VR + 2 step verification is poor combination.
MrDummy_NL
The reason: 2-factor security code is on your phone, but how can you look at it with VR headset on?
It's very akward to stare every time between phone and headset you just pulled off your head to watch phone code. You cannot look at phone while in VR. Desktop users have no problems, but VR users cannot do it fast, because there is also timer on code. For some people, it's even more work to put on properly headset on the head.
So i am thinking login FIRST in vrchat.com site, verify it with 2-factor code. This should lock your login automatically for next login, so you don't need login again in VRChat, because the ip address or session is registered.
This may also special timed login, so you have like 1 hour time to login VRChat before it's invalid.
It's even bad idea to log off btw in VRChat - because you need login and do 2-factor security step again. If you're in streaming while kicked off by server error or hacked client, you dont want let others see what you type there in login.... and yes, again put off your headset to look on phone.
This is why VR + 2 factor security login combination is not great, more stupid in use. There should better and easier solutions to login with VR without need grab your phone because the 2-factor code step. Login on website is simple solution to make it easier.
Another idea is special app on your phone to give login permission with click. For example Blizzard / Battle.net has this way to authorize the login by click and you don't need enter code.
Log In
MrSmuggy
OVR toolkit
Y
Yaki
I am a user of 2-factor. I see no problem to taking the headset off. The codes normally last I would guess about 45 second maybe 30. I would not want the two factor to last through logins mostly because in game, it logs me right in without it. I don’t have to use it every time I log into the game and I personally don’t mind using it every time on the website. My forethought is, if you want to get rid of the two factor, disable it and don’t use it. I see no problem with removing the headset when you have to do the occasional relog. I like having two factor for every login so I know my account has that extra security. I don’t want anything to happen that can add loopholes to what is meant to be the safest option for your account.
Toawa
IP Whitelist is a non-starter; it wouldn't work for those with dynamic IP. I think the fact that you have to take your headset off for a minute is not so much the issue; the issue is that you have to then put it back on in order to actually put in the code. This goes for passwords too. I think if you have to actually log in, there it should pop up a dialog box on the desktop that lets you put in the username/password/2FA (should be all in the same box, you know if you have a 2FA or not...) easily from the desktop instead of either having to put back on the headset, or having to type it out without the headset on and hope that the password/2FA box had focus (which half the time it didn't).
Maneki-Neko
install authy on PC
access desktop from inside vr
click the copy code button
solved?
hakanai
Maneki-Neko: Maybe if VRChat had a Paste button it would be easier. Or if it looked at the clipboard and automatically copied a 6-digit number if it was there?
HostileLogOut
Ip Whitelist wouldnt woke imo. 2 factor is the best security.
TheHeimZocker
i'm sorry but i disagree with this idea and this "issue" that you have to look on your phone, i use the VR a lot and looking on my phone doesn't take longer than 10 seconds, you can pull your VR with 1 hand up and the other hand you use to use the phone, where is the problem? 2-factor security is very important and usefull. If you just want that you log into the page in first than where is the reason for 2-factor security?
Elum
TheHeimZocker: Not everyone is you. This is a valid issue.
Y
Yaki
Elum: it’s really not it takes two seconds to read and memorize the code.
MrDummy_NL
TheHeimZocker: It's just the way to use it is not great, some people find it just akward and not easy. There should some better ways to complete 2FS first then put on the VR headset. That is more "friendly" use and you're quicker online. Even BEFORE you start streaming, which is very important part. Because if you start already streaming, and you must type login / 2FS step, you need switch to censor mode and type in.
Actually that goes also for when server kicked you out, or someone with hacked client kicked you out.
This can done outside VR, just looking on desktop screen. Not in VR screen (which is used for streaming).
And some headsets are bit hard to look on VR display due smaller FOV.
AlyCatVR
Yaki: I agree, this is more of a personal problem than a widespread issue.
Elum
Yaki: For you yes. Not for other people.
AlyCatVR
Elum: And this is a user-specific issue that not everyone uses. ¯\_(ツ)_/¯
Fusl
The idea of an IP whitelist is kinda a duplicate of https://feedback.vrchat.com/feature-requests/p/ip-whitelist-for-2-factor-authentication
MrDummy_NL
Fusl: IP Whitelist is not good if your IP changed sometimes. Login before on website should automatic whitelist ipaddress and you should login immediately with VR.