The indented passage below is from an email on the SL-Dev list:
Hey all. I’m Sabin Linden, a developer here at Linden Lab. You may know me as that Linden with the pixel avatar or maybe… Well… Actually I don’t do much external facing work so you probably don’t know me at all. Don’t worry, you’re not missing out on much.
In any case, I wanted to take a moment and send to this list some security changes Linden is going to make in order to further the efforts of anti-fraud and phishing prevention. Pretty soon we’re going to consolidate logins to our website so we can eventually centralize the process. In other words, residents will not have to type their name and password into SL viewers and applications, they’ll type them into our website instead. The process that occurs is as follows:

1: After logging into the website, you’ll be taken to a new page that has the same login location options the current SL viewer has.
2: When you hit the Go button, a form is submitted to a php page, which redirects to a secondlife:/// url that has a web key appended to it.
3: The secondlife:/// url itself will launch Second Life with locational details and the web key will authorize your account for login.

Note: You can find more detailed information (the whys and hows) on the public wiki at https://wiki.Secondlife.Com/wiki/Viewer_Authentication
This method works for Windows and Mac machines, but unfortunately due to the nature of how Linux handles secondlife:/// links (it doesn’t), we have been unable to come up with a proper, catch-all solution that would allow this method of login to work for 100% of the Linux using population. We estimate (aka: make an educated guess) that we can catch about 70% of Linux users at first and will be working to get that number as close to 100% as possible. However, because there are so many different distributions and configurations of Linux available, there’s always the possibility of people who cannot launch Second Life from the website. Fortunately, we will be implementing a login screen for each of our viewers (similar to the one you see now) which goes through our website. Although this doesn’t allow as much security as we would like (since you’re still technically typing your password into the viewer) it will, at least, allow all Linux users to log in. Additionally, it will provide a fall-back for those who are used to the current way of logging in.
With this information, I wanted to get your feedback! Do you think there’s a way we could make website viewer authentication work for all Linux users? Do you have any specifications for how this will interact with your third party viewers and applications? Anything I haven’t covered that you’re worried about? Thanks for your time everyone, we’d love to hear what you have to say.
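Steps 2 and 3 of the email mean the secondlife:/// URL carries a login credential, so whatever receives it (a protocol handler or a third-party viewer) should validate it strictly and keep the key out of logs. The sketch below is an added example, not code from the email or from Linden Lab; the URL layout, the `web_login_key` parameter name and the UUID-shaped key are assumptions, since the email does not specify them.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout; the email does not specify the real one:
#   secondlife:///<region>/<x>/<y>/<z>?web_login_key=<uuid>
KEY_PARAM = "web_login_key"  # hypothetical parameter name
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")
REGION_RE = re.compile(r"[A-Za-z0-9 ]{1,64}")
COORD_RE = re.compile(r"[0-9]{1,4}")


def parse_login_url(url):
    """Return (region, (x, y, z), web_key); raise ValueError if malformed."""
    parts = urlsplit(url)
    if parts.scheme != "secondlife" or parts.netloc or parts.fragment:
        raise ValueError("not a bare secondlife:/// URL")
    segs = [unquote(s) for s in parts.path.split("/")[1:]]
    if len(segs) != 4 or not REGION_RE.fullmatch(segs[0]):
        raise ValueError("expected /<region>/<x>/<y>/<z>")
    if not all(COORD_RE.fullmatch(c) for c in segs[1:]):
        raise ValueError("coordinates must be small integers")
    query = parse_qs(parts.query, keep_blank_values=True)
    # Exactly one key and no other parameters: nothing extra reaches the viewer.
    if set(query) != {KEY_PARAM} or len(query[KEY_PARAM]) != 1:
        raise ValueError("expected exactly one web key")
    key = query[KEY_PARAM][0].lower()
    if not UUID_RE.fullmatch(key):
        raise ValueError("web key is not UUID-shaped")
    return segs[0], tuple(int(c) for c in segs[1:]), key


def loggable(url):
    """Same URL with the key masked; the key is a login credential."""
    region, (x, y, z), _ = parse_login_url(url)
    path = f"{region.replace(' ', '%20')}/{x}/{y}/{z}"
    return f"secondlife:///{path}?{KEY_PARAM}=REDACTED"


# Constructed sample; the key is a made-up value.
SAMPLE = ("secondlife:///Da%20Boom/128/128/30"
          "?web_login_key=0f8fad5b-d9cb-469f-a165-70867728950e")

if __name__ == "__main__":
    print(parse_login_url(SAMPLE))
    print(loggable(SAMPLE))
```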
There are threads in the Second Life forums and at Nicholaz Beresford’s blog site http://nicholaz-beresford.blogspot.com/2007/09/secondlife-authentication.html and I assume there are probably many other places where this is already being discussed.
I think this will be a significant reduction in convenience for SL users while not being much of an increase in security, and possibly a reduction in real world security in some cases.
The Second Life wiki section on this topic is at https://wiki.secondlife.com/wiki/Viewer_Authentication .