
Two Factor Authentication (2FA)


You are about to reply to a thread that has been inactive for 1097 days.

Please take a moment to consider if this thread is worth bumping.


10 hours ago, Drayke Newall said:

That is my point in the whole thing. I have nothing against the 2FA method in that it provides security on top of passwords, just in its inconvenience and that without it being used on every account it becomes more and more vulnerable.

I've wanted to stay out of this since the last similar thread but one element that is missing for me and which seems to be mistaken by many is that 2FA is NOT a code that is sent to a phone or displayed on a token!

Some people's experience may be only that, others somewhat more. 2FA is a security principle of which the second factor could be an OTP code but does not have to be. Pedantic yes but it's an important point as far as I'm concerned.

Windows Hello for example can leverage certificates with biometrics. Difficult to use? Not unless sitting in front of the PC is considered difficult (and that's just one example of unobtrusive second factor).

Also, it seems that a large number of users seem reluctant to protect the viewer and if all they want to do is login and chat then I can understand their mindset but I've only seen Gabriele draw attention to the inventory as an important asset. That was certainly mine! Money I could have replaced but loss of intellectual property in scripts, animations, objects etc. that were of my creation would have ended my business operation.

Account takeover could also lead to related issues around fraud, either financial that affects the nonchalant player directly or others with whom that person would normally interact. Back to my example with assets. I would share content, edit rights and so on.

LL remain ridiculously behind the times by not offering methods available. Whether people want to use them would no doubt remain a personal choice and in that I have no issue with people who do not wish to apply better controls, just as long as they quit ranting about telling others that SL should not have better authentication security beyond avatar name and password!

Edited by Bradford Mint
  • Like 1
  • Haha 2

Were it any other company I'd have simply shrugged and not bothered to say anything. The last thing I want is a poor implementation, a broken one, one that removes the plethora of Viewer choices and many other things that could very well happen with a botched handling of this.

And if you really think such would not happen, you're either incredibly new here or simply have not been paying attention at all over the years.

The method(s) used/offered are not my major concern. Being optional is a lesser concern. It needs to be done right, without breaking anything at all (including being able to use TPVs) or shelved until such a time as it can be done right.

  • Like 1

The only way it's a bit acceptable is if they send an e-mail with a code. Overall, cursing on 2FA, especially when you need to go grab your phone from somewhere. The way Steam is doing it is pretty good and not so annoying.

But I do not deny that it can be a good thing.

Edited by Richardus Raymaker

11 hours ago, Evah Baxton said:

RSA SecurID SID700 hardware token

my bank gave me a similar device for internet banking

is a TOTP device. Each device has its own unique internal hash seed - no two devices have the same seed.  It has an internal clock. The current time is hashed with the seed to produce a code on the little screen. So produces a One Time code only for that device in that moment (changes every minute)

the device is solar powered and can't be plugged into anything

log in the bank website, id and password like normal. Then turn on the device. It gives the code and enter it into the signin page when asked

on its own the device is not enough, as the villain needs my sign-in name and password as well. But my bank says to treat the device exactly the same as house keys and car keys


a thing that Linden could do, is sell a Linden branded one of these to those who want them.  Linden send it to you in the RL. Then have to use the Linden TOTP viewer for ever after for the account that the TOTP device is assigned to

if I lose the TOTP or wish to cancel it then call Support, same as what happened when I lost my first bank TOTP device. I had to call my bank Support line, prove that I was the account holder - know the secrets that I gave when I opened my account - and they canceled the TOTP and sent me another one


Edited by Mollymews
  • Like 1
  • Haha 2
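The seed-plus-clock mechanism Mollymews describes is what the standard TOTP construction (RFC 6238 on top of RFC 4226 HOTP) does; here is an added example of that construction, not code from the forum or from Linden Lab, and the SecurID token's own algorithm is not something this thread specifies. The seed is the RFC 4226 test-vector secret, the 60-second step follows the post's "changes every minute", and the verifier accepts one step of clock drift either way so a code typed just as it rolls over still works.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 4226 test-vector secret, NOT a real token seed.
# In a real deployment every token gets its own random seed, as the post says.
SEED = b"12345678901234567890"

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: the 'counter' is simply how many time steps have elapsed since the epoch.
    Two tokens with different seeds therefore show different codes at the same moment."""
    return hotp(seed, unix_time // step, digits)

def verify_totp(seed: bytes, candidate: str, unix_time: int,
                step: int = 60, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. The token's clock and the server's clock drift apart, so the
    verifier tolerates +/- `window` steps; keep the window small, because every extra
    step widens the set of codes an attacker could guess. compare_digest avoids a
    timing side channel when comparing the submitted code."""
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

if __name__ == "__main__":
    now = 1_000_000_000  # fixed instant so the demo is reproducible
    code = totp(SEED, now)
    print("code on the token right now:", code)
    print("accepted one step later:", verify_totp(SEED, code, now + 60))
    print("accepted two steps later:", verify_totp(SEED, code, now + 120))
```

The RFC 4226 vectors for this seed (counter 0 gives 755224, counter 1 gives 287082) let you check the implementation against a known answer before trusting it with a real seed.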

5 hours ago, Mollymews said:

...

a thing that Linden could do, is sell a Linden branded one of these to those who want them.  Linden send it to you in the RL. Then have to use the Linden TOTP viewer for ever after for the account that the TOTP device is assigned to

...

Congratulations, you just described one of the many ways that implementation could be botched.

"Want 2FA? You can only use our Viewer to do it. What's that? You don't run Windows (or Mac)? Well too bad!" Alternately adding in a total shut down of the TPV directory, etc.

No.

  • Like 2
  • Thanks 2

I read that part of Molly's post as an optional choice.  If you use the Linden viewer, you would be able to choose that option for 2FA.  If you used another viewer, they would provide different 2FA options and probably wouldn't sell TOTP devices.  I didn't read it as locking out TPVs and having to use the Linden viewer.  No way in hell I'd be OK with that.


1 minute ago, Gabriele Graves said:

I read that part of Molly's post as an optional choice.  If you use the Linden viewer, you would be able to choose that option for 2FA.  If you used another viewer, they would provide different 2FA options and probably wouldn't sell TOTP devices.  I didn't read it as locking out TPVs and having to use the Linden viewer.  No way in hell I'd be OK with that.

Phrasing matters as does LL's track record with suggestions.

Offered as one of many options is one thing and not an issue. The concern/worry is that such would not be the case.

  • Thanks 2

12 hours ago, Drayke Newall said:

I fully agree and have said in all my posts 2FA is a good extra layer of security. What my point has always been however is that if that security is inconvenient and 90% of people are not going to use it no matter how much they are told it is worthwhile then it has a greater flaw than just its known security ones.

That is my point in the whole thing. I have nothing against the 2FA method in that it provides security on top of passwords, just in its inconvenience and that without it being used on every account it becomes more and more vulnerable.

Re: Inconvenience.

I proposed a method of a kind of hypothetical 2FA but received no answer.

So, I will pose it again.

What about a 2FA system that is easy such as sending out several auto-generated "code" names that the user would pick from as the first factor.  So, let's say it's me and 12 choices are sent to me to choose from, examples:  Dfair03r, fairrette66hvo, 9fair33gp, and so on and so on.  Then I click on one, and then am prompted to write it down because I will need it again to finish the 2FA process and once clicked all those choices disappear from the screen.  The second factor would be that when I choose a code name, let's say I picked Dfair03r, when I picked that and then an auto-generated code was sent to my email.  So, I go to email and see the code.  Next, I go back to the page and type in the code name I selected plus the code I received in my email, and done.  No one knows the code name I picked as it will never show anywhere.  If another device tries to log in, it will ask for the username code and the email code - 2 factors it would have to know.

I think what I am proposing here sounds rather easy and no one has to own a phone.

Edited by FairreLilette
  • Haha 1

3 minutes ago, FairreLilette said:

Re: Inconvenience.

I proposed a method of a kind of hypothetical 2FA but received no answer.

So, I will pose it again.

What about a 2FA system that is easy such as sending out several auto-generated "code" names that the user would pick from as the first factor.  So, let's say it's me and 12 choices are sent to me to choose from, examples:  Dfair03r, fairrette66hvo, 9fair33gp, and so on and so on.  Then I click on one, and then am prompted to write it down because I will need it again to finish the 2FA process and once clicked all those choices disappear from the screen.  The second factor would be that when I choose a code name, let's say I picked Dfair03r, when I picked that and then an auto-generated code was sent to my email.  So, I go to email and see the code.  Next, I go back to the page and type in the code name I selected plus the code I received in my email, and done.  No one knows the code name I picked as it will never show anywhere.  If another device tries to log in, it will ask for the username code and the email code - 2 factors it would have to know.

Your proposal sounds a little confusing.

But your account password is the first factor; a code sent to your email would already be the second factor. Selecting names/words/phrases is kind of unnecessary.

  • Like 2

7 minutes ago, Wulfie Reanimator said:

Your proposal sounds a little confusing.

But your account password is the first factor; a code sent to your email would already be the second factor. Selecting names/words/phrases is kind of unnecessary.

I'm not so sure as it (an auto-generated thingy) would give us a code name made out of our username that only we would know.  See, the thing is, our usernames show here and then all someone needs is our password basically.  I like the idea of having a hidden name no one else knows and if someone tries to log into our account from another device they could not know that code name unless they are a mind reader.  My hypothetical is also because I've read some of this thread and it's saying 2FA is not hack-proof.  I'm wondering if some kind of code name/username would be better and less hack-proof because it would never be shown.

Edited by FairreLilette

5 minutes ago, Rowan Amore said:

Just the fact I've often not received codes in my email in a timely fashion makes this a horrible idea.  

 

People will stop thinking it's a good idea the first time they have to wait 3 - 5 days for the email to finally hit their inbox. It happens far more often than many think. They're really not going to like it the first time the email gets lost in transmission. That does happen, too. It's happened to me many times in the past 20 years.

I don't think anyone is going to want to have to wait days or even weeks before they can log into the grid due to the fact that the internet is not perfect and things do get delayed or lost in the ether.

Edited by Silent Mistwalker

31 minutes ago, Rowan Amore said:

Just the fact I've often not received codes in my email in a timely fashion makes this a horrible idea.  

Since 2FA is optional, it would not be completed until one receives the code.  So, in essence it's on hold, holding the code name UNTIL one puts in both when they have both codes - picked out their hidden code name and received their email code or one could say then their optional text phone code.  Then, the official 2FA process would begin and be completed.  I do not see why one needs their email code immediately, especially since the code name is hidden and not known to anyone but the user themselves in my hypothetical.  I don't understand this fear of waiting a few days for an email code when we have no protection now.  In other words, selecting a code name is just the beginning but doesn't need to be or isn't completed until one puts in both and 'then' it begins.

Edited by FairreLilette
  • Haha 1

7 minutes ago, Silent Mistwalker said:

 

People will stop thinking it's a good idea the first time they have to wait 3 - 5 days for the email to finally hit their inbox. It happens far more often than many think. They're really not going to like it the first time the email gets lost in transmission. That does happen, too. It's happened to me many times in the past 20 years.

I don't think anyone is going to want to have to wait days or even weeks before they can log into the grid due to the fact that the internet is not perfect and things do get delayed or lost in the ether.

The issue also is sometimes there is a time limit on the code.  I've had that problem more than a few times.

  • Like 1

1 minute ago, FairreLilette said:

Since 2FA is optional, it would not be completed until one receives the code.  So, in essence it's on hold, holding the code name UNTIL one puts in both when they have both codes - picked out their hidden code name and received their email code or one could say then their optional text phone code.  Then, the official 2FA process would begin and be completed.  I do not see why one needs their email code immediately, especially since the code name is hidden and not known to anyone but the user themselves in my hypothetical.  I don't understand this fear of waiting a few days for an email code when we have no protection now.  In other words, selecting a code name is just the beginning but doesn't need to be completed until one puts in both and then it begins.

So you expect us to wait days to purchase Ls or log in?  Umm...no.

  • Thanks 1

12 minutes ago, Rowan Amore said:

The issue also is sometimes there is a time limit on the code.  I've had that problem more than a few times.

I've never seen any code sent by email that didn't have a time limit on it, usually [within] 24 hours.

Edited by Silent Mistwalker
  • Like 1

18 minutes ago, Silent Mistwalker said:

I've never seen any code sent by email that didn't have a time limit on it, usually [within] 24 hours.

With my hypothetical, it is doing away with the need for an immediate email or text code.  What my hypothetical does is give one a preliminary user code name that is different from their user name which shows on websites - it's a hidden code name no one sees.  So, that is why I said it will prompt one to write it down because they will need the user code name again once they actually do the 2FA process after they have received their other code either by email or phone.  Once both codes are readied, then they sign up for 2FA putting both those in at once (both the user code name and email/phone code) and then 2FA begins.  This kind of process would eliminate anyone knowing anyone's code name the website is actually using on any website as it would never show nor was it emailed nor sent to a phone.  

