Recover from MFA lockout without the help of support
tracked
Nyx Onyx
After a conversation with Spots Linden, I'm requesting again a way to recover from being locked out due to MFA not working, lost device with MFA on it, or whatever. Locked out as in cannot use the disable-MFA feature on the web. I can't enable MFA before there is such a method.
Log In
SL Feedback
updated the status to
tracked
SL Feedback
Issue tracked. We have no estimate when it may be implemented. Please see future updates here.
Nyx Onyx
Hadet Sonnenkern jwenting Resident Ava Bloodrose Having a copy of the QR code is great, as is having the key on a mix of devices / software. But it's not helping you when the one and only (hardly Multi) "MFA" method available for SL at this time is not working on their end, or on yours.
Whatever the cause is for MFA not working, there should be more than one way to get into one's account while having MFA enabled. And if not, then there should be a way to disable it, without having to wait until Support gets around to your ticket.
I advocate for a mix of at the very least two MFA methods, preferably three. Passkeys are nice, recovery codes are nice, knowledge + e-mail is nice (not ONLY e-mail, please - that method alone shouldn't be trusted!). Other methods?
Journey Bunny
Ofc, having a fully automated second way to access the account without needing MFA sort of goes around the point of having MFA, so... there needs to be a spec designed around acceptable risk.
One method already exists:
Lost your phone?
Don't worry! If you've lost access to your authenticator app, you can use your verified email address to remove your MFA token. Be sure to keep your email address up to date!
To remove MFA by email, click Multi-Factor Authentication > Disable Multi-Factor Authentication via Email from your Account Dashboard at SecondLife.com.
Keep that. But, ofc, it depends on being logged-in somewhere.
Then, I suggest:
- At MFA setup, generate ~10 single-use backup codes. Require the resident to copy/download and confirm them before MFA activates.
- Allow registering a second independent factor (a second authenticator, or a WebAuthn/FIDO2 security key).
At the MFA challenge, add "Use a backup code". Upon use, send messaging to contacts on file notifying about the use of a backup code to get in. Include a link to recover the account if "this wasn't you." If a backup code is used, direct user to the MFA management to disable/change mfa method. Note recommendation below.
Optionally, but I'd recommend: Enforce a cooldown on generating new one-time codes; maybe a week? This way, if someone gets in via one-time code, they can't generate 10 new ones, giving themselves a chain of continuous access without needing MFA. In other words, if a person has to use one of their 10 codes to get in, they can change MFA but cannot get a fresh set of codes for a while.
Optionally, but I'd recommend: Enforce a timeout on changing account information. Maybe 3 days? Basically, IF a backup method is used to get in, do not allow change of email/contact info for a cooldown period. This gives the user an opportunity to catch problems before their whole account is redirected.
I hope this supplies a real spec to get this thing going!
Hadet Sonnenkern
I really highly recommend people use an MFA app/service that isn’t device locked
Protonpass and Bitwarden are good options.
jwenting Resident
Wouldn't be very useful 2FA if someone could just disable it after getting your credentials from a fake marketplace site now, would it be?
AlettaMondragon Resident
jwenting Resident Not that they couldn't get the token the same way, but also the people that still fall for those scams apparently don't use MFA either, after all what would protect them is THINKING, one way or another.
Ava Bloodrose
I agree. I find it very strange, and worrying, there is no recovery key provided during activation of MFA. Which is why when i set it up, I scanned the code with multiple apps, that are accessible via web.