
MULTI FACTOR AUTHENTICATION !!


Coffee Pancake

So the only way to use their MFA is thru a smartphone or mobile device?  No email option, no voice mail or text mail option to a home phone?   That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone?  Can SL transactions even be checked if you have MFA and your mobile device is lost or broken?   No thanks, until they don't rely on only batteries to get my money.  At least it is opt-in.

 

  • Like 5

5 minutes ago, Jaylinbridges said:

So the only way to use their MFA is thru a smartphone or mobile device?  No email option, no voice mail or text mail option to a home phone?   That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone?  Can SL transactions even be checked if you have MFA and your mobile device is lost or broken?   No thanks, until they don't rely on only batteries to get my money.  At least it is opt-in.

Text/Email are inherently less safe for various reasons that come down to if an account is compromised it's trivial in most cases to compromise those too.

As for the concern about it being tied to a single device: I have Google Authenticator cloned to two devices, and you can also clone it to Chrome desktop (which I don't do). So if my phone is broken or stolen or out of battery or whatever, I have a backup I can use.

Authy allows for cloning/synching between app and desktop and I do that too. Windows Authenticator also has ways I'm fairly sure to synch between mobile app and the desktop but since I don't use that one, I can't say for certain. So, you are not wholly reliant on one piece of hardware for your security. It's a little extra work but it eases those worries. At least for me it does.

  • Like 3

14 minutes ago, Kimmi Zehetbauer said:

especially for the 34 of us that don't have smart phones.

There might be more than that.  85% of people who were INTERVIEWED BY TELEPHONE claim they now own a smartphone.  But they didn't ask if they also had a broadband internet connection.  Hi-speed internet would narrow it down a bit for SL users.   Of course poor people that don't have any telephone are ignored.  Also not an SL user.  I would think there are more SL users that have broadband internet at decent computers, but still do not have a smartphone with a camera etc.  Just because the average age of SLers is higher than the average country population. 


  • Like 1

In my personal opinion there is zero reason not to do this. None. Not just on Second Life but for every single service you access online. Your mail, your bank, Facebook, other games you play, all of them. If you have an account with a log in you should be using a strong, wholly unique password for each account and a form of second authentication when it is offered. This form of security is simply an essential part of being online these days.

  • Like 4
  • Haha 3
  • Confused 1

27 minutes ago, Buttacwup Float said:

In my personal opinion there is zero reason not to do this. None. Not just on Second Life but for every single service you access online.


It's not a panacea to online security, nothing is, but it's significantly better than just a password .. especially if that password is one you can type from memory.

Hopefully it won't be long before this initial offering is supplemented with an email option as an alternative / fallback.

  • Like 1

1 hour ago, Jaylinbridges said:

So the only way to use their MFA is thru a smartphone or mobile device? 

For now, yes.

In future releases we plan to extend MFA’s protections to additional pages on secondlife.com, the marketplace, and the viewer. We are also exploring an email-based implementation.

  • Like 1

Just now, Rowan Amore said:

For now, yes.

In future releases we plan to extend MFA’s protections to additional pages on secondlife.com, the marketplace, and the viewer. We are also exploring an email-based implementation.

All the while, likely breaking more and more things along the way ...

If they have managed to not break anything - even on a time delay - lovely.

Not holding my breath.

  • Like 6

Will be reporting a bug.  I set it all up two hours ago and it says it is turned on.  However, I just now logged out and went to log in again and it did not ask for a token.  I logged out and then logged in on another browser and it did not ask for the token.  I repeated the log out and then logged in on a third browser and it did not ask for a token.

I'm pretty sure that is NOT the way it is supposed to work

 

  • Like 1
  • Haha 3

4 minutes ago, LittleMe Jewell said:

Will be reporting a bug.  I set it all up two hours ago and it says it is turned on.  However, I just now logged out and went to log in again and it did not ask for a token.  I logged out and then logged in on another browser and it did not ask for the token.  I repeated the log out and then logged in on a third browser and it did not ask for a token.

I'm pretty sure that is NOT the way it is supposed to work

 

From the way they have it phrased ... They opted for a page by page/section by section implementation. In other words, they found a way to mess things up.

Log in, then try to access say ... your billing information or payment methods.

While you're at it, test to see if they allow for a few seconds leeway when the current code is about to expire as nearly all other 2FA using services do.

Edited by Solar Legion
  • Like 1

I'd say there are still a few kinks to work out.

When I first went to the MFA Settings page after setting it up, it gave me the ability to 'Disable with Token' and 'Disable with Email' in case I lost access to my Authenticator app.  Just now I went back to that page and no longer have the "email" option, yet the email on my account is valid and confirmed (and I do receive SL messages to that email).  

This is what the page now shows:

[Screenshot of the MFA Settings page]

 

I then logged out again and back in -- as the message above says -- and still did not get asked for an authenticator token, but the 'email' option is back.

[Screenshot of the MFA Settings page]

 

  • Like 1

10 minutes ago, Solar Legion said:

From the way they have it phrased ... They opted for a page by page/section by section implementation. In other words, they found a way to mess things up.

Log in, then try to access say ... your billing information or payment methods.

Ahh, that is indeed it. 

I interpreted it to mean that I had to authenticate to get to my Dashboard in general, but not to the MP or the forums, etc...

 

ETA:  After entering a new authenticator token to get to my account billing history, I then closed the tab.  Opened a new tab to my Dashboard and can still get to my account billing history.  IMO, if the tab closes, the authentication should automatically expire. 

Next test will be to see if it expires overnight, with the tab still open and on the financial page.

Edited by LittleMe Jewell
added more comments
  • Like 1

1 minute ago, LittleMe Jewell said:

Ahh, that is indeed it. 

I interpreted it to mean that I had to authenticate to get to my Dashboard in general, but not to the MP or the forums, etc...

Which of course means that - just as was warned - they'd find a way to bork things or implement it in a wonky manner.

2FA - for places that use it/actually warrant it - is supposed to be done on log in. Optionally to verify it is indeed the actual user for accessing/making changes to sensitive site segments beyond that (some places do it, some don't).

They've 'secured' individual rooms while waiting on the main door/gate. Absolutely backwards.

  • Like 3

2 hours ago, Jaylinbridges said:

So the only way to use their MFA is thru a smartphone or mobile device?  No email option, no voice mail or text mail option to a home phone?   That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone?  Can SL transactions even be checked if you have MFA and your mobile device is lost or broken?   No thanks, until they don't rely on only batteries to get my money.  At least it is opt-in.

 

Initially, this bothered me as well.  However, if you turn it on, you only actually have to enter a code for the financial pages on your Dashboard.  Since there is a way to turn it off via email and that method can be accessed without having to enter a token, I'm not as bothered as I was initially.

 

  • Like 1

1 minute ago, LittleMe Jewell said:

Initially, this bothered me as well.  However, if you turn it on, you only actually have to enter a code for the financial pages on your Dashboard.  Since there is a way to turn it off via email and that method can be accessed without having to enter a token, I'm not as bothered as I was initially.

 

It also remains to be seen if they implemented the opt-in process to include manually setting up the key as you would have to do for 2FA PC side apps like Authy (which has both a smartphone and a PC app).

If they only allow for setup via scanned QR code .... yet another implementation failure.

  • Like 2
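
The two checks raised in the posts above (a few seconds of leeway when a code is about to expire, and manual key entry instead of a scanned QR code), as an added Python example that is not from the thread and is not Second Life's implementation. It assumes the common RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and the `otpauth://` URI format authenticator apps read from QR codes; the function names are hypothetical and the sample URI is constructed from the RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: what an enrolment QR code encodes (RFC 6238 test secret).
SAMPLE_URI = ("otpauth://totp/Example:resident"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_otpauth(uri):
    """Return the shared secret bytes from an otpauth://totp URI.
    The Base32 'secret' value is what a desktop app takes as the manual key."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    b32 = parse_qs(parsed.query)["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore stripped Base32 padding
    return base64.b32decode(b32)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret, code, now, step=30, drift=1, last_used=-1):
    """Return the matched time-step counter, or None if the code is rejected.
    drift=1 accepts the previous and next step (the 'leeway' around expiry);
    counters <= last_used are refused so an accepted code cannot be replayed."""
    current = int(now) // step
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

if __name__ == "__main__":
    key = secret_from_otpauth(SAMPLE_URI)
    code = hotp(key, 59 // 30)             # code shown by the app at t=59s
    print("typed 2s after rollover:", verify_totp(key, code, now=61))
    print("typed a minute late:   ", verify_totp(key, code, now=95))
```

A server would store the returned counter per account and pass it back as `last_used` on the next attempt.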

It's been a requirement with my day job for a year and a half now. 
A former day job and probably my next one require fingerprint/recognition sign ins.
I don't mind MFA via mobile phone but they are under NO illusion my phone is strictly for
the safety of family members NOT for the employer to utilise willy nilly. 😋

  • Like 2

FFS it's irritating enough having to sign in twice just to respond to anything on these forums. Now they want us to start farting around with phones? Claiming something is "industry standard" is microsoft speak for we can't be bothered fixing the bugs.

  • Like 2
  • Thanks 1
  • Sad 1

3 minutes ago, suzyst said:

FFS it's irritating enough having to sign in twice just to respond to anything on these forums. Now they want us to start farting around with phones? Claiming something is "industry standard" is microsoft speak for we can't be bothered fixing the bugs.

it is industry standard, lots of games even use 2fa/mfa now, many big business, I work for a fortune 50 company and we do nothing without it, we've had some hold overs, but they too even came around, because we require it. the internet is going this same way and the ones that are not wanting to comply and move forward will end up being left behind, like playing games on old hardware, there becomes the point where they won't work on systems and get blocked, I'm sorry, but things move forward.

  • Haha 1
  • Confused 1
  • Sad 1

3 minutes ago, bigmoe Whitfield said:

it is industry standard, lots of games even use 2fa/mfa now, many big business, I work for a fortune 50 company and we do nothing without it, we've had some hold overs, but they too even came around, because we require it. the internet is going this same way and the ones that are not wanting to comply and move forward will end up being left behind, like playing games on old hardware, there becomes the point where they won't work on systems and get blocked, I'm sorry, but things move forward.

And just who gave "industry" the right to control how we do things? I don't recall seeing Industry on any ballot papers.  I'm pretty sure Tim Berners-Lee didn't have the profits of mobile phone companies in mind when he created the web. The way forward is not compliance with what industry wants, we've seen what sort of idiots we end up with in politics going down that road, the way forward is revolution, Greta Thunberg showed us that.

  • Like 3
  • Haha 1

38 minutes ago, suzyst said:

And just who gave "industry" the right to control how we do things? I don't recall seeing Industry on any ballot papers.  I'm pretty sure Tim Berners-Lee didn't have the profits of mobile phone companies in mind when he created the web. The way forward is not compliance with what industry wants, we've seen what sort of idiots we end up with in politics going down that road, the way forward is revolution, Greta Thunberg showed us that.

well it's going this way for a reason, the bad apples have ruined it for everyone and security measures are having to become commonplace in today's world and it's not going to go away, sorry. this is now life.

  • Sad 1
