
Google Passkeys - The solution to phishing? - Will LL implement this?


You are about to reply to a thread that has been inactive for 384 days.

Please take a moment to consider if this thread is worth bumping.


No way I'm using anything tied to Google (or Apple, or Microsoft more than I absolutely have to), and I'm resisting being forced to 'need' a mobile phone by companies with very vested interests in selling them and the tracking and personal data they glean from them all.

Edit: It should be said though that there are passkey solutions not tied to Google, although I've not had chance to check them out yet.

Edited by Rick Nightingale
  • Like 5
  • Thanks 2

4 hours ago, CaithLynnSayes said:

Could this new Google feature be the solution to the phishing that seems to be happening a lot in SL?

Nothing will help the ones that keep clicking on every shiny blinking link that pops up in groups, chats and IMs.

  • Like 6
  • Thanks 1

Even if you accept the premise that this is "more secure" than regular passwords or 2-factor, it's still perfectly vulnerable to a "downgrade" phishing attack because you need a regular password system in case you lose your phone. And you need Bluetooth for this to work; is that standard on most computers now?

  • Like 1

44 minutes ago, Love Zhaoying said:

Without my low comprehension, I dungetit, why this is much different than the fact I already uses Google Authenticate for MFA with Second Life.

A) the probability of this getting implemented for SL is somewhat low.

B) The main practical differences are 1) this is intended to ~replace passwords on sites that use it, rather than add an extra step. 2) passkeys are (theoretically) more secure against man-in-the-middle attacks, because your phone tells the site you're trying to log into identifying information about your computer. Incidentally, this probably means you can't use it over a VPN? (actually not sure about that, I really can't find any sources on the cryptography, it's all stuff about how to set it up.)

Edited by Quistess Alpha
  • Thanks 1

Passkeys are an interesting idea, and one that is being supported by many organisations and isn't a Google-specific thing. (Thankfully.) Microsoft and Apple are also on board, as are most of the password management services such as 1Password and Bitwarden. At the moment, it's still in the early stages of being implemented, so for now I'd hope that Linden Lab does a better job of explaining how Multi-Factor Authentication for Second Life accounts, which is already here, will help protect people against phishing attacks.

  • Like 1

20 hours ago, Alwin Alcott said:

Nothing will help the ones that keep clicking on every shiny blinking link that pops up in groups, chats and IMs.

Yeah this, what Alwin said.  ^^^^^^^^^^^

And the above goes for all social media.  

  • Like 1

Once Lastpass was hacked, there could be no doubt that passwords are simply obsolete for normal account authentication. To me, the fewer of them I have, the better.

Also, I'll definitely choose Google over most anybody else for universal-scale security. Alphabet's technology operations have been remarkably reliable—for products they continue to support, that is.

 

  • Thanks 1
  • Haha 1

9 minutes ago, Qie Niangao said:

Once Lastpass was hacked

Assuming "Lastpass" is like "Keypass" or some other "Key Vault" site / application..

If a company has their own "onsite" Key Vault (not accessible except through the company's internal network, or internal VPN such as by using ZScaler), wouldn't it be more secure?

 

Link to comment

No. I avoid Google (and Meta) like it's the second Black Death.

Phishing isn't something in search of a technical solution, we already know how to solve for those cases. 99.9% of the time it's the human at the end of the phishing attempt that is the failure point. Until we can prevent human beings from being fooled, manipulated, deceived, tricked, uninformed, uneducated, time-short, etc, no amount of technical security features will prevent successful phishing attacks.

  • Like 3
  • Thanks 3

Phishing, even though it's a technical and security issue on the surface, is mostly a people issue at its core. People who find themselves a victim of phishing - as crass as it may sound - are usually the very reason they are in that position. I'm not excusing the behavior or defending the people who commit the acts - but people need to learn to be more careful and until they do no amount of security measures will eliminate or even lessen the instances of phishing. The only thing that can be done is continuing to try and educate people and hope eventually it sinks in - while dealing with the aftermath and holding people responsible and accountable for their own actions or inaction that led to the problem in the first place.

If you don't hold people accountable for finding themselves on the wrong end of a phishing attack - they'll end up there again.

  • Like 1

1 hour ago, Caeruleiae said:

Phishing, even though it's a technical and security issue on the surface, is mostly a people issue at its core. People who find themselves a victim of phishing - as crass as it may sound - are usually the very reason they are in that position. I'm not excusing the behavior or defending the people who commit the acts - but people need to learn to be more careful and until they do no amount of security measures will eliminate or even lessen the instances of phishing. The only thing that can be done is continuing to try and educate people and hope eventually it sinks in - while dealing with the aftermath and holding people responsible and accountable for their own actions or inaction that led to the problem in the first place.

If you don't hold people accountable for finding themselves on the wrong end of a phishing attack - they'll end up there again.

Phishing even though it's a technical and security people issue on the surface-is mostly a people technical and security issue at its core. FiFY

It is unreasonable and a fantasy to expect that the whole online population is going to require a degree in the Computer sciences to have enough knowledge on how to protect themselves from the myriad of vulnerabilities that tech is making us prone to. Digital tech created the potentials for the issues so it is up to them to solve it. Remember, computers were supposed to make our lives easier, not more difficult.

  • Haha 1
  • Confused 1

4 hours ago, Love Zhaoying said:

If a company has their own "onsite" Key Vault (not accessible except through the company's internal network, or internal VPN such as by using ZScaler), wouldn't it be more secure?

Possibly "more" secure, but not secure enough. Anything that still uses passwords as part of ordinary authentication (and if there's anything of sufficient value being protected by those passwords) it will be breached sooner or later.

(Also, phishing is just one of many password vulnerabilities. Phishing gets a lot of play on these forums because it happens so often in Second Life, but it's not the only way passwords make everything less secure.)

  • Like 1
  • Haha 1

22 hours ago, Arielle Popstar said:

technical and security issue at its core.

About the only thing I can think of that might help is if there is created a way for people to make safe links if they want to share and a way for the recipient to know it's a safe link.  Perhaps, technology companies need to create a company called SAFELINK and name it that.  Then, perhaps the mouse could hover over the link and it changes to a particular color so one can see that is safe.  I'm just giving an example; I'm not saying I have the know-how how safelinks could be created.  But, all technology companies could do at this time is to make a way for SAFELINKS and for people to know what are and what aren't SAFELINKS.  

Edited by EliseAnne85

1 hour ago, EliseAnne85 said:

About the only thing I can think of that might help is if there is created a way for people to make safe links if they want to share and a way for the recipient to know it's a safe link.  Perhaps, technology companies need to create a company called SAFELINK and name it that.  Then, perhaps the mouse could hover over the link and it changes to a particular color so one can see that is safe.  I'm just giving an example; I'm not saying I have the know-how how safelinks could be created.  But, all technology companies could do at this time is to make a way for SAFELINKS and for people to know what are and what aren't SAFELINKS.  

Quoting myself.  

I just searched what are "safe links", apparently Microsoft 365 has a way to detect whether links are safe or not.  Plus, there is one for Google where you right click the URL, choose COPY (not left click on it) and paste it in Google's checker to see if it is a safe link or not.

How do I know if a link is safe to click on?
 
Google has its own version of a URL checker called Google Transparency Report. To check the safety of a link, all you have to do is safely copy the link and paste it into Google's URL checker. To safely copy a link, right-click and choose “copy” from the options that appear. Feb 9, 2023
Edited by EliseAnne85

On 5/29/2023 at 11:20 AM, Arielle Popstar said:

It is unreasonable and a fantasy to expect that the whole online population is going to require a degree in the Computer sciences to have enough knowledge on how to protect themselves from the myriad of vulnerabilities that tech is making us prone to. Digital tech created the potentials for the issues so it is up to them to solve it. Remember, computers were supposed to make our lives easier, not more difficult.

Who made the suggestion that the whole online population would not only obtain but also require a degree in order to do the most very basic of things to protect themselves? I know the world is full of idiots and ignorance - but at some point personal accountability is important. It is absolutely not a technical problem at its core - it is a very real people problem though. Ignorance is what creates the potential for problems. Ignorance can be solved though. Technology isn't going anywhere - it is going to constantly evolve. People need to learn to be more cautious. If people are unwilling to do the most very basic of things to protect themselves - they will continually find themselves at risk of being a victim of any sort of issue. It's not as if the information one can use to protect themselves is hidden behind some degree. In first grade we started going to the computer lab. In first grade I was taught not to click random links. It's not that difficult of a concept.

  • Like 1

On 5/29/2023 at 11:20 AM, Arielle Popstar said:

Phishing even though it's a technical and security people issue on the surface-is mostly a people technical and security issue at its core. FiFY

It is unreasonable and a fantasy to expect that the whole online population is going to require a degree in the Computer sciences to have enough knowledge on how to protect themselves from the myriad of vulnerabilities that tech is making us prone to. Digital tech created the potentials for the issues so it is up to them to solve it. Remember, computers were supposed to make our lives easier, not more difficult.

The Brooklyn Bridge was supposed to make our lives easier, not more difficult...

https://history.howstuffworks.com/historical-figures/conman-sold-brooklyn-bridge.htm

  • Haha 1