Bradford Mint

Resident
  • Posts: 297
Everything posted by Bradford Mint

  1. Not forgetting that there's a cost in dealing with fraudulent transactions which could have been mitigated by not having had the fraud occur in the first place. Hence as we know, an organisation will be interested in factoring the cost of technology change against not only profit (generally none for security) but mitigation of time and effort and financial loss (saving) in dealing with the issue. Thus in short, no not every penny spent but the delta between the cost that they presently have vs the reduction in that cost and the overall improvements obtained. Did I need to write this in bold too or is this ok do you think? Bottom line is, some SLers run around forever with L$0 in their account while others have thousands in USD flowing through and would welcome extra protection.
  2. Ridiculously selective (but continuously entertainingly so) in badly interpreting and misquoting. I said "I don't bother to lock it but rely on other security measures for that one". There's no roof, not much point locking the doors to prevent entry now is there? Remind me again when the "Passwords are awesome" seminar is? I need to pop it in the calendar. Incidentally, that insurance company will, in almost all certainty, fall under PSD2 legislation and will be implementing strong customer authentication, guaranteed when it comes to online financial transfers. Irony eh?! This is done to mitigate risk, something that insurance companies are generally rather interested in. They couldn't care less about the small minded opinions of a few IT folk though.
  3. Could do, it makes no difference to me. On the other hand, as an educational exercise for those who believe that a truck load of blank cards can be made into valid ones, there's enough information there to allow a little bit of Googling, to discover that their previous understanding was built on sand.
  4. Yet again, just more evidence that this really isn't your world of knowledge but I'm not here to teach it so continue with the misbelief, makes no difference to me. That article from 2005 (#LOL) is out of date, those problems are OLD, dinosaur problems long since addressed. Evidence that you're clueless as to how smartcards work, how biometric data is actually stored and accessed and how match on card works for example. Your examples of offline auth are so old that they appear to be fossils too. Let me know when the seminar on "Passwords are all we need" is running though please. As regards stolen cards, the only value that a current ID card based around PKI would have would be the visual presentation of the card. Simply because the list of serial numbers of the stolen cards would be blacklisted in the CMS and would not be valid for enrolment. Further, they would not be writable by someone "just stealing a truck load" because the SOPINs are diversified at manufacture based upon an agreed algorithm and key seed value that is HSM generated at the manufacturer and moved securely by means of a key ceremony and imported into the CMS. Further, each batch of cards will have its Global Platform Keys which need to be defined and entered into the CMS before anything can happen. Get this stuff wrong and you lock the cards pretty smartish and end up with ice scrapers. All of this before even writing digital certificates onto the cards. But yeah, you can print one that looks pretty and "looks" ok to a passing copper but try to actually validate it (which is simple to do in the field by said copper) and it'll fail all over the place. Plus, any decent ID card may just be a blank card but then has to go through various forms of additional security which includes various things like laser etching, holograms, lamination etc. Of course, you know all this right, which is how you magically transformed a blank plastic card into a fully valid ID card.
There's more but clearly no need to point it out. Honestly, please stop now with decades old beliefs. OUT OF DATE!
  5. That makes for a humorous read but I'd be rather embarrassed to have written that if it were me because anyone can do a quick Google to look up offline 2FA authentication and cardless ATM operation. It's a bit like watching the flat earth videos on YouTube, just because it's not understood, don't go claiming that things cannot be so. Similarly, I'm sure that anyone championing that it's all the user's fault will not dare take the stage at the next infosec conference available and deliver a session on how username and password are the way forward and that everything else is just marketing. Did you hear the one about the dinosaur that said to its friendly dinos "Nah mate, that meteor stuff is rubbish, it's going to miss us by a mile!"
  6. Offline authentication, yes it's very real. You're just demonstrating petulant ignorance I'm afraid so no need to further add to this even though yet again, you completely ignore the fact that desktop based authenticators remove the phone use case entirely. It would probably be a surprise to you that cash can be withdrawn from an ATM, using a phone and not a bank card, where that phone has no radio connections of any sort. That's just another use case of course. "inconveniencing most of its customers"? Where has that been stated other than in your text? What part of "for those who would wish to use it" is difficult to understand here? I also proposed changes which only impacted the web login which is pretty trivial to incorporate 2FA. You might have missed that suggestion along the way. "deliberately violate ToS by giving their password", now you're really pulling things from thin air. Sorry but your incorrect assertions and ignorance about modern authentication methods are evident and it's probably better to let those who are current continue the thread.
  7. Fortunately the security world has moved on from the belief that passionate support of weak authentication is all that's required and yes, you will no doubt discover how offline authenticators work when your bank plops their PSD2 compliant service in your lap. (It's not difficult to do offline MFA, rather simple actually). The rest isn't worth responding to I'm afraid, it's based upon outdated beliefs and lack of understanding as to modern authentication and what appears to be a failure to actually read what was written because there are certainly no demands from me, only requests and those don't even involve a complete revamp so we'll just have to agree to differ. As to it being a necro thread, that's actually irrelevant because the situation hasn't changed so the original question remains valid. Not really much need to start the same thread again is there?
  8. Nope Klytna, this isn't how modern 2FA authenticators work, they're just not restricted or enforced in the methods you stated. Offline use removes all the fuss about country, networks, roaming, SMS etc. while still allowing the authenticator to work. Someone stealing the phone, yep, that's a very targeted attack and would still need them to validate to the authenticator itself, protected by a PIN or biometric. You'd need your phone thief to get past that too. Is this extra authenticator preventing the phishing attack and the weak username/password from being used the other side of the world? Absolutely and that's by far the most likely threat actor involved here and again, I will yet once more point out that a phone isn't the only authenticator that can respond here, I have stated a desktop authenticator several times so please don't get hung up on phones. I don't understand the objection to a reasonable request for stronger authentication for those it would benefit, if it would be optional and your choice is to remain weak. That's fine but that's not a reason to champion what is fundamentally weak authentication. With regard to your bank not using it, they will if they're not already because they will be bound by PSD2 (Payment Services Directive 2) which is an EU directive which apart from other things, mandates Secure Customer Authentication and username/password ain't it! (Brexit won't remove this requirement either, it's already being implemented by banks in the UK).
  9. Then that person would be a candidate for either continuing with weaker authentication as they are right now or a non data bound authenticator or if no phone, a desktop authenticator. Also, "You also assume that EVERYONE uses a Dumbphone, with access to "apps", and that EVERYONE has a contract with unlimited text messages, with which to respond to the bloody 2FA nonsense." At NO point have I mentioned an SMS channel, assumption that EVERYONE should have or use a phone and no mention of contracts. Those just aren't in my statements or assumptions at all. Notwithstanding that SMS is deprecated as a recommendation by both NIST and NCSC. We're way beyond SMS as the 2FA method of choice. On premise service operated by LL, nobody other than LL would be party to the data mentioned. I can't stress this enough, MFA should be available for those who would choose to use extra security to protect their assets and account so none of the response given applies as the user would have opted to do this. You don't want it? Don't use it. Next contender with "problems" step up...
  10. Ask yourself who is liable in the event of a loss, then there's your answer. With regard to hindrance by employing additional factors, you are aware that additional factors can reduce the burden of authentication? For example, most risk engines will allow multiple attributes to be considered before even prompting for authentication to be stepped up. For example, if you're on the usual PC, in the usual location, usual login times etc. there's no need to prompt for additional human responses via authenticators. Only when funds above a threshold or new PC or unusual location are involved would a need for an additional authenticator. Passwords can be eradicated too when additional authenticators are in play. The assumption that multi factor authentication is hassle just means that the wrong factors have been adopted. Times have changed!
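The risk-engine behaviour described in that post (no extra prompt on the usual PC, location and login time; step up only for a new device, an unusual location or a transaction over a threshold) as an added Python example. This is not code from the forum or from Linden Lab; the profile data, login events, signal weights and thresholds are constructed assumptions for illustration.

```python
"""Added example (not from the forum post): a minimal adaptive-authentication
policy that scores contextual signals and only demands a second factor when the
context is unusual or the transaction is high value. All data and weights here
are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class AccountProfile:
    known_devices: set = field(default_factory=set)    # device fingerprints seen before
    usual_countries: set = field(default_factory=set)  # countries of past successful logins
    usual_hours: set = field(default_factory=set)      # UTC hours the account normally logs in


@dataclass
class LoginEvent:
    device: str
    country: str
    hour_utc: int            # 0-23
    amount_usd: float = 0.0  # value being authorised; 0 for a plain login


# Assumed policy: each unusual signal adds to a risk score. The score threshold
# and the high-value cut-off decide whether a second factor is required.
HIGH_VALUE_USD = 250.0
STEP_UP_SCORE = 40


def risk_score(profile, event):
    """Sum the weights of the signals that differ from the account's normal context."""
    score, reasons = 0, []
    if event.device not in profile.known_devices:
        score += 40
        reasons.append("new device")
    if event.country not in profile.usual_countries:
        score += 50
        reasons.append("unusual location")
    if event.hour_utc not in profile.usual_hours:
        score += 15
        reasons.append("unusual login time")
    return score, reasons


def decide(profile, event):
    """Return ('allow' | 'step_up', reasons). A high-value transaction always
    steps up; otherwise only when the accumulated risk crosses the threshold,
    so a single weak signal (an odd login hour) does not nag the user."""
    score, reasons = risk_score(profile, event)
    if event.amount_usd >= HIGH_VALUE_USD:
        return "step_up", reasons + ["high-value transaction"]
    if score >= STEP_UP_SCORE:
        return "step_up", reasons
    return "allow", reasons


def learn(profile, event):
    """After a successful step-up, remember the context so it counts as usual next time."""
    profile.known_devices.add(event.device)
    profile.usual_countries.add(event.country)
    profile.usual_hours.add(event.hour_utc)


# Constructed sample profile: one home PC, evening logins from the UK.
SAMPLE_PROFILE = AccountProfile({"pc-home-1"}, {"GB"}, {19, 20, 21, 22})

if __name__ == "__main__":
    for ev in (LoginEvent("pc-home-1", "GB", 20),
               LoginEvent("pc-home-1", "GB", 20, amount_usd=900),
               LoginEvent("laptop-x", "BR", 3)):
        print(ev, "->", decide(SAMPLE_PROFILE, ev))
```

The weights are deliberately uneven: a new device or an unusual country crosses the threshold on its own, an unusual hour does not, and any transaction above the cut-off prompts regardless of score, which is the "only when funds above a threshold or new PC or unusual location" behaviour the post describes.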
  11. They don't need data or wifi, a cellular network connection would suffice or an authenticator that's not based on a time sync for those who find keeping time is just too difficult. Old equipment for the SL viewer has no factor here so is irrelevant. I've already mentioned other authenticators. At no point is the addition of extra authentication factors suggested to be mandatory, nor a removal of insecure methods by those convinced that they're good enough and still relevant, they're really not but live the dream. Viewer login methods may be legacy and interwoven in such a way that makes current authentication integration challenging, we'll just have to accept mediocrity there then but there's no reason to prevent additional factors being made available for the web UI. If the game login user credentials were decoupled from the account login to the web UI, that would be a huge step forward. As it stands, relying on username and password is hugely outdated and that's about all there is to it and did they appear to learn anything for Sansar? Nope!
  12. Even smart people can get caught out. Odd how that happens. Assets could be their creations, where would you like them to hold them? What would be the value of say the inventory of Maitreya or Blueberry would you estimate?
  13. Please explain why you believe this as I'm interested in why you perceive it to be a) a poor idea and b) why it's a single country thing?
  14. Yes but unlike many other games, they have users who have assets of value and transact sizeable sums of money. There's still no excuse to not offer stronger authentication for those who wish to use it.
  15. So your device suffers a drift, then either put a SIM card in and turn the data off so that it derives clock from the network or leave wifi on, this really isn't an issue and I was addressing the paranoia of having a smartphone based soft token. There's still no reason to not be offered stronger authentication, these are made up, imaginary reasons to avoid doing something better. OCRA based tokens are but one 2FA mechanism, others exist. Again, the request is there to have it available, nobody is suggesting that it should be forced on those who still believe that passwords alone are good enough.
  16. Like I said, a smartphone is just one platform upon which to host an authenticator, if you want a different platform, that's fine too. You can have a soft token on your desktop if you're concerned about the data leakage from a smartphone and that's just one direct replacement that would also offer push authentication. Other token types abound. As to me buying you one, I'm sure you can afford $36 for a new smartphone? There are so many other ways that you are tracked anyway but that's a different topic, this one is about LL getting with the program and offering more modern authentication for those that want it. Besides, once you install the authenticator, you can turn off wifi, don't need the SIM card, how do you think it's going to be tracked with no data connection?
  17. It's about risk management and mitigation. That particular car is in monetary terms, worth half the value of one tyre, or 2/3rd of a tank of fuel. Another car is a classic convertible worth far more but I don't bother locking that one either because it gets parked in low risk areas and never has the roof up. It relies on other security mechanisms than a door lock when you can just jump in! On the other hand, my transactions within SL have been of far higher value. The problem with being smart is that social engineering can catch people out, even the smart ones so to mitigate that risk, we implement other security factors to assist. 2FA is not a panacea but is just another important tool that should be offered. You can have the strongest password you like but if you're coerced into entering it or malware sniffs it, it's not going to help you much. There remains no excuse today for a platform provider not to offer extra authentication beyond username/password on a platform that deals with assets of value.
  18. Fine for you, maybe you don't transact large funds or have valuable assets but for those to whom it is important is no reason not to offer it. I don't always lock my car on the drive, does that mean cars shouldn't have or don't need door locks?!
  19. The simple answer is "get one" if you want to use easy 2FA. Just like you need a suitable GPU for shadows. We need to stop playing to the lowest common denominator to avoid implementing best practice but alternate options are available for those without a mobile device. Just have a desktop soft token instead. No big deal at all.
  20. I'm not sure what the correlation is between your Windows tablet and your happiness at not having a smartphone?
  21. It wouldn't have to impact the viewer client if an out of band push authentication was to be sent to a smartphone app. If the back end login process is so messy that it can't accommodate an intermediate challenge then that says a lot about the authentication mechanism behind the scenes. So begs the question, what has been learned? Is 2FA available for Sansar? (I went there just once, didn't see any reason to stay and didn't see 2FA)
  22. It's not a question of blame, that's entirely irrelevant. The issue is about best protecting assets and the appropriate tools are not provided.
  23. Mobile push authentication really isn't a faff at all. There are different authentication methods and risk engine parameters that reduce multifactor authentication to a level that is not intrusive. But yes, if you choose not to use it and suffer a breach, that's your issue to deal with.
  24. So when you get really bored... And any other gazillion links to pass the time, this is just an example.