MULTI FACTOR AUTHENTICATION !!


Coffee Pancake

Bad MFA implementation. This is why I hate it. Because they force you to use a smartphone. Something that's never in range. They need to implement an e-mail version. Or just not implement it. 2FA is only made to annoy users. If you use your brains 2FA is not needed too. Never did feel I need it.

Just reading, and that's a big security risk, never use the built-in SL web browser! It's less secure and less control. Also a tiny font.

Quote

Consider using the inworld viewer setting Use the built-in browser for Second Life links only (Me > Preferences > Setup), which will make it easier to spot when you receive a link to a website pretending to be part of

 

Edited by Richardus Raymaker
  • Like 1

6 hours ago, LittleMe Jewell said:

Will be reporting a bug.  I set it all up two hours ago and it says it is turned on.  However, I just now logged out and went to log in again and it did not ask for a token.  I logged out and then logged in on another browser and it did not ask for the token.  I repeated the log out and then logged in on a third browser and it did not ask for a token.

I'm pretty sure that is NOT the way it is supposed to work

 

Cut them some slack.
After all, we are talking about a LL implementation.
"NEVER the first time right" is part of their TAO, no?

Edited by Sid Nagy
  • Like 3
  • Haha 2

I, and only I decide what comes on my smartphone and what not. Because I'm the one who pays the bills for it.
And I don't see why I should.
Therefore the moment LL forces me to put an identification app for them on my smartphone, I'm done with SL.
They already take and sometimes pay money from and to me for 14+ years without any problems, so please don't start making some now.
So I hope it stays with being optional.

Edited by Sid Nagy
  • Like 8
  • Haha 1

2 minutes ago, Chris Nova said:

Only humans complain about something that’s optional. It’s why aliens won’t visit us.

Most of the time optional is the first step towards mandatory.
Only just a matter of time.

Edited by Sid Nagy
  • Like 5
  • Thanks 1
  • Haha 1

2 hours ago, Richardus Raymaker said:

Bad MFA implementation. This is why I hate it. Because they force you to use a smartphone. Something that's never in range. They need to implement an e-mail version. Or just not implement it. 2FA is only made to annoy users. If you use your brains 2FA is not needed too. Never did feel I need it.

Just reading, and that's a big security risk, never use the built-in SL web browser! It's less secure and less control. Also a tiny font.

 

Maybe if everyone had MFA on their email that would be a good option. Something you know, something you have in your possession. A token, a phone call, a prompt on a phone, your fingerprint, your face. Email, text messages etc are not always in your possession.

  • Haha 1

3 hours ago, suzyst said:

And just who gave "industry" the right to control how we do things? I don't recall seeing Industry on any ballot papers.  I'm pretty sure Tim Berners-Lee didn't have the profits of mobile phone companies in mind when he created the web. The way forward is not compliance with what industry wants, we've seen what sort of idiots we end up with in politics going down that road, the way forward is revolution, Greta Thunberg showed us that.

Go back over the past year and read about Solar Winds. Read about the issues that arose out of that with Microsoft Exchange. Then go and read about all of the recent ransomware attacks. That is what MFA is meant to help prevent.  It also helps to prevent your account from being compromised through phishing or in some cases carelessness. You might think your account isn't one people are after, but getting your account in one place actually is important. So many people don't use MFA across all accounts but do use exceedingly similar or weak passwords across accounts that it opens up the possibility when getting one account they can get more and more. Ask anyone that had their identity stolen, or fell victim to their account being compromised from a data leak. Once bad actors find a way in they will search for the paths of least resistance to find more. I know this isn't something most people think about, but it is something everyone should be doing for all of their online accounts. 

  • Haha 1

31 minutes ago, Buttacwup Float said:

  It also helps to prevent your account from being compromised through phishing or in some cases carelessness.

Phishing isn't in some cases carelessness, but always.
It's the user who should be in a double check mode, not the computer.

 

34 minutes ago, Buttacwup Float said:

 I know this isn't something most people think about, but it is something everyone should be doing for all of their online accounts. 

Behind every tree hides a bear, and under every rock is a snake... sorry, I'm not going to live like that.
It's optional, no matter your opinion that we all should. For quite some people it's even impossible.

  • Like 6

10 hours ago, Kimmi Zehetbauer said:

At least it's opt-in --- especially for the 34 of us that don't have smart phones.

3 minutes ago, Alwin Alcott said:

It's optional... For quite some people it's even impossible

And for some of us, we live in an area where there is no mobile/cellphone reception, so it's not an option.

Edited by wesleytron
  • Like 7

Honestly, they should have had this for years now.  They deal with currency that can be converted to real world currency.  This should have been one of the first things implemented.  If someone broke into a big store's account and took all their Linden, it has real world implications. 

Blizzard has had authenticators for years now,  so has ArenaNet.  I recently decided to play GuildWars2 again and had to get my old authenticator removed.  I haven't played on there for at least 7 years.  If I ever decide to go back to WoW, I'll have to do the same thing. 

 

If you don't want to use it, don't.  However, to me, it's just common sense to help secure my account and something I've done for years with other online games. 

  • Like 3

I think they should implement authentication by fax and maybe even telegraph! I only have a landline and use dial-up internet so I feel left out. I even have to turn off half my lights to play SL so my diesel generator does not overheat!! I am excited though, we are supposed to get indoor plumbing next year!!!

*Sent from an Android device*

  • Like 1

 

2 hours ago, Sid Nagy said:

I, and only I decide what comes on my smartphone and what not. Because I'm the one who pays the bills for it.
And I don't see why I should.
Therefore the moment LL forces me to put an identification app for them on my smartphone, I'm done with SL.
They already take and sometimes pay money from and to me for 14+ years without any problems, so please don't start making some now.
So I hope it stays with being optional.

The fear factor is strong with you. Get a grip, man. You’re being ridiculous. Any app you put on your phone is optional.

  • Haha 2

I haven’t had a phone of my own since hubby began working from home well over a year ago because I do not want to voice chat.  Not phone calls, Skype, SL- I really dislike interacting in person with neighbors as well- my anxiety is literally that bad.  So dropped my number from the plan & saved the $10 a month for spending on other things.  If anyone needs to get ahold of me they have several outlets via my iPad & I can answer when I feel like it.  Or not.  If the power goes out or Mr. Landlord needs to fix something- there’s hubby’s cell. If LL were to force implement the need to receive a code via text to log in then I suppose I will never log in as opposed to very randomly.  I’m sure my paltry expenditures in SL won’t be missed- but I’ve no doubt there’s many, many more with their own reasons for not wanting something like this. 

Edited by Pixie Kobichenko
  • Like 1

3 minutes ago, Pixie Kobichenko said:

I haven’t had a phone of my own since hubby began working from home well over a year ago because I literally do not want to voice chat.  Not phone calls, Skype, SL- I really dislike interacting in person with neighbors as well- my anxiety is literally that bad.  So dropped my number from the plan & saved the $10 a month for spending on other things.  If anyone needs to get ahold of me they have several outlets via my iPad & I can answer when I feel like it.  Or not.  If the power goes out or Mr. Landlord needs to fix something- there’s hubby’s cell. If LL were to force implement the need to receive a code via text to log in then I suppose I will never log in as opposed to very randomly.  I’m sure my paltry expenditures in SL won’t be missed- but I’ve no doubt there’s many, many more with their own reasons for not wanting something like this. 

It’s optional. Stop spreading fear around. 
Everyone really needs to chill out with this idea that LL is going to implement forced 2FA later down the road. Forced 2FA doesn’t exist. It’s always been optional. Seriously, cut it out.

  • Haha 3

In SL, MFA is still optional, as is Microsoft's move to get rid of account passwords for now, but eventually passwords as an authentication secret will vanish everywhere. They simply do not work and never have.

Long before the Lab makes MFA mandatory (if that even happens within the SL product lifespan), they'll surely get it working with any of the many desktop authenticator apps that can be enabled by text instead of QR code. (Or maybe they already have this, I didn't play with it that much.)

For now I only set it up for an alt's account, just to ride out the first wave of bugs.

Edited by Qie Niangao
  • Like 1

It sometimes seems to me that, as security measures increase, there seems to be ever more of a shift to blame the victim for stupidity / negligence. While those that steal from others (whether monetary or otherwise) are almost admired for their cleverness in circumventing security measures...

A bit of a slippery slope...

 

  • Like 3

1 hour ago, Chris Nova said:

It’s optional. Stop spreading fear around. 
Everyone really needs to chill out with this idea that LL is going to implement forced 2FA later down the road. Forced 2FA doesn’t exist. It’s always been optional. Seriously, cut it out.

You did see the IF in my statement?  IF LL were to implement something mandatory.  IF.  Speculative, theoretical  IF.  
How about you stop responding to things folks didn’t say?  Respond to what was said?  That’d be nifty.

Or you could be so gracious as to respond first on any thread that might pique your interest & lay the ground rules on what we’re allowed to express?

1 hour ago, Pixie Kobichenko said:

If LL were to force implement the need to receive a code via text to log in then I suppose I will never log in as opposed to very randomly.

 

Edited by Pixie Kobichenko
Eye twitchy revamp & edit of final thought.
  • Like 1

20 minutes ago, Richardus Raymaker said:

It's optional now. But I know companies well enough that they are going to force it on users. That's the problem. Most fear can be fixed by implementing the e-mail version like Steam uses before they force it.

That already happened at Paypal in August, and it was a disaster, because tens of thousands of people complained, who did not have a cell phone, and could not access their private account information as a result. Paypal reversed this after 3 weeks of being inundated with calls and posts on their forums...

There need to be alternatives to account for people who do not have cell phones, or iPads, or use "apps", which is a lot more people than anyone realizes. And I am part of that crowd. Really getting annoyed with the MFA system being implemented and companies never taking people like myself into account. IF I could afford a phone or these so-called "apps", then I would gladly do so. I cannot. So what happens to those of us in the same boat when MFA becomes mandatory?

Just one more thing that is leaving a bad taste lately from LL. Maybe they should be "fixing" things first like group chats, and so on, before they start to implement these idiotic processes....🤔

Edited by ShibariKate
  • Like 2
  • Thanks 1

Read the details and whilst I don't mind the two step approach it looks like SL have opted for the most complicated setup procedure around. Downloading apps, scanning QR codes (so long as you have a camera) or entering a huge string password, and then dancing through several hoops to get it activated. Meanwhile most banks and other accounts with sensitive info just send a code via SMS text and bingo I'm in. No faffing about, no fuss.

Oh well, it is SL after all

 

 

  • Like 2

36 minutes ago, ShibariKate said:

Just one more thing that is leaving a bad taste lately from LL. Maybe they should be "fixing" things first like group chats, and so on, before they start to implement these idiotic processes....🤔

They are working towards a Tilia online bank IMHO independent from SL. Just like Paypal is (at least in Europe).
So they need adequate security in place to proceed.
This optional extra identification is likely only a first step.

I have the strong feeling that LL's main interest isn't SL's future but rolling Tilia further out.
SL proceeds a nice stash of cash to finance those efforts. So the use of tape and shiny and the lack of a SL development roadmap to keep it going are explained.
We are cash cows, nothing more.

Edited by Sid Nagy
  • Like 3

The two step authentication process has been in use for a while now, I am glad SL implemented it and wish they provided the option for actually logging into SL itself rather than just the website.  It provides an extra layer of security, which I find a little refreshing.  As far as how it works on other services, when I try to log in from a remote location my phone will ping me asking for authorization which is actually kind of nice.

If you have a Google account, and want to see something scary, look at the history of where people have tried to log into your account.  Chances are you will see a few from far away lands.  After I saw mine a few years ago, I started to use the multi-factor authentication on most of my services.  

Edited by Istelathis