
If you have not ordered your Blizzard Authenticator yet then you might be out of luck for a while. The page shows that they are sold out. Here is my experience so far.
The token arrived in the mail and appears to be exactly the same as the PayPal VeriSign authenticator, with a rectangular case that says "blizzard" on it. Once you have your token in hand, you log in to your WoW account page and link it to your account. There is a menu item there for this purpose. Immediately after linking the token and the account, I logged into WoW and was prompted for my token's code. Awesome!
So what is it doing? The token has a display of six numbers. The first number is incremental and changes every minute, and the other numbers are generated by a hash that the back-end server knows. With this second factor of authentication, an attacker would have to know your login name, your password, and the current incremental number, and then guess among 99,999 possible combinations within the one-minute interval, in order to hack into your account.
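As an added illustration that is not part of the original post, and not Blizzard's or VeriSign's code: the post does not say which algorithm the token runs, so this example assumes an RFC 6238-style time-based code (HMAC-SHA1, 60-second step) and a hypothetical five-failure lockout. It shows the server recomputing the six-digit code from a shared secret, refusing a code that was already used in the same interval, and capping failed guesses.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # assumption: matches the one-minute change described in the post
DIGITS = 6          # six-digit display, as on the token
MAX_FAILURES = 5    # assumption: hypothetical lockout threshold


def otp_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time-step counter, truncated per RFC 4226."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: recompute the code, reject replays, lock after repeated failures."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.last_used_step = -1

    def check(self, submitted: str, unix_time: int) -> str:
        if self.failures >= MAX_FAILURES:
            return "locked"  # guessing stops here, whatever the code space
        step = unix_time // STEP_SECONDS
        expected = otp_at(self.secret, unix_time)
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            self.failures += 1
            return "rejected"
        if step <= self.last_used_step:
            return "replayed"  # same code already accepted in this interval
        self.last_used_step = step
        self.failures = 0
        return "ok"


if __name__ == "__main__":
    demo = Verifier(b"constructed-demo-secret")  # constructed sample secret
    now = 1_000_000                              # constructed sample timestamp
    print(demo.check(otp_at(demo.secret, now), now))       # fresh code is accepted
    print(demo.check(otp_at(demo.secret, now), now + 1))   # same code again is refused
```
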
If Blizzard is using the same VeriSign back-end that PayPal uses, then this is a rock-solid and highly effective system. I am very glad to have purchased one.
What about multiple accounts? It seems that we are able to link multiple accounts to one token. So when you dual box, you don't have to carry two tokens in your pocket or leave one account unsecured.
Check out the token FAQs for more info.
Bradlee
P.S. I heard a brief mention of the authenticator on Security Now Episode #152.
Quoted from Security Now #152 Transcripts:
STEVE: In another bit of interesting news, and you may - you're clued into all of what's going on enough, you may have heard this. Blizzard, who makes World of Warcraft, has now adopted a bizarrely painted PayPal football for World of Warcraft authentication.
LEO: Yeah, somebody mentioned that to me, and I thought, that's - so when you play World of Warcraft now you can use your football to say this is me.
STEVE: Now, I don't know if you can register an existing PayPal token. What I found interesting was that they are offering this at a very low price. Just like PayPal, they're trying to encourage people to use this for authentication. $6.50.
LEO: Great deal.
STEVE: Unfortunately, they're all sold out.
LEO: Already.
STEVE: You go to their website, it's like $6.50. Oops, sorry, sold out.
LEO: Wow.
STEVE: So I don't know how many they had, how quickly they sold out, or any of the stats for that. But if we have World of Warcraft listeners, you should know that there is a way to increase the strength of your authentication using the technologies that we've talked about here many times. And it may well be, I mean, it does, it looks like the same technology that PayPal is using. I don't know, but it's worth exploring, whether an existing PayPal football might be transportable so that you'd be able to register that and wouldn't need to set up another one. I would think, I don't know, whether Blizzard is using, like, a VeriSign backend or whether they've implemented their own backend servers. It's impossible to say.