Blizzard—maker of the video games Diablo III and World of Warcraft—was sued last week in California over its two-factor authentication service. The complaint seeks class action status.
The concept of two-factor authentication should be familiar to anyone that has used RSA SecurID. When logging into an online service, users enter both a password and a single-use authentication code. Blizzard offers its customers the option of using authentication codes when logging into its Battle.net service. Players receive authentication codes via either a smartphone application or a key fob. While the authentication service and the smartphone application are free, Blizzard sells the optional key fob for $6.50.
Citing hacks of Battle.net accounts in May and August, the complaint alleges that Blizzard violated Delaware’s Consumer Fraud Act by failing to inform its customers at the initial point of sale that two-factor authentication “is necessary to ensure any modicum of security.” The complaint states:
If Battle.net account holders do not purchase [an authenticator], their Private Information is subjected to a drastically increased risk of being stolen, a fact that customers are made privy to only following the purchase of their games and the establishment of their Battle.net accounts. On information and belief, over $26 million has been spent by class members on authenticators.
In a statement to Forbes, Blizzard asserts that allegations are “based on a misunderstanding of the Authenticator’s purpose” and the “suit is without merit and filled with patently false information.”
If the suit is ultimately successful, it could raise troubling precedent for other online service providers such as Google, Facebook and Dropbox that also offer optional two-factor authentication to account holders.