Hello opensource-dev,
I want to give everyone more details about the MFA (Multi-Factor Authentication) login changes that Monty mentioned were deployed recently. We are beginning to add MFA protection to the viewer by integrating the existing web MFA authentication methods (Introducing Multi-Factor Authentication for your Second Life Account!) to the viewer login process.
We can now discuss what is needed to add support for it to various viewers.
The idea is that viewers which are MFA capable will add 2 new parameters (token & mfa_hash) to their login requests. When a login attempt needs a token, the failed login response will have its reason field set to mfa_challenge, and the viewer should handle this by prompting the user for an authenticator token and retrying the login attempt with that token attached. The login server will validate that token and if that succeeds, will allow the login and return an mfa_hash value that will be valid for 30 days.
I've posted the full protocol details here: https://wiki.secondlife.com/wiki/User:Brad_Linden/Login_MFA
The login server is now enforcing MFA only on MFA capable viewers according to the user's preferences at https://accounts.secondlife.com/mfa/status. Viewers that are not MFA capable will not be blocked from logging in yet. We have planned a grace period for non-MFA-capable viewers to allow time for developing and testing these features as needed. When the grace period ends later this year, users' MFA preferences will begin being enforced on all viewers attempting to log in.
Please let me know if anything is unclear or you have questions.
Thanks,
Brad Linden
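The exchange described above, modelled end to end as an added example (this is constructed illustration code, not Linden Lab's login server or any viewer's code). Only the `token` and `mfa_hash` parameters and the `mfa_challenge` reason come from the announcement; the `username`/`password` field names, the `login` true/false field, the `bad_credentials` reason, TOTP (RFC 6238) as the authenticator method and a server-side table of issued `mfa_hash` values are all assumptions made for the model. The actual protocol details are on the wiki page linked above.

```python
"""Constructed model of an MFA-aware viewer login exchange (example only)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

TOTP_STEP = 30                      # RFC 6238 time step in seconds
TOTP_DIGITS = 6
MFA_HASH_LIFETIME = 30 * 24 * 3600  # "valid for 30 days", per the announcement


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class LoginServer:
    """Toy login server; field names other than token/mfa_hash/reason are assumed."""
    users: Dict[str, dict]                                  # name -> password, totp_secret, last_counter
    issued: Dict[str, tuple] = field(default_factory=dict)  # mfa_hash -> (user, expiry)

    def _verify_totp(self, user: dict, token: str, now: int) -> bool:
        # Accept the current step and the previous one (clock skew), but never a
        # counter at or below the last one accepted: a captured token cannot be replayed.
        for counter in (now // TOTP_STEP, now // TOTP_STEP - 1):
            if counter <= user["last_counter"]:
                continue
            expected = totp(user["totp_secret"], counter * TOTP_STEP)
            if hmac.compare_digest(expected, token):
                user["last_counter"] = counter
                return True
        return False

    def _mfa_hash_valid(self, mfa_hash: str, username: str, now: int) -> bool:
        entry = self.issued.get(mfa_hash)
        return entry is not None and entry[0] == username and now < entry[1]

    def login(self, params: dict, now: int) -> dict:
        username = params.get("username", "")
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], params.get("password", "")):
            return {"login": "false", "reason": "bad_credentials"}  # constructed reason value
        if user["totp_secret"] is None:          # MFA not enabled for this account
            return {"login": "true"}
        mfa_hash = params.get("mfa_hash")
        if mfa_hash and self._mfa_hash_valid(mfa_hash, username, now):
            return {"login": "true", "mfa_hash": mfa_hash}   # still within the 30 days
        token = params.get("token")
        if token is None or not self._verify_totp(user, token, now):
            return {"login": "false", "reason": "mfa_challenge"}  # the viewer must prompt
        new_hash = secrets.token_hex(16)
        self.issued[new_hash] = (username, now + MFA_HASH_LIFETIME)
        return {"login": "true", "mfa_hash": new_hash}


def viewer_login(server: LoginServer, username: str, password: str,
                 prompt_token: Callable[[], str], mfa_hash: Optional[str], now: int) -> dict:
    """Viewer side: send the stored mfa_hash if any; on mfa_challenge, prompt once and retry."""
    params = {"username": username, "password": password}
    if mfa_hash:
        params["mfa_hash"] = mfa_hash
    resp = server.login(params, now)
    if resp["login"] == "false" and resp.get("reason") == "mfa_challenge":
        params.pop("mfa_hash", None)       # stale or unknown hash: fall back to a fresh token
        params["token"] = prompt_token()
        resp = server.login(params, now)
    return resp


def demo() -> list:
    """Walk through the exchange with a constructed account; returns the responses."""
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret (constructed account)
    server = LoginServer(users={
        "alice": {"password": "pw", "totp_secret": secret, "last_counter": -1},
        "bob":   {"password": "pw", "totp_secret": None, "last_counter": -1},
    })
    t0 = 59
    prompts = []

    def prompt():
        code = totp(secret, t0)              # what the authenticator app would display
        prompts.append(code)
        return code

    first = viewer_login(server, "alice", "pw", prompt, None, t0)            # challenge, then success
    replay = server.login({"username": "alice", "password": "pw", "token": prompts[0]}, t0)
    cached = viewer_login(server, "alice", "pw", prompt, first["mfa_hash"], t0 + 3600)   # no prompt
    later = t0 + MFA_HASH_LIFETIME + 60
    expired = viewer_login(server, "alice", "pw", lambda: totp(secret, later),
                           first["mfa_hash"], later)                         # hash expired: new prompt
    no_mfa = viewer_login(server, "bob", "pw", prompt, None, t0)             # MFA not enabled
    return [first, replay, cached, expired, no_mfa, prompts]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The model shows the two things a viewer implementer needs to get right: the retry path on `mfa_challenge` (drop the stale hash, attach the token, resend once) and the need to persist the returned `mfa_hash` so the user is not prompted again for 30 days. On the server side it also shows why a TOTP check should refuse a counter it has already accepted: a token captured from one login is then useless for a second one.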
Question: when will (plain) email MFA be made available (and, if anything, at least on Aditi, for testing purposes)?
- What about old clients that are not maintained any more?... Why would they be barred from SL login after the grace period *as long as the user did not enable MFA on their account*?
- How to bisect regression bugs after the grace period is over, when the said regression was introduced in an old version of a given client/viewer that did not have MFA enabled?
...
Err... How am I supposed to use this thing to log into SL with an MFA-enabled account? Any recipe, please?
--
Archives of earlier incarnations of this list are at https://list-archives.secondlife.com
---
You received this message because you are subscribed to the Google Groups "opensource-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to opensource-de...@lists.secondlife.com.
To view this discussion on the web visit https://groups.google.com/a/lists.secondlife.com/d/msgid/opensource-dev/7ADA57FD-6F47-46FD-BA71-D4548FBD0FB6%40gmail.com.
Tonya Souther wrote:
>I'd be surprised if the whole architecture wasn't pluggable, myself, and once the basic setup is done and proven, other kinds of MFA can be added easily enough. Me, I use both Yubikey and TOTP (via LastPass Authenticator, so I don't lose the keys when I switch phones).
>I would have thought Apple's protocol, alongside Google's "tap yes on your Android phone", would be pretty good, though. SMS is right out, and so is email: someone who is going to hijack your SL account is going to hijack your email too.
Absolutely not. Typical attackers with their phishing campaigns in SL usually don't care about email; they are usually just after the L$. I don't know how many people are still using the same password everywhere, but even if they do, the SL website and the viewer do not show the email address anywhere.
So it's an absolutely uncommon scenario that an attacker who hijacks someone's SL account would also be able to hijack the victim's email account.
Even with intensive soliciting of the hijacked user's contacts, that's an atypical scenario. Attackers don't waste time: they usually just try to quickly phish some credentials with fake SL login websites that they spread in groups, and try to get out as many L$ as they can, as quickly as possible. That's the main risk that needs to be mitigated, and I see it happening every other month.
Email based 2FA is just about right. LL just needs to be careful that they don’t get banned by the email providers for too many bounced emails, like they got banned by United Internet (“1&1”) in Germany a couple of years ago. It took nearly two years to convince them to lift the ban.
Martin RJ
On Sun, Mar 13, 2022 at 12:55 PM Argent Stonecutter <secret...@gmail.com> wrote:
On 2022-03-08, at 12:19, Henri Beauchamp <sl...@free.fr> wrote:
> - The chosen MFA protocol itself is weak: why rely on an external and
> offline application (basically a fancy hash generator with the "secret"
> as the -permanent, never renewed- seed and the current time as the
> variable) and a time-based token, when you have verified email that is a
> much stronger way to ensure that the person logging in is indeed the legit
> account owner???
There are basically two MFA systems that are "best practice". These are open TOTP protocols (Google Authenticator, 1Password, etc... a logical descendant of the old RSA hardware keys) and open hardware challenge-response protocols (Yubikeys, FIDO, ...).
Personally I would rather LL supported both kinds.
Email based challenges are way down the list alongside SMS and Apple's "you have to have an iPhone" scheme (which seems to be a proprietary challenge-response scheme that only works on iOS devices).