
21 minutes ago, sirhc DeSantis said:

Nuke Log in with saved password ( across viewers ) - I mean. What moron does that.

..raises both hands and flails them about!

Mind you I live alone, my Mac is password protected, sleeps after one minute of inactivity, requires the password when waking, and my sugar momma account (the only one with PIOF) isn't in the list of saved passwords.

5 hours ago, sirhc DeSantis said:

I gave up on this after being told it is my civic duty to have a tracker phone ( hi Qie if you can read this on what planet you live on)

Same planet. It's a question of millennium.

I can't get my head around the idea that the null set doesn't describe the intersection of SL users and those not carrying a smartphone. Who are these people? And whoever they are, how could they, of all people, not appreciate the drive for improved account security?

6 hours ago, Qie Niangao said:

I can't get my head around the idea that the null set doesn't describe the intersection of SL users and those not carrying a smartphone. 

Calling folks Luddites who do not live in the weird paradigm of the only country that counts as well as industrialized and third world sounds .... arrogant. Smartphones are mostly useless toys that just waste way too much energy in both production and use... those little "Throw away after a year" gizmos have children's blood on them - why should I support that crap without a need just to support my own vanity? In case you wonder who on the Forums does not own one - I for example don't.

Edited by Fionalein
  • Like 2


Those positions would all be defensible from an off-the-grid yurt. But from Second Life users? Of all the uses of energy and exploitations of unsavory materials and labor practices in the manufacture of technology (routers, servers, power distribution, etc., etc.), gaming and entertainment must be the hardest to justify. And yet here we are.


I'd only make 2FA an option. I've only recently heard about something coming along that's been in the works. It's called FIDO2/WebAuthn. Looks like something worth keeping an eye on. It's not just something you use for SL but any sites and even your own OS desktop. There's also an NFC small range swipe verification method.

"FIDO2 is an extension of FIDO U2F, and offers the same level of high-security based on public key cryptography. FIDO2 offers expanded authentication options including strong single factor (passwordless), strong two factor, and multi-factor authentication. With these new capabilities, the YubiKey can entirely replace weak static username/password credentials with strong hardware-backed public/private-key credentials. These credentials cannot be reused, replayed, or shared across services, and are not subject to phishing and MiTM attacks or server breaches."

https://www.yubico.com/solutions/fido2/

Don't want to buy a Yubico? You can make your own with an open source option.

https://github.com/solokeys/solo


Ask yourself this, what happens if your phone suddenly gets broken/lost/stolen?

I used 2FA before, but ever since a few years ago when my phone died and I had massive headaches to get back all my stuff that was protected with it, never again.

  • Like 3

On 3/27/2019 at 4:34 AM, ThorinII said:

By the way, I just checked the password I'm using for my SL account on that site:

So why would I need a second authentication?

I would advise against typing your password into any field asking to see how secure it is. It seems akin to mailing a hundred dollar bill to Frank's Banks which promises to tell you whether or not it's counterfeit and promises it won't use your cash on the internet.

  • Like 3


There's no reason to not have it as optional. Many other games and sites online have optional 2FA. It's a very successful way to keep people's accounts secure from the most common of attacks. People logging in from anything other than where you normally log in. Even if you fall for a keylogger style attack on your own PC and they get your password, they can't login from where they are without also having access to your phone.

I don't really know how many people are actually trying to steal SL accounts anyway, but again, no reason to not have it as optional.

  • Like 3


Barring two factor authentication, a great deal of added security could be had if your account log in was separate from your user name and couldn't be looked up by anyone other than LL. It would prevent account spoofing and a lot of phishing attacks since there'd be no way to spoof the actual account log-in name. Keep the unchangeable user name and the changeable display name, just don't use those to log in with and make it so there was no reverse lookup possible other than by LL. That way, even if somebody found out your inworld user name and password, it still wouldn't do them any good.


None of you guys have noticed that a lot of sites have an option to send codes to your e-mail as well, not just phones so phones would not be required if the option to send the code to your e-mail and it only needs to be done one time as you select to remember this device.

  • Haha 1


What I find most worrying is that people are actually arguing against this and speaking like they think it would be a mandatory feature. Especially when SL is a platform where you can cash out real money. There are many incentives to steal accounts, whether to drain the lindens or sell the account forward (especially old ones). I don't even want to try guessing how much money my main account has spent along with its history (items/friendships), and I can't even protect it beyond one password? (Your username could be considered a second password, but not on SL where everybody knows it.)

It's not even about me being dumb and using a simple password or clicking on a phishing link. What if LL's database is compromised and my password/hash gets leaked? (Like the 660K passwords leaked in 2006!) I can't protect myself from that. It wouldn't be a problem if I had 2FA where knowing my username/password isn't enough.

On 4/30/2019 at 9:54 PM, Dean Haystack said:

I used 2FA before, but ever since a few years ago when my phone died and I had massive headaches to get back all my stuff that was protected with it, never again.

This would actually suck, yeah, but the potential of that happening is a small price for some to pay, when they could easily stand to lose a lot more than a temporary inconvenience.

On 3/27/2019 at 4:10 PM, Alyona Su said:

Your account security is your responsibility, not Linden Lab

...What? Of course it's the responsibility of the platform to keep your credentials secure and private! You obviously can't hold them accountable for you giving away your password (knowingly or not), but they are also legally obliged to protect your data. While 2FA isn't something they're obligated to give, it's a pretty dang simple thing to add as an option and it would be a really tough new layer of security. (And again, giving you more/better tools to help secure your own account.)

Edited by Wulfie Reanimator
  • Like 2

18 hours ago, Liffento Eldritch said:

None of you guys have noticed that a lot of sites have an option to send codes to your e-mail as well, not just phones so phones would not be required if the option to send the code to your e-mail and it only needs to be done one time as you select to remember this device.

Yeah let's not get into this one. The phone/SMS is fine; email, no, that's purely a gimmick I wish would die. I'd rather none of the information be in any email sent to me. If the service gets compromised and my backup code or active code in email is in there during it and the system will let it be used, because email 2FA typically does not time out, unless the company is smart and VERY few are smart enough to make them time out. Yeah pass on this idea. Sticking with my phone/backup phone for auth is fine.


I'd be happy if they'd separate the log in name/password entirely from your user/display name. There is absolutely no excuse having half the information you need to log in with be in world viewable by anyone. Link the in world user name to the login name so people always know who they are dealing with, but they shouldn't be the same. This change alone would likely stop most phishing attacks.

  • Like 2


I always thought that not having (optional) multi-factor authentication was kind of grossly negligent. 🙊

There are good reasons to have multi-factor. Check these facts:

  • payment info is required for uploading mesh models
  • payment info can be used to purchase L$ currency
  • L$ currency can be traded for US$
  • US$ credit can be processed to PayPal or Skrill

<dramatization> So, as a creator I need to have my payment info on file (correct me if I'm wrong) to upload my mesh models. I could use a different account to upload my mesh, but then this account would already be known due to it being the creator, so it is known where my payment info lives. The creations I sell for spacebux, which I trade for freedom dollars to buy breadies, meaning if anyone brute-forced themselves into ZEN garden, they could swap out the payment info and process my breadies to their PayPal or Skrill account. </dramatization>

However, there may be hope?

After all, the fees for processing credit recently increased by 100% of their previous rate, maybe soon there is enough of a budget to finance the development for implementing such exotic security feats as MFA? 🤔

Personally, I'd like to see the TILIA INC. AUTHENTICATOR APP so people can authenticate with their RL mugs by staring into iPhone. SL users would love that! 👍

25 minutes ago, Wendy Starfall said:

 Personally, I'd like to see the TILIA INC. AUTHENTICATOR APP so people can authenticate with their RL mugs by staring into iPhone. SL users would love that! 👍

Only the voice verification fetishists would like that ;)

Edited by Fionalein
  • Like 1
  • Thanks 1

3 hours ago, Wendy Starfall said:

TILIA INC.

I just realized the irony of all those Tilia threads full of self-proclaimed privacy advocates, yet some of the same posters argue on this thread that none of us may ever use 2FA to secure our SL login credentials lest it lead to smartphone use -- the gateway drug to CARD PLAYING, DANCE PARLOURS, and POOL HALLS.

  • Haha 2
  • Confused 1

12 hours ago, Fionalein said:

Only the voice verification fetishists would like that ;)

You going to get my front-facing camera fixed? Back one works, but that's awkward to hold.
