
Thread: n_t reports Support can and will remove 2FA via tickets

  1. #1
    Ice's Avatar

    OP about user getting locked out of acct




    Of course I take everything n_t says with a grain of salt but honestly... I want to be surprised but really it was probably only a matter of time for some shit like this to happen. Boy did I really believe for half a second TNT had turned over a new leaf by implementing 2FA. :/ This is such a joke and quite frankly so unacceptable after everything they said about using 2FA to keep your account secure. The user said they have NC logs so hopefully they can get it all set to rights but seriously wtf.

  2. The Following 14 Users Say Thank You to Ice For This Useful Post:

    Buizel (03-21-2023), Cat Purrson (03-21-2023), cuddlypanda (03-21-2023), DarkSkies (03-22-2023), ♥ Dita ♥ (03-21-2023), Erik. (03-21-2023), Fiore (03-21-2023), ♥ foxe ♥ (03-22-2023), Houndoom (03-21-2023), I_royalty_I (03-21-2023), Nyanobyte (03-21-2023), Sakuras (03-21-2023), Synth Salazzle (03-22-2023), Trash Panda (03-21-2023)

  3. #2
    I_royalty_I's Avatar
    Why is that surprising though?
    MFA is meant to keep your account safe from other people who are trying to take it. Any MFA that is implemented by a company, they should 99% of the time hold the keys to the castle for that authentication. In fact, just today I removed MFA auth from about 2 dozen employees who left our company last month. Depending on what kind of tools they use on the backend, it's just a simple matter of clicking and removing MFA. If you were a malicious actor who was trying to get into an account though, you wouldn't be able to do that and would be forced to go through the auth process.

    This isn't anything groundbreaking at all. I support them being able to do this, sucks for the person who got locked out of their account though. It is kind of wild that TNT would remove it in a situation like this, but if the person who targeted the account had all the right info, how is TNT to know the difference?

  4. The Following User Says Thank You to I_royalty_I For This Useful Post:

    Corliss (03-21-2023)

  5. #3
    Ice's Avatar
    Quote, originally posted by I_royalty_I:
    Why is that surprising though?
    MFA is meant to keep your account safe from other people who are trying to take it. Any MFA that is implemented by a company, they should 99% of the time hold the keys to the castle for that authentication. In fact, just today I removed MFA auth from about 2 dozen employees who left our company last month. Depending on what kind of tools they use on the backend, it's just a simple matter of clicking and removing MFA. If you were a malicious actor who was trying to get into an account though, you wouldn't be able to do that and would be forced to go through the auth process.

    This isn't anything groundbreaking at all. I support them being able to do this, sucks for the person who got locked out of their account though. It is kind of wild that TNT would remove it in a situation like this, but if the person who targeted the account had all the right info, how is TNT to know the difference?

    Given the track record of support literally not knowing night from day yeah I'd rather put the onus on myself to keep my backup codes safe. I'd much rather lose access to my account completely due to my own fault than make it a precedent that you can roll up to support and get them to remove your 2FA 🤷‍♀️ if I'm in the minority here then sure. But regardless especially in OP's case where it doesn't sound like their original email was recreated if it was on an old defunct hotmail extension so whoever put a ticket in must have pulled the wool over support's eye in some other manner. (And still, the whole og email rule is absolutely batshit in the first place but hey talking to support when your own stuff is on the line is basically like talking to a wall anyway...) Either way technically speaking yeah TNT should have the power to remove 2FA in extreme circumstances but still the issue lies with lack of proper logic being executed at any point in time to tell whether or not someone really should be granted access to an account. #justneopetssupportthings 🥴

  6. The Following 3 Users Say Thank You to Ice For This Useful Post:

    Buizel (03-21-2023),Corliss (03-21-2023),I_royalty_I (03-21-2023)

  7. #4
    TsUNaMy WaVe's Avatar
    Rip that person's account.
    But also, that's really sad... people using support to get into other people's accounts is nothing new, but the fact it still happens even with 2FA is outrageous. Though from the post it's unclear if this person actually had it activated?
    Either way, a depressing story all around


  8. The Following 2 Users Say Thank You to TsUNaMy WaVe For This Useful Post:

    Corliss (03-21-2023),Fiore (03-21-2023)

  9. #5
    DrSloth's Avatar
    Why bother implementing 2FA if they are gonna act like this left and right? Definitely something useless that just makes an extra step for logging in every time

  10. The Following User Says Thank You to DrSloth For This Useful Post:

    Fiore (03-21-2023)

  11. #6
    I_royalty_I's Avatar
    Quote, originally posted by Ice:
    Given the track record of support literally not knowing night from day yeah I'd rather put the onus on myself to keep my backup codes safe. I'd much rather lose access to my account completely due to my own fault than make it a precedent that you can roll up to support and get them to remove your 2FA 🤷‍♀️ if I'm in the minority here then sure. But regardless especially in OP's case where it doesn't sound like their original email was recreated if it was on an old defunct hotmail extension so whoever put a ticket in must have pulled the wool over support's eye in some other manner. (And still, the whole og email rule is absolutely batshit in the first place but hey talking to support when your own stuff is on the line is basically like talking to a wall anyway...) Either way technically speaking yeah TNT should have the power to remove 2FA in extreme circumstances but still the issue lies with lack of proper logic being executed at any point in time to tell whether or not someone really should be granted access to an account. #justneopetssupportthings 🥴

    I hear ya there. I’d much rather control my own MFA, just because I’m paranoid and would trust Google or Microsoft auth over anything somebody else puts together.
    The MFA is relatively new which means whoever hit this account must have been hitting actives.. which is definitely shitty. There are plenty of inactive accounts out there, no need to target the actives that are keeping the site going.

    I’ve definitely had a lot of luck working through support to get access to things in the past, but long inactive accounts that nobody will miss. The OG email thing makes it easier while harder at the same time. So many defunct mail extensions. Even if you’re the OG owner of the account, they don’t usually budge on needing to use the OG to contact them.

  12. The Following User Says Thank You to I_royalty_I For This Useful Post:

    Ice (03-21-2023)

  13. #7
    Bui bui!
    Buizel's Avatar
    TNT does everything in their power to go for the "Worst Security on the Internet" award and push people away from the site. I've never seen support for any site be so topsy turvy with their policies and such.




  14. The Following User Says Thank You to Buizel For This Useful Post:

    Ice (03-21-2023)

  15. #8
    Dero's Avatar
    This is depressing and worrying at the same time.
    Something worth noting is that the hotmail.com domain still exists and new accounts can either choose @(you need an account to see links).com or @hotmail.com with them, so it could be a necrod email case?
    Which raises the question, is the ONLY way to keep your account safe to have whatever number of linked emails in the past and present time still active and with access on (and properly secured)? Or will they break through that as well with a sob story?

  16. #9
    *squeak*
    Bat's Avatar
    Either that, or try to find a way to delicately phrase the following request in a support ticket:

    Hey, Neopets team! Could you please permanently erase my account's registration e-mail address from your records and only use the e-mail address I'm currently using for all time in perpetuity? Thanks!

  17. The Following User Says Thank You to Bat For This Useful Post:

    Buizel (03-21-2023)

  18. #10
    I_royalty_I's Avatar
    Quote, originally posted by Bat:
    Either that, or try to find a way to delicately phrase the following request in a support ticket:

    I don’t think they’d comply with a request like that. They’d have no way to “confirm who the original owner” of the account is if they do that.
    Unless they did this but made it so you had to know what the OG email was and then they can confirm and wipe it as an account that is associated with your account anymore. It’s a fine line to walk and points can be made for both sides of the coin.
