How is Two Factor not on SL?

[Narugawanaisa Yumako]

Why Linden? 2019 and we still don't have good account protection or two factor authentication, its a simple randomly generated code sent to a mobile, hell sign up for google authentication services and offer that.

Linden Labs has account issue's almost daily that they deal with, why not just add extra layers of security for users and fix everything with a simple feature.

[Candice LittleBoots]

The thing is .. I DO NOT WANT 2 factor authentication. I despise it. It is impractical. I do not want to need my mobile telephone to log into SL.

However, having a user log in name that is not our actual avatar name would be beneficial, as then not one of the two criteria required to currently log in is known to others.

Regarding passwords I, for one, am capable of making a usable password which would take a computer about 2 trillion years to crack   https://howsecureismypassword.net/

 

This wouldn't be the first time I've said this:

Quote

Being able to change our user ID for logon purposes would be a positive forward step.

2FA using smartphones is an extremely poor idea, commonly championed by people who live their life in one single country. Should any change ever happen I hope it is an option, not compulsory. Nothing worse than being forced to do something which claims to be for my own good when I don't want it.

I log in and out of SL all the time, as I'm sure many do. I don't want it to turn into a palaver, otherwise it's likely I will begin to log in less and less. 

 

Edited March 27, 2019 by Candice LittleBoots
added link

[ThorinII]

To be honest, I despise Two-Factor-Authentification. It's very annoying. I even log in on websites that do use it as rarely as necessary because I don't see any sense in having to use my phone to authenticate the login credentials I enter on my computer. The passwords I use are very secure, there are no second credentials needed, in my opinion.

[ThorinII]

Just now, Candice LittleBoots said:

 https://howsecureismypassword.net/

By the way, I just checked the password I'm using for my SL account on that site:

Quote

It would take a computer about

34 thousand years

to crack your password

 

So why would I need a second authentification?

[Ethan Paslong]

1 hour ago, Narugawanaisa Yumako said:

Why

Linden Labs has account issue's almost daily that they deal with, why not just add extra layers of security for users and fix everything with a simple feature.

oh please go read the old thread about this in the GD, it ran for ages, there are no new views on this matter.

[Ethan Paslong]

little addition.. 99.99999999% of all troubles with accounts here are by phishing. More security won't help, the remaining 0.00000001% will still manage to get their details in the wrong hands, even when it's behind 25 different log in steps and confirmations.

[Richardus Raymaker]

2FA is only annoying. The want a mobile ohine number. And security + mobile phone is no security. The problem is still the user that use weak passwords or trap into phising mails.

Very happy there's no 2FA. And if the want to use it the code need ti be send by e-mail.

Edited March 27, 2019 by Richardus Raymaker

[Qie Niangao]

I agree that you should go read the other thread. For amusement. It's an hilarious compendium of misinformation about how modern 2FA works -- already bleeding-over into this thread. No matter how much the security-savvy may need it, you're never going to get it by posting in the Forums. If you ever get a chance to buttonhole Soft Linden for a chat, you might get somewhere.

(At the rate quantum computing is advancing now, we may have no viable encryption at all before SL goes 2FA. After that, I can't even imagine how difficult logging in to anything will be.)

[Shudo]

3 hours ago, Qie Niangao said:

If you ever get a chance to buttonhole Soft Linden for a chat, you might get somewhere

I have two collars in my inventory in anticipation for such events!

But, then, as the Lab staff can only use the Lab viewer I am never going to be able to chat for very long before either of the not-captured-as-they-dont-have-rlv bluenamed ones just teleport off chuckling, to make yellow snowballs engraved with my name, for next Christmas' events.

Edited March 27, 2019 by Shudo

[Alyona Su]

6 hours ago, Narugawanaisa Yumako said:

Why Linden? 2019 and we still don't have good account protection or two factor authentication, its a simple randomly generated code sent to a mobile, hell sign up for google authentication services and offer that.

Linden Labs has account issue's almost daily that they deal with, why not just add extra layers of security for users and fix everything with a simple feature.

Two-factor is unnecessary. How about you just use a really good password? I like to use family member names and dates with addresses like so: John.Doe!061087.831155W98765

If you start strong you stay strong. Your account security is your responsibility, not Linden Lab (or your Bank or any other secure anything you use) - oh, and consider this: do you use anything Google? Then your argument is an oxymoron of the most high. bahahahaha

[Coffee Pancake]

WIMPS!  3FA FTW

No.. but seriously, as much as this is a pain in the butt, an OPT IN android & apple app with deliberately low system requirements (supporting legacy devices) that could be used to authenticate a login on "new hardware / software combo" with account page option to flush all saved 2FA logins would be very welcome.

2FA does not require your phone number, but something SMS based as a optional fallback isn't a bad idea.

A "strong" password alone is not sufficient for something that is linked to your actual finances, and the vast majority not only have weak passwords, they have the same weak password / username / email combo for everything.

It's not a silly tech joke to suggest most passwords are some close variant of "Password1" .. if that was your password, contact me in world for help with a better one 😁

If you do nothing else but grumble in this thread, go to https://haveibeenpwned.com/ and put in your email addresses AND at the very very least, don't use your email password for anything else, EVER.

[Coffee Pancake]

36 minutes ago, Alyona Su said:

Two-factor is unnecessary. How about you just use a really good password? I like to use family member names and dates with addresses like so: John.Doe!061087.831155W98765

WRONG

All web services convert your STRONG password to a HASH and store that.

This is a HASH --->  9444202173dea67931888e6313d6cf6c

The weakness is that there may be different passwords that generate the same hash, aka a hash collision.

Take a weak hash and a decent gpu and a little time .. and substitute passwords can be generated easily.

 

[Alyona Su]

1 hour ago, CoffeeDujour said:

WRONG

All web services convert your STRONG password to a HASH and store that.

This is a HASH --->  9444202173dea67931888e6313d6cf6c

The weakness is that there may be different passwords that generate the same hash, aka a hash collision.

Take a weak hash and a decent gpu and a little time .. and substitute passwords can be generated easily.

 

1

Perhaps, but having the same password for multiple unrelated accounts is what happens anyway now, right? Because a password and login name together are way access the correct account.

I also should clarify the "not necessary" bit - I am meaning, toward the OP,  for *Second Life*. For your Bank? Absolutely!  LOL In short, my rhetoric is to say Second Life isn't *worth* the effort to implement by LL or use by most residents (because at it's most-basic construct, it is a video game (not literally, but you know what I mean)). And my comment about harping on security anything while using Google anything still stands as an oxymoron of the most high. ~snorts~

Edited March 27, 2019 by Alyona Su

[Coffee Pancake]

2 minutes ago, Alyona Su said:

Perhaps, but having the same password for multiple unrelated accounts is what happens anyway now, right? Because a password and login name together are way access the correct account.

You should have a different password for everything, and they should not contain anything with a standard format. No dictionary words, no dates, no 8 character and a number.

Use something like Keepass to store and generate passwords for you (chrome now has similar functionality built in). 

2 minutes ago, Alyona Su said:

I also should clarify the "not necessary" bit - I am meaning, toward the OP,  for *Second Life*. For your Bank? Absolutely!

SL is more often than not connect to your paypal which in turn goes to your bank. So yes. SL needs 2FA for exactly the reason you state.

 

 

[Alyona Su]

1 hour ago, CoffeeDujour said:

You should have a different password for everything, and they should not contain anything with a standard format. No dictionary words, no dates, no 8 character and a number.

My example was just that. I would use a different combination for each site. (I use LastPass with 14-digit generated passwords myself). And Chrome is the ultimate oxymoron (in my mind) LOL Your points aren't lost on me, in fact, I agree with you. But the two-factor authentication... how would that work, exactly IN SL? Here is what I mean:

You need your credentials to log into the grid. Two-factor there? You need your credentials to log into any of the many web sites - always, even if already logged into another LL property. Two-factor at each and every one of those? You need to *re-enter* your credentials for verification anytime you use the SL Exchange (and again if cashing out any credit) - two-factor there? I should think so, on THAT one.

But then: can they set-up two-factor authentication only for SL Exchange activities, but not the rest? Or - if two-factor authentication were applied across the board, to each and every one of those *separate* authentication processes it would become over-bearing. Even in those viewers still using the Web Profile (Catznip only for your own, at least) - and when I view my own profile I still have to login *again* even though I'm already live, in-world, on the viewer LOL (Yes, the rumor-mill says LL going back to "legacy" profiles, but I digress.)

So - my comments in this thread are not meant as general rule-of-thumb comments, but rather specific to Second Life and its properties and I've just demonstrated why, I believe, it would be a *LOT* of effort to implement by Linden Lab and a major pain in the backside, if not an outright back-lash by residents.

Edited March 27, 2019 by Alyona Su

[Shudo]

17 hours ago, CoffeeDujour said:

It's not a silly tech joke to suggest most passwords are some close variant of "Password1" .. if that was your password, contact me in world for help with a better one 😁

P@ssw0rd?

One unnamed large company I sometimes need to log into uses this as root password on an important server. SSH root enabled too.

Sigh.

Edited March 28, 2019 by Shudo

[Shudo]

8 hours ago, Alyona Su said:

Two-factor is unnecessary. How about you just use a really good password? I like to use family member names and dates with addresses like so: John.Doe!061087.831155W98765

Wasn't there discussion about the SL password being truncated at 8 characters a few months back? If my memory is correct in this, then even a 100 character password means nothing.

Your password is John.Doe, your hash is 25604070f3f546dd9a63d90e2bb6fabc

[Richardus Raymaker]

17 hours ago, CoffeeDujour said:

2FA does not require your phone number, but something SMS based as a optional fallback isn't a bad idea. 

And how do the send you a SMS without phone number ?

[Qie Niangao]

1 hour ago, Richardus Raymaker said:

And how do the send you a SMS without phone number ?

Sure, a phone number would be needed in the fallback scenario of using SMS, but that should be the least favored option in any 2FA set up today. It's still much more secure than no 2FA at all (and anyway it's not as if a phone number is still a useful secret for any purposes at all), but there are much better ways -- a timed authenticator app, for example.

[Candice LittleBoots]

So I have to buy a telephone to be able to access Second Life?

[Fionalein]

11 minutes ago, Candice LittleBoots said:

So I have to buy a telephone to be able to access Second Life?

Quitle likely - just keep in mind that most calls for 2FA come form a backward country that up to this day has not managed to introduce a national ID card  

[Qie Niangao]

20 hours ago, Candice LittleBoots said:

So I have to buy a telephone to be able to access Second Life?

It's painful to see the same misconceptions about 2FA coming up over and over. Does this happen everywhere, or is SL just "special" about it?

In almost every application 2FA is opt-in, and it certainly would be for SL. If you don't opt in, you're no worse off than you are now. If your L$ balance gets to be more than you're comfortable losing, or if your credit card is tied to your account and your credit limit is more than you'd care to lose, then you're already in pretty risky territory -- along with all the rest of us. That's why some of us who recognize this risk would appreciate an option to reduce it.

Once you've logged-in a device using 2FA, it will not be needed again on that device, or at least not until something changes (or is reset by you or the provider) to trigger a new authentication challenge.

Specifically to the question: Honestly, yes, anyone who doesn't have a smartphone of any kind at this point should drop whatever they're doing and get one. Get the cheapest prepaid plan unless/until there's need for more, but carry a phone. That's totally independent of whether 2FA is ever adopted. A smartphone is just table stakes for a modern life and such a valuable safety device that in this day and age it's almost irresponsible not to carry one (except for those in prison or other situations involving 24-hour supervision or while in a SCIF).

But as far as needing one to access a 2FA-capable Second Life, it's most likely that you could even opt-in to 2FA and use a non-phone-based authenticator (WinAuth for example), depending on the specific 2FA options the Lab would choose to support. Again, this would all be optional, but also again, none of this matters compared to the urgency of having a smartphone -- unless there's some overriding consideration, that would be the #1 priority for today.

[Fionalein]

1 hour ago, Qie Niangao said:

It's painful to see the same misconceptions about 2FA coming up over and over. Does this happen everywhere, or is SL just "special" about it?

The SL userbase is international, we usually have real personal data at risk in 2FA, not some throwaway US tokens.

1 hour ago, Qie Niangao said:

In almost every application 2FA is opt-in, and it certainly would be for SL.

Yeah, sure,  by now you should know the Lab better than that ....

[Qie Niangao]

2 hours ago, Fionalein said:

The SL userbase is international, we usually have real personal data at risk in 2FA, not some throwaway US tokens.

That's fine for you, but there are creators who carry balances representing a substantial share of their income, to say nothing of the linked credit card or merchant PayPal accounts. Granted, it's not quite as bad as a real bank account, but also the customer data that the Lab has on file could be used in real identity theft -- maybe not all by itself, but not only state actors are capable of fusing sources.

[sirhc DeSantis]

I gave up on this after being told it is my civic duty to have a tracker phone ( hi Qie if you can read this on what planet you live on) but IFF it is opt in - whatever. Opt out - dubious. Obligatory? Nope and another premium lost, ah well sobeit.

Better basic security? Nuke Log in with saved password ( across viewers ) - I mean. What moron does that.