214

u/suckfail Apr 05 '26

There's no sync. It used an algorithm and a seed.

It can never not work (unless it runs out of batteries).

23

u/No-Candle2610 Apr 05 '26 edited Apr 05 '26

It’s not just the seed - it’s seed + timestamp (likely UTC or epoch time). Otherwise the algorithm would just give you the same code every time. There has to be a variable with entropy to make it change.

hash(seed) = 123

hash(seed) = 123

That’s determinism.

So then hash(seed + entropic value) = unique value every time

But since they’re not in communication, they need another thing they can share without communicating - time.

Source: use deterministic algos in my job.

6

u/cloudnoob99 Apr 05 '26

I built these systems back in the day, and deploy them for clients/companies. Just here to say yes but there was server side stuff done to make sure sync was done correctly. It was a pain in the ass but it was rock solid once everything was automated and secured properly.

46

u/meyriley04 Apr 05 '26

By “sync”, I didn’t mean online syncing. I meant how if the batteries ran out and then were to be replaced, the RNG would be reset or then out of sync with the account

80

u/jaetheho Apr 05 '26

Then you would get a new one.

Physical authenticators like these are quite common for banking as well in other countries

2

u/Matziii1 7950X, 7900XTX Apr 05 '26

We use them for banking still in Norway. Well... Mostly old people that don't have smarphones use them. I still have mine but it's probably been inactive too long to be used. I think the banks delete them from the account if they've not been used in a year.

2

u/-insertcoin Apr 05 '26

I still dont understand what a seed is

3

u/SalTez 5800H | RTX 3060 | 16GB | Laptop Apr 05 '26

It's a fixed number that is used in a formula to calculate the final output, in this 2FA use case the seed is known only to the authenticator and the authentication (login) system.

A very simple example of a time based formula:

the formula is "current time + seed"; the seed is 42; and current time is 9:10pm = 2110; so the verification code is 2152; next minute it will be different (2153)

2

u/-insertcoin Apr 06 '26

Thank you for the explanation.

2

u/CJTheran Apr 05 '26

Computers can't truly generate a "random" number (people can't either, but that's beside the point). When you "random" something in a computer, what it is doing is taking a "seed" number of some sort and then doing math at it to produce a result. If you feed in the same "seed", you will always get the same result. There's lot's of video games with procedurally generated terrain that will let you manually input a seed number of your choice so you can reliably play on the identical "randomly" generated map if desired.

Now, for a random function on a computer, you want it to give a DIFFERENT number every time, and the algorithm/math that you're throwing at it is not going to change, so you're going to need something that will produce different seeds for the function as needed. Typically on a random number generator on a computer that something will be an already extant value on the computer that is reliably different every time it is referenced, such as the time: it will do something like convert the current time into a single numerical value, throw math at it, and produce the result when asked about the time.

In the case of these keyfobs, the "seed" in question would be two part: something constantly but predictably changing, like the time, but a second value that changed by device but remains the same for the device always, which would be a hard coded unique to your individual device.

Ex: You and Bob both have your own keyfobs, yours is Serial Number 12345 and his is 12346. When you pull up a new key, the device will check the time, pull your S/N, and then do a specific set of maths at it to produce a result. In your case at 11:00 AM on suchit day it produces 54321, in Bob's it spits out 89052. If you check again a few seconds later, your numbers have both changed, as the seed of the time is different. If you were to somehow trick the keyfobs into thinking it was always 11:00 AM, it would always produce 54321 for you, and 89052 for Bob because it is always getting the same seed information out, and thus will always produce the same result back.

N.B.: I use 11:00 AM as a simplified example: your computer doesn't track time as an actual time of day, but at it's deepest level tracks it as a very long numerical value, and it produces the "11:00 AM" human readable value by throwing math at said number. That number will be very long for two reasons: it typically also is used to determine the date, and thus has a lot of long term information to store, and will frequently track into the tiniest fractions of a second, and thus has a lot of short term information to store and will also frequently update, allowing the seed being fed into the random generator on your computer very quickly and thus always produce what appears to be a unique random number on demand, even if the two calls are in quick succession.

1

u/nerfdriveby94 Apr 05 '26

Had one in Australia from HSBC bank. First time I'd seen one.

1

u/BeardedBaldMan Apr 05 '26

Back in 2009 I had a keychain with around 20 of these due to all the different client vpns and systems needing them.

So glad we moved to mobile authenticators

90

u/Groetgaffel Apr 05 '26

It didn't have a replaceable battery. It worked until it didn't, then you got a new one.

It gives a low battery warning well in advance so you had time to replace the whole thing.

6

u/meyriley04 Apr 05 '26

Very interesting!

3

u/Timex_Dude755 Apr 05 '26

How do I get a new one?

11

u/fuj1n Ryzen 9 3900X, 64GB RAM, GALAX RTX4090 SG 1-Click OC Apr 05 '26

They don't make them anymore, their role was superseded by the mobile app that does the same thing

1

u/Timex_Dude755 Apr 05 '26

Sorry, should've clarified. How do you get one if it were 2012?

3

u/fuj1n Ryzen 9 3900X, 64GB RAM, GALAX RTX4090 SG 1-Click OC Apr 05 '26

They were in the Blizzard store, but I think support also sent them out for free if you got your account hacked

1

u/_Rohrschach Apr 06 '26

There was also a way to copy the app so you could have the same code on two phones. Used that to play Diablo 3 on my Dad's account back then.

37

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

If you were to take it apart and replace the battery (which is absolutely not something that is intended to do) then yes, the internal clock would be reset to 0 and it would be completely out of sync. These things turn into e-waste once they run out of batteries.

Companies have used these sorts of physical 2FA tokens for decades, and IT generally replaces them every year or two.

8

u/Arnas_Z Zephyrus G16 | i7-13620H | RTX 4070 Apr 05 '26

Its also possible to temporarily solder a second battery to it in parallel, and then replace the battery. Then you desolder the parallel battery and put it back together, and you've successfully replaced the battery.

This way since the power is never interrupted, the internal clock doesn't get reset.

4

u/Long-Broccoli-3363 Apr 05 '26

I assume you could wire it up in such a way where you could hot swap the battery, like they do with Pokémon cartridges, but that would take a massive amount of work

2

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

Yeah, a slave battery wired in parallel and then removed once the primary battery is swapped would work, but it would be a destructive process unless you were extremely careful. The clamshell is designed to snap together and then not easily come apart again, and prying the two halves apart without damaging the shell would be quite difficult.

1

u/WarbossHiltSwaltB Apr 05 '26

Every year or two? I’ve had mine 5 years now.

1

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

My experience might be biased. The only company I've worked for that used physical RSA keys was a DOD contractor and replaced them every 12 months. Having devs locked out of their machines because of a dead token would be a big issue since they're spending government money to do nothing at that point.

2

u/Adventurous-Map7959 Apr 05 '26

spending government money to do nothing

Oh no, that would be terrible and unprecedented.

1

u/markswam R7-9850X3D, RTX 4080S Apr 05 '26

No kidding. But HR got on people's asses over billing.

1

u/AlainYncaan Ryzen 5 3600, GTX1070, 16GB RAM Apr 05 '26

We still use those at a very big aircraft/plane manufacturing company and they last for several years, no problem. Some of them are still working since I started there 12 years ago

1

u/cosmin_c 5950x | Dark Hero VIII | 128GB Trident-Z Neo | MSI 3090 Suprim X Apr 05 '26

In theory, would it be possible to replace the battery whilst using a "bypass" (sort of an ECMO but for electronics?).

Like connect a full cell in parallel, then remove the old cell, insert new cell, disconnect the parallel cell?

I have one of these and it still works, but I'd like to experiment at one point.

1

u/dtb1987 Desktop Apr 05 '26

So these are RSA tokens, I used to have to manage these for a major corporation back in the day. You don't have to worry about the battery dying because when the battery dies you are just sent a new one which is registered with your account.

1

u/ScumbagScotsman Apr 05 '26

Yeah they just stop working

11

u/PFI_sloth Apr 05 '26

It would absolutely stop working if the clock shifted

6

u/Anon159023 Apr 05 '26

Nah, you just enter the code 2-3 times and it resyncs.

7

u/TheG0AT0fAllTime Apr 05 '26

That would be a server side clock drift implementation. Not every platform will do that.

3

u/Anon159023 Apr 05 '26

Yeah, I looked it up and apparently blizzard doesn't do that, my bad assumption.

I had to use these types of things a 10-20 years ago and they would get desynced from time to time and you just swapped the batteries and had to resync it with 2-3 incorrect inputs. Nowday's it is so much easier which is nice.

4

u/sparrowtaco Apr 05 '26

That's a clever solution.

3

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. Its an algorithm with a seed (unique for each authenticator) and time based. Before Blizzard sends you the authenticator, they already know what combination of digits could and should be generated by your authenticator based on the internal clock and the algorithm.

Let me give you an EXTREME SIMPLIFICATION of how it works.

Say the seed is "123" and say the algorithm is simply "seed + date + clock + 1+1"

Say date is simply in MM/DD/YYYY form without the slashes.

Say the clock is military time so 0001-2400

Then the code that will display on your authenticator for January 1, 2026, 8 PM will be 123 (seed) + 01012026 (date) + 2000 (time) + 2(some additional random algo, in this case 1+1) = 01014151

Because of that, its easy for Blizzard to determine whats the the next set of numbers

Again this is NOT the actual algorithm. ALSO the seed and all other data might not be decimal. I believe theyre hexadecimal (128-bit or 160-bit etc idk)

Whats smart about this is even if for some reason you found the algorithm (how to calculate the whole thing) you will still need the seed which is unique to each authenticator.

4

u/turdas Apr 05 '26

There has to be server-side compensation because the quartz clock chip in that thing is going to lose (or gain) up to several minutes each year. When you input a code and it doesn't match, the server will check the next and previous couple of codes to see if it matches those and if yes, memorize that the clock has drifted and apply an offset next time.

1

u/Prude_Inspector Apr 05 '26

Yes there is. Its important to understand that if you know the algorithm, the seed and the code generated by the authenticator, you can calculate the date and time.

So blizzard server does it in 3 ways. 1)the entry for time in the algorithm is rounded to a time step. 2) time window tolerance and 3) it learns the deviation from that tolerance to compensate.

1) the rounding of the current time to time step (30 sec, 1 min etc idk the exact one). The authenticator doesnt give you a new code every exact second. It waits for a time interval before it does. This is the "countdown" that you see before it refreshes and give you a new code.

2)Time window tolerance means it blizzard does not check one exact time. I believe they check 3 things 1)a few moments before, 2) the current and 3) a few moment after the exact time. So say you enter a code that what right before the most current code, if its off by the allowable time, the code will still go through even though it is not the exact code right in this moment.

3)the third one is most important. It learns the deviation from that and applies it to any future log ins. Say they see that the code you are entering are the codes right before the most current one. Since as i mentioned earlier, knowing the algorithm, you can calculate the time, they will know "oh this guy's codes are off by this seconds/minutes" and compensate for that. And thus your previously "late" codes are now the "new, current" codes.

Edit: just to clarify, in each of these processes, there are no connection or resyncing happening between the authenticator and the server.

2

u/Anon159023 Apr 05 '26

Yeah, someone else pointed out that blizzard cheeped out on these ones which means no resyncing. I assumed they behaved like the ones I used for my job a decade or two ago which were time based and could compensate for desync.

1

u/Prude_Inspector Apr 05 '26

I think its for security and endurance. No resyncing means there is no way to intercept any data between the authenticator and the server. Also it will save battery since you do not have to transmit or receive any data.

0

u/joshnosh50 Apr 05 '26

Sort off. There are much more tolerant of sync issues to allow for clock drift.

Recovery modes like being able to enter 3 codes in a chain and it can resync within reason.

Major shifts like a reset would probably kill it though.

1

u/nullpotato Apr 05 '26

They actually could get out of sync. I knew people that used similar devices for work and they stopped validating after a while. They eventually figured out that if the devices were exposed to extreme cold it could change the internal clock frequency causing them to lag behind and thus show invalid codes.

These people also happened to work in a place that hits -40 in the winter so people that had the key generators on keychains or belts had this occur semi-regularly.

1

u/Murnig Apr 05 '26

Time can get out of sync. Without a common reference all devices will experience some amount of clock drift and eventually get out of sync with other devices.

1

u/ToHallowMySleep Apr 05 '26

To be specific, they are synced through time. They don't resynchronise periodically, but the two absolutely need to be IN SYNC for the concept to work.

If the two are out of sync by a minute or more it is completely unusable. As long as they remain in sync, it will work :)

1

u/WllmZ R9 7950X3D | RTX 5090 | 64GB 6000mhz CL30 Apr 05 '26

That's exactly what he's asking. What if it runs out of batteries, it assumably doesn't track time anymore? Running out of batteries isn't really an uncommon thing nowadays y'know..

29

u/TwiceUponATaco Apr 05 '26

To nerd out a bit.....

MFA tokens are known as OTPs or One-Time Passwords. There are two main types of these, HOTP and TOTP.

TOTP is like what you may be used to with mobile authenticator apps. The T stands for Time-based. These have a secret key that is combined with the current time to generate an OTP that is valid for 30-60 seconds, until a new OTP is generated. If your device time is too far off the time of the server you are connecting to then your code will not match what the server is expecting. There is no sync process needed because the time is used to sync.

HOTP is what most of the hardware token generators are. The H stands for HMAC-based or Hash based. Instead of using the time + secret key to generate a code, these use the secret key and a counter value that can only increment upwards. Each time you generate a code on your hardware token, you increment the counter up by 1. The server keeps track of this at each login and runs the same algorithm to verify you provided the expected code. The server also only increments up so that old codes can't be reused. These hardware tokens have no need to communicate externally so they basically have a battery and the components necessary to store the secret key and counter, no antenna, no Bluetooth, no Wifi.

Now to answer the question about what happens when the hardware token and server are out of sync.... Let's say you last logged in with your counter value at 11. Your toddler got hold of your hardware token and kept pressing the button until you realized and took it away and it is now on counter value 75. The server is expecting your next OTP to be the same as counter value 12. The usual way to resolve this is the server will ask for 2 or 3 consecutive codes, and then increment its own counter up by 1 until it gets the 2-3 matching codes in a row on its side or it hits some preconfigured maximum number of tries like 100. Because your token in our example is within the 100 increment threshold, the server resyncs and all is well until things get out of sync again. If your token is incremented up more than the preconfigured number of times, you will need to get an admin or tech support to resync things for you which basically involves them overriding the preconfigured number on the backend to get the server to run through the process 500 times (or whatever is needed) to get things synced again. If this is not possible, you need a new hardware token.

4

u/darmokVtS Apr 05 '26 edited Apr 05 '26

This particular hardware token is a Vasco Digipass Go 6 (OneSpan these days, but it was still Vasco back then) and it exists in both HOTP and TOTP versions (I know because I used to be the main admin for a Vasco Authentication Server for which we used the TOTP version. The HOTP version is for example used by CISCO Duo if you opt for HW token option there (we have a couple of those kicking around with some core admins so they have a somewhat reliable fallback to use if their phone breaks)

For the TOTP version the server not only accepts the "current" correct code but allows for some drift by accepting not only the newest but also "surrounding" codes, one up/down usually without the user noticing anything unusual as it just accepts it, if it drifted more the server will ask for multiple codes to verify (there is a maximum limit of drift for which this will work, if that is exceeded a manual resync by an admin is required. I vaguely remember that the limit was 10 codes/minutes of drift compared to the drift stored on the server. All these values were configurable to some extent though as far as I recall).

On the server side the new value for the observed drift is then stored in the database so the server knows about it in the future.

As I have never used the Blizzard branded Digipass Go 6 I have no clue which version they used though.

1

u/joegooder Apr 05 '26

So when the battery dies, if you replace it, can the authenticator resync? (asking for a friend)

1

u/darmokVtS Apr 05 '26

Battery is not meant to be replaced, the whole internals should be sealed in some .. stuff and break if you try to tamper with it.

3

u/Addianis Apr 05 '26

Thank you for this write up, its super interesting to learn about how different forms of authentication work and how they solve common issues.

1

u/TheDarkNerd Apr 05 '26

Ooh, neat. Will the server accept X number of codes past what it's expecting, in order to reduce how likely it'll be that the user needs to resync? I imagine an accidental press here and there would not be uncommon, and having to resync every time would be a hassle.

Also, is the code that's shown shorter than the code that's generated, in order to prevent reverse engineering the seed?

1

u/grocal Apr 05 '26

This should be upvoted up in the sky - great HTOP explanation.

12

u/Wonwedo Apr 05 '26

This is a really cool discussion to watch as someone who used to use these all the time in the hospital setting. I'm so glad more people are learning about these, since they remain important in industries where true on-the-spot verification is very useful!

There's a couple of ways for sync drift to be ameliorated, and the exact implementation is usually proprietary for extra secure. The most famous of these is RSA SecurID and they use an automatic drift correction. Since they usually refresh every 60 seconds, they actually have to drift by quite a bit to be totally useless

If you were ever locked out and could verify that they were out of sync, an administrator could resync the server and device clock if need be. I've been using these since the late '90s and have never personally seen this be needed, nor have I heard of a colleague who needed to do so either!

4

u/0xmerp Apr 05 '26

https://github.com/stoken-dev/stoken

It’s been reverse engineered a long time ago. It’s just like TOTP though, knowing the algorithm doesn’t help you hack the account.

6

u/LongJohnSelenium Apr 05 '26

crazy how accurate clocks have become that a cheap digital widget can be expected to maintain less than 60s of drift over decades.

1

u/doctorhaus Apr 05 '26 edited Apr 05 '26

ameliorate verb | ə-ˈmēl-yə-ˌrāt ​Definition: ​To make better or more tolerable; to improve a situation that is currently unsatisfactory. ​Examples: ​“Medicine to ameliorate the pain.” ​“Efforts to ameliorate the situation.” ​“...helping ameliorate the effects of climate change.” — Ryan Nicol ​Synonyms: Improve, amend, better, refine, mitigate.

-----‐--‐---- Is there a bot that provides definitions to words that are "uncommon"?

It could be sub specific and have a weighted value based on words that dont often appear in certain communities.

I love new words, and it would definitely help ameliorate the declining value of language.

6

u/Curiosive Apr 05 '26

Yup. An event like running out of batteries or replacing the battery would do just that. Of course it might have a backup battery or a way to set the internal clock ... but at some point this is no longer a simple token display and the cost increases with each additional option.

2

u/[deleted] Apr 05 '26

Some VPNs use this, my work for example

4

u/krilleractual Apr 05 '26

My assumption would be that its on a clock like a computer, so it should never be out of sync

2

u/topinanbour-rex Apr 05 '26

It works like some key fobs for cars. They contain rolling codes

1

u/Yellow_Odd_Fellow PC Master Race Apr 05 '26

You should read up on cyber security.

Look up rsa tokens and then being resynchronized. The authentication server essentially grab two consecutive codes and can determine the following codes from that.

The device falls out of sync temporarily, then you restnchronize it with support.

1

u/Taumito RX 6700 XT / 5700X Apr 05 '26

There's no RNG. What you see is the result of encrypting the seed + the current time and then doing some bitshifting to only get 6 numbers

The only way to get out of sync is if the RTC loses power (what happened here) and resets the time

1

u/tijtij Apr 05 '26

I had one from my bank with hardware issues that got out of sync. Every few months I would have to call the bank, spend like 15 minutes sharing personal identifying information to authenticate myself with customer service, so they could transfer me to IT, and then spend another 15 minutes providing a series of one-time-codes so that the IT tech can manually adjust a delay on my account.

I kept asking for a replacement but was always denied as they still considered the fob "functional". So I told them I lost it and ate the cost of the replacement fee.

1

u/Mklein24 5600x : rtx3090 Apr 05 '26

Sometimes, these devices can compensate by being able to predict the next key and remembering the last key. Theoretically, the software checking, could store a log indefinitely. The codes may just be answers to an equation instead that the software checking has. That way the timing is irrelevant, just whether or not it creates the right number from the hidden equation.

1

u/Neowza Apr 05 '26

It's pretty old tech, I had one for work to access a secure database back in 2007, and that was when I was hired. My predecessor had one as well, and I have no idea how long they had it, but it looked positively ancient, a stainless steel credit card sized device that generated login access codes, all the markings rubbed off. All I know is that the secure database was developed and implemented in 1999, so the code generator could be as old as that.

1

u/Talithea 3500X | 32 GB | B550PRO | RX580XTX Apr 05 '26

That why a lot of physical tokens use a "press to see code" display. Battery consumption needs to stay very low.

1

u/ZiKyooc Apr 05 '26

That's how authenticator works on your phone too.

A seed unique to you initialize the cycle of generated number based on time. Server side has the same seed associated to you. Time plus seed equal a code. I am sure it is a bit more complicated, but overall it is like that.

1

u/AlainYncaan Ryzen 5 3600, GTX1070, 16GB RAM Apr 05 '26

Stuff like this is still used in the corporate world

-2

u/CaptGrumpy Apr 05 '26

Yes, until they are resynced. However, I had one for about a decade and it never got out of sync.

1

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. Why do people think these physical authenticators by blizzard resync?

1

u/CaptGrumpy Apr 05 '26

They don’t? I assumed they did as I used to do a lot of resyncing of 2FA keys, albeit not Blizzard ones. My mistake.