Second Life Multi-Factor Authentication: the what and how

via Linden Lab

Linden Lab has announced the initial introduction of Multi-Factor Authentication for Second Life accounts, and has done so in request to numerous requests for increased account security from users to protect personal data.

Traditional user name and password requirements (referred to as single factor authentication) have long be regarded as vulnerable to hacking – up to and including “long” passwords involving alpha-numeric combinations, as the recent publishing by hackers of a 100GB text file of 8.4 billion passwords demonstrated. Multi-Factor Authentication (MFA) adds an additional layer of protection when accessing personal or protected information on-line, and does so by using a combination of elements.

Rather than relying just on something you know (your user name and password), MFA requires a combination of something you know, together with at least one of something you have (such as a electronic token /device capable of generating such a token, something inherent to you (e.g. a fingerprint, your voice, etc), or where you are (e.g. using a specific network connection or via GPS location).

Of these, Linden Lab is implementing MFA based on something you know – your user name and password – and something you have, in this case an authentication token in the form of (preferably) a 6-digit code that can be generated via a user’s smartphone or tablet from a unique QR code from Linden Lab.

With the introduction of MFA, it is important to stress – as noted in the official documentation – that:

  • It is entirely opt-in: you decide if you want to use it or not.
  • It is currently only being applied to the sensitive account information accessed via Account drop-down menu on the left of your Second Life dashboard (so the options relating to account password change, payment method change, transaction information, e-mail settings, etc.).
    • It does not currently impact or change how you log-in to Second Life using any viewer / client.
    • It will be extended across further Second Life web properties (e.g. the Marketplace, etc), in time, and eventually to the viewer as well.
  • E-mail authentication is being developed.
  • Information and initial instructions for setting-up MFA can be found here.
  • Even with MFA enabled, you should still routinely change your Second Life password, using strong and unique options in accordance with best practice.

Setting-Up MFA

Setting-Up MFA is actually relatively straight-forward, and is carried out from your account dashboard via Account → Multi-Factor Authentication.

Selecting this option will display an initial page outlining the process, together with a Get Started button at the bottom.

Accessing the MFA set-up page, and the QR Code / set-up key page (see below)

To complete the process, proceed as follows:

  1. Install a suitable MFA app on a device with a camera (if using the QR code approach). I opted to use Google Authenticator.
  2. Read the introduction notes via Account → Multi-Factor Authentication (above left) and click the Get Started button.
  3. A page will be displayed on your screen with a unique QR code and set-up key.
    • Make sure you make a note of the set-up key – you may need this to help unlock your account should you be unable to use your authenticator of choice.
    • If you are using the set-up key alone, skip to step 6.
  4. Launch your authenticator app and select the option to scan a QR code, then:
    • Point the camera to the QR code on your screen so it is centred within the frame / cross hairs.
    • When positioned correctly, the  authenticator app should automatically capture an image of the QR code (or if a button is available to tap, tap that.
  5. The app will update to show a page that displays your Second Life account name and a 6-digit account token (2 groups of 3 numbers separated by a space).
    • Note this code will update every 30 seconds.
  6. Click Continue on the MFA set-up page. It will update to prompt you to enter two tokens into two fields on the page (see below).
    • If you are using the 6-digit token generated by the QR code, type the displayed code (including the space) into the first field.
    • Wait for the display yo update with a new 6-digit token, then enter the second code into the second token field.
    • If you are using the set-up key, enter this into each field.
  7. Click Activate MFA.
  8. Providing you have done everything correctly, you’ll be informed MFA is now successfully active on your account.
Entering the tokens generated by your MFA app: one unique token per field, as generated by the authenticator app. If you are using the set-up key given on the MFA page, enter that.

How it Works

When MFA is active on your account, clicking any option in the Account drop-down menu to which it has been applied will display an MFA Challenge page.

The account options that – at the time of writing – will present the MFA challenge page. Use your MFA app to obtain a 6-digit code

The MFA Challenge page requires you enter one new token, as generated via your MFA app (or use of the set-up key). Just open the app, select your Second Life account (if using MFA on more than one account – if you are using MFA on just a single account, it will be displayed be default), and then enter a fresh 6-digit code as generated by the app.

Removing MFA

As the official documentation notes, you can disable MFA at any time using Account → Multi-Factor Authentication, entering a code from your app OR enter your set-up key and then click on the Remove MFA button.

Official MFA Links

6 thoughts on “Second Life Multi-Factor Authentication: the what and how

  1. I’m tempted to enable this just to test if I can enter “push” and get a green check/red x on my phone instead of dealing with the numbers.

    -ls

    Like

  2. I set it up pretty easily with the LastPass Authenticator app because I’m trying to limit how much I rely on Google, even though my phone is on Android. It was really easy, even though I used my phone for every step in the process. Instead of using a QR code, I did a copy-and-paste with the keyword to start the process.

    Like

      1. I hear you. I have a few MFA apps on my phone because some sites insist on a specific app, but if it’s my choice I always go with LastPass. I trust them more with my data.

        Like

        1. I’m just lazy! Well, that and despite having a phone with an idiotic level of storage available, I hate having a plethora of apps sitting on it, particularly as I avoided getting a “brand” ‘phone sick to gill with bloatware from and manufacturer, etc, and opted for one which came with Android 10 “only” (plus the expected Google apps – calendar, maps, etc.)

          Liked by 1 person

Have any thoughts?

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.