More and better security systems for our accounts
tracked
Kira Balestra
I've always had MFA enabled since we got the option to have it and I've never had any problems since we got access to MFA, but all last week I had constant problems since neither the SL website nor any of the SL viewers would accept my authentication app tokens... I reinstalled several times, cleared cache everywhere, changed authenticator apps several times, tried other web browsers... and nothing worked on the web or the viewer, in the end I had to remove that option from my account... and I haven't tried again because I got fed up with not being able to work in peace.
It would be great to have an authentication system or more security options that are really reliable
I don't currently trust Second Life's MFA, but I also don't like having my account with just a password and nothing else.
Maestro Linden
Merged in a post:
Add support for MFA recovery codes
Alisyn Baxton
There have been ongoing issues with people's MFA getting messed up, either due to issues with SL, or with their own device configuration. We need to have the ability to respond to MFA using one-use recovery codes. This would allow users to 'self-support' and not require opening a ticket to restore access if they have issues with their MFA app. This is a common practice for most MFA implementations, so I'm not sure why SL did not include support for recovery codes when implementing MFA. I know from discussions in Discord that this is one of the reasons that more people do not use MFA for Second Life; the risk of being locked out due to malfunctioning phone or other key generation devices.
Alestes Resident
Good morning, I have exactly the same problem. One of my premium plus accounts was recently hacked (and yet my password is hard) and that's due to the total absence of brute-force attack blocking. You should block the account, with reactivation by email, if you type the wrong password three times at the login. So Linden reimbursed me (zero excuses by the way, and a week of reaction while I am premium plus, I mean slowness) and I adopted the MFA. Result: the first false manipulation (the Google software is really bad and not translated) I zapped the token from this account and... Impossible to access my accounts without going through the MFA to deactivate the MFA... Seriously? It is amazing that after twenty years the ABC of security has not been mastered at Linden.
primerib1 Resident
I think something is wrong with the TOTP on LL side.
I'm using Authy so I can see how much time I have before the TOTP code refreshes.
I found that as long as I stay on the FIRST HALF of the refresh period, I can login using TOTP no problem.
But if the timer shows I have less than half period left, that is, I'm on the SECOND HALF of the refresh period, I won't be able to use the TOTP code. I have to wait until the code refreshes and only then can I use the (new) TOTP code to login.
LL, please check if the TOTP parameters are correct in your server-side TOTP configuration.
PS: The standard for TOTP specifies that, due to possible time drift between client and server, the server *should* accept 3 TOTP codes: the "current" TOTP code, the "previous" TOTP code, and the "next" TOTP code. It seems LL's implementation only accepts the "current" TOTP code, and is configured wrongly so that it actually refreshes every 15 seconds rather than 30 seconds. If LL's implementation also accepted the "previous" TOTP code then I would have no problem logging in when I'm in the second half of the refresh period.
Kira Balestra
primerib1 Resident I tried two authenticator apps (Google and Microsoft) and both of them only fail with SecondLife stuff, web and viewers. One of them also fails with discord, but neither of them fails with absolutely anything else.
I tried the SL website with different browsers (the result was the same)
In the end I had to remove the MFA and stick with just the password.
On other important websites where money is handled I usually have several extra security options: two-step verification, one-time codes by phone or by email... any option that complements a simple password. No matter how long it is, they can still steal our accounts, but at least it makes you feel a little less unprotected... There are MANY accounts being stolen lately and it is increasing, not only in SL but in general. It is very necessary to have as many security options as possible, but they have to work correctly, for god's sake ><
primerib1 Resident
Kira Balestra Try to use the code within seconds of them changing on your 2FA app. If you have just opened the 2FA app, wait until the numbers change, then as soon as possible (within 10 seconds) type in the number and login.
TOTP is an Internet standard and the calculation should be identical between 2FA apps.
Also check that the time on your phone is accurate, at least to within tens of seconds, because TOTP works by hashing a secret key with the current time. So the numbers generated by TOTP with the exact same secret key at the exact same time will always be the same.
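As an added illustration of the two points above (TOTP is a deterministic hash of secret and time, and a server should accept the previous and next 30-second step to tolerate clock drift), here is an RFC 6238 implementation with a windowed verifier. This is example code, not Linden Lab's implementation; it assumes the RFC defaults (HMAC-SHA1, 30-second period, 6 digits) and uses the RFC's published test secret, with the drifted-clock scenario constructed for the demo.

```python
# Added example (not from this thread): RFC 6238 TOTP generation plus a
# server-side check that accepts the previous, current and next time step.
import base64
import hashlib
import hmac
import struct

PERIOD = 30   # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length (RFC 6238 default)

# Base32 form of the RFC 6238 test secret "12345678901234567890" (ASCII).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, unix_time: int, period: int = PERIOD) -> str:
    """Compute the TOTP code for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    step = unix_time // period                      # RFC 6238 counter T
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from any step within +/-window of the server's step.

    window=0 is the strict 'current code only' behaviour; window=1 is the
    previous/current/next tolerance recommended for clock drift.
    """
    for delta in range(-window, window + 1):
        candidate = totp_at(secret_b32, server_time + delta * PERIOD)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def drift_demo(server_time: int = 1111111111, client_lag: int = 20):
    """Constructed scenario: the phone's clock is client_lag seconds behind.

    Returns (strict_result, windowed_result) for the code the phone shows.
    Near the start of a step, the lagging phone is still on the previous
    step, so a strict server rejects a code a windowed server accepts.
    """
    client_code = totp_at(RFC_TEST_SECRET, server_time - client_lag)
    strict = verify(RFC_TEST_SECRET, client_code, server_time, window=0)
    tolerant = verify(RFC_TEST_SECRET, client_code, server_time, window=1)
    return strict, tolerant
```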
Kira Balestra
primerib1 Resident Thanks! I've been trying to use MFA again for a couple of weeks now and it's working fine with the Microsoft app. I don't know if that was a one-off problem or if it will happen again. I hope not! But I'm going to check out what you said anyway. Honestly, I don't have much idea about these things and it would be good to start getting to know it better.
Vincent Nacon
In the meantime, make your password extremely long (20 characters or longer) and include some unusual symbols besides letters and numbers, like ?!$%&*#. And of course, don't use pet/family names or anything that is considered personal to you; be totally random.
I've found it easier to remember my own set of rules about what kind of password for it rather than remembering the password itself.
Kira Balestra
Vincent Nacon Yes! I currently do, my passwords are 20+ characters long and I use everything: symbols, letters (uppercase, lowercase), numbers... and I change them constantly, but I have been hacked before and I feel really uncomfortable even doing that... and now that MFA doesn't work fine for me... worse lol. Thank you so much for your advice!
Nelson Jenkins
Vincent Nacon Has that been fixed? Passwords were truncated to 16 characters for years. It was a problem when signing into the wiki, the viewer will silently truncate the password so you never notice, but trying to sign in via the wiki, it'd only work if you entered the first 16 characters...
Kira Balestra
Nelson Jenkins It seems we can now use longer passwords, I don't know what the limit will be but my current password is 30 characters.
SL Feedback
Hello, and thank you for your detailed report regarding the issues with MFA and account security. This concern has been brought up in the past and is currently tracked. We understand how frustrating it can be to deal with authentication problems, especially when it impacts your ability to work in peace. While we have no estimate on when improvements might be implemented, please keep an eye on future updates. Your input is invaluable, and we appreciate your commitment to helping us improve Second Life. Thank you for sharing your experience!
Mo Elara
SL Feedback I have installed MFA today, with all required steps, and regardless of how often I delete browser data in 2 browsers (Opera and Safari on Mac) and 2 authenticator apps, I NEVER get asked for the authenticator token. Is this still not working since September?
P.S. a day later: MFA now works on the viewer, not the web page though. Is that intended?