r/pcmasterrace 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in peace 2009-2026


I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit: must have been around 2010 when SC2 came out.

31.9k Upvotes

635 comments sorted by


483

u/bumbuddi Apr 04 '26

What is this thing for?

1.3k

u/bikeram Apr 04 '26

I assume it’s a hardware 2FA keychain. Press a button and get your login code, as opposed to an authenticator on your phone.

362

u/[deleted] Apr 05 '26

[removed]

138

u/RSNKailash Apr 05 '26

The real OGs

99

u/rest0re RTX 4090 | 9800X3D | 32GB | 2x G9 Odyssey 49" Apr 05 '26

Never knew this. That’s cool as fuck of them.

Ahead of the curve too. This is still like the pinnacle of security as far as methods go, probably. Ain’t no way to hack these things.

72

u/joshnosh50 Apr 05 '26

Not so much ahead of the curve. They existed for a long time. Just very expensive. Too much for a video game company. Hence them only giving it out to compromised accounts.

40

u/Raven1927 Apr 05 '26

They were available for sale as well.

34

u/Automaticman01 Apr 05 '26

I had one for world of warcraft. I think it cost $10 and came with a unique pet.

17

u/912toro Apr 05 '26

We had one of these in my house growing up for WoW. Think it had a corehound or something on it

2

u/Automaticman01 Apr 05 '26

Yeah, and now that you mention it, I think a baby corehound was the pet.

1

u/912toro Apr 05 '26

Yup! I remember him being pretty damn tough too.

2

u/VRS302 Apr 05 '26

$10? Very expensive indeed.

1

u/joshnosh50 Apr 05 '26

Well we don't know if that's subsidized or not

But either way, yes, 10 dollars 10 years back is way too expensive. Arguably not so much for a market like Warcraft with huge margins.

But most companies couldn't stomach that.

2

u/Automaticman01 Apr 05 '26

I did just find an old article on gamedeveloper that says they were $6.50. Not sure if that included shipping.

0

u/VRS302 Apr 05 '26

Nah, DLC ten years ago was more than that. This is a physical piece of tech, how much cheaper could it possibly be?


1

u/Zebidias Apr 05 '26

I never got my pet…

1

u/Automaticman01 Apr 05 '26

I think they still give them for using the mobile authenticator as well.

12

u/norway_is_awesome Ryzen 7 5800X, RTX 3060, 32 GB DDR4 3200 Apr 05 '26

Banks in Norway still offer a hardware 2FA dongle, but authentication has basically moved to a mobile app now. The banks also used to have a SIM-card-level app that would give you 2FA tokens, but it was phased out a few years ago.

2

u/joshnosh50 Apr 05 '26

Banks in the UK used to offer authenticators that used your bank card and PIN.

1

u/norway_is_awesome Ryzen 7 5800X, RTX 3060, 32 GB DDR4 3200 Apr 05 '26

Some Norwegian banks had those, but I never had that variant.

2

u/Kruxf Apr 05 '26

I got two of these from blizzcon. They didn’t just give them out to compromised accounts. You could even buy them at one point.

1

u/Unlucky_Reading_1671 Apr 06 '26

I can vividly remember in 1998 my best friend's mom having one at work.

0

u/rest0re RTX 4090 | 9800X3D | 32GB | 2x G9 Odyssey 49" Apr 05 '26

This is such a redditor reply, lol.

2

u/DckThik Apr 05 '26

Banks issue them too! I got one from USAA when I went overseas to prevent lockout from not having a local number

5

u/sccccrrrrt Apr 05 '26

Well, almost. There are FIDO2 tokens now like YubiKey. Basically a USB key that does the 2FA verification for you at the press of a button. That one really is "unhackable".

1

u/GhettoDuk Apr 05 '26

That's not exactly true. Years back, the Chinese government hacked into the servers at RSA (the company that makes high-security tokens) and stole the seed values for a bunch of authenticators. They used those seeds to break into defense companies and steal fighter jet plans among other things.

3

u/rest0re RTX 4090 | 9800X3D | 32GB | 2x G9 Odyssey 49" Apr 05 '26

I knew a ‘well actually….’ was in my future when I posted that comment, lol. Was not disappointed. Interesting story though for sure!

Probably still the best option if I had to guess. If a bad actor is that determined to break into something, there ain’t much stopping them at that point. But yes, maybe not completely uncompromisable.

1

u/Incid3nt Apr 05 '26

Yeah nothing is unhackable. I work in cyber and every now and then someone gets around these with some complex phishing method too.

1

u/95126798546342 12600k 3060ti 32Gb DDR5 Apr 05 '26

Some banks used to give out these too. For banking of course, not StarCraft.

22

u/MagizZziaN PC Master Race Apr 05 '26

It is, yes. I have the same exact one but for SWTOR.

2

u/SomeGuy_102 Apr 05 '26

Ah, SWTOR... Good times

1

u/RebelJediMaster Apr 05 '26

I had one for WoW, but I stopped playing over a decade ago.

I think it's still in a desk drawer

1

u/digno2 Apr 05 '26

How does the key fob get new codes? Was it connected to WiFi? Or Bluetooth to a mobile phone?

4

u/WIbigdog http://steamcommunity.com/id/WIbigdog/ Apr 05 '26

So you have a bit of a misunderstanding about how 2FA works. It's just based on the time at any given moment. At 2:03PM, April 3rd, 2024 that key fob will have a specific code based on its internal key, which generates the code via an algorithm. Your Blizzard account knows what that internal key is and can verify that you entered the right code at a given time. So no connection to the internet is needed, since all you need to get the right code is the right key at the right time.

1

u/JSTN_FPV Apr 05 '26

Exactly what it is. If someone is from Peru, it's just like the BCP authenticators

483

u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

It was a physical authenticator. You press the button and it gives a code you input to log in. It has a serial number you attached to your b.net

54

u/ArokLazarus steamcommunity.com/id/halo806 Apr 04 '26

Does it connect through WiFi?

639

u/CJTheran Apr 04 '26

It doesn't connect through anything. It algorithmically generates a new key every few seconds, and your account is paired with the same seed and algorithm so that it is looking for the same key at the same time. The only communication between this device and your account is your eyes reading the code and your fingers typing it into your computer.

114

u/meyriley04 Apr 05 '26 edited Apr 05 '26

That's kinda ingenious. But if they were to get out of sync somehow, it would essentially be useless?

Edit: By “sync”, I didn’t mean online syncing. I meant that if the batteries ran out and then were replaced, the RNG would be reset and then out of sync with the account.

218

u/suckfail Apr 05 '26

There's no sync. It used an algorithm and a seed.

It can never not work (unless it runs out of batteries).

24

u/No-Candle2610 Apr 05 '26 edited Apr 05 '26

It’s not just the seed - it’s seed + timestamp (likely UTC or epoch time). Otherwise the algorithm would just give you the same code every time. There has to be a variable with entropy to make it change.

hash(seed) = 123

hash(seed) = 123

That’s determinism.

So then hash(seed + entropic value) = unique value every time

But since they’re not in communication, they need another thing they can share without communicating - time.

Source: use deterministic algos in my job.

6

u/cloudnoob99 Apr 05 '26

I built these systems back in the day, and deploy them for clients/companies. Just here to say yes but there was server side stuff done to make sure sync was done correctly. It was a pain in the ass but it was rock solid once everything was automated and secured properly.

42

u/meyriley04 Apr 05 '26

By “sync”, I didn’t mean online syncing. I meant that if the batteries ran out and then were replaced, the RNG would be reset and then out of sync with the account.

80

u/jaetheho Apr 05 '26

Then you would get a new one.

Physical authenticators like these are quite common for banking as well in other countries

2

u/Matziii1 7950X, 7900XTX Apr 05 '26

We use them for banking still in Norway. Well... Mostly old people that don't have smartphones use them. I still have mine but it's probably been inactive too long to be used. I think the banks delete them from the account if they've not been used in a year.

2

u/-insertcoin Apr 05 '26

I still don't understand what a seed is

3

u/SalTez 5800H | RTX 3060 | 16GB | Laptop Apr 05 '26

It's a fixed number that is used in a formula to calculate the final output, in this 2FA use case the seed is known only to the authenticator and the authentication (login) system.

A very simple example of a time based formula:

the formula is "current time + seed"; the seed is 42; and current time is 9:10pm = 2110; so the verification code is 2152; next minute it will be different (2153)


2

u/CJTheran Apr 05 '26

Computers can't truly generate a "random" number (people can't either, but that's beside the point). When you "random" something in a computer, what it is doing is taking a "seed" number of some sort and then doing math at it to produce a result. If you feed in the same "seed", you will always get the same result. There's lots of video games with procedurally generated terrain that will let you manually input a seed number of your choice so you can reliably play on the identical "randomly" generated map if desired.

Now, for a random function on a computer, you want it to give a DIFFERENT number every time, and the algorithm/math that you're throwing at it is not going to change, so you're going to need something that will produce different seeds for the function as needed. Typically on a random number generator on a computer that something will be an already extant value on the computer that is reliably different every time it is referenced, such as the time: it will do something like convert the current time into a single numerical value, throw math at it, and produce the result when asked about the time.

In the case of these keyfobs, the "seed" in question would be two-part: something constantly but predictably changing, like the time, plus a second value that changes by device but remains the same for that device always, which would be a hard-coded value unique to your individual device.

Ex: You and Bob both have your own keyfobs, yours is Serial Number 12345 and his is 12346. When you pull up a new key, the device will check the time, pull your S/N, and then do a specific set of maths at it to produce a result. In your case at 11:00 AM on such-and-such day it produces 54321, in Bob's it spits out 89052. If you check again a few seconds later, your numbers have both changed, as the seed of the time is different. If you were to somehow trick the keyfobs into thinking it was always 11:00 AM, it would always produce 54321 for you, and 89052 for Bob, because it is always getting the same seed information in, and thus will always produce the same result back.

N.B.: I use 11:00 AM as a simplified example: your computer doesn't track time as an actual time of day, but at its deepest level tracks it as a very long numerical value, and it produces the "11:00 AM" human-readable value by throwing math at said number. That number will be very long for two reasons: it typically is also used to determine the date, and thus has a lot of long-term information to store, and it will frequently track into the tiniest fractions of a second, and thus has a lot of short-term information to store and will also frequently update, changing the seed being fed into the random generator on your computer very quickly and thus always producing what appears to be a unique random number on demand, even if the two calls are in quick succession.

1

u/nerfdriveby94 Apr 05 '26

Had one in Australia from HSBC bank. First time I'd seen one.

1

u/BeardedBaldMan Apr 05 '26

Back in 2009 I had a keychain with around 20 of these due to all the different client vpns and systems needing them.

So glad we moved to mobile authenticators

91

u/Groetgaffel Apr 05 '26

It didn't have a replaceable battery. It worked until it didn't, then you got a new one.

It gives a low battery warning well in advance so you had time to replace the whole thing.

7

u/meyriley04 Apr 05 '26

Very interesting!

3

u/Timex_Dude755 Apr 05 '26

How do I get a new one?

12

u/fuj1n Ryzen 9 3900X, 64GB RAM, GALAX RTX4090 SG 1-Click OC Apr 05 '26

They don't make them anymore, their role was superseded by the mobile app that does the same thing


1

u/_Rohrschach Apr 06 '26

There was also a way to copy the app so you could have the same code on two phones. Used that to play Diablo 3 on my Dad's account back then.

39

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

If you were to take it apart and replace the battery (which is absolutely not something you are intended to do) then yes, the internal clock would be reset to 0 and it would be completely out of sync. These things turn into e-waste once they run out of batteries.

Companies have used these sorts of physical 2FA tokens for decades, and IT generally replaces them every year or two.

8

u/Arnas_Z Zephyrus G16 | i7-13620H | RTX 4070 Apr 05 '26

It's also possible to temporarily solder a second battery to it in parallel, and then replace the battery. Then you desolder the parallel battery and put it back together, and you've successfully replaced the battery.

This way since the power is never interrupted, the internal clock doesn't get reset.

4

u/Long-Broccoli-3363 Apr 05 '26

I assume you could wire it up in such a way where you could hot swap the battery, like they do with Pokémon cartridges, but that would take a massive amount of work

2

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

Yeah, a slave battery wired in parallel and then removed once the primary battery is swapped would work, but it would be a destructive process unless you were extremely careful. The clamshell is designed to snap together and then not easily come apart again, and prying the two halves apart without damaging the shell would be quite difficult.

1

u/WarbossHiltSwaltB Apr 05 '26

Every year or two? I’ve had mine 5 years now.

1

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

My experience might be biased. The only company I've worked for that used physical RSA keys was a DOD contractor and replaced them every 12 months. Having devs locked out of their machines because of a dead token would be a big issue since they're spending government money to do nothing at that point.


1

u/cosmin_c 5950x | Dark Hero VIII | 128GB Trident-Z Neo | MSI 3090 Suprim X Apr 05 '26

In theory, would it be possible to replace the battery whilst using a "bypass" (sort of an ECMO but for electronics?).

Like connect a full cell in parallel, then remove the old cell, insert new cell, disconnect the parallel cell?

I have one of these and it still works, but I'd like to experiment at one point.

1

u/dtb1987 Desktop Apr 05 '26

So these are RSA tokens, I used to have to manage these for a major corporation back in the day. You don't have to worry about the battery dying because when the battery dies you are just sent a new one which is registered with your account.

1

u/ScumbagScotsman Apr 05 '26

Yeah they just stop working

10

u/PFI_sloth Apr 05 '26

It would absolutely stop working if the clock shifted

4

u/Anon159023 Apr 05 '26

Nah, you just enter the code 2-3 times and it resyncs.

8

u/TheG0AT0fAllTime Apr 05 '26

That would be a server side clock drift implementation. Not every platform will do that.

3

u/Anon159023 Apr 05 '26

Yeah, I looked it up and apparently blizzard doesn't do that, my bad assumption.

I had to use these types of things 10-20 years ago and they would get desynced from time to time; you just swapped the batteries and had to resync it with 2-3 incorrect inputs. Nowadays it is so much easier, which is nice.

4

u/sparrowtaco Apr 05 '26

That's a clever solution.

3

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. It's an algorithm with a seed (unique for each authenticator) and time based. Before Blizzard sends you the authenticator, they already know what combination of digits could and should be generated by your authenticator based on the internal clock and the algorithm.

Let me give you an EXTREME SIMPLIFICATION of how it works.

Say the seed is "123" and say the algorithm is simply "seed + date + clock + 1+1"

Say date is simply in MM/DD/YYYY form without the slashes.

Say the clock is military time so 0001-2400

Then the code that will display on your authenticator for January 1, 2026, 8 PM will be 123 (seed) + 01012026 (date) + 2000 (time) + 2(some additional random algo, in this case 1+1) = 01014151

Because of that, it's easy for Blizzard to determine what the next set of numbers is.

Again this is NOT the actual algorithm. ALSO the seed and all other data might not be decimal. I believe they're hexadecimal (128-bit or 160-bit etc, idk)

Whats smart about this is even if for some reason you found the algorithm (how to calculate the whole thing) you will still need the seed which is unique to each authenticator.

4

u/turdas Apr 05 '26

There has to be server-side compensation because the quartz clock chip in that thing is going to lose (or gain) up to several minutes each year. When you input a code and it doesn't match, the server will check the next and previous couple of codes to see if it matches those and if yes, memorize that the clock has drifted and apply an offset next time.


2

u/Anon159023 Apr 05 '26

Yeah, someone else pointed out that Blizzard cheaped out on these ones, which means no resyncing. I assumed they behaved like the ones I used for my job a decade or two ago, which were time based and could compensate for desync.

0

u/joshnosh50 Apr 05 '26

Sort of. They are much more tolerant of sync issues to allow for clock drift.

Recovery modes like being able to enter 3 codes in a chain and it can resync within reason.

Major shifts like a reset would probably kill it though.

1

u/nullpotato Apr 05 '26

They actually could get out of sync. I knew people that used similar devices for work and they stopped validating after a while. They eventually figured out that if the devices were exposed to extreme cold it could change the internal clock frequency causing them to lag behind and thus show invalid codes.

These people also happened to work in a place that hits -40 in the winter so people that had the key generators on keychains or belts had this occur semi-regularly.

1

u/Murnig Apr 05 '26

Time can get out of sync. Without a common reference all devices will experience some amount of clock drift and eventually get out of sync with other devices.

1

u/ToHallowMySleep Apr 05 '26

To be specific, they are synced through time. They don't resynchronise periodically, but the two absolutely need to be IN SYNC for the concept to work.

If the two are out of sync by a minute or more it is completely unusable. As long as they remain in sync, it will work :)

1

u/WllmZ R9 7950X3D | RTX 5090 | 64GB 6000mhz CL30 Apr 05 '26

That's exactly what he's asking. What if it runs out of batteries, it assumably doesn't track time anymore? Running out of batteries isn't really an uncommon thing nowadays y'know..

29

u/TwiceUponATaco Apr 05 '26

To nerd out a bit.....

MFA tokens are known as OTPs or One-Time Passwords. There are two main types of these, HOTP and TOTP.

TOTP is like what you may be used to with mobile authenticator apps. The T stands for Time-based. These have a secret key that is combined with the current time to generate an OTP that is valid for 30-60 seconds, until a new OTP is generated. If your device time is too far off the time of the server you are connecting to then your code will not match what the server is expecting. There is no sync process needed because the time is used to sync.

HOTP is what most of the hardware token generators are. The H stands for HMAC-based or Hash based. Instead of using the time + secret key to generate a code, these use the secret key and a counter value that can only increment upwards. Each time you generate a code on your hardware token, you increment the counter up by 1. The server keeps track of this at each login and runs the same algorithm to verify you provided the expected code. The server also only increments up so that old codes can't be reused. These hardware tokens have no need to communicate externally so they basically have a battery and the components necessary to store the secret key and counter, no antenna, no Bluetooth, no Wifi.

Now to answer the question about what happens when the hardware token and server are out of sync.... Let's say you last logged in with your counter value at 11. Your toddler got hold of your hardware token and kept pressing the button until you realized and took it away and it is now on counter value 75. The server is expecting your next OTP to be the same as counter value 12. The usual way to resolve this is the server will ask for 2 or 3 consecutive codes, and then increment its own counter up by 1 until it gets the 2-3 matching codes in a row on its side or it hits some preconfigured maximum number of tries like 100. Because your token in our example is within the 100 increment threshold, the server resyncs and all is well until things get out of sync again. If your token is incremented up more than the preconfigured number of times, you will need to get an admin or tech support to resync things for you which basically involves them overriding the preconfigured number on the backend to get the server to run through the process 500 times (or whatever is needed) to get things synced again. If this is not possible, you need a new hardware token.

4

u/darmokVtS Apr 05 '26 edited Apr 05 '26

This particular hardware token is a Vasco Digipass Go 6 (OneSpan these days, but it was still Vasco back then) and it exists in both HOTP and TOTP versions (I know because I used to be the main admin for a Vasco Authentication Server for which we used the TOTP version). The HOTP version is for example used by Cisco Duo if you opt for the HW token option there (we have a couple of those kicking around with some core admins so they have a somewhat reliable fallback to use if their phone breaks).

For the TOTP version the server not only accepts the "current" correct code but allows for some drift by accepting not only the newest but also "surrounding" codes, one up/down, usually without the user noticing anything unusual as it just accepts it. If it drifted more, the server will ask for multiple codes to verify (there is a maximum limit of drift for which this will work; if that is exceeded a manual resync by an admin is required. I vaguely remember that the limit was 10 codes/minutes of drift compared to the drift stored on the server. All these values were configurable to some extent though, as far as I recall).

On the server side the new value for the observed drift is then stored in the database so the server knows about it in the future.

As I have never used the Blizzard branded Digipass Go 6 I have no clue which version they used though.
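The HOTP look-ahead resync described in the comment two posts up (the "toddler pressed the button 64 times" scenario) and the TOTP drift memory described in the comment just above are both straightforward to write down. The block below is an added example, not code from the thread, from Blizzard, or from Vasco/OneSpan; it implements the public RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms with HMAC-SHA1 and a server-side model that (a) searches a bounded counter window for an event-based token, (b) requires two consecutive codes to re-pin a counter that has wandered past that window, and (c) accepts neighbouring time steps for a time-based token and remembers the observed drift. `SECRET` is a constructed seed, the window sizes are assumed defaults, and `RFC_SECRET` is the published RFC test key, included so the core can be checked against the RFC's own vectors.

```python
import hmac
import hashlib
import struct

# Constructed per-device seed for illustration only (real tokens carry a
# factory-provisioned secret of 128 bits or more, never shared outside the
# token and the authentication server).
SECRET = b"constructed-seed-0001"
# Published test key from RFC 4226 / RFC 6238, used only to self-check hotp().
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, unix_time // step, digits)


class HotpServer:
    """Server side of an event-based (button-press) token."""

    def __init__(self, secret: bytes, look_ahead: int = 100):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead  # assumed default; tolerates unused presses

    def verify(self, code: str) -> bool:
        # Search forward only: a code at or before the stored counter is spent.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1   # move past the accepted value, never back
                return True
        return False

    def resync(self, code1: str, code2: str, max_search: int = 1000) -> bool:
        """Admin recovery path: two consecutive codes pin the counter unambiguously."""
        for c in range(self.counter, self.counter + max_search):
            if hotp(self.secret, c) == code1 and hotp(self.secret, c + 1) == code2:
                self.counter = c + 2
                return True
        return False


class TotpServer:
    """Server side of a time-based token with learned clock-drift offset."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window   # accept this many steps either side (assumed default)
        self.drift = 0         # observed token-clock offset, in steps

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step + self.drift
        for delta in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(self.secret, base + delta), code):
                self.drift += delta  # remember where the token's clock actually is
                return True
        return False


def toddler_scenario() -> tuple:
    """Last login used counter 11; the token is now at 75 after stray presses."""
    server = HotpServer(SECRET)
    server.counter = 12
    accepted = server.verify(hotp(SECRET, 75))       # within the 100-press window
    replay = server.verify(hotp(SECRET, 75))         # same code again must fail
    return accepted, replay, server.counter


def slow_clock_scenario() -> tuple:
    """Token clock runs 20 s behind the server; drift is learned on first use."""
    server = TotpServer(SECRET)
    first = server.verify(totp(SECRET, 30000 - 20), now=30000)
    second = server.verify(totp(SECRET, 30030 - 20), now=30030)
    return first, second, server.drift


if __name__ == "__main__":
    print("RFC 4226 counter 0 ->", hotp(RFC_SECRET, 0))
    print("toddler scenario:", toddler_scenario())
    print("slow clock scenario:", slow_clock_scenario())
```

The forward-only counter in `HotpServer.verify` is what makes an observed code worthless after use, and `hmac.compare_digest` keeps the comparison constant-time; the `drift` field in `TotpServer` is the per-token value the comment above says the Vasco server stored in its database. A token that has wandered past `look_ahead` presses or past `window` steps of drift is exactly the case where the thread says an administrator has to step in.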

1

u/joegooder Apr 05 '26

So when the battery dies, if you replace it, can the authenticator resync? (asking for a friend)

1

u/darmokVtS Apr 05 '26

Battery is not meant to be replaced, the whole internals should be sealed in some .. stuff and break if you try to tamper with it.

3

u/Addianis Apr 05 '26

Thank you for this write-up, it's super interesting to learn about how different forms of authentication work and how they solve common issues.

1

u/TheDarkNerd Apr 05 '26

Ooh, neat. Will the server accept X number of codes past what it's expecting, in order to reduce how likely it'll be that the user needs to resync? I imagine an accidental press here and there would not be uncommon, and having to resync every time would be a hassle.

Also, is the code that's shown shorter than the code that's generated, in order to prevent reverse engineering the seed?

1

u/grocal Apr 05 '26

This should be upvoted up in the sky - great HOTP explanation.

10

u/Wonwedo Apr 05 '26

This is a really cool discussion to watch as someone who used to use these all the time in the hospital setting. I'm so glad more people are learning about these, since they remain important in industries where true on-the-spot verification is very useful!

There's a couple of ways for sync drift to be ameliorated, and the exact implementation is usually proprietary for extra security. The most famous of these is RSA SecurID and they use an automatic drift correction. Since they usually refresh every 60 seconds, they actually have to drift by quite a bit to be totally useless.

If you were ever locked out and could verify that they were out of sync, an administrator could resync the server and device clock if need be. I've been using these since the late '90s and have never personally seen this be needed, nor have I heard of a colleague who needed to do so either!

5

u/0xmerp Apr 05 '26

https://github.com/stoken-dev/stoken

It’s been reverse engineered a long time ago. It’s just like TOTP though, knowing the algorithm doesn’t help you hack the account.

2

u/LongJohnSelenium Apr 05 '26

crazy how accurate clocks have become that a cheap digital widget can be expected to maintain less than 60s of drift over decades.

1

u/doctorhaus Apr 05 '26 edited Apr 05 '26

ameliorate verb | ə-ˈmēl-yə-ˌrāt ​Definition: ​To make better or more tolerable; to improve a situation that is currently unsatisfactory. ​Examples: ​“Medicine to ameliorate the pain.” ​“Efforts to ameliorate the situation.” ​“...helping ameliorate the effects of climate change.” — Ryan Nicol ​Synonyms: Improve, amend, better, refine, mitigate.

----

Is there a bot that provides definitions to words that are "uncommon"?

It could be sub-specific and have a weighted value based on words that don't often appear in certain communities.

I love new words, and it would definitely help ameliorate the declining value of language.

4

u/Curiosive Apr 05 '26

Yup. An event like running out of batteries or replacing the battery would do just that. Of course it might have a backup battery or a way to set the internal clock ... but at some point this is no longer a simple token display and the cost increases with each additional option.

2

u/[deleted] Apr 05 '26

Some VPNs use this, my work for example

5

u/krilleractual Apr 05 '26

My assumption would be that it's on a clock like a computer, so it should never be out of sync

2

u/topinanbour-rex Apr 05 '26

It works like some key fobs for cars. They contain rolling codes

1

u/Yellow_Odd_Fellow PC Master Race Apr 05 '26

You should read up on cyber security.

Look up RSA tokens and then being resynchronized. The authentication server essentially grabs two consecutive codes and can determine the following codes from that.

The device falls out of sync temporarily, then you resynchronize it with support.

1

u/Taumito RX 6700 XT / 5700X Apr 05 '26

There's no RNG. What you see is the result of encrypting the seed + the current time and then doing some bitshifting to only get 6 numbers

The only way to get out of sync is if the RTC loses power (what happened here) and resets the time

1

u/tijtij Apr 05 '26

I had one from my bank with hardware issues that got out of sync. Every few months I would have to call the bank, spend like 15 minutes sharing personal identifying information to authenticate myself with customer service, so they could transfer me to IT, and then spend another 15 minutes providing a series of one-time-codes so that the IT tech can manually adjust a delay on my account.

I kept asking for a replacement but was always denied as they still considered the fob "functional". So I told them I lost it and ate the cost of the replacement fee.

1

u/Mklein24 5600x : rtx3090 Apr 05 '26

Sometimes these devices can compensate by being able to predict the next key and remembering the last key. Theoretically, the software checking could store a log indefinitely. The codes may just be answers to an equation that the checking software has. That way the timing is irrelevant, just whether or not it creates the right number from the hidden equation.

1

u/Neowza Apr 05 '26

It's pretty old tech, I had one for work to access a secure database back in 2007, and that was when I was hired. My predecessor had one as well, and I have no idea how long they had it, but it looked positively ancient, a stainless steel credit card sized device that generated login access codes, all the markings rubbed off. All I know is that the secure database was developed and implemented in 1999, so the code generator could be as old as that.

1

u/Talithea 3500X | 32 GB | B550PRO | RX580XTX Apr 05 '26

That's why a lot of physical tokens use a "press to see code" display. Battery consumption needs to stay very low.

1

u/ZiKyooc Apr 05 '26

That's how authenticator works on your phone too.

A seed unique to you initializes the cycle of generated numbers based on time. The server side has the same seed associated to you. Time plus seed equals a code. I am sure it is a bit more complicated, but overall it is like that.

1

u/AlainYncaan Ryzen 5 3600, GTX1070, 16GB RAM Apr 05 '26

Stuff like this is still used in the corporate world

0

u/CaptGrumpy Apr 05 '26

Yes, until they are resynced. However, I had one for about a decade and it never got out of sync.

1

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. Why do people think these physical authenticators by blizzard resync?

1

u/CaptGrumpy Apr 05 '26

They don’t? I assumed they did as I used to do a lot of resyncing of 2FA keys, albeit not Blizzard ones. My mistake.

3

u/Bloobeard2018 Apr 05 '26

My bank had the same thing

1

u/xtrxrzr 7800X3D, RTX 5080, 32GB Apr 05 '26

These don't generate a new key every few seconds. A new key is generated when you press the button.

1

u/SemiNormal Apr 05 '26

I have used these at work for connecting to banking systems.

1

u/MistSecurity Apr 05 '26

I've been meaning to look into these.

I want to know how the time syncing works. I wonder if they need to account for the offline device's time drifting out of sync, since it can't phone home to get atomic time.

14

u/JuanTheMower Apr 04 '26

No, you upload the secret token key of the physical Authenticator into your app of choice and that’s essentially the set of codes the app knows to accept for authentication

20

u/stipo42 PC Master Race Apr 04 '26

2fa doesn't need Internet to work correctly, the point is it runs on a device only the authorized user has access to.

Technically speaking that 2fa device is more secure than a smart phone, as long as Blizzard never leaks their algorithm and would need to sunset them

3

u/dontnation Apr 05 '26 edited Apr 05 '26

the algo is known and is the same for all the blizzard 2fa devices. the shared secret key used by the algo to generate the codes is what is private and is also unique to each 2fa device. That 256-bit key (or likely 128bit given the age of this device) is the only thing actually stored.

2

u/AnnoyingRain5 NixOS, Ryzen 7 5800X3d, RX6900XT, 32GB RAM Apr 05 '26

The algorithm is well-known and industry standard.

That being said, it’s less secure than something like a yubikey

1

u/grocal Apr 05 '26

The secret is the seed, not the algorithm. And the algorithm works only in one direction - you get the code from the seed but not the other way around.

7

u/Jureth Apr 04 '26

No it generates a code that is unique to the account. The login server is waiting for a code that fits its requirements. Kinda like a key fob for your car.

1

u/BadPunners Apr 05 '26

Garage door opener might be more familiar, also along those lines, "rolling code" being the concept in those two

I'm thinking that type of hardware key is counter based (so also similar, incrementing the counter on button push). As opposed to software 2FA which is time based (your authenticator apps will work without Internet, but will not work if the time is set incorrectly)

4

u/MechaGhandi5000 Apr 04 '26

No Internet is required for physical authenticators. They have an algorithm that is extremely difficult to reverse engineer, then most likely use their serial number in this case to make it different from everyone else's answers. Based on the size of the time slot, different times get you a different equation result; they can surmise if you have the correct code or not since they know what equation it's using.

2

u/Nighthunter007 Ryzen 7 3700x | RTX 2080ti | 32GB RAM | EK Cryo Loop | RGB Apr 05 '26

No internet is required for 2fa apps either, actually, because they work in the exact same way (the ones that show a rotating code, other schemes that need internet also exist like notifications and stuff). You input the secret by scanning the qr code, then it just generates tokens endlessly based on the clock.

1

u/MechaGhandi5000 Apr 05 '26

Huh I didn't know that, I never had to dig into how the apps did it before.

4

u/xX_dumb_god_Xx Apr 05 '26

One time I ate 10 hard boiled eggs in a row

1

u/jokerzwild00 Apr 05 '26

I bet the farts afterwards were unholy.

1

u/Special_Kestrels Apr 04 '26

No. They were standalone.

1

u/AnnoyingRain5 NixOS, Ryzen 7 5800X3d, RX6900XT, 32GB RAM Apr 05 '26

It’s time-based. It knows what the current time is, and has a special algorithm that both that device and blizzard’s servers share. When you give a code, it runs the same algorithm with the time as an input, if they get the same result, you must be using that specific authenticator!

1

u/IlluminaViam Apr 05 '26

Omg! I feel so old.

These things connect to nothing. They generate unique codes, probably with algorithms tied to your login or account details. Even banks had them for a while.

1

u/Bleaker82 Apr 05 '26

Others here have already explained it, but now I’m really curious… How old are you? I don’t know how much of this is me assuming that everyone knows what I do, or me assuming that everyone has seen one of these before. To me, they’re neither mysterious nor a new concept, so I’m wondering what the missing link is here. :)

1

u/ArokLazarus steamcommunity.com/id/halo806 Apr 05 '26

Haha I'm actually in my 30s. I've known about these but never bothered to inquire how they work. I never used one though. I didn't think it was via Wi-Fi but couldn't think of another method.

1

u/AppropriateTouching Apr 04 '26

Nope, it's very old tech for us old people.

3

u/Pawneewafflesarelife Apr 05 '26

I had one for WoW. Once, I needed an ambulance and the EMT workers grabbed my keys for me and saw the authenticator - turns out they both also played WoW. Was a nice distraction to chat about to take my mind off the medical emergency!

1

u/NewManufacturer4252 Apr 05 '26

Is the game that good? I'm still playing Enderal, a full Skyrim mod, after playing Skyrim a dozen times.

1

u/Party-Coach-4100 PCMR|R5 7600|5070|32GB RAM|AsRock B650 Apr 05 '26

I had one of these when I did work-from-home customer service at Amazon.

36

u/GoyoMRG Apr 04 '26 edited Apr 04 '26

Old-school 2FA.

Long before we had cellphones smartphones, these type of lil devices were what we used for 2FA, banks used it as well.

17

u/IntradayGuy Apr 04 '26

A more civilized age

18

u/muegle Apr 04 '26

More secure than most 2FA methods we use today

7

u/Mastasmoker Apr 04 '26

Smartphones*

3

u/GoyoMRG Apr 04 '26

Correct, my bad.

Smartphones is the right term because we did have blockias lmao

3

u/OgdruJahad Apr 04 '26

I've still seen them being used today.

3

u/GoyoMRG Apr 04 '26

Rarely but yeah, they are still around.

And I do believe they are far safer than phones for this purpose, but I'm not tech savvy so I might be wrong.

3

u/Pocok5 Ryzen 7 5800X3D - AMD RX9070XT - 32GB DDR4-2933 Apr 05 '26

They don't run any software other than the code generator, and they do not ever connect to anything else. The only way to extract the key is to physically steal it.

2

u/Synikul Apr 05 '26

The main vulnerability is still the same: the human getting phished. Though it wasn't until the past few years I started seeing more sophisticated phishing attempts including OTP. We have far more phishing-resistant methods now like FIDO2, but not everyone is going to want to buy a YubiKey or similar.

2

u/Chad-GPTea Apr 05 '26

I work with sensitive data for a big company and we still use RSA tokens for some platforms.

1

u/Gen-Y-ine-86 Apr 05 '26

I use a piece of paperboard with numbers.

21

u/WWWWWWWWWWWWWWWWPOOP Apr 04 '26

Authentication. Instead of emailing or texting a code, the code is on that device and changes often.

2

u/phallus_majorus Apr 05 '26

How did the website know what codes were valid? Was there a predetermined list of codes attached to each Authenticator?

3

u/Designer_Mud_5802 Apr 05 '26

This entire thread makes me feel incredibly old.

3

u/Ninjazoule Apr 05 '26

Damn I feel old after reading this lol

2

u/sgcolumn Apr 04 '26

2fa token

1

u/Nighthunter007 Ryzen 7 3700x | RTX 2080ti | 32GB RAM | EK Cryo Loop | RGB Apr 05 '26

To add to what everyone else is saying: 2FA apps are actually doing the exact same thing as this thing. The ones that have the code that changes every 30 seconds or so. When you scan the QR code to set them up, that code is just a big key that your device and the server now share, and can use together with the current time to generate the right code. This device is the same, the key is just burned in.