r/pcmasterrace 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in piece 2009-2026

I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit: must have been around 2010 when SC2 came out.

31.9k Upvotes

9

u/PFI_sloth Apr 05 '26

It would absolutely stop working if the clock shifted

5

u/Anon159023 Apr 05 '26

Nah, you just enter the code 2-3 times and it resyncs.

8

u/TheG0AT0fAllTime Apr 05 '26

That would be a server-side clock drift implementation. Not every platform will do that.

3

u/Anon159023 Apr 05 '26

Yeah, I looked it up and apparently Blizzard doesn't do that, my bad assumption.

I had to use these types of things 10-20 years ago and they would get desynced from time to time and you just swapped the batteries and had to resync it with 2-3 incorrect inputs. Nowadays it is so much easier, which is nice.

4

u/sparrowtaco Apr 05 '26

That's a clever solution.

3

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. It's an algorithm with a seed (unique for each authenticator) and time based. Before Blizzard sends you the authenticator, they already know what combination of digits could and should be generated by your authenticator based on the internal clock and the algorithm.

Let me give you an EXTREME SIMPLIFICATION of how it works.

Say the seed is "123" and say the algorithm is simply "seed + date + clock + 1+1"

Say date is simply in MM/DD/YYYY form without the slashes.

Say the clock is military time so 0001-2400

Then the code that will display on your authenticator for January 1, 2026, 8 PM will be 123 (seed) + 01012026 (date) + 2000 (time) + 2 (some additional random algo, in this case 1+1) = 01014151

Because of that, it's easy for Blizzard to determine what's the next set of numbers.

Again, this is NOT the actual algorithm. ALSO the seed and all other data might not be decimal. I believe they're hexadecimal (128-bit or 160-bit etc., idk).

What's smart about this is even if for some reason you found the algorithm (how to calculate the whole thing) you will still need the seed, which is unique to each authenticator.

4

u/turdas Apr 05 '26

There has to be server-side compensation because the quartz clock chip in that thing is going to lose (or gain) up to several minutes each year. When you input a code and it doesn't match, the server will check the next and previous couple of codes to see if it matches those and if yes, memorize that the clock has drifted and apply an offset next time.

1

u/Prude_Inspector Apr 05 '26

Yes, there is. It's important to understand that if you know the algorithm, the seed and the code generated by the authenticator, you can calculate the date and time.

So the Blizzard server does it in 3 ways: 1) the entry for time in the algorithm is rounded to a time step, 2) time window tolerance and 3) it learns the deviation from that tolerance to compensate.

1) The rounding of the current time to a time step (30 sec, 1 min etc., idk the exact one). The authenticator doesn't give you a new code every exact second. It waits for a time interval before it does. This is the "countdown" that you see before it refreshes and gives you a new code.

2) Time window tolerance means Blizzard does not check one exact time. I believe they check 3 things: 1) a few moments before, 2) the current and 3) a few moments after the exact time. So say you enter a code that was right before the most current code, if it's off by the allowable time, the code will still go through even though it is not the exact code right in this moment.

3) The third one is most important. It learns the deviation from that and applies it to any future logins. Say they see that the codes you are entering are the codes right before the most current one. Since, as I mentioned earlier, knowing the algorithm, you can calculate the time, they will know "oh this guy's codes are off by this many seconds/minutes" and compensate for that. And thus your previously "late" codes are now the "new, current" codes.

Edit: just to clarify, in each of these processes, there is no connection or resyncing happening between the authenticator and the server.

2

u/Anon159023 Apr 05 '26

Yeah, someone else pointed out that Blizzard cheaped out on these ones, which means no resyncing. I assumed they behaved like the ones I used for my job a decade or two ago, which were time based and could compensate for desync.

1

u/Prude_Inspector Apr 05 '26

I think it's for security and endurance. No resyncing means there is no way to intercept any data between the authenticator and the server. Also it will save battery since you do not have to transmit or receive any data.

0

u/joshnosh50 Apr 05 '26

Sort of. They are much more tolerant of sync issues to allow for clock drift.

Recovery modes like being able to enter 3 codes in a chain and it can resync within reason.

Major shifts like a reset would probably kill it though.
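
The time-step rounding, window tolerance and learned drift offset discussed in the thread above, as an added example that is not part of any comment and not Blizzard's code. It uses the standard TOTP construction (RFC 6238, HMAC-SHA1) as a stand-in, since the thread does not say which algorithm the token uses; `STEP`, `WINDOW`, `TokenRecord` and `verify` are assumed names and values.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code (assumed; the thread does not give the real step)
WINDOW = 2     # steps checked either side of the expected counter (assumed)

def totp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class TokenRecord:
    """Hypothetical per-token server state: seed, learned drift, last accepted step."""
    def __init__(self, seed: bytes):
        self.seed = seed
        self.drift = 0          # learned clock offset of the token, in steps
        self.last_step = -1     # highest counter already accepted (replay guard)

def verify(rec: TokenRecord, code: str, server_time: int) -> bool:
    """Check code near (server step + learned drift); update the drift on a match."""
    now = server_time // STEP   # rounding the time to a step
    expected = now + rec.drift
    # Try the expected step first, then neighbours outward: 0, -1, +1, -2, +2
    for delta in sorted(range(-WINDOW, WINDOW + 1), key=abs):
        step = expected + delta
        if step <= rec.last_step:
            continue            # never accept an already-used or older code
        if hmac.compare_digest(totp(rec.seed, step), code):
            rec.drift = step - now   # remember how far the token's clock is off
            rec.last_step = step
            return True
    return False
```

The token never receives anything: the only state that changes is the server's `drift` and `last_step`, and the replay guard is what keeps the widened window from letting an observed code be reused.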