This is a cache of https://it.slashdot.org/story/24/05/06/1841237/google-is-changing-how-you-set-up-2fa. It is a snapshot of the page at 2024-05-07T01:13:11.659+0000.
Google is Changing How You Set Up 2FA - Slashdot


Google is streamlining the process of setting up two-factor authentication (2FA). From a report: Instead of entering your phone number first to enable 2FA, you can now add a "second step method" to your account such as an authenticator app or a hardware security key to get things set up. This should make it safer to turn on 2FA, as it lets you avoid using less secure SMS verification. You can choose to enter a time-based one-time passcode through apps like Google Authenticator, or you can follow the steps to link a hardware security key.

  • Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc. I'm an adult and should be allowed to have my accounts as secure or not as I please.

    • Was thinking the same thing.

      Don't force me to do 2FA....I have it on accounts that matter...but half the shit on the multiple gmail or other accounts is just crap I don't care that much about....they're often used to sign up for stuff to keep from giving my 'real' info....

      • by Anonymous Coward

        Don't force me to do 2FA....I have it on accounts that matter...but half the shit on the multiple gmail or other accounts is just crap I don't care that much about....they're often used to sign up for stuff to keep from giving my 'real' info....

        I'd be OK with this if accounts without 2FA were prevented from sending outbound emails.

        Right now a new gmail account has heavier spam filtering applied, which over time each sent email that isn't flagged as spam reduces a score value on the account.
        Long standing accounts that send a lot of email that isn't spam become "more trusted" in some ways vs others.
        For example a 10 year old account never flagged for anything, suddenly sending a URL with an IP to a contact, is not going to get flagged for that. A ne

      • I do 2FA on everything. My local NAS machines all have 2FA on their admin accounts, and I even use the PAM module as a protection for incoming SSH if a key isn't used.

        However, it all depends on the 2FA method.

        Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspe

        • Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspect site and the 2FA there, and now the site has access to the account. However, this can be worked around, and is not the fault of the protocol.

          I don't for the life of me understand why these hacks are allowed to persist or why people think systems that do nothing to prevent the world's #1 leading method of compromise should be deemed fit for purpose in 2024.

          PKI (private key) is the solution to what you have. Whether it is bidirectional authentication of the TLS channel or poorly reinventing the wheel (e.g. FIDO et al.)

          SAS + ZKP is the solution to what you know. Which Google et al. have of course universally failed to implement.

          All of this other shi

    • Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc.

      A lot of people don't realize that their primary email account is the key to pretty much every other account they have, because approximately all online accounts use email to secure their forgotten password reset flows.

      Personally, I treat my email account as my "crown jewel", the most important thing in my life to secure, since it's the key to everything else. Many of my financial accounts will, of course, send me a notification that my password is changed -- via email, to the same email account (some o

      • As you said, access to an email or device doesn't seem like a good user identification system. And the only way I can imagine one being supported is if it was forced to. You need a system used everywhere to be useful, but it won't be everywhere unless someone pays for it to be.

        Biometric (scan body parts) is the most logical to me. No it shouldn't be the only thing needed to suddenly perform an action, but it should be enough to identify a 'who' at the end of a wire. Or to exclude the possibility too.

        Why

        • by swillden ( 191260 ) <shawn-ds@willden.org> on Monday May 06, 2024 @04:57PM (#64452288) Journal

          Biometric (scan body parts) is the most logical to me.

          How do you ensure that a body part was actually scanned, rather than some bits being replayed? Biometrics provide very high security in attended contexts, e.g. where there's a security guard watching you present the body part to a scanner that is under the control of the entity who is trying to verify you. But when the scanning is done remotely, using scanning hardware that is under the control of the person being scanned, it really doesn't provide much security.

          Another problem with biometrics is that body parts can get lost or damaged, locking people out of stuff. Imagine being unable to pay your bills because you got a little cut on your finger.

          Biometrics have their place, they are valuable authentication tools, but they have serious limitations. They have to be combined with and backstopped by other authentication mechanisms.

          • IMHO, biometrics should be considered as "usernames". They identify the user. However, identification is not authentication. This is the same thing as typing "root" on a console, or "Administrator" on a DC. It means nothing until authentication via some other mechanism or mechanisms is complete.

            Fingerprint + device? Possible. This works for pretty much any and all phones.
            Fingerprint + PIN on a device? Definitely.
            Fingerprint + a YubiKey? Possibly.

            Ideally, combining something you are with something yo

            • IMHO, biometrics should be considered as "usernames".

              They're not usernames, nor are they passwords. They have very different security properties from both, and don't fit into the username/password model.

              The main difference from usernames is that usernames are not inherently bound to the person, but biometrics are. If I know your username, I can type it in and claim to be you. If I know your fingerprint, I cannot submit it to a proper fingerprint scanner (note that "proper" is carrying a lot of weight here). Said another way, in the context of a proper sca

      • The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getti

        • The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getting in those is small, barring a hack on the email provider's side.

          Yep. This is the way to treat your crown jewels, which is what your primary email address is. At least until we finally move away from passwords and therefore from password reset flows.

          That will, of course, create other problems :D

      • by tlhIngan ( 30335 )

        The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

        My bank requires it, which is inconvenient because I'd like to do a transfer, then realize my phone isn't near me and have to run to it in order to sign in using its 2FA system.

        The company I work for did it for Office365, which means if I need to log into Teams on the web, I have to run to my phone to authorize the login as well.

        But since I can't authorize another device, I'm stuck

        • The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

          You can copy your Google Authenticator token to other devices quite easily. Of course, the more places you put the seed secrets, the more opportunity there is for someone to steal them.

        • by flink ( 18449 )

          The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

          Almost every time you are asked to scan a QR code, there will be some fine print that says "having trouble scanning" or whatever. If you click that, you can usually get the raw TOTP key and then you can save it in a password manager and provision it in multiple places. The manager I use understands TOTP and even has a special field for it so it can generate codes wherever I am, be it work laptop, home pc, or phone.

          Of course this won't work if it is just a provisioning code for a proprietary app.

    • by Junta ( 36770 )

      Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.

      If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC6238 TOTP setups.

      • Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.

        If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC6238 TOTP setups.

        Google Authenticator is an RFC 6238 TOTP implementation, or you can use any other compliant implementation.

      • >"Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it."

        ^^^ THIS

        Just any standard TOTP app is all that is needed when it is done correctly. F*** any company trying to force me to give them my personal cell number, that is NOT GOING TO HAPPEN.

    • No you don't need any "app". The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.

      You could do just that even until now, but setting it up was more involved -- you first had to enable 2FA with an android phone (for which you could use an emulator), then add TOTP as an "extra" method, and finally remove the google account phone/emulator, leaving TOTP as the primary 2FA method.

      • The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.

        IMO it's better to use a TOTP app on your phone. Desktop OSes are significantly less secure than mobile OSes (though still better than SMS). But, yes, any RFC-compliant TOTP generator will work.

    • by kqs ( 1038910 )

      As always, the issue is that people who say this, also scream bloody murder when their accounts are hacked and complain that $COMPANY is insecure and needs to fix their security. Also that $COMPANY won't return access to their email accounts since $COMPANY has no good way to prove who the rightful owner is. And $COMPANY is terrible because they don't have huge banks of people in every country waiting by the phone to fix their hacked account problems.

      It's easy to say you'll take personal responsibility wh

    • I'm an adult and should be allowed to have my accounts as secure or not as I please.

      I see that someone else made an attempt at a car analogy using seatbelts, but I'd suggest that the better car analogy is drinking and driving: with both driving drunk and keeping your account in an insecure state, you're imposing a cost on the people around you when something goes wrong. In this case, your account is more likely to be "hacked" through no fault of the service provider (e.g. the email and password you use across every site got out via an unrelated site's leak). Even though it isn't their faul

    • This is another one of those things where previous actions of others causes inconvenience for many others. Because some drank 10 beers then got behind the wheel, now we can't even have 2 then drive. Because some had their life behind a password1234 email account we have 2FA.
    • >"Make it an option but don't force me to use some bloody app"

      The problem [presumably] is that it wasn't an option, they forced you to reveal and use your cell phone number. Many sites assume you can or will do that. I *never* allow that, simply because they *will* spam me.

      But I agree with you when it comes to some proprietary app. Either your system supports TOTP, or it is *broken*. TOTP means you can use ANY authenticator app you want, including things like FreeOTP+ [Haowen Ning] or Authenticator Pr

  • If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well? Seems like all this does is save the bad actor some time, since now they don't have to compromise a target's SIM first.

    • by Anonymous Coward

      I'm missing something - how is this more secure?
      If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well?

      No one mentioned more or less secure. The word chosen was "streamlined".
      This doesn't affect existing accounts* so wouldn't have any effect on making their security any different. This is for newly created accounts.

      It means I can enable MFA and choose the type of factor I want, say a FIDO token for example.

      Compare that to before where I had to enable MFA, give them my phone number, validate it, then add a third factor with my FIDO token, go back and attempt to remove the second factor that is my phone numbe

  • ... hire halfway competent computer people. That would work.
    • by kqs ( 1038910 )

      Who should hire competent computer people? The problem isn't the computer people, it's the random users who regularly get hacked because NOBODY is immune.

      The only thing you can be sure of is that people who proudly proclaim that they're too competent to be hacked, will be hacked.

    • ... hire halfway competent computer people. That would work.

      What, in your estimation, would these "competent computer people" do, exactly?

  • I have nothing Google, hence I will not be setting up 2FA with them. So no "changes" to that either.

  • Maybe I'm dumb, but if someone stole your phone and password can't they just install an authenticator app - using your phone number? How is this better than 2FA?
    • ... your phone and password ...

      Then, they have the keys to the kingdom: They can pretend to be you, anytime, anywhere. This is why the phone-unlock PIN exists. The idea is, (don't link all your online services to the one account, and) you enable 2FA before the phone is stolen. In the past, it was assumed having the phone in your sweaty palm was security enough but that thinking creates a bigger point-of-failure. Online services are slowly including not-the-phone authentication, such as TOTP or a physical security key.

  • They have multiple 2FA and MFA solutions and OAuth2, their shameless corruption of email authentication (that already has a zillion options) is one of the worst. It's web-authentication for non-web protocols and it's one of the dumbest things I've seen from them, yet they still act like they know WTF they are doing. Puh leeese. Google, go shut down some more parts of Google (hopefully your MFA/2FA parts) and piss off.
  • ... your phone number first ...

    Or a physical security key: Then, one can enable TOTP and optionally, delete the security key. Your phone number wasn't needed as much as Google wanted to link the account to a real person.

    It sounds as if the security key is not required anymore.

    On Windows/Linux, "KeePassXC" works as a TOTP authenticator and provides an in-software security key for Mozilla/Chrome browsers.

  • Does this mean Google no longer requires a mobile phone number to have a Google account? I had an old account I lost access to after Google changed the deal and demanded I give them my mobile number.
