Ask AI
How can we help? 👋

Secure e-tickets, dynamic barcodes, SMS verification

Updated: 22 July 2024 for V197 | Release Notes - June 2024


There are several ways to increase security around e-tickets. These options are mainly used to discourage the (illegal/unwanted) reselling or sharing of tickets to other people.

To enhance e-ticket security, options include secure tickets with delayed barcode visibility, SMS verification for access, and dynamic barcodes that refresh every 20 seconds.

Implementing these features can prevent unauthorized sharing and reselling of tickets, but may complicate user experience. Settings for secure tickets and SMS verification must be configured in the Peppered Dashboard, and the Message Bird API is required for SMS functionality.

As with all security measures, this will bring more complexity to the user experience, so use these features wisely and only when there is a high risk of ticket sharing/reselling.

🚧
Take note! The options as described below only work when you are using the Peppered confirmation email and Peppered e-tickets.

About Secure Tickets

Secure tickets have a barcode that will show only XX minutes before the event. Making it harder to share these barcodes with other people in advance.

How secure tickets will look if set up correctly
How secure tickets will look if set up correctly

The working principle is that all Peppered e-tickets have an “available from” field. The date in that field causes a barcode to be shown or hidden. If the date is in the future, the e-ticket will hide the barcode and communicate the date in a message ”barcode will be available from xx-xx-xx”.

When displaying a Peppered e-ticket, the available from field is leading.

  • If date is in past: Show Barcode
  • If date is in future: Show message “ticket not yet available” - No Barcode shown
  • If there is no date: show message “ticket not available” - No Barcode shown

The way the available from date is set differs per ticketing system:

Secure tickets with Ticketing system leading

For Ovatic and Itix, this date is passed on from the ticketing system. Both systems have a setting per event to activate secure tickets (in Ovatic called “just-in-time” tickets) and to fill in the time before the start of the event that the barcode should be active. This date is automatically transferred to each ticket in Peppered.

Secure tickets in Peppered

For other ticketing systems, barcodes are always visible by default. You can, however, activate secure tickets in Peppered by checking the box “secure tickets” at the event in the Peppered Dashboard. This does two things:

  1. The setting forces the visitor to log in to access the e-tickets.
  1. The barcode will be hidden on the e-ticket until the availablility time.

You can configure the Secure e-tickets availability (minutes) field in the e-tickets part of the Control Panel. This is a central setting that will be used for all e-tickets for all events that have the option "secure tickets" switched on.

💡
Take note! This setting will also work for “Secure tickets with Ticketing system leading” (see above) to force the extra log-in step.
 
🚧
Take note! As of V198 | Release Notes - July 2024 secure tickets will only show the Name and Customer number. These tickets require the visitor to login into their account, so personal data on those secure tickets is safely stored behind the login.

SMS Verification

All tickets can be placed behind an SMS wall. This means that you need to fill in a special code before you can access your e-ticket.

This code will be send by SMS to the number you entered during the order process.

For this wall to work, we need three things:

  • A setting (”SMS verification”) on the event level. This will activate the “phone number” input field before finalising the order, and hide the “send tickets to my home address” option.
  • A valid Message bird API connection, which can then be added to the Peppered Dashboard in the API connections module. (More info on setting up a Messagebird account at the bottom of this article)
  • Name of the sender and message text in the “SMS validation” section in the Control Panel

The phone number for the SMS verification does not have to be the phone number as stored in the account, although if there is a phone number in the account, it will show as a placeholder in the last order step. You can, however, change this number into any number you like. The phone number will be stored with the order, so when you change your phone number in your account, it will not change the phone number as stored with the order. That number cannot be changed due to security reasons.

Before viewing the e-tickets, you can request a code. The SMS with the code is sent directly to the phone number upon loading the page. After filling in the code on the website, the e-tickets are unlocked.

This can be used in combination with a forced log-in and the "available from" time setting (see "secure tickets" above).

Template texts for the SMS flow:
  • FE3_order_sms_verification_intro: Intro text for the SMS verification step in the order process.
  • FE3_order_sms_verification_edit: Label for the phone number edit link in the SMS verification step in the order process.
  • FE3_order_sms_verification_save: Label for the save button in the SMS verification step in the order process.
  • FE3_sms_verification_intro: Intro text for SMS verification.
  • FE3_sms_verification_button: Label for SMS verification button.
  • FE3_sms_verification_resend: Label for SMS verification resend button.
  • FE3_sms_verification_error_expired: Error message for expired SMS verification code.
  • FE3_sms_verification_error_invalid_code: Error message for invalid SMS verification code.
  • FE3_sms_verification_error_generic: Error message for generic SMS verification error.

Dynamic Barcodes (Ovatic only)

Dynamic Barcodes refresh every 20 seconds. Old codes are invalid, so you need to have the barcode live on your screen at the door.

How dynamic barcodes will look if set up correctly
How dynamic barcodes will look if set up correctly

Peppered creates a new barcode every 20 seconds, and securely embeds the current time in the barcode string, together with some other information like the “integrator secret” and an “Identifier”.

Ovatic scanners read the barcode, compare the embedded time with current time, and if current time is same or at max 20 sec later, and the secret and identifier are valid, the barcode will be valid.

  • In Ovatic, the event needs to have the option “smart tickets” activated.
  • In Peppered, The “Smart Tickets Integrator Secret” needs to be configured. You can get a secret from Ovatic. This is unique for each website. Configure the secret in /dashboard?cat=control_panel&action=check&module_code=OVATIC_CONNECTOR
  • In the same module, configure the “Smart Tickets Origin Identifier”. This is always the same (as it is always Peppered that creates the barcode). It is always 5412

This can be used in combination with a forced log-in (see "secure tickets" above)

This can be used in combination with the SMS verification

Disable Option to change e-mail address

If you want to avoid visitors changing their e-mail address so they cannot "sell" their website account (including e-tickets) to somebody else, just go to your "visitor account fields" module and set the e-mail field to "read only".

The setting to turn off visitors being able to change their own email address
The setting to turn off visitors being able to change their own email address

The Message Bird API

First, sign-up for Messagebird at https://messagebird.com/

You need to use the "Verify API" from their start page:

The overview of Messagebird on their start page
The overview of Messagebird on their start page

You will be prompted to arrange for the necessary financial means before you can start sending SMS messages.

When you took care of that, you should have access to the API keys for test and live environment via the "Developer Dashboard":

Copy this API key into your Dashboard in the "API connections" module. There should already be a "Messagebird" entry in there, which is empty.

Use the Test API key during test, and change to the live Key when ready.


Related articles

Did this answer your question?
😞
😐
🤩