Oh crap, MFA now required!


Arielle Popstar

1 hour ago, Love Zhaoying said:

Maybe I missed something, what about "Authy"? Or are you saying they're related to Meta?

Thanks!

I don't know anything about Authy (aka Twilio), their ownership, funding structure (they do have investors, so profit will need to take precedence over anything), privacy, security, business model, etc., and didn't mean to imply a link between Meta and them.

I haven't researched them enough to make any statement, except that I don't trust any company that does not have full (as possible) transparency about themselves, their profits, shareholders, owners, etc.

Edited by Katherine Heartsong

Microsoft's authenticator gathers at least the following information from anyone who installs it on iOS, and links it to your identity ...

  • Location
  • User content
  • Usage data
  • Contact info
  • Identifiers (whatever that means)
  • Diagnostics

Google's MFA authenticator gets all this and also ...

  • Contacts
  • Other data (that's vague and broad, isn't it?)
  • Search history (but not linked to your identity, gosh, thanks Google!)
  • More diagnostics

Nope. I'll turn on MFA—and not via an app—when I'm forced to, not a moment before. A code via email works just fine, thanks.

Edited by Katherine Heartsong

2 minutes ago, Katherine Heartsong said:

Nope. I'll turn on MFA, and not via an app, when I'm forced to, not before. A code via email works just fine, thanks.

Fun part: Facebook accounts and Google accounts do get an account verification code through SMS, without an issue.


Ah yes, the Privacy Brigade has shown up now too ...

Pick an App and use it if you want to use MFA. Don't need to use Google or Microsoft's Authenticators as has already been pointed out.

E-mail and text based "authenticator" services are far more vulnerable than the application based ones.

Got a problem with the ones listed as examples by LL? That's nice - no need to use one from Google or Microsoft. LastPass? If you wish to give them a chance, go for it (newsflash for you - no company is immune to data breaches). Authy? Phone and PC side authenticator applications are available.

I find it cute the hoops some will jump through to justify their "distrust" (yes, being polite here).

 


4 hours ago, Love Zhaoying said:

Ah..so if SL did MFA without using a third-party, you'd be fine with that?

The WHOLE point of the MFA industry is that it's "3rd party parasites trying to cash in on people using the internet".

 

So, you have an online system, you gently remind your customers to choose "strong" passwords, and NOT to give their login details to others, but STUPID people do so regardless.

The Professional Sales Liar from MFA Parasites Inc shows up and claims that MFA will save stupid people from themselves, and convinces you to force your users to sign up for "Free MFA".

 

It costs MONEY to run these MFA services, somebody somewhere is paying, so, are they mining data and selling it, or charging the online service for "protecting your stupid customers", or selling users "auth dongles" or "auth keyfobs" or whatever, the "MFA Parasites Inc Faux-Secure Dongle, yours for just $99 plus sales tax and postage", or what?

 

Then you get the MFA Cargo Cultists, whining that SMS messages to your phone are "obsolete" because the Phisher can somehow INTERCEPT the message, assuming they KNOW your phone number, and are even in the same damn country, to pluck the message out of the ether. Then the MFA Cultists whine that we have user IDs and passwords at all, and yearn for a day when we are all just randomised hidden 64-character alphanumeric passkeys, that we ourselves must never know.

 

MFA is a blatant attempt by Parasites to scam companies by offering to "cure stupidity with annoying extra nonsense".

 

Why do you think take-up on "non mandatory" MFA is generally so poor? I don't want to have to spend 10 mins faffing around with some Faux-Security Snake Oil designed to protect morons, every time I want to spend $0.30 on something in an SL weekend sale.


5 minutes ago, Love Zhaoying said:

On the surface, your statement appears to be hyperbole.

IJS!

 

No, it really isn't.

We've had companies offering "login services", where you PAY them to store your password and id in their "secure database" so you DON'T NEED to know them. This "protects you from phishing" apparently, until hackers hack the database admins id and password and steal the whole damn list.

That's something that actually happened.

There are "Consultants" who will charge your company money for telling you that you need to inflict MFA on your users. There are sales reps for companies offering MFA services.

It's a large industry, pretending you are "good guys" protecting people from their own stupidity, by denying them the ability to log in to their own accounts.

I worked on one help line, where at least 1/4 of the calls were from people who couldn't log into the system because their phones had been stolen or were broken, or their number had changed and they couldn't do the phone based MFA thing, and we'd have to mess about resetting stuff for them.

 


2 minutes ago, Zalificent Corvinus said:

No, it really isn't.

It's a large industry, pretending you are "good guys" protecting people from their own stupidity, by denying them the ability to log in to their own accounts.

Go back, back, back in time..

MFA used to mean you carried a fob from some company like RSA. You entered the number on the fob when prompted. The number changed every few minutes. No login, no advertising, no data collection, etc.

There have been recent Forum posters who say that they still use such devices for accessing their bank accounts, etc.


Just now, Love Zhaoying said:

MFA used to mean you carried a fob from some company like RSA. You entered the number on the fob when prompted. The number changed every few minutes. No login, no advertising, no data collection, etc.

Exactly my point...

"Hi I'm your local Sales Liar from MFA Parasites, and I'm here to convince you to protect YOUR customers, by signing up to the MFA Parasites Moron-Tech Faux-Security Fob! All your customers will need to do is order a Fob for JUST $99 plus sales tax and postage, and follow the instructions, then they can use the Fob to PROVE they are THEM every time they try and log in. It's so simple!"

Fobs cost money, somebody had to PAY the Parasites for those things, just as somebody PAYS for the Online Auth Services somewhere along the line.

@Sid Nagy was correct that somebody always pays for this stuff.

 


23 hours ago, UnilWay SpiritWeaver said:

This seems like it was done... backwards.

They should have required all TPVs to enable MFA before letting us add MFA to our accounts. Make sure the feature works, then roll it out. Instead they rolled it out to customers, and then told TPVs to implement support for it.

That logic escapes me.

It was a little backwards, yeah, but it was a faster way to get any added protection and we're glad it was finally done at all. We had nothing for... how many years? 😋

When they originally added MFA, it was only enforced on the account page on secondlife.com (so your personal details were protected, and your email/password couldn't be changed)

After that they implemented MFA to other pages like marketplace.secondlife.com

And now they finally enforce it for viewer logins.

Edited by Wulfie Reanimator

On 9/20/2023 at 12:55 AM, UnilWay SpiritWeaver said:

That's why I note that the order of things is backwards. Proper order would be:

  1. If they had required TPV compliance first there would have been no gap period where users falsely believed they were protected.
  2. You do some quiet testing to make sure things work - any viewer claiming to support it does so, any viewer not fails on login for a test account.
  3. You get the feature rolled out into those viewers that choose to support it, THEN you let customers add the feature to their accounts.

 

Rolling out a feature first without requiring TPVs to either support it or block logins to accounts that have MFA - means accounts that presumed they were protected were in fact not.

I don't disagree with the last statement. And I think much further down the line Wulfie R mentioned that at first the MFA was compartmentalized to key parts of the dashboard, then expanded from there. Even with the blocking now in place, Linden Lab still does not require that TPV makers incorporate MFA tech. I do think that Linden Lab should have been much more forthcoming in the fact that the security hole was there, but there is also a philosophy of security through obscurity (which yes, I know doesn't mean this specifically, but it can be applied).

23 hours ago, Qie Niangao said:

I believe you need to have a Google account to actually use the Google Authenticator app. For one thing, that's one way to recover access if you lose the only device where the authentication accounts are loaded, and to help port them around to multiple devices if/when desired.

No, you can use G-Authenticator without a Google account, and even using it with one, it was opt-in to cloud store/sync the token database. I opted not to. Instead I simply manually sync my accounts between my phone and my tablet, so if the phone ever gets broken or (touch wood) lost/stolen, I'm not suddenly locked out of a lot of accounts. Once I opted out of cloud storage, I can't later decide to turn it on. I've not tried uninstalling and reinstalling to see if that gives me the option again, however, mainly because I have zero interest in that.

 

22 hours ago, Dorientje Woller said:

Good, what about people that are using "dumb" phones for various reasons? Having a smartphone is still a free choice? How will you use those authenticators?

At least one (Authy) has a desktop version for Win, Mac, and Linux. So you don't need a smart device if you don't have or want one.

19 hours ago, Arielle Popstar said:

I disagree, as those 2 options are fairly standard for online banking now and familiar for many that would not be happy with having to install an Authenticator app. Either option would be easy to implement and increase or even force the adoption rate, whereas the App option is likely to keep the residents using it quite low. They are better than no MFA at all, and neither would have required TPVs to merge the code in.

Standard is not synonymous with secure. Yes, it can be argued that they are better than nothing, but not by much. If your banking details include your main e-mail and your e-mail account gets compromised, it's a simple matter to have your bank send out reset data. There have been more than a few cases of phone SIM hijacking through a weak-link CS agent at the phone company, and your SMS messages get redirected. (The last one is probably less likely in most cases, I'll agree.)

It's one reason I have a secure e-mail account that only has one use: bank. No, it's never given out, it's never used to send mail, it's not installed on my phone. Since my bank doesn't use MFA, it's my way of adding a layer of security. :P

13 hours ago, Zalificent Corvinus said:

So, you have an online system, you gently remind your customers to choose "strong" passwords, and NOT to give their login details to others, but STUPID people do so regardless.

The Professional Sales Liar from MFA Parasites Inc shows up and claims that MFA will save stupid people from them selves, and convinces you to force your users to sign up for "Free MFA".

It costs MONEY to run these MFA services, somebody somewhere is paying, so, are they mining data and selling it, or charging the online service for "protecting your stupid customers", or selling users "auth dongles" or "auth keyfobs" or whatever, the "MFA Parasites Inc Faux-Secure Dongle, yours for just $99 plus sales tax and postage", or what?

I'd say less than stupid. The advice is to use a strong unique password that is 8+ characters long, mixed case, numbers and special symbols, etc., and even multiple words, etc., on every site, and change them every 6 months or so. Now, I've got easily 100+ accounts: that advice is not going to happen. Either I use a password vault service, or I reuse passwords. (I tried password vaults, but never found one that was convenient enough to stick with for any number of reasons).

It's not stupidity, it's not even laziness, it's convenience (which okay might be synonymous with those two things). I have a strong unique password for each of my banks. I have a strong unique password for my credit card services. I have a strong unique password for my e-mail accounts. I use separate obscure e-mail accounts for my banks and for the credit card services, and then have a couple of general use accounts. I have MFA on about 30 of what I'd consider sensitive accounts, but the bulk reuse passwords to some extent or another. It's just a fact of life.

We are drowning in passwords, and something has to give. I'll take the added step of MFA on the important things as it does add an additional layer and very little effort.  A thing you know and a thing you have. 

I'm a product, and I have no illusions otherwise. I carry a phone so I'm tracked. All my activity is tracked to varying degrees online. My viewing habits are reported back by either my cable provider or by the streaming services I use. What I buy is tracked either because I order online or pay by plastic; I rarely if ever use cash anymore. My eating habits are tracked because I use a grocery store loyalty card. I could go on, but this, really, is just one small drop in an otherwise huge pond. I don't have to like it, but I can accept it and accept the benefits that some of that gives me for being a data point product.

Edge case but even so, when I worked in IT we had a software vendor that sometimes needed to log into our systems to troubleshoot problems, but we didn't want to give them free access. So when we contacted them for support, we had to provide them with the MFA token from an RSA fob for them to log in. They had the password but could not access the system without us being explicitly onboard with it and giving them the final one time key. This was 20 years ago and long before MFA was really gaining traction as a consumer product, so it does have a history of being very useful tech.

MFA is not pure snake oil. It is a valid technology that has its place, and in the sea of passwords, it has its place now IMO. If you have just a few accounts and practice good safety practices it might be redundant, but for a lot of modern society it's the band-aid that is sorely needed.

One final thought: there are a lot of authenticators on the iOS store that try to trick you into using them instead of the main one by looking like the main ones. Google Authenticator was a big one for copying, and so they recently changed their icon to stand out. The others haven't followed yet, but I'm sure they will in time. So you do still need to be diligent in vetting who you decide to use and that the app you chose is the one you think it is.

Edited by Anna Salyx
removed quoted post that I didn't actually respond to.

41 minutes ago, Anna Salyx said:

I do think that Linden Lab should have been much more forthcoming in the fact that the security hole was there, but there is also a philosophy of security through obscurity (which yes, I know doesn't mean this specifically, but it can be applied).

They were; the original announcement about MFA mentions that it only affects the Dashboard, not viewer logins. It was also talked about on the forum extensively.


10 hours ago, Wulfie Reanimator said:

When they originally added MFA, it was only enforced on the account page on secondlife.com (so your personal details were protected, and your email/password couldn't be changed)

I'd kinda forgotten this part. You're right, that was already a big improvement in security. Now that I think about it, the value of phishing an account with MFA could have been cut further by locking out the ability to buy L$ in the viewer. (If my account ever buys even L$ 1 in the viewer, it ain't me doing it.)

8 minutes ago, Anna Salyx said:

No, you can use G-Authenticator w/out a Google account

Thanks, that's interesting. Now I'm even less sure how Alphabet gleans enough from the sparse traffic through Authenticator to profit by providing the service, not having an account-worth of other data to associate with it. But we're not surprised when Search works in an incognito browser, so maybe monopoly still buys largesse. (That's a little tongue-in-cheek. Trending Search data can improve all searches, with or without knowing who's doing the search. The value seems less obvious in knowing brief peaks in logins to various services, even by geography. Evidently Google is a better spy than I am.)


17 minutes ago, Qie Niangao said:

Thanks, that's interesting. Now I'm even less sure how Alphabet gleans enough from the sparse traffic through Authenticator to profit by providing the service, not having an account-worth of other data to associate with it.

It may not be directly profitable but maybe it makes them look good to be doing their due diligence by making 2FA easy and free, plus they already have the lion's share of the mobile os market. They can afford to throw us a bone to keep us happy and locked in. 


16 minutes ago, Alwin Alcott said:

At the account page this is easy to disable.



That's interesting. Does it actually work, though? It seems to insist that I have one funding source to use for "Buying L$ in Second Life Viewer", unless I'm just doing it wrong. (I'd always assumed this was only to assign different sources for distinct uses, so I don't recall trying to disable a category entirely until now.)


18 hours ago, Dorientje Woller said:

Really, I just installed those authenticators on my smartphone, the Google and Microsoft ones. None of them explains how it operates, what you have to do, what kind of information it needs. Why not simply set up a second layer of authentication with a PIN code that is linked to the account, like Windows does?

It's not up to them to explain, they just provide the code. It's up to whatever service you are using to explain how you use that code and they all do.

 


18 hours ago, Dorientje Woller said:

Why not simply set up a second layer of authentication with a PIN code that is linked to the account, like Windows does?

because

4 hours ago, Anna Salyx said:

A thing you know and a thing you have. 

which is way better than two things you know. And not quite as good as adding the third leg: something you are (biometrics), to the extent it can be reliably obtained. (Some fingerprint readers can be pretty lax, 2D face recognition is weak, etc.)


1 minute ago, Qie Niangao said:

which is way better than two things you know. And not quite as good as adding the third leg: something you are (biometrics), to the extent it can be reliably obtained.

It's like the Riddle of the Sphinx! Or the "Old Man from Scene 24".

 


I had a bit of a shock on Wednesday. When logging in with Speedlight, a message popped up saying that Speedlight is using MFA, and I couldn't log in. It appeared to be mandatory. I'm not going to use any Google, Microsoft, or any other system for that purpose, so I thought that's the end of my Speedlight usage. It was very disappointing. A little later, I was able to log in as normal, so I must have hit a particular time when they were incorporating it.

