Update: 22 July 2024 for Release v197
There are several ways to increase security around e-tickets. These options are mainly used to discourage the (illegal/unwanted) reselling or sharing of tickets with other people.
As with all security measures, this will bring more complexity to the user experience, so use these features wisely and only when there is a high risk of ticket sharing/reselling.
The options as described below only work when you are using the Peppered confirmation email and Peppered e-tickets.
Secure tickets
Secure tickets have a barcode that will show only xx minutes before the event. This makes it harder to share these barcodes with other people in advance.
The working principle is that all Peppered e-tickets have an “available from” field. The date in that field causes a barcode to be shown or hidden. If the date is in the future, the e-ticket will hide the barcode and communicate the date in a message (“barcode will be available from xx-xx-xx”).
When displaying a Peppered e-ticket, the “available from” field is decisive:
- If the date is in the past: show the barcode
- If the date is in the future: show the message “ticket not yet available”, no barcode
- If there is no date: show the message “ticket not available”, no barcode
The way this “available from” date is set differs per ticketing system:
Secure tickets with Ticketing system leading
For Ovatic and Itix, this date is passed on from the ticketing system. Both systems have a setting per event to activate secure tickets (in Ovatic called “just-in-time” tickets) and to fill in the time before the start of the event that the barcode should be active. This date is automatically transferred to each ticket in Peppered.
Secure tickets in Peppered
For other ticketing systems, barcodes are always visible by default. You can, however, activate secure tickets in Peppered by checking the box “secure tickets” at the event in the Peppered Dashboard. This does two things:
- The setting forces the visitor to log in to access the e-tickets.
- The barcode will be hidden on the e-ticket until the “availability time”.
You can configure the “Secure e-tickets availability (minutes)” field in the e-tickets part of the Control Panel. This is a central setting that will be used for all e-tickets for all events that have the option "secure tickets" switched on.
This setting will also work for “Secure tickets with Ticketing system leading” (see above) to force the extra log-in step.
As of Release v198 secure tickets will only show the name and customer number. These tickets require the visitor to log in to their account, so personal data on those secure tickets is safely stored behind the login.
SMS verification
All tickets can be placed behind an SMS wall. This means that you need to fill in a special code before you can access your e-ticket.
This code will be sent by SMS to the number you entered during the order process.
For this wall to work, we need three things:
- A setting (“SMS verification”) on the event level. This will activate the “phone number” input field before finalising the order, and hide the “send tickets to my home address” option.
- A valid Messagebird API connection, which can then be added to the Peppered Dashboard in the API connections module. (More info on setting up a Messagebird account at the bottom of this article.)
- Name of the sender and message text in the “SMS validation” section in the Control Panel
The phone number for the SMS verification does not have to be the phone number as stored in the account, although if there is a phone number in the account, it will show as a placeholder in the last order step. You can, however, change this number into any number you like. The phone number will be stored with the order, so when you change your phone number in your account, it will not change the phone number as stored with the order. That number cannot be changed for security reasons.
Before viewing the e-tickets, you can request a code. The SMS with the code is sent directly to the phone number upon loading the page. After filling in the code on the website, the e-tickets are unlocked.
This can be used in combination with a forced log-in and the "available from" time setting (see "secure tickets" above).
Template texts for the SMS flow:
- FE3_order_sms_verification_intro: Intro text for the SMS verification step in the order process.
- FE3_order_sms_verification_edit: Label for the phone number edit link in the SMS verification step in the order process.
- FE3_order_sms_verification_save: Label for the save button in the SMS verification step in the order process.
- FE3_sms_verification_intro: Intro text for SMS verification.
- FE3_sms_verification_button: Label for SMS verification button.
- FE3_sms_verification_resend: Label for SMS verification resend button.
- FE3_sms_verification_error_expired: Error message for expired SMS verification code.
- FE3_sms_verification_error_invalid_code: Error message for invalid SMS verification code.
- FE3_sms_verification_error_generic: Error message for generic SMS verification error.
Dynamic barcodes (Ovatic only)
Dynamic barcodes refresh every 20 seconds. Old codes are invalid, so you need to have the barcode live on your screen at the door.
Peppered creates a new barcode every 20 seconds, and securely embeds the current time in the barcode string, together with some other information like the “integrator secret” and an “Identifier”.
Ovatic scanners read the barcode and compare the embedded time with the current time. If the current time is the same or at most 20 seconds later, and the secret and identifier are valid, the barcode is accepted as valid.
- In Ovatic, the event needs to have the option “smart tickets” activated.
- In Peppered, the “Smart Tickets Integrator Secret” needs to be configured. You can get a secret from Ovatic. This is unique for each website. Configure the secret in /dashboard?cat=control_panel&action=check&module_code=OVATIC_CONNECTOR
- In the same module, configure the “Smart Tickets Origin Identifier”. This is always the same (as it is always Peppered that creates the barcode). It is always 5412.
This can be used in combination with a forced log-in (see "secure tickets" above)
This can be used in combination with the SMS verification
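A minimal sketch of the time-window check described in this section, added here as an illustration and not Peppered's or Ovatic's code. The barcode layout, the HMAC-SHA256 construction, the function names and the sample values are assumptions, since the article does not publish the real format; only the 20-second window and the identifier 5412 come from the article.

```python
import hashlib
import hmac

WINDOW_SECONDS = 20         # validity window stated in the article
ORIGIN_IDENTIFIER = "5412"  # "Smart Tickets Origin Identifier" from the article


def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


def make_barcode(secret: bytes, ticket_id: str, now: int,
                 identifier: str = ORIGIN_IDENTIFIER) -> str:
    """Build 'identifier.ticket.timestamp.mac' (assumed layout, not Ovatic's)."""
    payload = f"{identifier}.{ticket_id}.{now}"
    return f"{payload}.{_mac(secret, payload)}"


def check_barcode(secret: bytes, barcode: str, now: int) -> str:
    """Return 'valid', or the reason a scanner would reject the code."""
    parts = barcode.split(".")
    if len(parts) != 4:
        return "malformed"
    identifier, ticket_id, stamp, mac = parts
    expected = _mac(secret, f"{identifier}.{ticket_id}.{stamp}")
    # Authenticate first, in constant time; only then trust the fields.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad-mac"
    if identifier != ORIGIN_IDENTIFIER:
        return "bad-identifier"
    age = now - int(stamp)
    if age < 0:
        return "from-the-future"
    return "valid" if age <= WINDOW_SECONDS else "expired"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed; real secret comes from Ovatic
    issued = 1_721_640_000               # constructed Unix timestamp
    code = make_barcode(secret, "T-1001", issued)
    for delay in (0, 20, 21):
        print(delay, check_barcode(secret, code, issued + delay))
```

Because a code stamped ahead of the scanner's clock is rejected, a scheme like this depends on the issuing server and the scanners keeping synchronised clocks.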
Disable the option to change your e-mail address
If you want to avoid visitors changing their e-mail address so they cannot "sell" their website account (including e-tickets) to somebody else, just go to your "visitor account fields" module and set the e-mail field to "read only".
The Messagebird API
First, sign up for Messagebird at https://messagebird.com/
You need to use the "Verify API" from their start page.
You will be prompted to arrange for the necessary financial means before you can start sending SMS messages.
Once you have taken care of that, you should have access to the API keys for the test and live environments via the "Developer Dashboard".
Copy this API key into your Dashboard in the "API connections" module. There should already be a "Messagebird" entry in there, which is empty.
Use the test API key during testing, and change to the live key when ready.