Google Is About To Turn On Two-Factor Authentication By Default For Millions of Users (theverge.com) 108
Google is reminding us that it will enable two-factor authentication for 150 million more accounts by the end of this year. The Verge reports: In 2018, Google said that only 10 percent of its active accounts were using two-factor authentication. It has been pushing, prodding, and encouraging people to enable the setting ever since. Another prong of the effort will require more than 2 million YouTube creators to turn on two-factor authentication to protect their channels from takeover. Google says it has partnered with organizations to give away more than 10,000 hardware security keys every year. Its push for two-factor has made the technology readily available on your phone whether you use Android or iPhone.
A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app. The password manager is also available on iOS, where Chrome can autofill logins for other apps. Google says that soon it will help you generate passwords for other apps, making things even more straightforward. Also coming soon is the ability to see all of your saved passwords directly from the Google app menu. Last but not least, Google is highlighting its Inactive Account Manager. This is a set of decisions to make about what happens to your account if you decide to stop using it or are no longer around and able to make those decisions.
MMG. (Score:2, Troll)
A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app.
There's a chill in the air.
Something you lose plus something you forget (Score:5, Interesting)
Re:Something you lose plus something you forget (Score:5, Insightful)
not everyone has a smart phone, old people have very hard time working them (as you'll all find out one day). Not everyone has smart phone bought in last two years to have current and supported OS. Not everyone has google play on their android phone (tens of millions of phones in asia like that)
So in short, google is once again trying to be a goodie-goodie and ram shit down people's throat that won't work for massive amount of populace.
Hubris (Score:4, Insightful)
not everyone has a smart phone, old people have very hard time working them (as you'll all find out one day). Not everyone has smart phone bought in last two years to have current and supported OS. Not everyone has google play on their android phone (tens of millions of phones in asia like that)
So in short, google is once again trying to be a goodie-goodie and ram shit down people's throat that won't work for massive amount of populace.
This.
Tech companies seem to think that everyone that uses their products are always going to be tech savvy, and hence can handle these complex security measures with ease.
And of course, Google has been the most arrogant of all of them, dictating where the industry is supposed to go (usually for Google's own benefit, instead of that of the entire industry) for over a decade now.
There's gonna be a lot of pain ahead for the "mere mortals" of tech.
Re: (Score:3)
Tech companies seem to think that everyone that uses their products are always going to be tech savvy, and hence can handle these complex security measures with ease.
It's not just that, they also think that the only reason anyone would ever use the Internet/a phone/laptop/whatever is to use the company's product. Because of this, they have the leeway to make their system arbitrarily complicated, hard to use, and incompatible, because nothing else exists and it won't matter if we impose some extra inconvenience on the user. Except for all the other systems whose vendors have also decided to make their stuff arbitrarily complicated, hard to use, and incompatible, with e
Re: (Score:2)
I've got to agree - Google's current username/password logon screens are awful UX. I hold maybe a half dozen google accounts for various organisations I work with, so every time I want to log on as X, I have to click through a pointless screen asking me to log on as Y. Then, weirdly after being forced to say I want to log on as Y, I'm able to change from Y to X, and maybe have to enter my password, or maybe not before I get to where I'm going. Multiple (relatively slow) screens to do the simplest thing - no
Re: (Score:3)
Tech companies seem to think that everyone that uses their products are always going to be tech savvy
I don't believe this is true. They want to lock them into the Google ecosystem.
Re: (Score:2)
Re:Something you lose plus something you forget (Score:5, Interesting)
Google will only enable it if the user has a smartphone and is signed into their Google account with it. In fact I think it has to be an Android phone, not sure if iPhone is supported.
If they can work a smartphone then they can use this. It's very simple, when you log in to Google on another device a full screen message appears on your phone with "yes, it was me" or "no, it's not me" buttons in green and red.
Re: (Score:2)
Except that doesn't help me, where I'm allowed to access some Google services through the very locked-down network at work, but I can't have a phone with a camera in it on site.
Re: (Score:2)
You can add multiple secondary factors. You're not limited to just a phone.
Re: (Score:2)
Well you can disable it if you really want to. Your situation is an outlier though, most people don't have that problem.
Re: (Score:2)
Re: (Score:2)
Well, I set my mum's phone up and she doesn't have issues with it.
Re: (Score:2)
Re: (Score:2)
Not only this - many people (me included) use prepaid phones where you could lose the phone number quite quickly if you forget to top-up.
Or use services like Sipgate's Satellite that comes without SMS.
Re: (Score:3)
Comment removed (Score:4, Insightful)
Re: (Score:2)
You're naive and ignorant, google in fact does sell your information. Stop being a shill for their evil. They do evil.
https://www.tampabay.com/news/... [tampabay.com].
Re: (Score:3)
That is also a big fear of mine. However, that isn't insurmountable:
* I keep the recovery codes printed out and in a fire-resistant security container.
* I have an iPod Touch which syncs recovery codes, and is normally kept with airplane mode on.
* I use a PW manager like BitWarden, Codebook, 1Password, SafeInCloud, or enPass which supports not just encrypted 2FA, but can sync to Mac, PC, or a smartphone.
* I keep a backup of keys on a hardware encrypted USB drive, inside a VeraCrypt container. The hardw
Re: (Score:3)
as well as a good SIMjacking resistant number for SMS recovery.
For services that only offer SMS codes, I use my VoIP number for those (for which the account itself has non-SMS TFA).
Re: (Score:3)
Re: (Score:3)
I use TOTP (aka Google Authenticator), and it's not so bad.
First of all, you can export all your secrets as a QR code. Just take a high-quality photo or screenshot of that code and print it out. Make sure you can re-import it into another device. Then lock it away somewhere safely.
Second, Google gives you ten emergency backup codes for if you lose your TOTP device. Print those out, lock them away safely. They're your way in if for some reason you lose your TOTP secrets.
Third, if you have a PC, yo
Re: (Score:2)
Third, if you have a PC, you can put your QR code photo on it and back it up as you normally would. That gives you extra protection.
If you're savvy enough to go that far, you should also know that it's likely not the most secure thing to do - any hacking of your computer (or its backups) to gain access reveals all your codes. Best to keep everything "offline" (printouts/locked away).
Re: (Score:2)
It's true that you shouldn't keep the TOTP codes unencrypted on your PC, but on the other hand, I'd guess my Android phone is about as vulnerable to hackers as my Linux PC, so... meh.
I do keep them on an encfs file system which affords some security from someone taking my computer away if it's powered off.
Re: (Score:3)
Really? I'm familiar with my linux machine and I think I would notice if something nefarious was going on there. I have a plethora of tools to analyze the system, etc. But on a phone? No chance. You do not really see the filesystem, the list of processes, the network traffic, the logs. On a mobile device you are intentionally kept in the dark with "we know better than you".
Re: (Score:3)
The problem is that 99.99% of the world's population doesn't want to take on a second job learning how to manage, and then actually managing, their 2FA infrastructure as you do. Shit, I work in IT and I don't want to have to go through all that crap, given that I manage dozens of systems each of which needs extensive plumbing and way too much effort to connect to every time I need to do something
There was a great study done a year or two back [citation needed] where Google rolled out 2FA internally. They
Re: (Score:2)
Hardware security keys that use USB / NFC / Bluetooth are way easier than typing 2FA codes. Almost no site supports that. Some still require only SMS. The problem with adoption is not how hard it is to do 2FA with one provider. It's the fragmentation.
Re: (Score:2)
Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link? (remove the phone number resp. the association of the android device with you)?
Searching for this information yields web pages that are out of date and nav
Re:Something you lose plus something you forget (Score:5, Informative)
Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link? (remove the phone number resp. the association of the android device with you)?
So, first, Google Authenticator does not require you to "link" your Google account with an Android account. The only software component on the Android device that knows anything about the account is the Google Authenticator app. It's a very simple app that does no network communication and in particular sends nothing to Google.
Or, if you don't want to use Google's TOTP app, there are many others. Any of them should work. The TOTP protocol is a standard (RFC 6238, I believe), and many implementations exist. There are apps for iOS, Windows, Mac and Linux that implement it as well, so you don't even have to use an Android device.
The best option, IMO, is to use a security key [google.com]. Set up a couple of them and keep one on your key ring and another stored in a safe place as a backup (also print out a set of backup codes and store those in a different safe place). If the cost of a couple of security keys seems high to you, keep in mind that you can use security key authentication (FIDO authentication, to be precise) with an increasing number of sites and systems, so this is an investment in your overall security, not just your Google account security.
Also, my suggestion is to set up multiple 2FA methods for your Google account. I use a set of security keys, the Google Authenticator app and a set of backup codes, with copies in my wallet and in my gun safe at home. I don't use SMS, not because I'm worried about giving my phone number to Google, but because SMS-based 2FA is not very secure. The reason for using multiple methods is that you don't want to get locked out of your account if your 2FA mechanism is lost or broken, so you want redundancy.
Full disclosure: I'm a Google employee. I work on Android security. But none of what I said above has anything to do with my employment; I'd say exactly the same if I worked somewhere else.
Re: (Score:2)
The Play Store description says "Version 5.10 may request access to" ... "have full network access" and "read Google service configuration" and others. Shrug.
Re: (Score:2)
Yes. I do have an application that I would prefer to use. But I was not able to find out how to initialize it. Because it seems that the only way how to get the initialization string or QR code is to use Google Authenticator. It would be nice if I could get the initialization string or QR code within the google account web pages via browser. I was not successful when searching for that.
That's the only way I've ever done it, through a web browser. https://account.google.com/ [google.com]
Here [authy.com] is the Authy app's guide to how to set Authy up to provide TOTPs for Google. The same flow should work with any TOTP app.
Re: (Score:2)
and I joined this thread with "Can you get TOTP initialization string/QR code without giving Google your phone number... ?"
Re: (Score:2)
Thank you for your patience. I appreciate that. But Authy's instructions say:
and I joined this thread with "Can you get TOTP initialization string/QR code without giving Google your phone number... ?"
Hmm. I thought there was a way that didn't require phone for setup. But certainly you can remove your number after it's set up (I have no phone numbers associated with my account), and you could even use someone else's number while setting it up. You only need it long enough to get one confirmation code, and it can be via voice so it doesn't have to be a mobile. My guess is that they want the phone number because that's a simple, reliable recovery option, in case something goes wrong while you're setting
Re: (Score:2)
Re: (Score:3)
Authy, Authy, Authy, Authy, Authy.
https://www.google.com.au/sear... [google.com.au]
https://authy.com/ [authy.com]
Re: (Score:2)
Re:Something you lose plus something you forget (Score:4, Insightful)
I just didn't want to give Google my phone number. They scraped it from somewhere and asked if I wanted to confirm it as my phone number for 2FA, which made me want to confirm it even less.
I've managed to de-Google my personal life but the work life isn't so easy. If they require 2FA I might make my boss buy me a work phone that's on the business account.
Re: Something you lose plus something you forget (Score:5, Informative)
This.
I'm using only anonymous / throw-away accounts to manage google stuff (i.e. the occasional Maps entry or a rating or two), but now that I've forgotten some passwords, google won't let me reset them without providing a phone number. I'm not going to do that, so... I guess I've successfully de-google-ized my life?... *shrug*
Re: (Score:2)
You don't have to. You can use TOTP or a hardware key for 2FA with Google.
Re: (Score:3)
A few days later.. in other news google has millions of accounts go dark and suddenly outlook.com gains millions of new customers...
You make something secure you make it harder to use... You make authentication harder, I have to tell you more about myself for you to accept my authentication...
If I don't want things to be hard to use, when you make it harder, as far as I'm concerned you "break" the product.
If I don't want to tell you more about me, eg what devices belong to me and are associated with me, and
Your phone prevents multiple identities (Score:5, Insightful)
I am terrified by two factor ID. I had to reset my phone. Lost my two factor ID synchronization, couldn't find some of my one-time passwords. So if someone who is relatively competent with technology (albeit shite at organizing) can't make this stuff work easily, I think we're going to see the greatest exodus from the Internet ever as people lose access to their accounts and realize they're not worth getting back.
Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.
The reason Google wants your phone is to prevent you from having multiple identities. If you have a single phone number, all your online identities are linked and your real ID can be effortlessly pierced using any of them.
YouTube now demands my phone number before I can log in, but I won't give it to them so my account is effectively unreachable. I can't even delete it.
I expect my GMail account will be next: no way to access without giving up my phone number.
None of these restrictions were in place when the accounts were opened, Google drew in the world with convenient and free services, then simply up and changed their terms of service afterwards.
The phrase "pray I don't alter it any further" comes to mind.
Re: (Score:2)
Re: (Score:2)
The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted.
No, not really. Yes, corporate lapses are a big problem, but passwords are not being decrypted en masse from competently run sites. They are stolen from sites that still store them in plaintext, or that don't use a salt, or that have some other kindergarten-level security issue.
The other half of the problem is poor security practices by individuals. People who use the same password everywhere. People who think their birthday, or their middle name makes a good password.
Both of these security risks are mi
Re:Your phone prevents multiple identities (Score:4, Interesting)
You can buy pre-activated SIM cards that can receive SMS on eBay for next to nothing. Very handy when you need a second or third account, or a disposable phone number just to satisfy some arbitrary requirement.
They only last about 6 months before being disabled due to lack of adding any credit to them, but they are so cheap it's not an issue.
Re: (Score:2)
The problem with that approach is that occasionally companies will send confirmation texts to the number as a "security" feature and if the number has expired you've lost your account. Or even worse if the number has been reassigned depending on how much info they send in the message.
Re: (Score:2)
I usually remove the number after I've signed up. If they don't allow that, oh well, I'll just make yet another new account.
Re: (Score:2)
Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.
So 2FA is bad because the vast majority of exposures are corporate hacks which expose people's passwords ... exactly the kind of thing 2FA can protect against?
Were you so desperate to write some anti-Google post that your braincells imploded?
Re:Your phone prevents multiple identities (Score:5, Informative)
Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.
That makes no sense.
Say someone steals the database, they have your username, password and phone number. They try to log in as you and it sends you an SMS. Game over, unless they also intend to clone your SIM card, by which point hopefully IT has noticed and reset your password anyway.
With Google, even if they do get in you get instantly notified of the breach in multiple ways. By default, and I'm not sure you can even change it, Google will send you an email and a notification on your phone(s) and other Android devices. I think if you have a phone number on file you might get an SMS too. You will very quickly notice what is happening and Google provides a one-click "it wasn't me" button that locks down your account and kicks the attacker out instantly.
Re: (Score:3)
Re: (Score:2)
Sign up for a VoIP DID for a few bucks and turn on SMS. Unlock the accounts with that number and set up an alternate 2FA method. Discontinue the phone number.
Re: (Score:2)
That's what I'm terrified of as well.
The main authentication apps generally don't support cloud storage or even a way to backup and restore the keys so lose it and you can lose access to your account.
I too had to replace my phone, but they wouldn't do an advance replacement, and I nearly forgot all about 2FA required to log in to work - all the accounts using SSO use 2FA tied to an app. To even log into the site to change it requires confirmation in the app!
The only good thing is that Office365 isn't tied i
Re: (Score:2)
If you are not organized enough to keep the recover codes handy (I have them in my main Keepass database, which I have on multiple devices and in backups so there is zero chance of me losing it) you can give them a phone number to send recovery codes to.
I prefer not to use phone numbers as they are less secure than other recovery methods, but they are great for people who are a bit less organized and still far better than not using 2FA.
You can also just print the recovery codes off and keep them at home, along
Re:Something you lose plus something you forget (Score:5, Insightful)
Poorly implemented MFA can be scary, because it can lock you out of your account until you get a hold of an admin to fix it (guess what: you can't reach a Google admin).
But, Google's MFA is not implemented poorly. It encourages you to create backup codes, every few months it ensures you have reviewed your alternate verification options, and similar. I have no fear of losing my account, even though I have been using MFA since it was first available.
That doesn't mean I trust Google, the corporation, to do the right thing. It just means that technically they have created a properly functioning feature that is safe, effective, secure, and... not idiot proof, but at least adjacent to that ideal.
Re: (Score:2)
The worry I have, particularly with Google, is if things break to the point where I would need to have something reset. The biggest problem is the dependence on mobile phones, which are vulnerable to loss, damage, and SIM hijacking. (I have a Tracfone for very occasional mobile access, but I don't live on it.) I don't want to be screwed if my "second factor" stops working. Or even worse, if some algorithm decides that I should be banned with no explanation, blocking multiple services all at once. Fortunatel
Re: (Score:1)
Get a yubikey. I set a couple of them up with my google account. One key I have with me, the other is in a safe. It supports near-field communications. When I blew out my android phone I bought another one. Fired it up, logged into Google, it asked for my yubikey, and man that was nice! Stuff came back onto the phone. It was great. I didn't get everything. Most of it came back to the point it wasn't a big deal. There is also no question it's me. Username, password, yubikey.
If we had a decrease of people on
Only 10% using it. For a damn good reason. (Score:4, Insightful)
TFA is garbage. The phone is just not trustworthy, damn thing might not even power up
Re: (Score:2)
I keep my TOTP secrets on my phone, my tablet and my PC. The odds of all of those going fubar at the same time are very remote. (And yes... I hacked together a program that lets me use my TOTP secrets from my PC, even though there's no official way to do that. The secrets are stored in an encrypted filesystem, though.)
Worst case, export your TOTP secrets as a QR code, take a screenshot, and print it out. Then you can re-import them into whatever new device you need.
Re: (Score:2)
There are plenty of desktop password managers that can run to give the secret as a string. Also you are still only 1 house fire or burglary from losing all your secrets unless you keep an off-site backup.
Re: (Score:2)
A password manager you have, plus the same device that you have! "two" factors, at least, for very large values of one factor.
Re:Only 10% using it. For a damn good reason. (Score:5, Interesting)
Re:Only 10% using it. For a damn good reason. (Score:5, Insightful)
Don't be dumb. You already carry a Google beacon with you everywhere you go. They already have this information.
Re: (Score:2)
Re: (Score:2)
Who said anything about accounts? You use maps? You use search? There's a nice shadow account with your name (or likely your phone number) out there already.
It's naïve to think that you aren't being tracked because you don't have an account on social media. Unless you have a smartphone with zero apps on it, you are being tracked.
Re: (Score:2)
Re: (Score:3)
Yes. It prevents spammers creating Gmail accounts, which means Gmail is widely trusted and messages sent from it are accepted by most servers as not being spammy.
It also means that the user has a way to recover if they lose their password.
If you are bothered by it you can get a disposable pre-activated SIM to sign up with for a buck on eBay. Once signed up you can remove the number from your Google account. Just be sure to download the recovery codes so you don't get locked out.
Obviously for spammers even a
Re: (Score:2)
You need to apply future tense to your first sentence.
Generic GMail accounts (that is, non-GSuite mailboxes that MX to gmail.com) are currently the AOL of email. In my org, so many scammy throw-away impersonation accounts are generated in the gmail.com domain that we've set up tagging rules to mark stuff from gmail.com as fully untrusted. Google may, or may not, choose to play whack-a-mole with these accounts, when reported to their abuse team.
Forcing new free gmail.com mailboxes to implement device-based M
Re: (Score:1)
"Force" is pretty much never a good thing, nor a good way to deal with new or existing customers.
Re: (Score:3)
The phone is just not trustworthy
Which is why you enable more than one second factor.
Re: (Score:3)
That's not how 2FA works or how this kind of security mechanism works.
The phone is something you have. It isn't impervious to attack, nothing is. Despite that it's a significant extra barrier that an attacker has to overcome.
The benefits far, far outweigh the minor downsides.
Re: (Score:1)
for you apparently.
But do you understand there are other people in the world capable of independent thought and that some of us have decided the downsides outweigh the supposed benefits, for us personally, or at least in some situations or use-cases? Not everything must be protected like fort knox.
Re: (Score:1)
The benefits far, far outweigh the minor downsides.
Not to me they don't. I want access to humans curating paper backups, or at least until there is sufficient demand for durable machines. Our frail little systems can be entirely wiped out by a stray cosmic ray (or even a small power surge), and boom, all payments stop.
I Wonder (Score:2)
Does Solar Winds have a password manager?
Two factor is almost always done *wrong* (Score:5, Interesting)
People can of course enter random passwords for these, but then it's not really 2 factor, it's dual-password, which means you need to somehow remember 2 different passwords - might as well combine them.
Often though your cell phone is the second factor. This is deeply troubling for several reasons:
Its real use is of course identifying a specific person with an account, not password protection - this makes your data more valuable.
It gives the company access to your cell phone number - and some have been caught selling that information to marketers.
Your phone can be stolen, leaving you unable to access your accounts - unless there is a backup - in which case the 2nd factor wasn't really needed anyway.
Re: (Score:3)
If the second factor is SMS, then yes... it's crap. If the second factor is TOTP (aka Google Authenticator), then Google doesn't need to know your phone number, and your phone doesn't even need to be Internet-connected to generate the TOTP codes. You can also back up your TOTP codes onto a hard-copy QR code and lock that away safely.
My bank trumpeted 2FA... via SMS or email. :( What a waste of time. I suggested TOTP but received a bland corporate response.
Re: (Score:3)
As I wrote above [slashdot.org]: Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link?
Re: Two factor is almost always done *wrong* (Score:2)
At least your bank does 2FA. Mine thinks it's still 1998.
Re: (Score:2)
Another big problem with stock security questions is a lot of people don't have answers for them, or there are many possible answers, or your answer will change over time or according to your mood. One site I was on had 10 question options to choose from, and none of them were applicable to my life -- they just assume you drove a car in high school, went to prom, have 2.5
Re: (Score:2)
Re: (Score:2)
Yeah - universal TOTP and/or FIDO and FIDO2 should be everywhere by now. The fact that people can't unify all 2FA in one place is killing adoption and forcing everyone to do SMS instead, which is a terrible idea.
The Beast wants more of your personal information (Score:5, Insightful)
Google just wants your phone number so they can match it with other information and confirm your identity. I specifically avoid giving my phone number out to attempt to avoid this.
I used to wonder why Google freaks out over their accounts. Then I realized those accounts are Google's property. It's not "my" account. They're how Google keeps track of us. Like a farmer keeping track of his livestock. This 2FA is nothing but a preventative injection of antibiotics. Only the sick need medicine.
Re: The Beast wants more of your personal informat (Score:2)
My phone is crap (Score:2)
Like almost all phones my phone sucks compared to a real computer, it might shit itself when I'm trying to use it for 2FA and then where will I be? Right and well fucked. Fuck your mandatory 2FA.
they turn it on for me months ago and I hate it... (Score:1)
if I wanted it I would have enabled it years ago
Screw Google and their broken (Score:3)
Re: (Score:2)
stuff. I already have 2 old gmail accounts I can't change the password on because the phone number is a landline. With no way to change any settings because I can get the text going to my landline to be allowed to change settings..
Google supports 2FA codes on land lines. There's an option to have the system call your phone and give you the code verbally, rather than via SMS.
In other words... (Score:2)
The power of the default (Score:2)
That's the power of the default. You can beg, plead and guilt people to do something you want to happen but if the default is for that thing not to happen then you're lucky if 10% of them ever do.
Translation -surrender your phone number to Google (Score:2)
Google have been harassing me to link my 16 year old gmail account to my phone number for randomly locking my account "for security reasons". All they achieved is to accelerate my migration to protonmail.
Yeah, no (Score:2)
Fuck 2FA and fuck the idiots who are making it mandatory.
and the store has no keys (Score:2)
https://store.google.com/confi... [google.com]
They are out of both their titan security keys to assist with this goal.
How to interpret this statement: (Score:1)
>> Google now says that it checks over a billion passwords a day via its built-in manager
I would use it, if it wasn't so broken (Score:1)
Basically the options that I had the last time I've tried to enable it for google stuff (which was a couple of months ago) was:
1) Either enable EVERY SINGLE android device that I own to serve as authenticator
2) GTFO
And, well, no thanks.
It's google... (Score:2)
Ever more (Score:2)
Ever more ways for me to be locked out of my accounts. Just one more reason why I insist on getting bills and bank statements in the paper mail.
Removed my cell phone from Google .... (Score:2)
I intentionally removed my cell phone from Google, so it cannot be used for 2FA.
Why? Very simple: a relative of mine got hacked twice using SIM swapping, where his phone provider gave his account to someone else who claimed they lost the SIM. Twice!
Basically, having a hackable device as the means of authentication is asking for trouble.
After it happened to him the second time, I removed my cell phone from my Google account.
Will see how things go though, if they mandate it ..
I don't own a smartphone, you assholes. (Score:2)
I don't own a smart phone. I just simply have no need for one.
Does this mean I won't be able to use my Gmail account any more? I remember I got that account back when they were doing "invites". I already got locked out of my old Youtube account (created before it used the google login), when they started requiring "texting" some code at login after any length of disuse.
2FA=SmartPhone? That seems to be what Google is trying to make people think. Is there no other way to do this?
Of course, Google's primary pr
Maybe you should take the hint google. (Score:1)
Could it be that 90% of people do not like or want 2FA?
I know I do not. I have been studiously avoiding and ignoring those "pushes" and "prods". If they force it, that could be what makes me abandon all google services completely.
2FA is a nice option for people that want it. But forcing it on everyone is a mistake.
Google doesn't have two-factor authentication. (Score:2)
They have "gimme your phone number so I can link it to your desktop account and whore that knowledge off to advertisers for more money" authentication.
It's not about security at all. Otherwise it would use two actually differing factors.
Re: (Score:1)