How is Two Factor not on SL?


You are about to reply to a thread that has been inactive for 1210 days.

Please take a moment to consider if this thread is worth bumping.

21 minutes ago, sirhc DeSantis said:

Nuke Log in with saved password ( across viewers ) - I mean. What moron does that.

..raises both hands and flails them about!

Mind you I live alone, my Mac is password protected, sleeps after one minute of inactivity, requires the password when waking, and my sugar momma account (the only one with PIOF) isn't in the list of saved passwords.

Link to comment
Share on other sites

5 hours ago, sirhc DeSantis said:

I gave up on this after being told it is my civic duty to have a tracker phone ( hi Qie if you can read this on what planet you live on)

Same planet. It's a question of millennium.

I can't get my head around the idea that the null set doesn't describe the intersection of SL users and those not carrying a smartphone. Who are these people? and whoever they are, how could they, of all people, not appreciate the drive for improved account security?

Link to comment
Share on other sites

6 hours ago, Qie Niangao said:

I can't get my head around the idea that the null set doesn't describe the intersection of SL users and those not carrying a smartphone. 

Calling folks Luddites who do not live in the weird paradigm of the only country that counts as well as industrialized and third world sounds .... arrogant. Smartphones are mostly useless toys that just waste way too much energy in both production and use... those little "Throw away after a year" gizmos have children's blood on them - why should I support that crap without a need just to support my own vanity? In case you wonder who on the Forums does not own one - I for example don't.

Edited by Fionalein
  • Like 3
Link to comment
Share on other sites

Those positions would all be defensible from an off-the-grid yurt. But from Second Life users? Of all the uses of energy and exploitations of unsavory materials and labor practices in the manufacture of technology (routers, servers, power distribution, etc., etc.), gaming and entertainment must be the hardest to justify. And yet here we are.

Link to comment
Share on other sites

I'd only make 2FA an option. I've only recently heard about something coming along that's been in the works. It's called FIDO2/WebAuthn. Looks like something worth keeping an eye on. It's not just something you use for SL but any sites and even your own OS desktop. There's also an NFC small range swipe verification method.

"FIDO2 is an extension of FIDO U2F, and offers the same level of high-security based on public key cryptography. FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. With these new capabilities, the YubiKey can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks or server breaches."

https://www.yubico.com/solutions/fido2/

Don't want to buy a Yubico? You can make your own with an open source option.

https://github.com/solokeys/solo

Link to comment
Share on other sites

  • 1 month later...
  • 4 weeks later...
On 3/27/2019 at 4:34 AM, ThorinII said:

By the way, I just checked the password I'm using for my SL account on that site:

So why would I need a second authentication?

I would advise against typing your password into any field asking to see how secure it is. It seems akin to mailing a hundred dollar bill to Frank's Banks which promises to tell you whether or not it's counterfeit and promises it won't use your cash on the internet.

  • Like 3
  • Haha 1
Link to comment
Share on other sites

There's no reason to not have it as optional. Many other games and sites online have optional 2FA. It's a very successful way to keep people's accounts secure from the most common of attacks. People logging in from anything other than where you normally log in. Even if you fall for a keylogger style attack on your own PC and they get your password, they can't log in from where they are without also having access to your phone.

I don't really know how many people are actually trying to steal SL accounts anyway, but again, no reason to not have it as optional.

  • Like 3
Link to comment
Share on other sites

Barring two factor authentication, a great deal of added security could be had if your account log in was separate from your user name and couldn't be looked up by anyone other than LL. It would prevent account spoofing and a lot of phishing attacks since there'd be no way to spoof the actual account log-in name. Keep the unchangeable user name and the changeable display name, just don't use those to log in with and make it so there was no reverse lookup possible other than by LL. That way, even if somebody found out your inworld user name and password, it still wouldn't do them any good.

Link to comment
Share on other sites

  • 3 weeks later...

What I find most worrying is that people are actually arguing against this and speaking like they think it would be a mandatory feature. Especially when SL is a platform where you can cash out real money. There are many incentives to steal accounts, whether to drain the lindens or sell the account forward (especially old ones). I don't even want to try guessing how much money my main account has spent along with its history (items/friendships), and I can't even protect it beyond one password? (Your username could be considered a second password, but not on SL where everybody knows it.)

It's not even about me being dumb and using a simple password or clicking on a phishing link. What if LL's database is compromised and my password/hash gets leaked? (Like the 660K passwords leaked in 2006!) I can't protect myself from that. It wouldn't be a problem if I had 2FA where knowing my username/password isn't enough.

On 4/30/2019 at 9:54 PM, Dean Haystack said:

I used 2FA before, but ever since a few years ago when my phone died and I had massive headaches to get back all my stuff that was protected with it, never again.

This would actually suck, yeah, but the potential of that happening is a small price for some to pay, when they could easily stand to lose a lot more than a temporary inconvenience.

On 3/27/2019 at 4:10 PM, Alyona Su said:

Your account security is your responsibility, not Linden Lab

...What? Of course it's the responsibility of the platform to keep your credentials secure and private! You obviously can't hold them accountable for you giving away your password (knowingly or not), but they are also legally obliged to protect your data. While 2FA isn't something they're obligated to give, it's a pretty dang simple thing to add as an option and it would be a really tough new layer of security. (And again, giving you more/better tools to help secure your own account.)

Edited by Wulfie Reanimator
  • Like 3
  • Thanks 1
Link to comment
Share on other sites

18 hours ago, Liffento Eldritch said:

None of you guys have noticed that a lot of sites have an option to send codes to your e-mail as well, not just phones, so phones would not be required if the option to send the code to your e-mail and it only needs to be done one time as you select to remember this device.

Yeah, let's not get into this one. The phone/SMS is fine; email, no, that's purely a gimmick I wish would die. I'd rather none of the information be in any email sent to me. If the service gets compromised and my backup code or active code in email is in there during it and the system will let it be used, because email 2FA typically does not time out, unless the company is smart and VERY few are smart enough to make them time out. Yeah, pass on this idea. Sticking with my phone/backup phone for auth is fine.

  • Thanks 1
Link to comment
Share on other sites

  • 2 weeks later...

I'd be happy if they'd separate the log in name/password entirely from your user/display name. There is absolutely no excuse having half the information you need to log in with be in world viewable by anyone. Link the in world user name to the login name so people always know who they are dealing with, but they shouldn't be the same. This change alone would likely stop most phishing attacks.

  • Like 2
  • Thanks 1
Link to comment
Share on other sites

I always thought that not having (optional) multi-factor authentication was kind of grossly negligent. 🙊

There are good reasons to have multi-factor. Check these facts:

  • payment info is required for uploading mesh models
  • payment info can be used to purchase L$ currency
  • L$ currency can be traded for US$
  • US$ credit can be processed to PayPal or Skrill

<dramatization> So, as a creator I need to have my payment info on file (correct me if I'm wrong) to upload my mesh models. I could use a different account to upload my mesh, but then this account would already be known due to it being the creator, so it is known where my payment info lives. The creations I sell for spacebux, which I trade for freedom dollars to buy breadies, meaning if anyone brute-forced themselves into ZEN garden, they could swap out the payment info and process my breadies to their PayPal or Skrill account. </dramatization>

However, there may be hope?

After all, the fees for processing credit recently increased by 100% of their previous rate, maybe soon there is enough of a budget to finance the development for implementing such exotic security feats as MFA? 🤔

Personally, I'd like to see the TILIA INC. AUTHENTICATOR APP so people can authenticate with their RL mugs by staring into iPhone. SL users would love that! 👍

Link to comment
Share on other sites

25 minutes ago, Wendy Starfall said:

 Personally, I'd like to see the TILIA INC. AUTHENTICATOR APP so people can authenticate with their RL mugs by staring into iPhone. SL users would love that! 👍

Only the voice verification fetishists would like that ;)

 

 

Edited by Fionalein
  • Like 1
  • Thanks 1
Link to comment
Share on other sites

3 hours ago, Wendy Starfall said:

TILIA INC.

I just realized the irony of all those Tilia threads full of self-proclaimed privacy advocates, yet some of the same posters argue on this thread that none of us may ever use 2FA to secure our SL login credentials lest it lead to smartphone use -- the gateway drug to CARD PLAYING, DANCE PARLOURS, and POOL HALLS.

  • Haha 2
  • Confused 1
Link to comment
Share on other sites

  • 6 months later...
  • 3 months later...
On 3/27/2019 at 1:21 AM, Candice LittleBoots said:

The thing is .. I DO NOT WANT 2 factor authentication. I despise it. It is impractical. I do not want to need my mobile telephone to log into SL.

However, having a user log in name that is not our actual avatar name would be beneficial, as then not one of the two criteria required to currently log in is known to others.

Regarding passwords I, for one, am capable of making a usable password which would take a computer about 2 trillion years to crack   https://howsecureismypassword.net/

 

 

1. Two-Factor is optional on most websites that use it. So if you don't like it or don't want to protect your account, then don't enable it.

2. It doesn't matter how strong or complicated you make your password, the majority of lost accounts are done not by someone brute-forcing a password (aka, using a computer or inputting random passwords), rather it's through hacks where your account data, such as your username along with your password is stolen directly from Linden Lab's servers or stolen through hidden malware/key loggers or man-in-the-middle attacks. So regardless if your password was 100 characters long, contained random capitals and lower case letters, numbers, symbols, etc.. all the person who stole your account info would need to do is simply copy and paste it.

Number 2 is the #1 reason for two-factor authentication. Regardless if a hacker stole your password, it is useless as they won't be able to pass the two-factor authentication step, and if you get a text with a code at a time when you didn't attempt to log in, it lets you immediately know your account info is compromised and/or someone is attempting to steal your account, so then you can change your password, etc.


Personally, I own land in SL, I receive lots of rent and tier payments. Personally I would love to have the peace of mind of having a two-factor authentication option for Second Life as it would be added protection from someone stealing my account info and stealing the hundreds or thousands of dollars worth of lindens off my account.

  • Like 1
Link to comment
Share on other sites

On 3/29/2019 at 7:08 AM, Qie Niangao said:

It's painful to see the same misconceptions about 2FA coming up over and over. Does this happen everywhere, or is SL just "special" about it?

In almost every application 2FA is opt-in, and it certainly would be for SL....

It starts that way, and then some moron like the UK's Banking Regulator makes it mandatory.

Link to comment
Share on other sites

On 2/5/2020 at 10:53 PM, Alyona Su said:

My alt is at Web Group Linden meeting right now, just thought I'd mention that it is said that 2FA is on the roadmap and among the things being worked on, though no e.t.a.

Let's just hope it's Soon(tm).

Link to comment
Share on other sites

I see no need for 2FA within SL. Yes some accounts get "hacked" but that is more down to the users themselves divulging their account details via phishing.

I am pretty sure that LL like all other companies have weighed up the pros and cons. Sometimes it's just too much hassle for all concerned to introduce 2FA when the actual number of account issues are minuscule compared to the number of active accounts. Also this would probably break the entire bot system - which might not be a bad thing come to think of it.

I have 2FA on several sites and services. My own bank does not provide 2FA and has no intention of doing so based on the data they have as it would introduce more problems than it solved and I agree with them on that point (they do have password and then random passphrase security though).

2FA is not the cure all - sometimes it actually makes things worse (when people lose access to the token generator etc).

Edited by Jet Dallas
Link to comment
Share on other sites

7 hours ago, Anna Nova said:

It starts that way, and then some moron like the UK's Banking Regulator makes it mandatory.

To be fair, there's a bit of a difference between mommy's Facebook and your actual financial safety-net.

My bank has had mandatory two-factor authentication for as long as I've been alive, in the form of a physical "number card" with like 300 number-pairs, from which the bank asks you to fill in a specific number. Only recently they added a mobile option which is less of a hassle.

6 hours ago, Jet Dallas said:

I see no need for 2FA within SL. Yes some accounts get "hacked" but that is more down to the users themselves divulging their account details via phishing.

I am pretty sure that LL like all other companies have weighed up the pros and cons. Sometimes it's just too much hassle for all concerned to introduce 2FA when the actual number of account issues are minuscule compared to the number of active accounts.

2FA as an option is the modern standard for good reasons. With 2FA I could give you my password and you still couldn't log in.

People are dumb. You can always exploit people, but 2FA makes it just a little bit harder for those who want it. Do you even have stats to back up the "minuscule" rates, or is it just one of those "it hasn't happened to me or my friends or I never hear about it" things?

People don't generally steal accounts to keep them, because they know they can't. They steal them for the money and leave. Some might temporarily use the account for something like spamming, or trying to resell the account, but I would imagine those are less common because spamming is easier with new accounts and reselling can't be that profitable since LL will lock the account anyway.

Edited by Wulfie Reanimator
Link to comment
Share on other sites

  • 7 months later...

Heyos, I have watched a Lab Gab series from April or so. They said it's close to being implemented. I still do not see the ability to protect the account further than with a single password, yet I am required to hand out all my info to Tilia. The priorities are kinda obvious on LL's end.

 

Is there any news regarding a user benefit with two factor authentication?

Link to comment
Share on other sites
