August 30, 2017

What’s the difference between the security options for PPS?

Overview

Some abbywinters.com accounts require you to manually ask us to charge your credit card:

  • To top-up your Pay-Per-Scene Wallet (PPS-W) account
  • To buy a scene using PPS Direct (PPS-D)
  • To pay for Private Playdate time

Beyond the typical username-and-password, we provide two ways to verify it’s really you making this purchase.

Security methods

We have several other security measures to reduce the chance of your account being compromised, but it can still occur (see our FAQ on How did my account get hacked?). For example:

If someone got access to your abbywinters.com account, they cannot do any damage to you directly, but they can download shoots you have bought.

If you have PPS-Wallet credit in your account, they can spend down that credit – meaning you miss out on spending that credit on scenes or Playdates you like!

Thus, a strong password is important, and a password that you do not use on other sites is always best (you should never use the same password more than once!). Using 1Password or LastPass (free password managers) is strongly recommended, so you never need to remember complicated passwords.

Beyond a username and password, we also have an additional security requirement for PPS accounts called Second Factor Authentication (abbreviated as “2FA”).

A username and password on its own is one-factor authentication. It is generally considered poor security, though it is convenient and well established online. We want to take fewer risks with your money (while still being practical), so we require an additional “factor” to prove it’s really you.

You might already use two-factor authentication for online banking, where you’re sent an SMS code to enter when logging in. The same thing happens when you log on to Facebook from a different computer, or when you forget your password for your Gmail account…

Those are examples of second factors of authentication (the first factor is the username/password, or equivalent). Here’s a good blog post about 2FA for non-technical people.

We offer two options for two-factor authentication (2FA) for Pay Per Scene accounts:

  1. GMBill security question (not recommended 😦)
  2. One Time Passwords (OTP) (recommended 🙂)

GMBill security questions (default; not recommended 😦)

This process asks for your username and password (the first factor), and a piece of data from your account when you first registered it with our biller GMB (the second factor). Some example second-factor questions might be:

  • When does your credit card expire? (MM/YYYY)
  • What are the last four digits on your credit card?
  • What is your email address?

This is better than just the single factor of username-and-password, but not as good as our other method, a One Time Password second factor.

It works well in principle, but what if you forget which credit card you used? Contacting Customer Support will always resolve this, but if you get two questions wrong in a row, you will need to re-add your credit card details at GMB, to verify it’s really you (here’s how to do that).

Overall, the GMB security questions work, but they can be frustrating and are not as secure as we would like.

One Time Passwords (Recommended! 🙂)

For each purchase or top-up, you’re asked to enter a one-time password – a six-digit number – from an app on your smartphone or computer, as the second factor of authentication.

ABOVE: A screenshot of the Google Authenticator smartphone app. This user has two accounts registered for 2FA – the blurred out bits are the names of the websites. The six-digit numbers are the “one time passwords” that expire in 30 seconds (to be replaced by new one time passwords). The blue wedges indicate how much time is left before the one time passwords expire – about 6 seconds in this case.

Read more about One Time Passwords on Wikipedia.

Choosing a One-Time Password app

abbywinters.com does not make One-Time Password (OTP) apps – they are common tools in the computer industry. We do not get any kickbacks for recommending the specific apps listed here. These OTP apps are all free, secure, simple, and work reliably on iPhone and Android. OTP apps can run on your computer or on your smartphone.

The name of our site does not need to be mentioned in the app (by default it’s listed as “AW PPS”; you can edit this).

Google Authenticator: Simple and easy. This is what we use at abbywinters.com HQ. Recommended. Only for smartphones (Apple iOS and Android).

On Google Play store | On iOS Apple store

Authy: More powerful and still easy. Also works on Windows PCs and MacOS; download from Authy.

On Google Play store | On iOS Apple store

Other suitable options include:

Yubico make a physical USB key that does the same thing, widely considered to be the most secure approach to 2FA (works, but probably overkill for us).

WinAuth is an application for your Windows computer, and Authy can be used on MacOS.

Switching to use One Time Passwords (OTP) on abbywinters.com

All accounts use GMBill security questions by default when they are created, and need to be manually switched to use the more-secure One-Time-Password (OTP) method instead. It takes less than five minutes to get that set up:

  1. Choose a 2FA application
    1. See “Choosing a One-Time Password app” above
    2. Get it installed and set up
  2. Visit your Preferences page on abbywinters.com
    1. That link will work if you are logged in
  3. On the Pay Per Scene tab, PPS Wallet top up and PPS Direct scene purchase security panel, select the option 2-Factor Authentication.
  4. Re-add your credit card details in GMBill
    1. Follow the supplied instructions
    2. Check the How can I update my credit card? FAQ page on GMB’s site for more detailed instructions
  5. Add AW PPS as an authentication source
    1. We’ll assume you’re using a smartphone app; apps on your computer are similar, but slightly different
    2. A QR code (a white square with small black squares inside, more info) appears on screen – see example below.
    3. In the OTP app on your smartphone, add a new site (plus button)
    4. Select “Scan a barcode”. The smartphone’s camera activates.
    5. Align the QR code on screen in the viewfinder of your smartphone. Should only take a second to be recognised.
    6. abbywinters.com is added to your OTP app as “AW PPS (username)”. You can rename this if you wish – long-press to edit.
    7. A six-digit number is shown for 30 seconds, then is replaced with a new six-digit number. This continues indefinitely – these are the one time passwords.
  6. As prompted, enter the current one time password (the six-digit code)
    1. As currently shown in your OTP app
  7. The page on abbywinters.com shows a “Success!” message
    1. Second-factor One Time Passwords are now set up!

ABOVE: An example of the QR shown at step 3 of the 2FA setup. Your QR code will look different to this.

What now?

When you go to make a charge to your credit card (i.e., top up your Pay Per Scene Wallet) from now on, you’ll be asked for the six-digit number shown in your OTP app (which changes every 30 seconds).

Your OTP app keeps this in sync with our servers, so only someone with access to your phone and your username & password can make a charge to your card (hopefully, that’s only ever you!).

You’ll need to enter the one-time password for each charge we make to your credit card.

To change back to the less-secure GMB Security questions 😦

This is not recommended, because the GMB Security Questions are less-secure than the One Time Password method.

To change back to the GMB security questions, visit your Preferences page (that link will work if you are logged in), go to the Pay Per Scene tab, and choose GMBill security questions (instead of OTP) from the two options.

Simply select GMBill security questions, and from then on you’ll be asked the security questions instead of the second-factor authentication number – however, again, this is not recommended!

We currently offer a free scene token to encourage you to make this switch, but we may not do that forever. While it might seem like you could get unlimited scene tokens by switching back and forth, we’ve already thought of that, sorry. 🤯