Two Factor Authenication (2FA)

[Rat Luv]

15 minutes ago, Kimmi Zehetbauer said:

It should NOT be required --- have it as an option for those who really want it.  The "requirement" may knock out many residents who chose not to use it. SL has done fine for almost 20 years without it.

I never had any problems online banking, and then my bank introduced 2FA and told us it was the ultimate security check.

Then a while later I got a text at 4am, asking if I was happy to proceed with a payment of £300 to someone in Queens in New York 

So I sat there until 5am, totally shattered, talking to the fraud team and had to go without my debit card for a week. And then I cleared my cookies and had to go through the 2FA process again 

[Buttacwup Float]

47 minutes ago, Kimmi Zehetbauer said:

It should NOT be required --- have it as an option for those who really want it.  The "requirement" may knock out many residents who chose not to use it. SL has done fine for almost 20 years without it.

The security landscape of being on the internet changed forever in the last 18 months. You simply cannot compare it to anything before. It's no longer a question of if you will become a target it is when. If your account gets compromised now, the people that have compromised it are as likely to do nothing as they are to do something malicious. You might not even know you have been hacked. They keep your credentials in a back pocket waiting for later. In my opinion, the best argument to make security mandatory is to help reduce the uncertainty that comes from people who don't think they need it.

[Kimmi Zehetbauer]

28 minutes ago, Rat Luv said:

I never had any problems online banking, and then my bank introduced 2FA and told us it was the ultimate security check.

Then a while later I got a text at 4am, asking if I was happy to proceed with a payment of £300 to someone in Queens in New York 

So I sat there until 5am, totally shattered, talking to the fraud team and had to go without my debit card for a week. And then I cleared my cookies and had to go through the 2FA process again 

There's a difference between a bank and playing a toon in a game/virtual world. I left a bank due to 2FA when using a ATM machine at their own branch.  I fired them and went to another. If some shenanigans go on, their fraud department will call the house phone to alert me. I did get a call at 2am one night and found out ordered some model train stuff on the phone from a train shop. $350  for a miniature version of UP's 4014 steam engine?

[Kimmi Zehetbauer]

2 minutes ago, Buttacwup Float said:

The security landscape of being on the internet changed forever in the last 18 months. You simply cannot compare it to anything before. It's no longer a question of if you will become a target it is when. If your account gets compromised now, the people that have compromised it are as likely to do nothing as they are to do something malicious. You might not even know you have been hacked. They keep your credentials in a back pocket waiting for later. In my opinion, the best argument to make security mandatory is to help reduce the uncertainty that comes from people who don't think they need it.

I disagree.

[Buttacwup Float]

I am fairly passionate about the addition of two factor authentication to Second Life and really any online services. I think it should be one of, if not the top priority for Linden Lab. I agree with what others have said as well about not having account names display in world, I think that would be another smart change to make.

Here are some thoughts I have on when a second factor would be needed:

• Anytime you buy, sell or cash out Linden Dollars you should be required to authenticate with both factors.
• Anytime you change or update billing, contact or other information in your account you should be required to authenticate with both factors.
• When you log in to Second Life using a viewer. This should optionally save for up to 30 days and should be tied to an account, on a specific machine, using a specific viewer. 
• When you log in to any Second Life web property (account, market etc) with the same rules as above. Per account, browser and machine.
• I think it would be nice to move toward an option to authenticate anytime you do a L$ transaction but I don't think that is as essential.

Oh and lets not forget that there really are no Alts in Second Life so every account you have needs a unique token. Security is inconvenient, that is the whole point. I would actually love to see LL be forward thinking and allow for biometric authentication as a second or even optional third factor. 

[Rowan Amore]

31 minutes ago, Buttacwup Float said:

not having account names display in world,

WTH?

[Jenna Huntsman]

44 minutes ago, Buttacwup Float said:

• Anytime you buy, sell or cash out Linden Dollars you should be required to authenticate with both factors.
• Anytime you change or update billing, contact or other information in your account you should be required to authenticate with both factors.
• When you log in to Second Life using a viewer. This should optionally save for up to 30 days and should be tied to an account, on a specific machine, using a specific viewer. 
• When you log in to any Second Life web property (account, market etc) with the same rules as above. Per account, browser and machine.
• I think it would be nice to move toward an option to authenticate anytime you do a L$ transaction but I don't think that is as essential.

1. Agree

2. Agree

3. Ehh - I want this personally, but I feel like not everyone does. Maybe this should be an option when enabling 2FA?

4. Agree

5. That's probably a bit too much, especially if you've already set it up on login.

Bear in mind though that LL have been working on the SSO project over the past year as well, so it's likely the only times you'd have to authenticate is when signing in to the web properties, or signing into the viewer. The 2FA token would be shared between the main SL website and MP thanks to SSO.

[Dragon Mommy]

2 hours ago, Love Zhaoying said:

I was shocked to learn, some companies are moving away from the more strong password requirements (my company included)!

It's actually a really difficult line to walk! If you make the requirements too high people reuse passwords like crazy. If you make them too low passwords get cracked in minutes. Password managers help. Sometimes. 

Some companies are opting to allow easier to remember passwords because of this. 

[Drayke Newall]

7 hours ago, Love Zhaoying said:

...someone can replicate your phone using phishing, so they get the same 2FA code on their phone as yours..!?

Has nothing to do with replicating your phone.

6 hours ago, Bitterthorn said:

The most common way it is breached is phone number spoofing or someone using social engineering to get your phone service to port your number elsewhere, taking control of any 2FA you have connected to your text messages. 

Why do you make it sound so hard to do by even suggesting things like actually grabbing the 2FA code?

4 hours ago, RunawayBunny said:

-User has to ignore all warning given by Chrome (Installing add-on:

You seem to be under the impression that the end user downloads the chrome addon and not the hacker, I never said that  

We are also talking about people that are clueless about PC security as well. For example, those that have one password for all accounts or those people that seem to think that having RL info in their SL profile (public) is a good idea. Where from that data they do a basic search to find your identity online and grab your email from say your facebook account. All this without even hacking at the moment as half of the info (username) required is already (stupidly) provided by LL.

I am not sure how much I can say on here but I will spell it out briefly for all the people here how easy it is to bypass. If I get banned for this I blame all of you  . Hopefully Linden Lab if they do make a 2FA will fix this issue by at least making it harder by not reusing cookies or cookie validating. Microsoft however haven't been able to, as they reuse cookies.

1. Hacker gets your email and begins fishing  . HTTPS means nothing now as hackers are using it so the entire thing hangs on a user checking the domain in the bowser prior to entering data - lets face it how many of us do that regularly?.
2. User logs in with the 2FA code, Hacker captures the fish including session cookie token (SSO).

This token is not your 2FA key or your phone or anything but, the cookie that the website uses to keep you logged in for a period of time after the 2FA code is accepted. After some magic using browser addons hacker has your account.

No need for 2FA simply using common phishing and something the website already provides. There are ways to make this harder but so long as they can grab that cookie data they have your account completely bypassing 2FA.

As always, if a hacker wants your account you stand no chance in them not having it. They will get it one way or another. Like I said before, 2FA is good in that it provides another layer of security but unfortunately, there are people always smarter than the 2FA creators. Whilst yes there is some luck involved in the phishing, there are equally dumb people.

Edited April 20, 2021 by Drayke Newall

[Buttacwup Float]

8 minutes ago, Bitterthorn said:

It's actually a really difficult line to walk! If you make the requirements too high people reuse passwords like crazy. If you make them too low passwords get cracked in minutes. Password managers help. Sometimes. 

Some companies are opting to allow easier to remember passwords because of this. 

Easier passwords, longer rotations...and the addition of other factors to reduce risk. I think we see an even bigger push towards biometrics. You generally always have that with you.  : )

[FairreLilette]

What about a separate username/log-in for Tilia, the Lindex and/or buying lindens?  Or perhaps a 3-digit pin could be given our username to use the aforementioned which, if mailed to our homes, would probably only take a few days within the U.S.  I like this idea better as 2FA sounds complicated with the tokens and keys.  I read a bit but it was my first read and it seemed complicated.  If someone could explain tokens and keys a bit, I'd appreciated it.

I'm not for any kind of text message 2FA, no tracphone, no smartphone, no cell phone whatsoever should be forced upon anyone.  

Edited April 20, 2021 by FairreLilette

[Buttacwup Float]

3 minutes ago, FairreLilette said:

What about a separate username/log-in for Tilia, the Lindex and/or buying lindens?  Or perhaps a 3-digit pin could be given our username to use the aforementioned which, if mailed to our homes, would probably only take a few days within the U.S.  I like this idea better as 2FA sounds complicated with the tokens and keys.  I read a bit but it was my first read and it seemed complicated.  

I'm not for any kind of text message 2FA, no tracphone, no smartphone no cell phone whatsoever should be forced upon anyone.  

A mailed code is very different from a second factor. Second factors should be available at any login, not just once. Those are used to verify identity, not for authentication.

Edited April 20, 2021 by Buttacwup Float
clarity

[Drayke Newall]

3 minutes ago, FairreLilette said:

What about a separate username/log-in for Tilia, the Lindex and/or buying lindens?  Or perhaps a 3-digit pin could be given our username to use the aforementioned which, if mailed to our homes, would probably only take a few days within the U.S.  I like this idea better as 2FA sounds complicated with the tokens and keys.  I read a bit but it was my first read and it seemed complicated.  If someone could explain tokens and keys a bit, I'd appreciated it.

I'm not for any kind of text message 2FA, no tracphone, no smartphone no, cell phone whatsoever should be forced upon anyone.  

Some companies like banks actually use a pin as well as password to bypass the need for 2FA. In this case you need to enter both the pin and the password along with the username to access the account. The pin is not provided automatically or randomly generated like 2FA is and is selected by the user. In essence it forms a double password one completely numerical and the other alphanumerical.

[FairreLilette]

1 minute ago, Drayke Newall said:

Some companies like banks actually use a pin as well as password to bypass the need for 2FA. In this case you need to enter both the pin and the password along with the username to access the account. The pin is not provided automatically or randomly generated like 2FA is and is selected by the user. In essence it forms a double password one completely numerical and the other alphanumerical.

Okay, I mention it because I like the idea of us having another username for our "banking" needs here, so maybe that could be done if we just add three numbers to the end of our username - somehow, that only we know.

[Drayke Newall]

3 minutes ago, FairreLilette said:

Okay, I mention it because I like the idea of us having another username for our "banking" needs here, so maybe that could be done if we just add three numbers to the end of our username - somehow, that only we know.

Doing anything with the username is useless as far as Second Life goes. So long as LL continue to not separate the account name (login name) and the user name (your SL identity i.e. FairreLilette) a person automatically has half of the data they need to access your account, meaning they only need a password now.

[FairreLilette]

15 minutes ago, Drayke Newall said:

Doing anything with the username is useless as far as Second Life goes. So long as LL continue to not separate the account name (login name) and the user name (your SL identity i.e. FairreLilette) a person automatically has half of the data they need to access your account, meaning they only need a password now.

Then we'd have to somehow be able to have our username changed for the banking part then perhaps by selecting one of several options it could auto-generate such as it would give me choices:  fairre8, fairette25, fair0082, etc, etc, to choose from, and I pick one, and then we'd have a code like a password we could put in there that's different from our viewer log-in password.  But, we'd need an email option too for the code.

Sorry, if this sounds goofy.  If someone could simply explain how keys and tokens work in a few sentences then I might understand it a bit.  I was completely lost reading about it but then I'm been going through some rough times with my GPU and EEP that my mind is numb from of it.

Edited April 20, 2021 by FairreLilette

[RunawayBunny]

38 minutes ago, Drayke Newall said:

You seem to be under the impression that the end user downloads the chrome addon and not the hacker, I never said that  

Not sure what you mean tbh.. If you have access to victims computer why bother with it? Just ask them if you can borrow their phone and get 2FA key your self.

30 minutes ago, Drayke Newall said:

Where from that data they do a basic search to find your identity online and grab your email from say your facebook account.

This is a pure luck.. If you rely on this (guessing game) it is going to take significant time. Using brute force might be better option just saying.

[Drayke Newall]

45 minutes ago, RunawayBunny said:

Not sure what you mean tbh.. If you have access to victims computer why bother with it? Just ask them if you can borrow their phone and get 2FA key your self.

Who said anything about accessing someone's computer? Gaining access to your second life account does not require access to your computer at all. You simply use a phishing email where the link redirects to a server that has the same appearance of SL login and you have their data. No intrusion into the PC at all.

I dont want to explain more than 'a browser addon' just in case saying exactly how to hack the account bypassing 2FA gets me banned.

Quote

This is a pure luck.. If you rely on this (guessing game) it is going to take significant time. Using brute force might be better option just saying.

You underestimate hackers. Why would a hacker use brute force to obtain access to a few accounts instead of doing their homework and pick easy targets. Brute force attacks dont work much anymore due to restricted login try's. If a hacker wants to target everyone then they would just hack LL servers and obtain your data that way.

It is precisely what phishing does as well, gets the easy targets and leaves the harder ones alone.

Also, yes I would say usually some luck is involved but when you have SL profiles public and people put their real name, age, city and even down to their cats name a person would have everything they need to find your email address. Add to that those people that include their RL photo and they can even match you to your facebook account via photo to ensure it is you. A simple script run by tampermonkey addon in chrome to search all public profiles on SL's website containing RL data would quickly get all profiles with RL data in them.

Also, considering Facebook has been hacked recently this year with half a billion user account details taken along with their email addresses (used for logins) simply from matching data from SL profiles of those silly people with RL info on them would allow them to find the person and get their email from the facebook hacked data that is probably already on the darkweb. Some people even have their facebook link to their RL self or group or shop listed in their SL profile which due to the facebook hack this year would be simple to find the details if they were part of it.

Might take a while, but not as long as you think.

Edited April 20, 2021 by Drayke Newall

[RunawayBunny]

1 minute ago, Drayke Newall said:

Who said anything about accessing someone's computer? Gaining access to your second life account does not require access to your computer at all. You simply use a phishing email where the link redirects to a server that has the same appearance of SL login and you have their data. No intrusion into the PC at all.

I understand what you mean.. yes 2FA or any form of security can't protect those users. They eventually learn to protect themself by checking URL or ignoring suspicious emails and links.

5 minutes ago, Drayke Newall said:

You underestimate hackers. Why would a hacker use brute force to obtain access to a few accounts instead of doing their homework and pick easy targets.

This is actually user error if user not taking their time to secure their account and using same password for every service they use it is their problem. I wonder how many people doing it.. I don't know.

[Drayke Newall]

19 minutes ago, RunawayBunny said:

I understand what you mean.. yes 2FA or any form of security can't protect those users. They eventually learn to protect themself by checking URL or ignoring suspicious emails and links.

This is actually user error if user not taking their time to secure their account and using same password for every service they use it is their problem. I wonder how many people doing it.. I don't know.

• 90% of internet users are worried about getting their passwords hacked.
• 53% of people rely on their memory to manage passwords.
• 51% of people use the same passwords for both work and personal accounts.
• 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
• The password “123456” is still used by 23 million account holders. The password "password" is the second most common.
• 33% of account-compromise victims have stopped doing business with companies and websites that leaked their credentials.
• An analysis of more than 15 billion passwords reveals the average password has eight characters or less.
• “Eva” and “Alex” are the most common names in passwords.
• Abu Dhabi is the most commonly used city name in passwords.
• 51% of respondents have fallen prey to a phishing attack on a personal account, while 44% of respondents have been a victim of the same attack at work.
• 78% of Gen-Z users use the same password for several online accounts.

Save Your Data with Empowering Password Statistics | DataProt

• Unfortunately, an astounding 83.15% of respondents said they use the same password for multiple sites.

Password Security Report: 83% of Users Surveyed Use the Same Password for Multiple Sites (cyclonis.com)

Unfortunately for your first point it is answered above in blue of which I say "are you sure?" for your second point it is answered in orange. As I said before, people are clueless about account security hence why 2FA isn't as secure as people think.

Edited April 20, 2021 by Drayke Newall
removed space at end of post

[Gabriele Graves]

58 minutes ago, Drayke Newall said:

• 90% of internet users are worried about getting their passwords hacked.
• 53% of people rely on their memory to manage passwords.
• 51% of people use the same passwords for both work and personal accounts.
• 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
• The password “123456” is still used by 23 million account holders. The password "password" is the second most common.
• 33% of account-compromise victims have stopped doing business with companies and websites that leaked their credentials.
• An analysis of more than 15 billion passwords reveals the average password has eight characters or less.
• “Eva” and “Alex” are the most common names in passwords.
• Abu Dhabi is the most commonly used city name in passwords.
• 51% of respondents have fallen prey to a phishing attack on a personal account, while 44% of respondents have been a victim of the same attack at work.
• 78% of Gen-Z users use the same password for several online accounts.

Save Your Data with Empowering Password Statistics | DataProt

• Unfortunately, an astounding 83.15% of respondents said they use the same password for multiple sites.

Password Security Report: 83% of Users Surveyed Use the Same Password for Multiple Sites (cyclonis.com)

Unfortunately for your first point it is answered above in blue of which I say "are you sure?" for your second point it is answered in orange. As I said before, people are clueless about account security hence why 2FA isn't as secure as people think.

Ironically 2FA would increase the security of those in all of those clueless scenarios you listed.

Edited April 20, 2021 by Gabriele Graves
to make it clearer what this is referring to

[Gabriele Graves]

4 hours ago, Silent Mistwalker said:

I can see having it for real money transactions. I can't see having it just to be able to log on to the grid. For those who do not or rarely buy Ls there is no need for 2FA. If they are not cashing out I don't see a need for 2FA. I can see it for those who do leave their debit/credit card info on account but not for those who do not save their card info for convenience. 

This is why it should not be mandatory across the board.

L$ are real money transactions as far I am concerned.  I buy them with RL currency and can spend them, therefore in my eyes they have value and I would like to be able to protect that with 2FA just as if it were USD.  Same with the website, even if I don't keep my my credit card on there, if I lose control of my account someone could put a stolen CC number on there and change my account name or buy L$ and send it to other accounts for money laundering.  I would lose control of my inworld presence if they change the password which includes all the things I value in my inventory.  All these things are preventable with 2FA even if they have your password through a website data breach.  I want to protect all of these cases.

I support your call for your choice to continue as you are but my choice should also be respected.

[Gabriele Graves]

3 hours ago, Rowan Amore said:

WTH?

I think they are alluding to the idea that your login name gives you access to your account but isn't your avatar name.  Your avatar name is different and only that is displayed inworld.  This protects your actual login name from other people trying to gain access because looking at the inworld avatar name would yield no clue of what it is.  Some services use email addresses for the login name for example and you have a different name that everyone else can see but your email address is never exposed to the other users.

[Drayke Newall]

26 minutes ago, Gabriele Graves said:

Ironically 2FA would increase the security of those in all of those clueless scenarios you listed.

Right - so 2FA will prevent hackers getting into your account if they use a phishing scheme, despite me already showing how hackers can bypass it using that method... yep ok whatever.

[Gabriele Graves]

2 minutes ago, Drayke Newall said:

Right - so 2FA will prevent hackers getting into your account if they use a phishing scheme, despite me already showing how hackers can bypass it using that method... yep ok whatever.

Your last post wasn't about phishing, it was about bad passwords which 2FA can help with, hence my post.

Nothing can help with phishing, it is literally using the user against their own best interests.  There will never be a solution to that so it is pointless discussing that with regards to other security measures.  For everything else 2FA helps.

Edited April 20, 2021 by Gabriele Graves