To that end, there's something all of you need to understand up front. The Authenticator that Blizzard sells is not guaranteed proof against having your account hacked. Blizzard, to be fair, never says it is. The company could be doing more to teach users how to protect themselves (more on that in a bit), but it doesn't claim the Authenticator is a bulletproof vest.
The Battle.net Authenticator adds a second "factor" to an existing account in order to create a two-factor authentication system. In addition to a normal password, users must enter an eight-digit number. The original (and still available) Battle.net Authenticators were physical keyfobs that displayed a sequence every thirty seconds; Blizzard has augmented these physical devices with mobile applications. Codes cannot be used twice; a successful code will be invalid if used again.
The Authenticator offers an additional layer of protection if your password is guessed via brute force techniques or accidentally shared with the wrong people.
What the Battle.Net Authenticator Does NOT Do:
If your system has been fundamentally compromised by a keylogger or other trojan, the Authenticator isn't going to save your butt.
The Blizzard Authenticator uses a SecurID-style mechanism; the keys themselves are supplied by Vasco, not RSA. While the exact implementation details are unknown, SecurID-type protection systems are vulnerable to man-in-the-middle attacks. Such attacks occur when a malevolent party inserts itself into a transaction between client and host and is able to essentially eavesdrop on the conversation.
In simplest terms, a program that can insert itself between your system and Blizzard's servers and intercept your authentication code before it's transmitted to Blizzard can immediately turn around and use that code to access your account without your knowledge.