Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Google Security The Internet

Google Is About To Turn On Two-Factor Authentication By Default For Millions of Users (theverge.com) 108

Google is reminding us that it will enable two-factor authentication for 150 million more accounts by the end of this year. The Verge reports: In 2018, Google said that only 10 percent of its active accounts were using two-factor authentication. It has been pushing, prodding, and encouraging people to enable the setting ever since. Another prong of the effort will require more than 2 million YouTube creators to turn on two-factor authentication to protect their channels from takeover. Google says it has partnered with organizations to give away more than 10,000 hardware security keys every year. Its push for two-factor has made the technology readily available on your phone whether you use Android or iPhone.

A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app. The password manager is also available on iOS, where Chrome can autofill logins for other apps. Google says that soon it will help you generate passwords for other apps, making things even more straightforward. Also coming soon is the ability to see all of your saved passwords directly from the Google app menu. Last but not least, Google is highlighting its Inactive Account Manager. This is a set of decisions to make about what happens to your account if you decide to stop using it or are no longer around and able to make those decisions.

This discussion has been archived. No new comments can be posted.

Google Is About To Turn On Two-Factor Authentication By Default For Millions of Users

Comments Filter:
  • MMG. (Score:2, Troll)

    by Ostracus ( 1354233 )

    A tool that also helps users keep their accounts secure is using a password manager, and Google now says that it checks over a billion passwords a day via its built-in manager for Chrome, Android, and the Google app.

    There's a chill in the air.

  • by layabout ( 1576461 ) on Tuesday October 05, 2021 @08:39PM (#61865255)
    I am terrified by two factor ID. I had to reset my phone. Lost my two factor ID synchronization, couldn't find the some of my one-time passwords. So if someone who is relatively competent with technology (albeit shite at organizing) can't make this stuff work easily, I think we going to see the greatest exodus from the Internet ever as people lose access to their accounts and realized they're not worth getting back.
    • by iggymanz ( 596061 ) on Tuesday October 05, 2021 @08:45PM (#61865269)

      not everyone has a smart phone, old people have very hard time working them (as you'll all find out one day). Not everyone has smart phone bought in last two years to have current and supported OS. Not everyone has google play on their android phone (tens of millions of phones in asia like that)

      So in short, google is once against trying to be a goodie-goodie and ram shit down people's throat that won't work for massive amount of populace.

      • Hubris (Score:4, Insightful)

        by Sebby ( 238625 ) on Tuesday October 05, 2021 @09:04PM (#61865321)

        not everyone has a smart phone, old people have very hard time working them (as you'll all find out one day). Not everyone has smart phone bought in last two years to have current and supported OS. Not everyone has google play on their android phone (tens of millions of phones in asia like that)

        So in short, google is once against trying to be a goodie-goodie and ram shit down people's throat that won't work for massive amount of populace.

        This.

        Tech companies seem to think that everyone that uses their products are always going to be tech savvy, and hence can handle these complex security measures with ease.

        And of course, Google has been the most arrogant of all of them, dictating where the industry is supposed to go (usually for Google's own benefit, instead of that of the entire industry) for over a decade now.

        There's gonna be a lot of pain ahead for the "mere mortals" of tech.

        • Tech companies seem to think that everyone that uses their products are always going to be tech savvy, and hence can handle these complex security measures with ease.

          It's not just that, they also think that the only reason anyone would ever use the Internet/a phone/laptop/whatever is to use the company's product. Because of this, they have the leeway to make their system arbitrarily complicated, hard to use, and incompatible, because nothing else exists and it won't matter if we impose some extra inconvenience on the user. Except for all the other systems whose vendors have also decided to make their stuff arbitrarily complicated, hard to use, and incompatible, with e

          • I've got to agree - Google's current username/password logon screens are awful UX. I hold maybe a half dozen google accounts for various organisations I work with, so every time I want to log on as X, I have to click through a pointless screen asking me to log on as Y. Then, weirdly after being forced to say I want to log on as Y, I'm able to change from Y to X, and maybe have to enter my password, or maybe not before I get to where I'm going. Multiple (relatively slow) screens to do the simplest thing - no

        • Tech companies seem to think that everyone that uses their products are always going to be tech savvy

          I don't believe this is true. They want to lock them into the Google ecosystem.

        • by jhecht ( 143058 )
          One more pain in the ass from Google. They already think I am on a new machine every time my desktop crashes or Firefox updates. They think my email accounts are not being used when I'm feeding mail through a desktop email client that gives me much better control than Google's webmail. They warn me a new machine has used my account when I have my laptop in a new place, or use it after some minor change. The only thing they haven't done yet is sending an alert that I have to respond to in a few minutes when
      • by AmiMoJo ( 196126 ) on Wednesday October 06, 2021 @07:18AM (#61866027) Homepage Journal

        Google will only enable it if the user has a smartphone and is signed into their Google account with it. In fact I think it has to be an Android phone, not sure if iPhone is supported.

        If they can work a smartphone then they can use this. It's very simple, when you log in to Google on another device a full screen message appears on your phone with "yes, it was me" or "no, it's not me" buttons in green and red.

      • Note only this - many people (me included) use prepaid phones where you could lose the phone number quite quickly if you forget to top-up.

        Or use services like Sipgate's Satellite that comes without SMS.

        • 2FA doesn't require SMS - in fact SMS is not great for 2FA because phone number takeover is possible (the weak link is the port-out mechanism at your existing carrier - set a password on that if you can). Apps such as Google Authenticator, Authy, etc. are more secure. Hardware keys are another good option.
      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Wednesday October 06, 2021 @09:23AM (#61866273)
        Comment removed based on user account deletion
    • That is also a big fear of mine. However, that isn't insurmountable:

      * I keep the recovery codes printed out and in a fire-resistant security container.

      * I have an iPod Touch which syncs recovery codes, and is normally kept with airplane mode on.

      * I use a PW manager like BitWarden, Codebook, 1Password, SafeInCloud, or enPass which supports not just encrypted 2FA, but can sync to Mac, PC, or a smartphone.

      * I keep a backup of keys on a hardware encrypted USB drive, inside a VeraCrypt container. The hardw

      • by Sebby ( 238625 )

        as well as a good SIMjacking resistant number for SMS recovery.

        For services that only offer SMS codes, I use my VoIP number for those (for which the account itself has non-SMS TFA).

      • That's a LOT of work just to log into Gmail -- USPS is easier (and maybe faster). :-)
    • by dskoll ( 99328 )

      I use TOTP (aka Google Authenticator), and it's not so bad.

      First of all, you can export all your secrets as a QR code. Just take a high-quality photo or screenshot of that code and print it out. Make sure you can re-import it into another device. Then lock it away somewhere safely.

      Second, Google gives you ten emergency backup codes for if you lose your TOTP device. Print those out, lock them away safely. They're your way in if for some reason you lose your TOTP secrets.

      Third, if you have a PC, yo

      • by Sebby ( 238625 )

        Third, if you have a PC, you can put your QR code photo on it and back it up as you normally would. That gives you extra protection.

        If you're savvy enough to go that far, you should also know that it's likely not the most secure thing to do - any hacking of your computer (or its backups) to gain access reveals all your codes. Best to keep everything "offline" (printouts/locked away).

        • by dskoll ( 99328 )

          It's true that you shouldn't keep the TOTP codes unencrypted on your PC, but on the other hand, I'd guess my Android phone is about as vulnerable to hackers as my Linux PC, so... meh.

          I do keep them on an encfs file system which affords some security from someone taking my computer away if it's powered off.

          • by rastos1 ( 601318 )

            I'd guess my Android phone is about as vulnerable to hackers as my Linux PC, so... meh

            Really? I'm familiar with my linux machine and I think I would notice if something nefarious was going on there. I have a plethora of tools to analyze the system, etc. But on an phone? No chance. You do not really see the filesystem, the list of processes, the network traffic, the logs. On a mobile device you are intentionally kept in dark with "we know better then you".

      • The problem is that 99.99% of the world's population doesn't want to take on a second job learning how to manage, and then actually managing, their 2FA infrastructure as you do. Shit, I work in IT and I don't want to have to go through all that crap, given that I manage dozens of systems each of which needs extensive plumbing and way too much effort to connect to every time I need to do something

        There was a great study done a year or two back [citation needed] where Google rolled out 2FA internally. They

      • by rastos1 ( 601318 )

        I use TOTP (aka Google Authenticator), and it's not so bad.

        Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link? (remove the phone number resp. the association of the android device with you)?

        Searching for this information yields web pages that are out of date and nav

        • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday October 06, 2021 @09:12AM (#61866235) Journal

          I use TOTP (aka Google Authenticator), and it's not so bad.

          Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link? (remove the phone number resp. the association of the android device with you)?

          So, first, Google Authenticator does not require you to "link" your Google account with an Android account. The only software component on the Android device that knows anything about the account is the Google Authenticator app. It's a very simple app that does no network communication and in particular sends nothing to Google.

          Or, if you don't want to use Google's TOTP app, there are many others. Any of them should work. The TOTP protocol is a standard (RFC 6238, I believe), and many implementations exist. There are apps for iOS, Windows, Mac and Linux that implement it as well, so you don't even have to use an Android device.

          The best option, IMO, is to use a security key [google.com]. Set up a couple of them and keep one on your key ring and another stored in a safe place as a backup (also print out a set of backup codes and store those in a different safe place). If the cost of a couple of security keys seems high to you, keep in mind that you can use security key authentication (FIDO authentication, to be precise) with an increasing number of sites and systems, so this is an investment in your overall security, not just your Google account security.

          Also, my suggestion is to set up multiple 2FA methods for your Google account. I use a set of security keys, the Google Authenticator app and a set of backup codes, with copies in my wallet and in my gun safe at home. I don't use SMS, not because I'm worried about giving my phone number to Google, but because SMS-based 2FA is not very secure. The reason for using multiple methods is that you don't want to get locked out of your account if your 2FA mechanism is lost or broken, so you want redundancy.

          Full disclosure: I'm a Google employee. I work on Android security. But none of what I said above has anything to do with my employment; I'd say exactly the same if I worked somewhere else.

          • by rastos1 ( 601318 )

            So, first, Google Authenticator does not require you to "link" your Google account with an Android account. The only software component on the Android device that knows anything about the account is the Google Authenticator app. It's a very simple app that does no network communication and in particular sends nothing to Google.

            The Play Store description says "Version 5.10 may request access to" ... "have full network access" and "read Google service configuration" and others. Shrug.

            Or, if you don't want t

            • Yes. I do have an application that I would prefer to use. But I was not able to find out how to initialize it. Because it seems that the only way how to get the initialization string or QR code is to use Google Authenticator. It would be nice if I could get the initialization string or QR code within the google account web pages via browser. I was not successful when searching for that.

              That's the only way I've ever done it, through a web browser. https://account.google.com/ [google.com]

              Here [authy.com] is the Authy app's guide to how to use set Authy up to provide TOTPs for Google. The same flow should work with any TOTP app.

              • by rastos1 ( 601318 )
                Thank you for your patience. I appreciate that. But Authy's instructions say:

                On the next screen, Google asks you to set up your phone. Choose your country, and enter your phone number.

                and I joined this thread with "Can you get TOTP initialization string/QR code without giving Google your phone number... ?"

                • Thank you for your patience. I appreciate that. But Authy's instructions say:

                  On the next screen, Google asks you to set up your phone. Choose your country, and enter your phone number.

                  and I joined this thread with "Can you get TOTP initialization string/QR code without giving Google your phone number... ?"

                  Hmm. I thought there was a way that didn't require phone for setup. But certainly you can remove your number after it's set up (I have no phone numbers associated with my account), and you could even use someone else's number while setting it up. You only need it long enough to get once confirmation code, and it can be via voice so it doesn't have to be a mobile. My guess is that they want the phone number because that's a simple, reliable recovery option, in case something goes wrong while you're setting

    • Authy, Authy, Authy, Authy, Authy.

      https://www.google.com.au/sear... [google.com.au]

      https://authy.com/ [authy.com]

    • by RazorSharp ( 1418697 ) on Tuesday October 05, 2021 @09:44PM (#61865397)

      I just didn't want to give Google my phone number. They scraped it from somewhere and asked if I wanted to confirm it as my phone number for 2FA, which made me want to confirm it even less.

      I've managed to de-Google my personal life but the work life isn't so easy. If they require 2FA I might make my boss buy me a work phone that's on the business account.

    • by aqui ( 472334 )

      A few days later.. in other news google has millions of accounts go dark and suddenly outlook.com gains millions of new customers...

      You make something secure you make it harder to use... You make authentication harder, I have to tell you more about myself for you to accept my authentication...

      If I don't want things to be hard to use, when you make it harder, as far as I'm concerned you "break" the product.

      If I don't want to tell you more about me, eg what devices belong to me and are associated with me, and

    • by Okian Warrior ( 537106 ) on Tuesday October 05, 2021 @10:47PM (#61865531) Homepage Journal

      I am terrified by two factor ID. I had to reset my phone. Lost my two factor ID synchronization, couldn't find the some of my one-time passwords. So if someone who is relatively competent with technology (albeit shite at organizing) can't make this stuff work easily, I think we going to see the greatest exodus from the Internet ever as people lose access to their accounts and realized they're not worth getting back.

      Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.

      The reason Google wants your phone is to prevent you from having multiple identities. If you have a single phone number, all your online identities are linked and your real ID can be effortlessly pierced using any of them.

      YouTube now demands my phone number before I can log in, but I won't give it to them so my account is effectively unreachable. I can't even delete it.

      I expect my GMail account will be next: no way to access without giving up my phone number.

      None of these restrictions were in place when the accounts were opened, Google drew in the world with convenient and free services, then simply up and changed their terms of service afterwards.

      The phrase "pray I don't alter it any further" comes to mind.

      • by Ghiora ( 1004216 )
        Since you can use an app on the phone, windows or Linux for generating the 2FA numbers your claim about multiple identities is simply incorrect. 2FA helps avoid some one breaking in by guessing your password or using a leaked password..
      • The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted.

        No, not really. Yes, corporate lapses are a big problem, but passwords are not being decrypted en masse from competently run sites. They are stolen from sites that still store them in plaintext, or that don't use a salt, or that have some other kindergarden-level security issue.

        The other half of the problem is poor security practices by individuals. People who use the same password everywhere. People who think their birthday, or their middle name makes a good password.

        Both of these security risks are mi

      • by AmiMoJo ( 196126 ) on Wednesday October 06, 2021 @04:04AM (#61865805) Homepage Journal

        You can buy pre-activated SIM cards that can receive SMS on eBay for next to nothing. Very handy when you need a second or third account, or a disposable phone number just to satisfy some arbitrary requirement.

        They only last about 6 months before being disabled due to lack of adding any credit to them, but they are so cheap it's not an issue.

        • by Viol8 ( 599362 )

          The problem with that approach is that occasionally companies will send confirmation texts to the number as a "security" feature and if the number has expired you've lost your account. Or even worse if the number has been reassigned depending on how much info they send in the message.

          • by AmiMoJo ( 196126 )

            I usually remove the number after I've signed up. If they don't allow that, oh well, I'll just make yet another new account.

      • Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.

        So 2FA is bad because the vast majority of exposures are corporate hacks which expose people's passwords ... exactly the kind of thing 2FA can protect against?

        Were you so desperate to write some anti-Google post that your braincells imploded?

      • by AmiMoJo ( 196126 ) on Wednesday October 06, 2021 @07:24AM (#61866039) Homepage Journal

        Two-factor authentication using phone numbers doesn't make you more safe. The vast majority of security lapses are on the corporate end, with large databases being stolen and the passwords decrypted. There's no reason to believe that it won't happen to Google.

        That makes no sense.

        Say someone steals the database, they have your username, password and phone number. They try to log in as you and it sends you an SMS. Game over, unless they also intend to clone your SIM card, buy which point hopefully IT has noticed and reset your password anyway.

        With Google, even if they do get in you get instantly notified of the breech in multiple ways. By default, and I'm not sure you can even change it, Google will send you an email and a notification on your phone(s) and other Android devices. I think if you have a phone number on file you might get an SMS too. You will very quickly notice what is happening and Google provides a one-click "it wasn't me" button that locks down your account and kicks the attacker out instantly.

      • by sinij ( 911942 )
        Relevant information - if you use Chrome browser on Windows, Google is less likely to harass you with "security" prompts. When they get on my case, I spin up VM with Windows 10 OS and Chrome and they seem to temporarily back off. Try that.
      • Sign up for a VoIP DID for a few bucks and turn on SMS. Unlock the accounts with that number and set up an alternate 2FA method. Discontinue the phone number.

    • by tlhIngan ( 30335 )

      That's what I'm terrified of as well.

      The main authentication apps generally don't support cloud storage or even a way to backup and restore the keys so lose it and you can lose access to your account.

      I too had to replace my phone, but they wouldn't do an advance replacement, and I nearly forgot all about 2FA required to log in to work - all the accounts using SSO use 2FA tied to an app. To even log into the site to change it requires confirmation in the app!

      The only good thing is that Office365 isn't tied i

    • by AmiMoJo ( 196126 )

      If you are not organized enough to keep the recover codes handy (I have them in my main Keepass database, which I have on multiple devices and in backups so there is zero chance of me losing it) you can give them a phone number to send recovery codes to.

      I prefer not use phone numbers as they are less secure than other recovery methods, but they are great for people who are a bit less organized and still far better than not using 2FA.

      You can also just print the recovery codes off and keep them at home, along

    • by The Raven ( 30575 ) on Wednesday October 06, 2021 @08:59AM (#61866201) Homepage

      Poorly implemented MFA can be scary, because it can lock you out of your account until you get a hold of an admin to fix it (guess what: you can't reach a Google admin).

      But, Google's MFA is not implemented poorly. It encourages you to create backup codes, every few months it ensures you have reviewed your alternate verification options, and similar. I have no fear of losing my account, even though I have been using MFA since it was first available.

      That doesn't mean I trust Google, the corporation, to do the right thing. It just means that technically they have created a properly functioning feature that is safe, effective, secure, and... not idiot proof, but at least adjacent to that ideal.

    • by Megane ( 129182 )

      The worry I have, particularly with Google, is if things break to the point where I would need to have something reset. The biggest problem is the dependence on mobile phones, which are vulnerable to loss, damage, and SIM hijacking. (I have a Tracfone for very occasional mobile access, but I don't live on it.) I don't want to be screwed if my "second factor" stops working. Or even worse, if some algorithm decides that I should be banned with no explanation, blocking multiple services all at once. Fortunatel

    • by ebvwfbw ( 864834 )

      Get a yubikey. I set a couple of them up with my google account. One key I have with me, the other is in a safe. It supports near-field communications. When I blew out my android phone I bought another one. Fired it up, logged into Google, it asked for my yubikey, and man that was nice! Stuff came back onto the phone. It was great. I didn't get everything. Most of it came back to the point it wasn't a big deal. There is also no question it's me. Username, password, yubikey.

      If we had a decrease of people on

  • by fustakrakich ( 1673220 ) on Tuesday October 05, 2021 @08:44PM (#61865267) Journal

    TFA is garbage. The phone is just not trustworthy, damn thing might not even power up

    • by dskoll ( 99328 )

      I keep my TOTP secrets on my phone, my tablet and my PC. The odds of all of those going fubar at the same time are very remote. (And yes... I hacked together a program that lets me use my TOTP secrets from my PC, even though there's no official way to do that. The secrets are stored in an encrypted filesystem, though.)

      Worst case, export your TOTP secrets as a QR code, take a screenshot, and print it out. Then you can re-import them into whatever new device you need.

      • by flink ( 18449 )

        There are plenty of desktop password managers that can run to give. The secret as a string. Also you are still only 1 house fire or burglary from losing all your secrets unless you keep an off-site backup.

    • A password manager you have, plus the same device that you have! "two" factors, at least, for very large values of one factor.

    • by avandesande ( 143899 ) on Wednesday October 06, 2021 @12:00AM (#61865593) Journal
      It's not for security reasons, they want to link your google account(and all the data they have gathered) to a physical presence.
      • by thegarbz ( 1787294 ) on Wednesday October 06, 2021 @06:27AM (#61865961)

        Don't be dumb. You already carry a Google beacon with you everywhere you go. They already have this information.

        • Actually they don't. I have a 'smart phone' but I don't have it set up with any social media or email accounts. Nothing I do (and I suspect most people) needs my 24-7 attention.
          • Who said anything about accounts? You use maps? You use search? There's a nice shadow account with your name (or likely your phone number) out there already.

            It's naïve to think that you aren't being tracked because you don't have an account on social media. Unless you have a smartphone with zero apps on it, you are being tracked.

            • Agreed, but they won't be able to link it to my online presence unless I sign up for two factor authentication.
      • by AmiMoJo ( 196126 )

        Yes. It prevents spammers creating Gmail accounts, which means Gmail is widely trusted and messages sent from it are accepted by most servers as not being spammy.

        It also means that the user has a way to recover if they lose their password.

        If you are bothered by it you can get a disposable pre-activated SIM to sign up with for a buck on eBay. Once signed up you can remove the number from your Google account. Just be sure to download the recovery codes so you don't get locked out.

        Obviously for spammers even a

        • by ksw_92 ( 5249207 )

          You need to apply future tense to your first sentence.

          Generic GMail accounts (that is, non-GSuite mailboxes that MX to gmail.com) are currently the AOL of email. In my org, so many scammy throw-away impersonation accounts are generated in the gmail.com domain that we've set up tagging rules to mark stuff from gmail.com as fully untrusted. Google may, or may not, choose to play whack-a-mole with these accounts, when reported to their abuse team.

          Forcing new free gmail.com mailboxes to implement device-based M

          • by danda ( 11343 )

            "Force" is pretty much never a good thing, nor a good way to deal with new or existing customers.

    • The phone is just not trustworthy

      Which is why you enable more than one second factor.

    • by AmiMoJo ( 196126 )

      That's not how 2FA works or how this kind of security mechanism works.

      The phone is something you have. It isn't impervious to attack, nothing is. Despite that it's a significant extra barrier that an attacker has to overcome.

      The benefits far, far outweigh the minor downsides.

      • by danda ( 11343 )

        for you apparently.

        But do you understand there are other people in the world capable of independent thought and that some of us have decided the downsides outweigh the supposed benefits, for us personally, or at least in some situations or use-cases? Not everything must be protected like fort knox.

      • The benefits far, far outweigh the minor downsides.

        Not to me they don't. I want access to humans curating paper backups, or at least until there is sufficient demand for durable machines. Our frail little systems can be entirely wiped out by a stray cosmic ray (or even a small power surge), and boom, all payments stop.

  • Does Solar Winds have a password manager?

  • by joe_frisch ( 1366229 ) on Tuesday October 05, 2021 @09:24PM (#61865363)
    The classic questions "make of the car you drove in high school" are not only a matter of public record, but have very few likely answers.

    People can of course enter random passwords for these, but then its not really 2 factor, its dual-password, which means you need to somehow remember 2 different passwords - might as well combine them.

    Often though your cell phone is the second factor. This is deeply troubling for several reasons:

    Its real use is of course identifying a specific person with an account, not password protection - this makes your data more valuable.

    It gives the company access to your cell phone number - and some have been caught selling that information to marketers.

    Your phone can be stolen, leaving you unable to access your accounts - unless there is a backup - in which case the 2nd factor wasn't really needed anyway.
    • by dskoll ( 99328 )

      If the second factor is SMS, then yes... it's crap. If the second factor is TOTP (aka Google Authenticator), then Google doesn't need to know your phone number, and your phone doesn't even need to be Internet-connected to generate the TOTP codes. You can also back up your TOTP codes onto a hard-copy QR code and lock that away safely.

      My bank trumpeted 2FA... via SMS or email. :( What a waste of time. I suggested TOTP but received a bland corporate response.

      • by rastos1 ( 601318 )

        If the second factor is TOTP (aka Google Authenticator), then Google doesn't need to know your phone number, and your phone doesn't even need to be Internet-connected to generate the TOTP codes.

        As I wrote above [slashdot.org]: Can you get TOTP initialization string/QR code without giving Google your phone number or associating your Google account with an android device? I tried and was not successful. Also: if you give them your phone number or access to some android device, can you subsequently really break the link?

      • At least your bank does 2FA. Mine thinks it's still 1998.

    • The classic questions "make of the car you drove in high school" are not only a matter of public record, but have very few likely answers.

      Another big problem with stock security questions is a lot of people don't have answers for them, or there are many possible answers, or your answer will change over time or according to your mood. One site I was on had 10 question options to choose from, and none of them were applicable to my life -- they just assume you drove a car in high school, went to prom, have 2.5

      • by Megane ( 129182 )
        Yep, they tend to be oriented toward "normal" people, the kind with two kids, two cars, and two pets. Or the questions are about grade school, or your "first" something, much easier for the under-30 crowd that makes those questions, than for the over-50 crowd. I also had a case where an answer was honestly 3 characters, but anything less than 4 was rejected. "Security questions" are shit if you can't make up your own questions.
    • Yeah - universal TOTP and/or FIDO and FIDO2 should be everywhere by now. The fact that people can't unify all 2FA in one place is killing adoption and forcing everyone to do SMS instead, which is a terrible idea.

  • by DNS-and-BIND ( 461968 ) on Tuesday October 05, 2021 @09:28PM (#61865371) Homepage

    Google just wants your phone number so they can match it with other information and confirm your identity. I specifically avoid giving my phone number out to attempt to avoid this.

    I used to wonder why Google freaks out over their accounts. Then I realized those accounts are Google's property. It's not "my" account. They're how Google keeps track of us. Like a farmer keeping track of his livestock. This 2FA is nothing but a preventative injection of antibiotics. Only the sick need medicine.

    • It's just a bit of confirmation that they lack due to you not giving them your number, most of your Android using friends have happily synced their address book with Google, with your name and number. I'm not saying you're wrong, and I even agree, but that ship has sailed a long time ago. I was actually thinking of putting up a claim against Google, Facebook, etcetera, for asking people to give them their contact list, because I never gave my contacts the right to share my data. And you can't use Facebook (
  • Like almost all phones my phone sucks compared to a real computer, it might shit itself when I'm trying to use it for 2FA and then where will I be? Right and well fucked. Fuck your mandatory 2FA.

  • if I wanted it I would have enabled it years ago

  • by oldgraybeard ( 2939809 ) on Wednesday October 06, 2021 @12:56AM (#61865629)
    stuff. I already have 2 old gmail accounts I can't change the password on because the phone number is a landline. With no way to change any settings because I can get the text going to my landline to be allowed to change settings..
    • stuff. I already have 2 old gmail accounts I can't change the password on because the phone number is a landline. With no way to change any settings because I can get the text going to my landline to be allowed to change settings..

      Google supports 2FA codes on land lines. There's an option to have the system call your phone and give you the code verbally, rather than via SMS.

  • ...Google wants to harvest & track yet more of its users' phone numbers. This also makes it even more difficult to switch phone numbers, i.e. you have to remember & know how to change all the accounts you have that use 2fa & there's always the risk of forgetting to change one or more & getting locked out. What are Google doing to make their account access recovery process more useable/useful while ensuring the increased security that 2fa is supposed to bring?
  • In some countries, organ donation is opt-in. In some countries, it is opt-out. Guess which countries have an easier time finding donors for transplants.

    That's the power of the default. You can beg, plead and guilt people to do something you want to happen but if the default is for that thing not to happen then you're lucky if 10% of them ever do.

  • This isn't about security but enforcing the regime of invasive tracking.

    Google have been harassing me to link my 16 year old gmail account to my phone number for randomly locking my account "for security reasons". All they achieved is to accelerate my migration to protonmail.
  • The only options are Google branded only, insecure, or expensive.
    Fuck 2FA and fuck the idiots who are making is mandatory.
  • https://store.google.com/confi... [google.com]

    They are out of both their titan security keys to assist with this goal.

  • >> Google now says that it checks over a billion passwords a day via its built-in manager

  • Basically the options that I had the last time I've tried to enable it for google stuff (which was a couple of months ago) was:

    1) Either enable EVERY SINGLE android device that I own to serve as authenticator
    2) GTFO

    And, well, no thanks.

  • ... the purpose is probably to gather more private information about you and what you do.
  • Ever more ways for me to be locked out of my accounts. Just one more reason why I insist on getting bills and bank statements in the paper mail.

  • I intentionally removed my cell phone from Google, so it cannot be used for 2FA.

    Why? Very simple: a relative of mine got hacked twice using SIM swapping, where his phone provider gave his account to someone else who claimed they lost the SIM. Twice!

    Basically, having a hackable device as the means of authentication is asking for trouble.

    After it happened to him the second time, I removed my cell phone from my Google account.

    Will see how things go though, if they mandate it ..

  • I don't own a smart phone. I just simply have no need for one.

    Does this mean I won't be able to use my Gmail account any more? I remember I got that account back when they were doing "invites". I already got locked out of my old Youtube account (created before it used the google login), when they started requiring "texting" some code at login after any length of disuse.

    2FA=SmartPhone? That seems to be what Google is trying to make people think. Is there no other way to do this?

    Of course, Google's primary pr

  • Google said that only 10 percent of its active accounts were using two-factor authentication

    Could it be that 90% of people do not like or want 2FA?

    I know I do not. I have been studiously avoiding and ignoring those "pushes" and "prods". If they force it, that could be what makes me abandon all google services completely.

    2FA is a nice option for people that want it. But forcing it on everyone is a mistake.

  • They have "gimme your phone number so I can link it to your desktop account and whore that knowledge off to advertisers for more money" authentication.

    It's not about security at all. Otherwise it would use two actually differing factors.

  • Comment removed based on user account deletion

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...