place would be ideal.

this would leave HUGE gaping holes in blizzards security, and it would make the Authenticator completely irrelevant.
TerranCorp -- Please explain how this is a huge security hole. I'd like to hear your thoughts and theories (seriously -- not trolling here).

Two-Factor Auth using a mathematical algorithm with a pre-defined and agreed upon seed value between client and server for a time-sensitive One-Time-Password is pretty standard. Amazon supports this for their cloud services using third party software. XBox Live supports 2FA with any software token which is capable of compatible configurations. More and more services are popping up that offer 2FA and they allow you to use third party OTP software to act as a software token.

The only real argument I can see would be that two separate devices should be used. If a client machine is owned with a trojan, the token configuration itself could be compromised if the OTP software is on the same machine. There's still the opportunity for a trojan/bot on an owned client machine to intercept the token part of the client login and block the client machine anyway -- if it were sophisticated enough. No need to even compromise your token seed, just intercept the user typing in the token.

If you already have SMS verification set up with Blizzard -- you can nuke the token off your account anyway.

Honestly -- imho -- I don't need an OTP application for every service I have clogging up my smart phone. I need one OTP application that can support all the accounts I use.
Bumping to add my support to this idea!
I'd love to see something like this. Even if it's not officially in the app at least a manual process to allow us to add it to Authy.

Two-factor authenticators are a standard now, and I would assume the mobile app is just a wrapper around the same tech. Let us use our preferred authenticator please.

There is a third party Windows authenticator called Winauth. I haven't used it, but it does show that this is not a completely closed off solution.

I would love to use Authy as well.
I agree. I prefer to have all my 2FA in one place. Support Authy please!

* Password protected backup of your auth keys on a remote server in case you lose your smartphone or it gets stolen. You can retrieve them again simply by installing the app, and restoring your authy account.
* Multiple OTP in one application, with an easy to scroll list.
* Pin lock before you can even open the authy app, which prevents someone who has nabbed your phone from opening it.
* When heartbleed ocurred, authy already had mechanisms in place to remotely update all of the authy clients certificates to prevent them from being affected.
* Pretty user interface!
* No need for any other applications. <-- This is the best part. I can uninstall google auth which is an awful piece of software.

I wish more 2fa-enabled sites supported Authy.

Support for Authy would be great. There's no reason to insist on a proprietary app when you're using a standard, open standard like TOTP. All that's needed is for our Hex Security Key to be accessible on our account page. People then have the choice of using the Blizzard Authenticator hardware, of Blizzards software, or another app that supports TOTP. And choice is good!

Too many proprietary apps to keep track of.

Standard compliant Two-Factor Authentication would allow users to use whichever authenticator client suits their needs.
Definitely would like to see 3rd party authenticators!
I agree, and would also love to see support for 3rd party authenticators like Google Auth or Authy.

Join the Conversation

Return to Forum