
Oh crap, MFA now required!


Arielle Popstar

You are about to reply to a thread that has been inactive for 218 days.



3 hours ago, Arielle Popstar said:

Here we go with Enforcing Viewer Login MFA

 

 

Do you have an account without MFA to check to see if Lumiya still works?  I'm not sure if this means all viewers by default have to be MFA enabled to connect to their servers, or if it simply means that people with MFA enabled accounts will need viewers that have MFA capabilities to log in with.  I don't have any older viewers to test it with myself.


2 hours ago, Arielle Popstar said:

So are you saying those who had MFA enabled were not getting the protection it is supposed to afford because anyone could use a non MFA viewer and still login without issue? Hasn't that just been giving residents a false sense of security in thinking that enabling it prior to today gave them some sort of protection when it didn't?

Basically yes. Allowing an account set up for MFA to be logged into sans MFA by a viewer that does not support that feature is a gaping security hole. I am glad they have finally plugged that up. It should have been plugged some time ago IMO. It's like locking the front door and leaving a window open next to it.

 

2 hours ago, Caleb Kit said:

Well, I just filed a ticket with the labs.  Starting up MFA fails because Google Authenticator (on a few month old) Samsung phone does not give out 'tokens'. So you can't complete the MFA sign up. I think maybe someone sent out that press release early cuz they aren't ready yet.  Or me and my money will be going bye bye after almost 17 years.  And I use Google Authenticator numerous times each day.  I have used MFA all over for work and private business for over 10 years I believe.  I have been looking forward to Second Life finally implementing this security feature. 

I'm not sure what you are trying to say here. I've been using Google Authenticator (iOS) for SL ever since MFA was first enabled. Early adopter. It works just fine. And setup was easy: scan the QR and then supply two generated numbers (tokens) (if I recall correctly). So I'm not grokking at what step it's failing for you. That said, they did have some outbound internet issues earlier that might have been interfering with the sign up process. But at last check (as of this post) that's been fixed, so.... try again?

  • Like 5

23 minutes ago, UnilWay SpiritWeaver said:

This seems like it was done... backwards.

They should have required all TPVs to enable MFA before letting us add MFA to our accounts. Make sure the feature works, then roll it out. Instead they rolled it out to customers, and then told TPVs to implement support for it.

That logic escapes me.

The long and the short is that Linden Lab provides a viewer to access the service and the MFA routines were implemented there.  TPVs are just that, third party, and no matter how widely they are used or how much they are sanctioned by the company, using them is always "at your own risk".  While I personally think the window of MFA support adoption for TPVs has been  overly generous, I don't think LL did anything fundamentally wrong by releasing a feature that was fully incorporated and supported by the official product but maybe not by the TPV community.  Most of the main TPV vendors have come on board, and did so quite readily too I might add, and this just closes the door finally on the few hold outs that for whatever reason won't or can't. 

And even now they are not "making" or "requiring" TPV makers to include this feature. Rather they are saying, if you (the user) wish to avail yourself of this added security protocol, then the viewer you choose must support this. I don't have a problem with that either.

  • Like 3

3 hours ago, Anna Salyx said:

The long and the short is that Linden Lab provides a viewer to access the service and the MFA routines were implemented there.  TPVs are just that, third party, and no matter how widely they are used or how much they are sanctioned by the company, using them is always "at your own risk".  While I personally think the window of MFA support adoption for TPVs has been  overly generous, I don't think LL did anything fundamentally wrong by releasing a feature that was fully incorporated and supported by the official product but maybe not by the TPV community.  Most of the main TPV vendors have come on board, and did so quite readily too I might add, and this just closes the door finally on the few hold outs that for whatever reason won't or can't. 

And even now they are not "making" or "requiring" TPV makers to include this feature. Rather they are saying, if you (the user) wish to avail yourself of this added security protocol, then the viewer you choose must support this. I don't have a problem with that either.

Still, I, as so many others, do have an issue with "installing yet another app from Google/Microsoft on their smartphone", which in turn heightens the risk of a privacy breach for the person who has installed that app. Why not simply forward that token/key to the email address or by text to the smartphone? At the end of the story, each person is still allowed to install or not install whatever app on his/her personal device.

  • Like 2

6 hours ago, Anna Salyx said:

Basically yes.  Allowing an account setup for MFA to be logged into sans MFA by a viewer that does not support that feature is a gaping security hole. I am glad they have finally plugged that up.  It should have been plugged sometime ago IMO.  It's like locking the front door and leaving a window open next to it.

I didn't know there was this loophole. Way overdue for addressing it but better late than never I guess. 

I too have been using MFA since it was made available, with no issues from my side. 


1 minute ago, Akane Nacht said:

I didn't know there was this loophole. Way overdue for addressing it but better late than never I guess. 

I too have been using MFA since it was made available, with no issues from my side. 

I think it hasn't been mentioned a lot (or I missed it), that depending on your setup and karma, one is rarely prompted for the MFA. YMMV.


3 minutes ago, Dorientje Woller said:

Still, I, as so many others, do have an issue with "installing yet another app from Google/Microsoft on their smartphone", which in turn heightens the risk of a privacy breach for the person who has installed that app. Why not simply forward that token/key to the email address or by text to the smartphone? At the end of the story, each person is still allowed to install or not install whatever app on his/her personal device.

I'm not sure why installing something like Authenticator would heighten the risk of a privacy breach. If you practice good phone hygiene (install apps from official sources/play stores, have anti-malware on your phone, monitor app permissions, etc.) these 2FA apps won't do you any harm. If your phone is compromised, anything you access from it (email, SMS) will also not be secure.

  • Like 1

3 minutes ago, Love Zhaoying said:

I think it hasn't been mentioned a lot (or I missed it), that depending on your setup and karma, one is rarely prompted for the MFA. YMMV.

I noticed I wasn't asked for MFA if I saved the password (I use the SL viewer). So if I used a shared computer, anyone could get in without MFA.


11 minutes ago, Akane Nacht said:

I noticed I wasn't asked for MFA if I saved the password (I use the SL viewer). So if I used a shared computer, anyone could get in without MFA.

That's interesting, I would have assumed the password is stored at the computer's "user" level, so if you're using multiple Windows / etc. user accounts on your PC, you'd at least not have that problem. I don't use "accounts" on my home PC, so that's not surprising for me personally. (Technically then, mine is a "shared" computer but I live alone.)


6 hours ago, Istelathis said:

Do you have an account without MFA to check to see if Lumiya still works?  I'm not sure if this means all viewers by default have to be MFA enabled to connect to their servers, or if it simply means that people with MFA enabled accounts will need viewers that have MFA capabilities to log in with.  I don't have any older viewers to test it with myself.

I'm logged in on lumiya right now with no issues but I don't have mfa enabled.

  • Like 1

34 minutes ago, Akane Nacht said:

I didn't know there was this loophole. Way overdue for addressing it but better late than never I guess. 

That's why I note that the order of things is backwards. Proper order would be:

  1. If they had required TPV compliance first there would have been no gap period where users falsely believed they were protected.
  2. You do some quiet testing to make sure things work - any viewer claiming to support it does so, any viewer not fails on login for a test account.
  3. You get the feature rolled out into those viewers that choose to support it, THEN you let customers add the feature to their accounts.

 

Rolling out a feature first without requiring TPVs to either support it or block logins to accounts that have MFA - means accounts that presumed they were protected were in fact not.

10 minutes ago, belindacarson said:

I'm logged in on lumiya right now with no issues but I don't have mfa enabled.

If you don't have MFA enabled this change does nothing.

All the change is, is that people who DO have MFA, now cannot use a TPV to circumvent using that MFA. In other words... if you have my account password, a few days ago you could have logged into my account even if I had MFA active, using a TPV. Now, at least if this policy has actually gone live, you cannot.

Since your account lacks MFA - nothing has changed for you. Anyone on any viewer who guesses your password can log into it.

 

  • Like 1

53 minutes ago, Dorientje Woller said:

How on earth: a. does Google know that it's for Second Life, and b. what if you don't use a Google account?

The Google Authenticator app generates individual pass tokens separately for each account it's registered to authenticate. In my case, for example, there's a whole list of different account-specific tokens that update together about every minute. Each account is loaded into the app individually, and each service to which one authenticates also gets account-specific tokens from Google through a public API. It's all just an implementation of RFC 6238, the Time-based One-time Passwords spec.

I believe you need to have a Google account to actually use the Google Authenticator app. For one thing, that's one way to recover access if you lose the only device where the authentication accounts are loaded, and to help port them around to multiple devices if/when desired.

They wouldn't have had to use Google, specifically. The Microsoft Authenticator is also very handy. But it's slightly safer—and substantially easier to support—to choose and use only one.

Also, these apps are very much more secure than text- or email-based code distribution, so it's good they didn't offer those now fairly obsolete options.

  • Like 1

Why do people from the USA have to invent new TLAs for everything? Is it because the country itself is a TLA? Or just an attempt to hijack English again?

WTF is a MFA?

Post Script: I am NOT using Google-anything for anything.  I am not using anything made by the anti-trust corporation Microsoft either.

PPS (sic): I have now read the referenced articles from the Ignorance Base, and understand.  Treat this as a rant!

Edited by Anna Nova

20 minutes ago, Qie Niangao said:

The Google Authenticator app generates individual pass tokens separately for each account it's registered to authenticate. In my case, for example, there's a whole list of different account-specific tokens that update together about every minute. Each account is loaded into the app individually, and each service to which one authenticates also gets account-specific tokens from Google through a public API. It's all just an implementation of RFC 6238, the Time-based One-time Passwords spec.

I believe you need to have a Google account to actually use the Google Authenticator app. For one thing, that's one way to recover access if you lose the only device where the authentication accounts are loaded, and to help port them around to multiple devices if/when desired.

They wouldn't have had to use Google, specifically. The Microsoft Authenticator is also very handy. But it's slightly safer—and substantially easier to support—to choose and use only one.

Also, these apps are very much more secure than text- or email-based code distribution, so it's good they didn't offer those now fairly obsolete options.

Good, what about people that are using "dumb" phones for various reasons? Having a smartphone is still a free choice? How will you use those authenticators?

  • Haha 1

1 hour ago, UnilWay SpiritWeaver said:

That's why I note that the order of things is backwards. Proper order would be:

  1. If they had required TPV compliance first there would have been no gap period where users falsely believed they were protected.
  2. You do some quiet testing to make sure things work - any viewer claiming to support it does so, any viewer not fails on login for a test account.
  3. You get the feature rolled out into those viewers that choose to support it, THEN you let customers add the feature to their accounts.

Rolling out a feature first without requiring TPVs to either support it or block logins to accounts that have MFA - means accounts that presumed they were protected were in fact not.

This sounds correct for optimizing security, but just look through this thread for user reactions to anything that could possibly be misconstrued as a mandate to use MFA. With SL's user base LL had little choice but to roll it out gradually. (As I recall, TPVs had a long time up front, too, to prepare and test their implementations before the Lab made MFA available to users.)

That said, I certainly agree the interval before mandating TPV compliance was way too long, and it was not well communicated that MFA-protected accounts weren't really protected during that interval.

Maybe they gave the excessive interval because TPV developers really aren't working full time on viewer maintenance, and maybe they didn't clearly state the vulnerability during that interval in an attempt to get people to at least install MFA and start using it. Or something. But that long interval certainly wasn't ideal from a user security standpoint, and if they didn't have to give special consideration to TPV developers, that interval wouldn't be needed at all.


29 minutes ago, Anna Nova said:

WTF is a MFA?

"Multi Effing Annoying", a system of really irritating "make you log in several times" using third party apps, usb dongles, keyfobs, numeric codes sent to your phone, riddles, ancient demonic puzzle boxes, and other drek designed to ensure that you can't log in and spend your own money, which CLAIMS it's for your "protection".

 

"Please enter the 1FA Impossible to remember Stupor-Strength password that you wrote on a post-it note stuck to the edge of the monitor.

Please enter the 4th, 7th, and 14th characters from the 2FA impossible to remember 'memorable data', that you also wrote on that post-it note.

Please complete the 3FA captcha to prove you are not a bot thing.

Please enter the 4FA 6 digit security code sent to your phone.

Your 5FA Trusted device, has had a web browser update, and is no longer a 5FA trusted device, would you like to 5FA Trust this device... Again...

You will receive a 6FA automated phone call, to confirm you want to trust your PC... Again...

Congratulations, you can now use your online banking!

Error, you took more than 60 seconds to walk from your PC, to the table in the hall with the bill you want to pay, and back, 7FA Auto Timeout has automatically logged you out, please start the MFA process all over again from scratch!

Have a nice MFA day!"

Edited by Zalificent Corvinus
  • Thanks 1
  • Haha 2

2 minutes ago, Dorientje Woller said:

Good, what about people that are using "dumb" phones for various reasons? Having a smartphone is still a free choice? How will you use those authenticators?

Right, those accounts will need to login without MFA, using easily phished passwords. I think it's theoretically possible to use a web-based application to exchange MFA tokens, but only after passkeys are universal, and that's probably a long way off (and I suppose those will generate all the same resistance as smartphones and MFA mandates).

  • Haha 1

3 hours ago, Love Zhaoying said:

That's interesting, I would have assumed the password is stored at the computer's "user" level, so if you're using multiple Windows / etc. user accounts on your PC, you'd at least not have that problem. I don't use "accounts" on my home PC, so that's not surprising for me personally. (Technically then, mine is a "shared" computer but I live alone.)

I was just talking about the SL viewer 'remember password' option or whatever it's called, not across multiple users on my PC. I only have one user set up on my PC, as I exclusively use it at home. Anyways, perhaps the viewer is meant to work like that 🤷‍♀️

