MULTI FACTOR AUTHENTICATION !!

[LittleMe Jewell]

1 hour ago, Bree Giffen said:

So who is using this new authentication? How’s it working for you? Half interested minds want to know.

I've set it up for all of my accounts that have Billing info.  I usually only log this account in to the Dashboard for stuff and it only asked for an authentication token the first time that I went to the Account History page - and that was roughly 26 or so hours ago. 

So, IMO, since the token doesn't seem to ever expire - even after closing the browser tab and re-opening it -- I'd say it doesn't really meet MY definition of proper 2FA.

[Jaylinbridges]

If their MFA algorithm detects the same IP# when relogging or signing out and back, why does it need to ask for another token?   Does the account thief share your same IP#?  You might want to move out of the dormitory in that case.

My banks ask for a new MFA token only if my IP# has changed, or the browser type has changed, or it's been 5-10 days since I last logged in.  Seems pretty standard to me.

 

Edited September 23, 2021 by Jaylinbridges

[Istelathis]

Apparently, our MFA cookies have a long shelf life.  They stay chewy and gooey for over 24 hours.  I checked to see if changing my IP via a VPN had any impact on the cookie, and it did not.  I was able to still access all of my account information after logging in with my VPN without needing to enter a new token.  I'm not sure what can be done about that, it goes beyond my paygrade, and I'm not sure how much of a vulnerability it would be, as someone might be tempted to snatch a cookie from the jar 🙃 

Edited September 23, 2021 by Istelathis

[Buttacwup Float]

IMHO. MFA should be transactional and not tied to where you are or a specific time. When you need to do something that requires a login you should use your token, always. The issue I think today, is that so many things on the dashboard currently do not require that login so they are using some time related thing to be the key to re-ask. It is an early implementation, I am sure it can be improved on.

[Maitimo]

12 hours ago, Chris Nova said:

We should have a going away party for those leaving SL once they are forced to download an authenticator app 🥳

 

Calm down, it will never happen. 

Can we put in dibs for their transferrable items?

[Anna Nova]

Well this IS fun!

I have 2FA on everything I can, I use Authy because it's backed up.  Glad SL joined the club.

I use a different password for each account everywhere, and store them in Bitwarden.  They are random-generated and as long as I can make them, often 60+ characters or so, including upper and lower case and numbers and special characters, except where idiots don't allow them.

Now my master password for bitwarden is actually a passphrase of some 40+ characters that I can type blindingly fast.

My email is Protonmail, because I want end-to-end anti-misgovernment encyption.

And my email address is different for each account everywhere too.  I use anonaddy.com.  That way when I get a spam I know just what cretin sold my credentials, which is one reason I operate a google-free and microsoft-free zone (to the extent that is possible given the pseudo-monopoly status)

Do I feel safe?  No.  And to be honest, I have nothing to hide.

[Maitimo]

45 minutes ago, Anna Nova said:

 

Do I feel safe?  No.  And to be honest, I have nothing to hide.

You do have things to hide, as do we all - bank details,  social security number,  tax records, health records and loads more sensitive and personal information.

[Chris Corvinus]

1 hour ago, Anna Nova said:

Well this IS fun!

I have 2FA on everything I can, I use Authy because it's backed up.  Glad SL joined the club.

I use a different password for each account everywhere, and store them in Bitwarden.  They are random-generated and as long as I can make them, often 60+ characters or so, including upper and lower case and numbers and special characters, except where idiots don't allow them.

Now my master password for bitwarden is actually a passphrase of some 40+ characters that I can type blindingly fast.

My email is Protonmail, because I want end-to-end anti-misgovernment encyption.

And my email address is different for each account everywhere too.  I use anonaddy.com.  That way when I get a spam I know just what cretin sold my credentials, which is one reason I operate a google-free and microsoft-free zone (to the extent that is possible given the pseudo-monopoly status)

Do I feel safe?  No.  And to be honest, I have nothing to hide.

I’ve never heard of Protonmail until now. Thank you!

[bigmoe Whitfield]

1 hour ago, Chris Nova said:

I’ve never heard of Protonmail until now. Thank you!

always becareful with such services,  they claim end to end, unless YOU hold the keys for the encryption you never know.

[Fionalein]

Thanks for keeping 2FA opt in.

[Anna Nova]

20 minutes ago, bigmoe Whitfield said:

always becareful with such services,  they claim end to end, unless YOU hold the keys for the encryption you never know.

This is good advice.

I especially like Protonmail because they are domiciled in Switzerland.  Swiss secrecy laws are very strict.  It is possible for the UK GuvThugs to get my IP address, but they have to prove they already have evidence of an offence in Swiss law to the Swiss court. Since I am not breaking the law this would take malicious intent on the part of the GovThugs.  The few times the Swiss courts have told Proton to release information to Interpol et al, it was for terrorism-related stuff.  And I only eat dead politicians.

[Anna Nova]

2 hours ago, Maitimo said:

You do have things to hide, as do we all - bank details,  social security number,  tax records, health records and loads more sensitive and personal information.

To be sure those are things that need to be confidential, but as the <expletive deleted> misgovernment (in my case the British Uncivil Dis-service) knows them already, and is the leakiest place for data in the known universe, that's a lost cause.  They couldn't even keep the names of their Afghan interpreters from being sent to the Taliban...

[Willow Seljan]

I would rather use email since I do not have a smartphone nor do I have the money to buy one. I am housebound and only have house land line phone not everyone owns a smartphone.

[Fionalein]

17 minutes ago, Anna Nova said:

Swiss secrecy laws are very strict.

Didn't stop the German government of buying data leaks on tax evaders from informants in Switzerland. Yes it's illegal - but when was the last time criminals cared about the law?

[Willow Seljan]

On 9/22/2021 at 11:30 AM, Sid Nagy said:

I, and only I decide what comes on my smartphone and what not. Because I'm the one who pays the bills for it.
And I don't see why I should.
Therefore the moment LL forces me to put an identification app for them on my smartphone, I'm done with SL.
They already take and sometimes pay money from and to me for 14+ years without any problems, so please don't start making some now.
So I hope it stays with being optional.

I am hoping they decide to use email I don't have a smartphone.

[Kimmi Zehetbauer]

My man who plays a few MMOs says one of them has a physical security token they send you and use it to access the game. They are unique up to 10 accounts and generates a # on it's screen you input onto the website. Some banks use them and I did a mock-up of one what a SL version could look like. This version of the token currently does not exist for SL.

 

Edited September 23, 2021 by Kimmi Zehetbauer
Battling the computer and the computer won.

[Catrie]

On 9/22/2021 at 11:01 AM, Silent Mistwalker said:

 

https://www.ign.com/articles/sec-activision-blizzard-federal-investigation

How does that negate them having a physical authenticator/authenticator app for years?

[Silent Mistwalker]

27 minutes ago, Catrie said:

How does that negate them having a physical authenticator/authenticator app for years?

I was just providing information you may not have been aware of since you mentioned possibly going back to WoW. Just in case you might want to rethink going back. It's not looking too good for Activision Blizzard these days.

[Luna Bliss]

23 hours ago, Istelathis said:

@Luna BlissI use mine for just about everything, but rarely for phone calls 🙃  A handy flashlight for when I am walking my dog or the power goes out, a camera when I want to take a picture, a place to keep my grocery list, music for while I am out walking, a TV for when I am waiting in the car or for an appointment.  I like that I can scan products at a store with it, check out reviews, and compare prices at other stores as well.  The GPS is really nice also, I use that all of the time. Plus for when the Internet does go out, I can turn it into a wireless router and browse the Internet on my computer.

Having access to a super computer (compared to what I owned before) in my pocket is nice,  especially considering how cheap it is.

lol same for me...seems I rarely actually make phone calls with it.

I never thought of using it as a hot spot when the internet goes out...could be very handy when I absolutely have to have access to my desktop.

[Pixie Kobichenko]

41 minutes ago, Kimmi Zehetbauer said:

My man who plays a few MMOs says one of them has a physical security token they send you and use it to access the game. They are unique up to 10 accounts and generates a # on it's screen you input onto the website. Some banks use them and I did a mock-up of one what a SL version could look like. This version of the token currently does not exist for SL.

 

I worked for the main dial up internet provider the 90s in a call center & at one point something similar was introduced to access our machines.  It just generated random characters & you had to type them into the computer.  I was really bad about forgetting it at home, misplacing it altogether, or leaving it my pocket & running it thru the washer, etc.  😑 

[Catrie]

7 minutes ago, Silent Mistwalker said:

I was just providing information you may not have been aware of since you mentioned possibly going back to WoW. Just in case you might want to rethink going back. It's not looking too good for Activision Blizzard these days.

Oh, I'm well aware of this.  In fact, I used to work for them.  So, I'm all too familiar with it.  I also still have friends that work there. Personally, I'd play on a private server first before I ever gave Blizz my money again. 

[Chris Corvinus]

2 hours ago, Catrie said:

Oh, I'm well aware of this.  In fact, I used to work for them.  So, I'm all too familiar with it.  I also still have friends that work there. Personally, I'd play on a private server first before I ever gave Blizz my money again. 

That whole situation saddens me. I cancelled my sub, cancelled my D2 preorder, and am playing GW2 now until Blizz gets their crap together. They are currently fixing things in games to appease people when they should be focusing more on their actual employees. That whole thing just….annoys me. No king reigns forever. 
 

Sorry I got the topic off track but I needed to say that. Carry on.

[LittleMe Jewell]

16 hours ago, Istelathis said:

Apparently, our MFA cookies have a long shelf life.  They stay chewy and gooey for over 24 hours.

I'm at almost 48 hours since I last provide a token and can still access all financial pages.

[Silent Mistwalker]

9 minutes ago, LittleMe Jewell said:

I'm at almost 48 hours since I last provide a token and can still access all financial pages.

Have you rebooted your pc since then? If you haven't completely broken the connection what you are experiencing is possible.

[LittleMe Jewell]

3 minutes ago, Silent Mistwalker said:

Have you rebooted your pc since then? If you haven't completely broken the connection what you are experiencing is possible.

Nope and haven't closed the browser tab either -- though I did close it day before yesterday and that also did not force expire the token.

IMO - If the token never expires when the browser tab is closed or after some (hopefully fairly short) amount of time, then the 2FA is somewhat broken.