[sldev] [META] Formal critique of new auth mechanism?

Callum Lerwick seg at haxxed.com
Sat Sep 29 21:01:26 PDT 2007


On Sat, 2007-09-29 at 22:12 +0200, Dale Glass wrote:
> And IMO, they would be a very good thing to have. SL can be limited to the 
> point of becoming a 3D chat client and still be useful. I can see how some 
> people would like being able to login from a cybercafe to discuss 
> something with a client or friend without making themselves vulnerable. 
> With a one time login password, restrictions that only allow chatting, you 
> could login from the most spyware infested box safely.

Well really, the biggest problem here is there is no separation between
authentication of your financial transactions and authentication of your
identity. :)

In the real world, you can put your money in a bank, authenticated with
things such as physical tokens (your bank/check/credit card) and PIN
numbers, which are solely dedicated to authenticating access to your
money, and nothing else. Your identity is authenticated separately,
typically by some form of government issued ID. You are not forced to
carry all your money with you, reducing the risk you are exposed to if
you get mugged, and making you less of a target for being mugged in the
first place.

In real life, showing your ID to the bouncer at the door to gain access
to the club does not give the bouncer full access to your bank account
in return.

You have no such option in Second Life. You are essentially traveling
Second Life holding all your lindens in hand, as "virtual cash", ripe
for "virtual mugging". (Well, there was that Ginko thing and HAH HAH
that worked out well didn't it? Actually I suppose making yourself some
"mule" accounts isn't a bad idea...)

There is the option of trading lindens for "real money", but that mixes
up your first life with your second life and opens up a huge can of bees
as far as transaction limits and fees and exchange rates and the IRS and
so on...

At any rate, this is easily solved. Give everyone a "virtual wallet"
which is "opened" with a separate password from your login. Logging in
from an untrusted location? Just remember to keep your wallet shut.
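As an added illustration of the separate-wallet idea described in this message (example code written for this page, not code from the list or from Linden Lab), a toy Python model: identity login and wallet access use different secrets, the wallet capability expires on its own, and a "chat-only" login, the cybercafe case, can never open it. All names, the chat-only flag and the PBKDF2 parameters are assumptions.

```python
import hashlib, hmac, os, time
from dataclasses import dataclass
# Toy model (an assumption, not Second Life's real code): identity login and the
# wallet use different secrets; a chat-only login can never open the wallet.

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    name: str
    login_salt: bytes
    login_hash: bytes
    wallet_salt: bytes
    wallet_hash: bytes
    lindens: int = 0
    @classmethod
    def create(cls, name, login_pw, wallet_pw, lindens=0):
        ls, ws = os.urandom(16), os.urandom(16)
        return cls(name, ls, _kdf(login_pw, ls), ws, _kdf(wallet_pw, ws), lindens)

@dataclass
class Session:
    account: Account
    chat_only: bool               # one-time / cybercafe login: chat, never money
    wallet_open_until: float = 0  # wallet capability shuts itself after a TTL

def login(acct: Account, login_pw: str, chat_only: bool = False) -> Session:
    # Authenticates identity only; grants no access to funds.
    if not hmac.compare_digest(_kdf(login_pw, acct.login_salt), acct.login_hash):
        raise PermissionError("bad login password")
    return Session(acct, chat_only)

def open_wallet(s: Session, wallet_pw: str, ttl: float = 300) -> bool:
    # Second, separate authentication; unlocks spending for `ttl` seconds.
    if s.chat_only:  # policy: restricted sessions cannot open the wallet at all
        return False
    a = s.account
    if not hmac.compare_digest(_kdf(wallet_pw, a.wallet_salt), a.wallet_hash):
        return False
    s.wallet_open_until = time.monotonic() + ttl
    return True

def pay(s: Session, payee: Account, amount: int) -> bool:
    # Transfers lindens; refused unless the wallet is currently open.
    if time.monotonic() >= s.wallet_open_until or amount > s.account.lindens:
        return False
    s.account.lindens -= amount
    payee.lindens += amount
    return True
```

A compromised cybercafe machine that captures the login password gets a chat-only session; the wallet password is never typed there and the wallet stays shut.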