Jump to content

It is time for Linden Labs to put in two factor authentication


You are about to reply to a thread that has been inactive for 1942 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

The problem I have encountered with SMS and email is that delivery is not guaranteed and even when it is delivered, may not arrive in a timely fashion.
More than once I have been left waiting for the code to arrive and for whatever reason the code just does not turn up until a long time later.
People don't realize that these methods can take a long time to deliver and may not show up at all sometimes.
So without even going into the lack of security around these things, I would not like SMS or email based tokens.

I find the best way of obtaining tokens is the Google Authenticator (GA) way using a time-based key which you setup with a master key shown as a QRcode or text on the web page where you are setting up the 2FA itself.  You don't have to use GA or even a phone, there are other apps that are compatible and available for most operating systems.
As long as you have the master key (which Google does its best to hide but can even then still be obtained), you can always setup an alternative to GA and the phone.

You cannot possibly be locked out of your account if you have the password and a master key for generating 2FA tokens.
You just have to protect this information, which I do with an offline encrypted password vault.

This has proven to be always available when I needed it and unfailing reliable for a good number of years.

Edited by Gabriele Graves
changed codes to tokens for consistency and corrected spacing.
Link to comment
Share on other sites

On 5/5/2016 at 10:06 AM, Rhonda Huntress said:

Getting a list of account names is easy since we all have ours over our heads and on display in groups for anyone to read.

This.  Yes, we should have 2 factor identification, but LL hasn't even given us the two private data items that almost EVERY OTHER WEB SITE has, a private user account name and a password.  Having both would not prevent phishing, of course, but it would be at least a tiny step forward from the 1990s.  With the only key piece of data being the account password, SL accounts are terribly vulnerable.

  • Like 3
Link to comment
Share on other sites

On 9/6/2018 at 6:03 AM, Lindal Kidd said:

  With the only key piece of data being the account password, SL accounts are terribly vulnerable.

the numbers of hacked accounts show the opposite.

It's nearly all phishing. And you can't blame LL for that.

 

  • Like 3
Link to comment
Share on other sites

3 minutes ago, Ethan Paslong said:

the numbers of hacked accounts show the opposite.

It's nearly all phishing. And you can't blame LL for that.

 

It's not a question of blame, that's entirely irrelevant.  The issue is about best protecting assets and the appropriate tools are not provided.

 

  • Like 2
  • Haha 1
Link to comment
Share on other sites

12 minutes ago, Bradford Mint said:

It's not a question of blame, that's entirely irrelevant.  The issue is about best protecting assets and the appropriate tools are not provided.

 

I dont think they can, that''s the whole problem, they had a heck of a time when they changed the login system years ago. 

Link to comment
Share on other sites

Just now, bigmoe Whitfield said:

I dont think they can, that''s the whole problem, they had a heck of a time when they changed the login system years ago. 

It wouldn't have to impact the viewer client if an out of band push authentication was to be sent to a smartphone app. If the back end login process is so messy that it can't accommodate an intermediate challenge then that says a lot about the authentication mechanism behind the scenes.

So begs the question, what has been learned?  Is 2FA available for Sansar?  (I went there just once, didn't see any reason to stay and didn't see 2FA)

  • Haha 1
Link to comment
Share on other sites

The simple answer is "get one" if you want to use easy 2FA. Just like you need a suitable GPU for shadows.

We need to stop playing to the lowest common denominator to avoid implementing best practice but alternate options are available for those without a mobile device.

Just have a desktop soft token instead. No big deal at all.

  • Haha 2
Link to comment
Share on other sites

48 minutes ago, Bradford Mint said:

It's not a question of blame, that's entirely irrelevant.  The issue is about best protecting assets and the appropriate tools are not provided.

 

for me it is irrelevant to ask for a system that's totally not needed because it works perfect as it is.

Link to comment
Share on other sites

4 hours ago, Bradford Mint said:

Fine for you, maybe you don't transact large funds or have valuable assets but for those to whom it is important is no reason not to offer it.

I don't always lock my car on the drive, does that mean cars shouldn't have or don't need door locks?!

You don't always lock your car, thus making it easier for folks to steal things out of the car or even the car itself, yet you fuss about wanting more security in SL - interesting.

 

Create a super strong password and be smart about the things you click on so that you don't hit a phishing link and have good security software on your computer to help you avoid getting anything bad downloaded.  

 

  • Like 2
Link to comment
Share on other sites

5 minutes ago, LittleMe Jewell said:

You don't always lock your car, thus making it easier for folks to steal things out of the car or even the car itself, yet you fuss about wanting more security in SL - interesting.

It's about risk management and mitigation.  That particular car is in monetary terms, worth half the value of one tyre, or 2/3rd of a tank of fuel. Another car is a classic convertible worth far more but I don't bother locking that one either because it gets parked in low risk areas and never has the roof up.  It relies on other security mechanisms than a door lock when you can just jump in!

On the other hand, my transactions within SL have been of far higher value.

The problem with being smart is that social engineering can catch people out, even the smart ones so to mitigate that risk, we implement other security factors to assist. 2FA is not a panacea but is just another important tool that should be offered. You can have the strongest password you like but if you're coerced into entering it or malware sniffs it, it's not going to help you much.

There remains no excuse today for a platform provider not to offer extra authentication beyond username/password on a platform that deals with assets of value.

  • Haha 1
Link to comment
Share on other sites

4 hours ago, Bradford Mint said:

The problem with being smart  There remains no excuse today

Could not agree more. So  when are you going to buy me a tracking - sorry - smartphone?

To ahem protect your assets. As a C2G olde skool oh dear Leftie I rather like seeing social Darwinism at work. Separates the Women from the ...

Link to comment
Share on other sites

Like I said, a smartphone is just one platform upon which to host an authenticator, if you want a different platform, that's fine too.  You can have a soft token on your desktop if you're concerned about the data leakage from a smartphone and that's just one direct replacement that would also offer push authentication.  Other token types abound.

As to me buying you one, i'm sure you can afford $36 for a new smartphone?

There are so many other ways that you are tracked anyway but that's a different topic, this one is about LL getting with the program and offering more modern authentication for those that want it.

Besides, once you install the authenticator, you can turn off wifi, don't need the SIM card, how do you think it's going to be tracked with no data connection?

Edited by Bradford Mint
  • Haha 1
Link to comment
Share on other sites

6 hours ago, Bradford Mint said:

Besides, once you install the authenticator, you can turn off wifi, don't need the SIM card, how do you think it's going to be tracked with no data connection?

Wrong,  if they are not using a time based sync and if thye were smart they would use the google authenticator. but you need to keep the phone least on wifi to sync,  trust me, I've got 2 phones, one does my authj, the other is well my phone,  if I leave the auth phone offline totally, it loses sync and none of the codes work and I would never use another authenticator  besides googles

Link to comment
Share on other sites

Time-based tokens are just fine and most adhere to the same standard algorithm (RFC6238, Time-base OTP), so pretty much any software that says it generates tokens to that standard will do.  The worst a third-party token generator can do send the token it generates for you to somewhere else at the same time.  However that is useless unless another party also has your other credentials and makes an attack during the token lifetime window.  Even then it only makes it about as secure as sending tokens through email.  So, of course you should choose a well-known, reputable generator for your operating system if you can.  You still have to protect your master key but that is (hopefully) generated by the vendor (such as LL) to be long enough and random enough to be impossible to guess .  However, it is also much easier to protect than a password because you never have to enter it online.

Edited by Gabriele Graves
clarity
Link to comment
Share on other sites

6 hours ago, bigmoe Whitfield said:

Wrong,  if they are not using a time based sync and if thye were smart they would use the google authenticator. but you need to keep the phone least on wifi to sync,  trust me, I've got 2 phones, one does my authj, the other is well my phone,  if I leave the auth phone offline totally, it loses sync and none of the codes work and I would never use another authenticator  besides googles

So your device suffers a drift, then either put a SIM card in and turn the data off so that it derives clock from the network or leave wifi on, this really isn't an issue and I was addressing the paranoia of having a smartphone based soft token.

There's still no reason to not be offered stronger authentication, these are made up, imaginary reasons to avoid doing something better.  OCRA based tokens are but one 2FA mechanism, others exist.

Again, the request is there to have it available, nobody is suggesting that it should be forced on those who still believe that passwords alone are good enough.

  • Haha 1
Link to comment
Share on other sites

23 hours ago, Bradford Mint said:

We need to stop playing to the lowest common denominator

The Lab know thier customers, and I think it's the Lab's strong intention to allow as many legacy systems as possible. A sizable proportion of SL seems to be non-gamers and a huge chunk of those are on Potatos.

If you stop thinking about them SL becomes a wasteland with tumbleweeds blowing down the streets of Bay City.

 

  • Like 3
Link to comment
Share on other sites

You are about to reply to a thread that has been inactive for 1942 days.

Please take a moment to consider if this thread is worth bumping.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share

×
×
  • Create New...