
Two Factor Authentication (2FA)


You are about to reply to a thread that has been inactive for 1136 days.

Please take a moment to consider if this thread is worth bumping.


To help keep Reed Linden's thread (Buy Fee Change Discussion) on the rails, thought I'd put up a separate one for the 2FA concerns.

2 hours ago, Reed Linden said:

For me personally, I'm super excited to be working on Two Factor Authentication this year, and some updates to our web account management to give you all more options to interact with your in-world avatar/region/etc from the web. 
 

Although Reed mentioned in the other thread that the new 2FA would probably be an opt-in and non-intrusive as possible, there are some of us that lack smart phones or only have old school phones.

Here's my take. The issue would be if the top brass of LL decided to make it mandatory, like some MMORPGs have. I gave up one of those games when they went to that option. First was opt-in, then became mandatory.  Although I rarely play in SL, I don't want to have to worry about that if I decide to return. Also  a friend has heavily invested in running a live music club (She took it over from me) and doesn't read the mboards.

Edited by Kimmi Zehetbauer
Can't spell.
  • Thanks 2

25 minutes ago, Kimmi Zehetbauer said:

there are some of us that lack smart phones or only have old school phones.

For all of my financial related websites, I have the option of getting a text to my phone, getting an email sent to me, or even getting a robot call to my phone.  Hopefully, even with opt-in, LL allows for all of those options.

I would like to see 2FA mandatory for buying L$ if it will pull money from my payment method, but not necessarily mandatory if it is just pulling money from my USD balance.  I already have to re-enter my password to buy L$.

I would like to be able to opt-in for login to my Dashboard.  

I don't think I'd want it enabled at all for login via the viewer.

I'm still up in the air on how I feel about MP purchases -- but then again, I never do MP purchases from inworld.

Edited by LittleMe Jewell
  • Like 2
  • Sad 1

2FA is sorely needed and I'm very glad to hear it is in the works. My hope is that one of the options will be software 2FA (such as Google authenticator app or other similar option) or even better linking to a physical key. Text message or email as two step is not as secure. (Though still better than none.)

 

Edited by Bitterthorn
Typo
  • Like 3
  • Thanks 1
  • Sad 2

4 hours ago, LittleMe Jewell said:

I don't think I'd want it enabled at all for login via the viewer.

I think I would. Assuming it's optional, I think I'd enable it, so it needed more than a password the first time it's used on a different machine. I don't change PCs that often, and I'd kinda like to know if suddenly my account were being used from somewhere new.

On the other hand, if I've authenticated my account for something on a machine, it ought to stay authenticated on that machine for other stuff. So, Multi-Factor Authentication + Single Sign On that works.

(Technically, SMS text messaging isn't secure enough for anything financial, but maybe it's still better than nothing as an additional factor, I really don't know.)


1 minute ago, Qie Niangao said:

I think I would. Assuming it's optional, I think I'd enable it, so it needed more than a password the first time it's used on a different machine. I don't change PCs that often, and I'd kinda like to know if suddenly my account were being used from somewhere new.

On the other hand, if I've authenticated my account for something on a machine, it ought to stay authenticated on that machine for other stuff. So, Multi-Factor Authentication + Single Sign On that works.

 

I could handle that for viewer login.  I just wouldn't want to enable it for the viewer and then have to use it for EVERY FREAKIN LOGIN

  • Like 3

1 hour ago, Bitterthorn said:

2FA is sorely needed and I'm very glad to hear it is in the works. My hope is that one of the options will be software 2FA (such as Google authenticator app or other similar option) or even better linking to a physical key. Text message or email as two step is not as secure. (Though still better than none.)

 

If they are dead set on adding in 2FA I seriously hope that if they offer options for it (and do stick to making it opt-in) that they either avoid a physical key like the plague or have it as yet another option to use on top of SMS, E-Mail and an Application.

I cannot stress that enough. I also cannot stress enough that the software route needs to be as broad a set of potential systems as possible.

  • Like 1

The only way I'd mind it is if it was a cell phone code only as I do not text, explaining my extreme far-sightedness in the other thread which makes it difficult for me to see things up close - so I do not text at all period.  My phone is mostly for 911 emergency calls.  Otherwise, I message my family and friends through FB.  There needs to be more than just one way to receive the code to put in is what I am saying.  There needs to be both a code for cell phone OR email with a choice to choose one or the other otherwise it's discriminatory against those with a visual handicap.

Edited by FairreLilette
  • Like 1

8 hours ago, Bitterthorn said:

2FA is sorely needed and I'm very glad to hear it is in the works. My hope is that one of the options will be software 2FA (such as Google authenticator app or other similar option) or even better linking to a physical key. Text message or email as two step is not as secure. (Though still better than none.)

 

Hopefully it's only an option or many may get knocked out.  SL did fine for almost 2 decades without it.

  • Like 2
  • Thanks 2

2FA is awesome for important info. I find it horrible when it comes to paying bills. If somebody wants to login to my electric bill and view my usage and pay my bill, by all means, please do. 

Seriously. I wish that they would use 2FA smarter. Have an account for accessing important info that is 2FA enabled, but FFS, allow me an alternative to easily login to pay my bill or setup my CC from wherever I am by whomever I am asking to pay the bill. XD

  • Haha 1

18 hours ago, FairreLilette said:

The only way I'd mind it is if it was a cell phone code only as I do not text, explaining my extreme far-sightedness in the other thread which makes it difficult for me to see things up close - so I do not text at all period.  My phone is mostly for 911 emergency calls.  Otherwise, I message my family and friends through FB.  There needs to be more than just one way to receive the code to put in is what I am saying.  There needs to be both a code for cell phone OR email with a choice to choose one or the other otherwise it's discriminatory against those with a visual handicap.

1) You can correct it with glasses or contact lenses...

2) Every smartphone allows you to change the font/UI size

3) Android/iOS can even read you the message.

There's no discrimination. 

  • Haha 3

41 minutes ago, Ati Thei said:

1) You can correct it with glasses or contact lenses...

2) Every smartphone allows you to change the font/UI size

3) Android/iOS can even read you the message.

There's no discrimination. 

1)  I'm at a 6+ prescription magnification eyeglasses now and need new eyeglasses now plus use enlarged font on my computer, so I need about a +11 to +12 magnification to work on things that are close-up I am so far-sighted with the far-sightedness of a hawk probably, making my near vision horrid.  There is no way I can see a small device, so me and my family set up another way.  We already tried and we are not going to go out and spend money on a smartphone when we can message with no added costs back and forth on FB.  I would never use a cell phone for the internet as it's way too small so it's quite an expense just to have to receive a code message.

Edited by FairreLilette
  • Like 1

2 hours ago, Doris Johnsky said:

I can see 2FA for money exchanging, but to the viewer? What possible reason would there be to complicate things more than they are? Yes I've heard people have been hacked, although I've never met anyone who WAS hacked in 11 years. 

Personally I'd be most concerned about in-world transfer of my "banker" alt's account, compounded with the ability to buy L$ in the viewer. I might not notice for weeks and the transfer would be long past traceable in seconds. Land theft would be annoying but presumably easier to detect and trace. Some people would worry about loss of IP (including scripts) and crypto "secrets" inside private closed-source scripts. Might be others.

As long as it stays opt-in, though, what's the downside?

As I mentioned above, I'd prefer that a 2FA sign-on on any SL site remain valid everywhere, including the viewer. Maybe that kind of single sign-on is asking a lot for third-party viewers, though, I don't know.

  • Sad 1

20 hours ago, Qie Niangao said:

I think I would. Assuming it's optional, I think I'd enable it, so it needed more than a password the first time it's used on a different machine. I don't change PCs that often, and I'd kinda like to know if suddenly my account were being used from somewhere new.

On the other hand, if I've authenticated my account for something on a machine, it ought to stay authenticated on that machine for other stuff. So, Multi-Factor Authentication + Single Sign On that works.

(Technically, SMS text messaging isn't secure enough for anything financial, but maybe it's still better than nothing as an additional factor, I really don't know.)

I'd second this. I'd like to be able to have 2FA protecting my account in its entirety, not just on web properties. It definitely should be optional though, as I appreciate it's not for everyone.

  • Like 2
  • Sad 1

35 minutes ago, FairreLilette said:

1)  I'm at a 6+ prescription magnification eyeglasses now and need new eyeglasses now plus use enlarged font on my computer, so I need about a +11 to +12 magnification to work on things that are close-up I am so far-sighted with the far-sightedness of a hawk probably, making my near vision horrid.  There is no way I can see a small device, so me and my family set up another way.  We already tried and we are not going to go out and spend money on a smartphone when we can message with no added costs back and forth on FB.  I would never use a cell phone for the internet as it's way too small so it's quite an expense just to have to receive a code message.

Wow. Pray for cataracts, so you can get nice new artificial lenses. If you're among those who can fuse images with "monovision" so one eye can have perfect near vision and the other perfect distant vision, you'll never again need glasses for anything. And each surgery takes just a few seconds to perform, it's amazing.

I agree it's not worth getting a smartphone just for this, but it's very unlikely they'd pick an authentication method that doesn't have a desktop app as well as smartphone. In general, though, a smartphone doesn't need to be a big investment, especially if you only need wifi connectivity. I have a couple old phones with no sim cards at all, that I can still use for Google Voice calling and all the data I could want on open wifi networks. A long way from 5G, but I'd feel really helpless without some sort of smartphone in my pocket.

Edited by Qie Niangao
  • Like 1
  • Haha 1

18 minutes ago, Qie Niangao said:

Wow. Pray for cataracts, so you can get nice new artificial lenses. If you're among those who can fuse images with "monovision" so one eye can have perfect near vision and the other perfect distant vision, you'll never again need glasses for anything. And each surgery takes just a few seconds to perform, it's amazing.

I don't want to have surgery if you are speaking about Lasik correction or something.  And, I don't believe anyone should pray for cataracts as I had a family member who did not do too well with them and the surgery.

I said my piece about my situation and a phone code.  It's not for others to decide options for me or what I should pay in needing a device that's too small to be of any real use to me so I can get a phone code.  I'd like a 27" screen monitor, personally.  That's what I need.

Edited by FairreLilette
  • Like 4

1 hour ago, Kathrine Jansma said:

Some people own no mobile phone at all.

This is discrimination also.  If 2FA has an option to snail mail the code also then there is no discrimination.  Companies want so few employees though and artificial intelligence raises the profits creating profits to proportions pre-Covid never before seen due to not having to have so many employees.  But, with certain handicaps or incomes, there needs to be an alternative other than just the thought of cell phone.

Edited by JanuarySwan
  • Confused 1

6 minutes ago, Solar Legion said:

.... Snail Mail is standard, non-electronic post. You know, the stuff that can take a few days - at minimum - to arrive, depending on what is sent, where it is sent from and where it is going.

Well, sometimes that happens.  Debit cards, credit cards are sent snail mail...some things are worth waiting for especially since this is an opt-in supposedly.  


6 minutes ago, JanuarySwan said:

Well, sometimes that happens.  Debit cards, credit cards are sent snail mail...some things are worth waiting for especially since this is an opt-in supposedly.  

No, it doesn't.

A Validation Code (and similar) is not the same thing as the tokens used in the types of Two-Factor Authentication systems being discussed. At all.

Things like this are what this thread is discussing in terms of applications. Ditto the E-Mailed/SMSed codes.

Do not conflate 2FA systems with One Time/Validation/etc Code systems.

ETA: There are far more things to worry over if one does not even have a throwaway e-mail address these days than a 2FA Code (for anything).

This, coming from someone who has been against the idea of 2FA seemingly creeping into more and more systems.

Edited by Solar Legion
  • Like 1

2 hours ago, Kathrine Jansma said:

Some people own no mobile phone at all.

If 2FA is done the way I outlined in my previous post, you don't need a phone.  You can install an authenticator on your PC such as WinAuth and use that instead.  There are equivalent programs for all operating systems. No SMS or email necessary.

Edited by Gabriele Graves
  • Like 2
  • Confused 1
  • Sad 1