
Google Security IT

Google To Eliminate SMS Authentication in Gmail, Implement QR Codes (forbes.com)

Google is preparing to abandon SMS verification codes for Gmail authentication in favor of QR codes, Gmail spokesperson Ross Richendrfer told Forbes. The move aims to address significant security vulnerabilities inherent in SMS-based verification while combating fraudulent exploitation of Google's messaging infrastructure, he said.

"Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication," Richendrfer said. The transition will target "rampant, global SMS abuse" that undermines security and enables criminal schemes. SMS verification currently serves dual purposes at Google: confirming user identity and preventing service abuse. However, these codes are vulnerable to phishing, dependent on carrier security practices, and frequently exploited in "traffic pumping" scams where fraudsters profit from artificially triggered SMS messages.

The forthcoming implementation will display QR codes that users scan with their phone cameras instead of entering six-digit codes. This approach eliminates shareable verification codes and reduces dependency on telecom carriers. The changes will roll out "over the next few months," the company said.

  • by Vidar Leathershod ( 41663 ) on Monday February 24, 2025 @09:49AM (#65191155)

    Pray I don't alter it any further.

    Having dealt with the fallout of people losing access to their accounts due to MFA, and not just from compromise, I am completely convinced that passkeys will result in the same. The whole system is completely ridiculous, and their whole claim of improved security has been demonstrated to be a fabrication.

    • by AmiMoJo ( 196126 ) on Monday February 24, 2025 @09:58AM (#65191191) Homepage Journal

      You seem to be a bit confused. This is for if you have 2FA set up on your account. One option is to use SMS as the second factor, but it's optional and there are much, much better options. You can use a security key (e.g. Yubikey or Google's own Titan keys), a pop-up message on your Android devices, or a time-based code (TOTP).

      SMS has poor security and sometimes doesn't work if you are abroad.

      Passkeys are a different thing. You can use them for MFA but usually they are used in addition to it for high security accounts. You can also use them to bypass logging in manually, or remove the need for cookies.

      As for Google's security, the simple fact is that they are the only major tech company offering extensive online services that hasn't been badly hacked. While individuals do get targeted, and they have had some data loss incidents, it's never been on a mass scale, a systematic failure that allowed an attacker to get into specific accounts without phishing or stealing keys. If there is only one thing that they are good at, it's security.

      • They're talking about when you DON'T have 2FA set up at all. Google one day decided that they still won't let you sign in with just your password. And then all the accounts with old phone numbers that never got updated suddenly became locked out. Devices that were authenticated continued to work but the user still couldn't get to the account settings to update the phone number.

        • by AmiMoJo ( 196126 )

          Which is why you should never have just a phone number as your only way of recovering an account. Google asks you to set up a recovery email address as well, and as I mentioned you can also download recovery codes, and tap "yes" on your Android device (enabled by default).

          So to get locked out you have to lose your old phone number, lose your old email address, opt out of Android notifications, and don't bother with the recovery codes. At that point, it's your own fault.

      • SMS has poor security and sometimes doesn't work if you are abroad.

        Is there another 2FA scheme that doesn't carry the risk that you may lose access to your accounts if you lose your phone?

        • Re: (Score:3, Insightful)

          Put your TOTP key in your password manager.

          Works good.

          Have an offline backup of your password manager datastore.

        • by AmiMoJo ( 196126 )

          Security key, ideally two of them. Keep one safe somewhere away from the other.

          You can also download backup codes that you can use to log in. Keep them in your password manager, or even print them and put them in a safe.

          You can also use a password manager that supports TOTP codes. Keepass can do it. Then you have a backup on your computers.

          • by flink ( 18449 )

            Security key, ideally two of them. Keep one safe somewhere away from the other.

            This is what has always kept me from adopting hardware security keys. There is no way to clone them, which means going through the registration ritual on every account multiple times. And if the second key is in a secure remote location like it's supposed to be that means the added hassle to travel to that location and check out the key every time I create a new account so I can register the backup key, plus a window of vulnerability while that key is checked out when I have both in my possession so I can

            • by AmiMoJo ( 196126 )

              You don't have to add both keys at the same time, you can wait until you get back to your other location before adding the second one.

              I use the recovery codes, they are easy to store in Keepass.

      • You seem to be a bit confused. This is for if you have 2FA set up on your account.

        MFA is either already mandatory for gmail or will soon be.

        One option is to use SMS as the second factor, but it's optional and there are much, much better options. You can use a security key (e.g. Yubikey or Google's own Titan keys), a pop-up message on your Android devices, or a time-based code (TOTP).

        SMS has poor security and sometimes doesn't work if you are abroad.

        SMS, TOTP, pop-up messages and authenticator apps offer no protection against verifier impersonation neither can these systems be judged on their individual merits without consideration of requirements for successful credential recovery. If you can simply bypass a factor by saying you forgot/lost it then the actual point of these systems is reducing administrative costs not improving security.

        While individuals do get targeted, and they have had some data loss incidents, it's never been on a mass scale, a systematic failure that allowed an attacker to get into specific accounts without phishing or stealing keys. If there is only one thing that they are good at, it's security.

        This is simply not the case, phishing attacks are a wides

        • by AmiMoJo ( 196126 )

          What I like about Google's solution is that they let you choose which options you want to use. So you can evaluate your own threat model and decide which suits you best.

          You can opt into enhanced security too, which locks it down even further. Of course the risk of getting locked out increases too.

    • by Viol8 ( 599362 ) on Monday February 24, 2025 @10:06AM (#65191235) Homepage

      Instead of just having the browser remember a password you enter once on each machine, you're probably going to have to register Every Bloody Device (as you can hardly copy private keys all over the place), so no more going to a cafe in some far flung place to check your email if you have no phone connection.

      • Google's actually pretty good about multiple 2FA options. You can have backup keys stored anywhere and everywhere and you can have OTP-based authenticators and physical keys all at the same time.

        They're bad about forcing specific rules but not being clear enough up front about how you'll get into your account when you only have one 2FA method and it's not available.

      • > as you can hardly copy private keys all over the place

        The upcoming Passkeys spec provides for portability.

        TOTP sync is just that, already.

      • How would SMS (the only thing that's going away) be any better "if you have no phone connection" ?!

        I don't see 2FA becoming mandatory (if you just want to go around entering your password, as single authentication method, into various cafe PCs), and from the existing 2FAs the vast majority are offline (TOTP, recovery codes, any kind of USB secure key, heck even passkeys between PC and phone over bluetooth don't need internet).

        • by Viol8 ( 599362 )

          "How would SMS (the only thing that's going away) be any better"

          SMS works over 2G, apps don't.

          • All the mentioned authentication schemes don't even need 2G. Additionally 2G is woefully insecure, particularly for authentication SMSes, never mind being more and more discontinued.

            • by Viol8 ( 599362 )

              It doesn't need to be secure for a 1 time code. If a criminal already has your login and password you're screwed anyway.

              • The account recovery is also tied to SMS, to the same number so nope, not a great idea to rely on 2G SMSes for anything.

            • by unrtst ( 777550 )

              Google's planned replacement for the SMS codes appears to require internet access. From TFA:
              “Specifically, instead of entering your number and receiving a 6-digit code, you’ll see a QR code being displayed, which you need to scan with the camera app on your phone.”

              QR codes aren't magic. There's just a string or number in there. Usually, it's a URL. Maybe it's meant to trigger some Google app on your phone? In either case, it likely needs to call home, cause that's the point.

          • And pre-sync'd TOTP generators (there's a pretty popular one called Google Authenticator that runs on your phone, and uses standards so the seed key can be imported in basically every password manager out there) don't require any internet at all. What's your point?

            • by Viol8 ( 599362 )

              I don't want to have to rely on a smartphone to read email on a PC, is my point.

              • A phone that can receive SMSes is a higher bar than a TOTP generator that can really run offline on anything (never mind phones, even watches, not even really smart watches but like Garmin watches or similar).

              • What about TOTP requires a smartphone? Do you not know how to use a web browser? Have you never seen a TOTP app on a desktop PC?

              • by unrtst ( 777550 )

                You can even do this on the command line.
                sudo apt install oathtool
                seed="your TOTP seed from the setup QR code"
                oathtool -b --totp "$seed"

                Or use any of a number of TOTP generators out there. There's just a secret number, a well defined algorithm (math), and the current time = TOTP code.
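                The "secret number + well defined algorithm + current time" description above is exactly RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from the poster, that implements the algorithm from the standard library so the relationship can be checked against the RFC's own published test secret (the ASCII string "12345678901234567890", base32-encoded, which is also the form `oathtool -b` consumes). The `verify_totp` helper is an assumed name showing the verifier side: a small drift window and a constant-time comparison, which is what a relying party like Gmail does with the code you type.

```python
import base64
import hashlib
import hmac
import struct
import time

# The public RFC 6238 test secret, base32-encoded. This is the standard's
# test vector, not anyone's real seed.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10**digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_base32_secret(secret_b32: str) -> bytes:
    """Authenticator apps usually show the seed without '=' padding; restore it."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, at_time: int, digits: int = 6, period: int = 30,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(decode_base32_secret(secret_b32), at_time // period, digits, digestmod)


def verify_totp(secret_b32: str, candidate: str, at_time: int,
                window: int = 1, period: int = 30) -> bool:
    """Verifier side (assumed helper): accept the current step and +/- `window`
    steps to absorb clock drift, and compare in constant time so the check
    does not leak how many leading digits matched."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, at_time + step * period, period=period)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Same thing `oathtool -b --totp "$seed"` prints for this seed right now.
    print(totp(RFC6238_SECRET_B32, int(time.time())))
```

Against the RFC 6238 Appendix B vectors, time 59 with 8 digits yields 94287082 and time 1111111109 yields 07081804; the 6-digit form simply keeps the low six of those digits. Nothing here talks to a network, which is the point made upthread: the only shared state is the seed and a reasonably correct clock.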

      • so no more going to a cafe in some far flung place to check your email if you have no phone connection.

        If you have no phone connection how was SMS going to work? If you have no phone connection there are multiple other options available including OTPs from Google. You really didn't think your post through.

      • by flink ( 18449 )

        Passkeys should not be the only 2nd factor associated with an account. For first login you should use TOTP or a hardware token (e.g. Yubikey). You then generate a passkey for that device and that becomes your login factor going forward on that device. For an untrusted public device, you just login with TOTP every time and forego the passkey.

    • by GuB-42 ( 2483988 )

      their whole claim of improved security has been demonstrated to be a fabrication

      I am curious about this. Do you have a link? Most, if not all studies I have seen indicate that those who use MFA see a big improvement in security compared to those who don't.
      Of course, cyber-criminals adapt, and they find workarounds, but everything seems to indicate that those who don't use MFA are much easier targets.

    • No one will lose access to their accounts due to this. Google accounts have always had several different options for 2FA. Heck I was still able to access my google account despite breaking my phone entirely (No QR code, no Authenticator, no SMS)

      Learn how 2FA works. If your system only accepts a single second factor then you've set it up wrong.

    • 2FA is a mess. I recently got 2 Yubi Keys, a spare just in case I lost 1. I tried to set it up, but google won't let me set up 2 passkeys, no, the second one has to be a FIDO2 security key, with a pin. No, I just want 2 that work the same so I can put one away and if I lose the first I can just use the other one. There is no way I will remember a secure pin in a few years unless I use something like my eftpos pin, and that is not happening.

      Also tried to set 2FA up on Firefox sync, I think I can do it but it requi

  • The problem (Score:3, Insightful)

    by stealth_finger ( 1809752 ) on Monday February 24, 2025 @09:54AM (#65191177)
    The problem is how do you scan a qr code on the phone you are using?
    • Re: (Score:3, Funny)

      It's easy ! Show the QR code on your screen, put your phone in front of a mirror, take a photo with the selfie camera, adjust the focus because it will be blurry, take a photo again, adjust luminosity, take another photo, frame properly, maybe it's too small now, or too big, ok it's done, hey wait was that QR code actually coming from a legitimate Google URL or did it come from a random webpage you were browsing, not sure, go back, check which app is showing the QR code, check the URL, go back again, oh it

      • Simple as that eh
      • I know you're joking, but there's an element of reality in this - at least in my case when I'm using a desktop setup.

        Get QR on phone then either

        locate a webcam I bought 15 or so years ago and try to get it to work or

        root around under my desk; find the laptop that's plugged into the big screen; move it without disconnecting any wires (screens, usb hub, speakers, ethernet, power; open it up; remove the covering from the camera; contort myself so that the camera and phone can see each other and finally hope

        • Or don't use the QR MFA and choose any of the other 4 or 5 options Google makes available to you, including a TOTP option that requires no internet connection or camera at all.

          Good lord.

      • Yes, yes! With the mirror you *always* carry with you on trips to the woods...

      • Mod parent funnier even though I can't remember if the encoding for QR codes allows for reflection...

        I did think of a new aspect of my favorite imaginary solution approach for the new monopoly problem. The pro-freedom anti-greedom taxation needs to detect monopoly profits to activate the higher tax rates. I thought of detection by two methods: Lack of customer choice and complaints from wannabe competitors. However a third detection method should involve the employees. Do they have any options to get jobs d

    • At least on my Android phone, I just tap and hold at the bottom of the screen to bring up the badly named "circle to search" feature. Then it will auto identify the QR code on the screen.

    • If you're on your phone you've never needed SMS for login in the first place. It would send you an authenticator notification or rely on the existing passkey stored on your device. This shouldn't affect anyone since the only time google sent SMSes to the phone device you had in your hand when using a google service was for the purposes of phone number confirmation when you register it as a 2FA token. SMSes were only used as an option when you weren't on your phone.

      Unless there's an edge case I wasn't aware

      • "an authenticator notification "

        How did I log into the authenticator?

        " the existing passkey stored on your device"

        How did I get the passkey on the device before I logged in?

        "SMSes were only used as an option when you weren't on your phone."

        How did I get the SMS if I wasn't on my phone?

    • With a folding phone, obviously.

  • well I for one welcome our QR-Code scanning underlings!

  • I can confirm that none of this makes any sense whatsoever.

    (and that I need an advil)
    • I can confirm that none of this makes any sense whatsoever. (and that I need an advil)

      Using SMS for 2FA is what makes no sense. It's time everyone should get rid of it.

      Sorry, can't help with the Advil.

      • by unrtst ( 777550 )

        Using SMS for 2FA is what makes no sense. It's time everyone should get rid of it.

        Though I agree SMS is a poor fit, shouldn't we be demanding more from our SMS providers? We give them a tiny message and a destination, and their job is to get it to the correct destination. If they can't reliably manage that, that's a problem! Maybe we should be yelling to get that fixed, and then we'd have something we could use.

        To say it another way, I think using SMS for 2FA DOES make a lot of sense, so long as you ignore the security issues. Otherwise, it'd be doing nearly everything we want from a 2nd fa

        • The problem is that you're delegating device/account security to a third party who doesn't really have any interest or motivation to provide it. SMS was never intended to be a secure channel for authentications, it just got used because it was available, without consultation with the entities that provide it. Demanding that mobile carriers securely manage SMS destination puts a lot of burden on them to develop and deploy mechanisms for strongly authenticating individuals, and for securely identifying devic

          • by unrtst ( 777550 )

            SMS wasn't intended for this, and SSN wasn't intended for a lot of things. Who cares about the intent?

            Demanding that mobile carriers securely manage SMS destination puts a lot of burden on them to develop and deploy mechanisms for strongly authenticating individuals, and for securely identifying devices.

            Firstly, so what? Let's do it. Second, neither of those are really needed. What is needed is for number portability to have some form of confirmation/security to it, shut down sim swapping options, and secure the SS7 network - all things we should want anyway. You don't need to strongly authenticate people - burner phones are perfectly fine for this purpose. You don't need to securely identify the device -

      • Using SMS for 2FA is what makes no sense. It's time everyone should get rid of it.

        Yeah, that was the first conundrum. But the whole 'making a senseless thing even more senseless' is when things became... painful.

  • by Viol8 ( 599362 ) on Monday February 24, 2025 @10:01AM (#65191201) Homepage

    Not everyone has a smartphone even today, particularly in poorer countries. Are they not going to be allowed to use Google's services?

    • Why do people think Google is eliminating all other MFA schemes in favor of this?

      Where does it say that?

      Hint: it doesn't. They are getting rid of the least secure and most annoying option. So use one that works for you, including TOTP. Don't even need a phone for that, just a password manager to hold the seed key and generate codes from a clock.

      • What other 2FA method doesn't require a smartphone?

      • by unrtst ( 777550 )

        Oh, great! The people that can't afford a smart phone just need to own a computer and use that. /s

        FWIW, yeah, I know they *could* just have a tiny USB key with their seed and password manager on it. Then they could use a public/shared computer and pull that up to get their code. But wouldn't the SMS option to a dumbphone be pretty handy in that situation? IE: maybe they should just dissuade people from using it, but still honor it?

  • by oldgraybeard ( 2939809 ) on Monday February 24, 2025 @10:09AM (#65191241)
    on my phone. Everyone will require QR codes so that you must install and keep their app on your phone so they can steal and sell your phone data.
    • by caseih ( 160668 )

      I have no idea how these google QR codes will end up working, but I have to scan codes quite often on my phone and I have no software installed for that. Only the stock camera app.

    • Spyware is the real reason.

    • QR codes are scannable by the default camera app on both Android and iOS so I really don't know what the fuck you're talking about here with "install and keep their app on your phone."

      Also, re: "so they can steal and sell your phone data" - you're the one granting them granular permissions on the device to your data. Deny it access. Also known as: learn to use the device's data security features if you are worried about data security.

    • by unrtst ( 777550 )

      Just FYI, you can get third party barcode and QR code scanners. I had one I liked much more on Android, but now I'm using "Scandit" on iOS. It's also handy for scanning all kinds of stuff and seeing what they hold. Insurance card, ID cards, address labels, QR codes, etc etc.. And, rather than flinging you off to the default web browser, you can actually inspect the payload first.

  • by rsilvergun ( 571051 ) on Monday February 24, 2025 @10:19AM (#65191271)
    They want to get rid of SMS, but not having any sort of desktop application you can use to get to codes is a problem, especially for any business using Gmail.

    If you're a business you don't necessarily want to give every one of your employees their own cell phone or tablet even and you don't necessarily want them using their own personal cell phones, especially if you have some employees that need to function in a secure environment like a server room with sensitive data.

    I am happy to see that these tend to use standard authenticator protocols so you could literally use any authenticator app or, if you really wanted to, write your own. I think there might be some desktop authenticator apps out there but they're very pricey because they are sold as part of larger security products and packages. There definitely isn't a free one that I would trust. I've come across a few Chrome extensions but I'd be a little scared to use those. Small Chrome extension vendors often get bought out by malware companies...
    • by EvilSS ( 557649 )

      They want to get rid of SMS, but not having any sort of desktop application you can use to get to codes is a problem, especially for any business using Gmail. If you're a business you don't necessarily want to give every one of your employees their own cell phone or tablet even and you don't necessarily want them using their own personal cell phones, especially if you have some employees that need to function in a secure environment like a server room with sensitive data.

      Ignoring how the employees with no phones would get their SMS codes to begin with, you can use pretty much any TOTP app for MFA for Google, and there is a whole selection of windows TOTP applications out there.

      • Hell, my TOTP app is on my watch. So much better than email or SMS MFA.
      • Sorry, should've pointed that out, but with SMS usually comes email as an option to receive the codes (and that option gets removed for the same reason).

        You're basically pushed into using some sort of external device (phone, tablet or even a dongle). That might be google trying to sell more devices though...
    • by flink ( 18449 )

      There are desktop based TOTP generators. Some are open source, including the CLI oathtool [github.com]. I think these QR codes are just meant to replace SMS for folks who haven't set up any second factor other than a phone number.

    • Google supports TOTP.

      There are many password managers that work in web browsers which also support TOTP.

      This has been a solved problem for like a decade. If you're a business that doesn't want to hand out mobile devices, instead hand out a license for 1password or similar for far cheaper, and know that you're also improving the security of every other password and secret in the organization at the same time.

      Or use Google Authenticator - a free standards-based app.

      There is a whole lot of fury over this, whe

  • by ugen ( 93902 ) on Monday February 24, 2025 @10:21AM (#65191283)

    So, no more access to Gmail unless you have the pre-authorized mandatory device. In particular, no access if/when that device is lost/dead battery/sold/malfunctioning. Def. no access if you are on a guest computer elsewhere. And, of course, since many other services will be tied to the email address and will send their respective authorization codes there - no access to any of those. A modern version of a king who went out at night incognito as a pauper, and then was locked out of his castle :/

    (Which is why my email is hosted with a private company that requires none of this bs)

    • Yes, you must have your pre-authorized mandatory device called "a web browser" just like the minimum requirement for using Gmail has always been. Web browsers are capable of showing you a TOTP code from your choice of storage mechanisms that can be offline, or "cloudy" as you prefer.

  • Six digits is security theater. The system should have a rate-limiting setup that blocks any logins for a period of time after a number of failures. In this way, a 2FA with perhaps only 10,000 possible codes would be quite adequate.

    • by GuB-42 ( 2483988 )

      On the scale of Google, it matters. Attackers won't try 10000 codes on the same account, they will be kicked out well before that. But they can try 10000 different accounts through a botnet and statistically, one of them will work, then, maybe retry every few hours. It will give the attackers a steady stream of accounts, and statistically, every account attacked this way will be hacked after a few years. You can't block logins for too long either because it would make for an easy denial-of-service attack.

      6 digi
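      The two posts above disagree about whether per-account lockout makes a 4-digit code "quite adequate". The following is an added example, not from either poster, that puts numbers on it: a per-account lockout (constructed policy, assumed names `PerAccountLockout` and `expected_compromised`) stops the single-account brute force, but the expected yield of spreading the same few guesses across many accounts scales with the number of accounts divided by the code space, which is the scale argument made in the reply.

```python
from collections import defaultdict


class PerAccountLockout:
    """Lock an account for `lockout_seconds` after `max_failures` consecutive bad
    codes. Constructed illustration of the policy proposed upthread; it is not
    Google's implementation."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, account: str, now: float) -> bool:
        return self._locked_until.get(account, 0) > now

    def record(self, account: str, success: bool, now: float) -> None:
        """Call after every code check. A success clears the counter; the Nth
        consecutive failure starts the lockout timer for that account only."""
        if success:
            self._failures[account] = 0
            self._locked_until.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0


def expected_compromised(digits: int, guesses_per_account: int, accounts: int) -> float:
    """Expected number of accounts hit when each of `accounts` accounts receives
    `guesses_per_account` distinct guesses while one code is valid. The lockout
    above caps guesses_per_account but does nothing about `accounts`."""
    guesses = min(guesses_per_account, 10 ** digits)
    return accounts * guesses / 10 ** digits


def lockout_cost_for_full_search(digits: int, max_failures: int, lockout_seconds: int) -> float:
    """Seconds needed to exhaust one account's code space under the lockout,
    ignoring the fact that a TOTP code rotates every 30 s (which only makes
    the single-account search worse for the attacker)."""
    rounds = 10 ** digits / max_failures
    return rounds * lockout_seconds


if __name__ == "__main__":
    policy = PerAccountLockout(max_failures=5, lockout_seconds=900)
    for _ in range(5):
        policy.record("alice@example.invalid", success=False, now=100.0)
    print("alice locked at t=100:", policy.is_locked("alice@example.invalid", 100.0))
    for digits in (4, 6):
        print(f"{digits} digits, 5 guesses each across 1,000,000 accounts:",
              expected_compromised(digits, 5, 1_000_000), "expected hits per code window")
```

With 5 guesses per account on a million accounts, a 4-digit code gives about 500 expected hits per code window against 5 for six digits; the per-account lockout is the same in both cases. That is why verifiers pair per-account lockout with per-source and global failure-rate monitoring, rather than relying on a short code plus a timer.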

  • I guess that I am too old to enjoy being tracked with QR Codes.
  • is Google itself.
    If I was that concerned about security on my (multiple) throw-away email accounts, I would use another provider, like Proton. Or get an in-house email server, like we used to do.

  • by darkain ( 749283 ) on Monday February 24, 2025 @11:51AM (#65191603) Homepage

    I run a non-profit organization that has a Google / Gmail account for storing our documents and handling email.

    "This approach eliminates shareable verification codes"

    They already disabled SMS for us a few months back. And now they're making shit even harder on us. They shifted us onto a system where it would ping one user's phone with a notification to accept a login, and we'd have to call that person ahead of time to let em know to accept a login request. We have multiple users who access and interact with our shared Google account. They're trying to go the Netflix route of "no shared accounts", but the difference is a shared Google account isn't about content consumption, oftentimes it's literally about a business entity existing and interacting with others.

    For the time being, I've purchased a number of Yubikeys and distributed them to the board of directors so they can retain access, but this has been a pain. We've had to also purchase adapters for Lightning for instance, so they can work on iPhones, not just desktops/laptops. What used to be a simple process of managing the account has become a total royal pain in the ass.

  • by smooth wombat ( 796938 ) on Monday February 24, 2025 @12:23PM (#65191727) Journal

    This harassment of needing to get a phone call or text message or whatever just to access your email needs to stop. It's a joke and provides no additional security since all of the above can be spoofed.

    My dad is now unable to access his email (not at Google) because the provider insists he is acting suspiciously by accessing his email from the same machine at the same location every single day. The phone call he's supposed to receive never happens. It just loops around

    There should never be a requirement you have to get a phone call/text/whatever to get into your account. The harassment must end.

  • by sarren1901 ( 5415506 ) on Monday February 24, 2025 @12:30PM (#65191741)

    From my understanding, the problem with SMS for MFA is the code is sent in clear text over the cellular network. That's obviously a weakness.

    With that said, an attacker still needs my login and password. To get this they would need to directly hack the website's db. As a user, I can't do anything about that. The only other way you are getting my login/password would be to possibly wiretap and break the encryption setup between the browser and the website. To do this, you would likely need to get me to install a compromised plugin for the browser or otherwise be able to directly see me type my login/password (shoulder surfing or maybe some kind of keylogger).

    The more likely scenario is you'd try phishing me for my credentials instead.

    Am I missing anything here? Sounds like you would have to REALLY target me as an individual to actually compromise my account, even with me using SMS for MFA. Yes, I realize you could sim clone but wouldn't this first require you steal my phone and break into that first? I'm seeing a lot of precursors here that must happen before you can exploit SMS MFA.

    Obviously it would be nice if all sites supported yubi-key or an authenticator app (though I've heard some of these have leaks as well). Not sure why more places, especially banks and government websites, don't require this.

    So sure, SMS isn't ideal but it's much better than zero MFA and if you don't reuse your credentials, that helps as well. I wish more places would let you set a custom login (very few allow this, they just want to use your email address for login.)

    Please, someone with more knowledge explain to me how my take is incorrect as I'm really not seeing the big fuss here.

  • While we're on the subject, I've been looking for a new email provider to replace my 30-year old account to no avail; can anyone recommend an email provider that:

    --Is non-free (requires a fee)
    --Has servers in the US
    --Accepts SMTP and POP
    --Has a web interface
    --Is not a FAANG company or similar (no Microsoft, for example)
