A couple days ago Linden Lab introduced multi-factor authentication to the Second Life platform.
While this was a highly anticipated feature for some of us, many SL residents are still unaware what MFA is, and why it is needed.
In simple terms MFA adds an extra layer of security when accessing sensitive account information, but do you really need that?
Yes! You absolutely do.
A Second Life avatar is not just some game character. It is a high value asset. Your Second Life account has payment information. You can transact on the LindeX currency exchange. If you are a creator all of your uploaded intellectual property is connected to your account.
Most importantly your avatar is of high emotional value.
The relationships we make, the way we express ourselves through our creative and intricate personas, all that is well worth protecting.
While this was a highly anticipated feature for some of us, many SL residents are still unaware what MFA is, and why it is needed.
In simple terms MFA adds an extra layer of security when accessing sensitive account information, but do you really need that?
Yes! You absolutely do.
A Second Life avatar is not just some game character. It is a high value asset. Your Second Life account has payment information. You can transact on the LindeX currency exchange. If you are a creator all of your uploaded intellectual property is connected to your account.
Most importantly your avatar is of high emotional value.
The relationships we make, the way we express ourselves through our creative and intricate personas, all that is well worth protecting.
TL;DR
I know a lot of you don't want to read, and while I hope you read the rest of my post, this is too important so here it is in extra-short.
- Get a multi-factor authentication app such as Microsoft Authenticator
- Go to https://accounts.secondlife.com/mfa/status
- Scroll down all the way to the Get Started button
- Open your app to scan the QR code
- Follow the instructions
Let's talk about Multi-factor Authentication
Unless you enabled MFA or 2FA already for some other service once before, all of this stuff may seem confusing at first, so I will try to explain it in as simple words as possible. Go ahead and grab a nice mug of tea, or coffee, and please read carefully what I have to tell you.
Your account credentials are usually two pieces. A user name and a password.
Enter the name, enter the password, and pop you are logged in.
The truth is that this method is not very secure at all. One piece of your credentials is already public, the user name, and then the password is usually not very good. We have to deal with so many passwords at this point it's almost impossible to keep any overview without a password manager, and it is very tempting to use passwords that are easy to memorize for things like Second Life and games.
Especially the passwords that are nice to remember, and can be typed quick, are easy to crack with a brute-force / dictionary attack mix.
These attacks can take some time, but even when done from scratch, they are easy to hack, and can be pulled off with super low effort by someone who isn't very bright, and who isn't good at programming. Imagine this like letting some program run that doesn't need more juice than a digital wrist watch from the late 1990s. The little thief can let things run, then just ignore it and collect your account later.
Your account credentials are usually two pieces. A user name and a password.
Enter the name, enter the password, and pop you are logged in.
The truth is that this method is not very secure at all. One piece of your credentials is already public, the user name, and then the password is usually not very good. We have to deal with so many passwords at this point it's almost impossible to keep any overview without a password manager, and it is very tempting to use passwords that are easy to memorize for things like Second Life and games.
Especially the passwords that are nice to remember, and can be typed quick, are easy to crack with a brute-force / dictionary attack mix.
These attacks can take some time, but even when done from scratch, they are easy to hack, and can be pulled off with super low effort by someone who isn't very bright, and who isn't good at programming. Imagine this like letting some program run that doesn't need more juice than a digital wrist watch from the late 1990s. The little thief can let things run, then just ignore it and collect your account later.
Your mind is not built to memorize arbitrary strings of letters and numbers
I would recommend anyone to use a password manager, such as Firefox Lockwise or 1Password, both of those are very good options.
But, and this is the very, very important part, only if your access to the password manager is secured by multi-factor authentication.
Of course you can use really complex passwords that are impossible to memorize, and still should be regularly changed, but when doing that for all your stuff, you will need a password manager, which again has to be properly secured, or it would be an even worse security breach when all of your passwords are getting leaked. As you can see, you are not really getting around the MFA security method anyway.
But, and this is the very, very important part, only if your access to the password manager is secured by multi-factor authentication.
Of course you can use really complex passwords that are impossible to memorize, and still should be regularly changed, but when doing that for all your stuff, you will need a password manager, which again has to be properly secured, or it would be an even worse security breach when all of your passwords are getting leaked. As you can see, you are not really getting around the MFA security method anyway.
It's a lot less annoying than you think
How does multi-factor authentication work in practice?
You have to download an app for your smartphone, iPad or PC that generates a random number every 30 seconds, and when accessing your account, or some particularly sensitive parts within your account dashboard, enter that random number in order to proceed further.
There are many good apps for this, but I personally recommend Microsoft Authenticator. I know, that seems to be an odd one coming from me of all people, but I want you to actually secure your accounts, and that means you need a solution that works when you need it.
For Microsoft Authenticator you will need a Microsoft Account, and that account can be secured with your phone number.
Microsoft doesn't go away any time soon, they are a fortress, and even if you already have a Google Account for your phone or You Tube, and could just use Google Authenticator, what we are trying to do here is to create multiple factors to make your accounts more secure.
Especially if you are already heavily invested in one particular platform it is wise to avoid putting all of your eggs in the same basket.
If you really can't warm up to the idea of using a service by Microsoft, there are also the Google Authenticator, Authy, or if you want go with open source FreeOTP (which is backed by Red Hat) or its fork FreeOTP+ if you are on a completely de-googled Android smartphone.
You have to download an app for your smartphone, iPad or PC that generates a random number every 30 seconds, and when accessing your account, or some particularly sensitive parts within your account dashboard, enter that random number in order to proceed further.
There are many good apps for this, but I personally recommend Microsoft Authenticator. I know, that seems to be an odd one coming from me of all people, but I want you to actually secure your accounts, and that means you need a solution that works when you need it.
For Microsoft Authenticator you will need a Microsoft Account, and that account can be secured with your phone number.
Microsoft doesn't go away any time soon, they are a fortress, and even if you already have a Google Account for your phone or You Tube, and could just use Google Authenticator, what we are trying to do here is to create multiple factors to make your accounts more secure.
Especially if you are already heavily invested in one particular platform it is wise to avoid putting all of your eggs in the same basket.
If you really can't warm up to the idea of using a service by Microsoft, there are also the Google Authenticator, Authy, or if you want go with open source FreeOTP (which is backed by Red Hat) or its fork FreeOTP+ if you are on a completely de-googled Android smartphone.
My head is already feeling hot...
Take a short break and try to focus. It's okay to do this in steps.
If installing the app took some effort, know that the hardest part is already out of the way.
Okay, let's assume that at this point you already have an authenticator app installed on your phone or iPad.
Next you want to visit your Second Life account dashboard, and on the left side pane select Account > Multi-Factor Authentication. Linden Lab is explaining things well, most importantly they let you know that logging in with your SL viewer won't require MFA, meaning that this part won't change at all, and that is okay. What we need to secure is the stuff we can do on our account dashboard on the web.
At the very bottom of this page is a teensy, tiny button called "Get Started", and that you need to click!
This leads to another page with a giganto QR code.
Now open your authenticator app. The one I recommend has a little + symbol top right. Touch the + and then select "Other" (as we are not adding a "personal" or "school" Microsoft account) and hold your iPad or phone so the camera is focused on the giganto QR code.
That was all you needed to do for the account to be set up in your authenticator app. It should be right there saying:
Second Life
Your Name
123 456
Just like that! These six numbers are changing every 30 seconds.
Next you want to click Continue, which leads you to a "Step 2: Enter Tokens" where they want you to add 2 of these numbers or "tokens".
You don't have to stress about the numbers going away too fast. Just take it easy, let it trickle down, 30 seconds are enough time to enter six numbers. Enter one token in the first field, and then wait a few seconds until another token is generated, and enter that one in the second field. If all was correct, they will tell you "Success!" and you get a friendly email from the friendly email robot letting you know.
If installing the app took some effort, know that the hardest part is already out of the way.
Okay, let's assume that at this point you already have an authenticator app installed on your phone or iPad.
Next you want to visit your Second Life account dashboard, and on the left side pane select Account > Multi-Factor Authentication. Linden Lab is explaining things well, most importantly they let you know that logging in with your SL viewer won't require MFA, meaning that this part won't change at all, and that is okay. What we need to secure is the stuff we can do on our account dashboard on the web.
At the very bottom of this page is a teensy, tiny button called "Get Started", and that you need to click!
This leads to another page with a giganto QR code.
Now open your authenticator app. The one I recommend has a little + symbol top right. Touch the + and then select "Other" (as we are not adding a "personal" or "school" Microsoft account) and hold your iPad or phone so the camera is focused on the giganto QR code.
That was all you needed to do for the account to be set up in your authenticator app. It should be right there saying:
Second Life
Your Name
123 456
Just like that! These six numbers are changing every 30 seconds.
Next you want to click Continue, which leads you to a "Step 2: Enter Tokens" where they want you to add 2 of these numbers or "tokens".
You don't have to stress about the numbers going away too fast. Just take it easy, let it trickle down, 30 seconds are enough time to enter six numbers. Enter one token in the first field, and then wait a few seconds until another token is generated, and enter that one in the second field. If all was correct, they will tell you "Success!" and you get a friendly email from the friendly email robot letting you know.
I don't get it. Sorry.
That's fine, let me give you a practical example.
If you set everything up, go to the left side pane again, click Account > Billing Information and you will arrive at a page that requests you to enter a MFA token with a "Submit Challenge" button before you can actually get there. That means unless the person who is trying to access your Billing Information is indeed you - this part of the dashboard cannot be accessed even if your account got compromised.
Which is why I recommend using an authenticator app with an account that can be secured with your phone number. Your phone can get stolen, alright, but your phone number can't. In the very worst case everything will be secure, especially the things that are dear to you. ♥
If you set everything up, go to the left side pane again, click Account > Billing Information and you will arrive at a page that requests you to enter a MFA token with a "Submit Challenge" button before you can actually get there. That means unless the person who is trying to access your Billing Information is indeed you - this part of the dashboard cannot be accessed even if your account got compromised.
Which is why I recommend using an authenticator app with an account that can be secured with your phone number. Your phone can get stolen, alright, but your phone number can't. In the very worst case everything will be secure, especially the things that are dear to you. ♥
Why isn't there a MFA challenge already when logging in?
Because this is MFA by Linden Lab, my dear friends, and Linden Lab does things in some mysterious ways. Sometimes you need to realize that many things we love about Second Life are exactly the way they are because Linden Lab is even being Linden Lab.
This surely wasn't an easy one to pull off, and getting to work on Second Life with all its special needs, but they did it.
In a worst case you are able to recover your account easily now, because you can change your email and password already after it was stolen, and nobody can abuse your account anymore to cause any greater harm. You can still be phished, which is obviously a big problem with fake market links spammed through in-world groups during the holidays every year, but if you use MFA it's half as bad now.
I love that we can finally have multi-factor authentication. Three days ago was the first time I really felt secure on SL since I had to deal with abuse issues. I'm so happy about MFA, you would not believe it. It makes all the difference to me, and I'm sure it does to others who had to deal with lots of abuse as well. All of my stuff has super tight security, and now my Second Life avatar is finally safe too.
I can finally let my hair down and chill out, maybe even find someone to play with again. That would be really nice. 🥰
This surely wasn't an easy one to pull off, and getting to work on Second Life with all its special needs, but they did it.
In a worst case you are able to recover your account easily now, because you can change your email and password already after it was stolen, and nobody can abuse your account anymore to cause any greater harm. You can still be phished, which is obviously a big problem with fake market links spammed through in-world groups during the holidays every year, but if you use MFA it's half as bad now.
I love that we can finally have multi-factor authentication. Three days ago was the first time I really felt secure on SL since I had to deal with abuse issues. I'm so happy about MFA, you would not believe it. It makes all the difference to me, and I'm sure it does to others who had to deal with lots of abuse as well. All of my stuff has super tight security, and now my Second Life avatar is finally safe too.
I can finally let my hair down and chill out, maybe even find someone to play with again. That would be really nice. 🥰