Well, that makes me sad. I've had one interaction with the AH, and it was that one. It was after I'd had my account hacked (which we can talk about some other time...) and I needed to regear my character. Still no chest piece :(
I did have an authenticator. I used the Dial-In Authenticator, as I didn't like the idea of an authenticator being tied to my phone (I do change phones, but not telephone numbers). Apparently, it didn't trigger. I played Diablo at a conference on the East Coast, and I live on the West, and it didn't trigger then either. My guess is that it just doesn't work.
The dial-in authenticator apparently doesn't work with Diablo, the only ones that work are the physical authenticator and the smartphone app. (source: various forum posts, nothing I can find right now).
I'm not convinced there's any actual security breach, but Blizzard has been doing a pretty terrible job of explaining the authenticators to their players.
"While no security method is 100% fool-proof (even Authenticators), please note that it is possible that players reporting to have been compromised while an Authenticator was attached to their Battle.net account may have been using the Dial-in Authenticator. The Dial-in Authenticator does not provide the same level of protection as the Battle.net Authenticator or Battle.net Mobile Authenticator app, and -- more importantly -- is not currently supported for Diablo III."
It's madness that they have an "authenticator" that isn't supported in their later games. "World of Warcraft Dialer" would have been a more accurate, and descriptive, naming. For users that don't troll the forums, there is no reason to believe the dial-in doesn't work with D3.
