Two Factor Authentication (2FA)


3 minutes ago, Gabriele Graves said:

Your last post wasn't about phishing, it was about bad passwords which 2FA can help with, hence my post.

Nothing can help with phishing, it is literally using the user against their own best interests.  There will never be a solution to that so it is pointless discussing that with regards to other security measures.  For everything else 2FA helps.

Erm... read my last post again, highlighted in blue... nothing to do with passwords but phishing stats.

Yes, I agree, and have always stated in all my posts that 2FA adds an additional layer of security, but relying on it like some seem to, holding it as the be-all and end-all of security, is absurd.

It also comes down to a chain of access. It doesn't help against bad passwords either. The whole point of 2FA is layer on layer of security. It is not there to protect bad passwords. The user still needs AAA passwords, different from those on other accounts, hidden behind the 2FA. Without that you are still vulnerable.

If a user uses the same password on a non-2FA (be it having none or optional) email account that is linked to your SL account as well, then they simply access your email, request a password reset from SL and they have access to your account, completely bypassing 2FA if it is not considered in development (i.e. most websites log in automatically after a password reset without requesting 2FA codes). Even worse is email 2FA, where they would have the code anyway as it was sent to email.

Then let's not forget to mention that 2FA can be bypassed if you have third-party login options (OAuth), whereby you use a Facebook account to sign in to a different account (thankfully not implemented for SL).

2FA can be bypassed many ways. Sure, it will help, but there are people in this thread that seem to think it is impossible to get your account unless through brute force or spoofing. That is not the case.

For me personally, I am more in favour of dual passwords, i.e. PIN and password, over 2FA, as 2FA requires security outside of itself (and is annoying) to work, whereas dual passwords require two unique passwords to be inputted, making it near impossible unless phishing/trojan is involved or the end user is once again an idiot and uses the same passwords everywhere.

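An added worked example of the password-reset bypass described in the post above (this is illustrative code written for this page, not code from the thread or from Linden Lab). The toy account service, its class and function names, and the use of single-use recovery codes as the second factor are all assumptions made so the example runs stand-alone. `reset_password_insecure` is the "log in automatically after a reset" pattern; `reset_password_secure` only changes the credential, revokes every session and outstanding token, and forces the normal login path, which stops at the second factor.

```python
# Added example (hypothetical service); not code from the thread or from Linden Lab.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    code_hashes: set  # sha256 of single-use second-factor (recovery) codes

@dataclass
class Session:
    user: str
    mfa_pending: bool  # True until the second factor has been presented

class AccountService:
    def __init__(self):
        self.users, self.sessions, self.reset_tokens = {}, {}, {}

    def add_user(self, name, password, recovery_codes):
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _pw_hash(password, salt),
                                {hashlib.sha256(c.encode()).hexdigest() for c in recovery_codes})

    # Normal login: password first, then a second factor before any access.
    def login(self, name, password):
        u = self.users[name]
        if not hmac.compare_digest(_pw_hash(password, u.salt), u.pw_hash):
            raise PermissionError("bad password")
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(name, mfa_pending=True)
        return sid

    def complete_mfa(self, sid, code):
        s, h = self.sessions[sid], hashlib.sha256(code.encode()).hexdigest()
        u = self.users[s.user]
        if h not in u.code_hashes:
            raise PermissionError("bad second factor")
        u.code_hashes.discard(h)  # single use
        s.mfa_pending = False

    def can_access(self, sid):
        s = self.sessions.get(sid)
        return s is not None and not s.mfa_pending

    # Password reset: the token is delivered to the mailbox on file.
    def request_reset(self, name):
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (name, time.time() + 900)  # 15 minute lifetime
        return token

    def _consume_reset_token(self, token):
        entry = self.reset_tokens.pop(token, None)
        if entry is None or entry[1] < time.time():
            raise PermissionError("invalid or expired reset token")
        return self.users[entry[0]]

    def reset_password_insecure(self, token, new_password):
        """The pattern the post describes: whoever holds the mailbox is logged in, no 2FA asked."""
        u = self._consume_reset_token(token)
        u.salt = os.urandom(16)
        u.pw_hash = _pw_hash(new_password, u.salt)
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(u.name, mfa_pending=False)
        return sid

    def reset_password_secure(self, token, new_password):
        """Reset changes the credential only; sessions and other tokens are revoked, no session issued."""
        u = self._consume_reset_token(token)
        u.salt = os.urandom(16)
        u.pw_hash = _pw_hash(new_password, u.salt)
        for sid in [k for k, s in self.sessions.items() if s.user == u.name]:
            del self.sessions[sid]
        for t in [k for k, (n, _) in self.reset_tokens.items() if n == u.name]:
            del self.reset_tokens[t]

def mailbox_attacker(secure: bool) -> bool:
    """Attacker controls the victim's mailbox and reads the reset token. True = usable session."""
    svc = AccountService()
    svc.add_user("victim", "correct horse battery staple", ["recovery-1"])
    token = svc.request_reset("victim")  # lands in the compromised mailbox
    if secure:
        svc.reset_password_secure(token, "attacker-chosen")
        sid = svc.login("victim", "attacker-chosen")  # stops at the second factor
    else:
        sid = svc.reset_password_insecure(token, "attacker-chosen")
    return svc.can_access(sid)
```

Note that the secure variant still does not help if the second factor itself is an emailed code sent to the same compromised mailbox, which is the "email 2FA" case the post raises: the attacker holds both the reset token and the code. A factor that does not pass through the mailbox (app, hardware key, or the recovery codes modelled here) is what makes the reset path safe.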

1 minute ago, Drayke Newall said:

Erm... read my last post again, highlighted in blue... nothing to do with passwords but phishing stats.

OK, let's do this by the numbers.  Regardless of highlighting, you made 11 bullet points.  7 of which are examples of bad password practices.  2 of which mentioned phishing, one of those was about people not changing their passwords (i.e. now they have a bad password).  So regardless of what you meant, the majority of your bullet points were examples of bad password practices and that is what I was referring to.


9 minutes ago, Drayke Newall said:

If a user uses the same password on a non-2FA (be it having none or optional) email account that is linked to your SL account as well, then they simply access your email, request a password reset from SL and they have access to your account, completely bypassing 2FA if it is not considered in development (i.e. most websites log in automatically after a password reset without requesting 2FA codes). Even worse is email 2FA, where they would have the code anyway as it was sent to email.

Then let's not forget to mention that 2FA can be bypassed if you have third-party login options (OAuth), whereby you use a Facebook account to sign in to a different account (thankfully not implemented for SL).

2FA can be bypassed many ways. Sure, it will help, but there are people in this thread that seem to think it is impossible to get your account unless through brute force or spoofing. That is not the case.

Most of this is down to 2FA being implemented badly.  Of course you aren't going to get good security if you implement it badly.  These are all avoidable mistakes.


3 minutes ago, Gabriele Graves said:

So regardless of what you meant, the majority of your bullet points were examples of bad password practices and that is what I was referring to.

Arguing over semantics.

1 minute ago, Gabriele Graves said:

Yes, it absolutely does.  If you use a bad password that can be determined by a third-party, the 2FA challenge will stop most attempts to access your accounts.

And in 90% of cases, if you use a bad password you are also the same person that uses that bad password on your non-2FA email account, allowing for a bypass to happen with them gaining access to your email account, of which most only have one.

2FA is like a band-aid on a wound: it protects on the surface but leaves you vulnerable to infection if you haven't stuck it down around the wound as well. Bad passwords are one of the reasons 2FA was invented; leaving them bad and solely relying on 2FA is just stupidity. Granted, you get extra security on that account, but what of others?

3 minutes ago, Gabriele Graves said:

Most of this is down to 2FA being implemented badly.  Of course you aren't going to get good security if you implement it badly.  These are all avoidable mistakes.

LOL no. It is impossible for 2FA developers to develop for instances like OAuth and password reset bypassing. Password reset bypass is when a non-2FA email account is already hacked. As for OAuth "login with Facebook account", this is equally impossible, as it bypasses the 2FA aspect of the platform's account security and relies on Facebook sending an authorisation key to the site being accessed. It is also why any security expert will tell you to never use OAuth.

If either the email or Facebook account has already been hacked then 2FA is worthless. Considering almost every platform, account or website has 2FA as optional, even if LL make it mandatory, you are still vulnerable on other accounts that do not have 2FA activated.

Look, I am not against 2FA, which you seem to think I am. I am simply saying that 2FA can never be 100% protection. People in this thread seem to think it is; they are wrong. That is my point: it is worthless unless EVERYTHING is secured. Everything still relies on the end user. If they haven't secured all of their accounts with 2FA then they are vulnerable.

Once again if a hacker wants your account in the end they will probably get it.


56 minutes ago, Drayke Newall said:

Arguing over semantics.

Yes you were.

Quote

And in 90% of cases, if you use a bad password you are also the same person that uses that bad password on your non-2FA email account, allowing for a bypass to happen with them gaining access to your email account, of which most only have one.

Account bypasses cannot be done if account security including 2FA is implemented properly.

Quote

2FA is like a band-aid on a wound: it protects on the surface but leaves you vulnerable to infection if you haven't stuck it down around the wound as well. Bad passwords are one of the reasons 2FA was invented; leaving them bad and solely relying on 2FA is just stupidity. Granted, you get extra security on that account, but what of others?

So 2FA was designed to help with bad passwords - so it does help then?  You changed your argument from before. 

2FA is another tool, if used well it can help, if not it doesn't - like all tools.  Metaphors about wounds and band-aids are invalid and are made to make 2FA seem bad without any substance.  I like the tool metaphor better.

Quote

LOL no. It is impossible for 2FA developers to develop for instances like OAuth and password reset bypassing. Password reset bypass is when a non-2FA email account is already hacked. As for OAuth "login with Facebook account", this is equally impossible, as it bypasses the 2FA aspect of the platform's account security and relies on Facebook sending an authorisation key to the site being accessed. It is also why any security expert will tell you to never use OAuth.

Yes, one of the bad practices I talk about is allowing logging in via third-party services using OAuth, or doing that from the user's perspective.  Clearly it isn't compatible with good security and 2FA.  I don't use any of my accounts to login to any service except the service that account is meant for.  People not following good practices is not the fault of the security tools available, and that goes for services and users.  Google for example does not allow you to login using anything but a Google account.

Quote

If either the email or Facebook account has already been hacked then 2FA is worthless. Considering almost every platform, account or website has 2FA as optional, even if LL make it mandatory, you are still vulnerable on other accounts that do not have 2FA activated.

You are talking about one very specific chain of events where everything is lined up for the hacker beginning with one bad practice (OAuth).  That doesn't invalidate 2FA being useful in any way.  It just means those services and/or users made bad choices.

You are making big assumptions and gross generalisations about those other accounts people have.
It is very possible for someone to have a bad password or make a bad choice on one service but not on others.

Also, if someone doesn't have 2FA turned on, how is that the fault of the 2FA security?
You cannot help or do anything about the totally clueless on the internet if they continue with terrible internet hygiene.  For everyone else, tools like 2FA help.

Quote

Look, I am not against 2FA, which you seem to think I am. I am simply saying that 2FA can never be 100% protection. People in this thread seem to think it is; they are wrong. That is my point: it is worthless unless EVERYTHING is secured. Everything still relies on the end user. If they haven't secured all of their accounts with 2FA then they are vulnerable.

Nobody to my knowledge has said in this thread that 2FA is 100% protection; it is only you who seems to think they are.

Quote

Once again if a hacker wants your account in the end they will probably get it.

Perhaps but with that reasoning we should not bother with any security.

Security is always a best effort, the better your security, the more people you cut out of being capable of gaining access to your accounts.  Again I don't see anyone saying differently on this topic.


I can't be bothered responding to everything you posted, so I'll just say this post and leave it at that. It's just a back-and-forth of me showing that 2FA is flawed, not used and in most cases useless if it isn't implemented on every account, and then you coming back with: no, it is great and down to the user's flaws, which is my entire point: the user not using 2FA everywhere means 2FA can be compromised.

Quote

Security is always a best effort, the better your security, the more people you cut out of being capable of gaining access to your accounts.

I agree, but security provided is only as good as what the user will accept. 2FA is not popular, hence why 99% of sites make it optional. Even in this thread the majority don't like it and have even threatened to leave if it is mandatory. That fact alone shows that it isn't a good security practice. 2FA is intrusive, annoying, time consuming, a privacy risk and requires additional add-ons which you need to run or open, and that is why it is unpopular.

Additionally, 90% of Gmail users (official Google data, though it may be slightly less now) don't use 2FA, opening the door to basic hacking and bypassing of 2FA on other accounts that Gmail account is linked to. Other data show that only 23% of people use 2FA, 41% say they don't use it due to inconvenience and 15% said they didn't use it due to privacy concerns. Both factors have already been brought up in this very thread. Whilst it might be good practice, it simply is useless when no one uses it. Even Microsoft suffers the same problem, begging people to use 2FA, revealing last year that a million-plus of its accounts are compromised monthly.

You might say, like others in this thread have in response to @Alwin Alcott (I think it was him) "bah what privacy risk is there with 2FA?" Well ask twitter who were recently fined $250 million for using email and phone numbers given solely for 2FA reasons for marketing. Twitter faces $250 million FTC fine for misusing emails and phone numbers - The Verge

Then you have issues with the form of 2FA, with security experts saying as far back as 2013 (and still saying) that SMS 2FA is useless due to accessing the account on the same device, i.e. a smartphone, being insecure, etc., yet it is still the most common form of 2FA, with 75% using SMS. Two-Factor Can’t Be Trusted Anymore For Online Banking: AusCERT (lifehacker.com.au)

Then issues come with shared accounts and how 2FA accesses those, with additional programs needed just to share those with people in the same team, which then compromises the system further.

The fact is that yes, 2FA adds an extra layer of security, but ONLY if it is mandatory, and the system is so unpopular that no popular site (including big tech) has been game to make it so. Twitter using the 2FA data for marketing last year and being caught also didn't help 2FA's cause.

You can argue all you like that 2FA is good for security, and I don't deny that, but it is a flawed and useless method if no one uses it everywhere and on every account, especially email like Gmail. If you use email 2FA and the Gmail account that the 2FA emails are sent to is compromised, then 2FA is bypassed with ease using password reset.


You are conflating so many things together that don't make sense and taking out of context things that have been said. 

For example, in your chosen bit about Alwin, there is no privacy risk with 2FA when done with time-based TOTP and thus there doesn't have to be any privacy risk with 2FA.  My position has always been that 2FA should be done right.  All the things you point out are examples of when it is done wrong.  2FA needing phones that require giving your phone number to a service?  Done wrong.  So the Twitter example?  Done Wrong.

Still you are going on about people who are not using 2FA as an example of 2FA being a problem.  How exactly is that a problem with 2FA?  Hint:  It isn't.

I am not sure what your point is, you don't seem to be making one very cogently.

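An added worked example of the time-based TOTP the post above refers to (written for this page, not code from the thread or from any of the services mentioned). It is RFC 4226 HOTP under RFC 6238 time steps, which is what Google Authenticator, Authy and similar apps implement. The point relevant to the privacy argument is visible in `enrol`: the only thing the service and the app ever share is a random secret, so no phone number or email address is needed. The verifier also shows two details a practitioner wants: a small drift window, and a replay guard so that a code captured once cannot be used twice. The secret used in the test is the RFC 4226/6238 test-vector secret; the issuer and account names are made up.

```python
# Added example, not code from the thread. RFC 4226 HOTP + RFC 6238 TOTP, stdlib only.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP, DIGITS = 30, 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / 30 s)."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret, t // STEP)

def enrol(issuer: str, account: str):
    """Server side of enrolment: a fresh random secret and the otpauth URI the
    authenticator app scans as a QR code. Nothing else is exchanged."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")
    return secret, uri

class TotpVerifier:
    """Per-user verifier. Accepts +/- `window` steps of clock drift and never
    accepts a step at or before the last one used, so a captured code is single use."""
    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window, self.last_step = secret, window, -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        t = int(time.time()) if unix_time is None else unix_time
        step = t // STEP
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue  # already consumed (replay), or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, candidate).encode(), code.encode()):
                self.last_step = candidate
                return True
        return False
```

The secret has to be stored server-side in a form the server can read (it is a symmetric secret, unlike a password hash), so it belongs in the same protection class as session signing keys, not in the user table alongside the password hash.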

7 hours ago, Bitterthorn said:

It's actually a really difficult line to walk! If you make the requirements too high people reuse passwords like crazy. If you make them too low passwords get cracked in minutes. Password managers help. Sometimes. 

Some companies are opting to allow easier to remember passwords because of this. 

I think our passwords will also not expire / expire less often in the future. No details on whether 2FA will now be required for any aspect of password set / change.


51 minutes ago, Gabriele Graves said:

For example, in your chosen bit about Alwin, there is no privacy risk with 2FA when done with time-based TOTP and thus there doesn't have to be any privacy risk with 2FA.  My position has always been that 2FA should be done right.  All the things you point out are examples of when it is done wrong.  2FA needing phones that require giving your phone number to a service?  Done wrong.  So the Twitter example?  Done Wrong.

Still you are going on about people who are not using 2FA as an example of 2FA being a problem.  How exactly is that a problem with 2FA?  Hint:  It isn't.

I am not sure what your point is, you don't seem to be making one very cogently.

No matter what method of 2FA is used, it is still going to fail in uptake due to the inconvenience or user concern. You say that isn't 2FA's fault, but it is, as it is structured around an inconvenience whereby that inconvenience makes it undesirable to use. That is its fault and problem alone: its flaw.

Your comeback argument will be "well, that doesn't matter, as if people don't use it that is their fault". True, however how does that solve the issue of account security unless it is made mandatory, which is unpopular? A true security system would be one which is the most secure and least annoying.

If 90% of people are not using 2FA (whatever its form), how is that done right? If I make a program that has poor uptake due to it not being popular, is that the end user's fault for not liking the program, or is it the program's or developer's fault for making a crap program that isn't liked? It is the latter, and the same with 2FA.

Take EFTPOS for example: the most secure method is to insert a card into the bottom so the chip is read off the card and a PIN is entered. Yet that is now gone due to inconvenience, and tap and go is now considered just as secure, if not more so, and more convenient. 2FA is like the reverse of that, where you have gone from convenience to inconvenience, and its uptake is equally the reverse of tap and go.

What you think about which method is right or wrong is also meaningless, if something is the commonly accepted form due to the least inconvenience then that is what is going to take place.

As to your time-based TOTP.

EA's SWTOR game uses time-based TOTP via an app you download on your phone or computer. It proved to be so unpopular due to the inconvenience that they had to give people an incentive to use it via free in-world purchasable currency, given monthly, of 200 credits. Blizzard also uses an app with time-based TOTP for WoW and did the same. Even with those incentives people still don't use it much.

You ask what my point is. My point is that no matter what 2FA there is, it is flawed. SMS is flawed due to it being insecure, email 2FA is flawed due to users potentially not having their email account equally protected, and all of them are flawed due to lack of desirability.

I am also not arguing against the use of 2FA (the more security the better), but thinking it is a viable and convenient security method that is going to actually achieve huge uptake is ludicrous.

:EDIT:

I don't know how else to explain it and think I have explained all I can. If you find it confusing and still use the excuses you have used, then I won't change your mind, so I will agree to disagree and leave it at that.


I am not trying to solve account security, just discussing 2FA.  If people don't want to secure their account, that's on them.  I am not trying to solve their security problems and never made any notion to.  Neither are you, incidentally; all you are doing is pooh-poohing security in general without any solutions.

You are very incorrect about security overall.  Security is a continuum, at one end is very secure and at the other end is very convenient.  You cannot have secure and convenient.  Good security is always a pain.
 


25 minutes ago, Gabriele Graves said:

  You cannot have secure and convenient.  Good security is always a pain.

I literally gave you an example of just that, secure and convenient, and you still say that. LMAO. Tap and go, payWave, contactless payment etc. is just as secure as EMV chips (its predecessor) on cards but more convenient.

That proves your statement is incorrect, but clearly you will always think otherwise.

Also, I am not 'pooh-poohing' security, just 2FA, which I am not at all trying to solve, simply stating (discussing, like you) that it is not that secure when the factors I raise are taken into consideration.

As I said I will just agree to disagree with you and leave it at that.


51 minutes ago, Drayke Newall said:

I literally gave you an example of just that - secure and convenient and you still say that. LMAO. Tap and go, pay wave, contactless payment etc is just as secure as EMV chips (its predecessor) on cards but more convenient.

You gave no such thing but you believe that if you wish.

51 minutes ago, Drayke Newall said:

That proves your statement is incorrect, but clearly you will always think otherwise.

It proves nothing, however believe as you wish.

51 minutes ago, Drayke Newall said:

As I said I will just agree to disagree with you and leave it at that.

That sounds like a good idea at this point.


21 hours ago, Love Zhaoying said:

I was shocked to learn, some companies are moving away from the more strong password requirements (my company included)!

Actually, it is current best practice to move away from password complexity rules towards other measures. The current best practice is to use a long and unique password for each service and not to enforce any complexity rules.

That's at least the recommendation of US NIST, German BSI, and the UK.

Mandatory XKCD https://xkcd.com/936/

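An added worked example of the policy the post above describes (written for this page, not code from the thread or from any standards body): a NIST SP 800-63B style check, which is a minimum length, a generous maximum, a blocklist of known-bad passwords and a check for context words, with no composition rules, placed next to the classic upper/lower/digit/symbol rule for comparison. The blocklist, the leetspeak folding and the sample passwords are constructed for the example; a real deployment would check against a breached-password corpus.

```python
# Added example, not code from the thread. Blocklist and samples are constructed.
import re
import unicodedata

MIN_LEN, MAX_LEN = 8, 64
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "dragon"}  # tiny stand-in
LEET = str.maketrans("@$0", "aso")  # common substitutions folded before the blocklist lookup

def legacy_complexity_ok(pw: str) -> bool:
    """The classic rule: 8-16 characters with upper, lower, digit and symbol."""
    return all([8 <= len(pw) <= 16, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def _fold(pw: str) -> str:
    """Case-fold, undo leetspeak and drop trailing digits/symbols, so 'P@ssw0rd1!' meets 'password'."""
    base = pw.casefold().translate(LEET)
    return re.sub(r"[^a-z]+$", "", base)

def nist_style_check(pw: str, context: tuple = ()) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    `context` carries words that must not appear (username, service name)."""
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B: normalise before comparing or hashing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if _fold(pw) in BLOCKLIST:
        reasons.append("matches a known-bad password")
    if len(set(pw)) <= 2:
        reasons.append("repetitive")  # aaaaaaaa, abababab
    for word in context:
        if word.casefold() in pw.casefold():
            reasons.append(f"contains '{word}'")
    return reasons
```

The two checks disagree in exactly the way the post describes: the complexity rule accepts a leetspeak variant of a top-ten password and rejects a long passphrase, while the length-plus-blocklist check does the opposite.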

18 hours ago, Drayke Newall said:

Doing anything with the username is useless as far as Second Life goes. So long as LL continue to not separate the account name (login name) and the user name (your SL identity i.e. FairreLilette) a person automatically has half of the data they need to access your account, meaning they only need a password now.

Doing anything with the username is worthless for other reasons too. Let's imagine you use email instead, like all the other sites. Great! You just enabled trivial password spraying attacks.

So the only benefit of username = inworld name is that attacks on a specific user's account get a tiny bit harder. But it fails anyway if the password is strong enough, so there is no benefit. Which is basically https://en.wikipedia.org/wiki/Kerckhoffs's_principle

So if your password is weak, no username trickery will save anything for long.

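An added worked example of what the password spraying mentioned above looks like from the defender's side (written for this page, not code from the thread). Spraying is one or two common passwords tried against many accounts, so no single account trips a lockout; the detection has to pivot on the source rather than the account. The log format, field names, sample lines and thresholds are all constructed for the example.

```python
# Added example, not code from the thread. Log format and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: 203.0.113.5 sprays one password across many accounts and
# gets in as frank; 198.51.100.7 hammers one account; 192.0.2.9 is a typo.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth fail user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth fail user=bob src=203.0.113.5
2024-05-01T10:00:05Z auth fail user=carol src=203.0.113.5
2024-05-01T10:00:07Z auth fail user=dave src=203.0.113.5
2024-05-01T10:00:09Z auth fail user=erin src=203.0.113.5
2024-05-01T10:00:11Z auth ok user=frank src=203.0.113.5
2024-05-01T10:00:12Z auth fail user=alice src=198.51.100.7
2024-05-01T10:00:13Z auth fail user=alice src=198.51.100.7
2024-05-01T10:00:14Z auth fail user=alice src=198.51.100.7
2024-05-01T10:00:15Z auth fail user=alice src=198.51.100.7
2024-05-01T10:00:16Z auth fail user=alice src=198.51.100.7
2024-05-01T10:00:16Z auth fail user=alice src=198.51.100.7
2024-05-01T10:05:00Z auth fail user=gina src=192.0.2.9
2024-05-01T10:05:30Z auth ok user=gina src=192.0.2.9
"""

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect(events, window=timedelta(minutes=10), spray_min_users=5,
           spray_max_per_user=2, brute_min_fails=5) -> list:
    """One finding per source. A spray is many distinct accounts each failing only
    a couple of times inside the window, which per-account lockout never sees.
    `successes` lists accounts that logged in from the same source: likely compromised."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        found, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            fails, oks = defaultdict(int), set()
            for e in evs[start:end + 1]:
                if e["result"] == "fail":
                    fails[e["user"]] += 1
                else:
                    oks.add(e["user"])
            if not fails:
                continue
            if len(fails) >= spray_min_users and max(fails.values()) <= spray_max_per_user:
                found = {"src": src, "type": "password_spray",
                         "users": sorted(fails), "successes": sorted(oks)}
            elif max(fails.values()) >= brute_min_fails:
                found = {"src": src, "type": "brute_force",
                         "users": [max(fails, key=fails.get)], "successes": sorted(oks)}
        if found:
            findings.append(found)
    return findings
```

Real sprays spread over many source addresses and hours, so in practice the same logic is applied per /24 or per ASN and with a longer window, and the "successes" list is what goes to the incident queue.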

15 hours ago, Drayke Newall said:

For me personally, I am more in favour of dual passwords, i.e. PIN and password, over 2FA, as 2FA requires security outside of itself (and is annoying) to work, whereas dual passwords require two unique passwords to be inputted, making it near impossible unless phishing/trojan is involved or the end user is once again an idiot and uses the same passwords everywhere.

Dual passwords are basically longer passwords. So why not simply require longer passwords?


2FA may be more secure in some situations.. banking, bills.. money things, but, let me tell ya, it's a bloody pain in the a**.. especially for email. I've lost 2 of my Zoho emails because of the authenticator and those emails are associated with other accounts. 😒 As for SL, I use a good VPN and good blockers.

I imagine that 2FA is a good thing for creators and store owners.. but for everyday SL users, IMO, it's a real pain.


16 hours ago, Gabriele Graves said:

Your last post wasn't about phishing, it was about bad passwords which 2FA can help with, hence my post.

Nothing can help with phishing, it is literally using the user against their own best interests.  There will never be a solution to that so it is pointless discussing that with regards to other security measures.  For everything else 2FA helps.

Well, WebAuthn claims to be phishing resistant. And it actually helps a bit for people that have some amount of common sense left. There are still some gullible people that fall for ANY phishing attempt, but that's unfixable.

https://i.blackhat.com/USA-19/Thursday/us-19-Brand-WebAuthn-101-Demystifying-WebAuthn.pdf

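An added worked example of where WebAuthn's phishing resistance comes from (written for this page; not code from the thread or from the linked slides). The browser, not the page, writes the origin into clientDataJSON and derives the RP ID from the page's host, the authenticator hashes the RP ID into authenticatorData, and the signature covers both. A lookalike page can therefore only obtain an assertion that names the wrong origin and wrong RP ID, and cannot patch those bytes without breaking the signature. To stay stdlib-only the credential signature is modelled with HMAC over a per-credential secret shared between the toy authenticator and the RP; real WebAuthn uses a public-key signature, which changes nothing about the checks shown. Host names, the credential layout and the class names are assumptions.

```python
# Added example, not code from the thread or the linked slides. Stdlib only; HMAC
# stands in for the credential's public-key signature, the checks are the same.
import hashlib
import hmac
import json
import secrets
import struct

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

class Authenticator:
    """Toy security key: one credential per RP ID, unusable for any other."""
    def __init__(self):
        self.creds = {}  # rp_id -> (cred_id, key)

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[rp_id] = (cred_id, key)
        return cred_id, key  # key stands in for the public key sent at registration

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            raise LookupError("no credential for this RP ID")
        cred_id, key = self.creds[rp_id]
        # authenticatorData = rpIdHash || flags (UP set) || signCount
        auth_data = rp_id_hash(rp_id) + b"\x01" + struct.pack(">I", 1)
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig

class Browser:
    """The user agent writes clientDataJSON itself; page script cannot choose the origin."""
    def __init__(self, authenticator):
        self.auth = authenticator

    def credentials_get(self, page_origin, challenge, rp_id=None):
        host = page_origin.split("://", 1)[1].split("/", 1)[0]
        rp_id = rp_id or host
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError("RP ID is not a registrable suffix of the page host")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}).encode()
        cred_id, auth_data, sig = self.auth.get_assertion(
            rp_id, hashlib.sha256(client_data).digest())
        return cred_id, client_data, auth_data, sig

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.creds, self.pending = {}, set()  # cred_id -> key; live challenges

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, cred_id, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        self.pending.discard(cd["challenge"])  # single use: no replay
        if cd.get("origin") != self.origin:  # assertion was made on some other site
            return False
        if auth_data[:32] != rp_id_hash(self.rp_id) or not auth_data[32] & 0x01:
            return False
        key = self.creds.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def setup():
    auth, rp = Authenticator(), RelyingParty("example.com", "https://example.com")
    cred_id, key = auth.make_credential("example.com")
    rp.creds[cred_id] = key  # registration, simplified
    return auth, rp, Browser(auth)

def legitimate_login() -> bool:
    auth, rp, browser = setup()
    return rp.finish_login(*browser.credentials_get("https://example.com", rp.begin_login()))

def phished_login() -> dict:
    """User lands on a lookalike host; the phisher relays the RP's real challenges."""
    auth, rp, browser = setup()
    evil, out = "https://example.com.evil.test", {}
    try:  # 1. page asks for the real RP ID: the browser refuses outright
        browser.credentials_get(evil, rp.begin_login(), rp_id="example.com")
        out["rp_id_override"] = "assertion produced"
    except PermissionError:
        out["rp_id_override"] = "blocked by browser"
    # 2. even with a credential for the evil host, the assertion names the evil
    #    origin and rpIdHash, so the RP rejects it
    auth.make_credential("example.com.evil.test")
    cred_id, cd, ad, sig = browser.credentials_get(evil, rp.begin_login())
    out["relayed"] = rp.finish_login(cred_id, cd, ad, sig)
    # 3. phisher rewrites origin, rpIdHash and credential ID to the real ones:
    #    those bytes are under the signature, which only the real key can make
    _, cd, ad, sig = browser.credentials_get(evil, rp.begin_login())
    forged_cd = json.dumps({**json.loads(cd), "origin": rp.origin}).encode()
    forged_ad = rp_id_hash(rp.rp_id) + ad[32:]
    out["tampered"] = rp.finish_login(next(iter(rp.creds)), forged_cd, forged_ad, sig)
    return out
```

This is also why a TOTP code can be relayed through a phishing page in real time while a WebAuthn assertion cannot: the code carries no notion of where it was typed, the assertion is bound to the origin it was made on.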

@Drayke Newall - I hear what you're saying, and let me say up front, with my RL experience in the field to back it up - there is no perfect cybersecurity. Ever. Not even completely air-gapping your systems is perfect.

HOWEVER

Yes, 2FA has flaws. I know exactly how the hacks you are talking about are done and, like you, I'm not going into details on a public forum with rules against posting howtos on such things.

The different methods of providing the "second token" all have different flaws, and different vulnerabilities. A thing they have in common, however, is that they universally have fewer vulnerabilities that are easy to exploit than do systems relying on a single token.

I do always read the domain name of a link before clicking on it. Even if an email address seems legit, if it's about something relating to security I'll be giving it an extra level of scrutiny, including tracing the "received:" headers to make sure it originated from where it claims to, and even then I won't click links in it unless it's a mail-with-link I just requested and am expecting. But then, with my background I'm probably a lot more careful than most regular users. Users who are not like me when it comes to security - which basically means "everybody except security professionals and the clinically paranoid" - would gain a tangible increase in their online security with any of the current 2FA methods, even with their flaws. Since I am the kind of 'net user I am I'd probably gain a bigger benefit than most because my security on the accounts and devices 2FA might rely on is made tighter.

But you can't make the fact that a system has flaws be an argument against it on principle when even with its flaws it would still be a net benefit.


About all those password statistics:

Most of my "passwords" are for accounts I wish I didn't need. They're the exact opposite of secure. Frankly, anybody who wants to use my free personalized playlist, or read my free selection of articles of interest, or shop with my personal AI shopper: Knock out your bad selves!


I have Authy for a few accounts, DUO for one.

One of these:

GoTrust Idem Key - FIDO2 L2 Security Key, USB and NFC Security Key - Two Factor Authentication with USB-A and NFC Interfaces - Works Across a Wide

And one of these:

RSA SecurID SID700 hardware token

So I purchased a keyring to organize them. Now my PC is telling me that my keyring needs a password! (That part was a joke.)

Seriously though, I get why they are there and I am used to them. Just frustrating sometimes.


9 hours ago, Da5id Weatherwax said:

But you can't make the fact that a system has flaws be an argument against it on principle when even with its flaws it would still be a net benefit.

I fully agree and have said in all my posts 2FA is a good extra layer of security. What my point has always been, however, is that if that security is inconvenient and 90% of people are not going to use it no matter how much they are told it is worthwhile, then it has a greater flaw than just its known security ones.

That is my point in the whole thing. I have nothing against the 2FA method in that it provides security on top of passwords, just in its inconvenience and that without it being used on every account it becomes more and more vulnerable.

