Quote Originally Posted by Naylix:
Ken:

You don't trust the authenticator, because the weakest element "becomes" the Blizzard helpdesk?
I believe that logic is flawed, the Blizzard helpdesk doesn't become weaker, it is as it has always been. Authenticator or no authenticator.
Now there is another bit of information that someone could get his hands on, to make the helpdesk believe you're the owner of an account.

And if you read Belfaire's comments directly in the associated threads, you will find that: the authenticator was never removed from the account in question, the password was changed on the account by a person calling the helpdesk and providing personal information AND the serial number from the Authenticator, and the account was most likely accessed by someone other than the account holder. Only the last bit is a little vague, but that is understandable.

You don't weaken a chain by adding a stronger link. The chain is the same as before. However, now you can be fairly certain the chain won't break where you added the stronger link.

/Naylix
This is the only thing that matters to me related to this issue: someone found another means of breaking through *a* security level and these means were assisted by the authenticator.

"the password was changed on the account by a person calling helpdesk and providing personal information AND the serialnumber from the Authenticator"

If a system is compromised (e.g. by a keylogger), it's easy to get the Authenticator information. You enter the serial number of the authenticator to register it, so this information could be logged by an external program. The only benefit is that you only have to do this once and don't enter it every time you log in.
In fact, if a system is compromised, it wouldn't be difficult to just inject webpages into the browser (that look like the Blizzard account pages) to ask the user to re-enter his serial number, just like they do with bank account hijacking.
If you have an idea of how social engineering works (or just know how to look for info on the internet), you will understand how it is not that difficult to find personal information.

[edit] In the end, the validator adds 'some kind' of indirect protection, since you don't have to re-enter your password constantly, but it also adds another piece of information (its serial) that someone could get just as easily as a password.