
Two Factor Authentication (2FA)



24 minutes ago, Solar Legion said:

No, it doesn't.

A Validation Code (and similar) is not the same thing as the tokens used in the types of Two-Factor Authentication systems being discussed. At all.

Things like this are what this thread is discussing in terms of applications. Ditto the E-Mailed/SMSed codes.

Do not conflate 2FA systems with One Time/Validation/etc Code systems.

ETA: There are far more things to worry over if one does not even have a throwaway e-mail address these days than a 2FA Code (for anything).

This, coming from someone who has been against the idea of 2FA seemingly creeping into more and more systems.

I wasn't saying it did...but more could it...and even more to the point...that it needs options is all and what are those possible options.  

And, if it gives us more security, I'm not sure why you would be against it.  Then perhaps you don't like the way it currently is...so what is better but also has options for those who do not have a cell phone?

I don't see why it couldn't be set with one's own phone keypad like a bank pin number?

I've had sites send me a text message but they never gave me an email option also is why I'm asking.  

Edited by JanuarySwan

7 minutes ago, JanuarySwan said:

I wasn't saying it did...but more could it...and even more to the point...that it needs options is all and what are those possible options.  

And, if it gives us more security, I'm not sure why you would be against it.  Then perhaps you don't like the way it currently is...so what is better but also has options for those who do not have a cell phone?

I don't see why it couldn't be set with one's own phone keypad like a bank pin number?

I've had sites send me a text message but they never gave me an email option also is why I'm asking.  

It could not. The code type precludes the code being valid for such a length of time (well aside from the fact that we're talking about a code that would be asked for more than once, even if you did tell it to remember the device - see Amazon's implementation as well as most password storing systems, among others).

If you mean a traditional telephone keypad ... Again, no. Wholly different system. There is a reason I linked to Authy. Look at it.

Some banks use text, phone call and/or e-mail as code options.

As for why I'd be against it? Do note the way I phrased that - creep - and you'll have some idea as to why. It simply is not needed for all and sundry nor are some of the things people push to have it alongside merit such measures.

Your actual Bank/PayPal accounts, some game accounts, a person's Steam account .... There are a fair few examples out there of accounts that should be secured by 2FA. They're actual, serious targets.


17 minutes ago, Solar Legion said:

Some banks use text, phone call and/or e-mail as code options.

Mine has voice recognition now too.  

 

17 minutes ago, Solar Legion said:

There is a reason I linked to Authy. Look at it.

Okay.  There are some of us who do know others who do not have cell phones in their life.  But, I will look at that.  I'm not up to speed really as to what this 2FA is. 

Some sites were getting lazy about sending email codes and were only sending text for awhile and that is irksome to do that as the world is not only one way.  

Thanks for your time.  

Edited by JanuarySwan

4 hours ago, Qie Niangao said:

Wow. Pray for cataracts, so you can get nice new artificial lenses. If you're among those who can fuse images with "monovision" so one eye can have perfect near vision and the other perfect distant vision, you'll never again need glasses for anything. And each surgery takes just a few seconds to perform, it's amazing.

I agree it's not worth getting a smartphone just for this, but it's very unlikely they'd pick an authentication method that doesn't have a desktop app as well as smartphone. In general, though, a smartphone doesn't need to be a big investment, especially if you only need wifi connectivity. I have a couple old phones with no sim cards at all, that I can still use for Google Voice calling and all the data I could want on open wifi networks. A long way from 5G, but I'd feel really helpless without some sort of smartphone in my pocket.

My man had cataract surgery and opted for long distance lens --- he loves not wearing glasses!


3 hours ago, Solar Legion said:

You know, the stuff that can take a few days - at minimum - to arrive

Given USPS performance over the past couple of years, I'm pretty sure that a full week is the new minimum for any delivery, no matter how close.

I totally feel for anyone that ever has to actually rely on that.

 


This along with making your log-in something other than your user name would help a lot. It's pretty stupid that half the information needed to log into somebody's account is right there inworld for anyone to see. Your log-in name shouldn't be discoverable inworld by any means. That would cut a lot of phishing attacks right there.


On 4/17/2021 at 11:46 AM, Bitterthorn said:

Reed did directly say it would be opt in. 

10 hours ago, JanuarySwan said:

Well, sometimes that happens.  Debit cards, credit cards are sent snail mail...some things are worth waiting for especially since this is an opt-in supposedly.  

 

Let's not start rumors. Reed didn't say that it would be opt-in. He said:

On 4/16/2021 at 9:35 PM, Reed Linden said:

I am still scoping out how I expect this to work so there's nothing set in stone, but my intention is to keep it as non-intrusive as possible. I envision it being opt-in.

 

Edited by Wulfie Reanimator

2FA done right is a good thing, no doubts there. But most 2FA is done in a terrible way.

A few of the really common pitfalls.

  • offer SMS only (or worse: demand SMS to a mobile phone only)
  • offer a push TAN app on some proprietary non jailbroken mobile phones only.
  • Use TOTP from RFC 6238 but modify it slightly so only your own app can generate the codes
  • Have a support hotline that ignores 2FA and just asks some trivial knowledge based questions to recover credentials
  • Have a password recovery process that just asks for the 2FA key and common knowledge (turning 2FA into single factor again)
  • Try to do WebAuthn and have users run away from the complexity of setting things up properly
  • Allow only a single hardware token per user for 2FA (you need at least two, or you end up with the password recovery process ending up as 1FA, it only works with a single token in a corporate environment where the IT can establish identity out of band)
  • Have super aggressive timeouts like 5 minutes between 2FA (e.g. shop on the marketplace and get asked a 2FA code for login and again 5 minutes later for checkout), that's what some banks do due to PSD2 regulations in the EU.
  • Ask the payment industry to do it (you end up with junk like Verified by Visa (https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf ))
  • Ask the government to do it (you end up with hyper complex junk like the German eID system, safe but unusable)
  • Ask the smart card industry to do it (you end up with a smart card based system that needs new cards every year as a source of income)

If I were to decide upon 2FA or auth system options, I would probably go with ALL the following:

  • Offer TOTP as a good secure baseline system: Good enough, works everywhere.
  • Offer SMS or some App for people that really want it. Because people know it.
  • Offer WebAuthn for the technology savvy people that want hardware tokens or have high values in their account. Good tech, strange crypto, a bit high entry barrier still.
  • Allow linking accounts to external ID providers via OpenID connect or social logins/services in order to have a third factor for password/2FA recovery.
  • Do some basic risk based assessment when to ask for 2FA (e.g. logging in, buying/selling RL currency, large transactions > 25.000 L$, land changes, many account data changes).

The hard part is not really the tech. The hard parts are "Ease of Use/UX and Password Recovery."

 


account password gets compromised in a big leak some place,   the same password you might use for SL, trust me, people do this...   you have 2fa enabled on your email account and your SL account,  guess what they will never get ahold of, yep, both of those, but it will require you to think about what you need to have,  the day is coming, I'm in my 40's and see this myself,  that,  you will need soon a data connected device.


12 hours ago, Crim Mip said:

This along with making your log-in something other than your user name would help a lot. It's pretty stupid that half the information needed to log into somebody's account is right there inworld for anyone to see. Your log-in name shouldn't be discoverable inworld by any means. That would cut a lot of phishing attacks right there.

My man plays League of Legends and another MMO and the account's username is different than the avi's name in world. Just doing that would be a big help and no 2FA needed there!


3 hours ago, bigmoe Whitfield said:

you will need soon a data connected device.

What if that is not logical for certain people to have a cell phone if that is what you mean?  Plus, with the cost of cell phones, to avoid discrimination, people on low incomes should then get a phone for free but that doesn't help those who are handicapped.  I read a bit more about Google App last night as we can supposedly get a kind of key.  Then, I'm looking up what these keys are and I was lost as some sites said Google keys were free with tokens and others said Google keys one has to pay for.  So, anyhow if someone could let me know what kind of key I need and how much, could you please let me know what website is the one with correct info on keys for Google app I'd really appreciate it.

Edited by FairreLilette

One of the most rudimentary forms of 2FA is an email verification whenever a new device is trying to log in, which can optionally be saved as a trusted device. Kind of like "remember my password," except it's "remember my computer." Last I checked, SL doesn't even have that. (The "remember me on this computer" checkbox does the opposite, that's meant to allow you to stay logged in and it doesn't protect your account if someone else somewhere else is trying to log in.)


10 minutes ago, FairreLilette said:

What if that is not logical for certain people to have a cell phone if that is what you mean?  Plus, with the cost of cell phones, to avoid discrimination, people on low incomes should then get a phone for free but that doesn't help those who are handicapped.  I read a bit more about Google App last night as we can supposedly get a kind of key.  Then, I'm looking up what these keys are and I was lost as some sites said Google keys were free with tokens and others said Google keys one has to pay for.  So, anyhow if someone could let me know what kind of key I need and how much, could you please let me know what website is the one with correct info on keys for Google app I'd really appreciate it.

You are seeing information on wholly different systems/programs and conflating the two. You pay (at a certain point) for "keys" for certain Google APIs. You do not pay for Two-Factor Authentication code applications.

This is the Smartphone app Google offers for Two-Factor Authentication. I do not use it for the few things I do use 2FA for. I use an application that is based on and compatible with systems that use it, that allows me to use my Phone or my PC to get the code.


7 hours ago, Solar Legion said:

You are seeing information on wholly different systems/programs and conflating the two. You pay (at a certain point) for "keys" for certain Google APIs. You do not pay for Two-Factor Authentication code applications.

This is the Smartphone app Google offers for Two-Factor Authentication. I do not use it for the few things I do use 2FA for. I use an application that is based on and compatible with systems that use it, that allows me to use my Phone or my PC to get the code.

Be careful with PC-based authentication, unless you can trust the source from where it came from.


On 4/17/2021 at 4:28 PM, JanuarySwan said:

Well, sometimes that happens.  Debit cards, credit cards are sent snail mail...some things are worth waiting for especially since this is an opt-in supposedly.  

You're going to wait a week just to be able to login to SL? That's either dedication or insanity.


On 4/17/2021 at 4:48 PM, Gabriele Graves said:

If 2FA is done the way I outlined in my previous post, you don't need a phone.  You can install an authenticator on your PC such as WinAuth and use that instead.  There are equivalent programs for all operating systems. No SMS or email necessary.

Install yet another app just to be able to log in to SL? WTH?


3 minutes ago, Silent Mistwalker said:

Install yet another app just to be able to log in to SL? WTH?

Authenticators are very light and don't need to be run in the background and are also available for PC as stated already. It's not that big of a deal. I have one on my Linux system which uses about 100MB of RAM.

That and "Another app"? What other app do you need for SL? All you need is a viewer, unless I'm missing something.

Edited by Rathgrith027

Just now, Rathgrith027 said:

Authenticators are very light and don't need to be run in the background and are also available for PC as stated already. It's not that big of a deal. I have one on my Linux system which uses about 100MB of RAM.

That and "Another app"? What other app do you need for SL? All you need is a viewer, unless I'm missing something.

That's not the point.

Read the thread please.
