Google Will Automatically Enroll Users in Two-Factor Authentication Soon (pcworld.com) 150
Most security experts agree that two-factor authentication (2FA) is a critical part of securing your online accounts. Google agrees, but it's taking an extra step: It's going to automatically sign Google account holders up for two-factor accounts. From a report: In a way, Google sees two-factor authentication as a replacement for passwords, which Mark Risher, Google's director of product management for identity and user security, in a statement called "the single biggest threat to your online security." Because they're easy to steal and hard to remember, users will end up reusing passwords. If stolen, they can be used to unlock multiple user accounts, adding to the risk. Google already uses 2FA to secure accounts, but it's been optional until now. According to Risher, Google will start "automatically enrolling users in 2SV [what Google calls 2FA] if their accounts are appropriately configured." However, Google said that users would be given an opportunity to opt out, too.
What happens if someone loses their phone? (Score:5, Insightful)
If it's a bank asking for 2FA and I suddenly lose access, I can go in branch and get it fixed. Does Google offer a customer support in case this happens? That's what freaks me out the most about 2FA for everything. Instead of having me in control of which password I use for which website, and therefore limiting how much I lose if one gets hacked, now everything relies on a single point of failure which is my phone number. I'm not a security expert, so to me it just feels like I went from 25 points of failure to one. Am I freaking out for nothing?
Re: (Score:3, Informative)
Don't use SMS. Use Authy.
Re: (Score:3)
While I use Authy, it isn’t a sure thing if you lose your phone and backup device (taplet, laptop), which are often in the same location. Nor is my Yubikey with paper backup in a safe somewhere. As far as I am aware, there are no great 2-of-3 authentication options out there for general purpose use.
Re:What happens if someone loses their phone? (Score:4, Interesting)
I fscking can't stand to have to get a text EVERY time I log into something, read a code and punch it in.
I don't keep anything in google accounts that is worth that kinda security really....
2FA is a PITA, and I'd really rather reserve it for ONLY accounts that actually are important and need securing.
Re: (Score:2)
However, Google said that users would be given an opportunity to opt out, too.
(emphasis mine)
I often don't RTFA either, but hell, it's the LAST LINE of TFS!!
Re: (Score:2)
Yeah Authy backs itself up, but I still do worry about getting locked out of everything. Everything except my bank account, of course, since my bank is stuck in 1995.
Re:What happens if someone loses their phone? (Score:5, Insightful)
Never use a phone for 2FA if you can avoid it. Use Ubikey, SQRL, TOTP (Aegis, Authy, Google Authenticator), or some other FIDO. Heck, even an email with 2FA might be better than phone - smaller attack surface.
Re: What happens if someone loses their phone? (Score:2, Troll)
Seems most of those things aren't 2FA *at all*.
A physical device with physical tamper protection/detection and its own SoC, that accepts a storage device (something you have) with an encrypted key on it, and has a keypad and display to enter a password (something you know) to decrypt said key, to use it inside and *only* inside the device, to set it up as a tunneling router for secure messages... *THAT* would be 2FA.
Add some biometrics (something you are) *on top* and you got 3FA.
This current fake "2FA" tre
Re: (Score:2)
2FA is a safety net behind your password. As long as you've got control of your phone, you can thwart a password-only attack.
Re: (Score:2, Flamebait)
2FA exists for stupid people only - those who do not use strong and unique passwords for each account that they have and keep them very locked away and securely backed up in a good and Open Source password manager.
Because even a person that does the above, but does it online with a commercial and closed source password manager is a stupid person.
Re: (Score:3)
Do you also argue that passwords aren't what they claim, because they can be shoulder-surfed or brute-forced or reused?
SMS- and email-based 2FA do fail as 2FA because they rely on third-party message routing rather than checking something you have, but TOTP, FIDO and similar forms of 2FA are what they claim to be.
Re: (Score:3)
2FA is supposed to be something-you-have (which would have to be physically stolen) and something-you-know (which would have to be acquired via surveillance or interrogation). The difficulty of perpetrating two very different kinds of acquisition means that any breach is likely to require a significant investment of resources.
Anything based on a phone number currently *cannot* provide 2FA, because the phone number can be easily stolen using readily available public information about the target - which rend
Re: (Score:2)
Authy (Score:2)
Signal, Authy, etc. want my phone number still. :(
Re:What happens if someone loses their phone? (Score:4, Interesting)
I have two-factor auth on my personal Google account (which only gets used occasionally nowadays).
I've noticed that, lately, Google won't just default to the TOTP - they want me to use some other Google app. To use TOTP, I have to click through several prompts. Also, they keep wanting to put a cookie on my device so that two-factor won't be needed in the future.
Basically, it seems like Google is now trying to leverage two-factor auth for their own tracking purposes. Which is just like Google - pretend they're doing something good while actually doing something crappy underneath.
Google just wants your cell phone number (Score:4, Informative)
I tried to create a new gmail addy. Had to provide existing email addy for verification. Ok, fine. Used the emailed link and now they want a cell number as well? Now? I stopped at that point.
Google, Ebay etc do NOT need a cell phone number 'for my security'.
Re: (Score:2)
Yes, I am NOT giving google my Cell Phone Number. I guess good bye to gmail, nice knowing you.
The good news is, I now have a respectable looking dump email for sites that want a email
Re:Google just wants your cell phone number (Score:5, Funny)
867-5309
Re: (Score:2)
That only works if your name is Jenny.
Re: (Score:2)
Damn you, Tommy Tutone!!!
Re: (Score:2)
867-5309?
Re: (Score:2)
867-5309!
Re:What happens if someone loses their phone? (Score:5, Informative)
I only wish banks were are diligent with the 2FA as Google is. All of my credit unions use an SMS or a call for the second factor. Even the investment houses do the same. If you are forced to use SMS as a second factor, you would be much better off using Google Voice number as there is no sim card that can be swapped or hijacked.
Re: (Score:3)
You apparently do not know what TOTP is. TOTP is a Time-based One Time Password generated by an app that's implemented RFC 6238 - apps like OTP Auth or Google Authenticator.
Re: (Score:2)
Trusting an advertising company with known ties to the US government with everything, what could possibly go wrong?
Re: (Score:2)
Can you please how you were able to set that up? I'd like to find those several prompts for TOTP.
I use Google for business, and business means sharing accounts. Godforbid I hire three people that use the same "support" email account. I'd like both of them to use TOTP and not have three people woken up at night with alerts if one person wants to login.
Re: What happens if someone loses their phone? (Score:2)
Business does not mean sharing accounts. Setup forwarding, that's why they include it in your business plan.
Re:What happens if someone loses their phone? (Score:4, Informative)
If you are signed into your Google account on your phone it will default to that. You get a prompt asking if you are trying to log in. Very easy and quick.
As a backup you can use time based codes. You can also use a security key, or if you have a Pixel phone you can use that as a security key over Bluetooth. There are lots of options to choose from.
Re: (Score:3, Informative)
But that's even remotely now how it works when you're on your computer. Here's how that goes:
- I go to gmail.com
- I fill in my username, then my password
- I am then prompted to "open the gmail app on your iPhone" (why do I need my phone? I'm at my computer!)
- I select "Try another way"
- I am then presented with a list:
* Tap "yes" on your phone or tablet (again - why should I need a second device?)
* Get a verification code on Google Authenticator App (no, there's n
Re: (Score:2)
You don't have to use Google's authenticator app. You can use any that supports the TOTP standard. There seem to be a few on the app store for iPhone, maybe there is an open source one. On Android there are open source ones.
Using SMS risks your SIM being hijacked.
Re: (Score:3)
Yup, and as I mentioned - Bitwarden has support for TOTP built-in. If you wish, Bitwarden can even auto-fill the TOTP code into your clipboard after you've pasted the username and password.
Before I used Bitwarden, when my passwords were still in Apple's Keychain - I used an app called OTP Auth specifically for the TOTP codes.
Re: (Score:2)
My TOTP authenticator is simply four lines of code that I wrote myself. There is nothing difficult about TOTP nor any need to get an "app" written by some shady third-party.
Re: (Score:2)
If you log into your phone with a Google account then they know exactly who you are and where you are at all times - so 2FA becomes redundant at that point anyway.
Re: (Score:2)
Interestingly, I use TOTP (Google Authenticator, specifically) for two non-Google accounts, including access to my RAID box. It works fine. I'm not sure whether I want to try using it for Google, though, and risk having Big G find some creative new way of screwing it up.
Re: (Score:2)
Re: (Score:2)
This. From what I can tell the only proper way to do 2FA without exposing yourself to GSM hacks or loss of access via loss of a SIM card/application data is to use something like andOTP and back up the application's files so that you can transfer it to another phone or get codes via another similar application. Anything else and you're exposing yourself to at least one of those problems.
Re: (Score:2, Insightful)
This is the fake 2FA where if you get somebodies phone (the something you have part) then you can reset all their passwords (the something you know part.)
This is the virtue signaling version of regular old 1FA.
Re: (Score:2)
Re: (Score:3)
Except that you also need their phone password to do all that stuff, i.e. a second factor.
Re:What happens if someone loses their phone? (Score:4, Insightful)
It's probably more secure if you don't know how to make a password, and reuse passwords. In other words it will be more secure for the "average person". In aggregate it will reduce the amount of stolen accounts that Google has to deal with. (To the extent they deal with it at all... They do not have customer support, so trying to get any kind of dialogue with them usually involves a lawyer. I'm sure they'd like to cut down on those interactions.)
In the absolute sense, no it is not more secure. Not at all. The average smartphone has more holes than Swiss cheese, not to mention the SIM swapping attacks people can social-engineer on the carriers.
I'm pretty sure the calculation here is to make things easier for Google, and make it easier for the average idiot to not have to keep track of passwords. They probably did a study showing getting rid of passwords increases satisfaction or engagement by 1.1% or something. That's why you see Microsoft pushing "better" authentication systems now too.
Re: (Score:2)
No matter how good your password is, it can still be stolen by things like keyloggers or phishing sites.
The Google 2FA app can't be spoofed by phishing sites, BTW.
SIM swapping is easy to avoid, just don't have a recovery phone number on your account.
Re: (Score:2)
No matter how good your password is, it can still be stolen by things like keyloggers or phishing sites.
There are no protections that works against a compromised system no matter what you do.
A system compromised with a keylogger can also transmit entered verification codes to a third party so that they can access your account rather than yourself. They can fool you into thinking you are accessing your account while they are stealing anything of value from you. There are no limits to what can be done from a compromised system.
Passwords also can't be stolen via phishing sites when secure authentication is us
Re: (Score:3)
This has indeed been a problem. Had a developer's phone break and he was locked out of work accounts for several days until IT could sort things out. (things being naively put into the cloud means local IT can't just push a few buttons to fix things) Not sure what Luddites do, maybe demand that the company pay for their phone?
Apple nags me to add 2FA for my phone, which just seems... bizarre. Use a second phone to unlock my phone? Maybe they don't describe it well, maybe it means I can't get to my Appl
Re: (Score:3)
Why didn't IT just use the recovery codes they downloaded when they set up 2FA?
Re: (Score:2)
They're screwed. No humans are involved, so you lose everything. 2FA is crap, because the only way it works is if it's NFA where N > 2.
Unless you require a backup for recovery, 2FA is worse than a decent password.
Re: (Score:3)
Like you, I feel the need to balance the risk of getting locked out against the risk of account compromise. If a site does not offer recovery alternatives, I do not turn on MFA. Here are the options Google offers:
* prompt pops up on all mobile devices currently logged into your Google account.
* TOTP codes
* Voice or text message
* Backup codes that can be printed and put in your safe.
* Security Keys, such as Yubikey.
* Trusted devices (e.g. your home PC) that d
Just another way of... (Score:3, Insightful)
Re: Just another way of... (Score:2)
Re: (Score:3)
You don't need a phone number to use 2FA with Google.
Re: (Score:2)
Re: (Score:2)
It's extremely easy to use Authy or Microsoft Authenticator or any number of others with your Google account. It's fully supported and trivial to set up.
I've been using a few different apps over the years for TOTP, never had an issue. I haven't used Authy but all the others allow you to just scan a QR code off the screen, the exact same way you set to the Google app.
Re: (Score:2)
If you have an unmodified Android phone with a Google identity on it, then trust me - they have your phone number, IMEI number, email address, home address and know your exact location at all times. Don't kid yourself.
Re: (Score:3)
Google does not have my text phone number, and I have no plans to give it to them.
Same here, but start your planning exit. They already locked me out of family email account for refusing to provide my phone number. Protonmail is good alternative to Gmail. Start migrating before they get you over the barrel.
Re: (Score:2)
It's not just Google too. Many services want them like Signal, Authy, etc. :(
2FA does improve security ... (Score:3, Interesting)
but it lets Google ask for extra information that will go into what it knows about you and uses to sell more advertising.
Re: 2FA does improve security ... (Score:3)
If only it actually was 2FA.
(2FA by definition implies two *different* factors. Not one factor twice.)
Re: (Score:2)
If only it actually was 2FA.
(2FA by definition implies two *different* factors. Not one factor twice.)
How is your password the same factor as an authy code (or an SMS text)?
When done right, otherwise 2fa locks (Score:3)
Re: (Score:3)
Facebook? That's probably for the best in the long run. There are worse things ...
Probably hundreds of people here in Sweden have been locked out of PayPal for months now because PayPal didn't bother to implement verification of phone numbers before turning on 2FA and making it mandatory. And they don't man their phones to make it possible to change the phone number registered with PayPal.
People can't pay for things, they have money laying around in their accounts that they can't get to, and at the same ti
Re:When done right, otherwise 2fa locks (Score:4, Interesting)
I've locked myself out of it for months now.
I got rid of all my "fake friends" on Facebook as the New Year came and went, that left me with about 80 "real" friends and relatives. I PM'ed them all 7 days before closing my Facebook account, I gave them my mobile number and email address, and told them to come find me on Telegram if they want. (Yes, I know signal is better but more people seem to know Telegram so "small steps", as they say.) I got rid of WhatsApp at the same time.
I feel liberated and calmer as a result and have absolutely no need to go back to it after three months.
Get rid of that crap from your life, you won't regret it in the long term.
Re: (Score:2)
That's why I stopped using twitter. They locked my account, and if I wanted to unlock it, I'd have to give them my phone number.
Like, what? ByeeEEEE! lol
Re: (Score:2)
But at least nothing of value was lost.
I hate 2FA (Score:2)
All my passwords (at least the ones I care about) are unique and I manage all 415 logins with 1Password.
I find 2FA to be really annoying.
Re: (Score:3)
All my passwords (at least the ones I care about) are unique and I manage all 415 logins with 1Password. I find 2FA to be really annoying.
If you are already using 1password you can use it for the 2FA. It is a bit of a PITA, but the highlights are:
Set up 2FA as google demands. Then go in to add an "Authenticator app"
When it puts the QR code on your screen, click "Can't scan it" and it will give you the text version.
Then go into 1password and edit your entry for google.
Add a field for 1 time password, and enter the text from the QR code.
Save it , test it, and you are all good.
Don't forget to remove your phone number if you needed to ente
And what about accounts with multiple users? (Score:2)
Re: (Score:3)
You can actually share a TOTP QR code seed and it will then generate the same codes on multiple devices.
Decentralize 2FA please (Score:2)
Imo it's not good that second factor services seem to be concentrating in a small number of big vendors, such as Google, MS, Facebook. Just like it's not healthy for the Internet that other basic services like email, chat, social media have been concentrated. We should be able to work with smal
Re: (Score:3)
I mean, 2FA can be as simple as a TOTP code. See https://www.ietf.org/rfc/rfc62... [ietf.org]
This is a pretty popular approach and is inherently decentralized, there's no communication between the endpoint providing the code and anything else. It's just a machine generated shared secret that the two parties simplify to a code by doing hmac on the key and a coarse grained timestamp and simplifying to a numerical code.
Similarly, anything with a Yubikey is similar, the devices are inherently offline.
I think you mean au
Gmail? (Score:3)
Actually, I have 2 gmail accounts (1 for spam/marketing bs, 1 for real stuff). Am I gonna get 2 messages every 15 minutes?
Re: Gmail? (Score:2)
1. Why do you use GMail?
A vserver gets you that for literally $5 a.month. (I checked.) Unlimited number of mail adresses and mailboxes, obvioulsy. At least Amavisd spam filtering obviously.
2. Why do you use POP(3, hopefully) in 2021?
Something wrong with IMAP?
Re: (Score:2)
1. Why do you use GMail?
Um, it's free. It's neither connected to my job nor my ISP. And I've been doing it that way for maybe 20 years now, so those 2 are the email addy's everyone knows to contact me with. Never heard of vserver.
I like having my mail on my own system, not "in the cloud".
2. Why do you use POP(3, hopefully) in 2021? Something wrong with IMAP?
Actually, now that you jiggle my memory I think it may actually be IMAP.
I retired 10 years ago and haven't really kept up with stuff like this.
Re: Gmail? (Score:2)
Re: (Score:2)
Re: (Score:3)
I've got thunderbird configured to download my email from the Gmail POP server every 15 minutes. Are they going to text me a key every 15 minutes?
Check out App passwords: https://myaccount.google.com/a... [google.com]
It allows you to have a separate non-changing 16-character password for just thunderbird.
Wat? (Score:3)
Google has really lost the thread here.
In a way, Google sees two-factor authentication as a replacement for passwords, which Mark Risher, Google's director of product management for identity and user security, in a statement called "the single biggest threat to your online security."
A replacement for passwords you say. Guess what the first authentication factor is?? Goddamnit Google, stop being stupid.
Even more stupid is using SMS as the second factor, when SMS hijacking is already trivial. If Google wants to actually be helpful (ha!), they need to mandate secure enclave chips in all phones where the manufacturer has signed the Google services contract, and provide a dirt simple authenticator app with those services to use it properly.
But SMS and no password? Goddamnit Google, stop being stupid.
Re: (Score:2)
The replacement for passwords should probably be certificates. It's something you know, and if it's on your phone and locked then it's something you have. Or have a special dongle with the private key. But confusing to the layperson, so passwords aren't going to go away anytime soon.
Re: (Score:2)
Re: (Score:2)
Plug in your dongle. Well, if it's just email, and some megacorp has not tied your email to all your personal and financial information, then a password of 12345 is good enough for many people. Otherwise, just don't do this from a random computer. Or do it however you do SSH on a random computer (ie, you don't).
On your own computer you've generated a cert to be stored with the email service/ISP and your email is encrypted with your public key. Or if not desiring encrypted email, it still provide authent
Re: (Score:2)
As a hint: you're reading the words of a tech reporter talking about a conversation with someone focused on this topic. Assuming that "Google" is being stupid because of the words of a tech reporter, instead of the tech reporter either misunderstanding or miscommunicating, is a little odd.
There's a clear interpretation: Passwords suck. They are broken and insecure as used in practice. Sure, most of the alternate factors have their own downsides too, with SMS based OTP being notably even weaker against targe
You mean fake two-factor. (Score:2)
Aka 1. force them to give you their phone numbers and phone access and 2. block out all regular normal clients like IMAP clients without a full browser and JS and webGL and webEverything built in.
The computer is one factor.
The phone is another instance of that same type of factor. Not a new one. It adds no security. It only exists to feed Google's monopolism and attempt to kill everything non-web.
There ... (Score:2)
I just deleted my recovery email, so that I won't be enrolled into two-factor authentication.
Are you happy now, Google!?
Only one other factor? (Score:2)
One of the major problems with all these attempts to get people to 2FA is that they only allow one second factor. Facebook is a good example.
Google allows one Google Authenticator and SMS phone numbers - and SMS is not even a recommended form of 2FA today - so that is not great either.
When your sole second factor breaks, how do you replace it? You can hack it with Gauth by keeping the seed somewhere and initialising more than one Gauth instance from it, but you have to think of that when you sign up. And ho
Re: (Score:2)
Facebook also leaks all your personal information on the internet, so I'm not sure the password is the weakest link there.
Re: (Score:2)
Google Wants To Lock Out Third Party Apps (Score:3)
I only run Android on my mobile devices (three phones and one tablet) and all of them are now de-Googled and running LineageOS with no Google Apps.
I do still use Gmail and YouTube, on my mobile devices I use a third-party email app (either the one built in to LineageOS or one from the F-Droid store) and NewPipe for YouTube which allows me to view YouTube videos without logging in and hold local subscription lists.
It is becoming increasingly more difficult to connect third-party apps to Google Accounts. Every time you do so, you have to log into the Google account and turn on the setting to allow "untrusted" apps, which then lets you connect them. However, the setting then reverts back by itself. I foresee a near future where they will turn it off completely.
Google want you to use their approved apps with their services because then you cannot avoid the advertising and tracking. Everybody should be taking control of their privacy and getting off of Google completely now - forcing 2FA just forces you to use their apps.
Who remembers when Google's slogan was "Don't be evil"?
I've had it for a while even if I don't want too (Score:2)
Google makes it a pain to login when they don't recognize my device and I want to disable that "feature" but I don't see how
Re: (Score:3)
Also if you are traveling and say your old phone was destroyed how would log in? Only if you are lucky enough to have another device handy that has already logged in. With this how would you log in at all if your phone was unavailable. Its not like google provide a phone line to call to fix this.
This makes no sense. (Score:3, Insightful)
Sell more smart phones? (Score:3)
So, does this mean I will have to buy a stupid smart phone just to log in to my Gmail account on my powerful desktop computer?
I've already run in to these assholes wanting to "text" me for a login. I have been trying to log in to my old site specific youtube (now google) account - I only log in every year or two and this time it insisted that it "text" me to prove I was the owner, even though it already validated my password and e-mail address.(Just for shits I gave it my "landline" number, and it didn't do anything). I don't know if it is worth trying to call their support phone number.
There is nothing magical about "texting". It is not even secure. It just locks people in to toy smart phones.
Re: (Score:2)
So how will this work (Score:2)
If you don't have a smartphone... (Score:2)
I'll keep using my passwords thank you (Score:2)
Most sites are now using alternate forms of identifaction or 2nd factors as methods of forcing you give up your real identity. I don't trust the internet and I don't trust 99% of the services that I use on the internet to have my best interests at heart. I want to be able to use services anonymously. Services that do shit that take that option away from me make me less secure, not more even when they are using 2 factor like a texted code. I DONT WANT YOU TO FUCKING KNOW MY PHONE NUMBER. If my account gets h
2FA is great. Google's horrible implementation... (Score:3)
Do you have your Gmail account connected to your computer's general email app? Now try signing out of the account and reinstalling it in the app, as I happened to do yesterday for a neighbor having email trouble. The email app shunted me to Google's browser-based login to authenticate the account. After I entered the address and known-good password, it led me through a rabbit trail of five CATCHA screens, asking me to identify which fuzzy blobs were chimneys, cars, crosswalks, traffic lights, and boats. Then it had to "revalidate the browser" by asking several security questions she didn't remember setting up and then sending a 2FA code to the phone number in the Gmail account. Nothing happened, because the phone she had specified was a landline and there is no option to send a code by voice. I tried the link for "Other Ways To Verify" and that led to a blank dialog.
No more Gmail for her. Fortunately it wasn't her primary email account anyway.
Elderly people (Score:2)
Many elderly people can barely figure out how to log in with ONE factor. Many don't have smartphones at all. 2FA will essentially lock them out.
Re: (Score:2)
I have a couple of zombie accounts that forward mail to a main account. I lost the passwords to them years ago. I wonder if those will keep working, or if I'll have to get the passwords reset, log in, and set up 2FA with them.
Why would they stop forwarding? You don't log into them now, do you?
Re: (Score:2)
Any form of shared account is frowned upon in corporate environments because security auditors have a remit to be able to track the ownership and use of any account to a unique individual.
Whilst I accept that personal and home users probably do this all of the time, for email it's much better to create something like a mailing or distribution list so each user gets the same emails to their own accounts.
Re: (Score:2)
Shared accounts cause one major problem from a security perspective...
Let's pretend that person A and person B share an account that has automatic password expiry after 60 days. Person B logs in one day and is immediately forced to change the password on the account before being able to use it. Person A doesn't know this, tries to log in with the old password and locks the account out after around three invalid access attempts. Then it's a call to the help desk to get the account unlocked, it may have alrea
Re: (Score:2)
So what if your password never expires, for low security application, say Netflix. Why would you care if someone else especially a family member shares your account. In fact netflix specifically lets you set up profiles for different users under the same account.
Re: (Score:2)
What about a person who has more than one phone/device?