August 30, 2017

What’s the difference between the security options for PPS?

Overview

When you use our pay-per-scene system – that is,

  • To top-up your Pay Per Scene Wallet (PPS-W) account
  • To buy a scene using PPS Direct (PPS-D)
  • To pay for Private Playdate time

– we provide two ways to verify it’s really you making this purchase (online, there’s a risk someone else could be logging in as you 😨).

We have several other security measures to reduce the chance of this happening, but it can still occur (see our FAQ on How did my account get hacked?). For example:

If someone got access to your abbywinters.com account, they cannot do any damage to you directly, but they can download shoots you have bought.

If you have PPS-Wallet credit in your account, they can spend down that credit – meaning you miss out on spending that credit on scenes you like!

Thus, a secure password is very important. A password that you do not use on other sites is always best (you should never use the same password more than once!). Using 1Password or LastPass (free password managers) is strongly recommended, so you never need to remember complicated passwords.

Beyond a username and password, we also have an additional security requirement for PPS accounts called Second Factor Authentication (abbreviated as “2FA”).

A username and password is considered one-factor authentication. On its own it is generally considered to be poor security, though convenient and well-established online. Because we’re dealing with your money, we want to take as few risks as possible (while still being practical), so we require an additional “factor” to prove it’s really you.

You might already use two-factor authentication for online banking – you’re sent an SMS code to enter when logging in? Or, you have a small key-ring with numbers on it that changes every minute? Or when you log on to Facebook from a different computer, or when you forget your password for your Gmail account…

Those are examples of second factors of authentication (the first factor is the username/password, or equivalent). Here’s a good blog post about 2FA for non-technical people (and this is a slightly more technical explanation).

On abbywinters.com we offer two options for two-factor authentication (2FA) for Pay Per Scene accounts:

  1. GMBill security question (not recommended 😦)
  2. One Time Passwords (OTP) (recommended 🙂)

GMBill security questions (default; not recommended 😦)

This process asks for your username and password (the first factor), and a piece of data from your account when you first registered it with our biller GMB (the second factor). Some example second-factor questions might be:

  • When does your credit card expire? (MM/YYYY)
  • What are the last four digits on your credit card?
  • What is your email address?

Technically, this is considered “multi-factor authentication”, not “second-factor authentication”. It’s better than just a username-and-password, but not as good as our other method, a One Time Password second factor.

It works well in principle, but what if you made a typo when joining? Contacting Customer Support will always resolve this, but if you get two questions wrong in a row, you will need to re-add your credit card details at GMB, to verify it’s really you (here’s what to do if you get two security questions wrong). That’s annoying.

Overall, GMB security questions work, but they can be frustrating and are not as secure as we would like (and, what if someone else knows this data about you?).

One Time Passwords (Recommended! 🙂)

For each purchase, you’re asked to enter a code from an app on your smartphone, as the second factor of authentication.

ABOVE: A screenshot of Google Authenticator smartphone app. This user has two accounts registered for 2FA – the blurred out bits are the names of the websites. The six-digit numbers are the “one time passwords” that expire in 30 seconds (to be replaced by new one time passwords). The blue wedges indicate how much time is left before the one time passwords expire – about 6 seconds in this case.

We recommend using the Authy or Google Authenticator smartphone apps to generate these codes. These apps are free, secure, simple, and work reliably on iPhone and Android.

You can use Google Authenticator (or similar apps) to secure many other online services, for example, Gmail, Amazon, Facebook, Instagram, LastPass, and so on.

More and more sites are using this technology, because it’s considered best practice. In the future, more and more sites will require this.

Read more about One Time Passwords on Wikipedia.

Switching to use One Time Passwords (OTP) on abbywinters.com

All accounts use GMBill security questions by default when they are created, and need to be manually switched to use the more secure OTP method instead. It takes less than five minutes to get that set up:

  1. Visit your Preferences page on abbywinters.com (that link will work if you are logged in)
  2. On the Pay Per Scene tab, PPS Wallet top up and PPS Direct scene purchase security panel, select the option 2-Factor Authentication.
  3. Answer the one-time security question
    1. Contact Customer Support if you’re not able to answer this. They’ll identify you, and give you the info you need.
  4. Install the One Time Password app on your smartphone
    1. Simple and easy: We recommend Google Authenticator (on Google Play store; on iOS Apple store)
    2. More powerful and still easy: We recommend Authy (on Google Play store; on iOS Apple store)
    3. In fact there are many apps that can be used – Duo Mobile and LastPass Authenticator are two more options.
  5. Add AW PPS as an authentication source
    1. A QR code (a white square with small black squares inside, more info) appears on screen
    2. In the OTP app on your smartphone, add a new site (plus button)
    3. Select “Scan a barcode”. The smartphone’s camera activates.
    4. Align the QR code on screen in the viewfinder of your smartphone. Should only take a second to be recognised.
    5. abbywinters.com is added to your OTP app as “AW PPS (username)”. You can rename this if you wish.
    6. A six-digit number is shown for 30 seconds, then is replaced with a new six-digit number (this continues indefinitely) – these are the one time passwords.
  6. As prompted, enter the current one time password (six digit code)
    1. As currently shown in your OTP app
  7. The page on abbywinters.com shows a “Success!” message
    1. Second-factor One Time Passwords are now set up!

What now?

When you go to make a charge to your credit card (i.e., top-up your Pay Per Scene Wallet) from now on, you’ll be asked for the six-digit number shown in your OTP app (which changes every 30 seconds).

Your OTP app keeps this in sync with our servers, so only someone with access to your phone and your username & password can make a charge to your card (hopefully, that’s only ever you!).
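To show what is going on behind the six-digit codes and the “in sync with our servers” statement above, here is an added example (not abbywinters.com’s or GMB’s code) of the standard algorithm these apps implement: HOTP (RFC 4226) driven by a 30-second time counter (RFC 6238, “TOTP”). The phone and the server share a secret that was handed over in the enrolment QR code; both derive the same code from that secret plus the current time, so nothing needs to be transmitted except the code itself. The secret below is the RFC 6238 test key, and the “AW PPS” label, issuer and account name are constructed for illustration.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238) implementation.

Added example only; not code from abbywinters.com or GMB. The shared
secret is the RFC 6238 test key ("12345678901234567890" in ASCII),
base32-encoded as it would be embedded in an enrolment QR code.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed test secret
STEP_SECONDS = 30   # each code lives for 30 seconds
DIGITS = 6          # six-digit codes, as shown in the authenticator app


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' down to a short decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step).
    Phone and server agree because they share the secret and the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time // step), digits)


def seconds_remaining(at_time: Optional[float] = None, step: int = STEP_SECONDS) -> int:
    """How long the current code stays valid (the shrinking wedge in the app)."""
    if at_time is None:
        at_time = time.time()
    return step - int(at_time) % step


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[float] = None,
                step: int = STEP_SECONDS, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and +/- `window` adjacent
    steps so a few seconds of clock drift between phone and server do not
    reject a genuine code; compares in constant time."""
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    counter = int(at_time // step)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + delta), submitted)
        for delta in range(-window, window + 1)
    )


def enrolment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that an enrolment QR code encodes (the 'Key URI'
    format understood by Google Authenticator, Authy and similar apps).
    Issuer and account names here are illustrative."""
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    print(enrolment_uri(EXAMPLE_SECRET_B32, "username", "AW PPS"))
    now = time.time()
    print("current code:", totp(EXAMPLE_SECRET_B32, now),
          "valid for", seconds_remaining(now), "more seconds")
```

Two practical consequences fall out of this: the secret never leaves the phone after enrolment, so a leaked username and password alone cannot produce a valid code; and because the code is a function of the clock, a phone whose time is badly wrong will generate codes the server rejects, which is why the server-side check tolerates a small window of adjacent time steps rather than only the exact current one.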

You’ll need to re-authenticate like this for each charge we make to your credit card.

To change back to the less-secure GMB Security questions

😦

This is not recommended, as the GMB Security Questions are less secure than the One Time Password method.

To change back to the GMB security questions, visit your Preferences page (that link will work if you are logged in), go to the Pay Per Scene tab, and choose GMBill security questions (instead of OTP) from the two options.

Simply select GMBill security questions, and from then on you’ll be asked the security questions instead of the second-factor authentication number – however, again, this is not recommended!

We currently offer a free scene token to encourage you to make this switch, but we may not do that forever. While it might seem like you can get unlimited scene tokens by switching back and forth, we’ve already thought of that, sorry. 🤯