Why Does SL Not Have 2 Factor Authentication For Accounts?

[Alwin Alcott]

2 hours ago, Chris Nova said:

Hacking, phishing, I don’t care.

that's a reason it's not worth discussing this. It's not the same. Safety tools in hands of idiots will still fail to work.

[Qie Niangao]

11 hours ago, Rolig Loon said:

I dunno either, frankly, but that's really my point, Qie.  Before you start applying a solution, you need to first demonstrate whether it's necessary or not.  If you begin by saying, "We have a handy solution.  I wonder if we have a problem to use it on?" you may be going to extra work or -- heaven forbid -- actually creating more problems for yourself.  To quote our apocryphal mothers, "If all your friends were jumping off the roof, would that mean it's a good idea for you to do it too?"  Maybe the answer is yes, but not unless you've thought it through and balanced the risks and benefits carefully.

Possibly, but mum didn't have Accenture's advice about roof-jumping.

Is the theory that practically all financial services firms (and many others) have somehow fallen victim to 2FA snake-oil sales? Or is there something special about Second Life that makes it uniquely safe from the consequences of compromised authentication?

Sure, most users don't have enough in SL accounts to be worth swindling directly, and most haven't linked other financial accounts for direct transfer, but this isn't about those people, however much they seem to want to make it about themselves. Why they're so very against letting others have the option, I just cannot fathom.

I wonder, though, if there might be a stopgap for the truly at-risk (and maybe it's already in place?) : Does SL+Tilia provide a way to limit an account so it can only ever disburse L$s or US$s to Linden Lab or one pre-selected PayPal account, and lock the arrangement from being changed without executing a physical, notarized legal instrument? Obviously, on a per-account basis, this would cost orders of magnitude more than 2FA, but there's only maybe a few thousand accounts that conduct enough SL business to want such protection.

Developing the special-purpose ultra-secure software to implement such strict account limits might cost less than integrating plug-and-play off-the-shelf 2FA used by everybody else in the industry. (Wanna bet?)

[Jax Leeder]

In my humble opinion there should indeed be 2FA but it should only be triggered when logging in from a different IP address from the one LL previously had a logon from that account on (and at a minimum of 30 days too just to keep tabs).

2FA should not be mandatory - if people do not wish to take the extra steps to secure their account then they can elect not to and then deal with the consequences.

There should not be a bonus award in L$ for having 2FA active as that will get abused by multiple account creators.

Basically - provide the framework to secure the account and payment info for that who wish to use it and then let people make up their own minds.

Edited July 26, 2021 by Jax Leeder

[Chris Corvinus]

2 hours ago, Alwin Alcott said:

that's a reason it's not worth discussing this. It's not the same. Safety tools in hands of idiots will still fail to work.

Of course they are not the same but both have the goal of obtaining information and in that way, they are related. Making 2FA optional allows idiots to keep being idiots and the rest of us the option to add a layer of protection for our accounts that we all know works.

[Love Zhaoying]

15 hours ago, Silent Mistwalker said:

Did you hurt your back reaching that far? I'm teasing.

No, was quite serious. And you?

[Love Zhaoying]

15 hours ago, Silent Mistwalker said:

So.... now what? 

2FA for transfers. From the Viewer. If it is "too far" for YOU- sorry, but my opinion is just as valid.

[Silent Mistwalker]

11 hours ago, Innula Zenovka said:

That, I see, was a debit card attached to her bank account, which would necessarily be less secure than a credit card.    I'm surprised that she didn't at least have to enter her CVV number manually, but it seems it's  not for cards like that.    So that's the difference between her and Cristiano's friend whose account was broken into but the thief couldn't get into Tilia.

We don't know what happened in the end -- at  the time of her final update, LL were being very helpful and it's unclear whether the $1700 actually left her account -- but I don't think this is a typical case by any means.

Furthermore, and while I'm not trying to blame her for what happened to her, I think that If you go though the story, you'll see that she admits she was somewhat careless, to say the least, in her approach to account security.

This is not a typical case, I think, and I don't think it's safe to base many general assumptions on it.

Using a debit card for any purchases, you must enter a CVV. I don't use credit cards. Can't afford one and don't have the credit to get one.

[Silent Mistwalker]

10 hours ago, Rowan Amore said:

CVV numbers are most definitely on debt cards.  No where does it ask for that when purchasing Ls.  Neither with a credit or debit card.  Perhaps, instead of having 2fa, they could require that when making a Lindens purchase.

When did LL drop that from the info? I've always had to enter a CVV for almost 18 years.

[Rowan Amore]

Just now, Silent Mistwalker said:

When did LL drop that from the info? I've always had to enter a CVV for almost 18 years.

When I purchase Ls it doesn't ask, never has.  It may when entering your payment info for the first time but that would be the only place it does.

[Silent Mistwalker]

10 hours ago, Solar Legion said:

2FA solution for those who want it: Require it for Website log in/L$ Purchase through the Market (or direct item purchase through the MP) .... and - get this - shut off the ability to purchase L$ using any of your existing payment methods, through the Viewer.

Thank you. I'll never buy Ls again since I only ever purchased them through the viewer. Don't give a damn what any one says about the exchange. That is MY preferred method and I will NOT change it for anyone just because they think they know what is best for me. 

[Alwin Alcott]

3 minutes ago, Silent Mistwalker said:

When did LL drop that from the info? I've always had to enter a CVV for almost 18 years.

 

1 minute ago, Rowan Amore said:

When I purchase Ls it doesn't ask, never has.  It may when entering your payment info for the first time but that would be the only place it does.

i think it is handled by the card provider, not by LL,  to have a security added. I'm pretty sure i had to verify the use of my Visa with the app a few times before being able to buy.... and last years.. nothing to provide anymore.

[Silent Mistwalker]

8 hours ago, Chris Nova said:

I'm assuming the person hasnt clicked any suspicious links on their phone either. But generally when an attacker tries to access someone's account (that is 2FA enabled) from a different location, that person would get a sms code sent to their phone, hindering the attacker. You already know how it works.

And just how am I supposed to get a code that is sent via SMS WHEN I DON'T OWN A CELL PHONE. 

JFC. Let's just line up all the poor folks that like logging into SL and shoot them all so you don't have to bother with us.

Why do people have to suck so much.

[Silent Mistwalker]

4 hours ago, Love Zhaoying said:

No, was quite serious. And you?

 

4 hours ago, Love Zhaoying said:

2FA for transfers. From the Viewer. If it is "too far" for YOU- sorry, but my opinion is just as valid.

I never said your opinion wasn't valid.

I'm done. I'm done being laughed at. I'm done living in the hell humans created.

[Kimmi Zehetbauer]

One note --- I noticed a game my man was playing uses a "Security Code" which is a 4 digit number that is separate from the log-ins. When he buys gold in world on that game, it will ask to input the code before proceeding. That could probably be incorporated on the SL client.

9 minutes ago, Silent Mistwalker said:

And just how am I supposed to get a code that is sent via SMS WHEN I DON'T OWN A CELL PHONE. 

JFC. Let's just line up all the poor folks that like logging into SL and shoot them all so you don't have to bother with us.

Why do people have to suck so much.

Some assume everyone has a smart phone. There's like 43 of us on the planet that don't have one and chose not to have one.

Last year I had to change banks due to 2FA since I don't use a cell. I closed my account and moved on.

[bigmoe Whitfield]

12 hours ago, Rowan Amore said:

I'm in no way asking for 2fa just to log into SL. There is no need for that IMO.  But, if you allow purchasing Ls through the viewer, then it seems it would be easy enough to have a popup window to verify before that purchase can be made.  It has always struck me as odd that you must be logged into the website AND reenter your password to purchase Ls yet that is not required for viewer purchases.  Why?

I'm not going to accept otherwise from LL,  they require it for login like other mmo's and such. or.  they make it optional.  I prefer mandatory, but I'm a stricter for security as it's my background with companies I've worked sysop/security/support for.    I really really never see how people can be this trusting in this day and age when it comes information,  My account has real life information also tied to it, it was required at one point,  think I want that in the open too?    to many variables.  time to stop being so lax,  I'm sorry if I ruffle any tails with this, but I'm not going to lay down until we have 2fa.

[Kimmi Zehetbauer]

11 minutes ago, bigmoe Whitfield said:

I'm not going to accept otherwise from LL,  they require it for login like other mmo's and such. or.  they make it optional.  I prefer mandatory, but I'm a stricter for security as it's my background with companies I've worked sysop/security/support for.    I really really never see how people can be this trusting in this day and age when it comes information,  My account has real life information also tied to it, it was required at one point,  think I want that in the open too?    to many variables.  time to stop being so lax,  I'm sorry if I ruffle any tails with this, but I'm not going to lay down until we have 2fa.

Not all MMO's require it.  Some require inputting a "Security Code" for doing financial transaction, even inside the game.

[Silent Mistwalker]

Now that I have finally been able to fix my desktop after having to do without it for over 3 months because the CPU fan was dying, I was going to start logging in again today. Key word being was. I don't see a point in doing so any more since at some point I'll no longer be able to log in since I won't be able to receive any SMS codes. I'm just sorry I wasted 18 years of my life.

[Drenda]

27 minutes ago, Kimmi Zehetbauer said:

One note --- I noticed a game my man was playing uses a "Security Code" which is a 4 digit number that is separate from the log-ins. When he buys gold in world on that game, it will ask to input the code before proceeding. That could probably be incorporated on the SL client.

If this 4 digit code is always the same, chosen by you or SL, it is just the same as a PIN number used at ATM's for credit and debit cards.  That would not need a cell phone, landline phone, or email account to get the 2fa code, which is usually good for just a few minutes.  Why is that not an easier method?  

Of course Sid will use 0000 and others will used 1234 or 7777.  But how is someone going to guess your PIN code with 9999 possibilites, or make it a 5 digit, 99999 choices?

as far as not having a cell/smart phone - every financial insitution I deal with has many choices for sending the 2fa code:  A home phone (wired or internet), a cell/smart phone, or email.  If you have none of these, I guess it's the  US Mail, or smoke signals.

Most credit cards still send the initial PIN number by US mail, btw

Edited July 26, 2021 by Drenda

[Innula Zenovka]

32 minutes ago, Silent Mistwalker said:

Using a debit card for any purchases, you must enter a CVV. I don't use credit cards. Can't afford one and don't have the credit to get one.

Thanks.     That leaves me wondering, then, how whoever broke into the account of the woman who posted on Reddit was able to buy $1,700US worth of L$ without knowing what her CVV was.      There's part of the story missing, I'm sure, but the more I think about it, this woman's loss seems to represent a perfect storm of  unsafe settings and careless behaviour, I'm afraid.  

Can someone who has recently bought L$ via Tilia please confirm what the steps are?  If Tilia store your CVV number along with card number and expiry date, that sounds extremely dangerous and I'd be surprised if it's the case.

 

[Innula Zenovka]

40 minutes ago, Silent Mistwalker said:

And just how am I supposed to get a code that is sent via SMS WHEN I DON'T OWN A CELL PHONE. 

JFC. Let's just line up all the poor folks that like logging into SL and shoot them all so you don't have to bother with us.

Why do people have to suck so much.

Usually there's a variety of options available -- besides SMS, I've been sent verification codes by  email, automated landline call, and downloadable apps.

[Drenda]

12 minutes ago, Innula Zenovka said:

Can someone who has recently bought L$ via Tilia please confirm what the steps are?

Sorry, I did it before Tilia separated from LL, with a bank credit card, and only entered my SL password.  But in the viewer, which is also Tilia, you just enter the dollar amount and it goes thru in a few seconds.

 

[Innula Zenovka]

Just now, Drenda said:

Sorry, I did it before Tilia separated from LL, with a bank credit card, and only entered my SL password.  But in the viewer, which is also Tilia, you just enter the dollar amount and it goes thru in a few seconds.

 

So when you used it, the site remembered your card details and didn't ask you for any further confirmation (e.g. CVV number) the next time you used it, but simply asked you to re-enter your SL password?  That's really insecure.    

[Rowan Amore]

23 minutes ago, Innula Zenovka said:

Thanks.     That leaves me wondering, then, how whoever broke into the account of the woman who posted on Reddit was able to buy $1,700US worth of L$ without knowing what her CVV was.      There's part of the story missing, I'm sure, but the more I think about it, this woman's loss seems to represent a perfect storm of  unsafe settings and careless behaviour, I'm afraid.  

Can someone who has recently bought L$ via Tilia please confirm what the steps are?  If Tilia store your CVV number along with card number and expiry date, that sounds extremely dangerous and I'd be surprised if it's the case.

 

The one and only time I have to enter my CCV number was when I initially set up my payment info on the website.  Whenever I purchase Ls in game, I simply purchase them, no other verification needed.  If you logged into SL, knowing only my password for SL, you could make a purchase of Ls.  On the website, the do ask you to input your password again but no other info and certainly no CCv.

[Silent Mistwalker]

28 minutes ago, Innula Zenovka said:

Usually there's a variety of options available -- besides SMS, I've been sent verification codes by  email, automated landline call, and downloadable apps.

All of which have their own issues and can't be fully depended on. If it is something (a service) that has to be paid for, not going to happen. 

Emails don't always arrive in a timely manner. I don't know of anyone who would want to have to wait 3 days for an email just to log into the grid only to have the code in the email expire before it ever arrives. Had that happen many times (not for SL obviously).

Landline can't be tied up during husband's work hours since he works from home.

If I'm not familiar with the software or the company, it isn't going on my pc. Been there, lost a pc, not happening again.

People place far too much trust in tech and depend on it way too much these days, as if it were infallible when it isn't.

[Coffee Pancake]

2FA should be used 

• When logging into the SL viewer the first time (it already forgets your login details under certain conditions).
• Logging in from a different geographic region (even if on the same computer)
• Changing key details on your SL account (password, email address, PIoF etc)
• Buying L$ in the viewer.
• Buying & selling L$ on the SL exchange.
• Buying L$ to complete a SLM checkout.

2FA schemes could include more than one of the following.

• Code sent to the email address associated with the account.
• SMS message.
• Google authenticator app.
• Code / "this is me" confirmation shown in the SL iOS app.

There should be no reason why everyone couldn't pick and use one of the 2FA schemes with their account.

2FA needs to be opt in, but heavily encouraged. To that end there should be a clear tangible reward unlocked by opting into 2FA that remains unlocked so long as 2FA is in use with that account (not a one time perk). The reward doesn't have to be an addition to the base 'free' package - 2FA is the feature.

Remove payment info on file/used markers entirely, enabling 2FA adds a profile / account marker 'verified' , the 'verified' flag is show in profile and detected by script. It would be required to sell L$ to US$ 

Social "sticks" should be employed & can be coupled to measures intended to reduce the more egregious uses for throw away accounts. Accounts without 2FA don't get full access to create a profile, no pictures, no picks, no website links, daily caps on ability to join groups, receiving L$ from other avatars, etc .. basically all the anti grief, harassment, group botting things we have been after for years.

AGAIN - There should be no reason why everyone couldn't pick and use one of the 2FA schemes with their account.

 

The hard part will be getting everyone to update the email address they have with LL and procedures for dealing with users who become disassociated from their chosen 2FA method.

LL should not reinvent the wheel on this one, all the problems have already been solved. Just look at what steam (for example) does and copy that verbatim.