[BUG-231938] MFA RC Viewer rejects authentication code and fails log-in

[sl-service-account]

What just happened?

Attempted to log-in with SL MFA viewer 6.5.4.569309, and log-in repeatedly failed via rejection of MFA code.

What were you doing when it happened?

1. Launched MFA viewer 6.5.4.569309.
2. Entered log-in credentials.
3. Received prompt to enter 6-digit code (via Google Authenticator).
4. Log-in failed.
5. Re-tried 3-4 times, each time with refreshed authentication code. All failed.

To confirm incorrect typing of log-in credentials was NOT to blame for failure:

1. Launched MFA viewer.
2. Entered user-name with intentionally incorrect password - viewer rejected log-in before making request for MFA (as I would expect).

(Log-in credentials also work fine on current release viewer (568554), installed separately on my system, and on all TPVs I commonly use (Firestorm. Catznip, Kokua - so do not believe a typing error is the cause of the issue).

To confirm issue appears to be with MFA:

1. Cleared log-in fields on MFA viewer.
2. re-entered user name and password correctly.
3. Received authentication code request.
4. Entered refreshed 6-digit code.
5. Log-in failed.
6. Repeated these steps numerous times, taking care to enter correct password & a refreshed authentication code, all attempts failed.

What were you expecting to happen instead?

The viewer / back-end would accept an authentication code and log me into Second Life using MFA viewer.

Other information

Original Jira Fields

| Field | Value | | ------------- | ------------- | | Issue | BUG-231938 | | Summary | MFA RC Viewer rejects authentication code and fails log-in | | Type | Bug | | Priority | Unset | | Status | Closed | | Resolution | Triaged | | Labels | mfa | | Reporter | Inara Pey (inara.pey) | | Created at | 2022-03-18T15:29:22Z | | Updated at | 2022-06-29T16:54:17Z | ``` { 'Build Id': 'unset', 'Business Unit': ['Platform'], 'Date of First Response': '2022-03-18T10:46:10.919-0500', 'ReOpened Count': 0.0, 'Severity': 'Unset', 'System': 'SL Viewer', 'Target Viewer Version': 'viewer-development', 'What just happened?': 'Attempted to log-in with SL MFA viewer 6.5.4.569309, and log-in repeatedly failed via rejection of MFA code. ', 'What were you doing when it happened?': '1. Launched MFA viewer 6.5.4.569309.\r\n2. Entered log-in credentials. \r\n3. Received prompt to enter 6-digit code (via Google Authenticator).\r\n4. Log-in failed.\r\n5. Re-tried 3-4 times, each time with *refreshed* authentication code. All failed.\r\n\r\nTo confirm incorrect typing of log-in credentials was *NOT* to blame for failure:\r\n\r\n1. Launched MFA viewer.\r\n2. Entered user-name with *intentionally incorrect* password - viewer rejected log-in *before* making request for MFA (as I would expect).\r\n\r\n(Log-in credentials also work fine on current release viewer (568554), installed separately on my system, and on all TPVs I commonly use (Firestorm. Catznip, Kokua - so do not believe a typing error is the cause of the issue). \r\n\r\nTo confirm issue appears to be with MFA:\r\n\r\n1. Cleared log-in fields on MFA viewer.\r\n2. re-entered user name and password *correctly*. \r\n3. Received authentication code request.\r\n4. Entered refreshed 6-digit code. \r\n5. Log-in failed. \r\n6. Repeated these steps numerous times, taking care to enter correct password & a refreshed authentication code, all attempts failed. ', 'What were you expecting to happen instead?': 'The viewer / back-end would accept an authentication code and log me into Second Life using MFA viewer. ', } ```

[sl-service-account]

Whirly Fizzle commented at 2022-03-18T15:46:11Z, updated at 2022-03-18T15:47:30Z

I can reproduce this on Second Life Release 6.5.4.569309 (64bit), when using Google Authenticator.

2022-03-18T15:43:36Z INFO #LLXMLRPCListener# newview/llxmlrpclistener.cpp(338) Poller::poll : login_to_simulator result from https://login.agni.lindenlab.com/cgi-bin/login.cgi: status Complete, errorcode OK ((done)) 2022-03-18T15:43:46Z WARNING #LLLogin# viewer_components/login/lllogin.cpp(259) LLLogin::Impl::loginCoro : Failed to hear from updater, proceeding with fail.login 2022-03-18T15:43:46Z INFO #LLStartup# newview/llstartup.cpp(1061) idle_startup : Login failed, LLLoginInstance::getResponse(): {'Linden_Error_Code':'1-6234a8ad-58aa22b80b0e60412cd4e166','login':'false','message':'Sorry! We couldn 't log you in. n nPlease check to make sure you entered the right n n * Username (like bobsmith12 or steller.sunshine) n n * Password n n * Second Factor Token (if enabled) n nAlso, please make sure your Caps Lock key is off. If you feel this is an error, please contact support@secondlife.com.','message_args':} 2022-03-18T15:43:46Z INFO #LLStartup# newview/llstartup.cpp(1187) idle_startup : Notification: {'ERROR_MESSAGE':'Login failed. nSorry! We couldn 't log you in. nPlease check to make sure you entered the right n * Username (like bobsmith12 or steller.sunshine) n * Password n * Second Factor Token (if enabled) nAlso, please make sure your Caps Lock key is off.'} 2022-03-18T15:43:46Z WARNING # newview/lltoastalertpanel.cpp(195) LLToastAlertPanel::LLToastAlertPanel : Alert: Login failed.\nSorry! We couldn't log you in.\nPlease check to make sure you entered the right\n * Username (like bobsmith12 or steller.sunshine)\n * Password\n * Second Factor Token (if enabled)\nAlso, please make sure your Caps Lock key is off.

[sl-service-account]

Whirly Fizzle commented at 2022-03-18T15:53:02Z

MFA is working on the change password page though: https://accounts.secondlife.com/change_password/?

[sl-service-account]

Dan Linden commented at 2022-03-18T16:24:15Z

Thank you for the report, Inara!

[sl-service-account]

Kitty Barnett commented at 2022-03-18T16:24:58Z

It's working for me when authenticating with the Microsoft authenticator app:

2022-03-18T16:12:31Z WARNING # newview/lltoastalertpanel.cpp(176) LLToastAlertPanel::LLToastAlertPanel : Alert: To continue logging in, enter a new token from your multifactor authentication app.\nIf you feel this is an error, please contact support@secondlife.com 2022-03-18T16:12:44Z INFO #LLLogin# newview/lllogininstance.cpp(429) LLLoginInstance::handleLoginFailure::::operator () : PromptMFAToken: token submitted 2022-03-18T16:12:44Z INFO #LLXMLRPCListener# newview/llxmlrpclistener.cpp(293) Poller::Poller : login_to_simulator request sent to https://login.agni.lindenlab.com/cgi-bin/login.cgi 2022-03-18T16:12:44Z INFO # llui/llfloater.cpp(775) LLFloater::closeFloater : Closing floater toast 2022-03-18T16:12:49Z INFO #LLXMLRPCListener# newview/llxmlrpclistener.cpp(338) Poller::poll : login_to_simulator result from https://login.agni.lindenlab.com/cgi-bin/login.cgi: status Complete, errorcode OK ((done)) 2022-03-18T16:12:49Z INFO #LLLogin# newview/lllogininstance.cpp(481) LLLoginInstance::handleLoginSuccess : LLLoginInstance::handleLoginSuccess

[sl-service-account]

Whirly Fizzle commented at 2022-03-18T16:27:50Z

It also fails for me using Microsoft Authenticator.

[sl-service-account]

Maestro Linden commented at 2022-03-18T18:04:36Z, updated at 2022-03-18T18:06:15Z

[~inara.pey] [~kitty.barnett] [~whirly.fizzle]: We took a deep look into Whirly's login attempt, which failed due to a bad MFA token, and figured out the issue: the token was entered as the Google Authenticator app prints it, with a space in the middle; like "123 456". Rather than this format, the MFA check was expecting the numeric digits without any spaces, e.g. "123456".

It appears that the web-based secondlife.com MFA check is automatically removing any whitespace, hence the success there. But the login process is taking the token as-is, causing the failure. We think that the viewer or login server should follow the same behavior as web, as (in my mind, at least) a valid MFA token will never include whitespace.

[~inara.pey] can you please confirm if this explains the failures you saw? That is, if you only enter the 6 numeric digits into the MFA field, login succeeds?

[sl-service-account]

Whirly Fizzle commented at 2022-03-18T18:06:57Z

Hiya Maestro. I can confirm that setting up MFA again & missing the spaces out of the tokens allows me to login on the MFA viewer :D

[sl-service-account]

Inara Pey commented at 2022-03-18T20:55:25Z

@Maestro  - apologies, I should have added comments in the initial description: some of my tests were both including and excluding the space (as generated by Google Authenticator) - and all attempts failed. 

 

As per Whirly's comment disabling and enabling MFA through the website avoiding the use of the space appears to rectify matters.  I'd also suggest that as Google authenticator gives codes as XXX[space]YYY (and I believe MS Authenticator does as well), and users are more than likely going to enter that format verbatim - then it should be a case that the viewer strips the space, if that is what the website does.

[sl-service-account]

Jeffbot Linden commented at 2022-03-19T00:12:22Z

Mentioned in build 569725 for DRTVWR-550 (Viewer MFA)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-05-04T18:56:42Z

Mentioned in build 571502 for DRTVWR-548 (Maintenance: Nomayo)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-05-04T19:05:18Z

Mentioned in build 571503 for DRTVWR-561 (Maintenance: O (placeholder))

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-05-04T19:17:17Z

Mentioned in build 571507 for DRTVWR-546 (Performance Improvements)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-05-04T21:35:57Z

Mentioned in build 571498 for DRTVWR-543 (Maintenance: Makgeolli)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-05-05T13:02:14Z

Mentioned in build 571539 for DRTVWR-539 (Performance Floater & Auto FPS)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure

[sl-service-account]

Jeffbot Linden commented at 2022-06-29T16:54:18Z

Mentioned in build 572985 for DRTVWR-529 (EDU Viewer)

• 22a22d17b4c10606cb36a35c92ed627ba2d8aa69 : Fix SL-17034/BUG-231938 whitespace in token causes authentication failure