
10 hours ago, Drayke Newall said:

That is my point in the whole thing. I have nothing against the 2FA method in that it provides security on top of passwords, just in its inconvenience and that without it being used on every account it becomes more and more vulnerable.

I've wanted to stay out of this since the last similar thread but one element that is missing for me and which seems to be mistaken by many is that 2FA is NOT a code that is sent to a phone or displayed on a token!

Some people's experience may be only that, others somewhat more. 2FA is a security principle of which the second factor could be an OTP code but does not have to be. Pedantic yes but it's an important point as far as I'm concerned.

Windows Hello for example can leverage certificates with biometrics. Difficult to use? Not unless sitting in front of the PC is considered difficult (and that's just one example of unobtrusive second factor).

Also, it seems that a large number of users seem reluctant to protect the viewer and if all they want to do is login and chat then I can understand their mindset but I've only seen Gabriele draw attention to the inventory as an important asset. That was certainly mine! Money I could have replaced but loss of intellectual property in scripts, animations, objects etc. that were of my creation would have ended my business operation.

Account takeover could also lead to related issues around fraud, either financial that affects the nonchalant player directly or others with whom that person would normally interact. Back to my example with assets. I would share content, edit rights and so on.

LL remain ridiculously behind the times by not offering methods available. Whether people want to use them would no doubt remain a personal choice and in that I have no issue with people who do not wish to apply better controls, just as long as they quit ranting about telling others that SL should not have better authentication security beyond avatar name and password!

Edited by Bradford Mint
Were it any other company I'd have simply shrugged and not bothered to say anything. The last thing I want is a poor implementation, a broken one, one that removes the plethora of Viewer choices and many other things that could very well happen with a botched handling of this.

And if you really think such would not happen, you're either incredibly new here or simply have not been paying attention at all over the years.

The method(s) used/offered are not my major concern. Being optional is a lesser concern. It needs to be done right, without breaking anything at all (including being able to use TPVs) or shelved until such a time as it can be done right.


The only way it's a bit acceptable is if they send an e-mail with a code. Overall, cursing on 2FA, especially when you need to go grab your phone from somewhere. The way Steam is doing it is pretty good and not so annoying.

But I do not deny that it can be a good thing.

Edited by Richardus Raymaker
18 minutes ago, Gabriele Graves said:

not to send codes over insecure transport mechanisms.

Maybe mail all users a modern Enigma machine (or RSA fob if you want to be in the late 1990s), so they have a secure thing.

1 minute ago, Love Zhaoying said:

Maybe mail all users a modern Enigma machine (or RSA fob if you want to be in the late 1990s), so they have a secure thing.

Of course it's also completely ignoring the length of time an email can take to be received.

11 hours ago, Evah Baxton said:

RSA SecurID SID700 hardware token

my bank gave me a similar device for internet banking

is a TOTP device. Each device has its own unique internal hash seed - no two devices have the same seed. It has an internal clock. The current time is hashed with the seed to produce a code on the little screen. So it produces a one-time code only for that device in that moment (changes every minute)

the device is solar powered and can't be plugged into anything

log in to the bank website, id and password like normal. Then turn on the device. It gives the code and I enter it into the sign-in page when asked

on its own the device is not enough, as the villain needs my sign-in name and password as well. But my bank says to treat the device exactly the same as house keys and car keys

a thing that Linden could do, is sell a Linden branded one of these to those who want them. Linden send it to you in the RL. Then have to use the Linden TOTP viewer for ever after for the account that the TOTP device is assigned to

if you lose the TOTP or wish to cancel it then call Support, same as what happened when I lost my first bank TOTP device. I had to call my bank Support line, prove that I was the account holder - know the secrets that I gave when I opened my account - and they canceled the TOTP and sent me another one

Edited by Mollymews
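The token described in the post above works on the principle of a shared secret plus a clock. As an added illustration (this is not code from the forum, from Linden Lab, or the SecurID algorithm, which is proprietary), here is an RFC 6238-style TOTP generator with a server-side verifier. The seed is the RFC 4226/6238 test seed, the 30-second step is the RFC default (the post's token changes every minute; the step is just a parameter), and the `TotpVerifier` class, its drift window and its replay check are assumptions for the example.

```python
"""RFC 6238-style TOTP: generator plus a verifier that rejects code reuse.
Added example; the seed, step size and verifier design are assumptions."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

# Seed from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# A real device gets its own random seed, e.g. secrets.token_bytes(20),
# which is why no two devices produce the same sequence of codes.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA1
    offset = digest[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based code (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so seed + clock fully determine the code."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class TotpVerifier:
    """Server side: one seed per enrolled device, a small clock-drift window,
    and refusal to accept a code from an interval that was already consumed."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.devices: Dict[str, Tuple[bytes, int]] = {}  # id -> (seed, last counter)

    def enroll(self, device_id: str, seed: Optional[bytes] = None) -> bytes:
        """Register a device; a fresh random seed is generated unless one is given."""
        seed = seed or secrets.token_bytes(20)
        self.devices[device_id] = (seed, -1)
        return seed

    def verify(self, device_id: str, candidate: str,
               for_time: Optional[float] = None) -> bool:
        if device_id not in self.devices:
            return False
        if not (candidate.isascii() and candidate.isdigit()):
            return False                       # compare_digest needs ASCII input
        seed, last = self.devices[device_id]
        now = int((time.time() if for_time is None else for_time) // self.step)
        for c in range(now - self.window, now + self.window + 1):
            if c <= last:                      # interval already used: replay attempt
                continue
            if hmac.compare_digest(hotp(seed, c, self.digits), candidate):
                self.devices[device_id] = (seed, c)   # advance the high-water mark
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier()
    verifier.enroll("fob-1", RFC_TEST_SEED)
    clock = 90.0                               # constructed clock value (counter 3)
    code = totp(RFC_TEST_SEED, clock)
    print("code:", code,
          "first use:", verifier.verify("fob-1", code, clock),
          "replay:", verifier.verify("fob-1", code, clock))
```

The replay check is the server-side half of "one time": a code that was accepted once is refused for the rest of its interval, and codes from earlier intervals are refused outright, so intercepting a single displayed code buys nothing once it has been used.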
5 hours ago, Mollymews said:

...

a thing that Linden could do, is sell a Linden branded one of these to those who want them. Linden send it to you in the RL. Then have to use the Linden TOTP viewer for ever after for the account that the TOTP device is assigned to

...

Congratulations, you just described one of the many ways that implementation could be botched.

"Want 2FA? You can only use our Viewer to do it. What's that? You don't run Windows (or Mac)? Well, too bad!" Alternately adding in a total shut down of the TPV directory, etc.

No.


I read that part of Molly's post as an optional choice.  If you use the Linden viewer, you would be able to choose that option for 2FA.  If you used another viewer, they would provide different 2FA options and probably wouldn't sell TOTP devices.  I didn't read it as locking out TPVs and having to use the Linden viewer.  No way in hell I'd be OK with that.

1 minute ago, Gabriele Graves said:

I read that part of Molly's post as an optional choice.  If you use the Linden viewer, you would be able to choose that option for 2FA.  If you used another viewer, they would provide different 2FA options and probably wouldn't sell TOTP devices.  I didn't read it as locking out TPVs and having to use the Linden viewer.  No way in hell I'd be OK with that.

Phrasing matters as does LL's track record with suggestions.

Offered as one of many options is one thing and not an issue. The concern/worry is that such would not be the case.

12 hours ago, Drayke Newall said:

I fully agree and have said in all my posts 2FA is a good extra layer of security. What my point has always been however is that if that security is inconvenient and 90% of people are not going to use it no matter how much they are told it is worthwhile then it has a greater flaw than just its known security ones.

That is my point in the whole thing. I have nothing against the 2FA method in that it provides security on top of passwords, just in its inconvenience and that without it being used on every account it becomes more and more vulnerable.

Re: Inconvenience.

I proposed a method of a kind of hypothetical 2FA but received no answer.

So, I will pose it again.

What about a 2FA system that is easy such as sending out several auto-generated "code" names that the user would pick from as the first factor. So, let's say it's me and 12 choices are sent to me to choose from, examples: Dfair03r, fairrette66hvo, 9fair33gp, and so on and so on. Then I click on one, and then am prompted to write it down because I will need it again to finish the 2FA process and once clicked all those choices disappear from the screen. The second factor would be that when I choose a code name, let's say I picked Dfair03r, when I picked that an auto-generated code would be sent to my email. So, I go to email and see the code. Next, I go back to the page and type in the code name I selected plus the code I received in my email, and done. No one knows the code name I picked as it will never show anywhere. If another device tries to log in, it will ask for the username code and the email code - 2 factors it would have to know.

I think what I am proposing here sounds rather easy and no one has to own a phone.

Edited by FairreLilette
3 minutes ago, FairreLilette said:

Re: Inconvenience.

I proposed a method of a kind of hypothetical 2FA but received no answer.

So, I will pose it again.

What about a 2FA system that is easy such as sending out several auto-generated "code" names that the user would pick from as the first factor. So, let's say it's me and 12 choices are sent to me to choose from, examples: Dfair03r, fairrette66hvo, 9fair33gp, and so on and so on. Then I click on one, and then am prompted to write it down because I will need it again to finish the 2FA process and once clicked all those choices disappear from the screen. The second factor would be that when I choose a code name, let's say I picked Dfair03r, when I picked that an auto-generated code would be sent to my email. So, I go to email and see the code. Next, I go back to the page and type in the code name I selected plus the code I received in my email, and done. No one knows the code name I picked as it will never show anywhere. If another device tries to log in, it will ask for the username code and the email code - 2 factors it would have to know.

Your proposal sounds a little confusing.

But your account password is the first factor; a code sent to your email would already be the second factor. Selecting names/words/phrases is kind of unnecessary.

7 minutes ago, Wulfie Reanimator said:

Your proposal sounds a little confusing.

But your account password is the first factor; a code sent to your email would already be the second factor. Selecting names/words/phrases is kind of unnecessary.

I'm not so sure as it (an auto-generated thingy) would give us a code name made out of our username that only we would know. See, the thing is, our usernames show here and then all someone needs is our password basically. I like the idea of having a hidden name no one else knows and if someone tries to log into our account from another device they could not know that code name unless they are a mind reader. My hypothetical is also because I've read some of this thread and it's saying 2FA is not hack-proof. I'm wondering if some kind of code name/username would be better and less hack-proof because it would never be shown.

Edited by FairreLilette

Let's be clear about the hackability of 2FA. The likelihood of being hacked is significantly higher if codes are being sent to you over cell or internet somehow. If you are generating your own codes on a device/PC the risk of 2FA being hacked is far, far smaller.

5 minutes ago, Rowan Amore said:

Just the fact I've often not received codes in my email in a timely fashion makes this a horrible idea.

People will stop thinking it's a good idea the first time they have to wait 3 - 5 days for the email to finally hit their inbox. It happens far more often than many think. They're really not going to like it the first time the email gets lost in transmission. That does happen, too. It's happened to me many times in the past 20 years.

I don't think anyone is going to want to have to wait days or even weeks before they can log into the grid due to the fact that the internet is not perfect and things do get delayed or lost in the ether.

Edited by Silent Mistwalker
31 minutes ago, Rowan Amore said:

Just the fact I've often not received codes in my email in a timely fashion makes this a horrible idea.  

Since 2FA is optional, it would not be completed until one receives the code. So, in essence it's on hold, holding the code name UNTIL one puts in both when they have both codes - picked out their hidden code name and received their email code or one could say their optional text phone code. Then, the official 2FA process would begin and be completed. I do not see why one needs their email code immediately, especially since the code name is hidden and not known to anyone but the user themselves in my hypothetical. I don't understand this fear of waiting a few days for an email code when we have no protection now. In other words, selecting a code name is just the beginning but doesn't need to be or isn't completed until one puts in both and 'then' it begins.

Edited by FairreLilette
7 minutes ago, Silent Mistwalker said:

People will stop thinking it's a good idea the first time they have to wait 3 - 5 days for the email to finally hit their inbox. It happens far more often than many think. They're really not going to like it the first time the email gets lost in transmission. That does happen, too. It's happened to me many times in the past 20 years.

I don't think anyone is going to want to have to wait days or even weeks before they can log into the grid due to the fact that the internet is not perfect and things do get delayed or lost in the ether.

The issue also is sometimes there is a time limit on the code. I've had that problem more than a few times.

1 minute ago, FairreLilette said:

Since 2FA is optional, it would not be completed until one receives the code. So, in essence it's on hold, holding the code name UNTIL one puts in both when they have both codes - picked out their hidden code name and received their email code or one could say their optional text phone code. Then, the official 2FA process would begin and be completed. I do not see why one needs their email code immediately, especially since the code name is hidden and not known to anyone but the user themselves in my hypothetical. I don't understand this fear of waiting a few days for an email code when we have no protection now. In other words, selecting a code name is just the beginning but doesn't need to be completed until one puts in both and then it begins.

So you expect us to wait days to purchase L$ or log in? Umm... no.

12 minutes ago, Rowan Amore said:

The issue also is sometimes there is a time limit on the code. I've had that problem more than a few times.

I've never seen any code sent by email that didn't have a time limit on it, usually [within] 24 hours.

Edited by Silent Mistwalker
18 minutes ago, Silent Mistwalker said:

I've never seen any code sent by email that didn't have a time limit on it, usually [within] 24 hours.

With my hypothetical, it is doing away with the need for an immediate email or text code. What my hypothetical does is give one a preliminary user code name that is different from their user name which shows on websites - it's a hidden code name no one sees. So, that is why I said it will prompt one to write it down because they will need the user code name again once they actually do the 2FA process after they have received their other code either by email or phone. Once both codes are readied, then they sign up for 2FA putting both those in at once (both the user code name and email/phone code) and then 2FA begins. This kind of process would eliminate anyone knowing anyone's code name the website is actually using on any website as it would never show nor was it emailed nor sent to a phone.
