Second Life login process to change

Posted Sep 28th 2007 10:00PM by Tateru Nino
Filed under: News, Accounts

Sabin Linden informs us that the login process for the viewer is going to change to address anti-fraud and other security issues. Essentially, you're not going to be logging in through the viewer anymore.

Instead, logins will be processed through the Second Life website, and the browser launched from there with a custom, secure token included in a secondlife:/// link. The token is valid for five minutes.

While the solution has been tested internally to function fine with Windows and Mac viewers, the Linux viewer solution still needs work.

If you use multiple accounts (need to log out of one on the website and into another) this could be very cumbersome. Likewise if you use more than one kind of viewer (beta, release candidate, homebrew...). There are also concerns with how this will affect bots and non-traditional viewers (Katharine Berry's AJAXLife, etc), essentially making the login process potentially more involved.

It shouldn't be too difficult to provide working login services for alternative grids, however.

Ultimately the aim appears to be that the viewer never has access to your password, though the initial release should still have a familiar login screen that passes through the web-service to authenticate, and bots will continue to function as they are until at least the second iteration. After that they will need to post and retreive data from the web-service - which is not all that different to what they are currently doing.

While efforts to beef up security from potentially malicious viewers is laudible, really the viewer doesn't need your password. Once you're logged in, a malicious viewer can do anything it likes with your account that you could do, and can actively conceal from you that it is doing it (sending all your money to someone else, and displaying a false balance, for example).

Tags: AJAXLife, Bots, Donovan-Linden, Katharine-Berry, Linux, Login, Mac, Sabin-Linden, Security, Viewer, Windows

Reader Comments

(Page 1)

1. kk a linden informs YOU but not the actual resident population. Did they inform YOU about the VAT thing too? Just how closely are YOU linked to LL?

Posted at 5:02AM on Sep 29th 2007 by sirhc DeSantis

2. It's all over the SL-dev mailing list at the moment. No, I get no special favors or special info from Linden Lab or individual Lindens. I gather it the way everyone else does.

How closely am I linked? I don't think they like me a whole lot. So, no more closely than anyone else.

Hope that helps. You can visit the public mailing list archive for a full copy of the announcement and following discussion, which I have summarized in the post above.

Posted at 5:47AM on Sep 29th 2007 by Tateru Nino

3. sirhc DeSantis, you are addressing a real problem with Linden Labs, witch seems not to be able to communicate with the SL community, or event to think of this community as adult individual who have helped constructing Second Life.

But to my understanding Tateru has ever bee a member of this community and has done what she could (and that’s a lot) to promote community spirit and convey it to us (and to the Lindens, too). And by the way, the Insider gives more information to us as a community that the Linden, that’s very sad, but we shouldn’t drown the firemen because they fight fire.

As you, being an european seeing the european sim owners being ruined by this sudden application of VAT, I’m very sad, but I don’t think Tateru has to do with that.
As you to I feel anger and helplessness seeing carefully forged community disappearing because of the sheer incompetence of Linden Labs…

Posted at 6:59AM on Sep 29th 2007 by DD Ra

4. The VAT mail was sent to all residents from European countries. I had it in my regular mail. The login thing went over the developer mailing list yesterday night.

Posted at 8:23AM on Sep 29th 2007 by Nicholaz Beresford

5. I've known about this for a couple of weeks, after discussing it with Zero Linden after the SL Grid Architecture meeting - there will (well, should) be the option for pages such as AjaxLife to direct a user to the SL site where they can log in, which will then redirect them back to wherever (e.g. AjaxLife), with login token in tow.

So web-based viewers are fine, assuming this actually goes through as discussed. Of course, this does make it difficult to use such things if secondlife.com (or would it be something.agni.lindenlab.com?) is blocked.

As for the viewer being able to be evil once you're logged in anyway - yes, it can be. I imagine that one day in the distant future you'll be able to set what permissions the viewer will have as you log on - although I have no evidence for that.

Posted at 2:48PM on Sep 29th 2007 by Katharine Berry

6. I know this isnt the right section to post this in, but im having trouble. Ive been away for a while and decided to join back SL. But everytime i try to log in.it says " Despite our best efforts, something un expected has gone wrong" and it never connects. Anyone have any clue as to what the problem is. Im usuing the 1.18.2(1) viewer

Posted at 5:10PM on Sep 29th 2007 by marc

7. @5:

Kat, this is all fine, but given that the web phishing is a well-established criminal business, this change as it is, will actually make it easier, not harder, for the miscreants.

There are several attack vectors right now, including the web phishing part - even today.

The proposed scheme will remove the least likely of them, and make the web login as it is the default and familiar process for the users - so phishing will be easier, not harder, in my opinion.

Of course, I reserve the right to be wrong,
the time will show... :-)

Posted at 8:04AM on Sep 30th 2007 by Dalien Talbot

8. So far, Dalien, everyone on the dev list that I've seen so far (though there have been too many posts for me to properly read them all yet) agrees with you. I have yet to see anything from anyone in favor of it.

Linden Lab says this system is "not set in stone" and has asked for a formal list of criticism for the plan, which is presently being drawn up on the Second Life wiki.

Posted at 8:04AM on Sep 30th 2007 by Tateru Nino

Diablo 3 now a 'theoretical possibility' on consoles Burnout Paradise Cagney update not delayed for PS3 Hudson Soft thinks PS3 development costs are too high	Breakfast Topic: Farewell, Midsummer Well Fed Buff: Dry Pork Ribs Know Your Lore: Malorne
Ninja Gaiden 2 gets patched, sorta Design a GRiD livery for the game's upcoming DLC Dungeon crawler goodness: New Sacred 2 footage	Marble game accessory modeled after Goatse LEGO Batman screens, or how to desexy the ladies Another Week in Japan: Hardware and software numbers 6/23-6/29
DS Fanboy Lite: June 28 - July 4 Princess Maker 4: Implicitly erotic parenting sim coming to DS Special Edition Lite, stickers, and ... global issues?	PSP caused teen to shoot another teen Sensory overload in Gundam Battle Universe TV spot Surprise, Surprise: PSP is #1 in Japan again
Electronic Gaming Monthly: Now with PC gaming coverage Blizzard's Pardo confirms next game as new MMO BigCast iTunes and RSS feeds updated and online!	UFC 86 Weigh-In Video: Corey Hill Is a Freak Dan Cook, Sports Columnist Credited With 'Ain't Over Till the Fat Lady Sings,' Dies at 81 Malcolm Jenkins Had Too Much Fun at Playboy's All America Function

Second Life login process to change

Reader Comments

RSS NEWSFEEDS

RESOURCES

Sponsored Links

Featured Galleries

SL Insider blogroll

Weblogs, Inc. Network