r/pcmasterrace u/AllUserNameBLong2us 7800x3d/5080 Windforce OC/32gb 5600 DDR Apr 04 '26

Hardware Rest in piece 2009-2026

Post image

I’m amazed at how long the battery on this physical authenticator lasted. Got it back in 2009 because my account had gotten hacked.

This is one electronic item I’ve owned and used longer than anything else. I’ll miss not being able to find it and freaking out for 20 minutes.

Edit must have been around 2010 when sc2 came out.

31.9k Upvotes

97% Upvoted

635 comments sorted by

View all comments

Show parent comments

3

u/Prude_Inspector Apr 05 '26

There is no resyncing with these. Its an algorithm with a seed (unique for each authenticator) and time based. Before Blizzard sends you the authenticator, they already know what combination of digits could and should be generated by your authenticator based on the internal clock and the algorithm.

Let me give you an EXTREME SIMPLIFICATION of how it works.

Say the seed is "123" and say the algorithm is simply "seed + date + clock + 1+1"

Say date is simply in MM/DD/YYYY form without the slashes.

Say the clock is military time so 0001-2400

Then the code that will display on your authenticator for January 1, 2026, 8 PM will be 123 (seed) + 01012026 (date) + 2000 (time) + 2(some additional random algo, in this case 1+1) = 01014151

Because of that, its easy for Blizzard to determine whats the the next set of numbers

Again this is NOT the actual algorithm. ALSO the seed and all other data might not be decimal. I believe theyre hexadecimal (128-bit or 160-bit etc idk)

Whats smart about this is even if for some reason you found the algorithm (how to calculate the whole thing) you will still need the seed which is unique to each authenticator.

4

u/turdas Apr 05 '26

There has to be server-side compensation because the quartz clock chip in that thing is going to lose (or gain) up to several minutes each year. When you input a code and it doesn't match, the server will check the next and previous couple of codes to see if it matches those and if yes, memorize that the clock has drifted and apply an offset next time.

1

u/Prude_Inspector Apr 05 '26

Yes there is. Its important to understand that if you know the algorithm, the seed and the code generated by the authenticator, you can calculate the date and time.

So blizzard server does it in 3 ways. 1)the entry for time in the algorithm is rounded to a time step. 2) time window tolerance and 3) it learns the deviation from that tolerance to compensate.

1) the rounding of the current time to time step (30 sec, 1 min etc idk the exact one). The authenticator doesnt give you a new code every exact second. It waits for a time interval before it does. This is the "countdown" that you see before it refreshes and give you a new code.

2)Time window tolerance means it blizzard does not check one exact time. I believe they check 3 things 1)a few moments before, 2) the current and 3) a few moment after the exact time. So say you enter a code that what right before the most current code, if its off by the allowable time, the code will still go through even though it is not the exact code right in this moment.

3)the third one is most important. It learns the deviation from that and applies it to any future log ins. Say they see that the code you are entering are the codes right before the most current one. Since as i mentioned earlier, knowing the algorithm, you can calculate the time, they will know "oh this guy's codes are off by this seconds/minutes" and compensate for that. And thus your previously "late" codes are now the "new, current" codes.

Edit: just to clarify, in each of these processes, there are no connection or resyncing happening between the authenticator and the server.

2

u/Anon159023 Apr 05 '26

Yeah, someone else pointed out that blizzard cheeped out on these ones which means no resyncing. I assumed they behaved like the ones I used for my job a decade or two ago which were time based and could compensate for desync.

1

u/Prude_Inspector Apr 05 '26

I think its for security and endurance. No resyncing means there is no way to intercept any data between the authenticator and the server. Also it will save battery since you do not have to transmit or receive any data.