Security for Client - Suggestions (MFA follow up)

[Yu Suki]

 Congratulations on MFA (Mutli-Factor Authentication) !!! 

          First and foremost, I want to thank whomever finally put in place MFA for web end logins. This was something that has been desperately needed since... Well, forever.  Reading this mornings  post over the news was exciting however, bitter-sweet. Clients still do not offer MFA support, and this can be a problem. I am aware that the weakest point of access has been "beefed" up with his new upgrade but client security is a must. 

My suggestion is, please add an option in the client to notify via e-mail when a user has logged in to the account. This is something that is fundamental and much needed. At the moment, residents can only achieve this with scripts made by other residents and these scripts (many of them) are faulty and outdated. 

Thank you,

-Cutie Banana 

[Quistess Alpha]

18 minutes ago, Cutie Banana said:

scripts made by other residents

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

[Kimmi Zehetbauer]

The client could pop-up a window when trying to top-up your Lindens. Some MMOs do that.  I could see this in the official viewer and FS. Not sure in Singularity since that one hasn't had an update for some time.

[Jaylinbridges]

What web account operations require MFA now?  To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

Edited September 23, 2021 by Jaylinbridges

[Lillith Hapmouche]

1 hour ago, Kimmi Zehetbauer said:

The client could pop-up a window when trying to top-up your Lindens.

Yes, do whatever you want with the buying L$ process through the viewer. Protect that at any cost, put that in your sole focus...

... that'll be enough distraction from harming all other operations. 

[Kimmi Zehetbauer]

1 hour ago, Jaylinbridges said:

What web account operations require MFA now?  To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

Maybe to get input on bugs and stuff. As some activate it and run into issues --- they could report those bugs and gradually start on other stuff like the client.

[Yu Suki]

2 hours ago, Quistess Alpha said:

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

Highly appreciate this (and will be using this for myself) , however I do think this should be implemented on client due to accessibility. Many residents are coming back to Second Life or some users have never edit scripts, etc.  For language barriers, difficulty for some residents... I highly recommend Second Life to make this addition into their preference settings. Perhaps even with  additional built in security features for the client.

However, I am not sure this will convey because most of the settings are stored locally.... 

 

I don't believe a resident should have to purchase a script, search for a script or make a post on a forum for security.  

Edited September 23, 2021 by Cutie Banana

[LittleMe Jewell]

3 hours ago, Cutie Banana said:

 Congratulations on MFA (Mutli-Factor Authentication) !!! 

          First and foremost, I want to thank whomever finally put in place MFA for web end logins. This was something that has been desperately needed since... Well, forever.  Reading this mornings  post over the news was exciting however, bitter-sweet. Clients still do not offer MFA support, and this can be a problem. I am aware that the weakest point of access has been "beefed" up with his new upgrade but client security is a must. 

My suggestion is, please add an option in the client to notify via e-mail when a user has logged in to the account. This is something that is fundamental and much needed. At the moment, residents can only achieve this with scripts made by other residents and these scripts (many of them) are faulty and outdated. 

Thank you,

-Cutie Banana 

https://jira.secondlife.com/secure/Dashboard.jspa

[Coffee Pancake]

2 hours ago, Jaylinbridges said:

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

I'm hoping it's part of a strategy to release early and often.

There is no reason MFA shouldn't be added everywhere it can be.

[Sammy Huntsman]

Just now, Coffee Pancake said:

I'm hoping it's part of a strategy to release early and often.

There is no reason MFA shouldn't be added everywhere it can be.

I do have one question. How would LL add MFA to their viewer? Also how would you add it to the TPVs? 

[Sammy Huntsman]

2 minutes ago, Coffee Pancake said:

I'm hoping it's part of a strategy to release early and often.

There is no reason MFA shouldn't be added everywhere it can be.

Would each TPV have to add their own MFA or how does that work? 

[Coffee Pancake]

Just now, Sammy Huntsman said:

Would each TPV have to add their own MFA or how does that work? 

If MFA was added to the viewer I would expect it in the Linden viewer first and TPV's would just add that code unchanged to their respective projects.

We might tweak / tidy up the UI XML a little for thematic purposes.

[LittleMe Jewell]

2 hours ago, Jaylinbridges said:

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Even with the MFA turned on, it is not yet needed for doing any L$ transactions - buy or sell - or to review your LindeX Order History and cancel any pending orders.  They specifically chose not to integrate it with the LindeX at this time.  I assume because it is more complicated due to being able to buy L$ inside the viewer -- and as you mentioned, someone was likely up against some sort of  a timeline where some kind of progress had to be shown.

 

[Yu Suki]

4 hours ago, LittleMe Jewell said:

7 hours ago, Jaylinbridges said:

What web account operations require MFA now?  To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

 

Interesting. 

Assuming based on Linden Lab's own explanation of where you will see it used, it leads me to believe that they are still working on implementing it throughout their site. The fact they did not mention the pages lets me know they are aware it is not fully complete. However, this is just my thoughts...  I am hopeful that we will see this change in the most critical points such as purchasing Linden and the client etc. ... However I do feel that is a bigger challenge.

Putting something out incomplete is better than having nothing at all, at least in my opinion. 

Hopefully we see improvements next quarter, tehe 

 

Edited September 24, 2021 by Cutie Banana

[Karl Herber]

On 9/23/2021 at 8:32 PM, Quistess Alpha said:

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

Oh my god this is brilliant. Thank you!