Second Life Multi-Factor Authentication: the what and how

via Linden Lab

Linden Lab has announced the initial introduction of Multi-Factor Authentication for Second Life accounts, and has done so in response to numerous requests from users for increased account security to protect their personal data.

Traditional user name and password requirements (referred to as single-factor authentication) have long been regarded as vulnerable to hacking – up to and including “long” passwords involving alpha-numeric combinations, as the recent publishing by hackers of a 100GB text file of 8.4 billion passwords demonstrated. Multi-Factor Authentication (MFA) adds an additional layer of protection when accessing personal or protected information on-line, and does so by using a combination of elements.

Rather than relying just on something you know (your user name and password), MFA requires a combination of something you know together with at least one of: something you have (such as an electronic token, or a device capable of generating such a token), something inherent to you (e.g. a fingerprint, your voice, etc.), or where you are (e.g. using a specific network connection, or a GPS location).

Of these, Linden Lab is implementing MFA based on something you know – your user name and password – and something you have, in this case an authentication token in the form of (preferably) a 6-digit code generated on a user’s smartphone or tablet by an authenticator app that has been set up from a unique QR code supplied by Linden Lab.

With the introduction of MFA, it is important to stress – as noted in the official documentation – that:

  • It is entirely opt-in: you decide if you want to use it or not.
  • It is currently only being applied to the sensitive account information accessed via the Account drop-down menu on the left of your Second Life dashboard (so the options relating to account password changes, payment method changes, transaction information, e-mail settings, etc.).
    • It does not currently impact or change how you log-in to Second Life using any viewer / client.
    • It will be extended across further Second Life web properties (e.g. the Marketplace, etc), in time, and eventually to the viewer as well.
  • E-mail authentication is being developed.
  • Information and initial instructions for setting-up MFA can be found here.
  • Even with MFA enabled, you should still routinely change your Second Life password, using strong and unique options in accordance with best practice.

Setting-Up MFA

Setting-Up MFA is actually relatively straight-forward, and is carried out from your account dashboard via Account → Multi-Factor Authentication.

Selecting this option will display an initial page outlining the process, together with a Get Started button at the bottom.

Accessing the MFA set-up page, and the QR Code / set-up key page (see below)

To complete the process, proceed as follows:

  1. Install a suitable MFA app on a device with a camera (if using the QR code approach). I opted to use Google Authenticator.
  2. Read the introduction notes via Account → Multi-Factor Authentication (above left) and click the Get Started button.
  3. A page will be displayed on your screen with a unique QR code and set-up key.
    • Make sure you make a note of the set-up key – you may need this to help unlock your account should you be unable to use your authenticator of choice.
    • If you are using the set-up key alone, skip to step 6.
  4. Launch your authenticator app and select the option to scan a QR code, then:
    • Point the camera to the QR code on your screen so it is centred within the frame / cross hairs.
    • When positioned correctly, the authenticator app should automatically capture an image of the QR code (or, if a button is available to tap, tap that).
  5. The app will update to show a page that displays your Second Life account name and a 6-digit account token (2 groups of 3 numbers separated by a space).
    • Note this code will update every 30 seconds.
  6. Click Continue on the MFA set-up page. It will update to prompt you to enter two tokens into two fields on the page (see below).
    • If you are using the 6-digit token generated by the QR code, type the displayed code (including the space) into the first field.
    • Wait for the display to update with a new 6-digit token, then enter the second code into the second token field.
    • If you are using the set-up key, enter this into each field.
  7. Click Activate MFA.
  8. Providing you have done everything correctly, you’ll be informed that MFA is now successfully active on your account.

Entering the tokens generated by your MFA app: one unique token per field, as generated by the authenticator app. If you are using the set-up key given on the MFA page, enter that.

How it Works

When MFA is active on your account, clicking any option in the Account drop-down menu to which it has been applied will display an MFA Challenge page.

The account options that – at the time of writing – will present the MFA challenge page. Use your MFA app to obtain a 6-digit code

The MFA Challenge page requires you to enter one new token, as generated via your MFA app (or, alternatively, your set-up key). Just open the app, select your Second Life account (if you are using MFA on more than one account; if you are using MFA on just a single account, it will be displayed by default), and then enter a fresh 6-digit code as generated by the app.
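To make the set-up steps above (two tokens from consecutive 30-second windows) and the MFA Challenge check concrete, here is an added example, written for this post and not Linden Lab’s own code, of how an authenticator app derives the 6-digit token from the set-up key (RFC 4226 HOTP and RFC 6238 TOTP), and how a web property could verify what the user types. The sample set-up key is the RFC 6238 reference secret, not a real Second Life key; the otpauth:// QR-code layout is the Google Authenticator key-URI format and is assumed, as the page does not show what Linden Lab’s QR code contains; all function names are this example’s own.

```python
# Added example (not Linden Lab's code): how the 6-digit, 30-second token is
# derived from the set-up key, and how the two-token enrolment step and the
# MFA Challenge page could verify it server-side.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 6238 reference secret ("12345678901234567890")
# in base32, standing in for a real set-up key (never a real one here).
SAMPLE_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_setup_key(key: str) -> bytes:
    """Set-up keys are displayed in base32, usually space-grouped; normalise and decode."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any padding the display dropped
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)


def display_token(code: str) -> str:
    """Format as the app shows it: two groups of three digits, e.g. '287 082'."""
    return f"{code[:3]} {code[3:]}"


def verify_totp(secret: bytes, submitted: str, timestamp=None, step: int = 30, window: int = 1) -> bool:
    """Check for the MFA Challenge page: accept the current step plus `window`
    steps either side (clock drift), strip the displayed space, compare in
    constant time so timing does not leak how many digits matched."""
    if timestamp is None:
        timestamp = time.time()
    candidate = submitted.replace(" ", "")
    now_step = int(timestamp) // step
    return any(
        hmac.compare_digest(hotp(secret, now_step + drift), candidate)
        for drift in range(-window, window + 1)
    )


def verify_enrolment_pair(secret: bytes, first: str, second: str, timestamp=None,
                          step: int = 30, window: int = 2) -> bool:
    """Check for the set-up page: the two tokens must come from consecutive
    time steps. Demanding a second, later token shows the app is producing a
    live sequence from the shared secret rather than a single copied code."""
    if timestamp is None:
        timestamp = time.time()
    first, second = first.replace(" ", ""), second.replace(" ", "")
    now_step = int(timestamp) // step
    for drift in range(-window, window + 1):
        s = now_step + drift
        if hmac.compare_digest(hotp(secret, s), first):
            return hmac.compare_digest(hotp(secret, s + 1), second)
    return False


def parse_otpauth_uri(uri: str) -> dict:
    """Decode the otpauth:// URI that authenticator apps expect inside a QR code.
    Assumption: Linden Lab's QR code uses the Google Authenticator key-URI layout."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": decode_setup_key(params["secret"]),
        "issuer": params.get("issuer"),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_SETUP_KEY)
    print("current token:", display_token(totp(secret)))
```

The drift window is the only tunable worth thinking about: one step either side covers ordinary phone clock skew, while a wider window extends the lifetime of any token that is observed, so keep it small and, on the verifying side, refuse to accept the same token twice within its window.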

Removing MFA

As the official documentation notes, you can disable MFA at any time via Account → Multi-Factor Authentication: enter either a code from your app or your set-up key, then click the Remove MFA button.

Official MFA Links