Jump to content

MULTI FACTOR AUTHENTICATION !!


Recommended Posts

1 hour ago, Bree Giffen said:

So who is using this new authentication? How’s it working for you? Half interested minds want to know.

I've set it up for all of my accounts that have Billing info.  I usually only log this account in to the Dashboard for stuff and it only asked for an authentication token the first time that I went to the Account History page - and that was roughly 26 or so hours ago. 

So, IMO, since the token doesn't seem to ever expire - even after closing the browser tab and re-opening it -- I'd say it doesn't really meet MY definition of proper 2FA.

  • Like 1
Link to comment
Share on other sites

If their MFA algorithm detects the same IP# when relogging or signing out and back, why does it need to ask for another token?   Does the account thief share your same IP#?  You might want to move out of the dormitory in that case.

My banks ask for a new MFA token only if my IP# has changed, or the browser type has changed, or it's been 5-10 days since I last logged in.  Seems pretty standard to me.

 

Edited by Jaylinbridges
  • Like 1
Link to comment
Share on other sites

Apparently, our MFA cookies have a long shelf life.  They stay chewy and gooey for over 24 hours.  I checked to see if changing my IP via a VPN had any impact on the cookie, and it did not.  I was able to still access all of my account information after logging in with my VPN without needing to enter a new token.  I'm not sure what can be done about that, it goes beyond my paygrade, and I'm not sure how much of a vulnerability it would be, as someone might be tempted to snatch a cookie from the jar 🙃 

Edited by Istelathis
  • Like 1
Link to comment
Share on other sites

IMHO. MFA should be transactional and not tied to where you are or a specific time. When you need to do something that requires a login you should use your token, always. The issue I think today, is that so many things on the dashboard currently do not require that login so they are using some time related thing to be the key to re-ask. It is an early implementation, I am sure it can be improved on.

  • Sad 1
Link to comment
Share on other sites

12 hours ago, Chris Nova said:

We should have a going away party for those leaving SL once they are forced to download an authenticator app 🥳

 

Calm down, it will never happen. 

Can we put in dibs for their transferrable items?

  • Haha 2
Link to comment
Share on other sites

Well this IS fun!

I have 2FA on everything I can, I use Authy because it's backed up.  Glad SL joined the club.

I use a different password for each account everywhere, and store them in Bitwarden.  They are random-generated and as long as I can make them, often 60+ characters or so, including upper and lower case and numbers and special characters, except where idiots don't allow them.

Now my master password for bitwarden is actually a passphrase of some 40+ characters that I can type blindingly fast.

My email is Protonmail, because I want end-to-end anti-misgovernment encyption.

And my email address is different for each account everywhere too.  I use anonaddy.com.  That way when I get a spam I know just what cretin sold my credentials, which is one reason I operate a google-free and microsoft-free zone (to the extent that is possible given the pseudo-monopoly status)

Do I feel safe?  No.  And to be honest, I have nothing to hide.

  • Like 3
  • Thanks 1
  • Haha 2
Link to comment
Share on other sites

45 minutes ago, Anna Nova said:

 

Do I feel safe?  No.  And to be honest, I have nothing to hide.

You do have things to hide, as do we all - bank details,  social security number,  tax records, health records and loads more sensitive and personal information.

  • Like 1
  • Thanks 1
Link to comment
Share on other sites

1 hour ago, Anna Nova said:

Well this IS fun!

I have 2FA on everything I can, I use Authy because it's backed up.  Glad SL joined the club.

I use a different password for each account everywhere, and store them in Bitwarden.  They are random-generated and as long as I can make them, often 60+ characters or so, including upper and lower case and numbers and special characters, except where idiots don't allow them.

Now my master password for bitwarden is actually a passphrase of some 40+ characters that I can type blindingly fast.

My email is Protonmail, because I want end-to-end anti-misgovernment encyption.

And my email address is different for each account everywhere too.  I use anonaddy.com.  That way when I get a spam I know just what cretin sold my credentials, which is one reason I operate a google-free and microsoft-free zone (to the extent that is possible given the pseudo-monopoly status)

Do I feel safe?  No.  And to be honest, I have nothing to hide.

I’ve never heard of Protonmail until now. Thank you!

  • Like 1
Link to comment
Share on other sites

20 minutes ago, bigmoe Whitfield said:

always becareful with such services,  they claim end to end, unless YOU hold the keys for the encryption you never know.

This is good advice.

I especially like Protonmail because they are domiciled in Switzerland.  Swiss secrecy laws are very strict.  It is possible for the UK GuvThugs to get my IP address, but they have to prove they already have evidence of an offence in Swiss law to the Swiss court. Since I am not breaking the law this would take malicious intent on the part of the GovThugs.  The few times the Swiss courts have told Proton to release information to Interpol et al, it was for terrorism-related stuff.  And I only eat dead politicians.:D

Link to comment
Share on other sites

2 hours ago, Maitimo said:

You do have things to hide, as do we all - bank details,  social security number,  tax records, health records and loads more sensitive and personal information.

To be sure those are things that need to be confidential, but as the <expletive deleted> misgovernment (in my case the British Uncivil Dis-service) knows them already, and is the leakiest place for data in the known universe, that's a lost cause.  They couldn't even keep the names of their Afghan interpreters from being sent to the Taliban...

Link to comment
Share on other sites

17 minutes ago, Anna Nova said:

Swiss secrecy laws are very strict.

Didn't stop the German government of buying data leaks on tax evaders from informants in Switzerland. Yes it's illegal - but when was the last time criminals cared about the law?

Link to comment
Share on other sites

On 9/22/2021 at 11:30 AM, Sid Nagy said:

I, and only I decide what comes on my smartphone and what not. Because I'm the one who pays the bills for it.
And I don't see why I should.
Therefore the moment LL forces me to put an identification app for them on my smartphone, I'm done with SL.
They already take and sometimes pay money from and to me for 14+ years without any problems, so please don't start making some now.
So I hope it stays with being optional.

I am hoping they decide to use email I don't have a smartphone.

  • Like 2
Link to comment
Share on other sites

My man who plays a few MMOs says one of them has a physical security token they send you and use it to access the game. They are unique up to 10 accounts and generates a # on it's screen you input onto the website. Some banks use them and I did a mock-up of one what a SL version could look like. This version of the token currently does not exist for SL.

 

SL_Secutiy_Key_Moc_Up.png.bcece787a181952c22cb396bbca3a914.png

Edited by Kimmi Zehetbauer
Battling the computer and the computer won.
Link to comment
Share on other sites

27 minutes ago, Catrie said:

How does that negate them having a physical authenticator/authenticator app for years?

I was just providing information you may not have been aware of since you mentioned possibly going back to WoW. Just in case you might want to rethink going back. It's not looking too good for Activision Blizzard these days.

Link to comment
Share on other sites

23 hours ago, Istelathis said:

@Luna BlissI use mine for just about everything, but rarely for phone calls 🙃  A handy flashlight for when I am walking my dog or the power goes out, a camera when I want to take a picture, a place to keep my grocery list, music for while I am out walking, a TV for when I am waiting in the car or for an appointment.  I like that I can scan products at a store with it, check out reviews, and compare prices at other stores as well.  The GPS is really nice also, I use that all of the time. Plus for when the Internet does go out, I can turn it into a wireless router and browse the Internet on my computer.

Having access to a super computer (compared to what I owned before) in my pocket is nice,  especially considering how cheap it is.

lol same for me...seems I rarely actually make phone calls with it.

I never thought of using it as a hot spot when the internet goes out...could be very handy when I absolutely have to have access to my desktop.

  • Like 1
Link to comment
Share on other sites

41 minutes ago, Kimmi Zehetbauer said:

My man who plays a few MMOs says one of them has a physical security token they send you and use it to access the game. They are unique up to 10 accounts and generates a # on it's screen you input onto the website. Some banks use them and I did a mock-up of one what a SL version could look like. This version of the token currently does not exist for SL.

 

SL_Secutiy_Key_Moc_Up.png.bcece787a181952c22cb396bbca3a914.png

I worked for the main dial up internet provider the 90s in a call center & at one point something similar was introduced to access our machines.  It just generated random characters & you had to type them into the computer.  I was really bad about forgetting it at home, misplacing it altogether, or leaving it my pocket & running it thru the washer, etc.  😑 

Link to comment
Share on other sites

7 minutes ago, Silent Mistwalker said:

I was just providing information you may not have been aware of since you mentioned possibly going back to WoW. Just in case you might want to rethink going back. It's not looking too good for Activision Blizzard these days.

Oh, I'm well aware of this.  In fact, I used to work for them.  So, I'm all too familiar with it.  I also still have friends that work there. Personally, I'd play on a private server first before I ever gave Blizz my money again. 

  • Like 3
Link to comment
Share on other sites

2 hours ago, Catrie said:

Oh, I'm well aware of this.  In fact, I used to work for them.  So, I'm all too familiar with it.  I also still have friends that work there. Personally, I'd play on a private server first before I ever gave Blizz my money again. 

That whole situation saddens me. I cancelled my sub, cancelled my D2 preorder, and am playing GW2 now until Blizz gets their crap together. They are currently fixing things in games to appease people when they should be focusing more on their actual employees. That whole thing just….annoys me. No king reigns forever. 
 

Sorry I got the topic off track but I needed to say that. Carry on.

  • Like 2
Link to comment
Share on other sites

9 minutes ago, LittleMe Jewell said:

I'm at almost 48 hours since I last provide a token and can still access all financial pages.

Have you rebooted your pc since then? If you haven't completely broken the connection what you are experiencing is possible.

Link to comment
Share on other sites

3 minutes ago, Silent Mistwalker said:

Have you rebooted your pc since then? If you haven't completely broken the connection what you are experiencing is possible.

Nope and haven't closed the browser tab either -- though I did close it day before yesterday and that also did not force expire the token.

IMO - If the token never expires when the browser tab is closed or after some (hopefully fairly short) amount of time, then the 2FA is somewhat broken.  

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...