Here is my guide on how to attach an authenticator to a Battle.net account

Reposting my comment (see #38) as a new issue.

Hello everyone. Thanks to @BillyCurtis and @Gigafrost, I made it too! I have wrapped up both their methods, tested, and rewrote them for people who still are facing issues. Here is my guide on how to attach an authenticator to a Battle.net account.

Before Starting...

1. This guide is only made for attaching a new authenticator.
2. I have only tested this on a Windows machine.
3. Everything here is based on my own results, and may differ for you.

Perquisites

1. Have a phone number linked to your Battle.net account.
2. Check if you have an attached authenticator to your Battle.net account and go ahead detaching it by going to account.battle.net > Security > Battle.net Authenticator - click "Detach" > and confirm by clicking "Detach" again. If you do not have an attached authenticator, skip this and go to Step 1.

Step 1. Retrieve SSO Token

• Go to account.battle.net/login/en/?ref=localhost. Log in, and ignore the "404" error. From the URL bar, look for the "ST=" entry and copy the SSO token following it.
  • This is how the SSO Token should look like: EU-u33pyxqgx5l73zu936oujss6mabeyhry-1177987422 or US-u33pyxqgx5l73zu936oujss6mabeyhry-1177987422
  • The token starts with either "EU" or "US" depending from which country you logged in from.
  • If you received an error with the SSO Token in steps to follow, use a VPN to change the beginning format of the token. For example, if you received an error with an SSO Token that starts with "EU", then use a VPN to route your connection to the United States (make sure that you are at us.account.battle.net/login/en/?ref=localhost (or eu.account.battle.net/login/en/?ref=localhost if you are routing your connection from the United States to an EU country)) and retry Step 1 to retrieve an SSO Token that starts with "US" (or "EU"). This will not affect your Battle.net account region/payments/pricings or any similar settings and is intended for the authenticator only.

Step 2. Get Bearer Token

• Replace <SSO_TOKEN> with the SSO Token you retrieved from Step 1 in the following command and execute it to obtain the Bearer Token.
• Open CMD.
  • Run:

     curl -X "POST" "https://oauth.battle.net/oauth/sso" -H "content-type: application/x-www-form-urlencoded; charset=utf-8" -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=<SSO_TOKEN>"
    

    • Response that you should be getting:
      {"access_token":"XXX","token_type":"bearer","expires_in":0,"scope":"auth.authenticator","sub":"XXX"}
• Save the response somewhere safe, keep CMD open, and go ahead to Step 3.

Step 3. Attach a New Authenticator

• Replace <BREARER_TOKEN> with the Bearer Token you retrieved from Step 2 in the following command and execute it to attach an authenticator to your Battle.net account and obtain Device Secret.
  • Run:

     curl -X "POST" "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator" -H "accept: application/json" -H "Authorization: Bearer <BEARER_TOKEN>"
    

    • Response that you should be getting:
      {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}
• Now you have successfully attached an authenticator to your Battle.net account.
• Save the response somewhere safe too and read Additional Notes below.

Additional Notes

• Save both responses from Step 2 and Step 3 somewhere safe. Do NOT save it in your password manager as it may cause a security risk. Treat them like backup/recovery credentials. Feel free to save SSO Token too.
• You can close CMD now.

Step 4. Setup the Attached Authenticator to a TOTP URL

• After you have obtained deviceSecret, convert it from hex to base32 using cryptii.com/pipes/hex-to-base32.
• Place deviceSecret with the following TOTP URL with the newly obtained Device Secret, and you should have a working TOTP URL.
  • otpauth://totp/Battle.net?secret=deviceSecret&digits=8
• Lastly, paste the TOTP to an authenticator app or a password manager that supports TOTP.

Credits

• #38 (comment) by @BillyCurtis.
• #38 (comment) by @Gigafrost.

[Dobbelklick]

Worked perfectly. I only had a problem with getting the SSO token because I didn't log out before using the first link.

[Archelius92]

Step 3 is not giving me a response, it comes back as blank

@Archelius92 Working fine on my end. Make sure you have a phone number linked to the Battle.net account and that there's no attached authenticator to it and try again

[hannibal-lee]

it is so useful,thanks!!!!

[digikwal]

Reposting my comment (see #38) as a new issue.

Hello everyone. Thanks to @BillyCurtis and @Gigafrost, I made it too! I have wrapped up both their methods, tested, and rewrote them for people who still are facing issues. Here is my guide on how to attach an authenticator to a Battle.net account.

Before Starting...

1. This guide is only made for attaching a new authenticator.
2. I have only tested this on a Windows machine.
3. Everything here is based on my own results, and may differ for you.

Perquisites

1. Have a phone number linked to your Battle.net account.
2. Check if you have an attached authenticator to your Battle.net account and go ahead detaching it by going to account.battle.net > Security > Battle.net Authenticator - click "Detach" > and confirm by clicking "Detach" again. If you do not have an attached authenticator, skip this and go to Step 1.

Step 1. Retrieve SSO Token

• Go to account.battle.net/login/en/?ref=localhost. Log in, and ignore the "404" error. From the URL bar, look for the "ST=" entry and copy the SSO token following it.

  • This is how the SSO Token should look like: EU-u33pyxqgx5l73zu936oujss6mabeyhry-1177987422 or US-u33pyxqgx5l73zu936oujss6mabeyhry-1177987422
  • The token starts with either "EU" or "US" depending from which country you logged in from.
  • If you received an error with the SSO Token in steps to follow, use a VPN to change the beginning format of the token. For example, if you received an error with an SSO Token that starts with "EU", then use a VPN to route your connection to the United States (make sure that you are at us.account.battle.net/login/en/?ref=localhost (or eu.account.battle.net/login/en/?ref=localhost if you are routing your connection from the United States to an EU country)) and retry Step 1 to retrieve an SSO Token that starts with "US" (or "EU"). This will not affect your Battle.net account region/payments/pricings or any similar settings and is intended for the authenticator only.

Step 2. Get Bearer Token

• Replace <SSO_TOKEN> with the SSO Token you retrieved from Step 1 in the following command and execute it to obtain the Bearer Token.

• Open CMD.

  • Run:

     curl -X "POST" "https://oauth.battle.net/oauth/sso" -H "content-type: application/x-www-form-urlencoded; charset=utf-8" -d "client_id=baedda12fe054e4abdfc3ad7bdea970a&grant_type=client_sso&scope=auth.authenticator&token=<SSO_TOKEN>"
    

    • Response that you should be getting:
      {"access_token":"XXX","token_type":"bearer","expires_in":0,"scope":"auth.authenticator","sub":"XXX"}

• Save the response somewhere safe, keep CMD open, and go ahead to Step 3.

Step 3. Attach a New Authenticator

• Replace <BREARER_TOKEN> with the Bearer Token you retrieved from Step 2 in the following command and execute it to attach an authenticator to your Battle.net account and obtain Device Secret.

  • Run:

     curl -X "POST" "https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator" -H "accept: application/json" -H "Authorization: Bearer <BEARER_TOKEN>"
    

    • Response that you should be getting:
      {"serial":"XXX","restoreCode":"XXX","deviceSecret":"XXX","timeMs":0,"requireHealup":false}

• Now you have successfully attached an authenticator to your Battle.net account.

• Save the response somewhere safe too and read Additional Notes below.

Additional Notes

• Save both responses from Step 2 and Step 3 somewhere safe. Do NOT save it in your password manager as it may cause a security risk. Treat them like backup/recovery credentials. Feel free to save SSO Token too.
• You can close CMD now.

Step 4. Setup the Attached Authenticator to a TOTP URL

• After you have obtained deviceSecret, convert it from hex to base32 using cryptii.com/pipes/hex-to-base32.

• Place deviceSecret with the following TOTP URL with the newly obtained Device Secret, and you should have a working TOTP URL.

  • otpauth://totp/Battle.net?secret=deviceSecret&digits=8

• Lastly, paste the TOTP to an authenticator app or a password manager that supports TOTP.

Credits

• #38 (comment) by @BillyCurtis.
• #38 (comment) by @Gigafrost.

Great guide, thank you very much!!

Had nothing to do, so here's a script to help with the steps:

Battle.net TOTP Generator