Two Factor Authenication (2FA)

[Solar Legion]

What your hypothetical does is unnecessarily complicate the entire process. That is the long and short of it.

[Kathlen Onyx]

18 minutes ago, FairreLilette said:

With my hypothetical, it is doing away with the need for an immediate email or text code.  What my hypothetical does is give one a preliminary user code name that is different from their user name which shows on websites - it's a hidden code name no one sees.  So, that is why I said it will prompt one to write it down because they will need the user code name again once they actually do the 2FA process after they have received their other code either by email or phone.  Once both codes are readied, then they sign up for 2FA putting both those in at once (both the user code name and email/phone code) and then 2FA begins.  This kind of process would eliminate anyone knowing anyone's code name the website is actually using on any website as it would never show nor was it emailed nor sent to a phone.  

Holy cow! If this was the process at my bank I'd be rich as I'd never figure out how to actually GET the money out! Of course I'm joking but really? Do we need really need more stringent verification than even what a banking organization uses?

[FairreLilette]

30 minutes ago, Sam1 Bellisserian said:

Holy cow! If this was the process at my bank I'd be rich as I'd never figure out how to actually GET the money out! Of course I'm joking but really? Do we need really need more stringent verification than even what a banking organization uses?

Eliminating the factor that anyone would actually know the code name (user name) on any website is somewhat intriguing.  Just think, you are on Amazon and your user name is jane_holy_cow BUT the website has changed that name into a secret one that you clicked on to choose from several options such as 4Ajanlyco7eq plus there is a second code it needs also.  However, these two codes are only needed when another device attempts to log into your account, one that you haven't synced.    

What 2FA does is attempt to lock out other devices we haven't authorized, not the ones we have.  

Edited April 24, 2021 by FairreLilette

[Wulfie Reanimator]

50 minutes ago, FairreLilette said:

Eliminating the factor that anyone would actually know the code name (user name) on any website is somewhat intriguing.  Just think, you are on Amazon and your user name is jane_holy_cow BUT the website has changed that name into a secret one that you clicked on to choose from several options such as 4Ajanlyco7eq plus there is a second code it needs also.  However, these two codes are only needed when another device attempts to log into your account, one that you haven't synced.    

What 2FA does is attempt to lock out other devices we haven't authorized, not the ones we have.  

Oh, I get it now. You're advocating for private/hidden usernames. That's fair, it's kinda silly when services expose half the login credentials. At least, some of those places use email-only login and/or 2FA.

But auto-generated codes/usernames is still needlessly convoluted.

[FairreLilette]

6 minutes ago, Wulfie Reanimator said:

That's fair, it's kinda silly when services expose half the login credentials. 

I think so too. 

But, how then could a name change happen into a secret name where it isn't sent to one's email or phone?  I thought perhaps that might be helpful as it wouldn't be recorded anywhere; we'd have to write it down and then put in both codes when we are ready to have 2FA begin to do it's thing.  But, remember, what I wrote is a hypothetical and one would need to take just my idea and make it work with their knowhow.  I am not a geek, so I could never really make up a complete hypothetical.  I know some Photoshop.  The rest of computers, not much.  

Anyhow, I like the idea of no one really would know the user name the website is using except ourselves as it wouldn't be the name that shows.  How to do it, I have no idea really.

Edited April 24, 2021 by FairreLilette

[Kathlen Onyx]

One thing people tend to forget is that as technology grows more complicated the older generations will be left out in the cold. Hell, half the people I help on the phones can't even create a simple password without having to reset it every time they log in.  I'm all for technology but when you start requiring such complicated processes for every day use it gets tricky.  Think this doesn't apply to you? It will because you will eventually be that person.  Dementia, health issues, or simple forgetfulness will make what may seem to be a simple process at your age now seem much more complicated.

[Kimmi Zehetbauer]

11 minutes ago, Sam1 Bellisserian said:

One thing people tend to forget is that as technology grows more complicated the older generations will be left out in the cold. Hell, half the people I help on the phones can't even create a simple password without having to reset it every time they log in.  I'm all for technology but when you start requiring such complicated processes for every day use it gets tricky.  Think this doesn't apply to you? It will because you will eventually be that person.  Dementia, health issues, or simple forgetfulness will make what may seem to be a simple process at your age now seem much more complicated.

One of my nieces is a LMFT and uses EMDR using a pulsar box to do the bilateral stimulation and the old box she was using was a simple one she just turned it on and it worked. When it went kaput she got a new one and it has a screen on it and stuff. Now it takes her 29 hours to get the right settings for her client. So technology is not always better.

[Da5id Weatherwax]

For banking I use an app on my phone that authenticates via a combo of the IMEI of my device and a biometric. The only functional attack on this is MITM, which I know the code is set up to detect as much as possible - Not 100% perfect but better than most. I still have the option to CALL them and say "lock it all down" - If I do that then any transactions using ANY online auth method are frozen.

That level of security and making it convenient/easy to use is expensive. Not for me, the customer, but for the company implementing it. If LL go that far I'd expect to see it on the Tilia-side only, for L$ cashouts or purchases. Only when real money is being transferred. If LL want a wider implementation of 2FA they will go for a method that would be cost-effective to implement on the scale they envision - it will be weaker, but it will still be better than name+pass.

[Mollymews]

7 hours ago, Solar Legion said:

Congratulations, you just described one of the many ways that implementation could be botched.

"Want 2FA? You can only use our Viewer to do it. What's that? You don't run Windows (or Mac)? Well to bad!" Alternately adding in a total shut down of the TPV directory, etc.

No.

you are right. When think about it a bit more then I was a bit narrow in my previous thought

is not a big deal to allow TPVs to provide TOTP sign-in. TPVs do sign-in now and don't pass user signin credentials to their own server. So adding a TOPT code to the existing credentials doesn't change the security level insofar as TPVs are concerned

 

[Mollymews]

12 hours ago, bigmoe Whitfield said:

2fa in yubikey would also be an option for myself, but I'm gonna need a few yubikeys because of the 4 active accounts. 

is possible that one device can be assigned to more than one account

would require that we proof ownership of all the accounts assigned to the device, but I think that would be a pretty standard requirement

same as my bank. I have 3 different accounts with my bank for different purposes. They all use the same login credentials: id + password + topt code

edit explain more

in the SL case then the accounts are a bit more separate. Each has its own id + password. The id at least being different. But isn't a biggie to know that multiple id's can be assigned to the same topt device 

Edited April 24, 2021 by Mollymews

[bigmoe Whitfield]

42 minutes ago, Mollymews said:

is possible that one device can be assigned to more than one account

would require that we proof ownership of all the accounts assigned to the device, but I think that would be a pretty standard requirement

same as my bank. I have 3 different accounts with my bank for different purposes. They all use the same login credentials: id + password + topt code

edit explain more

in the SL case then the accounts are a bit more separate. Each has its own id + password. The id at least being different. But isn't a biggie to know that multiple id's can be assigned to the same topt device 

I just want my accounts secured, sms/2fa/yubi,  combinations of things if possible.   basically how I've got it right now.  I've got things set so it uses passwords with untypeable charsets,  randomly generated over 1gb in strength.   I'd love to have a 2fa solution that let me be able to remember my passwords,  I can not even login from work to check emails and such,  because of how the internet has become and new jobs "can you sign into your email account and accept all the documents we have sent" um no, password manager is what I have to tell them,  several of them have not been happy because "you are too secure, you should lesson your requirements"   no I'm not the paranoid type, I just,  prefer certain aspects stay mine.

[Drayke Newall]

20 hours ago, Bradford Mint said:

I've wanted to stay out of this since the last similar thread but one element that is missing for me and which seems to be mistaken by many is that 2FA is NOT a code that is sent to a phone or displayed on a token!

Some people's experience may be only that, others somewhat more. 2FA is a security principle of which the second factor could be a OTP code but does not have to be. Pedantic yes but it's an important point as far as I'm concerned.

Where did anyone imply that 2FA is only a code? No one has said that. The difference is, the most common 2FA method is a code via email or sms.

There is a reason why that is the case as well. No software or web company is going to spend money with biometric 2FA unless it is physically built into a device and doing so would have worse take up than the code 2FA method.

[Alwin Alcott]

5 hours ago, bigmoe Whitfield said:

I just want my accounts secured, sms/2fa/yubi,  combinations of things if possible.mine.

i want ilok  ( because i have that already   )

[bigmoe Whitfield]

1 hour ago, Alwin Alcott said:

i want ilok  ( because i have that already   )

then we have some people that want nothing,  which boggles my mind they believe they are immune.

[Gabriele Graves]

That's OK, they can have some of that really convenient but really strong security instead 😁

[Alwin Alcott]

30 minutes ago, Gabriele Graves said:

That's OK, they can have some of that really convenient but really strong security instead 😁

 since nothing can reach the protection you want,  and nobody says anything that is of your levels, how you protect yourself here now? Must be a terrifying experience to login on SL/forums.

Edited April 25, 2021 by Alwin Alcott

[Gabriele Graves]

14 minutes ago, Alwin Alcott said:

 since nothing can reach the protection you want,  and nobody says anything that is of your levels, how you protect yourself here now? Must be a terrifying experience to login on SL/forums.

Nothing you have written represents how I feel or my stance on security at all.  If you had properly read my posts you would know that.

Criticise my opinions on security all you want but how about you stop making it personal?

Edited April 25, 2021 by Gabriele Graves

[CandyCole]

Just being able to set an alias forum name on here would be a start.

Create the account with your real SL username, then option to change the displayed forum name.

Hopefully most people using the forum do so with an alt account which does not handle money within SL.

[Bradford Mint]

4 hours ago, Drayke Newall said:

Where did anyone imply that 2FA is only a code? No one has said that. The difference is, the most common 2FA method is a code via email or sms.

There is a reason why that is the case as well. No software or web company is going to spend money with biometric 2FA unless it is physically built into a device and doing so would have worse take up than the code 2FA method.

My post said that's it's a mistake made by many. Please read a little harder. Just about everyone was fixated on codes by SMS, email or token.

As to biometrics, I'm really not going to get into it for good reason or the other methods available. I'll just keep snacking on the popcorn and watch with amusement

[bigmoe Whitfield]

4 hours ago, CandyCole said:

Just being able to set an alias forum name on here would be a start.

Create the account with your real SL username, then option to change the displayed forum name.

Hopefully most people using the forum do so with an alt account which does not handle money within SL.

the forum software uses the SL database to make account for the forum with, it's intergration and doing what you suggested will break or cause issues.   I've had the pleasure of working with xenforo and intergrating with with a game using the name table in the database  and if we left alias on,  it really REALLY borked things, because it will update the game account in the game too. ugh. 

[Drayke Newall]

4 hours ago, Bradford Mint said:

My post said that's it's a mistake made by many. Please read a little harder. Just about everyone was fixated on codes by SMS, email or token.

As to biometrics, I'm really not going to get into it for good reason or the other methods available. I'll just keep snacking on the popcorn and watch with amusement

Then I suggest next time dont quote someone if you are making a general statement. Especially when what you quote doesn't mention anything at all about codes or what your argument is about.

[Bradford Mint]

9 minutes ago, Drayke Newall said:

Then I suggest next time dont quote someone if you are making a general statement. Especially when what you quote doesn't mention anything at all about codes or what your argument is about.

Or I could just ignore your request... It did, you interpreted badly

[Nova Convair]

Usernames have nothing to do with 2FA. If your login data is leaked or phished it's completely irrelevant.
2FA prevents loss of account here and even the worst 2FA method is 100 times better than no 2FA.

It's about time that SL will use that. In europe it's already mandantory for all sales and money transfer services so the whining about 2FA - I can't even hear you. 😎

If you wan't 100% safety - sell your computer. Oh and put some work into it - I have a 2nd 2FA method defined for every of my 2FA's. If the smartphone gets eaten or the key breaks through in the middle or whatever - that makes the difference between just flipping over to the new phone or vanish into the void of digital non existence. 😁