The question wasn't asked directly about Online Authenticator, but someone asked about WinAuth on the forums:
"you can use the program if you wish, but I should make clear that we obviously won't endorse it nor support or encourage its use." (source)
In short, you can use Online Authenticator, you won't get banned or anything, but you won't receive any support from Blizzard.
You can use Online Authenticator like any other Battle.Net Authenticator, be it the official ones or any desktop port out there. You will be able to play World of Warcraft, Starcraft and Diablo 3 without any problems!
The official Blizzard device and app require you to always carry your phone or your keychain with you. Sure, it isn't so bad, but if you tend to forget your phone like me, it can be a pain in the ass...
Some desktop ports also exist, but they must be installed on the computer, so there's no way you can use them to connect when you're at a friend's house or in an internet cafe.
With Online Authenticator, you can connect to the website from anywhere and get your connection code! No need to carry anything with you, you can connect from any computer.
The source code of the website and the algorithm implementation we are using are freely accessible; you can check them for any kind of suspicious content.
However, since Online Authenticator is a website, we can't prove to you, any more than Paypal, Google, Amazon or anyone else can, that we are actually running this exact version of the application. We can only give you our word!
We are using it, our friends are using it, other people are using it. And since the Authenticator is only an additional layer of security, as long as your other login information is secured, everything should be fine.
In short: it clearly adds a layer of security to your account, but nothing is unbreakable.
The keychain and Mobile Authenticator are secure as long as your device isn't lost or stolen. The keychain is the most secure, since there's no way to retrieve any information from it; the same goes for the iPhone and non-rooted Android versions of the Mobile Authenticator. If your Android phone is rooted, someone can gain access to the information needed to recreate your Authenticator. Another security issue is the new "Restore" feature, which enables anyone with access to your phone to recreate your Authenticator somewhere else.
A desktop port can't be "stolen" without your computer, but since the Authenticator is in the exact same place as your other information, if someone has access to your computer, he has access to everything he needs.
Finally, Online Authenticator is a web application, so it can be cracked without you knowing it. But if your password is strong and your username isn't directly related to you, you have two big advantages over the other solutions:
- If someone hacks your Online Authenticator account, he doesn't know which Battle.Net account it is related to.
- If the attacker knows you're using Online Authenticator, he must still find your username and password to obtain your code.
We've tried to use the best security possible to protect your data. First of all, the login information and your Authenticator secret key and serial are stored on two separate hosts. If one of them is compromised, it will still be a long way to access the other part. Besides, login information is stored in a database and the Authenticators are stored in files on the disk.
Second of all, the files containing the Authenticators have randomly generated names to anonymize them. If someone gains access to the files, he won't be able to match them to a user without also compromising the host where the database server is found.
Third of all, the Authenticator files are encrypted with a secret key and decrypted only when needed.
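The storage layout described in these three points can be sketched as follows. This is an added example, not the site's own code: the page does not say which cipher is used, so AES-256-GCM, the function names, the `Map` standing in for the database host and the sample serial and secret are all assumptions.

```javascript
const crypto = require("crypto");
const fs = require("fs");
const os = require("os");
const path = require("path");

// Encrypt one authenticator (serial + secret) into a randomly named file.
// Returns the file name, which is the only link back to the user.
function storeAuthenticator(dir, key, authenticator) {
  const fileId = crypto.randomBytes(16).toString("hex"); // no user data in the name
  const iv = crypto.randomBytes(12);                     // fresh nonce per file
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(fileId));                    // bind ciphertext to its file name
  const body = Buffer.concat([
    cipher.update(JSON.stringify(authenticator), "utf8"),
    cipher.final(),
  ]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), body]);
  fs.writeFileSync(path.join(dir, fileId), blob, { mode: 0o600 });
  return fileId;
}

// Decrypt only when a code has to be generated; throws if the file was
// modified, renamed, or the key is wrong.
function loadAuthenticator(dir, key, fileId) {
  if (!/^[0-9a-f]{32}$/.test(fileId)) throw new Error("invalid file id");
  const blob = fs.readFileSync(path.join(dir, fileId));
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(fileId));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Constructed demo: a Map stands in for the database host, a temp
// directory for the file host. All values are sample data.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "authfiles-"));
  const key = crypto.randomBytes(32); // assumption: kept off the file host
  const loginDb = new Map();
  const sample = { serial: "XX-0000-0000-0000", secret: "00".repeat(20) };
  loginDb.set("sample_user", { authFile: storeAuthenticator(dir, key, sample) });
  const { authFile } = loginDb.get("sample_user");
  return { dir, key, authFile, loaded: loadAuthenticator(dir, key, authFile) };
}

console.log(demo().loaded.serial);
```

The separation only holds if the decryption key does not sit on the same host as the encrypted files; otherwise a compromise of that host exposes every secret, even though the files still cannot be matched to users.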
No, the Online Authenticator is totally standalone. You can generate a new Authenticator in a very simple way and then register it to your Battle.Net account.
You can also import your current Authenticator as described in the next question.
If you have a keychain Authenticator, you can't import it. You must disassociate it from your account and create a new one.
If you have an iPhone / Android Authenticator, you cannot simply import it for now if your phone isn't rooted, but we plan to add the "Restore" feature really soon!
When the "Restore" feature is added, it will simply be a matter of copying a code to import your Mobile Authenticator...
For now, it will be really difficult but not impossible. As soon as the "Restore" feature is implemented, this will be a piece of cake! See the previous question for details...
In short: Yes!
However, we plan to add some paid features in the not so distant future. For example, the possibility to lock the account after a certain number of unsuccessful connection attempts, or the possibility to add a second password to the account.
To support us and help Online Authenticator, you can make a donation.
If you have any more questions, feel free to contact us!