JanuarySwan Posted April 17, 2021 (edited)
Lost my post.
JanuarySwan Posted April 17, 2021 (edited)
24 minutes ago, Solar Legion said:
No, it doesn't. A Validation Code (and similar) is not the same thing as the tokens used in the types of Two-Factor Authentication systems being discussed. At all. Things like this are what this thread is discussing in terms of applications. Ditto the E-Mailed/SMSed codes. Do not conflate 2FA systems with One Time/Validation/etc Code systems. ETA: There are far more things to worry over if one does not even have a throwaway e-mail address these days than a 2FA Code (for anything). This, coming from someone who has been against the idea of 2FA seemingly creeping into more and more systems.

I wasn't saying it did... but more could it... and even more to the point... that it needs options is all, and what are those possible options. And, if it gives us more security, I'm not sure why you would be against it. Then perhaps you don't like the way it currently is... so what is better but also has options for those who do not have a cell phone? I don't see why it couldn't be set with one's own phone keypad like a bank PIN number? I've had sites send me a text message but they never gave me an email option also, which is why I'm asking.
Solar Legion Posted April 18, 2021
7 minutes ago, JanuarySwan said:
I wasn't saying it did... but more could it... and even more to the point... that it needs options is all, and what are those possible options. And, if it gives us more security, I'm not sure why you would be against it. Then perhaps you don't like the way it currently is... so what is better but also has options for those who do not have a cell phone? I don't see why it couldn't be set with one's own phone keypad like a bank PIN number? I've had sites send me a text message but they never gave me an email option also, which is why I'm asking.

It could not. The code type precludes the code being valid for such a length of time (well, aside from the fact that we're talking about a code that would be asked for more than once, even if you did tell it to remember the device; see Amazon's implementation as well as most password storing systems, among others). If you mean a traditional telephone keypad... Again, no. Wholly different system. There is a reason I linked to Authy. Look at it. Some banks use text, phone call and/or e-mail as code options.

As for why I'd be against it? Do note the way I phrased that, "creep", and you'll have some idea as to why. It simply is not needed for all and sundry, nor do some of the things people push to have it alongside merit such measures. Your actual Bank/PayPal accounts, some game accounts, a person's Steam account... There are a fair few examples out there of accounts that should be secured by 2FA. They're actual, serious targets.
JanuarySwan Posted April 18, 2021 (edited)
17 minutes ago, Solar Legion said:
Some banks use text, phone call and/or e-mail as code options.

Mine has voice recognition now too.

17 minutes ago, Solar Legion said:
There is a reason I linked to Authy. Look at it.

Okay. There are some of us who do know others who do not have cell phones in their life. But, I will look at that. I'm not up to speed really as to what this 2FA is. Some sites were getting lazy about sending email codes and were only sending text for a while, and that is irksome to do, as the world is not only one way. Thanks for your time.
Kimmi Zehetbauer (Author) Posted April 18, 2021
5 hours ago, Ati Thei said:
2) Every smartphone allows you to change the font/UI size
3) Android/iOS can even read you the message. There's no discrimination.

Not everyone has a smart phone or wants one.
Kimmi Zehetbauer (Author) Posted April 18, 2021
4 hours ago, Qie Niangao said:
Wow. Pray for cataracts, so you can get nice new artificial lenses. If you're among those who can fuse images with "monovision" so one eye can have perfect near vision and the other perfect distant vision, you'll never again need glasses for anything. And each surgery takes just a few seconds to perform, it's amazing. I agree it's not worth getting a smartphone just for this, but it's very unlikely they'd pick an authentication method that doesn't have a desktop app as well as a smartphone one. In general, though, a smartphone doesn't need to be a big investment, especially if you only need wifi connectivity. I have a couple of old phones with no SIM cards at all, that I can still use for Google Voice calling and all the data I could want on open wifi networks. A long way from 5G, but I'd feel really helpless without some sort of smartphone in my pocket.

My man had cataract surgery and opted for long-distance lenses --- he loves not wearing glasses!
Gabriele Graves Posted April 18, 2021 (edited)
Nvm, redundant post.
LittleMe Jewell Posted April 18, 2021
3 hours ago, Solar Legion said:
You know, the stuff that can take a few days - at minimum - to arrive

Given USPS performance over the past couple of years, I'm pretty sure that a full week is the new minimum for any delivery, no matter how close. I totally feel for anyone that ever has to actually rely on that.
Crim Mip Posted April 18, 2021
This, along with making your log-in something other than your user name, would help a lot. It's pretty stupid that half the information needed to log into somebody's account is right there inworld for anyone to see. Your log-in name shouldn't be discoverable inworld by any means. That would cut a lot of phishing attacks right there.
Wulfie Reanimator Posted April 18, 2021 (edited)
On 4/17/2021 at 11:46 AM, Bitterthorn said:
Reed did directly say it would be opt in.

10 hours ago, JanuarySwan said:
Well, sometimes that happens. Debit cards, credit cards are sent snail mail... some things are worth waiting for, especially since this is an opt-in supposedly.

Let's not start rumors. Reed didn't say that it would be opt-in. He said:

On 4/16/2021 at 9:35 PM, Reed Linden said:
I am still scoping out how I expect this to work so there's nothing set in stone, but my intention is to keep it as non-intrusive as possible. I envision it being opt-in.
RunawayBunny Posted April 18, 2021
I know some people hate it, but I think it is necessary, especially if you are holding L$ in your account and have to pay expenses. Having 2FA puts your mind a little at ease against keyloggers etc. This must be optional, for the people who need it.
Kathrine Jansma Posted April 18, 2021
2FA done right is a good thing, no doubts there. But most 2FA is done in a terrible way. A few of the really common pitfalls:

- Offer SMS only (or worse: demand SMS to a mobile phone only).
- Offer a push TAN app on some proprietary non-jailbroken mobile phones only.
- Use TOTP from RFC 6238 but modify it slightly so only your own app can generate the codes.
- Have a support hotline that ignores 2FA and just asks some trivial knowledge-based questions to recover credentials.
- Have a password recovery process that just asks for the 2FA key and common knowledge (turning 2FA into single factor again).
- Try to do WebAuthn and have users run away from the complexity of setting things up properly.
- Allow only a single hardware token per user for 2FA (you need at least two, or you end up with the password recovery process ending up as 1FA; it only works with a single token in a corporate environment where IT can establish identity out of band).
- Have super aggressive timeouts like 5 minutes between 2FA (e.g. shop on the marketplace and get asked for a 2FA code for login and again 5 minutes later for checkout); that's what some banks do due to PSD2 regulations in the EU.
- Ask the payment industry to do it (you end up with junk like Verified by Visa: https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf).
- Ask the government to do it (you end up with hyper-complex junk like the German eID system, safe but unusable).
- Ask the smart card industry to do it (you end up with a smart card based system that needs new cards every year as a source of income).

If I were to decide upon 2FA or auth system options, I would probably go with ALL of the following:

- Offer TOTP as a good secure baseline system: good enough, works everywhere.
- Offer SMS or some app for people that really want it, because people know it.
- Offer WebAuthn for the technology-savvy people that want hardware tokens or have high values in their account. Good tech, strange crypto, a bit high entry barrier still.
- Allow linking accounts to external ID providers via OpenID Connect or social logins/services in order to have a third factor for password/2FA recovery.
- Do some basic risk-based assessment of when to ask for 2FA (e.g. logging in, buying/selling RL currency, large transactions > 25,000 L$, land changes, many account data changes).

The hard part is not really the tech. The hard parts are "Ease of Use/UX and Password Recovery."
bigmoe Whitfield Posted April 18, 2021
An account password gets compromised in a big leak some place, the same password you might use for SL (trust me, people do this)... You have 2FA enabled on your email account and your SL account, guess what they will never get ahold of? Yep, both of those. But it will require you to think about what you need to have. The day is coming, I'm in my 40's and see this myself, that you will soon need a data-connected device.
Kimmi Zehetbauer (Author) Posted April 18, 2021
12 hours ago, Crim Mip said:
This, along with making your log-in something other than your user name, would help a lot. It's pretty stupid that half the information needed to log into somebody's account is right there inworld for anyone to see. Your log-in name shouldn't be discoverable inworld by any means. That would cut a lot of phishing attacks right there.

My man plays League of Legends and another MMO, and the account's username is different than the avi's name in world. Just doing that would be a big help, and no 2FA needed there!
FairreLilette Posted April 18, 2021 (edited)
3 hours ago, bigmoe Whitfield said:
you will soon need a data-connected device.

What if that is not logical for certain people, to have a cell phone, if that is what you mean? Plus, with the cost of cell phones, to avoid discrimination, people on low incomes should then get a phone for free, but that doesn't help those who are handicapped. I read a bit more about the Google app last night, as we can supposedly get a kind of key. Then, I'm looking up what these keys are and I was lost, as some sites said Google keys were free with tokens and others said Google keys one has to pay for. So, anyhow, if someone could let me know what kind of key I need and how much, and which website is the one with correct info on keys for the Google app, I'd really appreciate it.
Wulfie Reanimator Posted April 18, 2021
One of the most rudimentary forms of 2FA is an email verification whenever a new device is trying to log in, which can optionally be saved as a trusted device. Kind of like "remember my password," except it's "remember my computer." Last I checked, SL doesn't even have that. (The "remember me on this computer" checkbox does the opposite: that's meant to allow you to stay logged in, and it doesn't protect your account if someone else somewhere else is trying to log in.)
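One way to build the "remember my computer" check that post describes, as an added example that is neither the thread's nor Second Life's code and that assumes a design of my own: after the user confirms the emailed code once from a given browser, the server issues an HMAC-signed token naming the account, an opaque device identifier the server assigned to that browser, an expiry, and a per-account generation number, and the browser keeps it in a cookie. Later password logins that present a valid token skip the email step; anything else (no token, wrong account, wrong device, expired, tampered, or revoked) triggers it. All names below are this example's own.

```python
"""Added example (not from the forum thread, not Second Life's code): a signed
"trusted device" token for new-device email verification. The design, names and
30-day lifetime are assumptions of this example."""

import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

TRUST_TTL = 30 * 24 * 3600   # assumed: a device must re-verify after 30 days


class TrustedDevices:
    """Server side. `server_key` is a long random secret; `_generation` is the
    per-account revocation counter, both of which a real server persists."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._generation: Dict[str, int] = {}

    def _sign(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, user: str, device_id: str, now: Optional[int] = None) -> str:
        """Call only after the emailed verification code was confirmed."""
        now = int(time.time()) if now is None else now
        claims = {"u": user, "d": device_id,
                  "g": self._generation.get(user, 0), "exp": now + TRUST_TTL}
        body = json.dumps(claims, separators=(",", ":")).encode()
        return (base64.urlsafe_b64encode(body).decode() + "." +
                base64.urlsafe_b64encode(self._sign(body)).decode())

    def is_trusted(self, token: Optional[str], user: str, device_id: str,
                   now: Optional[int] = None) -> bool:
        """True only if the token is ours, unexpired, not revoked, and bound to
        exactly this account and device. Signature is checked before the claims
        are parsed, so untrusted input never reaches the JSON parser."""
        if not token or "." not in token:
            return False
        now = int(time.time()) if now is None else now
        try:
            body_b64, sig_b64 = token.split(".", 1)
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return False
        if not hmac.compare_digest(self._sign(body), sig):   # constant-time
            return False
        claims = json.loads(body)
        return (claims.get("u") == user
                and claims.get("d") == device_id
                and claims.get("g") == self._generation.get(user, 0)
                and claims.get("exp", 0) > now)

    def revoke_all(self, user: str) -> None:
        """Bump the generation: every token this account ever issued is now invalid."""
        self._generation[user] = self._generation.get(user, 0) + 1


def login_needs_email_check(store: TrustedDevices, user: str, device_id: str,
                            token: Optional[str], now: Optional[int] = None) -> bool:
    """Decision point after the password succeeded: True means 'send the code'."""
    return not store.is_trusted(token, user, device_id, now)


if __name__ == "__main__":
    store = TrustedDevices(b"replace-with-32-random-bytes-kept-server-side")
    tok = store.issue("alice", "browser-7f3a")          # after the emailed code passed
    print("known browser :", login_needs_email_check(store, "alice", "browser-7f3a", tok))  # False
    print("other browser :", login_needs_email_check(store, "alice", "browser-0000", tok))  # True
    store.revoke_all("alice")
    print("after revoke  :", login_needs_email_check(store, "alice", "browser-7f3a", tok))  # True
```

This is distinct from the "remember me" checkbox the post contrasts it with: that keeps an already-authenticated session alive, while this token only decides whether a fresh password login must also pass the email check. The device identifier is whatever the server stored in that browser at first verification, so the guarantee is modest but real: a leaked password alone, used from a browser that has never completed the email check, does not get in. Bumping the generation number invalidates every device the account ever trusted, which is the right response to a suspected compromise and costs nothing in key rotation.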
Solar Legion Posted April 18, 2021
10 minutes ago, FairreLilette said:
What if that is not logical for certain people, to have a cell phone, if that is what you mean? Plus, with the cost of cell phones, to avoid discrimination, people on low incomes should then get a phone for free, but that doesn't help those who are handicapped. I read a bit more about the Google app last night, as we can supposedly get a kind of key. Then, I'm looking up what these keys are and I was lost, as some sites said Google keys were free with tokens and others said Google keys one has to pay for. So, anyhow, if someone could let me know what kind of key I need and how much, and which website is the one with correct info on keys for the Google app, I'd really appreciate it.

You are seeing information on wholly different systems/programs and conflating the two. You pay (at a certain point) for "keys" for certain Google APIs. You do not pay for Two-Factor Authentication code applications. This is the smartphone app Google offers for Two-Factor Authentication. I do not use it for the few things I do use 2FA for. I use an application that is based on and compatible with systems that use it, which allows me to use my phone or my PC to get the code.
bigmoe Whitfield Posted April 19, 2021
7 hours ago, Solar Legion said:
You are seeing information on wholly different systems/programs and conflating the two. You pay (at a certain point) for "keys" for certain Google APIs. You do not pay for Two-Factor Authentication code applications. This is the smartphone app Google offers for Two-Factor Authentication. I do not use it for the few things I do use 2FA for. I use an application that is based on and compatible with systems that use it, which allows me to use my phone or my PC to get the code.

Be careful with PC-based authentication, unless you can trust the source it came from.
Silent Mistwalker Posted April 19, 2021
On 4/17/2021 at 4:28 PM, JanuarySwan said:
Well, sometimes that happens. Debit cards, credit cards are sent snail mail... some things are worth waiting for, especially since this is an opt-in supposedly.

You're going to wait a week just to be able to log in to SL? That's either dedication or insanity.
Silent Mistwalker Posted April 19, 2021
On 4/17/2021 at 4:48 PM, Gabriele Graves said:
If 2FA is done the way I outlined in my previous post, you don't need a phone. You can install an authenticator on your PC such as WinAuth and use that instead. There are equivalent programs for all operating systems. No SMS or email necessary.

Install yet another app just to be able to log in to SL? WTH?
Silent Mistwalker Posted April 19, 2021
23 hours ago, Kimmi Zehetbauer said:
Not everyone has a smart phone or wants one.

Or can afford one.
Rathgrith027 Posted April 19, 2021 (edited)
3 minutes ago, Silent Mistwalker said:
Install yet another app just to be able to log in to SL? WTH?

Authenticators are very light, don't need to be run in the background, and are also available for PC as stated already. It's not that big of a deal. I have one on my Linux system which uses about 100MB of RAM. That, and "another app"? What other app do you need for SL? All you need is a viewer, unless I'm missing something.
Silent Mistwalker Posted April 19, 2021
Just now, Rathgrith027 said:
Authenticators are very light, don't need to be run in the background, and are also available for PC as stated already. It's not that big of a deal. I have one on my Linux system which uses about 100MB of RAM. That, and "another app"? What other app do you need for SL? All you need is a viewer, unless I'm missing something.

That's not the point. Read the thread, please.
Rathgrith027 Posted April 19, 2021
Just now, Silent Mistwalker said:
That's not the point. Read the thread, please.

What am I missing here? You're complaining about having to use an authenticator program, which is a 2FA method. Don't be a smartass.
RunawayBunny Posted April 19, 2021
I still don't understand why people argue about it. 2FA is usually optional everywhere (Google, DigitalOcean, Amazon); you can turn it off if you don't like it. Is there a specific reason for not wanting it? It is useful for some people.