From Diablo Wiki
An Authenticator is a device/program that a battle.net player may use for increased account security.
The Battle.net Authenticator
A Blizzard Authenticator is basically a program that generates a key based on an algorithm that is tied to the authenticator's serial number. If a battle.net account has an attached authenticator, then the player will be asked to enter in a number produced by the program in order to complete the login process. The number the authenticator draws up is random, and every login will require a fresh number. The numbers are six digits long.
The authenticator comes in two forms: the physical dongle, which is pictured to the right, or a downloadable program for use with mobile phones and other specific devices, referred to as a mobile authenticator.
Recent Changes to the Authenticator
For a bit of convenience, Blizzard has enacted a measure so that if a player logs in consistently from a single IP, then after a few logins, the user won't be asked to enter an authenticator number again until the account is logged into on a different IP.
The One That Got Away
A few years ago, scammers and hackers found a way to circumvent the security of the authenticator by logging the keystrokes of a person entering their unique authenticator number into their login screen. The program logging the keys would then redirect the information to the scammer, and they were able to use that number to log in. This was called a "man-in-the-middle" exploitation. It was quickly patched and fixed by Blizzard.
The authenticator must be manually attached by the player to their battle.net account. There are options within the account page on battle.net to do this. It requires the user to find the serial number on the back of the authenticator dongle, or if they are using a mobile authenticator, the key that they received for that. Afterwards, the user will not be able to log into the account without the authenticated numerical password. The authenticator can be stripped from the account, but this necessitates the user doing it manually, and also requires the serial number on-hand.
It is important to note that it is incredibly difficult to find the serial number for a mobile authenticator after the player loses it. It isn't printed anywhere on their phone, nor is it saved in a physical location after it is discarded, unlike the dongle authenticator. It is highly advised for mobile users to keep the serial number for their authenticator stored somewhere in a physical location.
Where to Purchase
Blizzard sells authenticators directly from their online store, and come in either a StarCraft or WarCraft theme, currently. It is expected that they will begin offering Diablo-themed authenticators once the game is released.