Quote Originally Posted by Vyndree:
The problem is that actual programs can be reverse engineered to figure out the algorithm of the phone authenticator. Let's hope they use a separate algorithm for the physical authenticator and the phone version.

Granted, given enough data anything can be reverse engineered. I just don't like making it easier to do.
I don't know exactly how the Blizzard authenticator works, but from my limited cryptographic understanding:
1. Yes, given enough data anything can be reverse engineered, but we're talking about exponential growth here. They must have designed the program so that it cannot be reverse engineered in less than a couple of years, even with a supercomputer, etc. This is just what they use in online banking.
2. The algorithm of the phone authenticator can be viewable by the public and yet the authenticator can still be secure. This is the principle of "no security through obscurity." What they have and everyone else doesn't is a "secret key", but what's in the phone authenticator is a public key. They use the secret key to verify whether this number is accurate or not, but the public key can be announced and it still won't break the security.