This is a very interesting question. Most players are convinced that Blizzard makes a loss on sales of authenticators, and it's very difficult finding information to the contrary unless you know someone who works in the industry.
There have been plenty of alternatives available, so I was always curious why Blizzard chose authenticators. For example, in-game virtual keyboards (for PIN codes or passwords) are highly successful in other MMORPG's and inexpensive to implement (but, there's no direct profit to be made by doing this). Unfortunately, despite the cost of the device, there's also the chance that you might lose your token, damage it, or have battery issues and until a replacement is shipped, you're locked out of your account.
Two-factor authentication can also be made available through other sources (besides specific mobile devices) for free. For example, a soft token through a webpage or a second PC.
The Blizzard authenticator is in fact a Vasco Digipass Go 6, a cheaper model of token. There's a wowwiki entry on the authenticator as well.
(Just a quick note by the way. Hardware tokens are really just small LCD clocks with a factory-encoded key. Software tokens are the same - a very basic timer application that generates a code at specific intervals based on a uniquely assigned key/seed. They don't communicate back to any centralized servers or anything like that.. yes, some people actually believe that. They're just small standalone clock algorithm and a decoder. They're not hard to create either.. a basic soft-token apps literally take 1-2 hours to program and there's even plenty of open source examples online.)
There are certain plans where you can get the Mobile Authenticator for "free", but generally the Blizzard software tokens for mobile phones cost $0.99 (you also pay for download charges.) That's $1 to Blizzard for a simple 500 kb software app. Not bad.
Hardware authenticators cost $6.50 in the US, where free shipping is available. I'll use that as a base, even though they're more expensive in other countries (£4.80 or 6 Euros plus shipping can cost upwards to £10.00 or more.)
Online retailers sell the hardware token for $10 individually, but you can purchase these yourself from resellers in bulk for about $5.
I wanted to know how much manufacturers paid for something like this though, so I contacted a source in the manufacturing industry. His response: "Bill of materials? In volume, pennies."
Apparently, the components needed for this type of token shouldn't be more than $0.90 (including the casing). So, let's say the cost of manufacturing (well, assembling) is $1 per unit at the most, and Blizzard aesthetics (i.e. "a sticker") costs $1.. even though you know that these cost a fraction of a cent. At the very most these tokens cost $3 in total to manufacture, but in reality though, they're far less. Since they ship in bulk, individual transportation costs would also be in pennies. (Note: I was also told that "tokens are cheaper to make than crappy dollar-store calculators" if that helps put things into perspective.)
So yeah.. I think it's safe to say that both Blizzard and Vasco are definitely making a significant profit on authenticator sales. I'd be really interested in seeing their contract, but I'm assuming that Blizzard takes in the larger half of their split.
I think the reason why people think Blizzard is taking a loss is because they don't understand the technology and imagine the authenticator being a very expensive piece of new technology (with a satellite uplink that decodes passwords directly from Blizzard). After all, the Blizzard sticker makes it look very cool and shiny. Or maybe, they just don't know how much it truly costs to manufacture and ship goods. Or they see online retailers selling the model for $15-30 each, and assume retail prices are just slightly above manufacturing costs.
Or maybe they just forgot the saying "there's no such thing as a free lunch". This reminds me of Blizzcon actually.. it's said that the 2009 Blizzcon was a "substantial loss" for the company.. but I wonder what they mean by that? Sure, it cost a lot up front.. but how much did they reap in longterm revenue and marketing potential?
Anyways, I just want to correct a common misgiving that Blizzard is taking a loss on authenticator purchases. It's almost as ridiculous as those claims that Blizzard has "never had a security breach" because "they're required by law to announce data breaches, which they never have so logically there's never been a breach." =]
* UPDATE (03/15/2011):
Found this project online, it's a more expensive and complicated type of token/authenticator (active proximity, not passive) for unlocking SmartPhones.
This token can be built in volume for about $0.75 USD each. It's definitely more complicated than the Vasco Digipass (which is just a fancy clock with an algorithm), but it gives you a really good idea of component costs before assembly. A really good example nonetheless for those unbelievers. =]
Talk to an electrical engineer, and they'll tell you how much things really cost.
To help put things into perspective, do you have technical support experience? How long does it take you to install a new harddrive, memory, an operating system, or scanning for viruses? Staples charges $50 for a HD, $40 for memory, $100 for an O/S install, and $200 for a scan/removal. PC users with no experience believe that these prices are reasonable.. but you know better don't you? =]
* ANOTHER UPDATE:
And here's official proof directly from Vasco, the manufacturers, themselves.
This is a 2006 document detailing the Digipass line. In 2004, the cost per token was ~$3.50. In 2005, it was ~$3.00 each. And in 2006, it cost ~$2.00 each per token. They have probably made improvements in manufacturing technology since then, and bulk sales have definitely increased quite substantially so you could assume that their DigiPass Go 6 tokens cost $2 at the very most to manufacture (parts, construction, etc.)
The ASP (Average Selling Price) is also quite interesting. Apparently, wholesale distributors sell these things for 5-20x what they cost to manufacture.