
Any word on when multi-factor authentication will be required by viewers?


You are about to reply to a thread that has been inactive for 539 days.

Please take a moment to consider if this thread is worth bumping.


I saw in the May announcement that... "For now, if you try to log in with a Viewer that is not MFA-enabled, nothing will change, and you will still be able to log in without a token.  However, if you have opted in to MFA then a token will be required for all Viewer logins beginning in the near future."

I tested and found that the token is still currently not required. Any word on when this change will be enacted? Thanks.....

  • Like 1

55 minutes ago, Solar Legion said:

Firestorm will require one every once in a while I have noticed.

How often will depend on the Viewer.

While it's true that after you set up MFA, Firestorm (being now MFA compatible) will then require it, you can still log into SL using other non-MFA compatible viewers with no issue. 

For instance, despite having MFA enabled on my account, I was able to log in using the very old Lumiya viewer on my cell phone, despite it obviously not having MFA capabilities.... so at this point, MFA does not really provide added security for in-world access (it does provide security for accessing your account on LL's website however).

I'm curious as to when LL will close that loophole, per their announcement I quoted above.  

Edited by Wiren1
clarification
  • Like 1
  • Thanks 1

  • 3 weeks later...

Hi

I'm all for extra safety and MFA, and have it installed and turned on...

Question: why did the extra safety level of Multi-factor Authentication (MFA) not prevent my account from getting hacked yesterday (changed PW this morning and created an LL ticket)? Someone just bought 6339 worth of gachas multiple times and other stuff I don't find in my inventory (leaving my account with 19 Linden dollars), along with about 30 single-star reviews in MP. I really hope LL can solve this and someone clever can think of something to prevent it. MFA did not help me in this case.

Sharona

  • Like 1

8 minutes ago, 4longtail said:

Hi

I'm all for extra safety and MFA, and have it installed and turned on...

Question: why did the extra safety level of Multi-factor Authentication (MFA) not prevent my account from getting hacked yesterday (changed PW this morning and created an LL ticket)? Someone just bought 6339 worth of gachas multiple times and other stuff I don't find in my inventory (leaving my account with 19 Linden dollars), along with about 30 single-star reviews in MP. I really hope LL can solve this and someone clever can think of something to prevent it. MFA did not help me in this case.

Sharona

If you made a ticket you did everything you could do at this moment.
Security is often as strong as the habits and behaviour of the user, not the cleverness of another.

  • Like 2

17 minutes ago, Alwin Alcott said:

If you made a ticket you did everything you could do at this moment.
Security is often as strong as the habits and behaviour of the user, not the cleverness of another.

 


Just now, 4longtail said:

I always used a strong password, never ever shared my password, have Multiple Factor verification active, and try to be as careful as I can with clicking on things, and this never happened before, so with respect to the habits I should be OK I guess. The cleverness I refer to is making things to prevent these things; for instance, a spending limit of 1000 Lindens on items per day (selectable, adjustable maybe) would have saved me 5339 Lindens in this instance, as I never spend those amounts anyway. Just a suggestion, not really rocket science, just a little clever. I don't want to discuss the qualities of the one that did this to me; not really in a happy mood at the moment.

 

 


44 minutes ago, 4longtail said:

Sorry, I did not realize this (also about not contacting in-world); I never meant to say anything to offend anyone, or to be rude to anyone. I just like to make Second Life a little safer. Please reread my comments and tell me which are rude and I apologise for those instances too. I just would like to know how this could have happened, and try to suggest a new feature (or is it somewhere already?) to let the resident limit the amount of Lindens spent per day in the Marketplace. If larger amounts are needed for buying land, this feature could be turned off temporarily by the resident. I am willing to put effort into making this place better for anyone, not wanting to insult an experienced and helpful person like yourself.

 

 


1 hour ago, 4longtail said:

Hi

I'm all for extra safety and MFA, and have it installed and turned on...

Question: why did the extra safety level of Multi-factor Authentication (MFA) not prevent my account from getting hacked yesterday (changed PW this morning and created an LL ticket)? Someone just bought 6339 worth of gachas multiple times and other stuff I don't find in my inventory (leaving my account with 19 Linden dollars), along with about 30 single-star reviews in MP. I really hope LL can solve this and someone clever can think of something to prevent it. MFA did not help me in this case.

Sharona

When done right the only ways you can lose your account when you have MFA activated are:

1) Your MFA secret was accessible somehow to someone who also had your username/password, enabling them to generate tokens for the challenge.

2) The service provider gave access to your account away after being manipulated through some kind of social engineering trick.


If MFA is done badly there can also be a third option:

3) The MFA challenge was not presented to protect your account properly and allowed someone to change the password/email settings, etc.


Nobody here can really tell you which option was the problem unfortunately.

Fairly recently I contacted support via a ticket and I was asked to provide a few pieces of security information before they would help. It was something minor and I was not trying to recover a lost account or do anything transactional.
At no point during that security check was I asked to provide an MFA token or enter one as part of submitting a ticket, which surprised me, as the actual security check was for never-changing static information that has far more potential to have been stolen and used than an MFA token. If they had made me enter an MFA token before I was allowed to submit a new ticket or access an existing one, then none of the other security information would have been necessary to proceed and the process would have been far more secure.

I was quite disappointed to be honest.

Now, I'm not saying that this is the way your account was compromised or that it would have been possible to do this way but it does serve to show that at least one part of the above implementation could be better in my opinion.
 

Edited by Gabriele Graves
  • Like 1
  • Thanks 1

1) MFA secret known: very unlikely, I never shared my password with a living (or dead) person.

2) The service provider gave access: I cannot imagine why; they should have had a good suspicion, for which I did not give any reason.

3) The MFA challenge never happened. It just occasionally, randomly asks me for a challenge, not every hour, maybe once a day.

When I logged off, about 6-8 hours later, in 30 minutes' time they just filled the Marketplace cart a few times and bought all kinds of silly gacha things, probably because these can be given to another avatar and resold again for Lindens to be turned into real-world money. I just have no way of seeing that these gachas were in my inventory and which avatar they were given to. Linden Lab probably has that, but a switchable and adjustable spending limit in MP could have limited the damage to that amount.

Also, MFA does not get triggered more in unusual spending sprees on MP, so I think MFA is good for long-term protection of one's account; it does not do any good against losing all your Lindens in half an hour, or more if you are a bit richer than I was. Maybe one of the causes this is happening to me, and I bet others too, might be the silly gacha things, which I always avoided like the plague; maybe LL can make a policy to have those approved or limited. The scammer also gave the 1-star reviews to get some returns from the sellers, pocketing their money too, so as to double the gain. Maybe users want to be able to switch off Marketplace completely, I can imagine. I guess this change might not be popular with the moneymakers inside LL.

 


I suppose there is another option. They used a viewer using the old login APIs that aren't MFA aware. I don't know if that is even possible once you have enabled MFA, but it might be; I certainly wouldn't expect this to be possible.

MFA challenges for the viewer are once every 30 days.  There is always the possibility that someone who can access your computer, locally or remotely (if your machine is compromised), could have logged in that way and was not challenged.  This doesn't seem likely without you noticing though.

It isn't possible to setup a new MFA aware viewer with an MFA enabled account on another computer without going through the MFA challenge once though.

  • Like 1

18 minutes ago, Gabriele Graves said:

I suppose there is another option. They used a viewer using the old login APIs that aren't MFA aware. I don't know if that is even possible once you have enabled MFA, but it might be; I certainly wouldn't expect this to be possible.

I think this is still the most recent update, meaning viewers without MFA will be able to log in without restrictions:

https://community.secondlife.com/blogs/entry/10698-extending-mfa-protection-to-viewer-login/

But this should be irrelevant to purchases made on MP, unless the viewer can automatically log you into the website, bypassing MFA.

Edited by Wulfie Reanimator
  • Like 2
  • Thanks 1

25 minutes ago, Gabriele Graves said:

Well that's kinda pointless for protecting the viewer at the moment then.

Yup.

I imagine the point was to give TPVs some time to also implement MFA, otherwise people would be forced to use the LL viewer to get inworld. It's been 4 months though.

But again, this should not make it possible for someone to change your password (since the account page requires MFA even if you are already logged in).

Edited by Wulfie Reanimator
  • Like 2

2 hours ago, 4longtail said:

1) MFA secret known:  very unlikely I never shared a living (or dead) person my password

Did you check your computer for malware (here, likely of the key-logging or file-stealing kinds)? If your password is really a strong one (I personally use a randomly generated password, and I am only using it on well-secured Linux PCs, and thus do not need MFA), then it is most likely that it was not guessed/cracked, but instead stolen, and if you did not give it away, the only explanation is to have had it stolen from your computer in one way or another.

Also, do NOT use web-based email services to register your credentials with any service: these are subject to data theft, and this could allow a hacker to pirate your email account and manage to fake a "forgotten password" procedure to register a new password without you even noticing it. Always use an ISP-based email account, and preferably via a dedicated email client (Thunderbird, Sylpheed & Co) configured to retrieve and delete your emails from the ISP's server (this way, you are safer in case their server gets hacked and the data on it stolen, not to mention privacy reasons for not leaving clear-text emails on any computer other than yours), i.e. via the POP3/SMTP protocols, and not IMAP!

2 hours ago, 4longtail said:

2) The service provider gave access:  I can not imagine why, they should have a good suspicion, for which I did not give any reason.

3) The MFA challenge never happened. It just occasionally randomly asks me for a challenge.. not every hour. may be once a day..

Right now, and as Wulfie explained, viewer-side MFA login is not enforced by LL's login server, to give time to TPVs to implement MFA (AFAIK all major/well maintained TPVs got it done now) and to users to update to the MFA-enabled versions of the said TPVs, so the person who stole your password did not need MFA authentication to login with any viewer... But your SL web account is still safe.

Edited by Henri Beauchamp
  • Like 2

Hi

All good remarks about password safety. I changed the password immediately, did not use external password-saving software,

and if LL says my password is good it should be complex enough; completely random passwords are even better, just a little difficult for me to remember.

ISP-based email account is not possible for me right now, may be in the future. 

MFA is probably not the solution yet.

 

Just a radio button 

[o] Limit total amount of transactions per day to

[500] L$

(may be set even the number of hours or days, if one wants to go totally overboard)

It is just for all users that are worried about this, safe to know the damage is limited to 500 Linden$ per day.

If you are buying a lot each day and don't want to have extra safety, just uncheck the radio button, or just increase the value to 1000 or 2000 lindens

If this was in the main Linden Labs account, a change could start the Multi Factor Authentication process, and make this safer to use.

For me, not buying things I might leave it even lower than 500 linden, and not have to write silly things here and waiting and hoping LL will fix the current issue.

I fear they just say "Tough luck for you, read the TOS, you've done something wrong, better spend your money as soon as you have it"  in a more polite way said of course.

Just can't imagine other residents aren't worried the same will happen to them and would not like to have some safety threshold in place

In this case I probably would have changed my password again, and not even bothered to give LL more work and your time discussing this minor LL matter.

 

Kind regards Sharona. 


Hi, 

Thanks LindenLabs, for solving my problem so quickly (within 2 days they have added the 6339 Lindens back to my account) Just curious, what caused it, or what could be done to prevent it. (still waiting on answer from Linden Labs on cause or ways to prevent it, or invite to help making Secondlife Safer in this respect)  I know  there are others with larger problems, ( losing money in Paypal, losing total control of their avi ) I still love to help making Secondlife Safer for all of us, by finding effective ways to cut the profits of the bad guys, contact me in how I could contribute. (4longtail@gmail.com or inworld 4longtail resident / Sharona)

 

  • Like 1

  • 1 month later...

On this topic, I've decided to remove MFA for now from my account. I had my account set up to use TOTP for MFA. When the ToS update happened, FS 6.6.3.67470 got stuck in an MFA <-> Accept ToS loop which resulted in me being temporarily locked out of my account.

This is what appeared to be happening:

  1. Press "Log In" after entering credentials
  2. Ask for MFA token
  3. Show ToS dialog which can take up to 10 seconds to load and you cannot accept whilst loading
  4. Wait for acceptance
  5. Validate Token which has probably timed out now or is just treated as invalid for some reason
  6. Send user back to step #1
  7. Rinse, repeat until locked out of account for what seemed like about 30 mins
  8. Had to accept the ToS from the secondlife.com to proceed.

Clearly the right design would have been to verify the MFA token immediately after asking for it and before showing the ToS as this would verify the person who is accepting the ToS really is the account holder and prevent the token timing out.  I'm not sure if this is LL's fault or the fault of FS.  If I were a gambling person, I would say LL.

When you add this inconvenience to the fact that enabling MFA right now is pointless if someone with an older TPV can just bypass it, I decided just to wait until this is sorted out.

TOTP MFA is a fantastic security measure if done right which I use for many non-SL accounts.  This currently isn't done right in my opinion and certainly isn't secure.
 

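The login loophole Wulfie and Henri describe earlier in the thread (the login server only demands a token from viewers that advertise MFA support, so an MFA-enabled account can still be logged into by an older viewer on the password alone) and the ToS loop in the post above (the token is validated only after a slow ToS dialog, by which time it may no longer fall in the accepted window) are both bugs in how a TOTP second factor is ordered and enforced. The following is an added example, not code from Linden Lab, Firestorm, or any poster in this thread: a minimal RFC 6238 TOTP verifier with a one-step skew window, a lenient login policy that reproduces the downgrade, a strict policy that refuses it, and a simulation of checking the token before versus after the ToS dialog. The 30 s step, the ±1 step window, the `Account` record and the `login_*` functions are assumptions for illustration; the thread does not state Second Life's actual parameters. The secret is the RFC 4226/6238 test-vector secret, so the codes are reproducible.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

STEP = 30   # TOTP time step in seconds (RFC 6238 default; SL's real value is not stated in the thread)
SKEW = 1    # accept one step either side of the current one to absorb clock drift (assumption)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at // step))


def verify_totp(secret: bytes, token: str, now: float, step: int = STEP, skew: int = SKEW) -> bool:
    """Constant-time comparison of the token against every counter in the accepted window."""
    current = int(now // step)
    return any(
        hmac.compare_digest(hotp(secret, current + d), token)
        for d in range(-skew, skew + 1)
        if current + d >= 0
    )


@dataclass
class Account:
    name: str
    password: str                 # plaintext only for this demo; real systems store a salted hash
    mfa_secret: Optional[bytes]   # None means the user never enrolled in MFA


def login_lenient(acct: Account, password: str, client_supports_mfa: bool,
                  token: Optional[str], now: float) -> str:
    """Policy the thread describes: a token is demanded only from MFA-aware clients,
    so a legacy viewer that never sends one is admitted on the password alone."""
    if not hmac.compare_digest(acct.password, password):
        return "denied"
    if acct.mfa_secret and client_supports_mfa:
        if token is None or not verify_totp(acct.mfa_secret, token, now):
            return "denied"
    return "ok"   # reached by a legacy client without any second factor


def login_strict(acct: Account, password: str, client_supports_mfa: bool,
                 token: Optional[str], now: float) -> str:
    """Hardened policy: once an account has MFA enabled, the second factor is
    required regardless of what the client claims to support (no downgrade)."""
    if not hmac.compare_digest(acct.password, password):
        return "denied"
    if acct.mfa_secret:
        if not client_supports_mfa or token is None:
            return "mfa_required"   # legacy client must upgrade; password alone is not enough
        if not verify_totp(acct.mfa_secret, token, now):
            return "denied"
    return "ok"


def login_with_tos(acct: Account, token: str, entered_at: float,
                   tos_delay: float, verify_before_tos: bool) -> str:
    """Order of operations around a blocking ToS dialog. If the token is only
    checked after the user has spent `tos_delay` seconds on the dialog, the
    check runs against a later clock and can fall outside the accepted window."""
    checked_at = entered_at if verify_before_tos else entered_at + tos_delay
    if not verify_totp(acct.mfa_secret, token, checked_at):
        return "denied"             # user is bounced back to the login screen
    return "ok"                     # ToS accepted (simulated) and session established


if __name__ == "__main__":
    # Secret from the RFC 4226/6238 test vectors, so the codes below are reproducible.
    secret = b"12345678901234567890"
    acct = Account("demo", "correct horse", secret)
    tok = totp(secret, 59)          # "287082" per the RFC vector
    print("legacy viewer, lenient policy:", login_lenient(acct, "correct horse", False, None, 59))
    print("legacy viewer, strict policy: ", login_strict(acct, "correct horse", False, None, 59))
    print("token checked before ToS (90 s delay):", login_with_tos(acct, tok, 59, 90, True))
    print("token checked after ToS  (90 s delay):", login_with_tos(acct, tok, 59, 90, False))
```

With these parameters a token entered at t=59 s is still accepted at t=69 s or t=89 s but rejected at t=149 s, which is roughly the difference between a ToS dialog that takes ten seconds and one the user sits on for a minute and a half; verifying the token at the moment it is entered, before showing the dialog, removes that dependency entirely. The strict policy answers "mfa_required" rather than "ok" to a client that cannot present a token, which is the enforcement the announcement quoted at the top of the thread promised.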

7 hours ago, Gabriele Graves said:
  • Validate Token which has probably timed out now or is just treated as invalid for some reason
  • Send user back to step #1

This is actually a bug.  I don't think it has anything to do with MFA (probably some kind of update on the LL side?). 

You chose the correct workaround: "Had to accept the ToS from the secondlife.com to proceed."   

 

Edited by sandi Mexicola
  • Thanks 1

On 9/28/2022 at 8:56 PM, 4longtail said:

Just curious, what caused it, or what could be done to prevent it. (still waiting on answer from Linden Labs on cause or ways to prevent it, or invite to help making Secondlife Safer in this respect)

Doubt you will get an answer. If your password was not trivially simple, like 12345 or "password", you were likely phished. There are fake MP login URLs sent around in groups every day in SL. These URL pages look exactly like MP, and ask you to log in with your SL name and password. Then they move you to the real MP, and they now have your password.

MFA won't do a thing to prevent phishing.

Edited by Jaylinbridges
  • Thanks 1

1 hour ago, Jaylinbridges said:

Doubt you will get an answer. If your password was not trivially simple, like 12345 or "password", you were likely phished. There are fake MP login URLs sent around in groups every day in SL. These URL pages look exactly like MP, and ask you to log in with your SL name and password. Then they move you to the real MP, and they now have your password.

MFA won't do a thing to prevent phishing.

It would stop others from logging in despite having your password, though, if LL actually enforced it for viewer login. But until then it's kinda just there. 🙂

  • Like 2
