[sldev] OpenID & SSL certificates
Matthew Dowd
matthew.dowd at hotmail.co.uk
Wed Oct 3 01:26:21 PDT 2007
> I think it is still important to point out the gross miscommunication
> that happened here. LL is working on something to reduce fraud by
> consolidating their login services, someone misunderstood this to mean
> they were trying to make the login process more secure, and about 100
> e-mails of argument were generated as a result. There are some
> legitimate concerns (that could probably be addressed without scrapping
> anything) buried deep deep deep inside the largest off-topic thread on
> sldev yet.
Security, Persistence and Flexibility were the three headings LL used in their original wiki page on the subject.
Under security, anti-fraud was mentioned, but the only concrete example of how the new mechanism would actually help prevent/detect fraud was third-party password capture. It was inevitable that, after this was dismissed (if the web page is displayed via an embedded web client, then the username/password can still be captured, since the third party has access to the source code for the embedded web client; this isn't really the main security issue with third-party or indeed LL clients), other ways of improving security would be discussed.
Reading the new CAPTCHA blog entry, I'm guessing that one thing LL may be thinking of is introducing CAPTCHAs into the client-side login process *after* a failed logon attempt. This would add protection against automated dictionary attacks on usernames and passwords, although I would hope that LL already has mechanisms for detecting such activity. However, this is not the only way this could be achieved. One mechanism might be that, after three failed logon attempts, the account is locked and generates the message "Your account has been temporarily locked due to too many invalid logon attempts. To unlock your account, please log on to your account pages via the website"; the website login could have various additional checks (e.g. CAPTCHAs, confirmation of date of birth, etc.) before the account is unlocked.
Matthew
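The lock-after-three-failures scheme described in the message above, worked through as an added example (this is not code from the original post, from Linden Lab, or from any Second Life viewer). It assumes a single in-memory account store, PBKDF2-SHA256 password hashing, and two hypothetical secondary checks on the website unlock path (a CAPTCHA result and a date-of-birth match) that are passed in as already-verified booleans; the status strings and the `LoginService` class name are likewise invented for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Lock after three consecutive failures, as proposed in the post.
MAX_FAILURES = 3

# Status strings returned to the client (invented for this example).
STATUS_OK = "ok"
STATUS_DENIED = "denied"
STATUS_LOCKED = "locked"

LOCKED_MESSAGE = (
    "Your account has been temporarily locked due to too many invalid "
    "logon attempts. To unlock your account, please log on to your "
    "account pages via the website"
)


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a fixed work factor; assumed for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0          # consecutive failed client logons
    locked: bool = False       # cleared only by the website unlock path


class LoginService:
    """In-memory stand-in for the client logon and website unlock endpoints."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Client-side logon: counts failures and locks after MAX_FAILURES."""
        acct = self.accounts.get(username)
        if acct is None:
            # Hash anyway so unknown usernames cost the same time as known ones.
            _hash_password(password, b"\x00" * 16)
            return STATUS_DENIED
        if acct.locked:
            # A locked account never reveals whether the password was right.
            return STATUS_LOCKED
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            return STATUS_OK
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return STATUS_LOCKED
        return STATUS_DENIED

    def web_unlock(self, username: str, captcha_passed: bool, dob_matches: bool) -> bool:
        """Website unlock path: requires every additional check to pass.

        captcha_passed and dob_matches are assumed to have been verified by the
        website before this is called; they stand in for the checks the post lists.
        """
        acct = self.accounts.get(username)
        if acct is None or not acct.locked:
            return False
        if not (captcha_passed and dob_matches):
            return False
        acct.locked = False
        acct.failures = 0
        return True


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for _ in range(MAX_FAILURES):
        print(svc.login("alice", "guess"))          # denied, denied, locked
    print(svc.login("alice", "correct horse battery staple"))  # locked
    print(svc.web_unlock("alice", captcha_passed=True, dob_matches=True))  # True
    print(svc.login("alice", "correct horse battery staple"))  # ok
```

Two points the post leaves implicit are made concrete here: a locked account answers "locked" to every client attempt, including a correct password, so the lock state itself does not leak whether a guess was right; and the counter is only reset on the unlock path, so an attacker cannot clear it from the client. The flip side is that anyone who knows a username can lock its owner out with three bad guesses, which is why a real deployment would pair this with the server-side rate monitoring the post says LL hopefully already has.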