Is it secure?

All authenticators just provide another layer of security. None are 100% effective.

A separate physical/keychain device provides the best protection. Although still subject to any man-in-the-middle attack, there is no way to get at the secret key stored within it. If you are at all concerned, you should look at getting one of these for the service you are trying to protect.

Apps running on an iPhone and non-rooted Android devices are fairly secure. Normally there is no way to get at the secret key stored on those devices. However, if your phone were stolen or physically accessed, it is possible for someone to get your authenticator information.

A rooted Android phone can have your secret key read off it by someone with access. The key is not encrypted and so should be considered risky.

WinAuth stores your secret key in an encrypted file on your computer. Whilst it therefore cannot provide the same security as a separate physical device, as much as possible has been done to protect the key on your machine. As above, physical access to your machine would be the only way to compromise any authenticator.

I typed in the code but it says it is invalid

Right-click and choose “Sync Time”. Try the next code.

The code is generated from both the secret key you originally typed/copied into WinAuth and the current time. In order for the codes to match, the time needs to be the same on your computer and on the servers. However, the time on your computer might change, so WinAuth remembers the difference in time so that it can always adjust and generate the correct code.

WinAuth checks the time each day and whenever the clock on your computer changes. However, sometimes the times can get out of sync and so it has to be corrected manually. The Sync Time option recalculates the time difference.

I forgot my password

Your password is used to encrypt the authenticator data. If you can’t remember it then you cannot access your authenticators.

If you have a backup of the configuration file, from c:\Users\<username>\AppData\Roaming\WinAuth (Windows 7/8.x), then you can just restore it. However, this won’t work if you are using a new computer (or have re-installed Windows) and had enabled “Encrypt to only be useable on this computer”.

If you had made an export copy, you can click Add and choose Import. You will first need to rename the existing winauth.xml file in c:\Users\<username>\AppData\Roaming\WinAuth, otherwise it’ll just keep asking you for your old password.

It is always a good idea to write down the Secret Key you originally added to create a new authenticator. If you still have a copy of that key, you can click Add for a new authenticator and enter the same key.

If you didn’t write down the keys and don’t have a backup, then you will need to contact the Support for the services you use and request they remove the authenticator from your account.

I’m concerned this might be a virus / malware / keylogger

WinAuth has been around and used since mid-2010 and has been downloaded by thousands of users. It was originally written as an alternative to the public domain Blizzard Mobile Authenticator.

It has always been open-source allowing everyone to inspect and review the code. A binary is provided, but the source code is always released simultaneously so that you can review the code and build it yourself.

No personal information is sent out to any other 3rd party servers. It never even sees your account information, only your authenticator details.

There are no other executables installed on your machine. There is no installer doing things you are unable to monitor. WinAuth is also portable so you can run it from anywhere.

I found WinAuth on another website, is it the same thing?

WinAuth is only uploaded to winauth.com and the source code is hosted on GitHub at https://github.com/winauth/winauth. It is not published anywhere else, so please do not download any other programs claiming to be WinAuth.

Where does WinAuth save my authenticator information?

Your authenticator data is saved by default to a file in your Windows account profile, e.g. c:\Users\<username>\AppData\Roaming\WinAuth\winauth.xml (for version 3.x) or c:\Users\<username>\AppData\Roaming\Windows Authenticator\authenticator.xml (for version 2.x). The file is encrypted with your password (unless you have explicitly chosen not to do this) and can also be protected so that it is locked to your computer or Windows account. This means, even if your computer were compromised, the file could not be opened anywhere else.

How can I use WinAuth on multiple PCs?

WinAuth was designed to be portable, although the default mode is to run on a single PC.

If you always use WinAuth on the same PCs, it is recommended you install WinAuth on each computer and clone your authenticators onto each. Right-click each authenticator in WinAuth and choose “Show Secret Key” or “Show Serial and Restore Code”. Copy down the values. On the other PC, use the Add button and add each one from the code you copied down. (In WinAuth 3.1 you can use the Export/Import feature.)

The reason to do this is so that you can enable the additional Windows “Encrypt to only be useable on this computer” option in Change Protection, so that your authenticator data is locked to that PC and the configuration file is unreadable if it is opened or stolen by a malicious application.

However, if you want to run WinAuth in true portable mode, on a USB stick for example, then you first need to copy the WinAuth.exe file onto your USB stick. Next, open Explorer and go to c:\Users\<username>\AppData\Roaming\WinAuth (Windows 7/8.x) and copy or move the winauth.xml file from there into the same folder as winauth.exe on your USB stick. When you then run WinAuth from the USB stick it will run in portable mode and will not write any data to that computer. This means it can be taken and used anywhere.

Make sure that you do NOT have the “Encrypt to only be useable on this computer” enabled before you copy the file and also that you are using a secure password.


Battle.net / World of Warcraft / Diablo III

Is this against the TOS (Terms of Service)? Could I get banned?

No. Whilst Blizzard does not support or endorse WinAuth, they are not against its use.

“As you may have already seen from the small related section on the creator’s website, you can use the program if you wish, but I should make clear that we obviously won’t endorse it nor support or encourage its use.” (source)

Will it work with Mists of Pandaria or Diablo III?

WinAuth provides security for your Battle.net account and so can secure any games that make use of an authenticator. This includes all versions of World of Warcraft, Starcraft 2 and Diablo III.

Do I need to have the existing Mobile Authenticator app or keychain to use WinAuth?

No. WinAuth is completely independent and can register a new authenticator code with the Battle.Net servers. You don’t need to have or have used the official app beforehand.

When I add an authenticator it asks for a 10 digit serial number, but WinAuth is showing a 12 or 14 digit number?

There are two different types of authenticator: the physical keychain device and the Mobile authenticator. WinAuth works like the Mobile Authenticator, so you must make sure that is the one you are adding to your Battle.Net account.

I created an authenticator with WinAuth. Can I switch to using the iPhone/Android app?

With the Restore feature added in the official app, you can copy your authenticator between devices. In WinAuth, use the menu to show the “Restore Code” and then that can be added into the official app.

Of course, this means you can also copy your official app authenticator to WinAuth, by getting the Restore code and then using the “Restore…” feature in WinAuth.