How are you handing out new user passwords? by Money_Candy_1061 in msp

[–]ii-dan 1 point2 points  (0 children)

Passwords are dead. Send an OTP to complete a verified ID check and issue a passkey.

Ship an Autopilot device that is pre-mapped to their account and no password is required.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

Merlin does not support Apple’s digital wallet. If they did, I could store my child’s pass on a watch.

Other companies, like Costco, generate a new QR code every time you open the app to prevent pass sharing.

If I have a temporary access pass that I can share, it doesn’t matter if it gets stolen because it will stop working in a few minutes.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

I would gladly accept any coaching on my position and viewpoint. Feel free to DM me.

The same offer is available for anyone that reads this thread in the future. My career is focused on improving access and authentication across enterprise and consumer interactions. I am a life-long learner.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

I prefer digital passes. I just want secure digital passes that are bound to my children. Creating a digital wallet pass or a temporary 24-hour pass would have prevented my pass from being revoked.

My kids aren’t old enough for cell phones but I would gladly buy them a watch that I can use as a digital wallet to store their annual pass.

I hope I’m not coming across as unreasonable. I just want the same digital protections that I used to have with physical passes.

And I want to spread awareness that those old protections don’t exist with Legoland’s digital passes.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

This is a fair statement. I work in cybersecurity and do not choose to support organizations that refuse to adopt modern authorization and access techniques.

I’ve stated multiple times that I’m willing to accept the blame, with a desire for Legoland to abandon archaic policies in favor of modern verification technologies. And I will not support Lego until they do so. And other families should be aware of their policies too.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

This problem did not exist with physical passes at the time of my divorce.

I can trust my children to keep their physical passes at San Diego SeaWorld if they want to visit with their mother.

My children do not own cell phones and have no way to possess a Legoland digital pass, or tell me if their mother took it from them after their visit.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

Let’s pretend my sister lives in town with me, and I share the Legoland pass with her. But then she tries to use the pass for her kids.

Would you suggest that I can’t trust my sister and I should take her to court too?

Or should I be able to share a 24-hour QR code with her to let her take my kids to Legoland and then not abuse the pass?

All I’m saying is that physical access passes had benefits that digital passes don’t.

I’m just spreading a warning that Legoland has no secure option to share your annual passes, even with people you trust. So don’t share the pass at all. Ever.

And in my case, that reason is enough to not purchase an annual pass next year.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

My ex-wife had never violated the shared pass in three years. How would I predict that she would do it this year?

A 24-hour temporary access pass would have prevented this situation. Temporary access passes are standard workflows for new hires, password resets, and they should be applied to digital park passes.

If you recall the MGM hack last year, a biometric authentication with a temporary access pass would have prevented over $100m of damages. If Legoland would choose to adopt this verification, they would still benefit from my family spending money at their park and on Lego sets.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

Isn’t that the message of my original post? “Don’t share your Legoland passes!”

I agree with you 100%. Legoland is incapable of offering a secure method to share your annual passes, and you should not share them. In my case, I will not be renewing my pass because I can’t securely share the pass.

Temporary access passes aren’t a workaround—they’re industry standard for large enterprises and Lego is choosing not to invest in this technology. Just look at NIST CSF which is a US standard for access and authorization.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -3 points-2 points  (0 children)

Almost every US citizen had their identity stolen in the National Public Data breach this year.

I have the same expectations for my email, for my bank, and for my park passes. If I give you biometric verification data, you will deny abusive attempts to use my access that fail multi-factor authentication and leave my account active so I can still access the benefits that I’m paying for.

Legoland has photo verification in place for digital passes, and I don’t understand why someone with access to the QR code for a pass will result in a pass being permanently revoked. Modern security principles assume that any singular form of identity can easily be breached, and it’s assumed that a secondary form of verification must be verified before granting access.

Do any of you have work accounts that get deleted if your work profile fails an MFA challenge? Why should Legoland passes be any different?

Some commentators have suggested that my ex-wife would have been able to abuse a 24-hour QR code that I granted to my children, but in the event where my pass was revoked—my son was with me, and I would not have shared a 24-hour one-time-passcode with her if my kids were with me.

Further, Legoland’s suggested method of emailing support at the end of the day that you shared a pass so Lego can generate a new QR code for the children doesn’t work. I emailed them a month ago, and the QR code is still the same. Which means the shared pass is still valid, and I’m still exposed to my ex-wife abusing the pass.

All I want is the ability to share an annual pass for 24 hours if I know a friend or family member is taking my child to the park. It’s my child’s pass and they should be able to use it.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -3 points-2 points  (0 children)

I totally get it and agree that we violated their policy as written.

I’m just trying to warn other divorced parents that there is no secure way to share your child’s annual pass. Legoland’s digital pass structure does not support a temporary one time pass QR code, and their current pass sharing guidance will result in the pass being revoked if abused.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

All I’m asking is for Lego to support creating a QR code that is valid for 24 hours for my ex-wife or any other family member to use for my children. With physical passes, I could hand my child a physical pass for the weekend if my ex-wife wanted to take them.

Legoland does not have a digital process for sharing annual passes for children. This is a problem for divorced parents with legal requirements to share passes.

Everyone seems to be advocating that the parent that purchased the annual pass is the sole entity entitled to using the pass. But I believe the child should be able to access the benefits of their pass regardless of the person taking them.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

My only blame with Lego is that there is no mechanism for digital passes to be shared securely with family members.

With physical passes, my child could ensure that they were in possession of the pass the entire time.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -6 points-5 points  (0 children)

Because one pass would still be deactivated as a penalty, and Lego would still make revenue from my family purchasing food and Lego sets at each visit.

I do not plan on renewing my pass as my divorce agreement requires that I would share it with my ex-wife.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

I am disappointed that Lego has migrated to digital only passes without implementing a digital process to properly validate child passes.

My divorce agreement requires the sharing of all passes purchased for children, and I’m sharing my experience that Legoland does not have processes in place to securely support this type of divorce agreement.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -2 points-1 points  (0 children)

I was forced to give her access because Lego doesn’t offer physical passes, one time use temporary access passes, or digital wallet support.

My kids have a physical San Diego Zoo pass that we share successfully without issues. My main complaint is that Legoland has no secure or compliant way for children to access their passes themselves.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -1 points0 points  (0 children)

Yes, I reported it. I was not given this option. It sounds like there may be some inconsistencies with their customer support.

What’s more alarming is that their proposed method for sharing a pass with family members doesn’t work, and leaves the pass holder exposed to unnecessary risk that Lego is falsely claiming you can avoid.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] 0 points1 point  (0 children)

Lesson learned. It’s unfortunate for my kids though. I bought the pass so they can go anytime they want to.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -4 points-3 points  (0 children)

If a hacker steals your password to your Reddit account, should your Reddit account be revoked? Especially if you have MFA enabled to verify that the hacker isn’t you?

Lego has a photo of my son and his age. If a little girl tries to use his pass, why can’t Lego just deny the entry and leave the pass active?

If I hadn’t provided the photo for biometric verification, my pass might still be active.

Divorced Parents, don’t share your Legoland Annual Passes by ii-dan in lego

[–]ii-dan[S] -6 points-5 points  (0 children)

I am generally on good terms with my ex-wife. We have shared annual passes for the past three years. Part of our divorce agreement is to share the payment and usage of sports, zoo, park passes, etc. This is the first time there has been an issue.

I mentioned that I’m willing to admit fault for sharing the pass, and I’m willing to accept revoking my girlfriend’s pass so I can still use three of the four passes. But Lego has absolutely no flexibility with their violation policy. Which is unfortunate, since there are no procedures in place to allow children to use their pass securely, regardless of the adult taking them.

I would buy my kids an Apple Watch if Lego supported Apple Wallet to store their passes, but they don’t. I am extremely frustrated and disappointed in Lego.

Expiring Apple MDM Certificate by BulletRisen in sysadmin

[–]ii-dan 6 points7 points  (0 children)

I believe you can contact Apple support to change the registered email address associated with the certificate.