Free Windows Authenticator OS

Warning: This app is not sanctioned by Blizzard, or tested in any manner – use at own risk! Blizzard have stated a stance of accepting that it works, but they prefer customers use the real sanctioned tools.

As the app runs on a pc, that app can be compromised as much as any other.

Wandering through the D3 and Blizzard discussions on security, I found a free Windows app which emulates the authenticators. Basically it is the same app as used on the mobile devices, except it is Windows software. And it is open source, currently v1.7.1314 and appears to be updated regularly.

screnshot of windows authenticator softwareRefs:

Wow, a pretty impressive give away of a useful function!

WinAuth uses the same algorithm as the Mobile Authenticator for Android and iPhone, and so generates the same codes when using the same serial number and secret key. One of the initial reasons to write it was to remove the dependency on having the phone available, but still use the same codes.

Whilst you cannot directly read the Mobile Authenticator’s private keys from an iPhone or non-rooted Android, you can now use the new Restore feature to copy your authenticator over to WinAuth.

Impressive, and now even less excuse not to have an additional line of account security for Blizzard games.

6 thoughts on “Free Windows Authenticator OS

  1. This makes me wary, a step closer to hackers being able to get through the authenticator to your precious copper. Is this endorsed by blizzard? My guess is no, because it is open source. I wouldnt touch it with a 10 foot pole. Scratch that, I wouldnt touch it with a 10 foot pole if I played on something other than a mac.

    I think they have it on a mobile device so that if your gaming computer is compromised the authenticator computer isnt.

  2. I’m sure it is not approved by Blizzard and everything open source has an underlying issue where the secrets are in plain view. I’m not even sure that this works, or that it isn’t a hack attempt in itself. In fact that would be a clever way to hack – create a tool for auth.

    Perhaps some extra digging might be good before using it?

  3. @typhoonandrew No, of course it’s not approved by Blizzard, it an independent open-source implementation of their Mobile Authenticator.

    Having the source code open does not put any secrets in plain view, that’s how encryption algorithms work. Just because you can see the code doesn’t make it any less secure. Actually , it makes it more secure because it can be peer-reviewed. If you are ignorant of what it and how it works, please don’t speculate, educate yourself.

    @shelly 20,000+ people have downloaded and there have been no reports of any “hacks” and no known accounts have been compromised whilst using an authenticator like this. You can run it on a separate machine, and is recommend, or within a VM. It then provides a good alternative method for those who won’t or can’t get the real authenticator.

  4. @Charlie Maggot – In fact I did read further to educate myself and there was not a very large amount of information out there about the project. I did search for other sources. The post was updated to point out Blizzard’s official stance (see the Refs area at the bottom of the post) and in that manner the links to the forums and discussions are present so that a reader can decide. What I did not do is retroactively edit the entire post as blog posts are a point in time, and at the time I was both excited and wary of the software. I think a warning is still valid, but the software remains an great and praise worthy project.

    The expertise required for an individual to review the code and make an educated choice is rare, and I’d suggest that only a very small percentage of the wow community have the capability or inclination to ascertain if the project is suspect or not. I don’t think experienced developers are the app’s target audience, so suggesting a review is odd. That said, fair point – I could be better educated about the tool, and I’ve been reading about encryption and system security as a hobbie for many years.

    My slightly skeptical approach is exactly why I use the real thing (an external auth) rather than the device auth or a software solution. Creating a hack as a project such as this strikes me as a great way to get access to a machine, by posing as a useful wow auth tool. It would not be the first time a website claimed to help with security but hurt the user.

Comments are closed.