
Two Factor Authentication (2FA)



1 hour ago, bigmoe Whitfield said:

still am amazed, in this day and age with all these companies out there, Adobe, etc., having these leaks and passwords and account names and password floating about, that one would want to secure their accounts so they would not lose them or lose the ability to access them. what disconnect am I missing here?

Blockchain.

  • Haha 5

2 hours ago, bigmoe Whitfield said:

still am amazed, in this day and age with all these companies out there, Adobe, etc., having these leaks and passwords and account names and password floating about, that one would want to secure their accounts so they would not lose them or lose the ability to access them. what disconnect am I missing here?

I am still amazed that people actually think that 2FA actually does something when it can be easily bypassed with phishing, a capture and simple chrome addon, especially when we are talking about people who are already silly enough to use one password for everything and due to LL's already lax security.

Additionally, if someone has gone to the effort of directly attacking and gaining LL login data from their servers or in your example adobe, they already have the skill to bypass 2FA which even a 10 year old could do especially if a hidden backdoor cookie virus is provided by them during the hack by altering SL website code.

2FA is simply an additional layer of security (usually against brute force attack) and unless LL actually also update to separate the account name and user name and people actually use different passwords for every account, even with 2FA they will get to the account.

Edited by Drayke Newall
  • Like 3

8 hours ago, Gabriele Graves said:

Oh come on, don't be dramatic about it. 2FA/MFA is already security best practice for logging into websites where there is something of value to protect. It is combining something you know (username + password) with something you have (a code generated on your device/PC only for example) which increases your security by magnitudes for just a small inconvenience. Pretty much any big name internet service already has it as an option. You may not have encountered it before but millions of people out there are using it.

Good job you don't need one for it then.

If done right, the code wouldn't be necessarily needed every time you login.  Different companies have different policies on this ranging from once a day to a week to a month or even only when something changes like a login from a new PC, password change or when you buy something with your credit card, etc.

 

My point that everyone so nicely avoided was that the more programs you have on your PC the slower it runs and the more disk space you lose. Among other  things that no one has thought about. But what do I know. According to most people, I must be the stupidest human on the planet. So go  on with your bad selves. 

Edited by Silent Mistwalker

Just now, Silent Mistwalker said:

 

My point that everyone so nicely avoided was that the more programs you have on your PC the slower it runs and the more disk space you lose. Among other  things that no one has thought about. But what do I know. According to most people, I must be the stupidest human on the planet. So go  on with your bad selves. 

Computers don't run like that.

Yes, having another program installed uses disk space, but it won't impact performance unless it is actually running, and even then for a 2FA program the impact would be extremely low. There may be a tiny impact on HDD seek speed, but by that logic any videos or photos you have on your drive would also cause the same issue.

  • Like 2
  • Haha 1

6 minutes ago, Silent Mistwalker said:

 

That you have to pay for every month. I don't have it to spare.

pay? I've got a phone sitting right here.  not paying for it,  long as it touches wifi every once in a while to sync the time,  then it works fine,  it has zero cell ability,  just a touch phone that I use for 2fa.  so yes, it can be a one time cost.    heck even asking a person if they have a phone that you can get freely,  factory reset it and install  the 2fa and let it sync time once a week and tada?   there are so many options here,  people instantly "I GOT TO PAY FOR IT" wrong.  I can easily prove this that I do not pay for any usage on the other phone at all, it has no sim card, it costs me nothing.  

 

google 2fa is all it does for those wondering.

  • Like 2

15 minutes ago, bigmoe Whitfield said:

pay? I've got a phone sitting right here.  not paying for it,  long as it touches wifi every once in a while to sync the time,  then it works fine,  it has zero cell ability,  just a touch phone that I use for 2fa.  so yes, it can be a one time cost.    heck even asking a person if they have a phone that you can get freely,  factory reset it and install  the 2fa and let it sync time once a week and tada?   there are so many options here,  people instantly "I GOT TO PAY FOR IT" wrong.  I can easily prove this that I do not pay for any usage on the other phone at all, it has no sim card, it costs me nothing.  

 

google 2fa is all it does for those wondering.

I have to BUY  the phone first. No money. Then I have to pay for a card to refill the minutes every month so the damn thing will work for more than just 911 calls. No money.

 

Look, I'm not against 2FA. I've never said I was but people sure are taking it that way. But trying to force people into installing programs on their pcs or buy a cell phone just to be able to log into SL is ridiculous. I'm not doing it. End of.

  • Like 1

34 minutes ago, Silent Mistwalker said:

I have to BUY  the phone first. No money. Then I have to pay for a card to refill the minutes every month so the damn thing will work for more than just 911 calls. No money.

 

Look, I'm not against 2FA. I've never said I was but people sure are taking it that way. But trying to force people into installing programs on their pcs or buy a cell phone just to be able to log into SL is ridiculous. I'm not doing it. End of.

Authenticator apps (Google's or Valve's, for example) can work even without an internet connection or phone signal.

And 2FA can be done without requiring the user to install anything new on anything.

Edited by Wulfie Reanimator
  • Like 3

10 minutes ago, Wulfie Reanimator said:

Authenticator apps (Google's or Valve's, for example) can work even without an internet connection or phone signal.

 

Regardless, I am not going to allow myself to be forced into using something I do not need or want. In case you missed it, I DO NOT HAVE THE MONEY TO EVEN BUY A PHONE WITH. I have zero income.  No, I will not go into the health reasons as to why I'm not working.

Quote

And 2FA can be done without requiring the user to install anything new on anything.

Tell that to  the person who suggested it in the first place.


8 minutes ago, Silent Mistwalker said:

Regardless, I am not going to allow myself to be forced into using something I do not need or want. In case you missed it, I DO NOT HAVE THE MONEY TO EVEN BUY A PHONE WITH. I have zero income.  No, I will not go into the health reasons as to why I'm not working.

That's okay. I have zero income too and I live on my own (I've talked about it in previous threads). I understand.

8 minutes ago, Silent Mistwalker said:

Tell that to  the person who suggested it in the first place.

I'm not saying it to just you, even though your post prompted my response. There will be other people reading this (and other) threads who don't know anything about 2FA and if someone is saying one thing and nobody is countering it, it will leave an impression that there aren't alternatives.

Ultimately I wish @Linden Lab would ask for feedback on what kinds of 2FA people actually want instead of just picking whatever seems the most convenient to them, ideally through a poll with private free-form responses so we don't end up with a 200 page thread with people arguing with each other over personal preferences and niche cases.

Edited by Wulfie Reanimator
  • Like 5
  • Thanks 1

17 minutes ago, Wulfie Reanimator said:

That's okay. I have zero income too and I live on my own (I've talked about it in previous threads). I understand.

I'm not saying it to just you, even though your post prompted my response. There will be other people reading this (and other) threads who don't know anything about 2FA and if someone is saying one thing and nobody is countering it, it will leave an impression that there aren't alternatives.

Ultimately I wish @Linden Lab would ask for feedback on what kinds of 2FA people actually want instead of just picking whatever seems the most convenient to them, ideally through a poll with private free-form responses so we don't end up with a 200 page thread with people arguing with each other over personal preferences and niche cases.

Well at my age (over 60) I should hope I am "living on my own". Would kind of suck to live with my parents. I don't think the cemetery would allow me to pitch a tent to live in. 🤭

Thank you. For saying that and for saying your responses have been for the benefit of others, not just to rag on me. I don't like slamming the door in people's faces when they do that but I will.

@Linden Lab does ask for feedback. The problem is, they rarely listen to it. Oh they hear it, but they don't really listen. Not unless you start throwing legalities and/or financial losses at them. For instance, someone mentioned state sales taxes. Um. No sales tax in my state and it's not the only state that does not charge sales tax. No, they get us through things like property taxes and road frontage tax. Live in a house on a corner? You pay twice as much because you have property abutting 2 streets, not just one. So you get penalized for living on the corner. It's kind of strange to me because I've seen so many streets built around existing houses (when I was young) and none of the home owners were asked if they wanted to be on a corner. The city planners just mapped out some streets around the houses and called it good. Anyway, sorry for rambling. What I was really getting to is that I agree with you on LL not only getting feedback from residents but also do their level best not to exclude long time residents from being able to log in simply because they can't afford to be nickel and dimed. Retention is just as important and vital as new customers, if not more so.


2 hours ago, Silent Mistwalker said:

 

That you have to pay for every month. I don't have it to spare.

Everyone in my house has a Tracfone.  I paid $99 for the phone, 1000 talk, 1000 text and a years service.  No other costs unless I run out of either and then I can add 1000 texts for $10.  No monthly bill and all the talk and text carry over to the next year.  A year of service costs $99.  One time a year.  

There's also Assurance Wireless.

Edited by Rowan Amore

6 hours ago, bigmoe Whitfield said:

still am amazed, in this day and age with all these companies out there, Adobe, etc., having these leaks and passwords and account names and password floating about, that one would want to secure their accounts so they would not lose them or lose the ability to access them. what disconnect am I missing here?

Was going to put something down --- but it's been said many times in the thread already.

  • Like 1

20 minutes ago, Love Zhaoying said:

...someone can replicate your phone using phishing, so they get the same 2FA code on their phone as yours..!?

There are a number of ways to bypass 2FA and the method of 2FA makes it either easier or harder. Token or app 2FA is more secure than text message. Physical key 2FA is also pretty secure. The most common way it is breached is phone number spoofing or someone using social engineering to get your phone service to port your number elsewhere, taking control of any 2FA you have connected to your text messages. This is why my work bans the use of text message 2FA, and we use token/app 2FA exclusively. Google will have more in depth info on the various kinds of attacks and breaches.

No method is 100%. It's important to always have strong unique passwords. Fact is that your data online is not secure. Services get hacked, information gets sold, etc. When 2FA is an option here I will gladly use whatever the most secure option is at the time. 

  • Like 3

A major thing I learned over decades working on cybersecurity as a systems and network admin... If you want your users to buy in to your security policy, you make compliance with it the easiest way to go. If you make it a pain in the rear, people will do everything they can to work around it, because that's what people do, and your security initiative will crash and burn. For something like this, LL need to pick 2FA methods that are as secure as they can manage without introducing a significant level of inconvenience. Achieve that, and it's an optimal solution that folks will buy into. Fail and they've either left it too insecure to be worth anything or they've made it such a pain that nobody will opt in and may bail on the environment altogether if it's made mandatory.

  • Like 5
  • Thanks 1

7 hours ago, Drayke Newall said:

I am still amazed that people actually think that 2FA actually does something when it can be easily bypassed with phishing, a capture and simple chrome addon, especially when we are talking about people who are already silly enough to use one password for everything and due to LL's already lax security.

"Simple chrome addon": you need decent luck to make it work:

- User has to visit your phishing website.

- User has to be clueless about the security threat related to add-ons installed outside the Chrome Web Store.

- User has to ignore all warnings given by Chrome (Installing add-on: https://support.google.com/chrome_webstore/answer/186213?hl=en#zippy=%2Cmedium-alert%2Clow-alert%2Chigh-alert).

If the user ignores all of these warnings, nothing can protect this user.

  • Like 3

7 hours ago, Silent Mistwalker said:

My point that everyone so nicely avoided was that the more programs you have on your PC the slower it runs and the more disk space you lose. Among other  things that no one has thought about.

WinAuth is 5.8M on the disk. Compared to anything else you will have installed, it has a negligible size. It is freely available and so doesn't cost money. Other equivalent programs are also tiny. As has been said before it does not slow down your PC as it is only running when you need an access code, which should be infrequently if done right. So you start it up, get a code and then quit it. No network communication, no personal information needed or sent anywhere, nothing - just a code generated on your PC, for you.

I would be against anything that forced people to have to buy anything to continue with their SL experience.

7 hours ago, Silent Mistwalker said:

But what do I know. According to most people, I must be the stupidest human on the planet.

I very much doubt that statement as truth.

Quote

So go  on with your bad selves. 

Very much uncalled for especially when people are trying to explain how this can work for you and other people.  I doubt you would like it very much if this was the other way around.

You may think we are trying to push an agenda on you but in reality most of what has been said in this topic by those of us who think it is a good idea is to correct misconceptions/misinformation and provide facts.  We already understand that some may not want it and agree with you that you shouldn't have to.  Your clue for that is that not one post has been calling for mandatory enforcement for your own good.  We just want the option for our own security.
 

Edited by Gabriele Graves
  • Like 2
  • Haha 1
  • Confused 1
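
Several posts above say that authenticator apps work offline, need only an occasionally synced clock, and generate the code locally with no network traffic. The following is an added example, not code from any poster, from WinAuth or from Linden Lab: a minimal RFC 6238 (TOTP) generator and server-side check showing why that holds, how much clock drift a server tolerates, and how refusing already-used time steps limits replay of a captured code. The function names, the `window` and `last_step` parameters and the sample times are assumptions; the secret is the published RFC 6238 test value.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the common authenticator-app default


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch.

    Only the shared secret and the local clock are used; nothing is sent anywhere.
    """
    return hotp(secret, unix_time // STEP, digits)


def verify(secret, code, server_time, window=1, last_step=-1):
    """Return the time step the code matched, or None if it is rejected.

    window    : steps of clock drift tolerated on each side of the server's step
    last_step : highest step already accepted for this account; codes at or
                below it are refused, so a captured code cannot be reused
    """
    current = server_time // STEP
    for step in range(current - window, current + window + 1):
        if step <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, step, len(code)), code):
            return step
    return None


# Constructed sample: the published RFC 6238 SHA-1 test secret, not a real account.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    device_time = 1111111109  # constructed: device clock 2 s behind the server,
    server_time = 1111111111  # which happens to straddle a 30-second boundary
    code = totp(SECRET, device_time)
    print("code shown on device:", code)
    print("strict server (window=0):", verify(SECRET, code, server_time, window=0))
    step = verify(SECRET, code, server_time, window=1)
    print("tolerant server (window=1) matched step:", step)
    print("same code replayed:", verify(SECRET, code, server_time, last_step=step))
```

A matched step lower than the server's current step means the device clock is running behind, which is the drift the occasional time sync mentioned in the thread corrects.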

IMHO. Two Factor authentication should be required in SL, or perhaps just required if you want to hold a Linden dollar balance at all. It is a basic need for online security these days, especially in an environment that exchanges a currency that can be tied to RL money. We see people regularly in groups that have their accounts compromised, and then start sending out more phishing links. 2FA doesn't remove the ability for someone to be phished, but it greatly reduces it. I think the amount of money changing hands in SL every day warrants the use of security. I personally worry more about someone else getting phished and causing issues than I do falling victim myself. To help prevent that, I think 2FA should be required for all.

  • Like 1
  • Thanks 1
  • Sad 1

1 hour ago, Buttacwup Float said:

IMHO. Two Factor authentication should be required in SL, or perhaps just required if you want to hold a Linden dollar balance at all. It is a basic need for online security these days, especially in an environment that exchanges a currency that can be tied to RL money. We see people regularly in groups that have their accounts compromised, and then start sending out more phishing links. 2FA doesn't remove the ability for someone to be phished, but it greatly reduces it. I think the amount of money changing hands in SL every day warrants the use of security. I personally worry more about someone else getting phished and causing issues than I do falling victim myself. To help prevent that, I think 2FA should be required for all.

It should NOT be required --- have it as an option for those who really want it.  The "requirement" may knock out many residents who chose not to use it. SL has done fine for almost 20 years without it.

  • Like 4

I can see having it for real money transactions. I can't see having it just to be able to log on to the grid. For those who do not or rarely buy Ls there is no need for 2FA. If they are not cashing out I don't see a need for 2FA. I can see it for those who do leave their debit/credit card info on account but not for those who do not save their card info for convenience. 

This is why it should not be mandatory across the board.

  • Like 3
  • Confused 1
