Why Does SL Not Have 2 Factor Authentication For Accounts?

[Drayke Newall]

 

1 hour ago, Coffee Pancake said:

2FA shouldn't be in the slightest way optional IMO. This isn't about protecting your account or your virtual stuff, it's about adding one more step between an avatar and a bank account / credit card.

It is precisely about protecting your account nothing more. Your bank details are separate in that there should be security in those things (this being CCV) though, considering LL offer a subscription it requires them to save all card details so as they can continue to take the money monthly. This is why you dont have to add your CCV number every time like people have wondered why in this thread. That is their answer as to why CCV isn't needed for purchases.

This is done the same way by many subscription based or recurring payment companies that have additional purchases. No need to renter CCV even though that is the 2FA of your bank card.

1 hour ago, Coffee Pancake said:

No one is going to stop making or trading in SL if a requirement of buying L$ or cashing out is they need to type in a code from an email or poke an app on their phone. We should have been doing this for years already.

And you know this how? Why do you think people wont stop trading in SL because of the introduction of what many believe to be more of an annoyance than account security?

You say that no one is going to stop doing things in SL if mandatory 2FA is introduced and yet that fear of people not spending money is the same reason why no other company has ever made 2FA mandatory. They fear the loss of income from people not continuing with their product because of the awkwardness and annoyance of it.

Take Marketplace for example, some in this thread have said that every time you make a MP purchase you should have to do the 2FA dance even if using just Lindens. Many people (myself included) dont use the cart option on MP and do single purchase's as they find them.

Do you honestly think people will spend more or the same amount (if not leave entirely) on the MP if every time they have to enter a 2FA code. Say if a person is browsing MP and buys (with lindens) individually within 1 hour of browsing 10 items for an avatar mod they are making and do so because they are editing the avatar at the time. Waiting for a 2FA email, copy paste the code and submitting it 10 times... No thank you!

1 hour ago, Coffee Pancake said:

If you intentionally don't have that RL financial link in place, then sure, 2FA is mostly just extra steps - the one notable exception being it will alert you to your account being compromised should you receive an unexpected authentication request.

But making 2FA mandatory removes that option for people. If they dont have a financial link they still have to have 2FA, making your reasoning void.

Someone posted that reddit link about the person that lost $1700. I dont believe that for a second and if they did then I would be changing banks and be far more concerned with bank security than my second life account being hacked.

If my bank recorded (as they stated) 50 transactions in a day totalling to an amount of even $200 (they had $1700) my bank would have frozen my account and contacted me immediately in person on the phone of the suspicious activity. My bank has done this in the past and I was the person doing such activity on my own.

I have no issue with LL introducing 2FA but as stated in my edit it needs to not be mandatory, no incentives and no disincentives. If they do any of those, then they can expect people to do just as you have said they wont, leave SL and I will be one of the first after 18 years.

Edited July 27, 2021 by Drayke Newall

[Coffee Pancake]

LL could demand we complete a maze in world as part of the cash out procedure and we would. We do this just to enter some regions for fun!

Moan, complain, procrastinate, lament the choice of shrubbery .. sure .. but leave? LOL.

 

[Drayke Newall]

42 minutes ago, Coffee Pancake said:

Moan, complain, procrastinate, lament the choice of shrubbery .. sure .. but leave? LOL.

Your snide unhelpful comments aside, you are literally proposing in your previous posts that along with 2FA introduction LL need to remove features from people that dont use 2FA and give perks for those that do of which, there is only one perk that they can give that would have that incentive $L. 

So yes, leaving is the right avenue if they start such absurd practices as you suggest - like these you posted:

Quote

Accounts without 2FA don't get full access to create a profile, no pictures, no picks, no website links, daily caps on ability to join groups, receiving L$ from other avatars, etc  .. basically all the anti grief, harassment, group botting things we have been after for years

I asked in my previous post if you were being sarcastic, but based on your non-answer and later responses it seems you were not. What's included in the 'etc' you posted or what are you going to suggest next to incentivise 2FA? Limit the number of times a person can access their inventory, the amount of inventory space, how often you can edit your avatar, amount of text in a script, item rez limit... These can also be used to grief and harass. 🙄

If past history is anything to go by it's stupid ideas like these that LL take on board especially from people such as yourself (who creates a popular TPV) who have a little more clout than the average user. I had thought better of you... clearly I was wrong.

Edited July 27, 2021 by Drayke Newall
spelling

[Qie Niangao]

Opt-in seems fine to me. If mandatory 2FA would somehow reduce harassment and griefing and stuff then we could discuss the trade-offs, but in reality it wouldn't have any effect at all unless we're imagining authentication all the way to RL identity and location just to login, which would be a business-closing deterrence to sign-up (especially in some parts of the world).

Some folks have taken all their 2FA strawmen to heart. It's not going to need a smartphone; SMS is not the medium of choice for 2FA and hasn't been for years (at least not for the service providers, although some users will choose it out of habit); it's not going to cost anything; email transmission is nearly instantaneous once a message is sent; and 2FA is simply never going to be mandatory (it's just not, and it's silly—on either side—to keep raising this strawman as if it could ever be a reality).

If somehow it's rewarding to get all worked up and threaten to leave, could we maybe find a reason that bears some relationship to reality?

[Drayke Newall]

28 minutes ago, Qie Niangao said:

Opt-in seems fine to me. If mandatory 2FA would somehow reduce harassment and griefing and stuff then we could discuss the trade-offs, but in reality it wouldn't have any effect at all unless we're imagining authentication all the way to RL identity and location just to login, which would be a business-closing deterrence to sign-up (especially in some parts of the world).

Some folks have taken all their 2FA strawmen to heart. It's not going to need a smartphone; SMS is not the medium of choice for 2FA and hasn't been for years (at least not for the service providers, although some users will choose it out of habit); it's not going to cost anything; email transmission is nearly instantaneous once a message is sent; and 2FA is simply never going to be mandatory (it's just not, and it's silly—on either side—to keep raising this strawman as if it could ever be a reality).

If somehow it's rewarding to get all worked up and threaten to leave, could we maybe find a reason that bears some relationship to reality?

The argument wasn't just about making it mandatory (it would be to LL peril if they did this) and making it so would not stop harassment or griefing in any way.

The other argument at least I was having with Coffee was the proposal that incentives or disincentives be provided to make people want to use 2FA. Some games offer vanity pets or in game currency etc as incentives as literally this is the only way they can get people to use 2FA as it is that unpopular. This just cant work for SL and shouldn't be implemented as there are no incentives other than disincentives that LL can offer unless they go down the $L path which would not be wise for the economy and gaming the system.

As an example, SWTOR  game by EA have their 2FA incentive as 300 credits (which you normally have to buy) per month. Last time I talked to people that play that game they have multiple free accounts of which they then game the system by buying with their freely offered credit incentive marketplace items and sell those in game to make money which destroyed the economy.

As for emails being instantaneous that would depend. With many large companies, sites etc it can take 10 mins for the email to arrive or just not deliver at all which is why they always have a resend code button. The fact this button exists shows that its not a case of emails always come through. Then if you have hotmail linked to gmail so they come through one account, this adds even more time to the process. Then you also have the issues of things like authentication emails going to spam or being blocked due to spam or simply emails being unsecure due to phishing.

SMS is still generally the number 1 go to 2FA option both for users and companies as other than authenticator's it is the second most secure despite it not actually being secure according to research - that is to say it's better than email.

[Qie Niangao]

53 minutes ago, Drayke Newall said:

SMS is still generally the number 1 go to 2FA option both for users and companies as other than authenticator's it is the second most secure despite it not actually being secure according to research - that is to say it's better than email.

That's terrifying. The SS7 network is now widely compromised so I'd never advise anybody to choose SMS for anything even temporarily sensitive. Personally, I'd much rather take my chances with email transport (unless I needed the content to be reliably ephemeral... which, come to think of it, wouldn't be true of SMS either).

There are ways email can be delayed, but unless the user has done some abnormal "plumbing" (such as forwarding from one service to another), delays are most likely the sender's systems rather than propagation through the network. That "resend" button works, too.

While I don't see any benefit to incentivizing 2FA (use if you want, or not), I wouldn't be too worried about tanking the economy by offering some L$ reward, especially if it offset some real or perceived cost. The L$ is ridiculously stable, moving only very gradually under obvious control of Supply Linden. It's not that she buys L$s, but rather that she must sell a lot, judging by that unnatural stability. The weekly stipend L$ source is surely larger than any plausible 2FA incentive (unless it were trivial to game, which could be a concern), and just a few hours of the various Marketplace sinks can probably offset the total of legitimate 2FA incentives. (But again, I'm not seeing the point of doing it.)

 —

Unrelated, but I meant to say earlier: I wouldn't find using 2FA to setup login credentials to be "overkill" (regardless of whether L$s can be bought in the viewer). Again, this would be up to the account holder to decide, but if they wanted to require 2FA for a device's initial login on their account, it should be up to them. Some folks might want to protect their avatar identity and reputation. In fact I think that's a more specific application for SL, while the monetary account protection might be (mostly?) between Tilia and the banks.

[Innula Zenovka]

3 hours ago, Qie Niangao said:

Unrelated, but I meant to say earlier: I wouldn't find using 2FA to setup login credentials to be "overkill" (regardless of whether L$s can be bought in the viewer). Again, this would be up to the account holder to decide, but if they wanted to require 2FA for a device's initial login on their account, it should be up to them. Some folks might want to protect their avatar identity and reputation. In fact I think that's a more specific application for SL, while the monetary account protection might be (mostly?) between Tilia and the banks.

While I may seem sceptical about 2FA, I wholly agree with this.   

What I don't know, however, I have no information with which to work, is whether 2FA is an urgently-needed solution to a widespread problem that urgently needs addressing or whether it's simply something it would be nice to have as an option, provided it was voluntary and would probably make a lot of users feel more comfortable.

As an indication of how people feel, rather than because the two things may be connected (I have no idea if they are or not), which would people rather see fixed first

• Two Factor Authentication (optional) at log in
• Inworld Search
• Something else  (mesh uploads always seem to need fixing one way or another, for example)

I see 2FA as something nice to have if I wanted it, but it's not something to which I give much thought, though obviously I am also concerned about protecting both my L$ balance  and my in-world reputation, such as it is, but I wondering whether others share my sense of priorities.

Speaking personally, I can think of plenty of improvements and enhancements to the user's experience that I'd regard as more urgent than 2FA, but I'm very aware that my SL isn't much like other people's,  because how many of us spend most of our time in SL writing scripts or hanging out with other content creators discussing how to do cool stuff?   

Because I am concerned about having my account hijacked, I early on took advice on how to avoid this -- don't reuse or share passwords, or use easily guessable ones,  be aware of phishing techniques and so on -- and I have followed it ever since without giving it much more thought, because no one else has access to my computers, and all my passwords are generated and stored by LastPass, but maybe I'm in a minority here.

 

Edited July 27, 2021 by Innula Zenovka

[Love Zhaoying]

7 hours ago, Coffee Pancake said:

LL could demand we complete a maze in world as part of the cash out procedure and we would. We do this just to enter some regions for fun!

Moan, complain, procrastinate, lament the choice of shrubbery .. sure .. but leave? LOL.

 

I vote for a maze in a cornfield.

[Love Zhaoying]

1 minute ago, Innula Zenovka said:

Something else  (mesh uploads always seem to need fixing one way or another, for example)

 

[Drayke Newall]

1 hour ago, Qie Niangao said:

That's terrifying. The SS7 network is now widely compromised so I'd never advise anybody to choose SMS for anything even temporarily sensitive.

It was compromised well before even using it for 2FA. I the other thread about this topic I posted an article about how it was compromised but the usual people came in and said "so what 2FA is awesome even on SMS" so I gave up arguing it.

I do agree with you that the best 2FA is email due to its convenience over the others, however, still find the whole system a little odd considering email accounts are one of the most hacked services yet people use them to receive a code to access another account.

I however, like @Innula Zenovka have different passwords that are auto randomly generated and kept secure that has seen me never have an issue (touch wood) of account compromises. To be honest, I also believe 2FA to be a band-aid fix and wrong in that it gives a false sense of security for those people (lets face it the majority) that believe that 2FA means they can be lax on other forms of security such as strong passwords.

Likewise, I also believe LL should fix other security flaws prior to 2FA such as removing payment info on file tags, hiding usernames an using display names as the primary identifier etc. But that just will never happen.

1 hour ago, Qie Niangao said:

Unrelated, but I meant to say earlier: I wouldn't find using 2FA to setup login credentials to be "overkill" (regardless of whether L$s can be bought in the viewer). Again, this would be up to the account holder to decide, but if they wanted to require 2FA for a device's initial login on their account, it should be up to them. Some folks might want to protect their avatar identity and reputation. In fact I think that's a more specific application for SL, while the monetary account protection might be (mostly?) between Tilia and the banks.

I think you misunderstand me. I have no problem with allowing people to secure their account with 2FA. If they feel that need for more security because for instance, they want to only use one password on multiple accounts and it gives them piece of mind in having 2FA despite it actually not being the case then that should be allowed and encouraged. The more layers the better for those kind of accounts.

I am just against it being mandatory for those that dont need it and against incentives that offer something that greatly shifts to a bias such as monetary incentives and/or disincentives. Now things like what I believe twitch offer their userbase that use 2FA I have no issue with as it is throw-away in that, they give some unique emoji's to those 2fA secured accounts. Unfortunately LL have nothing like this that they could offer...

Come to think of it the only thing I can think of that wouldn't provide any form of advantage or bias over another user not using 2FA would be to offer those rarely used and forgotten voice morphs.

Edited July 27, 2021 by Drayke Newall

[Kimmi Zehetbauer]

My man plays a MMO and about 2 years ago they changed the accounts so the log in username is not the same as the toon's name in world. Not sure how much it would be for the Lab to implement something like that.

They also introduced 2FA for those who wished to opt in, but it relied only on a QR code, nothing else. But for some time they use a 4 digit security code to make purchases in world and the code restricted certain number combos like 1111 or 0000.

[Jaylinbridges]

I had to make another throw-away email account today, for some silly website that insists you can't use an email that is already registered with them to create an alt account.  Never mind that they encourage alt accounts, but want every alt to have a unique email address.

So I go to Yahoo mail "Create a New Account" and punch out another one.  To activate the email account they had to send me a 5 digit security code to my smart phone, their 2FA check I was not a robot or something.  It took me 3 tries to get the number entered correctly back on their registration website . So I can imagine the average stressed out SLer entering the 2FA code upon logging in every time.

Edited July 27, 2021 by Jaylinbridges

[Qie Niangao]

16 minutes ago, Jaylinbridges said:

So I can imagine the average stressed out SLer entering the 2FA code upon logging in every time.

Whoa, when did "every time" get into consideration? I mean, every time you use a brand new PC (and probably after upgrading to Windows 11), but has anyone been talking about doing this with every login? If so, why would that be on the table?

[Kathrine Jansma]

If you got a Windows 11 or Apple MacOS Box, the viewer could simply do some FIDO/WebAuthn stuff based on the device TPM and you are mostly done for 2FA without complex extra user input. Throw in some TOTP tokens (aka Google Authenticator) for people without phones or some email codes and App push/SMS for the people that really want to use a phone just because they are used to it.

But using MFA/2FA for simple logins is probably total overkill anyway.

The hard part is doing proper tech/user support and preventing the two horrible scenarios of 2FA. The tech part is easy:

• Attackers fast talking support into doing a password/2FA reset with just a single factor left...
• Being locked out of the account due to failing hardware tokens/phone number/email address lost without any reasonable way to claim it back.

 

[Drayke Newall]

5 hours ago, Qie Niangao said:

Whoa, when did "every time" get into consideration? I mean, every time you use a brand new PC (and probably after upgrading to Windows 11), but has anyone been talking about doing this with every login? If so, why would that be on the table?

Oh believe me, its been requested in this thread numerous times by people that you should have to use 2FA every time you log in (page 4 of this thread has some). As to why they believe such should happen, who knows... paranoia perhaps?

[Quistess Alpha]

6 hours ago, Jaylinbridges said:

had to make another throw-away email account today

FWIW with gmail you can add a tag to the end of your name (myemail+tag1@gmail.com, myemail+2gat@gmail.com...) and many services won't notice that different tags actually direct to the same email, so you can have an infinite number of "addresses" without the hassle of making a new account for each one. I often sign up for things with myemail+nameofthething@gmail.com which makes things easier to sort.

You can also add as many periods as you want to the email :

myemail@gmail.com == m.y..e.m.a.i.l@gmail.com

Edited July 28, 2021 by Quistess Alpha

[Kimmi Zehetbauer]

Some of us use other mail services or our own mail servers.

[InnerCity Elf]

Going by another platform I'm on and their forums, maybe they don't want their support flooded with support tickets from all the people who somehow manage to breathe and keep track of the logins of their current active accounts, but don't have access to the mails they used for registration of either that or any other account, change their phone numbers like other people their socks, forget their security question's answer, don't have an ID, forget their own user name, their own rl name ... 😁

They offer and I'm using 2FA there, though.

It's a small sacrifice for more peace of mind. I don't want to lose money, also, hackers could, and actually do cause other kinds of havoc.

I read often enough from people who got their accounts hacked to make it seem worth the effort of having to log in again after every windows update The 2FA there claims you're logging in from a new device after every windows update or unexpected laptop shutdown, and such. But at least, that shows me it's active and works. If anyone reads the logs, they must be thinking everyone, or at least the Windows users, on that platform is super rich, having new devices all the time 😄

It's a bit annoying, yes, and causes strain on your eyeballs from too much eye-rolling, but else, the additional few seconds will be worth it and probably take up less time than a compromised account would.

A bit like taking out an insurance that you pay for with your time directly vs indirectly paying with your time through an insurance premium.

Edited July 28, 2021 by Meccha Suki
Wasn't me, was my silly phone!

[Silent Mistwalker]

Somehow paying a bunch of scam artists for insurance doesn't reassure me very much. They are in business to make money, not make you feel safe. They get far more bang for your bucks than you ever will.

[Lindal Kidd]

On 7/27/2021 at 8:16 PM, Quistess Alpha said:

FWIW with gmail you can add a tag to the end of your name (myemail+tag1@gmail.com, myemail+2gat@gmail.com...) and many services won't notice that different tags actually direct to the same email, so you can have an infinite number of "addresses" without the hassle of making a new account for each one. I often sign up for things with myemail+nameofthething@gmail.com which makes things easier to sort.

You can also add as many periods as you want to the email :

myemail@gmail.com == m.y..e.m.a.i.l@gmail.com

I occasionally get email intended for another person, possibly because of that period thing. Google swears that it can't happen, and that I just get these because someone put in my email address instead of theirs, but I dunno. I am (fictitious example) lindal.h.kidd@gmail.com and the emails are for LINDALHKIDD@gmail.com.

[Kimmi Zehetbauer]

On 7/28/2021 at 7:30 AM, Silent Mistwalker said:

Somehow paying a bunch of scam artists for insurance doesn't reassure me very much. They are in business to make money, not make you feel safe. They get far more bang for your bucks than you ever will.

Cell phone carriers are know for the insurance scams. You pay so much per month and if the phone implodes --- got a chance you might get something inferior to the device you had.

[sissybillieboi]

On 7/24/2021 at 7:45 PM, Aria Aurelia said:

It needs to happen because it would stop certain scams from taking place in the future for sure.

 

On 7/25/2021 at 4:33 AM, Innula Zenovka said:

I'm simply asking if anyone  knows the scale of of the problem.     

That is, does anyone other than LL know how many accounts are compromised each year and what the damage is?   

I mean, all I know about accounts being stolen is that it's never happened to me or any of my friends (that I remember) in all the 14 or however many years I've been in SL, but that I now and again hear about it in the forums.

So I know for sure that it's happened at least once this year, to Cristiano's friend, who suffered the inconvenience of having to ask Support to reset their password and they lost some recently-acquired gacha items (though there's presumably a transaction record showing to whom they were transferred, so I assume LL were able to reunite the owner with their items), but that's all I know.   

It presumably happens more frequently than that, but I have no idea how often it does, and it's often good, I find, to have an idea of the magnitude of a problem before deciding how much time and effort to devote to fixing it.   

All I currently know about the  scale of the problem is that once every year or so I hear that a friend of a friend has had their account somehow compromised, and that it's happened once at least this year to Cristiano's friend.

Quite possibly it's happening all the time to someone and I never get to hear about it (no reason I should), but it's equally possible it's a misfortune that occurs once in a blue moon and  any resulting loss or damage is comparatively minor. 

I just don't know how urgent a problem it is, or whether it's worth fixing at all.     

LL, who have the facts, clearly don't think it's a serious enough problem to be worth fixing, so I'm wondering how big a problem it actually is in SL, because I'd like to know that before deciding if I think LL should devote much time and effort to something they clearly don't see as a priority.   

It may be that it's a grave problem that urgently needs attention, but it may equally well be no more than an occasional irritation, and I have no way of knowing which is the case, which is why I'm asking.     

When my credit card company recently introduced 2FA for online transactions, I welcomed it because, even though I've never myself been the  victim of credit  card fraud and identity theft, I know it's a very real danger because I know people who have been victims, and I know from news reports how frequently it happens, how much money is involved.     

I don't know, though, that SL accounts are anywhere near so attractive targets to fraudsters as are bank and credit card accounts, so what's an appropriate solution in one case may be overkill in the other.

Approximately how many accounts are compromised each year and with what results?   Anyone know?

 

 

Is there a thread where Linden's handling of account compromises Linden balance drains via um-authorized purchase during the compromise. I was compromised, an in 5 transactions in less then 3 minutes all to the same shady Store owner (lost 42k linden)?

Edited July 31, 2021 by sissybillieboi
Additons

[sissybillieboi]

Linden says sorry, no recovery of Linden possible. Lost 198.00 dollars us.

[bigmoe Whitfield]

On 7/27/2021 at 12:30 PM, Kathrine Jansma said:

If you got a Windows 11 or Apple MacOS Box, the viewer could simply do some FIDO/WebAuthn stuff based on the device TPM and you are mostly done for 2FA without complex extra user input. Throw in some TOTP tokens (aka Google Authenticator) for people without phones or some email codes and App push/SMS for the people that really want to use a phone just because they are used to it.

But using MFA/2FA for simple logins is probably total overkill anyway.

The hard part is doing proper tech/user support and preventing the two horrible scenarios of 2FA. The tech part is easy:

• Attackers fast talking support into doing a password/2FA reset with just a single factor left...
• Being locked out of the account due to failing hardware tokens/phone number/email address lost without any reasonable way to claim it back.

 

tpm is a good solution,  except I'm not upgrading a 5 year old VR system.   4.5ghz with 64gb ram all ssd's. on water.  dual 980ti's.   I have zero performance issues with any game built.   I have problems with SL, but we know the causes of those. so since I lack tpm in any form. because 5820k does not have it built in and my asus x99 does not have it built in,  and the module is not able to be bought for it, it means no windows 11.  so sticking with my phone for 2fa.  which we need.

[examining]

Do not remember if I already replied to this topic previously.

I often -on purpose or by mistake- have my cell phone reset to factory settings. Either way I forget to disable all that authenticator accounts in it before to proceed. Then I have to ask the email or virtual wallet or whatever else I secured with 2steps authenticator providers to disable it. (The 2steps security I mean).  If I am lucky I reset the authenticator and the account or I lose it.

Nevertheless I'd be glad to welcome this security to my avatars accounts.

Perhaps there might exist or I might discover a way not to forget to disable before to proceed.  Cause I can't afford to lose an avatar.

Edited August 1, 2021 by examining