Tryst’s 2FA Options and Answers

Tryst has been pushing a 2-step login for the past year. They’re clearly quite tired of dealing with hacked accounts. Accounts get hacked to due easily-cracked passwords or someone clicks on a link from a non-Tryst email that’s made to mimic a Tryst email.

How Not to Get Hacked (or reduce your chances)

The first key is having a strong password, which Tryst also recommends.

I always recommend using a strong password generator even though it normally means you’ll never be able to remember it and need to copy the password somewhere.
https://passwords-generator.org/
https://delinea.com/resources/password-generator-it-tool
https://www.calculator.net/password-generator.html

And if you don’t trust an online password generator, make sure to add an extra place or two to any password they give you, so you can add your own number, letter, or symbol to keep it completely unique.

While a lot of people also recommend password apps, I do not. Passwords on a piece of paper is not hackable. A document on your computer with a list of your passwords is not 100% secure if your whole computer gets hacked, but is more secure than any password app. You also won’t have to rely on a third-party server’s being up all the time. If all you use is your phone, a text note with your passwords is very easy to maintain. Whatever non-app method you use, make sure you have copies backed up somewhere safe, especially if you keep an electronic list.

If you decide to use a password app, you will have to rely on their backups, which are usually frequent and in multiple locations as their own failsafe.

Update: Johanna Potente suggested downloading a password vault that stays local, on your own machine. These could be spreadsheets, or a small program that manages the info you enter into it. For extra security, you can download these vaults to an encrypted USB drive, you only need to remember the encryption password to open the vault and access all of your passwords. There are several free options if you search, or you can create your own with your own spreadsheet program.

The second key is not clicking on any email that purports to be from Tryst. I have a Tryst ad and constantly get those emails too. Fortunately, the email address on my Tryst ad leads to an auto-response and I never look at the emails received unless I’m hunting down someone who didn’t pass screening.

If you think you can afford to ignore the email messages coming directly from your ad, create an email address just for that ad (e.g. YourName.Tryst@domain.com), set it to an auto-response that sends readers to your website, and you cut your risk of being hacked from a phishing email down to 0%.

It’s also a really easy way of doing your stats at the end of the month if you can see the exact amount of legit inquiries vs time-wasters, or if there was a common question or whatever. Creating a separate email address for every advertising platform is a great way of gathering hard numbers for your marketing efforts. And again, never answering any email captured by that address means not being phished.

I’m not sure why Tryst doesn’t offer this as a solution but it is a safety measure that you can do if you think you can afford to. Personally, I feel the serious clients will go to your website first before contacting you, but everyone’s business is different. (The auto-response is always a great way to weed out the stupid. In 2023, many men still do not know what an auto-response is and if you’re that dumb, I really won’t be able to help you.)

Tryst’s 2FA Options

Tryst has offered a number of options, which they sometimes also refer to as Multi-Factor Authentication/MFA. Tryst explains the general terms and a general overview of how the various methods work. They offer a little more detail buried in their FAQ, none of which addresses any privacy concerns.

Several of these options means that Tryst has paid to partner with the technology to offer it. That’s how serious they are about locking down your account. It becomes cumbersome just to access a sex work advertising platform. These apps can also raise serious privacy concerns, which is a big deal for sex workers in the US. Tryst hasn’t addressed any privacy concerns whatsoever, in fact, they recommend providers utilizing more than one type of 2FA key. (I think that’s overkill.)

I admit to resenting this being forced on us as of September 1, 2023. I also understand that one hacked account can put the whole site at risk if the hacker knows what they’re doing (though so far, the interest seems to be on scamming clients out of money). I understand perfectly well that creating a digital trail linking your online activity and/or personal information just to log into a sex work site is a risk some will not want to take. I’m curious to see how many paying advertisers Tryst loses on Sep. 1. (My only hope is that horny straight guys stop using it as a dating site if it gets more annoying to log into.)

For an unregulated business, we endure quite a bit of ad-hoc regulation to be able to work. Of course, the ability to work without needing to rely on an advertising platform is the ideal: whether you’ve SEOd your site, have fully utilized social media, or found another mix of methods; freedom from ad platforms is a great goal to have.

I have signed up for one option and have successfully used it. I’ll discuss my choice when we get to it. This doesn’t mean I like it, because I don’t. I picked the least evil and simplest option.

The strongest security you can get is by compartmentalizing your electronic trail. Choose one of the methods offered and use it solely for your work accounts. Do not use these apps on whatever accounts you access for your personal life. Log out each and every time you’re finished with an app or Tryst, clear your cache and cookies before logging into your personal accounts.

If you advertise with Eros, it’s highly likely they’re going to follow in Tryst’s footsteps, as they’ve been warning about scammers for a while. Currently, they require an email verification code to sign in, which is a common and simple 2FA option Tryst does not offer for reasons they never address.

How Does It Actually Work?

Most of these options offer both a desktop/laptop and phone version. Once again, you have to consider what else is one your device and how you use that device. The different apps offer mildly different ways of authentication, but it works based on QR codes. Tryst will create a QR code, your app reads it, communicates with Tryst, and you enter a numerical code the app gives you (and Tryst), and Tryst confirms the code. You’re logged in. I highly recommend reading each website thoroughly for details on how the app works after you’ve decided which one you want to try. Tryst answers a little more detail in their FAQ.

I have not signed up to every option to test them because I do not want to do that.

The first time you log in via the app, Tryst will give you an emergency recovery code. In case your account gets hacked anyway, this code will let Tryst know it really is you logging in. You are to keep the code somewhere safe. Tryst suggests on a piece of paper.

Yes, all this high-tech bullshit for a sex work advertising platform is ultimately secured with words written on a piece of paper.

It really reminds me of this scene from The Simpsons.

Tryst warns you that if you lose the code, you probably will not be able to recover your account. This is the same type of backup security that electronic crypto wallets use, though Tryst’s code is much shorter.

Reading QR codes is easy with a phone: you point the phone at the code. Reading QR codes on a desktop is a little more complicated and involves more apps. Tryst’s FAQ says it can offer a URL to copy and paste if you can’t read the QR code.

This obviously points to using your phone for the app, but consider if you mix work and personal on your phone or not. Same with your computer. What you do really depends on how you have your work set up. This is something that requires consideration.

Once you’ve signed up and used it to log into Tryst, records are created that you will not be able to destroy, even if you delete your account with Tryst or the app. Having a dedicated work phone is always the best answer but I’m aware not everyone can do that.

Not to mention the obvious but…your phone isn’t actually surgically-grafted to your hand. What happens if you lose it and the authentication app on it? Other than a random person being able to easily access your account; you’re just as easily shut out even if that doesn’t happen. (Hence, the emergency passcode written on a piece of paper, which really begs the question of: why bother with the app at all?)

The Options

1Password

1Password is an app that acts both as a password manager and authenticator for sites that require 2FA. They offer a business option and personal-use option. If you were to use this app, choose the personal option, not business. It’s cheaper as a personal option at $36/yr. Yes, you have to pay for an app to access your escort advertising. I know.

1Password is quite happy to install itself in every single factor of your life, from personal information to bank account info to your medical records to authenticating you with Tryst. You pay for the privilege of having a random company gather NSA-level information about you.

I avoid things like this like the plague they are, but if you think it’s convenience personified, go for it. It is a Canadian company.

Google Authenticator

If you already utilize Google Analytics or Gmail (or other Google properties) in your work, this might be an easy fit. If you avoid Google, you’ll also want to avoid this app.

It is a simple app to use, whether on phone or desktop/laptop. There’s even an Authenticator Chrome extension that will read the QR code for you.

It collects a fair amount of data.

It’s very straightforward to understand the benefits and drawbacks of this app. Using it depends on your comfort level with Google. Because it’s Google, you can be assured it will snoop and connect as much information about you as possible, including that you’re using it to log into Tryst. Google is a US-based company.

Microsoft Authenticator

What can be said for Google can be said for Microsoft Authenticator. Microsoft is a US-based company that respects your privacy every bit as much as Google does. (Or Apple, for that matter.) Personal data is gold to companies like these. Using their apps is giving them your gold for free in order to sign into a hooker site.

Authy

Authy is an app powered by the US-based customer management company Twilio. Though the parent company itself is all about gathering and managing customer data for companies, the app seems to be a straightforward version of a 2FA app.

This is the one I put on my phone, but it also has a desktop/laptop version. It asked me for a phone number and email address. I verified both to install the app. Logging into Tryst was exactly as Tryst described: they created a QR code, the app read it and gave me a number, which I entered into Tryst. That was it.

I’m not pretending this app isn’t collecting data that I’m not aware of, but the app only requested permission to use my camera in order to view the QR code. Tryst the website appears as a little square on the app. Presumably, if I used this app for other sites, they would also have a little square with their name on it. Just click the square and the 2FA process begins. There’s not much else to the app.

Security Keys/Passkeys

Basically, these are souped-up USB devices — actual, physical objects that contain electronic code. But of course you have to buy a special one; a plain old USB drive with your passcode info on it won’t suffice.

Tryst recommends the cheapest Yubico key on offer, which is $25 (most of the keys start at $50). This is affordable enough, but that’s not the end. The key works with only with the built-in security methods on your devices, which is where the multi-factor authentication comes into play. (Key + device + authenticator app + Tryst’s own protocols)

By built-in security, Tryst makes it clear that means biometrics. Your face scan, your fingerprint. Not your passcode. Logging in this way activates your special key and reassures it that only you are accessing the codes stored in it, then it can work with authentication apps and Tryst.

Your biometrics. To log onto a hooker website.

I hope to god you don’t already use your biometrics to unlock any of your devices but if you do, be aware that in the US, your biometrics are not protected information. Police can collect your biometrics all day long (i.e. mugshots, fingerprints, DNA). They cannot compel you to unlock your phone or computer if it’s locked with a passcode.

You can Google all day on these issues, and the answer doesn’t vary much, even in different states.

Let’s put aside the biometrics horror show, and look at the keys a little more.

These keys can also work with cryptocurrency, though I do not believe they function as wallets. It’s simply that they offer a higher level of security for the wallet you already have. You can check compatibility with various apps on their website.

The downside is now you have a thing to lose. If you lose tiny things (like USB drives), on the regular, this may not be the best option for you. Because if you go the multi-factor route and lose the key, you’re almost certainly going to be shut out of your account permanently.

The upside is what I’ve mentioned: you can use this key for multiple work-related accounts. It’s probably partitioned enough that you could use it for work and personal, but this is just a guess. I’m not certain.

The key can work with your phone or desktop/lap. It uses a specific connector, not a plain old USB connection. Tryst recommends using only the latest devices for security purposes but they also do not offer to pay for you to upgrade your devices, so take that with a big shaker of salt.

If you aren’t sure what connections your device offers, feel free to Google the make/model of your device and check. Or contact the key company and request assistance if it’s not in their FAQs.

The keys are an excellent idea in theory, but that theory falls apart because they require biometrics to access their functions.

If you already use your biometrics to unlock your devices, and don’t wish to roll them back (or can’t), then the key might be a good option. You buy it once and use it forever. You’re already fucked by the biometrics requirement, might as well have fun with it.

Remember that Tryst will give you an emergency passcode to write on a piece of paper.

Because paper is hacker-proof and Tryst knows it.

Final Thoughts

Really didn’t even have to tighten my tinfoil hat on this one. Some states now require ID verification just to access porn sites. How much longer before escort sites are wiped off the Internet? Or access to them? Tryst is worried about Tryst being stable and secure. They aren’t looking further down the road in a country where they aren’t based (a country whose idiotic laws are the whole reason they came into being in the first place).

Requiring elaborate, invasive, and potentially self-incriminating methods just to run an escort ad is going to cause unintended consequences for US users. Or, I guess the consequences will be very intentional, from the perspective of law-makers and police. It’s only a matter of time.

We already know that Eros is compromised. We know that sex workers from other countries are regularly detained and sent back to their country of origin for the crime of showing their face online in connection with their sex work. We are forced to use cryptocurrency to pay for ads because banks will shut us down and credit card companies have already shut down these payment avenues.

How to protect against hackers? Education instead of apps. Make sure everyone knows app-free ways of not falling for phishing emails, or how to create very strong passwords and where to keep them (piece of paper!).

Tryst has long used an unnamed service to automatically check our passwords against a list of known passwords from other data breaches (it’s from one of the authenticator services they signed up with, but forgot which one offered that). I have always found that a little disturbing, and it’s something they’ve never addressed, but it’s far less invasive than their new requirements.

Tryst is offering everyone 20 credits to “upgrade” to 2FA before Sept. 1. They should offer a free Platinum month to everyone, at the very least (150 credits).

For those who don’t know, Tryst offers a free plan to everyone; and the next step up is 35 credits/month. This 20 credit bonus is not much bonus. They give out 25 credits every Christmas.

Even the least offensive app is a step I’ve not taken before and absolutely did not want to take. I don’t make much money from Tryst but I get appointments from there and would like more (I always want more). They’re holding our income hostage to create a tighter electronic trail (or leash) between our personal and professional lives. Those whose income completely depends upon Tryst are the ones who most likely don’t have the economic freedom to pay for the necessary electronic compartmentalization to neutralize the effects of using any of these methods.

Tryst has tried very hard to listen to sex worker concerns, and to support sex workers worldwide. Tryst stuck their necks out to create Switter, which had to close after two years due to legal issues, and the potential for even more issues (which always cost money).

All of which makes the 2FA requirement feel ugly. They may not intend to do anything but keep the site and users secure (and maybe lower their IT bills by not having to pay to fix emergency hacking situations). The unintended consequence is holding potential income hostage, for nothing valuable in exchange. The unintended consequence is being able to tie the personal and professional together much more easily for random companies and law enforcement. It makes Tryst feel one step closer to every other ad platform without our best interests in mind.

Additional thought: I forgot to mention that all these companies that Tryst has partnered with (except 1Password) are US-based. Which means they’re subject to US laws and anti-trafficking hysteria. Which means that at any time they could decide to end the partnership with Tryst, or turn user logs over to the police. Then what? Not good for Tryst, not good for any Tryst user in the US.

The Yubio key requires an application to interact with, as far as I can tell, which means one of the apps Tryst has partnered with. If those companies stop allowing use with Tryst, the key is also rendered useless for logging into Tryst. (This is my understand of how it functions, I could be wrong.)

It’s my opinion that in attempting to heighten security, Tryst has instead made their site, and users, less secure due to the dependence on US-based companies. I assume it’s because their largest user-base is in the US, and these companies like to make apps for everything. It’s a decision that solves one problem while creating the opportunity for a much bigger problem.

Important Update

Turns out that Twilio, who owns and operates the Authy app, is also involved with OneReach. OneReach is described in the PDF linked in the Tweet below as a “demand-deterrence” platform, dedicated to the service of police in anti-prostitution efforts.

On page 80 of 2019 PDF, you can read about One Reach/Twilio:

OneReach / Twilio — A front-end and application programming interface for integrating voice call and text messaging into 3rd-party applications. The back-end that is used for some demand deterrence platforms.

I’m not claiming this is deliberate on Tryst’s part, I doubt it. Nor do I have any idea how connected Authy, Twilio, and OneReach actually are. But the connection is there, and has been there for years. The companies themselves don’t have a lot of public overlap, at least not what I found with a little searching.

OneReach openly works with the LAPD, and refers to human trafficking on its website. Twilio doesn’t seem to mention OneReach in any recent news. That doesn’t mean they don’t sell data or services from any of their products (Authy being one of them) to OneReach or law enforcement.

More research needs to be done because I have a lot of questions about the companies’ involvement with each other. Law enforcement and anti-trafficking efforts seem to feel they’re all very cozy together, though.

Goddamnit.

a quick update

I added a little update at the bottom of my burnout post. After even more time away from life as Amanda, and other positive life changes, I’ve made a decision based on many personal revelations and much thought.

The comments are turned off on this blog from now and forever. I will Tweet every now and then, but am never going to engage with anyone on Twitter again. If you have my email address, you can use it, but I probably won’t respond. I’m not interested in mainstream media, not unless an exceptional opportunity arises. By “exceptional”, of course I mean “paid” and by “paid” I mean “well-paid” which means it probably won’t happen at all.

I’m in the process of gathering materials (and thoughts) for a few more escort-related books. I can see a minimum of two and a maximum of six coming out over the next year or two, depending on several factors. Ebooks, produced as professionally as possible, perhaps with POD options. I’m not going to bother doing print runs again. It’s more hassle than I feel like doing, certainly more upfront costs for me, though I know sex workers love to build actual libraries (I’m one them). That means I’ll be forced to buy myself POD copies too. 🙁

Speaking of print books, I’m selling out the last of my copies of Book 2. Haters are encouraged to buy out my remaining stock at full retail price to hold a bonfire or whatever. I’m both a sex worker and a writer. My type of people like getting paid.

Book updates/news/notes will posted on Twitter, of course. I’ll finally use it as book promotion like I should have been doing all along.

I’ll do my best to publish helpful information, because sex workers certainly deserve to have options, and the experiences of others in order to make decisions. I’m even going to write a book for clients and it’s probably not going to be anything like what you’d expect from me, for good or ill.

I’m aware my acknowledged audience is tiny, I’m also aware that I’ve helped shaped this industry, whether acknowledged or not (usually not, and usually while being completely ripped off, sometimes by people who claim to be of higher ethical standards than I). I’m also aware all of this is spectacularly bad timing, but my life has been nothing if not badly-timed, so this is completely on-brand.

Whatever comes, there will always be men wishing to indulge in paid sex and/or companionship, and there will always be women wishing to offer it. And the concepts of providing are eternal, even if current society or the technology changes.

And then I’m done with producing books (as Amanda).

There are other things I’m working on and places I see myself going that don’t involve any of you, or Amanda. I like that.

I’m sure there will be one final concluding essay to all this before I go, for those who have followed me this long. My story arc will be concluded, as it were, as gracefully as I might be able. It may not be nice but it will be honest.

There is so much clarity that comes with distance and time.

Sex work burnout: a very long journey

Burnout. Every career has its version and sex work probably has higher rates because the work is so much more personal, because sex workers shoulder such a huge portion of the work individually. A stripper cannot outsource her work and make a living. An escort can outsource some of her administrative work, but has to make more money in order to pay for that luxury. We cannot clone our selves to go meet clients. Scaling up or out is impossible. At best, we can make and sell content for passive income, or raise our rates. We still have to do the actual work though, whether writing, photographing, interacting, and showing up.

This is a novella-length essay of my journey into and out of burnout. I’m still in the process but am through the worst and on my way out. Take what you find valuable, if anything, and I sincerely hope it helps you. This is not a “poor Amanda” essay, some of these issues have been self-caused and it has taken solid moments of clarity to realize this. Avoid my mistakes and do better.

There are many ways to organize this and I felt chronologically would be best for you. It’s not how the feelings and experiences are organized in my head, but you don’t live in my head. I’ve done my best to make the steps of the journey clear to both of us.

Read more

face or no face?

Vanessa D’Alessio wrote a great piece over at TitsandSass around the issue of showing your face in conjunction with your online escort work. My response got eaten by the Intertubes, I think. Instead of reposting, I decided to expand on it a little here.

This article has been at the back of my mind since I read it last week. My arc has been slightly different than hers. When I started stripping, I was fairly out and allowed myself to be photographed, topless, for one of my club’s websites (back when the Internet was indeed tubes that connected computers using gerbils and string). They never removed the picture despite repeated requests, even after I left stripping and began escorting. (It was later removed only because they redid their site.)

Read more

hobbyists in the mist

Over the years, I’ve run into hobbyists online in non-escort settings. EBay, various message boards about real hobbies, non-escort blogs, dating sites and the like. It is proof that hobbyists do have something of an Internet life outside of posting on discussion/review boards. It’s also proof that an experienced escort can smell them through the computer screen long before they’ve made a complete ass of themselves.

It’s the grossly-entitled reek they emit that gives it away. They see women as inferior and expect that anything they say is gospel. They forget that the rest of the Internet is a free world and my livelihood doesn’t depend on catering to their flagging egos. I love to enrage them because it’s so easy. They never twig that I’m an escort and recognize what they are. They only know that I’m keeping the pussy away from them, not doing what they tell me to do, and not falling in love with them. For free, of course.

They lust after any semi-appealing female who crosses their radar, seeming to think that every woman will react with the same enthusiasm that working escorts do. They’re shocked when I tell them to fuck off (and it is so, so much fun to do this). I’ve even caught them attempting to rate and review me and other civilian women on whatever site. Why do they think women want to put up with this for free? Oh, right. Hobbyists.

Sometimes they’re even smart enough to not use the same handles on every board. Certainly not always. I’ve no doubt if I went searching for specific phrases I’d probably figure out their escort board handles pretty quickly but I’ve never had that much curiosity.

They find out that challenging me with money doesn’t work (like the out-of-state dating site guys who want to meet me and take me to dinner, but only with the guarantee of sex because they don’t want to waste money on me) and it blows their minds. They rage and whinge about how I set my boundaries during whatever short bout of contact we have online. I find their other online profiles (“travel dating” sites are now popular) with pictures and hilarious self-description, I pass the links around for others to laugh at. In my experience, real clients rarely leave such an Internet trail of stupidity. Hobbyists usually do, spreading all over the Net like a viral outbreak. The stupider they are, the better. They readily oblige.

The most fun is getting to act offended and enraged at every little sexist thing that they write, threaten to have them reported and/or banned from the site, get to tell them where and how to get off (certainly not with me), etc. They have no idea where I’m coming from, and they discover they really can’t do anything to me. They have no power over me. I’m just some random chick, probably a Nazi-feminist, who thinks all men are sexually harassing her, and causing a big stink about their attitudes. They go in search of easier prey. I’m sure I’m responsible for some of the beliefs among hobbyists that American women are emasculating men. (Don’t be so easily emasculated, is my response.)

Oddly enough, I’ve yet to personally interact with an online male jerk who wasn’t a hidden hobbyist. I’ve sometimes been able to sniff out a client (though none of mine) and they behave themselves. I’ve interacted with quite a few civilian men and they behave themselves, more or less, within a range of normal male behavior. The outright, miserable assholes are always hobbyists. Always. I think it’s because hobbyists are MRAs who admit to paying for it.

I would love to tell hobbyists to behave themselves when interacting with women who don’t care about earning a “10” from them, but then, I doubt any of those read this blog. Nor would they get it. Or care.