BlizzCon, the annual fan expo hosted by game studio Blizzard Entertainment, typically doesn’t struggle to sell out—and the event’s first wave of tickets did just that on Saturday, May 4. But it wasn’t until those tickets went on sale that the studio’s fans noticed a curious new rule for the event: you can’t enter without installing a third-party, non-Blizzard app.
On April 25, Blizzard announced its plan to require the AXS Ticket app, created by the AXS ticketing service, on either iOS or Android for all BlizzCon ticket purchasers. At its site, Blizzard explains:
The app displays a QR code (one code for all of your tickets), which changes at regular intervals to help guard against dupes and fraud. Because of that, we won’t be able to accept paper tickets, confirmation emails, or screenshots/photos of the QR code at BlizzCon registration.
The same site adds a caveat: “If for some reason you find yourself at the show with a dead mobile device or some other unexpected issue preventing you from accessing the app, don’t worry. Just head to the Solutions Desk at registration and they’ll help you out.” Blizzard has yet to clarify what the process of “help you out” will entail—as in, whether attendees will have to wait in a line and then manually enter AXS credentials into an official BlizzCon terminal to prove their purchases, since, again, traditional proof-of-purchase documents are apparently not going to work.
The news comes just as the dust has begun to fade on BlizzCon 2018’s biggest PR gaffe: the reveal of Diablo Immortal, a smartphone-only version of the classic dungeon-crawling series. Fans were surprised to see a smartphone version of the series instead of anything akin to “Diablo IV” for PCs. That disappointment grew upon the realization that Blizzard had offloaded development duties of a major series sequel to a completely different development studio, NetEase, which has already released Diablo-like games in China chock-full of microtransactions.
At last year’s event, the muted response to Diablo Immortal and its lack of ties to the PC prompted a Blizzard staffer to remark, “You guys all have phones, right?” This year’s addition of the AXS Ticket app, at the very least, will help Blizzard answer that question.
“Any number of things”
As with some two-factor authentication apps, AXS’ app advertises the ability to generate event-entry codes even if a device is offline, and those codes still correspond with an AXS account’s credentials. In spite of this promise, a quick peek at the AXS Ticket app on Google Play reveals more than 2,000 negative reviews piling up to a 2.2-star rating, with negative reviews dating back far enough to preclude the notion that this is the work of game fans’ review-bombing efforts. Those user complaints include the inability to access purchased tickets, the “offline” promise not working with certain ticket types, and greater concerns about information security. The app, as of press time, can ask users to open the following permissions:
- read your contacts
- approximate location (network-based)
- precise location (GPS and network-based)
- full network access
- prevent device from sleeping
- pair with Bluetooth devices
Some of these permission requirements relate to other non-BlizzCon services within the AXS app, including a ticket-resale marketplace and an event search system. But other settings, particularly about Bluetooth, have left us puzzled. Again, should an annoyed user wish to block AXS’ access to their device’s contact and location data and simply access AXS’ website for a temporary QR code, their only option as of press time is planning to wait at BlizzCon 2019’s Solutions Desk.
AXS has already spoken to this complaint by issuing an apparent form response to multiple Google Play reviews: “We understand your apprehension. Any number of things can happen to PDF or paper tickets. Whereas when you use the AXS app, you get a revolving digital barcode that is not just a ticket, but is your identity. We understand the frustration of needing to use an app, but hope you find the process easy and secure when it’s time for your event!”
We’re unsure exactly how the AXS Ticket app is immune to “any number of things” that might afflict a PDF or screenshot of a vendor’s unique QR code. And clearly Blizzard hasn’t fallen entirely in love with digital-only ticketing services, as BlizzCon will still revolve around physical badges, not constant phone scans. Additionally, our information security reporting team can neither point to examples of rampant QR code fraud at events, nor flatly declare that there are no such vulnerabilities in the wild. Neither Blizzard nor AXS mention anything about price-inflating scalpers in their push for the app, by the way, and AXS’ app makes abundantly clear that ticket resales are not just allowed but downright encouraged within the app.
It’s another setback for a game developer that is already struggling with the frank admission that it won’t have a “major frontline release” for the rest of 2019, though BlizzCon’s November timing does leave it room to get fans excited about whatever the company has in store in 2020.
In an email, Blizzard Corporate Communications Manager Dustin Blackwell provided the following statement to Ars:
After working with AXS for over a year on our ticketing for the Blizzard Arena Los Angeles, we decided to work with them for BlizzCon as well, given the good ticketing and access experiences they’ve been able to provide for our esports events. Their ticketing system is fully app-based, and that provides some additional security benefits, such as helping to avoid ticketing scams by ensuring that the person who purchased (or received via transfer) the ticket is the only person who has access to that ticket—i.e., so someone can’t claim to sell you a ticket but not actually transfer it to you. The app does use a QR code, but as a security measure, the code updates every 60 seconds, so printing it out is not an option.
Blackwell also reiterated the company’s promise to help attendees at the Solutions Desk—and the fact that attendees will immediately transition to a physical badge upon entry.
https://arstechnica.com/?p=1500755