Like many WoW players, including Lodur over at World of Matticus, I earn my not insubstantial paycheck as an IT Manager. Unlike Lodur, I don't think that this authenticator change is a good idea. While I don't have any issues with the technologies being used to help ease the burden of using an authenticator, I do see a few potential pitfalls ahead of us.
Now, all this is being said with no real testing on my part. I didn't spend hours and hours parsing logs, examining my firewall, or trying to do things like spoof my MAC address (or run through a routing host like PingFree). In fact, my concerns aren't technical at all, but lean more towards the Social Engineering side of hacking.
Changing mid-stream is bad
Ask anyone who works in Customer Service, and they'll probably tell you that changing the way someone operates is generally a path to heartache and failure. Anyone who upgraded users to the 'Ribbon' feature in Office probably experienced this. It's not that there was a reduction in functionality, but the way it looked was simply different. Heck, it was decidedly better than the previous version, but things just didn't look the same.
Now with security measures, this is even more extreme. You want people to follow them, embrace them, love them even. It doesn't matter what it is, they have to do it every time. How many of us, just out of habit, erased our username when logging onto WoW because we hit Tab and then entered our Authenticator Code - KNOWING that it wasn't there any more - we just habitually did it.
Making a habit something that is hit or miss
So now, years later, Blizzard has finally gotten (I'd hope) the majority of the userbase accustomed to using an authenticator. It doesn't matter if it's on your phone, your iPad, or a dongle - you're using it. Yeah, it's a pain in the ass when you get DC'd in the middle of a boss fight and you have to pull up the application on your iPhone (I assume, I use a dongle), but you're used to it. Hell, as soon as I DC I'm already reaching for the thing.
So now it seems that Blizzard has changed the way this works. I don't know if it's live yet, but based upon the blue post I read, sometimes you'll have to use it - and other times you won't. Based on Lodur's findings, it'll be only the first time you log in after a reboot. I don't know how accurate this is, but it sounds feasible.
So here's my concern
Now you've got a bunch of folks that reluctantly agreed to use the bloody authenticator in the first place. They get used to not having to enter the code, and now - they're hacked. Seeing the box pop up every time, having to enter the code every time - this was reinforcement of good behavior. Now? It's hit or miss. What if you're a player that doesn't read the forums, or blogs, or anything else? Am I going to get an email in my BNet account about this? How will I know it's not another phishing attempt? How long will it be before someone writes an application that will cause an authenticator window to pop up?
Now granted, part of my job is to do network security, so I'm naturally paranoid and suspicious. I'm sure that the good folks at Blizzard have thought this out from a technical standpoint - but the thought of not having some kind of indication that you've actually authenticated securely seems like an oversight to me. Maybe just putting some kind of notice on your latency meter - I don't know.