
Thread: [GUIDE] 2FA Overview + Authenticator App Review

#1 Ice (joined Aug 2012)

    [GUIDE] 2FA Overview + Authenticator App Review

    Hey folks! To everyone's pleasant surprise, on 10/13/22 TNT rolled out Two-Factor Authentication (2FA) for our Neopets accounts. This has been something long requested and a dire need with Neopets's non-existent security. But it is finally here and hopefully support has explicit instructions not to mess with it. If you've never used 2FA before, are unsure how to add it to your Neopets accounts, or are curious about some of the different authenticator applications available, hopefully this small guide helps you out! Of course, since this feature is incredibly new, we are not sure yet how stable (or effective) it will be. If anything changes drastically in the coming days, updates will be made.

    Disclaimer: I am no cybersecurity expert and am merely sharing my personal thoughts and advice as an avid Neopets player who wishes to remain as safe as possible. I always encourage people to do research on their own as needed and if anything I have is wrong, please correct me!

    What is Two-Factor Authentication?
    2FA is a form of Multi-Factor Authentication (MFA) where your login is contingent on being able to provide more than one (in this case, two) type of authentication to prove you should be granted access to your account. The three commonly accepted factors are: something you know (ex. password), something you have (ex. a physical object), and something you are (ex. fingerprint or facial recognition). Neopets is now giving the option to bolster your security by requiring #2 - a "physical" object - alongside knowing your password. The "physical" object in this case is a time-based one-time password (TOTP). I say "physical" in quotes because the TOTP is just a real-time generated token that expires after a short period of time (usually ~30s) and can only be used once; it is just a digital number code. However, you receive these codes via an Authenticator Application that you download to a physical device you own like your phone or tablet. Some of these apps let you back up your data via cloud/account login, but for the most part, since the codes are linked to a physical device, no one but YOU should ever have access to them.

    But what if you lose/break your device? That is where the backup codes come in. I cannot stress this enough! SAVE YOUR BACKUP CODES! Backup codes are also one-time use and for Neopets, if you have to log in to your account using a backup code because you cannot access your authenticator app, 2FA will automatically be deactivated and you'll have to re-link it (to a new device, assuming that was the issue). Once you re-enable 2FA on your account, you'll be issued a new set of backup codes which you should immediately save again. (The old ones will no longer work.) As mentioned above, some authenticator apps provide their own form of backup in case you can no longer access your device, but you should still treat your Neopets backup codes like gold.

    Getting Started with 2FA on Neopets
    If you haven't re-logged in since the change or navigated to the homepage, you won't be prompted to set up 2FA until you do so. Navigating to the homepage will give you the following dialogue sequence, but the control panel can also be accessed from Preferences > 2-Factor Authentication. ((you need an account to see links)) It's a very simple step-by-step process, but I've included screenshots so you can see what it entails.

    1. Enter your current password (if it's not longer than 6 characters, you must change it to one that is at least 8 characters before being able to enable 2FA.)
    2. Download the authenticator application of your choice (a few suggestions will be listed below).
    3. Add a new account (usually the big + button) by either scanning the QR code or manually entering the setup key.
    4. Once your authenticator application is generating TOTPs, enter the 6-digit token (make sure you have enough time before it expires) and click Activate.
    5. Generate your emergency backup codes and SAVE THEM IMMEDIATELY. You will be able to generate new ones from the 2FA control panel but it's all about risk mitigation.
    6. To actually enable 2FA on your account you must check the box confirming you've received your backup codes then click Enable 2FA.
    7. Congrats, you should be all good to go!




    Neopets 2FA Guidelines
    All this information can be read on the (you need an account to see links) under your site preferences, but I've copy and pasted it here as well.



    Which Authenticator Application to Use
    Now the million dollar question - which authenticator app should you download? In the end, of course, it boils down to personal preference. There are many free options, but the big three that get mentioned the most (and all ones I have personally used for various reasons) are: (you need an account to see links), (you need an account to see links), and (you need an account to see links). I will briefly go over the major features of each and then explain my pick - which is curated for my play style and might not necessarily align with yours. (Example images from PCMag because it's almost 5AM and I'm too tired to take my own screenshots ㅠㅠ)

    Authy

    Features:
    • Encrypted cloud backup offered
    • Linked to a phone number/email (good/bad - good to transfer between devices/backup data, bad as you can potentially be compromised virtually)
    • Visually sleek with custom icons and color coordination, accounts presented in a grid formation, 1 click required to switch between account codes
    • Has a search bar
    • Multi-device enabled (recommended to NOT utilize this - a breach earlier this year compromised 93 users who had multi-device enabled)
    • In-app protection offered (ex. biometrics required to unlock app when launching)
    • Seems to store more metadata about you (good/bad - good to prove it's you, but also bad to prove it's you lol)


    Google Authenticator

    Features:
    • No way to recover/transfer data in case of device loss (mitigated by export/import functionality but only while you still have your device)
    • No frills interface, accounts presented in single column list format, shows all codes concurrently
    • Has a search bar
    • In-app protection offered (ex. biometrics required to unlock app when launching)
    • Really doesn't seem to transfer any data about you
    • As long as you keep your device to yourself, no one will ever get your codes lol


    Microsoft Authenticator

    Features:
    • Cloud backup offered
    • Can be linked to your Microsoft account
    • Slight visuals in interface, accounts presented in single column list format, some codes shown concurrently with option to hide while others require several clicks to switch between accounts
    • No search bar
    • In-app protection offered (ex. biometrics required to unlock app when launching)
    • Other features like registering to a work or school account, password generator/management
    • Probably saves just as much metadata as Authy


    So for me, my decision came more out of functional necessity in terms of usability than fancy bells and whistles or the ability to have a cloud backup. I use Microsoft Authenticator for like five different work related accounts, so to keep my personal and work things separate, that's out. Then between Google Authenticator and Authy, which do I use? Both! The biggest thing for me came down to: what are the chances, however minuscule, that my single device could be tracked down to multiple different accounts that need to remain separate? Reading this (you need an account to see links) from a few years ago really made the decision for me.

    The Authy app is also used in combination with the Authy API, a Twilio cloud service that allows businesses to implement two-factor authentication to protect their customers. We build and distribute the Authy app for free so that API customers — companies like Twitch, Pinterest, Transferwise, Uphold, and Gemini, among others — don’t need to develop their own 2FA apps.

    It’s in this scenario, when the Authy app is used in conjunction with the Authy API, some user data is beneficial to the businesses trying to protect your account. Advanced authentication systems leverage a number of signals (e.g., device type, wireless carrier, and IP address) to ensure that incoming authentication attempts are actually coming from legitimate users. For instance, you might create your account on a web browser on a Mac from an IP address associated with AT&T internet services then use the Authy app coming from the same wifi network address on an iPhone. A request then coming from an Android device in China would be flagged as suspicious. The more an application knows about legit users as they log in, the better the protection it can provide. This is especially important with so many illegitimate parties using increasingly inventive approaches to take over online accounts.
    To put it simply - for the best protection of "you" Authy sounds like the way to go. Of course hopefully things never get to that point, but maintaining a real identity by connecting through your home IP/devices regularly can give Authy the proper trail to vet who you are with the metadata they collect. Thus, my personal five accounts that I login to regularly from home were added to Authy.

    That being said, I have something stupid like 100+ accounts I need to lock down, so I will be throwing them into Google Authenticator (plsprayforme). From a couple of internet searches, the way I understand it is that the TOTP is generated locally on each side - once on your personal device and once on Neo's end. The code generator is an algorithm that takes the current time + your specifics that are stored in the QR/setup code from your original linking, hence the time sensitivity. If the token your phone generated matches the one Neo has for that moment in time, congrats, it's you. Since Neopets is generating the QR code specific to your account and you're just storing that into your authenticator app, and it's just a bunch of math being calculated in the background, I can't see how Neopets could reasonably see what other accounts you're storing on your device. (But that is all my very unprofessional opinion.) Regardless, for holding bulk, unassociated accounts in a no frills way, I think Google Authenticator will do the trick.

    Other Options:


    That was a lot of text and I apologize but I hope this helps answer some questions or gives you some jumping points to do your own digging and decide what the best course of action is for you. If anyone has any corrections or other helpful information to share, please do so!


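    Since the guide above describes both halves of the mechanism (the phone and the site independently computing a code from the shared secret plus the current time, and backup codes that work exactly once), here is an added Python example that shows that math end to end. It is not code from the guide, from Neopets, or from any of the authenticator apps reviewed; the otpauth:// URI is a constructed sample (the label "ExampleSite:alice" is made up, the secret is the published RFC 6238 test key), and the server-side class is a hypothetical sketch of what a site would keep per account, including the replay check and the hashed backup codes.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of the otpauth:// URI that a
    setup QR code encodes (the "setup key" you type by hand is the secret= value)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def totp_code(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic
    truncation to a `digits`-digit decimal string. Both the phone app and the
    site run exactly this, so the codes agree without ever talking to each other."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class ServerSide:
    """Hypothetical per-account state on the site: the shared secret, the last
    time step it accepted (so a captured code cannot be replayed) and hashed
    backup codes."""

    def __init__(self, secret_b32, step=30, digits=6):
        self.secret = secret_b32
        self.step = step
        self.digits = digits
        self.last_counter = -1
        self.backup_hashes = set()

    def verify_totp(self, code, unix_time, skew=1):
        """Accept the code for the current step or `skew` steps either side
        (clock drift), but never a step at or before the last accepted one."""
        counter = int(unix_time) // self.step
        for c in range(counter - skew, counter + skew + 1):
            if c <= self.last_counter:
                continue  # already used or older than something already used
            expected = totp_code(self.secret, c * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False

    def issue_backup_codes(self, count=8):
        """Replace any earlier set; only hashes are kept, so the plaintext shown
        once to the user is the only copy (hence 'save them immediately')."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def redeem_backup_code(self, code):
        """Each backup code works exactly once."""
        h = hashlib.sha256(code.encode()).hexdigest()
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample URI: the label is made up, the secret is the RFC 6238 test key.
    uri = ("otpauth://totp/ExampleSite:alice?secret="
           "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&digits=6&period=30")
    params = parse_otpauth(uri)
    server = ServerSide(params["secret"], params["period"], params["digits"])
    now = time.time()
    phone_code = totp_code(params["secret"], now, params["period"], params["digits"])
    print("phone shows", phone_code, "-> accepted:", server.verify_totp(phone_code, now))
    print("same code again ->", server.verify_totp(phone_code, now))  # replay refused
    backups = server.issue_backup_codes()
    print("backup codes:", backups)
    print("first backup ->", server.redeem_backup_code(backups[0]),
          "| reused ->", server.redeem_backup_code(backups[0]))
```

    The `skew` window is why a code still works for a short while after it changes on your phone, and the `last_counter` check is why the same code cannot be submitted twice; the backup codes are stored hashed, which is why a site can only ever show them to you once.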

#2 Houndoom (joined Apr 2020)
    Ahhh thank you so much for this guide! I've always used text as my 2FA, so a breakdown of which app to use and how is so so useful to me. Off to try out Authy now c:


#3 Zenitsu (joined Jan 2020)
    Great guide! Thanks so much for putting in the effort and typing this all out. I have been using Google Authenticator for some time now but wasn't really aware of the fact that it is indeed just connected to the device itself. For some reason, I thought it was connected to an e-mail I used to sign up with. I might just go ahead and do the switch altogether and move to Authy.




#4 j03 (joined Dec 2011)
    Straight-forward, informative and even in-depth with all details involved with this system. Thanks so much for putting this together for everyone @(you need an account to see links) !

    I've been reading about some minor bugs here and there, which I'm sure TNT will correct over time.
    (you need an account to see links)
    (you need an account to see links)(you need an account to see links)




#5 DarkSkies (joined Sep 2021)
    Awesome, thanks for the guide!! I have already used Authy and Microsoft Authenticator and was precisely thinking about what to do with the shells and how to distribute them. Just like you, Microsoft is oriented towards work, so that's out for now.

    Sorry if I missed this, but if I went for 2 different authenticators, would you suggest using different devices too? Let's say one for the main ones and another for the shells. Or does it really not matter?? I of course would love to only use one device for simplicity (laziness), but better be safe than sorry (as safe as one can be lol)



#6 Ice (joined Aug 2012)
    Thank you everyone! I'm really glad it is helping others out.

    @(you need an account to see links) at the end of the day I think there are potential pros and cons to splitting devices.

    On one hand, having to babysit and refer to two different physical devices is more work depending on how often you need to look up codes, and more devices to take care of inherently raises the risk of losing/damaging one (supposedly). But it also kind of has that double-edged goodness where if one gets lost/broken, if not backed up in some way, the data of at least one of them will be protected by virtue of being physically separate. So security experts seem to advise never to put all your eggs in one basket for such a reason, but it is always going to be a tradeoff in some way unless you are a crazy meticulous and careful person with your devices. (But of course unforeseen accidents can always happen.)

    With respect to wanting to split them to protect your identity (hide IP/device similarities) - obviously I'd say if your secondary "cheater" device for example only connects to the internet through VPNs then that would be a potential step up in cloaking your identity. If it'll be connecting to the same network as your other device, I don't think it'll really do anything to help on that front. :o


#7 Rokon (joined May 2022)
    Thank you for taking the time to write this up.

    I had no idea that Google's authenticator couldn't back things up or attach them to your account -- it's really making me rethink using it. (Then again my phone is practically glued to my body at all times, so maybe it won't be a big deal?)



#8 Buizel (joined Sep 2013)
    +repped!

    A wonderful guide and it helped me understand Neo's 2FA more in depth so I can add it to my accounts now!



#9 chii3d (joined Feb 2018)
    Posts
    1,056
    Userbars
    77
    Thanks
    1,956
    Thanked
    2,611/893
    DL/UL
    1/0
    Mentioned
    172 times
    Time Online
    30d 15h 30m
    Avg. Time Online
    19m
    Thank you. I was dreading having to figure this out myself. We have 2FA at work but it is on a keychain that I didn’t have to set up. You broke it down nice and easy.



#10 Aero (joined Sep 2020)
    I have a question. I used the QR code directly and my iPhone had some way to give me the authentication number to set up 2FA. Should I have not done that and downloaded one of the linked Authenticators here instead?


