Require MFA of all users
closed
Emma Portilo
Making MFA required for all users, instead of allowing them to opt in to use, would be safer for all of us. It is great that those of us that want to protect our accounts can do so by choosing MFA. But if it were required of everyone it might help reduce stolen accounts and the unfortunate messages sent in groups with phishing links.
Merged in a post:
Reduce phishing by moving beyond passwords
Brozier Rizzler
Phishing keeps coming up in the feedback, and while ideas like restricting links in groups might reduce spam, they don’t actually stop accounts from being compromised.
The reason phishing works is simple: passwords can be stolen and reused.
Once a user enters their password into a fake site, the attacker can log in from anywhere. That’s the real problem.
Linden Lab has already taken a strong step by introducing MFA. However, as long as it remains optional, adoption will be uneven, and attackers will continue targeting the large pool of password-only accounts. Phishing will continue to work at scale.
If the goal is to meaningfully reduce account compromise, the platform needs to move beyond passwords.
This means:
- Passwords are no longer sufficient for account access
- Authentication shifts toward methods that can’t be captured and reused (e.g. device-based, one-time, passkey or equivalent modern approaches)
You can limit where phishing links appear, but you can’t prevent users from encountering them entirely.
What you can do is remove the value of what those links are trying to steal.
And if there is no reusable credential:
- Stolen login details stop working
- Account takeovers drop
- The incentive behind phishing campaigns is significantly reduced
Spidey Linden marked this post as closed
Hello, and thank you for your feature request.
Incoming suggestions are reviewed in the order they are received by a team of Lindens with diverse areas of expertise. We consider a number of factors: Is this change possible? Will it increase lag? Will it break existing content? Is it likely that the number of residents using this feature will justify the time to develop it? This wiki page further describes the reasoning we use: Feature Requests
This particular suggestion, unfortunately, cannot be tackled at this time. However, we regularly review previously deferred suggestions when circumstances change or resources become available.
We are grateful for the time you took to submit this feature request. We hope that you are not discouraged from submitting others in the future. Many excellent ideas to improve Second Life come from you, our residents. We can’t do it alone.
Thank you for your continued commitment to Second Life.
AHSouth Resident
I disagree with this. MFA has proven to be troublesome much more than once. I had my own bad experiences myself when I had to disable it in order to log in. No more layers to make things even worse; let people take their own decisions.
Alwin Alcott
Make every payment safe by using the European system where the security is at the bank's side... there's no need for LL or any other money transfer company that needs your info... the biggest problem of draining accounts is gone then.
Naroc Resident
So my experience of MFA is mixed: sometimes it is a joy and other times it is a nightmare. Outlook/Microsoft, for example, is notorious for locking people out of accounts just because someone tried logging in too many times; even if they did not have the 2nd authorization method, they still lock YOU, the actual user, out. Or their authorization service is down, so you can't use your second method to even verify it is you despite knowing the password. I fear a lot of people will just quit SL if the MFA causes them issues because, let's be honest, unless SL is your source of income you're not going to waste time trying to recover an account or fighting with multi-factor authorization if there is an issue.
FionaFridaze Resident
The real point is that Login and Passwords were never really secure and MFA adds an improved hurdle to those who would want malicious access to an account. Using MFA creates a more obvious situation where “this should not be happening” and can cause people to pause, think, and opt-out.
Using MFA with a password manager, a prerequisite in the 21st century, is seamless when properly configured.
The sad part here is that viewer developers seem to not like password managers and misinterpret them as hacking tools.
Perhaps we could skip MFA and move to Passcodes, but then you really need the password manager to manage across your devices.
MFA is not great, but it is better than nothing.
Rachelle Kiyori
FionaFridaze Resident This actually I agree with. More applications need to take advantage of password managers, for sure, though it is not an easy one-and-done solution. There's too many different ones, including commercial ones, and adding compatibility for them will be a pain (without at least temporarily splitting the project, or offloading the work to a third-party library that can maintain it separately).
That being said, this is already a perfectly viable solution for the general population: The viewer allows you to save passwords, and so do web browsers. If your web browser does not recall the saved password for the site you are logging into, then it's simple: DO NOT CONTINUE! This is likely a phishing site!
(But this also will require some internet awareness 2026 which, sadly, many people do not have)
FionaFridaze Resident
Anyone who does not use MFA deserves what they get. Those who preach against it lack experience. They should just stop talking.
Rachelle Kiyori
FionaFridaze Resident
No one is preaching against it completely. But anyone who treats it as god-tier security is also not thinking correctly - that's a fact. MFA codes can be phished just as easily as passwords can, and all it takes is one login by the scammer and the account is already gone.
You think the time limit really offers that much protection? Think again. A script can be set to log into the account the moment the code is provided and hijack it, and the money can easily be stolen and any Lindens that your credit card will allow you to buy can just as quickly be pilfered by the hacker while he is in. It's not as hard as you would like to think it is, unfortunately. And more people would realize this if they tried to look at things from all perspectives rather than focusing on their anger and frustration that the compromised accounts are causing (and indeed, it is a lot!!)
So at the end of the day all you've done is introduced an extra layer of inconvenience - which will be endured once more as the account is stolen by the scammer while they walk away with the correct MFA token to log into the victim's account.
To be clear - I am 100% in support of optional MFA. I think it's a good thing to have, and indeed more users should use it. But I am 100% against mandatory MFA.
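Added example, not part of the thread and not Linden Lab's code: a standard-library Python model of the server-side checks behind the two points argued above, that a one-time code carries no record of where it was typed while an origin-bound assertion (the passkey approach) does. The origins, keys and function names are constructed for illustration, and HMAC stands in for a real authenticator's public-key signature.

```python
import hashlib, hmac, json, os, struct

RP_ORIGIN = "https://login.example.test"            # constructed: the genuine site
LOOKALIKE = "https://login.example-test.invalid"    # constructed: a look-alike page

def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret, submitted, now):
    # The server receives six digits and nothing about where they were typed.
    return hmac.compare_digest(totp(secret, now), submitted)

def sign_assertion(device_key, challenge, origin):
    # The browser fills in the origin it is actually on; the user cannot edit it.
    # HMAC stands in for the authenticator's public-key signature (assumption).
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return client_data, hmac.new(device_key, client_data, hashlib.sha256).digest()

def verify_assertion(device_key, challenge, client_data, sig):
    expected = hmac.new(device_key, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False                      # tampered or signed by another key
    data = json.loads(client_data)
    # Fresh challenge stops replay; the origin check stops use via another site.
    return data["challenge"] == challenge.hex() and data["origin"] == RP_ORIGIN

def compare():
    secret, device_key = os.urandom(20), os.urandom(32)
    now = 1_700_000_010                   # constructed timestamp, start of a 30 s step
    code = totp(secret, now)              # entered on LOOKALIKE, passed on 10 s later
    challenge = os.urandom(16)
    via_lookalike = sign_assertion(device_key, challenge, LOOKALIKE)
    genuine = sign_assertion(device_key, challenge, RP_ORIGIN)
    return {
        "totp_forwarded": verify_totp(secret, code, now + 10),
        "assertion_via_lookalike": verify_assertion(device_key, challenge, *via_lookalike),
        "assertion_genuine": verify_assertion(device_key, challenge, *genuine),
    }

if __name__ == "__main__":
    print(compare())
```

With real passkeys the credential is also scoped to the site's domain, so the authenticator would not offer it on the look-alike page in the first place; the server-side origin check modelled here is the second line of that defence.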
Katronia Carissa
You will only need the code once a month, as long as you check the box when you log in. The platform is awash with scammers and more people losing their accounts every day.
Yes, I wish people wouldn't click the scam links that pop up in various groups, but they do, and no matter how much group mods fight, block and ban, the cycle continues and is getting worse.
Every day I see so many groups popping up with scam links from compromised accounts. People that have been on SL for years, losing their accounts in unguarded moments.
Remember this doesn't just protect your account but it also protects your payment method.
Please enable MFA on all accounts and make it an opt-out service rather than opt-in.
Nika Talaj
Please no. My life is already a hell of 6-digit MFA codes. Really, the percentage of SL users who have enough RL resources sunk into the platform to merit whatever protection MFA would offer them is SMALL. Make it more cumbersome to log in to SL and SL might even lose userbase.
lale Delvalle
You're not thinking about all users. Some people don't have extra money and if LL forces it on everyone some might decide they have had enough. Let people make their own decisions.