Difference between revisions of "User:Brad Linden/Login MFA"
Jump to navigation
Jump to search
Brad Linden (talk | contribs) |
Brad Linden (talk | contribs) (added info about MFAHash debug setting) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
== New Parameters == | == New Parameters == | ||
Any viewer that does not supply these fields will be interpreted as not supporting MFA features | Any viewer that does not supply these fields in its login requests will be interpreted as not supporting MFA features | ||
; "token" | ; "token" | ||
| Line 19: | Line 19: | ||
: message to be presented to the user when prompting for token, for example: | : message to be presented to the user when prompting for token, for example: | ||
To continue logging in, enter a new token from your multifactor authentication app. If you feel this is an error, please contact support@secondlife.com | To continue logging in, enter a new token from your multifactor authentication app. If you feel this is an error, please contact support@secondlife.com | ||
; login failure message - | ; updated login failure message - LoginFailedAuthenticationFailed | ||
: new login failure request similar to password failure request. when mfa is required this indicates that either the password or TOTP token entered was not correct. For example: | : new login failure request similar to password failure request. when mfa is required this indicates that either the password or TOTP token entered was not correct. For example: | ||
Sorry! We couldn't log you in. | Sorry! We couldn't log you in. | ||
| Line 25: | Line 25: | ||
* Username (like bobsmith12 or steller.sunshine) | * Username (like bobsmith12 or steller.sunshine) | ||
* Password | * Password | ||
* Token | * Second Factor Token (if enabled) | ||
Also, please make sure your Caps Lock key is off. | Also, please make sure your Caps Lock key is off. | ||
== New Debug Settings == | |||
; "MFAHash" - string | |||
: This setting overrides the mfa_hash value stored for testing purposes. It is applied at login time, and will overwrite any saved mfa_hash value for the account that is logging in. This is typically used to set the mfa_hash value to "0" or some other value that is known to be invalid in order to force a new token challenge from the login server. It is non-persistent as a debug setting, but affects how the encrypted storage for the mfa_hash value is persisted. It must be set from the command line or from the Debug menu prior to logging in. | |||
Latest revision as of 17:57, 21 April 2022
New Parameters
Any viewer that does not supply these fields in its login requests will be interpreted as not supporting MFA features
- "token"
- The user's entered Time based One Time Password (TOTP) token. This should be the empty string for login attempts that are not responding to an MFA challenge.
- "mfa_hash"
- The saved hash value and timestamp from a previously successfully answered MFA challenge. This should be the empty string initially.
New Returned Fields
- "mfa_hash"
- The optional hash value and timestamp from a successfully answered MFA challenge. This should be saved in secure storage scoped to the user and current grid similar to how saved passwords are stored. Currently the timestamps expire after 30 days. Subsequent login attempts for the same user and grid combination should fill in this value in the "mfa_hash" parameter of the login request.
New Errors
- login failure reason - mfa_challenge
- A new failure reason that should be handled by displaying a prompt to enter the TOTP token, and retrying the login request with that value in the "token" parameter.
- login failure message - LoginFailedAuthenticationMFARequired
- message to be presented to the user when prompting for token, for example:
To continue logging in, enter a new token from your multifactor authentication app. If you feel this is an error, please contact support@secondlife.com
- updated login failure message - LoginFailedAuthenticationFailed
- new login failure request similar to password failure request. when mfa is required this indicates that either the password or TOTP token entered was not correct. For example:
Sorry! We couldn't log you in. Please check to make sure you entered the right * Username (like bobsmith12 or steller.sunshine) * Password * Second Factor Token (if enabled) Also, please make sure your Caps Lock key is off.
New Debug Settings
- "MFAHash" - string
- This setting overrides the mfa_hash value stored for testing purposes. It is applied at login time, and will overwrite any saved mfa_hash value for the account that is logging in. This is typically used to set the mfa_hash value to "0" or some other value that is known to be invalid in order to force a new token challenge from the login server. It is non-persistent as a debug setting, but affects how the encrypted storage for the mfa_hash value is persisted. It must be set from the command line or from the Debug menu prior to logging in.