Difference between revisions of "Viewer Authentication"

From Second Life Wiki
Line 1: Line 1:
= This page is under construction and no longer accurateUpdates coming soon. =
<b>Note:</b> If you would like to discuss the changes stated in this page, please use the discussion tab at the top.  We are reading it and answering your questions there and will update the wiki as neededThank you!


= Website Viewer Authentication (WVA) =
= Viewer Authentication =


In the past, the Second Life viewer and Second Life website have both required you to type in your name and password in order to access the grid and your account informationWith Website Viewer Authentication, Linden Lab seeks to bring these two together such that you will only need to type in your name and password at one place in order to access this content.  Now you'll be able to launch Second Life, securely, from the SL website.
Fairly soon, Linden Lab is going to introduce new form of logging in.  The current process requires an xml-rpc call from your viewer to our servers that runs along an inflexible code-path that is difficult to maintainThis process will change to a web-based path that is easier to maintain and will allow us easier access to tools for making logins smarter and furthering our anti-fraud efforts.


== It's your choice! ==
== What Changes For You? ==
When logging in, you do not have to change your daily routine.  The login screen you are given when starting the Second Life viewer will be a website version of the current interface.  However, it's suggested that if you want to take the most secure route to logging in, you do it via the Second Life website.  Once you've logged in to the website, you'll see a Go Inworld! button which will automatically launch the SL viewer for you.  By logging in this way, you will know that you're typing your password into a safe environment, whether you use the official LL viewer or (eventually) a third-party viewer.


<b>Note to Linux users:</b> Linden Lab is working to allow a secure website authentication for as many Linux users as possibleHowever, due to the nature of Linux distribution, a website login is not guaranteed to work as it may fail for reasons Linden lab is unable to predictIn these cases, it is suggested you log in via the viewer's login page.
You'll see a couple different changes when this is releasedFirst of all, the viewer's login page will be web-based.  It actually won't look that different from the current interface and allows all the same functionality.  Secondly, there will be an optional "Go Inworld!" page on our website that will allow you to log into Second Life straight from the webThis lets you to type your password into our website and gain access to any Second Life applications that take in the proper arguments.
 
Keep in mind that if you are developing a third-party application to access Second Life, we will be keeping our old login methods intact until you catch up with the new process - at which point we will shut down the old pathways.
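Review bot: the new paragraph beginning "You'll see a couple different changes" says the website login gives access to "any Second Life applications that take in the proper arguments", but never says what those arguments are or what is handed to the application in place of the password. The paragraph it replaces told readers that logging in on the website meant "typing your password into a safe environment", so the replacement should name or link the arguments and say whether the password itself ever reaches the launched application. Two wording slips in the new text are also worth fixing in the same pass: "introduce new form of logging in" is missing "a", and "This lets you to type" should read "This lets you type".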


== Frequently Asked Questions ==
== Frequently Asked Questions ==
==="I'm always logged in on the SL website.  How does this affect me?"===
==="I'm always logged in on the SL website.  How does this affect me?"===
If you're logged in on the website, you're simply one step away from being in Second Life.  A "Go Inworld!" link will be on the website for you to click which will launch your Second Life viewer and log you in automatically.
For security purposes, the website login is separate from the Second Life loginYour cookies on the "Go Inworld!" page will not be saved, but your name will be. This ensures sharing computers with others will not allow those other people to log in on your account.
Keep in mind that if you use multiple Second Life accounts, you will need to log out via the website before logging in with another account.  However, if multiple people use your computer, you may take advantage of your operating system's "User Switching" capabilities so that your cookies are not shared and logging out from the website is not a requirement.


==="On the viewer's login screen, I'm giving the choice of where I want to log into.  Will I still have that option?"===
==="On the viewer's login screen, I'm giving the choice of where I want to log into.  Will I still have that option?"===
Yes! The Go Inworld! page will contain the same options the SL viewer's login has.  You can login at your last location, your home, or a destination you specify.
Yes. This functionality will be the same both in the viewer's login and on the website's login.
 
==="I have separate accounts that I use.  How does this affect me?"===
If you wish to use a separate Second Life account, you must log out of your current account on the website and then log in with your separate account.


==="I use Second Life from a computer that is not mine.  How does this affect me?"===
==="I use Second Life from a computer that is not mine.  How does this affect me?"===
So long as you are logged into the website on someone's else computer, they will be able to gain access to your account, just as they would if you stayed logged in on a blog, in a video game, or on a social networking website.  If you simply log out of your account on the website when you are done using the computer, then your account's information will not be accessible.  As usual, common sense is your best friend when using a computer that is not your own.
Everything works the same as before, whether you log in via the viewer or the website.  The website password is not saved, so as soon as you log out of Second Life, other people cannot log in as you without knowing your password.
 
==="Are you telling me the client is not secure?"===
The official Second Life client released by Linden Lab on our SL website is secure.  However, due to our viewer's open-source nature, third-party versions may be hosted elsewhere and can be made to trick you into entering your password where it may be stolen.  Please read the [[#Security|Security]] section below for more details.


==="Why aren't you fixing bugs?  I don't care about login!"===
==="Why aren't you fixing bugs?  I don't care about login!"===
Linden Lab has a team of developers who are constantly fixing bugs in Second Life.  However, we also have developers who work on the website, the servers, and specific issues such as security, billing, and fraud prevention.  WVA is being developed as a security measure in order to ensure your Second Life identity cannot by stolen or phished by malicious entities.  By making your experience secure, we can save you time and money if something ever should go wrong, and allows us to devote more resources toward the ongoing development of Second Life.
Linden Lab has a team of developers who are constantly fixing bugs in Second Life.  However, we also have developers who work on the website, the servers, and specific issues such as security, billing, and fraud prevention.  Viewer Authentication is being developed in order to extend the ability of our logins such that they can take advantage of new fraud prevention measures, future account security measures, and be placed in a more flexible and easier to access code-path.


==="What happens when I want to use the First Look client or some other third-party application?"===
==="What happens when I want to use the First Look client or some other third-party application?"===
Currently, these options still use the old method of logging in.  WVA only applies to the main grid at this time.  We will have a complete transfer over to WVA very soon and will announce when it's ready and what changes you can expect.
Until they are brought up to speed with the new login process, these extra applications will still be able to use our old login procedure.
 
== Why we're making this change. ==
 
===Security===
With Website Viewer Authentication, Linden Lab will be able to centralize its login code to our website.  By doing so, we will be able to centralize our fraud prevention efforts such that we can make larger and faster changes when necessary.  Since you will only have to enter your login information in one place, there should never be a need to enter your name and password into any other interface.  This inherently increases your security.
 
*Note: Due to the open source nature of the Second Life viewer, it is possible to create a clone of the Second Life viewer with the intent to add code which will steal your password and send it to a malicious entity.  A person doing this can then host the viewer on their website saying that it is the official version, thus tricking you into downloading something that looks real but is in fact not.  By logging in via the Second Life website, this kind of attack will not work against you.
 
===Flexibility===
By centralizing logins, Linden Lab will eventually be able to verify your identity for third-party applications.  For example: if you wish to use an open source version of the Second Life viewer, you should not have to worry about typing in your name and password as the viewer will be able to authenticate you via our servers.  This flexibility will give your Second Life presence a greater reach than just the Second Life Grid.
 
===Persistence===
When you login through the Second Life website, you will be taken to a page which will launch Second Life for you.  So long as your cookie's session for the page's login is held and you launch through this page, you won't ever have to type in your name and password again until that cookie's session expires.  So you can log in and out of Second Life as much as you like without having to re-type your information over and over again.  Your identity will be persistent.
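Review bot: the "Why we're making this change" section, including the note under "Security" about cloned viewers built to steal passwords, is absent from the resulting revision, and so is the FAQ entry "Are you telling me the client is not secure?" that linked to it. Nothing in the new text tells readers why they might prefer typing a password into the website rather than into a viewer obtained elsewhere. Consider keeping a one- or two-sentence form of that note, for example in the answer about third-party applications, or state on the discussion tab why it was dropped.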


== The Future! ==
== The Future ==


===Integration===
By changing logins to a web-based path, many possibilities are opened up to us in the futureIntegration into OpenID, uses with new security measures, faster and better fixes when something breaks
Eventually, Linden Lab would like to allow Second Life identities to integrate with OpenID.  The WVA changes will make this route an easier one to handle.  With OpenID, your Second Life identity will be able to transfer to any other applications (eg: blogs, forums, social networking services) that wish to host OpenID capabilities in their servicesIt would open the possibility of logging into separate virtual worlds with your Second Life name.
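Review bot: the new line under "The Future" ends in an unpunctuated fragment ("Integration into OpenID, uses with new security measures, faster and better fixes when something breaks"), which reads as a sentence cut short. Make it a full sentence or a bulleted list. The replaced text also explained what OpenID integration would mean for a Second Life identity, and one sentence of that would keep the item from being a bare name.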

Revision as of 16:38, 19 October 2007

Note: If you would like to discuss the changes stated in this page, please use the discussion tab at the top. We are reading it and answering your questions there and will update the wiki as needed. Thank you!

Viewer Authentication

Fairly soon, Linden Lab is going to introduce a new form of logging in. The current process requires an XML-RPC call from your viewer to our servers that runs along an inflexible code-path that is difficult to maintain. This process will change to a web-based path that is easier to maintain and will allow us easier access to tools for making logins smarter and furthering our anti-fraud efforts.

What Changes For You?

You'll see a couple of changes when this is released. First of all, the viewer's login page will be web-based. It actually won't look that different from the current interface and allows all the same functionality. Secondly, there will be an optional "Go Inworld!" page on our website that will allow you to log into Second Life straight from the web. This lets you type your password into our website and gain access to any Second Life applications that take in the proper arguments.

Keep in mind that if you are developing a third-party application to access Second Life, we will be keeping our old login methods intact until you catch up with the new process - at which point we will shut down the old pathways.

Frequently Asked Questions

"I'm always logged in on the SL website. How does this affect me?"

For security purposes, the website login is separate from the Second Life login. Your cookies on the "Go Inworld!" page will not be saved, but your name will be. This ensures sharing computers with others will not allow those other people to log in on your account.

"On the viewer's login screen, I'm given the choice of where I want to log into. Will I still have that option?"

Yes. This functionality will be the same both in the viewer's login and on the website's login.

"I use Second Life from a computer that is not mine. How does this affect me?"

Everything works the same as before, whether you log in via the viewer or the website. The website password is not saved, so as soon as you log out of Second Life, other people cannot log in as you without knowing your password.

"Why aren't you fixing bugs? I don't care about login!"

Linden Lab has a team of developers who are constantly fixing bugs in Second Life. However, we also have developers who work on the website, the servers, and specific issues such as security, billing, and fraud prevention. Viewer Authentication is being developed in order to extend the ability of our logins such that they can take advantage of new fraud prevention measures, future account security measures, and be placed in a more flexible and easier to access code-path.

"What happens when I want to use the First Look client or some other third-party application?"

Until they are brought up to speed with the new login process, these extra applications will still be able to use our old login procedure.

The Future

By changing logins to a web-based path, many possibilities are opened up to us in the future. These include integration with OpenID, use with new security measures, and faster and better fixes when something breaks.