I have two issues with authenticators. First, what happens if the battery dies? On PayPal, you can have multiple authenticators to prevent having to send faxes and prove you are you, if one of them gives up the ghost. IIRC [1], Blizzard only allows one authenticator, and if that one decides to take a dirt nap, it is very difficult to regain control of an account.
Blizzard's authenticators are OK; they are rebranded VASCO DigiPass Go 6 models (PayPal uses DigiPass Go 3s). For the money, they are a great buy.
My other issue is that the software authentication is for a number of phones and Java based, but none for Windows Mobile, nor Android. It would be nice to see an Android app that can do this functionality. Combine this with mobile authentication, and this would be a solid winner with some failsafe-ness built in. Of course, if someone loses their phone, that could be a problem, but that is why one would have software authentication as well as a device that gets tucked away somewhere safe.
Best of all worlds would be standard offline authenticator software (OATH compatible, etc.) that is built into the iPhone OS, Android, and other phone operating systems. It would be seeded via an SMS handshake, then the user can just pull up the application, enter a PIN to unlock the app, copy the number showing on the screen either into a window asking for it, or append it to one's password, and have secure, standard offline access regardless of application.
[1]: I could be completely wrong, but I didn't find any documentation to state otherwise.
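Added example, not part of the comments above and not any vendor's code: a Python sketch of the OATH scheme the comment above asks for, with RFC 4226/6238 code generation on the device side and a server-side check of a code appended to the password. The seed, password, drift window and function names are constructed assumptions.

```python
import hashlib
import hmac
import struct

DEMO_SECRET = b"12345678901234567890"  # constructed seed (RFC 4226 test key)
DEMO_PASSWORD = "correct horse"        # constructed password for the demo


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter taken from the clock."""
    return hotp(secret, unix_time // step, digits)


def demo_password_ok(password: str) -> bool:
    # Stand-in for a real password-hash check (assumption for this example).
    return hmac.compare_digest(password.encode(), DEMO_PASSWORD.encode())


def verify_appended(submitted, secret, unix_time, last_step=-1,
                    step=30, window=1, digits=6, password_ok=demo_password_ok):
    """Check 'password + code'. Return the accepted time step, or None.

    window allows +/- that many steps of clock drift; last_step is the step
    of the last accepted code, so a captured code cannot be replayed.
    """
    code = submitted[-digits:]
    if len(submitted) <= digits or not (code.isascii() and code.isdigit()):
        return None
    if not password_ok(submitted[:-digits]):
        return None
    now = unix_time // step
    for t in range(max(0, now - window), now + window + 1):
        if t > last_step and hmac.compare_digest(hotp(secret, t, digits), code):
            return t
    return None
```

The server stores the returned step as `last_step` for the account, which is what makes each code single-use even inside the drift window.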
Also, do they plan on putting them out other ways for free if they try this? When I looked into one you had to buy the thing from Blizzard for like $25 or something.
The authenticator is hardly $25. In the US, it's $6.50 with free shipping, and in the EU it's EUR6.99 also with free shipping. The price covers the cost of the physical unit and (obviously) the shipping. Blizzard's hardly making a killing on these.
For mobile authenticators, the Blizzard Website has more detail. The short version is that the Mobile Authenticator is available on a wide range of phones, depending on provider. Support isn't universal, though.
That said, the only time Blizzard could make Authenticators mandatory would be at a game-changing event, like the release of the next expansion. If they go ahead and do that, they'd probably throw Authenticators in the box, to automatically have near-total distribution. Their biggest concern is probably whether they can source a few million of them.
The long and short of it is that account theft is a big problem, both for Blizzard and for people who play WoW. Not everyone has a locked-down system, and phishers are using tactics formerly reserved for actual banks to try to get account info. Players have to deal with having their account possibly stolen, Blizzard has to deal with perpetual requests (some possibly fraudulent!) to restore characters/items, and the game as a whole suffers from the RMT that goes on.
I, for one, welcome our Keyfob and Mobile-Authenticating Overlords.
To do nothing is to be nothing.