Ice
10-14-2022, 03:43 AM
Hey folks! To everyone's pleasant surprise on 10/13/22 TNT rolled out Two-Factor Authentication (2FA) for our Neopets accounts. This has been something long requested and a dire need with Neopets's non-existent security. But it is finally here and hopefully support has explicit instructions on not to mess with it. :D If you've never used 2FA before, are unsure how to add it to your Neopets accounts, or are curious about some of the different authenticator applications available, hopefully this small guide helps you out! Of course being that this feature is incredibly new, we are not sure yet as to how stable (or effective) it will be. If anything changes drastically in the coming days, updates will be made.
Disclaimer: I am no cybersecurity expert and am merely sharing my personal thoughts and advice as an avid Neopets player who wishes to remain as safe as possible. I always encourage people to do research on their own as needed and if anything I have is wrong, please correct me!
What is Two-Factor Authentication?
2FA is a form of Multi-Factor Authentication (MFA) where your login is contingent on being able to provide more than one (in this case, two) type of authentication to prove you should be granted access to your account. The three commonly accepted factors are: something you know (ex. password), something you have (ex. a physical object), and something you are (ex. fingerprint or facial recognition). Neopets is now giving the option to bolster your security by requiring #2 - a "physical" object - alongside knowing your password. The "physical" object in this case is a time-based one-time password (TOTP). I say "physical" in quotes because since the TOTP is just a real-time generated token that expires after a short period of time (usually ~30s) and can only be used once, it is just a digital number code. However, you receive these codes via an Authenticator Application that you download to a physical device you own like your phone or tablet. Some of these apps let you back up your data via cloud/account login, but for the most part since the codes are linked to a physical device, no one but YOU should ever have access to them.
But what if you lose/break your device? That is where the backup codes come in. I cannot stress this enough! SAVE YOUR BACKUP CODES! Backup codes are also one-time use and for Neopets, if you have to login to your account using a backup code because you cannot access your authenticator app, 2FA will automatically be deactivated and you'll have to re-link it (to a new device, assuming that was the issue). Once you re-enable 2FA on your account, you'll be issued a new set of backup codes which you should immediately save again. (The old ones will no longer work.) As mentioned above, some authenticator apps provide their own form of backup in case you can no longer access your device, but you should still treat your Neopets backup codes like gold.
Getting Started with 2FA on Neopets
If you haven't re-logged in since the change or navigated to the homepage, you won't be prompted to set up 2FA until you do so. Navigating to the homepage will give you the following dialogue sequence, but the control panel can also be accessed from Preferences > 2-Factor Authentication. ([Only registered and activated users can see links]) It's a very simple step by step process but I've included screenshots so you can see what it entails.
Enter your current password (if it's not longer than 6 characters, you must change it to one that is at least 8 characters before being able to enable 2FA.)
Download the authenticator application of your choice (a few suggestions will be listed below).
Add a new account (usually the big + button) by either scanning the QR code or manually entering the setup key.
Once your authenticator application is generating TOTPs, enter the 6-digit token (make sure you have enough time before it expires) and click Activate.
Generate your emergency backup codes and SAVE THEM IMMEDIATELY. You will be able to generate new ones from the 2FA control panel but it's all about risk mitigation.
To actually enable 2FA on your account you must check the box confirming you've received your backup codes then click Enable 2FA.
Congrats you should be all good to go! :)
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
Neopets 2FA Guidelines
All this information can be read on the 2FA control panel ([Only registered and activated users can see links]) under your site preferences, but I've copy and pasted it here as well.
Enabling 2-Factor Authentication:
In order to use 2-Factor Authentication on Neopets, you must use an authenticator app on an eligible mobile device. If you don't already have an authenticator app on your device, any app that supports Time-based One-Time Password (TOTP) should work, such as Google Authenticator for Android/iOS or Microsoft Authenticator for Android/iOS/Windows devices.
To enable 2FA using your mobile device:
Enter your Neopets password in the prompt at the top of this page, and click 'Enable 2FA'.
You will be presented with a popup with instructions for setting up an authenticator app.
To add your account to your authenticator app, you can either:
Scan the on-screen QR code (if your app supports it).
Manually enter the secret key, provided beneath the QR code.
(You may save this key if you wish to set up your account on multiple devices!)
Depending on the app, you may be asked to follow additional steps to complete configuration.
Once your Neopets account has been configured in your authenticator app, enter the security code that has been generated by your app.
Click Activate.
If your verification is successful, you will now be prompted to generate your emergency backup codes.
Read the information provided before proceeding, and once you are ready, click Generate.
You will be given six 8-digit backup codes. Once you have recorded these, check the box to confirm that you have received them.
Click Enable 2-FA.
You will now have 2FA enabled for your Neopets account!
Logging in with 2-Factor Authentication:
After enabling 2FA for your Neopets account, you will be prompted to verify your authorization after entering your Neopets password upon every login attempt thereafter.
To authorize log-in using your authenticator app:
Enter your username and password at login, and you will be prompted to authorize with 2FA.
Open your authenticator app used to enable 2FA.
Enter the 6-digit security code that has been generated by your app.
If your verification is successful, you will proceed to your Neopets account as normal!
(Note: Time-based security codes will re-generate periodically. If your attempt fails, ensure that you have entered the most recent code.)
To authorize log-in using an emergency backup code:
Enter your username and password at login, and you will be prompted to authorize with 2FA.
Click Use Emergency Backup Code at the bottom of the popup.
Enter one of your 8-digit emergency backup codes.
If your verification is successful, you will be given a notice that 2FA has been disabled on your account.
You may choose to re-enable 2FA at this time, following the normal enabling steps, or you may proceed to your Neopets account.
(Note: If you Do Not choose to re-enable 2FA, it will remain disabled until you enable it from the preferences page.)
Emergency Backup Codes:
When you are enabling 2FA for your account, you will be given a set of randomly generate one-time use emergency backup codes.
Here is everything you need to know about your emergency backup codes:
If you use one of your backup codes, 2FA will be automatically disabled on your account!
The purpose of these codes is to allow to access your account in the event that you no longer have access to your authenticator app. (new/broken phone, deleted account from app, etc.)
Upon using one of your emergency backup codes, you will be directed to this page to re-enable 2FA after logging in.
It is advised that you do so at this time, otherwise 2FA will be disabled indefinitely.
If you do not have a mobile device on hand to enable 2FA, there are also browser extensions you can use to set up 2FA.
If 2FA has been disabled, you will generate new backup codes upon re-enabling 2FA, and thus your previous codes will be rendered invalid.
If you lose your emergency backup codes, you may generate a new set of codes at any time from the preferences page.
While it is true that you may only ever usefully use 1 backup code at a time, you are provided with 6 codes as an extra security measure.
It is advised that you do not store all 6 codes in the same place, which will decrease the likelihood of you losing all of them at once.
As a security measure, you will not be able to use an emergency backup code to disable 2FA from the preferences page.
If you lose access to both your authenticator app and your emergency backup codes, you will need to contact support ([Only registered and activated users can see links]) to regain access to your account.
Disabling 2-Factor Authentication:
If you decide that you no longer wish to use 2FA on your Neopets account, you may disable the feature at any time.
IMPORTANT! You must disable 2FA in your Neopets preferences prior to removing your Neopets account from your authenticator app.
To disable 2FA:
Enter your Neopets password and your 6-digit authenticator code* in the prompt at the top of this page.
Click 'Disable 2FA'
If your verification is successful, 2FA will now be disabled for your Neopets account!
Once you have disabled 2FA in your Neopets preferences, you may now follow appropriate steps in your authenticator app to remove your Neopets account.
*If there is any reason that you no longer have access to the device/authenticator that was used to enable 2FA on your account, please contact support ([Only registered and activated users can see links]) for further assistance.
Which Authenticator Application to Use
Now the million dollar question - which authenticator app should you download? In the end of course it boils down to personal preference. There are many free options but the big three that get mentioned the most (and all ones I have personally used for various reasons) are: Authy ([Only registered and activated users can see links]), Google Authenticator ([Only registered and activated users can see links]), and Microsoft Authenticator ([Only registered and activated users can see links]). I will briefly go over the major features of each and then explain my pick - which is curated for my play style and might not necessarily align with yours. (Example images from PCMag because it's almost 5AM and I'm too tired to take my own screenshots ㅠㅠ)
Authy
[Only registered and activated users can see links]
Features:
Encrypted cloud back up offered
Linked to a phone number/email (good/bad - good to transfer between devices/backup data, bad as you can potentially be compromised virtually)
Visually sleek with custom icons and color coordination, accounts presented in a grid formation, 1 click required to switch between account codes
Has a search bar
Multi-device enabled (recommended to NOT utilize this - a breach earlier this year compromised 93 users who had multi-device enabled)
In-app protection offered (ex. biometrics required to unlock app when launching)
Seems to store more metadata about you (good/bad - good to prove it's you, but also bad to prove it's you lol)
Google Authenticator
[Only registered and activated users can see links]
Features:
No way to recover/transfer data in case of device loss (mitigated by export/import functionality but only while you still have your device)
No frills interface, accounts presented in single column list format, shows all codes concurrently
Has a search bar
In-app protection offered (ex. biometrics required to unlock app when launching)
Really doesn't seem to transfer any data about you
As long as you keep your device to yourself, no one will ever get your codes lol
Microsoft Authenticator
[Only registered and activated users can see links]
Features:
Cloud backup offered
Can be linked to your Microsoft account
Slight visuals in interface, accounts presented in single column list format, some codes shown concurrently with option to hide while others require several clicks to switch between accounts
No search bar
In-app protection offered (ex. biometrics required to unlock app when launching)
Other features like registering to a work or school account, password generator/management
Probably saves just as much metadata as Authy
So for me, my decision came more out of functional necessity in terms of usability more than fancy bells and whistles or the ability to have a cloud backup. I use Microsoft Authenticator for like five different work related accounts so to keep my personal and work things separate, that's out. Then between Google Authenticator and Authy which do I use? Both! The biggest thing for me came down to: what are the chances, however minuscule, that my single device could be tracked down to multiple different accounts that need to remain separate? Reading this Authy article ([Only registered and activated users can see links]) from a few years ago really made the decision for me.
The Authy app is also used in combination with the Authy API, a Twilio cloud service that allows businesses to implement two-factor authentication to protect their customers. We build and distribute the Authy app for free so that API customers — companies like Twitch, Pinterest, Transferwise, Uphold, and Gemini, among others — don’t need to develop their own 2FA apps.
It’s in this scenario, when the Authy app is used in conjunction with the Authy API, some user data is beneficial to the businesses trying to protect your account. Advanced authentication systems leverage a number of signals (e.g., device type, wireless carrier, and IP address) to ensure that incoming authentication attempts are actually coming from legitimate users. For instance, you might create your account on a web browser on a Mac from an IP address associated with AT&T internet services then use the Authy app coming from the same wifi network address on an iPhone. A request then coming from an Android device in China would be flagged as suspicious. The more an application knows about legit users as they log in, the better the protection it can provide. This is especially important with so many illegitimate parties using increasingly inventive approaches to take over online accounts.
To put it simply - for the best protection of "you" Authy sounds like the way to go. Of course hopefully things never get to that point, but maintaining a real identity by connecting through your home IP/devices regularly can give Authy the proper trail to vet who you are with the metadata they collect. Thus, my personal five accounts that I login to regularly from home were added to Authy.
That being said, I have something stupid like 100+ accounts I need to lock down so I will be throwing them into Google Authenticator (plsprayforme). From a couple internet searches, the way I understand it is that the TOTP is generated locally in each side - once on your personal device and once on Neo's end. The code generator is an algorithm that takes the current time + your specifics that are stored in the QR/setup code from your original linking, hence the time sensitivity. If the token your phone generated matches the one Neo has for that moment in time, congrats it's you. Since Neopets is generating the QR code specific to your account and you're just storing that into your authenticator app and it's just a bunch of math being calculated in the background, I can't see how Neopets could reasonably see what other accounts you're storing on your device. (But that is all my very unprofessional opinion.) Regardless, for holding bulk, unassociated accounts in a no frills way, I think Google Authenticator will do the trick.
Other Options:
2FAS ([Only registered and activated users can see links])
Duo Mobile ([Only registered and activated users can see links])
LastPass Authenticator ([Only registered and activated users can see links])
That was a lot of text and I apologize but I hope this helps answer some questions or gives you some jumping points to do your own digging and decide what the best course of action is for you. If anyone has any corrections or other helpful information to share, please do so!
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
Disclaimer: I am no cybersecurity expert and am merely sharing my personal thoughts and advice as an avid Neopets player who wishes to remain as safe as possible. I always encourage people to do research on their own as needed and if anything I have is wrong, please correct me!
What is Two-Factor Authentication?
2FA is a form of Multi-Factor Authentication (MFA) where your login is contingent on being able to provide more than one (in this case, two) type of authentication to prove you should be granted access to your account. The three commonly accepted factors are: something you know (ex. password), something you have (ex. a physical object), and something you are (ex. fingerprint or facial recognition). Neopets is now giving the option to bolster your security by requiring #2 - a "physical" object - alongside knowing your password. The "physical" object in this case is a time-based one-time password (TOTP). I say "physical" in quotes because since the TOTP is just a real-time generated token that expires after a short period of time (usually ~30s) and can only be used once, it is just a digital number code. However, you receive these codes via an Authenticator Application that you download to a physical device you own like your phone or tablet. Some of these apps let you back up your data via cloud/account login, but for the most part since the codes are linked to a physical device, no one but YOU should ever have access to them.
But what if you lose/break your device? That is where the backup codes come in. I cannot stress this enough! SAVE YOUR BACKUP CODES! Backup codes are also one-time use and for Neopets, if you have to login to your account using a backup code because you cannot access your authenticator app, 2FA will automatically be deactivated and you'll have to re-link it (to a new device, assuming that was the issue). Once you re-enable 2FA on your account, you'll be issued a new set of backup codes which you should immediately save again. (The old ones will no longer work.) As mentioned above, some authenticator apps provide their own form of backup in case you can no longer access your device, but you should still treat your Neopets backup codes like gold.
Getting Started with 2FA on Neopets
If you haven't re-logged in since the change or navigated to the homepage, you won't be prompted to set up 2FA until you do so. Navigating to the homepage will give you the following dialogue sequence, but the control panel can also be accessed from Preferences > 2-Factor Authentication. ([Only registered and activated users can see links]) It's a very simple step by step process but I've included screenshots so you can see what it entails.
Enter your current password (if it's not longer than 6 characters, you must change it to one that is at least 8 characters before being able to enable 2FA.)
Download the authenticator application of your choice (a few suggestions will be listed below).
Add a new account (usually the big + button) by either scanning the QR code or manually entering the setup key.
Once your authenticator application is generating TOTPs, enter the 6-digit token (make sure you have enough time before it expires) and click Activate.
Generate your emergency backup codes and SAVE THEM IMMEDIATELY. You will be able to generate new ones from the 2FA control panel but it's all about risk mitigation.
To actually enable 2FA on your account you must check the box confirming you've received your backup codes then click Enable 2FA.
Congrats you should be all good to go! :)
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
Neopets 2FA Guidelines
All this information can be read on the 2FA control panel ([Only registered and activated users can see links]) under your site preferences, but I've copy and pasted it here as well.
Enabling 2-Factor Authentication:
In order to use 2-Factor Authentication on Neopets, you must use an authenticator app on an eligible mobile device. If you don't already have an authenticator app on your device, any app that supports Time-based One-Time Password (TOTP) should work, such as Google Authenticator for Android/iOS or Microsoft Authenticator for Android/iOS/Windows devices.
To enable 2FA using your mobile device:
Enter your Neopets password in the prompt at the top of this page, and click 'Enable 2FA'.
You will be presented with a popup with instructions for setting up an authenticator app.
To add your account to your authenticator app, you can either:
Scan the on-screen QR code (if your app supports it).
Manually enter the secret key, provided beneath the QR code.
(You may save this key if you wish to set up your account on multiple devices!)
Depending on the app, you may be asked to follow additional steps to complete configuration.
Once your Neopets account has been configured in your authenticator app, enter the security code that has been generated by your app.
Click Activate.
If your verification is successful, you will now be prompted to generate your emergency backup codes.
Read the information provided before proceeding, and once you are ready, click Generate.
You will be given six 8-digit backup codes. Once you have recorded these, check the box to confirm that you have received them.
Click Enable 2-FA.
You will now have 2FA enabled for your Neopets account!
Logging in with 2-Factor Authentication:
After enabling 2FA for your Neopets account, you will be prompted to verify your authorization after entering your Neopets password upon every login attempt thereafter.
To authorize log-in using your authenticator app:
Enter your username and password at login, and you will be prompted to authorize with 2FA.
Open your authenticator app used to enable 2FA.
Enter the 6-digit security code that has been generated by your app.
If your verification is successful, you will proceed to your Neopets account as normal!
(Note: Time-based security codes will re-generate periodically. If your attempt fails, ensure that you have entered the most recent code.)
To authorize log-in using an emergency backup code:
Enter your username and password at login, and you will be prompted to authorize with 2FA.
Click Use Emergency Backup Code at the bottom of the popup.
Enter one of your 8-digit emergency backup codes.
If your verification is successful, you will be given a notice that 2FA has been disabled on your account.
You may choose to re-enable 2FA at this time, following the normal enabling steps, or you may proceed to your Neopets account.
(Note: If you Do Not choose to re-enable 2FA, it will remain disabled until you enable it from the preferences page.)
Emergency Backup Codes:
When you are enabling 2FA for your account, you will be given a set of randomly generate one-time use emergency backup codes.
Here is everything you need to know about your emergency backup codes:
If you use one of your backup codes, 2FA will be automatically disabled on your account!
The purpose of these codes is to allow to access your account in the event that you no longer have access to your authenticator app. (new/broken phone, deleted account from app, etc.)
Upon using one of your emergency backup codes, you will be directed to this page to re-enable 2FA after logging in.
It is advised that you do so at this time, otherwise 2FA will be disabled indefinitely.
If you do not have a mobile device on hand to enable 2FA, there are also browser extensions you can use to set up 2FA.
If 2FA has been disabled, you will generate new backup codes upon re-enabling 2FA, and thus your previous codes will be rendered invalid.
If you lose your emergency backup codes, you may generate a new set of codes at any time from the preferences page.
While it is true that you may only ever usefully use 1 backup code at a time, you are provided with 6 codes as an extra security measure.
It is advised that you do not store all 6 codes in the same place, which will decrease the likelihood of you losing all of them at once.
As a security measure, you will not be able to use an emergency backup code to disable 2FA from the preferences page.
If you lose access to both your authenticator app and your emergency backup codes, you will need to contact support ([Only registered and activated users can see links]) to regain access to your account.
Disabling 2-Factor Authentication:
If you decide that you no longer wish to use 2FA on your Neopets account, you may disable the feature at any time.
IMPORTANT! You must disable 2FA in your Neopets preferences prior to removing your Neopets account from your authenticator app.
To disable 2FA:
Enter your Neopets password and your 6-digit authenticator code* in the prompt at the top of this page.
Click 'Disable 2FA'
If your verification is successful, 2FA will now be disabled for your Neopets account!
Once you have disabled 2FA in your Neopets preferences, you may now follow appropriate steps in your authenticator app to remove your Neopets account.
*If there is any reason that you no longer have access to the device/authenticator that was used to enable 2FA on your account, please contact support ([Only registered and activated users can see links]) for further assistance.
Which Authenticator Application to Use
Now the million dollar question - which authenticator app should you download? In the end of course it boils down to personal preference. There are many free options but the big three that get mentioned the most (and all ones I have personally used for various reasons) are: Authy ([Only registered and activated users can see links]), Google Authenticator ([Only registered and activated users can see links]), and Microsoft Authenticator ([Only registered and activated users can see links]). I will briefly go over the major features of each and then explain my pick - which is curated for my play style and might not necessarily align with yours. (Example images from PCMag because it's almost 5AM and I'm too tired to take my own screenshots ㅠㅠ)
Authy
[Only registered and activated users can see links]
Features:
Encrypted cloud back up offered
Linked to a phone number/email (good/bad - good to transfer between devices/backup data, bad as you can potentially be compromised virtually)
Visually sleek with custom icons and color coordination, accounts presented in a grid formation, 1 click required to switch between account codes
Has a search bar
Multi-device enabled (recommended to NOT utilize this - a breach earlier this year compromised 93 users who had multi-device enabled)
In-app protection offered (ex. biometrics required to unlock app when launching)
Seems to store more metadata about you (good/bad - good to prove it's you, but also bad to prove it's you lol)
Google Authenticator
[Only registered and activated users can see links]
Features:
No way to recover/transfer data in case of device loss (mitigated by export/import functionality but only while you still have your device)
No frills interface, accounts presented in single column list format, shows all codes concurrently
Has a search bar
In-app protection offered (ex. biometrics required to unlock app when launching)
Really doesn't seem to transfer any data about you
As long as you keep your device to yourself, no one will ever get your codes lol
Microsoft Authenticator
[Only registered and activated users can see links]
Features:
Cloud backup offered
Can be linked to your Microsoft account
Slight visuals in interface, accounts presented in single column list format, some codes shown concurrently with option to hide while others require several clicks to switch between accounts
No search bar
In-app protection offered (ex. biometrics required to unlock app when launching)
Other features like registering to a work or school account, password generator/management
Probably saves just as much metadata as Authy
So for me, my decision came more out of functional necessity in terms of usability more than fancy bells and whistles or the ability to have a cloud backup. I use Microsoft Authenticator for like five different work related accounts so to keep my personal and work things separate, that's out. Then between Google Authenticator and Authy which do I use? Both! The biggest thing for me came down to: what are the chances, however minuscule, that my single device could be tracked down to multiple different accounts that need to remain separate? Reading this Authy article ([Only registered and activated users can see links]) from a few years ago really made the decision for me.
The Authy app is also used in combination with the Authy API, a Twilio cloud service that allows businesses to implement two-factor authentication to protect their customers. We build and distribute the Authy app for free so that API customers — companies like Twitch, Pinterest, Transferwise, Uphold, and Gemini, among others — don’t need to develop their own 2FA apps.
It’s in this scenario, when the Authy app is used in conjunction with the Authy API, some user data is beneficial to the businesses trying to protect your account. Advanced authentication systems leverage a number of signals (e.g., device type, wireless carrier, and IP address) to ensure that incoming authentication attempts are actually coming from legitimate users. For instance, you might create your account on a web browser on a Mac from an IP address associated with AT&T internet services then use the Authy app coming from the same wifi network address on an iPhone. A request then coming from an Android device in China would be flagged as suspicious. The more an application knows about legit users as they log in, the better the protection it can provide. This is especially important with so many illegitimate parties using increasingly inventive approaches to take over online accounts.
To put it simply - for the best protection of "you" Authy sounds like the way to go. Of course hopefully things never get to that point, but maintaining a real identity by connecting through your home IP/devices regularly can give Authy the proper trail to vet who you are with the metadata they collect. Thus, my personal five accounts that I login to regularly from home were added to Authy.
That being said, I have something stupid like 100+ accounts I need to lock down so I will be throwing them into Google Authenticator (plsprayforme). From a couple internet searches, the way I understand it is that the TOTP is generated locally in each side - once on your personal device and once on Neo's end. The code generator is an algorithm that takes the current time + your specifics that are stored in the QR/setup code from your original linking, hence the time sensitivity. If the token your phone generated matches the one Neo has for that moment in time, congrats it's you. Since Neopets is generating the QR code specific to your account and you're just storing that into your authenticator app and it's just a bunch of math being calculated in the background, I can't see how Neopets could reasonably see what other accounts you're storing on your device. (But that is all my very unprofessional opinion.) Regardless, for holding bulk, unassociated accounts in a no frills way, I think Google Authenticator will do the trick.
Other Options:
2FAS ([Only registered and activated users can see links])
Duo Mobile ([Only registered and activated users can see links])
LastPass Authenticator ([Only registered and activated users can see links])
That was a lot of text and I apologize but I hope this helps answer some questions or gives you some jumping points to do your own digging and decide what the best course of action is for you. If anyone has any corrections or other helpful information to share, please do so!
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]
[Only registered and activated users can see links]