Coffee Pancake Posted September 22, 2021 (edited)
Edited September 22, 2021 by Coffee Pancake

Sammy Huntsman Posted September 22, 2021
I will have to do it tomorrow, when my phone is fully charged.

Kimmi Zehetbauer Posted September 22, 2021
At least it's opt-in --- especially for the 34 of us that don't have smart phones.

Jaylinbridges Posted September 22, 2021
So the only way to use their MFA is thru a smartphone or mobile device? No email option, no voice mail or text mail option to a home phone? That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone? Can SL transactions even be checked if you have MFA and your mobile device is lost or broken? No thanks, until they don't rely on only batteries to get my money. At least it is opt-in.

Anna Salyx Posted September 22, 2021
5 minutes ago, Jaylinbridges said: So the only way to use their MFA is thru a smartphone or mobile device? No email option, no voice mail or text mail option to a home phone? That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone? Can SL transactions even be checked if you have MFA and your mobile device is lost or broken? No thanks, until they don't rely on only batteries to get my money. At least it is opt-in.
Text/Email are inherently less safe for various reasons that come down to if an account is compromised it's trivial in most cases to compromise those too. As for the concern about it being tied to a single device: I have Google Authenticator cloned to two devices, and you can also clone it to Chrome desktop (which I don't do). So if my phone is broke or stolen or out of battery or whatever, I have a backup I can use. Authy allows for cloning/synching between app and desktop and I do that too. Windows Authenticator also has ways I'm fairly sure to synch between mobile app and the desktop but since I don't use that one, I can't say for certain. So, you are not wholly reliant on one piece of hardware for your security. It's a little extra work but it eases those worries. At least for me it does.

Jaylinbridges Posted September 22, 2021
14 minutes ago, Kimmi Zehetbauer said: especially for the 34 of us that don't have smart phones.
There might be more than that. 85% of people who were INTERVIEWED BY TELEPHONE claim they now own a smartphone. But they didn't ask if they also had a broadband internet connection. Hi-speed internet would narrow it down a bit for SL users. Of course poor people that don't have any telephone are ignored. Also not an SL user. I would think there are more SL users that have broadband internet at decent computers, but still do not have a smartphone with a camera etc. Just because the average age of SLers is higher than the average country population.

Buttacwup Float Posted September 22, 2021
In my personal opinion there is zero reason not to do this. None. Not just on Second Life but for every single service you access online. Your mail, your bank, Facebook, other games you play, all of them. If you have an account with a log in you should be using a strong, wholly unique password for each account and a form of second authentication when it is offered. This form of security is simply an essential part of being online these days.

Coffee Pancake (Author) Posted September 22, 2021
27 minutes ago, Buttacwup Float said: In my personal opinion there is zero reason not to do this. None. Not just on Second Life but for every single service you access online.
It's not a panacea to online security, nothing is, but it's significantly better than just a password ... especially if that password is one you can type from memory. Hopefully it won't be long before this initial offering is supplemented with an email option as an alternative / fallback.

Rowan Amore Posted September 22, 2021
1 hour ago, Jaylinbridges said: So the only way to use their MFA is thru a smartphone or mobile device?
For now, yes. In future releases we plan to extend MFA’s protections to additional pages on secondlife.com, the marketplace, and the viewer. We are also exploring an email-based implementation.

Solar Legion Posted September 22, 2021
Just now, Rowan Amore said: For now, yes. In future releases we plan to extend MFA’s protections to additional pages on secondlife.com, the marketplace, and the viewer. We are also exploring an email-based implementation.
All the while, likely breaking more and more things along the way ... If they have managed to not break anything - even on a time delay - lovely. Not holding my breath.

NeoBokrug Elytis Posted September 22, 2021
Authy has a desktop app, I can't remember if it requires a telephone number. Bitwarden/Vaultwarden has TOTP support as well.

LittleMe Jewell Posted September 22, 2021
Will be reporting a bug. I set it all up two hours ago and it says it is turned on. However, I just now logged out and went to log in again and it did not ask for a token. I logged out and then logged in on another browser and it did not ask for the token. I repeated the log out and then logged in on a third browser and it did not ask for a token. I'm pretty sure that is NOT the way it is supposed to work.

Solar Legion Posted September 22, 2021 (edited)
4 minutes ago, LittleMe Jewell said: Will be reporting a bug. I set it all up two hours ago and it says it is turned on. However, I just now logged out and went to log in again and it did not ask for a token. I logged out and then logged in on another browser and it did not ask for the token. I repeated the log out and then logged in on a third browser and it did not ask for a token. I'm pretty sure that is NOT the way it is supposed to work.
From the way they have it phrased ... They opted for a page by page/section by section implementation. In other words, they found a way to mess things up. Log in, then try to access say ... your billing information or payment methods. While you're at it, test to see if they allow for a few seconds leeway when the current code is about to expire as nearly all other 2FA using services do.
Edited September 22, 2021 by Solar Legion

LittleMe Jewell Posted September 22, 2021
I'd say there are still a few kinks to work out. When I first went to the MFA Settings page after setting it up, it gave me the ability to 'Disable with Token' and 'Disable with Email' in case I lost access to my Authenticator app. Just now I went back to that page and no longer have the "email" option, yet the email on my account is valid and confirmed (and I do receive SL messages to that email). This is what the page now shows:
I then logged out again and back in -- as the message above says -- and still did not get asked for an authenticator token, but the 'email' option is back.

LittleMe Jewell Posted September 22, 2021 (edited)
10 minutes ago, Solar Legion said: From the way they have it phrased ... They opted for a page by page/section by section implementation. In other words, they found a way to mess things up. Log in, then try to access say ... your billing information or payment methods.
Ahh, that is indeed it. I interpreted it to mean that I had to authenticate to get to my Dashboard in general, but not to the MP or the forums, etc...
ETA: After entering a new authenticator token to get to my account billing history, I then closed the tab. Opened a new tab to my Dashboard and can still get to my account billing history. IMO, if the tab closes, the authentication should automatically expire. Next test will be to see if it expires overnight, with the tab still open and on the financial page.
Edited September 22, 2021 by LittleMe Jewell: added more comments

Solar Legion Posted September 22, 2021
1 minute ago, LittleMe Jewell said: Ahh, that is indeed it. I interpreted it to mean that I had to authenticate to get to my Dashboard in general, but not to the MP or the forums, etc...
Which of course means that - just as was warned - they'd find a way to bork things or implement it in a wonky manner. 2FA - for places that use it/actually warrant it - is supposed to be done on log in. Optionally to verify it is indeed the actual user for accessing/making changes to sensitive site segments beyond that (some places do it, some don't). They've 'secured' individual rooms while waiting on the main door/gate. Absolutely backwards.

LittleMe Jewell Posted September 22, 2021
2 hours ago, Jaylinbridges said: So the only way to use their MFA is thru a smartphone or mobile device? No email option, no voice mail or text mail option to a home phone? That means if my smartphone breaks, or I drop it, and I need to do a process transfer, or any operation using the secondlife.com account page I would be out of luck until I get a new phone? Can SL transactions even be checked if you have MFA and your mobile device is lost or broken? No thanks, until they don't rely on only batteries to get my money. At least it is opt-in.
Initially, this bothered me as well. However, if you turn it on, you only actually have to enter a code for the financial pages on your Dashboard. Since there is a way to turn it off via email and that method can be accessed without having to enter a token, I'm not as bothered as I was initially.

Solar Legion Posted September 22, 2021
1 minute ago, LittleMe Jewell said: Initially, this bothered me as well. However, if you turn it on, you only actually have to enter a code for the financial pages on your Dashboard. Since there is a way to turn it off via email and that method can be accessed without having to enter a token, I'm not as bothered as I was initially.
It also remains to be seen if they implemented the opt-in process to include manually setting up the key as you would have to do for 2FA PC side apps like Authy (which has both a smartphone and a PC app). If they only allow for setup via scanned QR code .... yet another implementation failure.

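The two points raised in the posts above, the few seconds of leeway around an expiring code and manual key entry versus a QR-only setup, can be seen in a small standard TOTP (RFC 6238) verifier. This is an added example, not code from the thread or from Second Life; the function names, the `ExampleService` issuer, the `resident` account and the one-step window are assumptions, and the secret is the published RFC test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

STEP, DIGITS = 30, 6  # RFC 6238 defaults used by common authenticator apps
# Constructed sample secret: Base32 of the RFC 6238 test key "12345678901234567890".
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, now: float) -> str:
    """Code an authenticator app would display at Unix time `now`."""
    return hotp(base64.b32decode(secret_b32, casefold=True), int(now) // STEP)

def verify(secret_b32, code, now, window=1, last_used=None):
    """Return the matching time-step counter, or None if the code is rejected.

    window=1 is the leeway: the previous and next 30 s steps are also accepted.
    last_used is the counter of the last accepted code, so a code cannot be replayed.
    """
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(now) // STEP
    for counter in range(max(0, current - window), current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        if hmac.compare_digest(hotp(key, counter).encode(), code.encode()):
            return counter
    return None

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// text a setup QR code encodes; the secret is plain Base32,
    so a site can also show it for manual entry into a desktop app."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)                    # shown during step 1 (t = 30..59)
    print(code, verify(DEMO_SECRET, code, 61))      # typed 2 s late, still accepted
    print(verify(DEMO_SECRET, code, 61, window=0))  # a strict server rejects it
    print(provisioning_uri(DEMO_SECRET, "resident", "ExampleService"))
```

A wider window is more forgiving of clock drift but lengthens the time a captured code stays usable, which is why the verifier also records the last accepted counter.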
Alwin Alcott Posted September 22, 2021
2 hours ago, Buttacwup Float said: there is zero reason not to do this. None.
there is no, none, non, geen, absoluut geen, reason for you to decide for others that there is no reason.

Maryanne Solo Posted September 22, 2021
It's been a requirement with my day job for a year and a half now. A former day job and probably my next one require fingerprint/recognition sign ins. I don't mind MFA via mobile phone but they are under NO illusion my phone is strictly for the safety of family members NOT for the employer to utilise willy nilly. 😋

bigmoe Whitfield Posted September 22, 2021

suzyst Posted September 22, 2021
FFS it's irritating enough having to sign in twice just to respond to anything on these forums. Now they want us to start farting around with phones? Claiming something is "industry standard" is Microsoft speak for we can't be bothered fixing the bugs.

bigmoe Whitfield Posted September 22, 2021
3 minutes ago, suzyst said: FFS it's irritating enough having to sign in twice just to respond to anything on these forums. Now they want us to start farting around with phones? Claiming something is "industry standard" is Microsoft speak for we can't be bothered fixing the bugs.
It is industry standard, lots of games even use 2FA/MFA now, many big business, I work for a Fortune 50 company and we do nothing without it, we've had some holdovers, but they too even came around, because we require it. The internet is going this same way and the ones that are not wanting to comply and move forward will end being left behind, like playing games on old hardware, there becomes the point where they won't work on systems and get blocked, I'm sorry, but things move forward.

suzyst Posted September 22, 2021
3 minutes ago, bigmoe Whitfield said: It is industry standard, lots of games even use 2FA/MFA now, many big business, I work for a Fortune 50 company and we do nothing without it, we've had some holdovers, but they too even came around, because we require it. The internet is going this same way and the ones that are not wanting to comply and move forward will end being left behind, like playing games on old hardware, there becomes the point where they won't work on systems and get blocked, I'm sorry, but things move forward.
And just who gave "industry" the right to control how we do things? I don't recall seeing Industry on any ballot papers. I'm pretty sure Tim Berners-Lee didn't have the profits of mobile phone companies in mind when he created the web. The way forward is not compliance with what industry wants, we've seen what sort of idiots we end up with in politics going down that road, the way forward is revolution, Greta Thunberg showed us that.

bigmoe Whitfield Posted September 22, 2021
38 minutes ago, suzyst said: And just who gave "industry" the right to control how we do things? I don't recall seeing Industry on any ballot papers. I'm pretty sure Tim Berners-Lee didn't have the profits of mobile phone companies in mind when he created the web. The way forward is not compliance with what industry wants, we've seen what sort of idiots we end up with in politics going down that road, the way forward is revolution, Greta Thunberg showed us that.
Well, it's going this way for a reason: the bad apples have ruined it for everyone and security measures are having to become commonplace in today's world and it's not going to go away, sorry. This is now life.