
MFA coming to the Viewer



4 minutes ago, Istelathis said:

Yep, for some games it also even only requires it when you are logging in from a different IP address or computer so it isn't even that much of a hassle.  I'm not sure how LL has it set up, I am asked to enter the token whenever I want to log into my account on the website and look at security settings such as my password.  But, I do delete all of my cookies when closing out of the browser so I am not sure if it does that for everyone else.

If you don't delete cookies then it only asks every 30 days, I think.  

Their blog article states that for the viewer, if you have it remember the password, then you only have to give a token every 30 days.  If you don't have the viewer remember the password, you'll have to give a token every time.

I don't let the viewer remember passwords - only account names. Thus it will be a bit more of a PITA for me, but only a bit.

Edited by LittleMe Jewell
  • Like 1

I understand the need for security,  but I am so tired of authentication...   every single time you go to sign into something,  you have to enter a code from your phone.

Some websites seem to forget what your "secret question" actually was (Verizon) --- making it a giant hassle every single time you go to login.

I just hope it's optional when it comes to Firestorm.

  • Thanks 2

4 minutes ago, Cali Souther said:

I understand the need for security,  but I am so tired of authentication...   every single time you go to sign into something,  you have to enter a code from your phone.

Some websites seem to forget what your "secret question" actually was (Verizon) --- making it a giant hassle every single time you go to login.

I just hope it's optional when it comes to Firestorm.

The way I read the blog post, once Firestorm releases their version that is MFA compliant, then it will only be optional on the viewer if you do NOT enable MFA at all on your account.

If you enable it on your account, at some point you won't be able to use a browser that is not MFA-enabled.

However, nothing yet indicates that LL will force everyone to use MFA.

Edited by LittleMe Jewell
  • Like 1
  • Thanks 1

The QR Code is normally just to set up the app, it's typically a one-time thing for the most part. 2FA over email is NOT a secure method, all it takes is to have your email compromised then the security is out the window.

Thing to note! Make sure you have your recovery method in place for the app when using 2FA. You may very well need it when you upgrade/replace your phone. I got locked out of all my accounts because I forgot my recovery password. Will never make that mistake again! 😫

  • Sad 1

22 minutes ago, LittleMe Jewell said:

The QR code is simply ONE method of setting up the authenticator.  It never uses the QR code again.  Instead of the QR code scanning, there is always a secondary way via entering a string of characters into the authenticator app to set it up. 

Once the authenticator is set up -- either on the pc or your phone (or both), then you will simply enter the number that the app shows you into the SL page or viewer.  The number the app shows typically changes every 60 seconds.

I did not notice the information in the QR code also being displayed human-readable.  What did I miss, where was it?


3 minutes ago, Love Zhaoying said:

I did not notice the information in the QR code also being displayed human-readable.  What did I miss, where was it?

 

Here is what I get on the screen for an account that I have not yet set up MFA for - notice the highlighted part below the QR code.

[image]

 

For manual setup, you open your authenticator app -- either on your phone and/or pc -- click whatever is needed for adding a new app, and then enter that code.

Edited by LittleMe Jewell
  • Like 2
  • Thanks 3

I never said the QR code was needed every time for the app :(  I was speaking of the setup process, I was working from memory of setting it up and how to use an application to scan QR codes to get their data to input into your MFA authenticator to set it up.  The knowledge base shows that the QR code is not the only way to set up the authenticator, which is even easier :)

 

[image]


58 minutes ago, Love Zhaoying said:

It can be fun to lie on security questions. You just have to remember your lie.

I do lie, but those lies are also a vulnerability unless I use different lies for every website. That would require me to maintain a lie list somewhere that's 3-5 times longer than my password list, and there are no automated tools to do that.

Edited by Madelaine McMasters
  • Like 2

The thing that worried me about challenge questions, is how easy it is to get that information if the person has their account linked to forums such as this.  It is easy enough to give out simple answers that people could use to answer those challenge questions.  Various general topics often have people providing them, and it is pretty easy for the subject in any thread to get people to give answers such as the name of their first pet, which high school they went to, their favorite color, and so on.  

I remember one forum I was on, there was a member always asking personal questions such as above, and it set off my spidey senses, especially after a thread of theirs was asking what people's credit score was, this person was banned a few weeks after as I imagine the mods caught on to the possibility that this person may be getting information from others, those that were supplying answers and were not aware those answers could be used to compromise their accounts.  

Edited by Istelathis
  • Like 3

12 minutes ago, Silent Mistwalker said:

With the installation of yet another program I do not want or need on my pc. 

 

 

There is that.  To enable MFA does require installing something somewhere.

Good news though -- there is still no mention of LL forcing anyone to use MFA, so you don't have to use it.

Edited by LittleMe Jewell
spelling
  • Like 1

26 minutes ago, LittleMe Jewell said:

 

Here is what I get on the screen for an account that I have not yet set up MFA for - notice the highlighted part below the QR code.

[image]

 

For manual setup, you open your authenticator app -- either on your phone and/or pc -- click whatever is needed for adding a new app, and then enter that code.

Got it. Missed the bit highlighted.

Similarly, it was hard for me to find the link in the "verify your email" page which I had to do first; it is almost as if LL doesn't want people to find things on their web pages!  It's not like I just started using the innerwebs!

  • Like 2

18 minutes ago, Madelaine McMasters said:

I do lie, but those lies are also a vulnerability unless I use different lies for every website. That would require me to maintain a lie list somewhere that's 3-5 times longer than my password list, and there are no automated tools to do that.

Guess I'd make lies that were related to the website name, which is also a useful password strategy.


2 minutes ago, LittleMe Jewell said:

There is that.  To enable MFA does require installing something.

There is still no mention of LL forcing anyone to use MFA, so you don't have to use it.

I never said LL was going to force anyone to use MFA. I know I don't have to use it. Now. We'll see what the future brings, if I'm still breathing.


18 minutes ago, Love Zhaoying said:

Guess I'd make lies that were related to the website name, which is also a useful password strategy.

I have a strategy for generating answers that's based on the questions. For example, I often use the most pertinent words of the question as the answer, but I've been foiled by sites that don't allow any words in the question to appear in the answer. The designers of these systems are well aware they're highly flawed. That they may subvert attempts to make the system manageable is proof of that. Still, they persist. This is an indication to me that their comfort as "security experts" is more important than keeping customers safe.

Many of the challenge question systems store the answers in plain text, so that human operators can intervene when necessary. This, of course, makes customers vulnerable to both those human operators and hacking.

ETA: It wouldn't be terribly difficult to discern my strategy from seeing my answers from one hacked website. If my system is easy enough for me to understand, it's easy enough for anyone to understand.

Edited by Madelaine McMasters
  • Like 2

6 minutes ago, Silent Mistwalker said:

Yay! Then I will continue with not having any credit at all!

We are spared from the hacker menace!  🙃  They may actually get bad credit, just looking at our credit!  (or not, not disclosing it here)

It reminds me of when I had a beat up car, and never having to worry about someone stealing it, or for that matter backing into it.  There was some security in having that car, better than the alarms some of them now have built in.  Perhaps with advanced holographic technology developed in the future, people can arrange such sound security systems as that 😝  Park your expensive car anywhere, and make it look like a 1985 Ford Escort, complete with rust 😛  

Edited by Istelathis

1 minute ago, Istelathis said:

We are spared from the hacker menace!  🙃  They may actually get bad credit, just looking at our credit!  (or not, not disclosing it here)

It reminds me of when I had a beat up car, and never having to worry about someone stealing it, or for that matter backing into it.  There was some security in having that car, better than the alarms some of them now have built in.  Perhaps with advanced holographic technology developed in the future, people can arrange such sound security systems as that 😝  Park your expensive car anywhere, and make it look like a 1985 Ford Escort, complete with rust 😛  

No, thank you. People depend on tech too much as it is. They have no clue how lost they will be when it all goes away. 

https://www.wfmz.com/weather/nasa-says-be-prepared-for-the-sun-to-disrupt-our-technology-in-a-few-years/article_8f724fae-fcf3-11ea-8d93-2bb5d305402c.html

https://astronomy.com/news/2022/03/a-solar-storm-could-knock-out-the-internet--an-electrical-engineer-explains-how

https://www.history.com/news/a-perfect-solar-superstorm-the-1859-carrington-event

https://www.technologyreview.com/2020/02/05/349121/how-can-the-solar-cycle-threaten-technology-on-earth/

  • Like 1

15 minutes ago, Silent Mistwalker said:

They have no clue how lost they will be when it all goes away. 

I hope if it does happen, a month's provisions will be enough.  I remember when Covid first hit and the stores being absolutely wiped out, especially with toilet paper.. what a mess that was.  Thankfully, I have always kept enough food stored away in case of an emergency, nothing that will endure a severe event that lasts for over a month, but enough to get through natural disasters if the local infrastructure is down for a short period of time.  

I never counted on the toilet paper though..  my oh my, that was quite a fiasco.. people were buying it up and selling it for outrageous prices.  I learned from that mistake, and got a bidet.

If the Internet goes out, I always have opensim :) If the power goes out, well, I'm going to have to go back to reading books and playing pen and paper RPGs.  

In a massive event though, I'm borked.  


52 minutes ago, Madelaine McMasters said:

ETA: It wouldn't be terribly difficult to discern my strategy from seeing my answers from one hacked website. If my system is easy enough for me to understand, it's easy enough for anyone to understand.

Yeah, but for me they'd have to hack at least 2 websites.


5 minutes ago, Love Zhaoying said:

Yeah, but for me they'd have to hack at least 2 websites.

I'm not terribly worried about being hacked, but I do think a lot of the security technology is just theater. Since websites have gravitated towards using e-mail addresses as usernames, I suspect it's become easier to find people. I do online business with three banks and even more credit card companies. My username (my e-mail address) is exactly the same at all of them.

Oops.

 

  • Like 2

3 minutes ago, Madelaine McMasters said:

websites have gravitated towards using e-mail addresses as usernames

I 100% HATE this happening.  For some sites doing this, I have started generating unique emails for each one.

  • Like 1