Authenticator App Support in PayPal (Finally)

As you hopefully know, PayPal supports two-factor authentication (2FA), and hopefully you have enabled it on your account(s). 2FA means that even if your email address and password are somehow compromised, a hacker won’t be able to log into your account without a second form of authentication, typically an authenticator app, a security key, a biometric sensor, or an SMS message. SMS-based authentication is the weakest of these: codes can be intercepted by SIM-swapping the victim’s number at the carrier, by abusing the SS7 signalling network, or by malware on the phone itself. (Authenticator-app codes can still be phished by a fake site that relays them in real time; only a security key that binds the login to the site’s origin resists that, but an app is still a large step up from SMS.)

Until recently, PayPal really only offered one form of 2FA, which they call “2-step verification”: SMS. In the past, you could purchase a physical PayPal security key, a hardware token that generated one-time codes, similar to a YubiKey in OTP mode. That no longer seems to be an option. For new users and accounts, the only option, buried in the account settings, was the SMS/mobile-phone “security key.” It was better than nothing…

Some savvy users found a work-around to roll their own authenticator app support by reverse-engineering PayPal’s system and writing scripts. Besides the user-unfriendliness of such an approach, there were other concerns: what happens if PayPal changes their system? Would you be locked out of your account? How long is the key valid?

Well, those concerns are no more, as PayPal has finally, quietly, (re)introduced authenticator app support for user accounts. It’s not at all obvious how to enable this, especially if you already had SMS-based 2FA enabled. Considering how important financial account security is, one would expect a little more guidance here. Google, Facebook, Amazon: all the major tech companies already support authenticator apps and various other 2FA methods.

After logging into your account, you will see something like this:

By selecting the gear icon in the top right corner, you will open your account settings. Now you will select the security tab:

PayPal decides to call this “2-step verification”. If you haven’t enabled it before, then you have to enable it. Otherwise, it will say “Update”:

If you’re updating, you will see your previous SMS-based verification method listed as the primary device with the associated phone number. Nowhere is there any obvious mention of authenticator apps. You have to select “Add a device” under “Your backups”:

Finally, after all these steps, PayPal tells us that, yes, authenticator apps are supported:

If we select the authenticator app option and choose “Next”, we get the standard QR-code scanning screen. If you have an authenticator app on your smartphone, you can simply scan the QR code shown on your screen. You can also enter the key manually (the base32 secret that the QR code encodes) if you don’t trust your phone’s camera, or if you keep TOTP secrets on a hardware token such as a YubiKey through its Yubico Authenticator app.

NOTE: At this point, it is also very useful to make a copy of the QR code or secret key for backup purposes. This allows you to set up another authenticator app in the future, or to recover if you lose or erase your device. PayPal doesn’t provide recovery codes, unlike other services, so the responsibility to back up is yours alone. Bear in mind that this secret is the second factor itself: anyone who obtains it can generate valid codes for your account indefinitely, so store the copy as you would a password (in an encrypted password manager or offline), not as a screenshot in your camera roll. Alternatively, you could use an authenticator app with a built-in backup option (e.g. Authy), accepting that you are then trusting that provider and the strength of your backup password. It’s always a good idea to test your backup/recovery strategy before you are forced to rely upon it.

To verify that all is working correctly, you will enter the 6-digit code shown in your authenticator app, and choose “Confirm”:

That’s it! Now that you have added the authenticator app as your “backup” 2-step verification device, you can make it the primary device and delete the old SMS/mobile device. Before deleting the SMS device, log out and back in once using only the app code, so you know it works before it becomes your only second factor (and before your copy of the secret becomes your only recovery path).
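To make concrete what the QR code actually contains and why the backup note above matters, here is an added example (my own code, not PayPal’s; PayPal’s server-side enrollment and verification are not public) implementing the client algorithm every authenticator app uses, TOTP per RFC 6238 over HOTP (RFC 4226): it parses the otpauth URI that a provisioning QR code encodes, derives the 6-digit code from the base32 secret and the current 30-second time step, and checks a submitted code with a small clock-drift window the way a server would. The URI, its “PayPal:user@example.com” label and the parameter names are constructed for illustration; the key is the published RFC 6238 test key, not a real secret.

```python
"""TOTP (RFC 6238) as an authenticator app computes it.

Added example, not PayPal's code: PayPal's server side is not public. This
reproduces the client algorithm any authenticator app implements, which is
enough to show that whoever holds the secret from the QR code can produce
valid codes for as long as the secret stays enrolled.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Extract the parameters an authenticator app reads from a provisioning QR code.

    The QR code shown at enrollment is just this URI; its 'secret' parameter is the
    shared key. Defaults follow the otpauth convention (SHA-1, 6 digits, 30 s).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    query = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"],
        "algorithm": query.get("algorithm", "SHA1").upper(),
        "digits": int(query.get("digits", "6")),
        "period": int(query.get("period", "30")),
    }


def totp(secret_b32: str, timestamp: int, digits: int = 6,
         period: int = 30, algorithm: str = "SHA1") -> str:
    """Compute the TOTP code for a Unix timestamp (RFC 6238 on top of HOTP, RFC 4226)."""
    # The manual-entry key is base32, often shown in spaced groups and unpadded.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = timestamp // period                        # time step since the Unix epoch
    digest = hmac.new(key, struct.pack(">Q", counter),
                      getattr(hashlib, algorithm.lower())).digest()
    offset = digest[-1] & 0x0F                           # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: int,
                window: int = 1, **params) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift, comparing each candidate in constant time."""
    period = params.get("period", 30)
    for step in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + step * period, **params)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 6238 test key: ASCII "12345678901234567890" in base32 (a published test
# vector, not a real PayPal secret).
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed example of what a provisioning QR code contains (label and
# parameters are assumptions, not PayPal's actual format).
EXAMPLE_URI = ("otpauth://totp/PayPal:user%40example.com"
               "?secret=" + RFC6238_SECRET + "&issuer=PayPal&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth_uri(EXAMPLE_URI)
    now = int(time.time())
    code = totp(p["secret"], now, p["digits"], p["period"], p["algorithm"])
    print(f"{p['label']}: {code} (valid for {p['period'] - now % p['period']} s)")
    print("verifies:", verify_totp(p["secret"], code, now))
```

Run as-is and it prints the code your phone would show for that test key at this moment. Note that nothing in the derivation depends on the device: the base32 string alone, plus the clock, yields every future code, which is why a saved QR code or manual key must be protected like a password, and why losing it after removing the SMS fallback leaves you with nothing but PayPal’s account-recovery process.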

Debugging Undefined Behavior in C++

Today I’m going to describe more strange issues we encountered in 0 A.D. last year. It was reported by some OS X users that they were unable to complete multiplayer games without an “out of sync” error occurring.

First, a little explanation of 0 A.D. multiplayer mode is needed. Each player (client) runs a deterministic simulation of the game, producing a particular game state each turn. When a player or AI takes an action, their command(s) are sent to all players, who apply them and so modify their copies of the game state in the same way. The advantage of this approach is that only a small amount of data needs to be sent each turn, but every player must run an identical version of the game. The game state can be serialized into a binary blob, which is passed through a hash function, and the resulting hashes are compared between players. This happens frequently, and if the hashes differ between any two players, we call that an “out of sync error,” and the game is basically invalid.

Continue reading “Debugging Undefined Behavior in C++”

PCB Etching Tutorial

Another project this semester was to design an antenna for our electromagnetics class. I will go into more detail on that antenna in a follow-up post, but basically, I chose to design a microstrip patch antenna. The simplest way to do that is with a double-sided copper clad board, turning it into a PCB by etching one side. What is left is a rectangular antenna of specified dimensions to work at a desired frequency (actually, it doesn’t have to be rectangular, but it is the simplest design).

This was my first time etching a PCB, which is a little daunting. It requires use of nasty chemicals, and from everything I read, it’s somewhat of an art that needs time and practice to perfect. That may be true, but I seem to have stumbled onto a method that works fairly well the first time. I was somewhat pressed for time, with finals and multiple projects, so I didn’t have a long time to experiment with this.

Continue reading “PCB Etching Tutorial”

Configurations and Display States in SolidWorks

In one of my classes this semester, our final project was to choose a Lego kit, model the pieces in SolidWorks 2014 and assemble them according to the instructions. I had previously used 3D modeling software like Blender or other programs where basic primitives are modified and combined into objects. SolidWorks and its solids-based modeling were new to me, yet a much better fit for mechanical and engineering applications. In a short time, I have learned that there is a fast, efficient way of doing whatever I want in SolidWorks, if I can find the option.

Photo of Lego minifigures
Continue reading “Configurations and Display States in SolidWorks”

A Windows Backup-compatible External HDD

A few years ago, I was setting up a backup plan for my home computer, when I encountered the lovely 4K sector incompatibility issue in Windows 7. It caught me entirely off guard, as I thought my OS was recent enough for MS to support something so critical. Think again!

I solved this at home, as explained in my earlier post, by avoiding Windows Backup in favor of a better, third party solution. Since then, we have encountered the same problem at work with Windows Server 2008 R2 and Windows Server Backup. Last year, we bought a batch of 2TB Seagate externals and they worked fine. When we bought new, visually identical ones more recently, they failed because they are native 4K drives — uh oh! Needless to say, we don’t plan on the headaches of updating a server to 2012 R2 to “solve” that.

Apparently it has grown difficult to reliably find a non-4K-sector external HDD these days. How would you even know where to look? It’s not exactly an advertised spec. After searching for a while, I found this great discussion over at Spiceworks, where some people have tried various brands and models of external HDDs. Western Digital has a formatting tool that supports some of its drives and allows formatting them in a special 512-byte compatibility mode (yay WD!). Seagate appears to have no such tool.

So we bought one of these 3TB drives, hooked it up, formatted it with WD’s tool, and it works with Windows Server Backup in 2008 R2. WD to the rescue! The trick is to choose Vista compatibility, not XP; older is not better in this case:

Screenshot of Western Digital Quick Drive Format tool

Then use fsutil (fsutil fsinfo ntfsinfo followed by the drive letter) to check if it worked. You should see Bytes Per Sector, the logical sector size the drive reports, change from 4096 to 512, like so:

Screenshot of fsutil in command prompt

Note this isn’t well-supported by anyone and might not work; use at your own risk and all that. But with luck you can continue using Windows Backup with new external HDDs on Windows 7 or Server 2008 R2. The alternatives are to upgrade Windows or use different backup software; the latter is certainly worth considering!

Debugging a Chrome and jQuery Performance Issue

At work, we have a web application based on some common technologies: ASP.NET, MVC, and jQuery. One of the functions of the software is to provide data reports to clients in the form of charts, tables, and exportable documents. Recently, it was noted that under some conditions (long reports), a report dialog would appear to freeze. This behavior only occurred in Chrome browser, any version, but not in Firefox or IE.

Luckily, Chrome has excellent developer tools built in. They have become my starting point nearly every time I debug a web app. IE and Firefox have their own similar tools, accessible with the F12 hotkey or through menus. Typically there is a document inspector for the current page (allowing you to view source for individual elements), a network traffic analyzer, a profiler, and a script debugger. Each of these tools is invaluable when debugging web apps. If you wrote the web app yourself, you may already know exactly where to look in the code, but for the sake of this article let’s pretend you did not write it.

Why not use Visual Studio in this case, you might wonder? From what I’ve seen, Razor (what MS calls its technology for dynamically generating HTML from .NET) support isn’t great in the VS debugger, at least in the version we use. Especially when you involve the remote debugger, extraspecially when the remote debugger is working across different domains. You can spend hours trying to figure out how to get your debugging tools to work and maybe never find an answer, or you can use what simply works, which do you prefer?

Continue reading “Debugging a Chrome and jQuery Performance Issue”

Debugging GLSL shaders in 0A.D.

Today I want to discuss a graphics glitch that long plagued a project I work on, called 0 A.D. The glitch was first noticed years ago, when major changes were made to the renderer system. Until recently, the cause was unknown and not a focus of our efforts. I will present the debugging techniques used to solve it.

First, a word about 0 A.D., since this may begin a series of posts on the project: it’s a free, open-source, cross-platform 3D real-time strategy game, built more or less from the ground up with an engine (Pyrogenesis) written in C/C++. We also use various third-party open-source libraries. The renderer is implemented in OpenGL and supports both the old fixed-function pipeline and newer technology, including both ARB and GLSL shaders (even GL ES 2.0 for mobile platforms!).

The bug is apparent in the following images:

Side-by-side view of 0 A.D. renderer glitch

Notice the texture at the base of the building appears to “flicker” as the camera moves? In Pyrogenesis, these models are called decals, they are flat and conform to terrain, and are used for enhancing the blending of e.g. buildings and resources with the terrain. Some experimenting led to the following observations:

Continue reading “Debugging GLSL shaders in 0A.D.”

A Practical Backup Solution

Computer backups are one of those things that everyone knows they need but nobody actually bothers to do on a regular basis. They are time-consuming and expensive, right? But how often do you rely on your computer, and how much is your data worth to you? People grudgingly pay hundreds or thousands of dollars to recover lost data when they don’t have a working backup, if that’s any indication. They spend untold hours and days reinstalling and recovering what they can and taking a loss on the rest, due to lack of planning.

Let me preface this by saying I am a huge proponent of regular backups and having a plan, there is nothing like the feeling of knowing, not just hoping, that you can recover in case of a disaster. It’s part of the Tao of Backup (sorry, I couldn’t resist).

Maybe 15-20 years ago you could get away with not having a proper backup, when your digital presence fit on a couple of floppy disks or a CD. I remember those days. But now we have photos, videos, software, documents, endless settings and customizations, we are talking gigabytes and terabytes that we accumulate over years. And it’s worth a lot to us, in fact it may be priceless. Music collections, photos of your family and friends, vacations you’ve been on, the only videos you have to remember a now lost family member… You can store a lot of this on the internet, but do you really want to trust companies to be good stewards of your data? That they will always be there when you need them?

Continue reading “A Practical Backup Solution”