Official Mobile Authenticator App
A network accelerator is required for all subsequent operations.
Android: Download Battle.net from Google Play Store.
iOS: Access the regional App Store link.
After installation, log into your account; the app will prompt you to enable the authenticator. You will receive push notifications for login attempts—tap to approve directly. If notifications fail, manually input the 8-digit verification code.
Mandatory Backup Step: Save your authenticator serial number and restore code. If you lose your phone or uninstall the Battle.net app, these codes are required to recover your 2FA access. Continue reading to learn how to extract a standalone TOTP secret for third-party authenticators.
Third-Party 2FA Applications
If your device lacks Google Play or you prefer external authenticator tools, you may bind Blizzard’s 2FA via official API endpoints. This process requires manual command execution (a Python script tool is attached at the end for users with a Python environment).
Step 1: Retrieve Session Token
Log into the Battle.net account portal. If the page returns error 404, ignore the error and copy the session token after
ST=in the URL (exclude the&symbol and all trailing text).
Example URL snippet:
https://account.battle.net/login/en/localhost?ST=US-1231ad5e6f78d2967d3790b7e55aa23d-1159911671&flowTrackingId=7270322d-f097-45e0-9393-6a3b2b9fcc0f
Token to extract: US-1231ad5e6f78d2967d3790b7e55aa23d-1159911671
Open Command Prompt, paste the curl command below and replace the
token=value with your extracted ST token:
curl -X "POST" "https://oauth.battle.net/oauth/sso" -H "content-type: application/x-www-form-urlencoded; charset=utf-8" -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=REPLACE_WITH_YOUR_ST_TOKEN"3. The API returns JSON data. Extract the access_token string (bearer token):
{
"access_token": "KRHNnEaUEig9epS23vUiNEtMaRtpnKpvm7",
"token_type": "bearer",
"expires_in": 7775999,
"scope": "auth.authenticator",
"sub": "1159911671"
}If you receive an invalid_token error, open a private browser window and re-log in to fetch a new ST token.
Step 2: Bind Authenticator via API
Execute this curl command, replacing the bearer value with your access_token:
curl -X "POST" "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator" -H "accept: application/json" -H "Authorization: Bearer REPLACE_WITH_YOUR_ACCESS_TOKEN" -d ""Successful binding returns this JSON payload—store all three critical values securely:
serial: Authenticator serial numberrestoreCode: Recovery restore codedeviceSecret: 40-character raw device secret key
{
"serial": "US231106348012",
"restoreCode": "P06NQWR5J1",
"deviceSecret": "8123f17245d2056f214613f099e367e311d7231b",
"timeMs": 1734276868434,
"requireHealup": false
}Step 3: Retrieve 40-Device Secret Key for Pre-Bound Authenticators
If you already have an authenticator linked, the binding API will return an error. Use your serial number and restore code to re-fetch the device secret with this command:
curl -X "POST" "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device" -H "accept: application/json" -H "Content-Type: application/json" -H "Authorization: Bearer REPLACE_WITH_YOUR_ACCESS_TOKEN" -d "{\"restoreCode\": \"REPLACE_RESTORE_CODE\", \"serial\": \"REPLACE_SERIAL_NUMBER\"}"The response will match the successful binding payload containing the 40-digit device secret.
Step 4: Extract TOTP Shared Secret
Use an online Base32 encoder tool to convert the 40-character device secret into Base32 format.
Import the Base32 string into third-party 2FA apps: Google Authenticator, Microsoft Authenticator, Authy, KeePassXC, 1Password, Bitwarden, LastPass, etc.
Configure algorithm settings: HMAC-SHA1, 30-second time step, 8-digit verification codes.
This backup TOTP entry eliminates lockout risk if the official Battle.net mobile app becomes inaccessible. After setting up the third-party authenticator, you may enable the security setting: Require authenticator for all logins and disable SMS verification on your account page to avoid deadlock scenarios requiring both mobile app push and manual authenticator codes.