Jump to content

Coming soon! Email login Notifications!

bigmoe Whitfield

By bigmoe Whitfield,
in Second Life Web

 Share
You are about to reply to a thread that has been inactive for 776 days.

Please take a moment to consider if this thread is worth bumping.

Recommended Posts

bigmoe Whitfield

bigmoe Whitfield

Posted
  • Author
Posted
10 minutes ago, Coffee Pancake said:

Email notifications is a welcome addition ... my only issue with it is .. well .. it's email. Who uses email.

I'm old, I have 30 or so email address, many for different things,  I like my email lists,   lol.   so I use it.  I will always use it.    I have one of the very first hotmail accounts when the service launched, so shows you how long I've actually had email.    well, I think I have a gopher address some place too,   lol.

  • Like 1
  • Haha 1
Link to comment
Share on other sites
Istelathis

Istelathis

Posted
Posted (edited)

It is good to see LL is providing people more security options for their accounts.  I was really happy when they introduced MFA to some of our account pages, and am looking forward to it being implemented to the viewer itself.  Email notifications are a nice addition for account security.

 

Seeing that I sometimes get a bit selfish, and like to push for more changes rather than just be happy with what we get 😜 It would be great if we had an extra page in our account information to show where there have been attempts to log into our account, complete with the date, device, and so on.. 

Edited by Istelathis
Link to comment
Share on other sites
LittleMe Jewell

LittleMe Jewell

Posted
Posted
25 minutes ago, Coffee Pancake said:

Email notifications is a welcome addition ... my only issue with it is .. well .. it's email. Who uses email.

I do still use email a lot, though I am getting more used to messages on my phone asking for verification of stuff.  My primary credit card actually does both -- sends a text message and an email when they want to confirm if a purchase was me.  I actually prefer systems that do both -- for those times when one or the other isn't working right.

  • Like 1
Link to comment
Share on other sites
Chic Aeon

Chic Aeon

Posted
Posted
44 minutes ago, LittleMe Jewell said:

I do still use email a lot, though I am getting more used to messages on my phone asking for verification of stuff.  My primary credit card actually does both -- sends a text message and an email when they want to confirm if a purchase was me.  I actually prefer systems that do both -- for those times when one or the other isn't working right.

And not everyone has a cell phone (yes, I know but true and on purpose) AND some folks cannot receive text messages on their cell phones.   So email is definitely the more inclusive choice. 

 

Most of the big platforms (like STEAM) use email checking on new devices.   Discord also.  Happily it is JUST when you switch computers although clearing cookies each day like some folks I know, might make the checking kick in.   I keep my cookies saved as I am lazy. 

  • Like 3
Link to comment
Share on other sites
bigmoe Whitfield

bigmoe Whitfield

Posted
  • Author
Posted
2 minutes ago, Chic Aeon said:

And not everyone has a cell phone (yes, I know but true and on purpose) AND some folks cannot receive text messages on their cell phones.   So email is definitely the more inclusive choice. 

 

Most of the big platforms (like STEAM) use email checking on new devices.   Discord also.  Happily it is JUST when you switch computers although clearing cookies each day like some folks I know, might make the checking kick in.   I keep my cookies saved as I am lazy. 

 

The time is coming though where not having a phone that can text and receive email is going to leave people in the dirt and it's not going to be fun,  the world is coming more and more "connected"  at some point people will have to get a very dumb android device to keep going with their online lives.   

  • Like 3
Link to comment
Share on other sites
Nick0678

Nick0678

Posted
Posted (edited)
2 hours ago, LittleMe Jewell said:

My primary credit card actually does both -- sends a text message and an email when they want to confirm if a purchase was me.

Can i have your CC number? i promise you wont get any annoying phone notifications at all!

200w.webp?cid=ecf05e47z21vk1nkyuo1jk07v7

Edited by Nick0678
  • Haha 1
Link to comment
Share on other sites
Henri Beauchamp

Henri Beauchamp

Posted
Posted (edited)
15 hours ago, Coffee Pancake said:

my only issue with it is .. well .. it's email. Who uses email.

I do !!!   And no, I do not use any ”smart” phone (not even owning a mobile phone either), any ”social media” (Twitter, Facebook & Co), any messaging application, so email is the primary mean of communication for me on Internet !

However, I'd like this additional ”security” feature (*) to be made optional and opt-in only: I do not want to be bothered with unsolicited emails (AKA SPAM) when I connect with another ”computer” (most often on another VM on the same computer), or just another OS, or with a new dynamic IP, another viewer, or whatever !

(*) I really do not care about it, like I do not care about (and do not want to be bothered with) MFA: I am paranoid enough that I took all necessary security measures on my end for years already !

Edited by Henri Beauchamp
  • Like 2
  • Thanks 1
Link to comment
Share on other sites
Nick0678

Nick0678

Posted
Posted
54 minutes ago, Kyle Blackwood said:

If a logon is attempted from a new computer (or IP address) then it should trigger a 2FA before it is allowed access.

I have a new computer fingerprint and IP on every reboot so nope. If they want 2FA there should also be an opt out for those who don't want such nonsense when playing an MMORPG game.

  • Thanks 1
Link to comment
Share on other sites
Max Quirky

Max Quirky

Posted
Posted (edited)

I can see the issue that those with VPNs would face but SL accounts are targetted for phishing scams and some people fall for them. Having the 2FA before the logon is permitted protects the account and the access to payment systems which could otherwise be used.

Yes making it optional would be wise

1) I want to secure my accound and do not mind 2FA

2) I do not want to secure my account

But the default should to be secure and those who wish to opt out do so at their own risk.

Many online games do not permit such opting out though and ask for 2FA each time a new device of IP is noticed or even on each logon for some games. This 2FA should never be seen as a nusiance - it's there to protect you from your account being stolen and with the best will in the world nobody cen be 100% sure they will never have an account hijacked.

As SL permits someone to purchase up to $1999 worth of L$ I'd rather have access to that ability protected behind 2FA so that someone does not gain access somehow and then launder it through multiple alts, stores, MP etc.

Edited by Kyle Blackwood
  • Haha 1
Link to comment
Share on other sites
LittleMe Jewell

LittleMe Jewell

Posted
Posted
3 hours ago, Kyle Blackwood said:

I can see the issue that those with VPNs would face but SL accounts are targetted for phishing scams and some people fall for them. Having the 2FA before the logon is permitted protects the account and the access to payment systems which could otherwise be used.

Yes making it optional would be wise

1) I want to secure my accound and do not mind 2FA

2) I do not want to secure my account

But the default should to be secure and those who wish to opt out do so at their own risk.

Many online games do not permit such opting out though and ask for 2FA each time a new device of IP is noticed or even on each logon for some games. This 2FA should never be seen as a nusiance - it's there to protect you from your account being stolen and with the best will in the world nobody cen be 100% sure they will never have an account hijacked.

As SL permits someone to purchase up to $1999 worth of L$ I'd rather have access to that ability protected behind 2FA so that someone does not gain access somehow and then launder it through multiple alts, stores, MP etc.

If someone cares enough, they will enable the MFA on their account.  If that is done, even if someone else logs into their account, they will not be able to access any of the Financial pages or the Email page without the MFA happening.

Thus, since I have MFA turned on for my accounts, I'm perfectly fine with LL sending an email 'after the fact' if a login happens from an unknown IP.

Those that choose to not use MFA have their reasons and if their account is compromised, it is not anyone's fault except theirs.  It is not our job to protect everyone else if they choose not to add protection layers to their account.

  • Like 1
Link to comment
Share on other sites
Prokofy Neva

Prokofy Neva

Posted
Posted (edited)
On 2/23/2022 at 5:21 PM, bigmoe Whitfield said:

well we've got the mfa, and now this.     MFA needs a bit of improvement and it then needs the viewer side token too,  I'm all for security,  but  with how many people make issues up with extra security,  it should be optional for them.

 

 

This is more of a nuisance than a boon. Why?

Because each time Windows does an update, or you are forced to clear cookies because something isn't working somewhere, your system as treated as a "new location".

It's not as if your IP address is as dynamic as imagined -- this "dynamism" is often invoked as a reason not to block IP addresses of griefers because then "an entire dorm" or "an entire apartment building" might be blocked. The reality is, they are in a lone suburban house basement in Michigan and that's not an issue, but ok.

The address changes just enough out of a list of recognizable variables for that company that it's enough for Google and other companies that already have this policy to start firing off to you emails that you are "logging in from a new location". Of course you aren't, really, but the system thinks you are. 

If all it does is tell you that, and says to do nothing if you are really you, great. Except Yahoo, for example, and others are among those that demand you put in a password again or answer a question. So it becomes a huge annoyance. 

I don't know when all this insanity with passwords is going to end. But not soon enough. And meanwhile, we can add SL to the things that will be sending us worried messages that someone has logged on from a different location....

Edited by Prokofy Neva
  • Like 2
Link to comment
Share on other sites
Max Quirky

Max Quirky

Posted
Posted
15 hours ago, LittleMe Jewell said:

If someone cares enough, they will enable the MFA on their account.  If that is done, even if someone else logs into their account, they will not be able to access any of the Financial pages or the Email page without the MFA happening.

Thus, since I have MFA turned on for my accounts, I'm perfectly fine with LL sending an email 'after the fact' if a login happens from an unknown IP.

Those that choose to not use MFA have their reasons and if their account is compromised, it is not anyone's fault except theirs.  It is not our job to protect everyone else if they choose not to add protection layers to their account.

I see what you say about limiting access to details on the account page of the site but (as far as I am aware) a successful phishing attack would enable someone to logon to the viewer, purchase L$ then transfer those L$ to others without any form of MFA intervention. This could result in a loss of up to $1,999 per account. That's what I am on about being protected against in addition to any mostly redacted information on the website itself.

  • Haha 1
Link to comment
Share on other sites
LittleMe Jewell

LittleMe Jewell

Posted
Posted (edited)
8 hours ago, Kyle Blackwood said:

I see what you say about limiting access to details on the account page of the site but (as far as I am aware) a successful phishing attack would enable someone to logon to the viewer, purchase L$ then transfer those L$ to others without any form of MFA intervention. This could result in a loss of up to $1,999 per account. That's what I am on about being protected against in addition to any mostly redacted information on the website itself.

If someone does not have MFA, then yes, a successful phishing attack would allow someone to get L$ that way.  However, an email, even after the fact, can be useful.  If the user opens up a Fraud Support ticket with LL, it is possible that they can get the money back before it has successfully been taken out of SL.   Processing credit out of SL takes a few days at the minimum.

Edited by LittleMe Jewell
  • Like 1
Link to comment
Share on other sites
Paulsian

Paulsian

Posted
Posted (edited)

Nice, I like it. It is kind of scary knowing other residents already know the login name part vs email address for log in. 

I guess it would only notify residents if a log in was successful and not if someone attempted to log in and failed, if it did from there sl could monitor the machine trying to access accounts using most common passwords and try to block the machine?

Maybe the email could say "so and so ip attempted to access your account and fail at so and so time" was this you? Yes or No. If No, contacts LL, auto blocks that ip from trying to access account, which would prevent multiple emails. 

I kind of don't like clicking links in email so if there was a way for the unsuccessful login attempts to notify the resident in world using a notification system that is like internal email maybe virtual mail? Something that stands out and shakes the screen like a region reset for official urgent messages for those using the official sl viewer would ideal. If log in was successful from ip other than trusted, an email without the option to monitor/resolve in world would be sent. 

Edited by Paulsian
  • Haha 1
Link to comment
Share on other sites
You are about to reply to a thread that has been inactive for 776 days.

Please take a moment to consider if this thread is worth bumping.

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing
×
×
  • Create New...