29 comments

[ 3.6 ms ] story [ 66.2 ms ] thread
This is great news but your phone is still required for two-factor which is an easy attack vector with some social engineering with mobile carriers.
You can delete your phone number after enabling another kind of 2fa. Google will nag you about it but it is possible.

(I imagine someone at Google made sure this is possible and I thank them for it)

My rant with that is that the normal, regular user won't configure the fall-back solution. Nobody remembers to write down those numbers-and-codes; when they do, they don't keep it safe and leave the paper over the desk.

When you travel abroad, is out of battery, break your phone, etc, etc, you're 100% out of your digital life until you can overcome the 2FA limit. And this happens in the moments you need it most.

This is why I like authy because you can use it everywhere on most systems
I love Authy and used it for a ton of stuff, but some places started not supporting it. I'm looking at you coinbase. For some reason I have three 2FA apps on my phone now. I purposely didn't have 2FA setup on some accounts while I was living abroad because so many SMS based 2FA for sites don't support international numbers.
I'm just glad google caved allowing you to use authy. For a while they only allowed you to use their authenticator and I just hated it. I don't care how much integration went in with Android. Authy I can install on linux, windows, mac, android, and IOS. What is there not to love there?
I'm just glad google caved allowing you to use authy.

Why do you think they did this?

Do you think building Google Analytics into Authy had anything to do with it?

Repeat after me --- until proven otherwise, assume everything Google does has privacy invasion built into it. This includes "caving".

And because of Google's autocratic nature with zero support for personal users..this will result in a lot of nightmares.
(comment deleted)
2FA sucks for so many reasons. Privacy is destroyed and losing your phone is multiplied into an even bigger disaster.

But just say "no" to Google and a lot of the issue goes away.

> 2FA sucks for so many reasons. Privacy is destroyed and losing your phone is multiplied into an even bigger disaster.

How is privacy destroyed by using a well implemented 2FA solution? I understand TOTP standard supports generating tokens locally with no network access required.

How is privacy destroyed by using a well implemented 2FA solution?

Most 2FA; including Google, default to using your phone number or worse, access to your device from their software.

Post your phone number and I will show you how this destroys your privacy.

Exactly. And this goes beyond the company itself abusing your trust. There's a major data breach at a large company almost every month now. Unless absolutely necessary, never give any personally identifiable data to any company, because they will get hacked, and that info will end up on the net, where it can be abused.
OK but we're discussing Google, which users already trust with essentially all their data.
Good point. If you really understood or cared about privacy, you wouldn't be following the Google herd.

They probably already have all your personal info so why not verify it so they can be sure they have it right?

It's really what's best for your own protection. It's not like Google is "evil" or something. Mooo!

> 2FA sucks for so many reasons.

> Privacy is destroyed

How?

> and losing your phone is multiplied into an even bigger disaster

Not if you are using a U2F key instead of your phone as your second factor.

How?

Post your phone number and I will show you.

Not if you are using a U2F key instead of your phone as your second factor.

Same problem, different device. Phones and hardware keys are both easy to lose or break/destroy.

> Post your phone number and I will show you.

I know how posting a phone number destroys privacy.

What I want to know is how 2FA does. For which you have provided no explanation.

I know how posting a phone number destroys privacy.

From the article, Google "standard" 2FA uses your mobile device. So by your own admission, giving others (and particularly Google) your number or access to your phone destroys privacy.

Yeah, this is the conclusion that I'm coming to as well. It's better to just move on from Google and attempt to find alternatives to all their services.
That's why they give you recovery keys, and tell you to back up the private key (securely) on a different device if feasible. If you can't recover because you lost one device, you aren't even trying to follow basic practices in this security space.
And then your house burns down, or your backup account gets hacked.

People are bad enough with passwords. They'll be worse with recovery keys.

In other words, for 2FA to work properly, you have to do all the stuff you were neglecting before 2FA?

Otherwise, you'll have a bigger problem than ever before.

And this is called "progress"?

If its SMS we're all fucked. Cell carriers are not hardened against attack and nobody's life savings, communication, social life, etc should be wrapped up in their incompetence.
My bank mandated some “phone code” for a transaction; only problem was that it didn’t arrive. So I tried again and again. 20 minutes later, like 7 of the things arrived all at once on my phone. The bank locked my account for “suspicious activity”, and it could only be unlocked with a phone call. Then I call them, the minimum estimated wait is 50 minutes (oh, and the estimate got worse each time I tried later; and they are not open on Sundays). It ended up taking days to fix something caused by THEIR unreliable mechanism.

I also had an issue with an account that had a 2FA option but via an app that proved dangerous because I accidentally forgot about it when switching phone devices (same number) and just about locked up my entire account trying to get it working again.

If you mandate 2FA, it has to work and it has to leave the customer better off. If not, why bother?

Sounds like you need a new bank. Checking accounts are pretty cheap these days, why not switch?
But can I switch it off if I want? The article doesn't say.
Wasn't there a wave of articles just a few months ago about how it was time to give up on two-factor because phones/sims were too easy to hack, spoof etc? Regardless, the day a service or site (other than my bank) requires a phone or other physical device to be tied to my account is the day I stop using the service. It's a profoundly bad idea for so many reasons. Passwords are like democracy: the worst idea, except for all the others.