Security for Client - Suggestions (MFA follow up)


:D Congratulations on MFA (Multi-Factor Authentication)!!! :D

First and foremost, I want to thank whomever finally put in place MFA for web end logins. This was something that has been desperately needed since... Well, forever. Reading this morning's post over the news was exciting, however bitter-sweet. Clients still do not offer MFA support, and this can be a problem. I am aware that the weakest point of access has been "beefed" up with this new upgrade, but client security is a must.

My suggestion is, please add an option in the client to notify via e-mail when a user has logged in to the account. This is something that is fundamental and much needed. At the moment, residents can only achieve this with scripts made by other residents and these scripts (many of them) are faulty and outdated. 

Thank you,

-Cutie Banana 


18 minutes ago, Cutie Banana said:

scripts made by other residents

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

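The same attach-on-login approach, as an added example that is not Quistess Alpha's script: it skips the NULL_KEY event that attach() also raises on detach, and puts the region and position into the e-mail so an unexpected login location stands out. The e-mail address is a placeholder.

```lsl
// Added example (not the poster's script). Assumes the object is worn so
// attach() fires with the wearer's key at login; the address is a placeholder.
string myEmail = "you@example.com";

default
{
    attach(key ID)
    {
        // attach() also fires with NULL_KEY when the object is detached;
        // only a valid key means the wearer just logged in (or re-attached).
        if (ID == NULL_KEY) return;

        // keep the script worn so the notice cannot be silently removed (RLV)
        llOwnerSay("@detach=n");

        // region name and rounded position make an unexpected login obvious
        vector pos = llGetPos();
        string where = llGetRegionName() + " (" +
            (string)llRound(pos.x) + "," + (string)llRound(pos.y) + ")";

        // llEmail is rate limited by the simulator (20 second script delay),
        // which is fine for a once-per-login notice
        llEmail(myEmail, "Second Life login notice",
            "Login or attach at " + llGetTimestamp() + "\n" +
            "Region: " + where + "\n" +
            "Avatar: " + llKey2Name(ID));
    }
}
```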

What web account operations require MFA now? To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic. I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime. Or buy that 1,000,000 $L gold prim on the MP from the viewer.

Not sure why LL released a woefully incomplete MFA as the starter. Was it near quarterly review time and someone needed to show some progress?

Edited by Jaylinbridges

1 hour ago, Kimmi Zehetbauer said:

The client could pop-up a window when trying to top-up your Lindens.

Yes, do whatever you want with the buying L$ process through the viewer. Protect that at any cost, put that in your sole focus...

... that'll be enough distraction from harming all other operations. 


1 hour ago, Jaylinbridges said:

What web account operations require MFA now?  To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

Maybe to get input on bugs and stuff. As some activate it and run into issues --- they could report those bugs and gradually start on other stuff like the client.


2 hours ago, Quistess Alpha said:

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

Highly appreciate this (and will be using this for myself), however I do think this should be implemented on the client due to accessibility. Many residents are coming back to Second Life or some users have never edited scripts, etc. For language barriers, difficulty for some residents... I highly recommend that Second Life make this addition in their preference settings. Perhaps even with additional built-in security features for the client.

However, I am not sure this will convey because most of the settings are stored locally.... 


I don't believe a resident should have to purchase a script, search for a script or make a post on a forum for security.  

Edited by Cutie Banana

3 hours ago, Cutie Banana said:

:D Congratulations on MFA (Multi-Factor Authentication)!!! :D

First and foremost, I want to thank whomever finally put in place MFA for web end logins. This was something that has been desperately needed since... Well, forever. Reading this morning's post over the news was exciting, however bitter-sweet. Clients still do not offer MFA support, and this can be a problem. I am aware that the weakest point of access has been "beefed" up with this new upgrade, but client security is a must.

My suggestion is, please add an option in the client to notify via e-mail when a user has logged in to the account. This is something that is fundamental and much needed. At the moment, residents can only achieve this with scripts made by other residents and these scripts (many of them) are faulty and outdated. 

Thank you,

-Cutie Banana 

https://jira.secondlife.com/secure/Dashboard.jspa


2 hours ago, Jaylinbridges said:

Not sure why LL released a woefully incomplete MFA as the starter. Was it near quarterly review time and someone needed to show some progress?

I'm hoping it's part of a strategy to release early and often.

There is no reason MFA shouldn't be added everywhere it can be.


Just now, Coffee Pancake said:

I'm hoping it's part of a strategy to release early and often.

There is no reason MFA shouldn't be added everywhere it can be.

I do have one question. How would LL add MFA to their viewer? Also how would you add it to the TPVs? 


Just now, Sammy Huntsman said:

Would each TPV have to add their own MFA or how does that work? 

If MFA was added to the viewer I would expect it in the Linden viewer first and TPV's would just add that code unchanged to their respective projects.

We might tweak / tidy up the UI XML a little for thematic purposes.


2 hours ago, Jaylinbridges said:

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic. I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime. Or buy that 1,000,000 $L gold prim on the MP from the viewer.

Even with the MFA turned on, it is not yet needed for doing any L$ transactions - buy or sell - or to review your LindeX Order History and cancel any pending orders. They specifically chose not to integrate it with the LindeX at this time. I assume because it is more complicated due to being able to buy L$ inside the viewer -- and as you mentioned, someone was likely up against some sort of a timeline where some kind of progress had to be shown.


4 hours ago, LittleMe Jewell said:

7 hours ago, Jaylinbridges said:

What web account operations require MFA now?  To "top up" your $L from your web account you need to Buy Lindens. Is this not MFA protected?

With no MFA to login your Viewer (including TPV's) operational yet, the present MFA seems almost cosmetic.  I can top off my lindens in the Viewer anytime, and transfer those Lindens to anyone anytime.  Or buy that 1,000,000 $L gold prim on the MP from the viewer. 

Not sure why LL released a woefully incomplete MFA as the starter.  Was it near quarterly review time and someone needed to show some progress?

 

Interesting. 

Assuming based on Linden Lab's own explanation of where you will see it used, it leads me to believe that they are still working on implementing it throughout their site. The fact they did not mention the pages lets me know they are aware it is not fully complete. However, these are just my thoughts... I am hopeful that we will see this change in the most critical points such as purchasing Linden and the client etc. ... However I do feel that is a bigger challenge.

Putting something out incomplete is better than having nothing at all, at least in my opinion. 

Hopefully we see improvements next quarter, tehe 


Edited by Cutie Banana

On 9/23/2021 at 8:32 PM, Quistess Alpha said:

Just for reference, and because I wouldn't trust a closed-source LSL script to do anything related to security. . .

string myEmail = "test@example.com";
default
{
  attach(key ID)
  {
    if(ID)
    {
      // you should always wear this script, so use rlv to prevent yourself from accidentally detaching it:
      llOwnerSay("@detach=n");
      llEmail(myEmail,"Secondlife Login",
        "You have logged in or attached your security device\n"+
         llGetTimestamp()
      );
    }
  }
}

nothing "faulty or outdated" about something that simple.

Oh my god this is brilliant. Thank you!
