This hit me the other day. I dropped my phone and smashed both the screen and display making it essentially unusable. I needed to get into my email. I had no WiFi but I had access to an older phone with data. Tried to sign in on the other phone. It said I needed to confirm the login on my device, I obviously could not, it gave me an option saying 'can't access phone' so I clicked it, it took me to a page saying too bad sorry no signing in for you and that was it, I was locked out of email until I bought a new phone and set it up.
1. Add OTP to your account ("Google Authenticator", Lastpass, etc).
2. Remove phone number from account.
3. Enjoy not needing a phone ever again to login.
4. Might take a couple of days for (3) to stick, train the algorith by logging in a couple of times using OTP.
Your solution for not needing a phone to log in is to use Google Authenticator which is a phone app that would've been on the smashed phone?
I recently went through this exact scenario: Old phone broke. Bought a new one, restored backup. Guess which app doesn't restore its data from the old phone? Google Authenticator. Lost access to all my TOTP logins.
I've been bit by this before also. It's important to take the one time passcodes that Google provides seriously and keep a couple of them in your wallet.
That's already the case. If their algorithms decide that your activity is "unusual", they can disable your ability to login with literally no option to bypass it.
I've been getting this for years. This announcement doesn't seem like a major change to their overall policy, just a ramping up of the roadblocks for CGNAT and the like.
Rather than giving users options, Big Tech has decided to paternalistically kill passwords in favor of less convenient and less secure methods (my email is much less secure than my password store). Even from residential IPs, it's become the norm for banking websites to harass you with snake oil "2FA" every time you login. The only solution is to split up your online activities so you can conform to their demands with one VM/browser config, account for the extra annoyances as the price of using their services, and move as much activity as possible to freedom-respecting technologies.
Which of course is why those tech companies spent effort writing and advancing FIDO specs, and why I am able to login to my Goog/Facebook/MS accounts just perfectly damn fine using offline tools (pass, pass-otp).
Can we please stop spreading FUD because people here really getting their jimmies rustled at any extra steps (even though this forum is often rife with people falling for phishing attempts, repeatedly using GoDaddy, on and on, proving that they can't protect themeselves.)*
But maybe you could name a few tech companies besides Twitter who have implement 2FA you way you imply.
This is an old article. When it first was posted I strongly considered finally ditching Google forever. Of all the Google services, I only use gmail and then only for catching junk, spam, for Craigslist posts, and for bullshit account creations. I have two active junk gmail accounts.
I log in all the time, this morning included, and do it every time with a simple password. I have never been prompted for 2FA and there is no identifying info in my account or in the emails that it catches. The account names are even fake.
If I do end up prompted to set up 2FA I will simply delete the whole shitteroo and start over somewhere else with another fake name.
I'd like to make a humble appeal to you, dear Reader, that you consider if you are able to exist without Google services and the tradeoffs they entail.
This is not my opinion against 2FA, it is me using this moment of friction to ask a question most people are often too happy to ignore when things are going fine. Are you able to live without your captors or not?
I'm able to live without electricity but I'm not about to call the power company and have them cut my feed. There are folks who consider it some kind of incarceration to be beholden to the electricity provided by a power company; I respect them but I don't share their philosophy.
Depending on the situation it can be easy to cut yourself from the power company, but no one can create his own phone carrier regardless of the situation.
> Depending on the situation it can be easy to cut yourself from the power company
Unless the situation is "There is another power company right next door," I'll have to disagree.
If the claim is one can self-generate power, the analogy holds but not in the way, I think, the author means. Self-generation off-grid is a pain... Buy or build and maintain your own generators, your own storage, deal with impedance, deal with the risks of operating on high voltage, equipment breakdowns are yours and yours alone to repair, etc.
Similarly, I can self-host my own email, video, web servers, and possibly even build my own voice-activated assistants tuned perfectly to my specifications, sharing my data with nobody... But that's a lot of work when Google has provided all of that for me.
Yes, it’s immensely frustrating when a service doesn’t support proper 2FA or forces weak SMS as a backup to proper 2FA, undermining much of its value.
So while I support asking people to reconsider if they need a Google account, I would never recommend alternatives that lack 2FA and where possible, I refuse to use services that lack 2FA myself. Unfortunately there are still some categories like banking where TOTP, FIDO, etc is practically unheard of.
I'm continuously surprised how authoritarian some people are.
You consider something superior just because it works for you and therefore everyone should be forced to do as you, but you ignore what doesn't work for others (such as being tied to a phone).
GOOGLE is literally forcing people to use their products. Their entire business strategy is based around it, gobbling up or destroying every competitor, advertising and promoting their own services on search above others, illegally collaborating with other giant tech companies, and on and on. That's how monopolies work. That's the whole point.
They really want our phone numbers. I have a few throwaway accounts for subbing to sites that require log-in that I don't want connected to a phone. IF they brick my accounts, I'm just going to stop using Gmail and turn to Proton or something else.
Perhaps this changed now, but I had to set up a different 2FA method first (I used a U2F security key), then add OTP, and then it was possible to remove the U2F method.
After logging in with OTP once (I just keep the private key on my laptop in pass) you never seem to get asked to provide it again, but 2FA is nominally enabled.
"Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer’s USB port."
> The Google Authenticator app for Android, iPhone, or BlackBerry can generate verification codes. It even works when your device has no phone or data connectivity.
Yes, that was what I meant. The quoted passage didn't seem to include any TOTP app, including GA. Apparently they are supported, the info is just on another page.
Yeah, they don't really want you to do it. That kinda makes sense when you think about it; TOTP has a lot of friction compared to "just press the button on the device 99% of you already have linked to your account".
There's only 3 options (I'm on the panel), Google Prompt (requires a phone), security key, or text message/voice call (requires a phone). 2 out of 3 require you to attach a phone number and the last one requires a security key to be inserted every time you want to make throw away accounts via Gmail.
Yeah, true, all they really want is our phone no's so they can sell the numbers to spammers and completely render our phones useless, even for texting . . . fuck GOOGLE
Not being able to get to your account when you lose the phone; having to run extra software.
But also, frankly, I just don't trust Google to implement this correctly, given their track record. Google sure employs a lot of smart people, but the quality of their products and services is generally crap.
> Not being able to get to your account when you lose the phone
Really? There are scratch codes for that. Or you can use an app that backs up your TOTP key for you, like Authy. Or you can store your TOTP key manually. Or you can have multiple devices. Or...
> having to run extra software
Oh, come on. Are you really complaining about having to compute an HMAC?
> I just don't trust Google to implement this correctly, given their track record.
Huh? You do know "The day Google forgot to check passwords" was fictional?
So yeah, the additional problems this introduces do have workarounds. Still, the point remains: this adds new problems for no gain (for me).
As for the track record: we are talking about a company that can't properly implement basic password authentication, see my first comment. And no, I'm not interested for possible reasons/excuses why is it so; what matters is that it doesn't work _for me_.
Seems like a great opportunity for folk to reevaluate whether they need a Google account at all. I finally escaped in September, after first trying all the way back in 2011. Dragged my feet for so long until eventually just saying "fuck it" after a few glasses of wine, and even recorded a screen cap of the final GAFYD deletion.
For anyone attempting escape, rclone seems to be the only tool that supports exporting all Google Docs ever shared to the account. Google Takeout (or the equivalent GAFYD tool) worked for everything else
> Seems like a great opportunity for folk to reevaluate whether they need a Google account at all.
Yeah, but still pretty inconvenient. I migrated all my main stuff way from Google years ago, but I have a bunch of accounts I use as throwaways that will be a much bigger PITA to use.
Probably a little easier for me, I stopped adopting anything new from Google for personal use after the Reader episode. I still have access to some business accounts mostly for GCloud.
Why would 2FA of all things be the critical issue? Tech savvy people should understand and use hardware security keys at this point to be securing their cloud accounts in general.
Tech savvy people often discard browser cookies at every opportunity. Adding a 2FA step to every interaction with Google is a change in routine, and forced routine changes are a great time to break any harmful habit
As a tech savvy person, I used 2fa for all the corporate stuff I could and for some personal stuff too.
Now that I only have one phone, I've turned off 2FA as much as possible, because only one phone means when it breaks, I can't access my accounts, because I can't get to the 2FA tokens. No thanks.
I use Keepass with Strongbox and save the database file in iCloud. That way I have TOTP codes backed up, and I can share with others such as my spouse.
You didn't read any of those screens warning about you needing the backup codes? I do realize some services don't provide backup codes (which is insane), but when they don't I have found that they provide the codes you can manually type in to authenticator apps. With that, you can add the code in multiple places, like on your phone and also another computer with any totp app like authy or TOFU or whatever to have a 'backup'.
I keep my backup codes in a plain text files in a folder on my home NAS which is encrypted on disk, and backs up through rclone (with encryption) to backblaze every night. I'm about to configure up a second NAS for redundancy because 3 2 1.
Because my email account is that's linked to every other account and I can't afford to lose everything just because I've lost my phone (which has happened twice in the last two years, but recovered it both times).
You have many options including notifications in google apps, authenticator apps, text messages, hardware tokens, written backup codes. Not all of these rely on your phone so set them all up
So in other words dramatically increase the attack surface on my account.
Enabling SMS authentication for an account is a huge DOWNGRADE in security, not an increase. Cellular providers are infamously easy to socially engineer.
No… Well I guess if you were adding SMS as a 2fa option to your real 2fa would increase surface but that wouldn’t solve what the parent comment was saying. So yea don’t do that (but it’s better than just a password).
1)Password alone is weak. 2)Password and SMS 2fa better.
3)Password and real 2fa best. 4)Password, real 2fa, backup codes, basically just as good as best.
Google is only eliminating #1, and only requires 2fa when logging into a new device. I’m surprised HN folks are having a tough time grasping this one, in general it’s pushing people (I’d guess 90% of people would never opt into anything more than a regular password, including the parent) into #2 above.
Oh c'mon, even tech savvy people are just using email for email.
For me, I have to consider 2FA, or in the case of my son, who doesn't want a phone, a Yubikey or similar. I don't want to live with the additional management and potential disaster of 2FA blocking his access to his email account, which is currently his gateway to university.
At work I have 2FA, but there's a whole IT/IS team to manage and unblock things (which happens, co-workers get blocked out of their email accounts regularly).
Personally, I'm hoping to convince my domain cohorts (family) to move to Protonmail or similar.
> For me, I have to consider 2FA, or in the case of my son, who doesn't want a phone, a Yubikey or similar. I don't want to live with the additional management and potential disaster of 2FA blocking his access to his email account, which is currently his gateway to university.
This is a good point: For many people, passwords are already too much of a hassle. 2FA is going to be just more hassle. I manage all the passwords for everyone in my family, because they just can't manage to remember theirs (even simple ones like hunter2), and they don't want to use a password manager themselves. I'm sure ours is not the only family in the world who does this. So, the burden falls on me to keep their passwords stored and secure, and tell it to them when they need it. Now add 2FA onto that pile and it's just going to be more of a hassle for me.
> Why would 2FA of all things be the critical issue? Tech savvy people should understand and use hardware security keys at this point to be securing their cloud accounts in general.
Yeah, sure, should be.
Meanwhile I've yet to actually see one in the wild, in a 20 year career, aside from one that's used on a server I know of.
Coworkers at small tech companies? Nope. Serious-business clients coming into the office? Don't see them busting out the USB stick and plugging it in to their laptops. Medium-sized tech companies? Nope.
Hell, I'd hate it even worse than phone 2fa. I lose my actual keys all the damn time. 80% of all remote controls in our house are, at any given time, vanished to some other dimension, because I have kids. The last thing I need is another tiny, super-important physical thing to lose. The only reason a cell phone is a useful object to me, and not another annoying thing I can never find, is because of "Find My".
- Run it yourself: And get eaten alive by third party anti-spam products. Maintaining a mail server is a full time job.
- Move to another large corporation (e.g. Apple, Microsoft, et al). What have you solved exactly?
- Move to a small mail provider and hope they don't go under (and you lose your x year old email address associated with tons of stuff) or have security issues because they didn't/couldn't afford the expertise.
The "least bad" option right now just seems to be to spread yourself around, so you're not too invested in any one vendor (in particular in case they ban you randomly for reasons they won't disclose or discuss).
D) go with any vendor but use your own domain. That way if you get randomly banned or they go under you still have the address, and it mostly solves issues with deliverability/being spam filtered.
> Move to a small mail provider and hope they don't go under (and you lose your x year old email address associated with tons of stuff) or have security issues because they didn't/couldn't afford the expertise.
You can also just use an email client that downloads the emails you get, and then point your MX-records to another provider if and when your provider goes belly up.
> The "least bad" option right now just seems to be to spread yourself around
Sounds about right. For e-mail I'm using SES for outbound on my domain, and.. of all things.. Yandex Mail for inbound. SES doesn't seem to have any problem with spam filters, Yandex OTOH, it's definitely a temporary solution, I'm only using it for POP3, but their webmail is also fairly cute. Yandex outbound is treated as spam by basically everything except Yandex
2. Use a small-ish mail provider that supports IMAP, etc.
3. Store all your emails/folders on a device (laptop, whatever). This way if the provider locks you out or goes under, it's easy to switch to another.
Has worked since what, the 80's? Personally been doing this since before Gmail existed. Ironically I chose this route precisely because the major providers (Yahoo, etc) were too unreliable for me - I had lost accounts multiple times because some of the (then) top mail providers decided to get out of the mail business and/or regressed their featureset so much that it hurt.
Of all the Internet services, this is the easiest one for someone to own.
Been using google prompt 2-step since they first started offering it a while back. Gotta say its the most painless 2-factor authentication of any account I actively use. Although its a bit clunky to have to open gmail on an iphone to get the prompt when I'm not dailying an android phone for testing reasons.
You don't need a mobile phone for TOTP -- you can do it from a shell script and openssl. Many security keys support storing TOTP built in, and Google also supports the various security key protocols (FIDO2 I think is the current version?)
I should point out that FIDO2 allows sites to require that visitors use a device from a specific whitelist of devices.[0] Google has already tightened the requirements by mandating 2FA, so don't be surprised when they start blocking "insecure" factors like shell scripts.
It probably wouldn't go down well if Google required an Android device to provide the second factor, but I could definitely see them requiring a device which does biometric verification of the user. That's a pretty good way of connecting online activity to a specific human (assuming the attacker can gain physical access to your authentication device, and has a model of your fingerprint/face, which governments increasingly do have).
Multiple still tie user to specific devices. It will not work on a friends machine (unless user memorises the shared secret used for hashes).
TOTP is essentially a glorified password (which is the shared secret), only so long that the user presumably does not remember it, so it is taken as a representation of a trusted device access. TOTP / HOTP are close to manual CHAP.
I don't feel two passwords (the real password and TOTP shared secret) are better than one.
How do I set up TOTP with Google? As far as I can tell, you first have to give them a mobile phone number and configure 2FA with that. Once it is configured, you can then change it to TOTP and remove your phone number. But I don't want to give Google my phone number in the first place.
They don't think the phone represents you. But the combination of proving you know the password and that you have physical access to a trusted device increases the confidence that it's you by a lot.
Depending on the form of second factor you use, it can stop phishing attacks (and don't say you'll never fall for one, anyone can make a mistake). The "send a notification" option for 2FA gives you information about where the login request is coming from, which is a chance to check that someone isn't sitting in the middle of login process. And something like WebAuthn makes phishing impossible outside of a browser exploit since the domains won't match.
I'm a technical person and I have no idea what your post means... and I also need to figure this out and explain it to the rest of my (extended) family.
Google Accounts are the new printers, familial-y speaking.
One common 2FA method is TOTP (time-based, one time password). Bitwarden [0] is a password/secrets manager that you can host yourself. It supports TOTP so you can just use that instead of a separate app like Google Authenticator or Authy. I would not recommend this personally as if you expose your master password for bitwarden, you've also made it possible for the attacker to sign in via 2FA... which normally would require access to your phone or backup keys. But it is more convenient.
Basically, people should be using password managers by this point. I recommend bitwarden because you can host it yourself, it's good for storing other secrets, and it has browser plugins/apps.
Follow-up question: I downloaded Authy on my phone and my desktop, and the first thing it wants is a phone number. I'm trying to solve for not having a phone -- can Bitwarden's TOTP be used without a phone number being provided?
Bitwarden does not require a phone, but it sadly TOTP support is only in the paid version. What I do is keep TOTP in an app called Aegis, which supports backing up the seeds. This way, I can always use the seed file to setup Aegis on a new device.
I feel I'm the only one who absolutely hates the zoo of MFA I'm subjected to as part of the latest and greatest in security for the masses. I hope something comes along to replace all of it soon.
Don't worry. Many companies are already replacing it with a simple webcam image of your mug (Hopefully directly stored on a server somewhere so it can be used for identity theft purposes).
Assuming you mean face and not a coffee mug, can you give an example? Most companies using facial recognition are using 3D maps of facial features using IR or other sensors, not a camera image. Windows Hello and Face ID come to mind, hence why they work in the dark.
I am fully aware that these algorithms use reference points on your face. I'm still not pleased with that data getting passed around.
As for the part of my comment in parentheses; I'm graciously awaiting the facial equivalent of "passwords in plaintext on the server". It's rather uncommon these days but I can almost guarantee it'll happen at least once.
My point is that generalizing it as a "webcam image on a server" is not only disingenuous, it's incorrect. It's not from the webcam, it's not an image, and it's not on any server except your own local device. Unless you have an example of a company doing this, which I did ask for. As far as I know companies are not storing that data in the cloud, at least the major ones I'm aware of.
Literally everything you can make to solve a problem leads to XKCD standards.
If we go by XKCD logic we wouldn't have Netflix because it would just be another "standard" alongside all of the other film distribution methods.
This seems pretty worrisome if you have ANY non-Apple device. So if I create an account using PassKeys, but at some later date, I need to log in using a browser on a Windows or Linux box, what do I do? I don't have a password, since one was never created. And all my credentials are in iCloud.
This is already an issue Apple has with their own Apple ID 2-factor authentication; in order to authenticate, you must either accept the prompt and receive the code on a current Apple device, or (secondarily) recieve a code via SMS.
Frustratingly, there is no option to add a TOTP code (like most other services, including Google, offer) or to disable SMS 2FA as a backup (despite its known security issues).
I say this mostly because I assume Apple would use your Apple ID credentials as a way to log in to these services on a Windows or Linux machine, as they do currently with the "Sign in with Apple" flow.
I feel like my PC is should be the source of truth for my identity, not my phone. Phones get lost, stolen, and destroyed at times and there's no guarantee that I'll have access to my phone number for the rest of my life. I'm already completely screwed if my phone number changes, because not every service offers one-time-use codes to bypass 2FA.
It is absolutely baffling that there's no desktop 2FA program that's widely used. I guess tech savvy people are using android emulators on their PC to run google authenticator, but that's such a pain.
Has anyone had luck with yubikeys for personal accounts?
> Supports Google Authenticator and other authentication apps that can generate one-time security codes.
How do you do this? I'm looking at my personal account settings and the 2-step options are "app on my iOS devices", "security key", or "text message/voice call".
Was the same for me until I enrolled one of the above. I used a security key to get past that stage, then I was allowed add an Authenticator app. Very frustrating UX.
How so? If you have a variety of second factors enabled (security key, TOTP, recovery codes) it seems like you can be confident enough in not getting locked out.
People who are in the top 1% of technical skill will do that. Not "the rest of us".
Most of those tools suck. For instance I got a yubikey which has numerous flaws (not quite a regulation USB device), but the one that "EOLed" it was that the hole to attach it to a keychain wore away. A 0.25-cent nylon washer would have fixed it. Fortunately I was able to recover the yubikey rather than lose it, but it isn't on my keychain anymore.
Banks and other high-margin organizations can afford heavy reset and recovery processes. Companies like Google where customer service is "talk to the hand" can't and won't.
Is this the standard answer now every time someone complains of beating treated like shit? "I was walking down the street in broad daylight and someone beat me and threw me in the gutter!"
"Nobody is obligated to teach you self-defense."
"I tried to stop while driving but my breaks failed and I crashed into a house!"
"Nobody is obligated to teach you proper car maintenance."
"My wife's surgeon lied about his qualifications and now she's dead!"
"Nobody is obligated to teach you how to spot a quack."
IT'S NOT OUR OBLIGATION EITHER. It's Google's, to make products that don't abuse and exploit their users. Stop this bizarre gaslighting tactic. 2FA is a shitty scam system that increases complexity and failure rates, radically decreases privacy, and DOESN'T increase security because the vast majority of users will just use SMS, which is easily hacked.
SMS excludes people who live in places where cell phone carriers choose not to cover. I've had to drive 2 miles from my house to receive an SMS, and I live just 20 minutes from a major research university.
> People who are in the top 1% of technical skill will do that. Not "the rest of us".
That means it's not 100% guaranteed one will be locked out, _provided that_ one has the tech chops. Even with such condition, is enough to totally invalidate your statement of "100% guaranteed you'll be locked out".
You probably should change your statement to say "99% of people (i.e., those withiout tech chops) will very likely -- or almost certain -- to be locked out sometime in the future". Now that new statement will be true.
Got a 2FA prompt for my Google account which said something like: 'Tap the confirm button on your phone to verify it's you'. Just dawned on me I switched to a dumbphone about 5 years ago for privacy reasons and binned my smartphone. So no more Google account for me.
It makes me wonder how many people are going to be locked out of their accounts because of these changes. So many people looking for a human. Sadly Google support is famously terrible, and 99% of queries are just Google replying back saying: 'RTFM' or 'Please refer to the FAQ for support'.
Google locking me out of my account, despite me providing valid credentials, was the catalyst in de-googlifying my life.
The inherent tradeoff with information security is convenience. For a personal account, the user should decide where they want to exist on that curve. Google's assumptions that I have perpetual access to a cellular device, or a consistent ISP, are user hostile.
Absolutely. Additionally, when The Verge runs an article about how “Google doesn’t do anything to protect your account even though it’s the center of your digital existence”, with the story of a user who failed to enable 2FA and had their entire life upended, the retort that “users should be able to decide for themselves where they want to be on the convenience / security curve doesn’t play.
This isn't about articles by a site 95% of the population has never heard of and it sure isn't about security if SMS is considered acceptable for the second factor.
Cellular providers have laughable security when it comes to account access and changes. The easiest way to get to someone's money and digital life is to figure out their cell phone company, and then convince them to send you a new SIM card for their account. Presto, instant to their bank account and now their google account.
This is about google wanting to tie more identifying information to a google account, and (by way of making all but "install our app" incredibly annoying) force iOS users to have a Google app on their phone so they know what IP address to associate with you at all times.
I was in the process of stripping Google out of my life and this looks like excellent motivation to speed that along.
I also have an old account that despite knowing the correct password AND having access to the recovery email for that account, Google refuses to let me log in and there's no recourse. It's frustrating to say the least.
I never regained access to it. It's just an old account that I only used for a brief period of time so I don't think there's anything valuable in there, but it still sucks nonetheless.
Please consider doing a write up on how you resolved this? There must be thousands of people impacted by this.
I've also had this situation when relocating countries. I had to abandon a 15 year old account (for which I also had a valid working recovery email) with a lot of issues recovering online banking etc. (Had to physically travel to another country to restore multiple services associated with the account).
I'm with fastmail now. I will never again depend on a mail service that I am not paying for.
This spells the end of privacy on the Internet. Your phone 100% identifies you. Plus, if you lose it, you may lose your account as well. I just got an email from Twitter support, saying that I could “restore” my lost access by creating new account. I thought this email was some kind of a joke, but no.
That is why I use a TOTP app that lets me export an encrypted copy of the TOTP secrets. I also have a printed-out copy of the secrets stored in a secure location, which I update monthly for new accounts I add in. Prior to that when I was just using Google Authenticator I would record the TOTP secret prior to importing it into the app.
What TOTP app do you use, and what format do you print the secrets in?
I currently use "OTP Auth" for iOS, which supports backup and encrypted cloud sync, but I'm not sure if that supports something like "export to a text file".
AFAIK you should be able to remove your phone number from your account after adding some other type of MFA (authenticator app or key fob). Did this change recently?
"This spells the end of privacy on the Internet. Your phone 100% identifies you."
My "2FA Mule" has no identifying information of any kind on it and doesn't follow my location(s).
It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].
It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.
The "2FA Mule" itself is plugged in at my office in a corner.
I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...
What happens if that phone is destroyed through some sort of accident, possibly involving your office? No matter how unlikely, if that's not a contingency you've planned for, the plan needs some work.
> This spells the end of privacy on the Internet. Your phone 100% identifies you.
But I don't think Google mandates you to use a phone for 2FA? You can use any TOTP app or a U2F dongle like the Yubikey (or the Ledger Nano S, which has an U2F app).
I see your point but unlike climate change, privacy is not a one-way loss. It can be restored so long as some other technology prevails. Wishful thinking perhaps, but it's well within the realm of possibilty.
Google's 2FA is very frustrating to say the least. The forced use of a mobile device with a Google app installed as my primary 2FA device is nothing if not annoying-- I already have 1Password set up in the browser to autofill 2FA codes. Google doesn't seem to like this because after sign in I always have to wait for the prompt saying "open the google app on your phone", then scroll down and click "try a different way" and THEN click a selection to enter a 2FA code. Very very frustrating.
That sounds like design decisions for optimising the 2FA experience for the vast majority of users, who don't want to mess with Google Authenticator or their password manager _is_ Google (Chrome).
I use a password manager myself (as IMHO everyone should). It's not ideal because if your master password gets compromised it's potentially catastrophic in away that any individual getting compromised isn't.
The problem with 1Password 2FA is, I believe, that the 2FA itself is still gated behind your master password, in that if that gets compromised so does your supposed 2FA.
The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.
Again, I don't use this feature of 1Paswword so this might not be exactly how it works.
But if so, I'm sympathetic to Google not treating it as 2FA because, well, it isn't.
I know 2FA is often described in this way but it's not the way I really use it or how your average person wants to use it IMHO. It's just a second piece of data that is needed to login, which does add significant security. Maybe I just don't oversee anything important enough but I don't actually want my digital security to be dependent on a single piece of hardware ever. Yes, I know about backup codes but where are you going to store those if not 1Password/alternative-manager? So for me I'm perfectly happy to keep my 2FA alongside my password in 1Password.
As for "If that 1Password master password is the only thing needed to gain access then you don't really have 2FA." it's not, unless they get access to a device you have logged into 1Password on in the past (and thus entered your secret key [0]). For me this stays true enough to "something I have". If someone has my phone/computer AND can guess my 1Password master password then things are already pretty bleak and they already have access to whatever other 2FA app I was using (Authy/GA).
Lastly 2FA falls apart if you share an account with a significant other (or a team). In 1Password I can just move that login to a shared vault or share that login individually and everyone can log in and use 2FA. I'm not sure what the alternative would be. Sure, if a product supports multiple accounts or even multiple 2FA's (I don't think I've ever seen the latter, at least in non-enterprise settings) there is a way to do this but most apps/SaaS/etc there isn't an alternative (other than disabling 2FA).
Yes. I write them in a book. The book lives in a locked desk drawer.
My threat model does not include "Nation state adversary breaks into my home and... reads the contents of the book". If I annoy the Russians enough, presumably they would just try to outright murder me.
In contrast, "Person I annoyed online plans elaborate Internet revenge" is definitely a potential threat I want to cope with, as are "Scam email claiming to be from company I have account with", "Facebook lose everybody's passwords", and so on.
In the event I die, most documents and other material are encrypted and so are now intentionally useless. My accounts are not intended to be "memorialized" or whatever. My net worth cashes out for a handful of people to split up as they choose, or if they can't/won't evenly between them.
If you meant somehow the building burns down and destroys all my possessions but leaves me miraculously alive, I lose access to a bunch of stuff. Nothing to be done about it.
But one of the Security Keys lives in my jeans pocket, so if I survive the fire in the regular way, by fleeing a burning building, I still have that Security Key. If I am wearing trousers. Not so many people actually flee naked, if the fire is going to kill you in the time it takes to pull jeans on you're probably just not making it out at all.
> It's not ideal because if your master password gets compromised it's potentially catastrophic in away that any individual getting compromised isn't.
If you care about this, consider security through compartmentalization provided by Qubes OS. I store my passwords in plain text in an offline VM (with hardware virtualization).
The problem is that “something I have” is generally supposed to imply that it’s a physical object whose functionality cannot be feasibly copied to another object. Some data, especially data stored in the cloud, isn’t really a good candidate, even if it’s protected by a password that only you know.
I disagree. The "have" factor can be soft or hard. It just needs to not be memorable (because then it's guessable, which is a primary weakness of a "know" factor).
For example: if you have an application protected by password+yubikey with "remember device" enabled, after prompting for your password it may decide not to also prompt you for the yubikey, and that can be because a cookie (perhaps ANDed with some other heuristics) is taking its place. A cookie which can be trivially copied to another device, but can't be trivially memorized nor guessed, and is for that reason not a "knowable" thing. If it was considered a "know" factor, then the "remember device" feature would effectively be a "conditionally disable 2FA" feature (two "knows" are 1FA), but it's really not that, outside of describing the interim UX.
I think that a "remember device" feature is a totally orthogonal concept. That's really just another word for a session, and it's quite common for authentication to apply to an entire session rather than to each and every message in a session.
It's true, of course, that once you have created an authenticated session on a device, anyone who has compromised that device (with physical access or a software hack) can likely gain access to that session. But the authentication method still prevents unwanted initiation of sessions, which is the whole point.
Any service provider obviously needs to choose their session policies to match the sensitivity of their service, their own threat models, and the threat models of their clients. So e.g. an online bank probably shouldn't issue cookies that last for a year and are portable across IP addresses. For some services, it could be a good idea for the session to only grant less sensitive access (e.g. only read access), and still require fresh authentication for sensitive actions (e.g. transferring money).
Totally agree, it’s crazy to have your 2FA and password manager be the same application. You can actually disable 1Password’s 2FA and tie a different 2FA. I’m not sure if it’s just a business/teams feature, but we are able to require everyone at the company install and use Duo as their primary 2FA as part of their 1Password activation.
The only use case I've identified for 1Password 2FA is an account that _must_ be a shared login. There are a few business services we use that don't support multiple users on an account.
A password manager itself should be protected with 2FA already. Especially in terms of 1Password since you mentioned it, you need to have both master password and private key to decrypt a vault. It is a pretty strong 2FA as long as you know how to protect the private key.
Granted that if you put your TOTP seed somewhere else outside the password manager, you technically achieved "3FA"(1Password master password + 1Password private key + TOTP token) and it is more secure. But I don't think putting TOTP seed and password together in the same password manager weakens 2FA?
To login to a website:
- Without a password manager, your 2 factors are account password + account TOTP.
- With 1Password, your 2 factors are 1Password master password + 1Password private key.
I avoided using my password manager's 2fa for quite some time for the same argumentation...
But when I realised the 'something you have' is the password manager (actually, the data store) itself, and the 'thing I know' is my master password (and not the individual site's password) I've started using it for 2fa.
I can still see how the subscription version of 1password stretches that definition though (because you don't actively have unique ownership of the data itself), which is why I use keepass now.
Just like a dongle, your pc is not immune to evil maid if left unattended. My threat model isn't inclusive of that (my threats come from the internet - I live rurally).
Requiring your phone for 2fa (google auth or sms 2fa or other) isn't a panacea either, especially if that's the device you're logging in with.
I wish Google would allow setting 2fa without a phone number...
> the 'something you have' is the password manager
The problem is, assuming your master password is unique (I hope so!), all of the likely vectors for exposing it also expose the database, even if it's only kept locally. Having the database only stored in one place is also quite inconvenient, of course, and any sync mechanism adds even more opportunities for it to be exposed.
My computer could very easily have a zero-day vulnerability get exploited. So could my phone. Either one would expose anything I do on it (for example: access my password database using my master password).
(My solution to this is to use a security key for as much as I can. If you're not concerned about this risk, great, but it definitely is a threat.)
Your example is correct, but your 1Password account can be protected by MFA that's separate from 1Password itself. They also support U2F.
I personally have all my MFA codes in 1Password, but 1Password is protected with my Yubikey. In the unlikely event that a bad actor did acquire my master password, they wouldn't get far unless they also physically had my hardware security key.
1. 1Password requires a secret key[1] in addition to the master password to gain access on a new device - specifically to protect against weak/reused/leaked master passwords
2. You can add 2FA (well, technically 3FA if you need the secret key, master password, AND a rotating token) to your 1Password signin as well (I auth Authy for that purpose)
The second factor for login to 1Password (or other password managers) protects you from people logging into your account officially, but not from vulnerabilities or inside action of the vendor.
1Password also seems able to bypass the secret key ("If you still can’t find your Secret Key, contact 1Password Support.") which means social engineering, phishing, and/or credential stuffing attacks are viable.
somthing you have and something you know. a password can be hacked remotely. something you have is more involved. these are layees if security. some are better than others and there are gimicks like some forms of recovery.
> The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.
Well, this is not exactly true. You need to know the master password, and you need to have the device that has the 1Password database on it. Even with the knowledge of the master password, you can't login into your $random_website account from my laptop. So even without the additional one-time 2FA codes, using a password manager that has a master password and doesn't synchronize its database, de-facto, _is_ a form of 2FA. Yes I understand that this view is controversial and that auditors will disagree.
Others have mentioned a desktop app, but how often do your parents have to 2fa? It's not every time they log in (unless they're buying a new burner laptop every time they log in. If they are, there may be other issues to discuss first.)
Because your parents do not have cellphones, Google will conclude that it doesn't know a better way to authenticate them and they get to keep their existing (poor) security. As the article eventually explains.
If you would like your parents to have better security for these accounts, I commend Security Keys. Unless your parents aren't together any more, or are just really fervently independent, it's probably fine to buy them one each, but with the suggestion that they both enroll both keys. This way when Parent #1 loses the Yubikey you bought them, Parent #2 can use their Yubikey to save the day until a new one is purchased.
Yubico's USB A format factor "Security Key 2" is robust, but relatively expensive for what you need.
Searches for "Security Key" on Amazon or your preferred site will give you a pile of products and review feedback across price brackets, the only thing your parents are likely to care about are the connector (USB A is no use for a USB C MacBook for example) and maybe other form factor concerns like can it hang from a keychain, or would it fit in a wallet? For their purpose these things don't fill up, and shouldn't (modulo physically smashing it) wear out.
You can always buy a USB-A-to-USB-C adapter/converter. They are available everywhere, inexpensive, and if you're afraid it will be misplaced, there's always the option to glue the USB A key to the adapter...
The whole point of 2FA is that 2 devices need to be compromised - your phone AND your computer. With desktop Authy only one device - your computer - needs to be compromised.
This is correct but, in the vast majority of cases, attacks are carried out remotely. I would agree that where third parties have access to your machine, it would be not be a good solution.
That's not really on the table though. We are not talking about your local tech illiterate bank here. We are talking about securing your Google account which is likely used to SSO authenticate with many other accounts.
I sort of disagree. With social engineering, it could be easier to reset someone's password with a SIM swap than traditional means. For many years, PayPal refused to do true 2FA and I cringed at having to choose between no 2FA or SMS-based. Phone numbers are much easier to source through public records than many people realize. As someone who has had the same primary cell phone number since I was a teenager, I’m honestly shocked it isn’t in more places (I’ve taken great pains to limit it getting out, but I’m still shocked). That scares me enough to almost get a second number, but that’s such a pain in the ass and not a great solution.
While I'm sure that Fi and Google Voice are better than almost any other carrier based SMS security, this does nothing to convince me to ever use SMS 2FA.
"Your Fi number is tied to your Google Account." -- I'm sure you've seen cases of people's google accounts being randomly locked for no reason. Now you lose access to make a call too!
The last thing I'd ever trust security to is SMS. Lots of good technical details here:
Here in the US, NIST has deprecated the use of SMS as 2-factor auth[1] on the grounds that "there’s a risk that SMS messages can be intercepted or redirected".
> The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.
Indeed.
It's also why I think U2F should be mandatory in way more places/sites/companies (it is in some, thankfully): you then need to physically have a Yubikey or similar and it's not possible anymore to trade security for convenience. It doesn't solve all security issues, but it's already a great step forward.
When you let people the choice, they'll pick the lazy, insecure, way.
My password manager requires a hardware token to log in. So now the second factor is "has a device I've logged into my password manager with, or the hardware token for the password manager".
Two passwords - a master password, and a secret key. That secret key comprises the phone or laptop with 1password configured being the "something you have" for MFA because it's basically the same as the TOTP seed value/QR code - that secret key is only used by the user when setting up a new device - similar to when a new TOTP MFA is set up.
If you are working in facility where you can't have a mobile phone nearby, it is incredibly frustrating. Sure, just print out a long list of codes every week.
I've used a U2F dongle for my 2FA with Google for a few years. I've been enrolled in the Google Advanced Protection program for a while. I don't have any issues around Google logins, just plug in my U2F dongle and press the button or hold the dongle near my phone for NFC to do its magic.
Another benefit is that I'm much less likely to lose my U2F dongle as it's on my physical keychain (and has been, for years, without damage) than I am to need to replace or wipe my phone (although a password manager with 2FA codes in it also avoids this).
For anyone who says, "But what if $WORKPLACE doesn't allow you to plug in USB dongles or use NFC!?!" my counter is then maybe you shouldn't be logging into your personal Google account on that PC. And you probably have an IT department who already have a solution for 2FA that you're required to use.
Also, just because you aren't allowed to plug in "USB dongles" such as flash drives, does not mean FIDO authenticators [the things needed to make WebAuthn or its predecessor U2F work] won't work.
A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.
If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.
‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.
Some work machines have all external ports glued shut and the mouse/keyboard are non-removable to prevent data exfiltration. Though you shouldn't be logging into personal accounts on those machines anyway.
This is quite a flippant response. These requirements are being put in place against (some) users' will. Simple changing email providers isn't exactly easy and maybe they need to access that account. Maybe Google should allow users to turn this off?
I've had the same experience. Signed up for Advanced Protection Program not long after it was announced and I've been very happy with my MFA experience with Google for years now.
If you use a Google Titan Key with Apple devices, have you been able to pair and successfully authenticate using either (1) bluetooth only, or (2) NFC only, on any Apple device?
I have not, and it's frustrating that Google offers no support beyond their help pages for their own branded hardware.
I use a few Yubikeys and a Bluetooth Feitian key with my iPhone 8. My wife uses a Google Titan USB key and Bluetooth key for her Apple devices. Our iPads are too old to have NFC, but the Bluetooth paired fine with Google's Smart Lock app and we've used that.
For our iPhones, the NFC has worked fine even without the Smart Lock app. I believe Google phased Smart Lock out some time ago but I've not tried using it in a while, I don't use an iPad very often.
Yes, the bluetooth titan key definitely worked for me and my wife on our iPhones. I think NFC did too but I haven't had to reauthenticate my iPhone in ages so I don't remember for sure.
What's your plan for when your dongle is lost/stolen/destroyed? Many U2F devices cannot be backed up and they recommend that you register with 2 separate devices. But while that is possible, it certainly doesn't scale and really is useless advice for the general case.
I have 3 U2F devices. My wife has 2. For any U2F logins we have, we have enrolled all of our dongles in each login.
At least one of each of our devices is always stored at home in a safe place, where we store other valuable documents. If either of us lose one device, we will buy a new U2F dongle, enroll the new dongle, and unenroll the old lost/missing/stolen dongle from each of the services we use.
You can't backup a U2F dongle but so far everywhere I've enrolled to use one it always recommends you enroll at least 2 and keep one in a safe place.
I have a Yubikey 5, Yubikey 4, and a Feitian Bluetooth key, the Feitian is basically the unbranded Google Titan Bluetooth key. Both work fine, although I haven't used the Bluetooth one in a while. I use my Yubikey 5 on a regular basis.
FWIW, you could use a different app, other than Google's. For example, you could use an app called Authy or the Microsoft authenticator app. Then AT LEAST, the app is outside the Google network.
One alternative (though it's absurd it has to be this way) is to use two separate google accounts - one for your phone, one for everything else. It actually solves a few invasive/dark patterns Google employs.
Google's 2FA doesn't make sense. The 2FA bugs sometimes tried to log in to a brand new laptop, and it automatically logged me in without any asking for verification.
That’s the beauty of 2 factor. If you lose your phone and a bad actor picks it up, they now have one of your factors (what you have) but not “what you know.”
2. Google DOES require 2FA on an account, but only requires the second auth if "suspicious activity" crops up.
3. Google requires 2 auths on each and every login.
On 1, if a bad actor picks up your phone and tries to log in, they will fail if you haven't saved your login, or succeed if you've been lazy and saved it. In the latter case, that's really on you (and you might still be able to get your account back even then, if they didn't fully and quickly reset password and other details!)
On 2 however, they will try to log in, fail, and trigger a lock-down that can only be lifted with both auths. One of which you don't have anymore. Congrads, you've just lost your account!
3 is the same as 2, just for different reasons. As soon as that phone disappears, you don't have the second auth, and you're screwed.
And don't even bother with anything that isn't a phone. We both know nobody in the general public is using anything other than text for this. And some older folks don't even have that! Add on to this that SMS can be easily hacked, and it's pretty clear this whole system is a joke.
You just put in your back up codes to restore access. That’s why the backup codes/words exist. If I lose my crypto wallet or it gets stolen, I go to my bank, get the words from my safe deposit box, and use those words to seed my new wallet. Doesn’t have to be a bank — a home safe or filing cabinet will work, but when my phone broke I had zero problem restoring my 2FA on my new phone using the backup words.
You can use your backup codes. In fact your point is a good reason to HAVE MFA given that in the past, if you lost your phone all your data would be compromised.
This was already required to generate what's called an "App Password", in order to keep using IMAP in a sane way without constantly getting emails about suspicious logins when my K9-Mail app on my phone connects to public hotspots.
The irony of the matter is that I keep my OTP key in the same password manager as my google password, in order to not require a phone to access it, and this "App Password" is significantly weaker than my generated passwords...
Oh and I should add that it was already rather compulsory in order to be able to log in to your account on "public" computers (think printing services, schools, ...), as google would straight up block the login unless you got an existing device to confirm your login (i.e. a phone with google apps and services, which I don't have).
With the 2FA enabled this no longer is a problem as long as I have a device nearby on which my OTP key is stored...
This article links to a Google blog post which notes explicitly: "NOTE: The automatic 2SV enrollment will not impact organizations on Google Workspace. Organizations on Google Workspace will continue to have the choice of enrolling their users in 2SV via the admin console."
306 comments
[ 2.6 ms ] story [ 271 ms ] threadI recently went through this exact scenario: Old phone broke. Bought a new one, restored backup. Guess which app doesn't restore its data from the old phone? Google Authenticator. Lost access to all my TOTP logins.
https://i.imgur.com/4YrElkJ.png
Keep that in mind when you e.g. go traveling.
Rather than giving users options, Big Tech has decided to paternalistically kill passwords in favor of less convenient and less secure methods (my email is much less secure than my password store). Even from residential IPs, it's become the norm for banking websites to harass you with snake oil "2FA" every time you login. The only solution is to split up your online activities so you can conform to their demands with one VM/browser config, account for the extra annoyances as the price of using their services, and move as much activity as possible to freedom-respecting technologies.
Can we please stop spreading FUD because people here really getting their jimmies rustled at any extra steps (even though this forum is often rife with people falling for phishing attempts, repeatedly using GoDaddy, on and on, proving that they can't protect themeselves.)*
But maybe you could name a few tech companies besides Twitter who have implement 2FA you way you imply.
I log in all the time, this morning included, and do it every time with a simple password. I have never been prompted for 2FA and there is no identifying info in my account or in the emails that it catches. The account names are even fake.
If I do end up prompted to set up 2FA I will simply delete the whole shitteroo and start over somewhere else with another fake name.
"The company plans to automatically enable two-step verification for accounts that have been configured correctly."
2FA is a strict improvement and everyone should be using it. I applaud Google for mandating a best practice.
It's far preferable to the alternative of having your account compromised because your password is guessed or stolen.
I'm able to live without electricity but I'm not about to call the power company and have them cut my feed. There are folks who consider it some kind of incarceration to be beholden to the electricity provided by a power company; I respect them but I don't share their philosophy.
Unless the situation is "There is another power company right next door," I'll have to disagree.
If the claim is one can self-generate power, the analogy holds but not in the way, I think, the author means. Self-generation off-grid is a pain... Buy or build and maintain your own generators, your own storage, deal with impedance, deal with the risks of operating on high voltage, equipment breakdowns are yours and yours alone to repair, etc.
Similarly, I can self-host my own email, video, web servers, and possibly even build my own voice-activated assistants tuned perfectly to my specifications, sharing my data with nobody... But that's a lot of work when Google has provided all of that for me.
So while I support asking people to reconsider if they need a Google account, I would never recommend alternatives that lack 2FA and where possible, I refuse to use services that lack 2FA myself. Unfortunately there are still some categories like banking where TOTP, FIDO, etc is practically unheard of.
You consider something superior just because it works for you and therefore everyone should be forced to do as you, but you ignore what doesn't work for others (such as being tied to a phone).
And as others have said, you can use another product.
https://webapps.stackexchange.com/questions/127464/enabling-...
Perhaps this changed now, but I had to set up a different 2FA method first (I used a U2F security key), then add OTP, and then it was possible to remove the U2F method.
After logging in with OTP once (I just keep the private key on my laptop in pass) you never seem to get asked to provide it again, but 2FA is nominally enabled.
https://www.google.com/intl/en/landing/2step/#tab=how-it-wor...
I'm not sure why TOTP isn't an option. Google Authenticator still seems to be a supported app.
> The Google Authenticator app for Android, iPhone, or BlackBerry can generate verification codes. It even works when your device has no phone or data connectivity.
You can also use third party apps, I use Authy
But also, frankly, I just don't trust Google to implement this correctly, given their track record. Google sure employs a lot of smart people, but the quality of their products and services is generally crap.
Really? There are scratch codes for that. Or you can use an app that backs up your TOTP key for you, like Authy. Or you can store your TOTP key manually. Or you can have multiple devices. Or...
> having to run extra software
Oh, come on. Are you really complaining about having to compute an HMAC?
> I just don't trust Google to implement this correctly, given their track record.
Huh? You do know "The day Google forgot to check passwords" was fictional?
As for the track record: we are talking about a company that can't properly implement basic password authentication, see my first comment. And no, I'm not interested for possible reasons/excuses why is it so; what matters is that it doesn't work _for me_.
It doesn't, though. Go actually read the article this time, not just the headline.
> for no gain (for me).
Sure. There's no way your system could ever be compromised. It's not like you actually click any of the links on HN, right?
> we are talking about a company that can't properly implement basic password authentication
[citation needed]
For anyone attempting escape, rclone seems to be the only tool that supports exporting all Google Docs ever shared to the account. Google Takeout (or the equivalent GAFYD tool) worked for everything else
Yeah, but still pretty inconvenient. I migrated all my main stuff way from Google years ago, but I have a bunch of accounts I use as throwaways that will be a much bigger PITA to use.
Now that I only have one phone, I've turned off 2FA as much as possible, because only one phone means when it breaks, I can't access my accounts, because I can't get to the 2FA tokens. No thanks.
I keep my backup codes in a plain text files in a folder on my home NAS which is encrypted on disk, and backs up through rclone (with encryption) to backblaze every night. I'm about to configure up a second NAS for redundancy because 3 2 1.
I read them, and said, no thanks; I'd rather be able to recover my accounts easily.
Enabling SMS authentication for an account is a huge DOWNGRADE in security, not an increase. Cellular providers are infamously easy to socially engineer.
1)Password alone is weak. 2)Password and SMS 2fa better. 3)Password and real 2fa best. 4)Password, real 2fa, backup codes, basically just as good as best.
Google is only eliminating #1, and only requires 2fa when logging into a new device. I’m surprised HN folks are having a tough time grasping this one, in general it’s pushing people (I’d guess 90% of people would never opt into anything more than a regular password, including the parent) into #2 above.
Parent should do #4, but #2 is fine
For me, I have to consider 2FA, or in the case of my son, who doesn't want a phone, a Yubikey or similar. I don't want to live with the additional management and potential disaster of 2FA blocking his access to his email account, which is currently his gateway to university.
At work I have 2FA, but there's a whole IT/IS team to manage and unblock things (which happens, co-workers get blocked out of their email accounts regularly).
Personally, I'm hoping to convince my domain cohorts (family) to move to Protonmail or similar.
This is a good point: For many people, passwords are already too much of a hassle. 2FA is going to be just more hassle. I manage all the passwords for everyone in my family, because they just can't manage to remember theirs (even simple ones like hunter2), and they don't want to use a password manager themselves. I'm sure ours is not the only family in the world who does this. So, the burden falls on me to keep their passwords stored and secure, and tell it to them when they need it. Now add 2FA onto that pile and it's just going to be more of a hassle for me.
Yeah, sure, should be.
Meanwhile I've yet to actually see one in the wild, in a 20 year career, aside from one that's used on a server I know of.
Coworkers at small tech companies? Nope. Serious-business clients coming into the office? Don't see them busting out the USB stick and plugging it in to their laptops. Medium-sized tech companies? Nope.
Hell, I'd hate it even worse than phone 2fa. I lose my actual keys all the damn time. 80% of all remote controls in our house are, at any given time, vanished to some other dimension, because I have kids. The last thing I need is another tiny, super-important physical thing to lose. The only reason a cell phone is a useful object to me, and not another annoying thing I can never find, is because of "Find My".
Your choices are:
- Run it yourself: And get eaten alive by third party anti-spam products. Maintaining a mail server is a full time job.
- Move to another large corporation (e.g. Apple, Microsoft, et al). What have you solved exactly?
- Move to a small mail provider and hope they don't go under (and you lose your x year old email address associated with tons of stuff) or have security issues because they didn't/couldn't afford the expertise.
The "least bad" option right now just seems to be to spread yourself around, so you're not too invested in any one vendor (in particular in case they ban you randomly for reasons they won't disclose or discuss).
On the other hand they are small enough to certainly be hurt by concentrated DDoS attacks as it’s been happening the last week.
You can also just use an email client that downloads the emails you get, and then point your MX-records to another provider if and when your provider goes belly up.
Mail provider with any small provider.
Use Thunderbird, it's honestly better that it has been in maintenance-only mode for a decade and isn't being "innovated".
Sounds about right. For e-mail I'm using SES for outbound on my domain, and.. of all things.. Yandex Mail for inbound. SES doesn't seem to have any problem with spam filters, Yandex OTOH, it's definitely a temporary solution, I'm only using it for POP3, but their webmail is also fairly cute. Yandex outbound is treated as spam by basically everything except Yandex
1. Have your own domain name.
2. Use a small-ish mail provider that supports IMAP, etc.
3. Store all your emails/folders on a device (laptop, whatever). This way if the provider locks you out or goes under, it's easy to switch to another.
Has worked since what, the 80's? Personally been doing this since before Gmail existed. Ironically I chose this route precisely because the major providers (Yahoo, etc) were too unreliable for me - I had lost accounts multiple times because some of the (then) top mail providers decided to get out of the mail business and/or regressed their featureset so much that it hurt.
Of all the Internet services, this is the easiest one for someone to own.
It probably wouldn't go down well if Google required an Android device to provide the second factor, but I could definitely see them requiring a device which does biometric verification of the user. That's a pretty good way of connecting online activity to a specific human (assuming the attacker can gain physical access to your authentication device, and has a model of your fingerprint/face, which governments increasingly do have).
[0] https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu...
- Hardware key (fido u2f).
- TOTP or HOTP generator (on any platform, PC, Mac, iOS, Android, whatever).
- Trusted Device.
The second factor ties me to a specific device.
TOTP is essentially a glorified password (which is the shared secret), only so long that the user presumably does not remember it, so it is taken as a representation of a trusted device access. TOTP / HOTP are close to manual CHAP.
I don't feel two passwords (the real password and TOTP shared secret) are better than one.
I'm not against RFC'd TOTP , but is it possible with google?
The post specifically states that there are other forms of 2FA, including token based.
Depending on the form of second factor you use, it can stop phishing attacks (and don't say you'll never fall for one, anyone can make a mistake). The "send a notification" option for 2FA gives you information about where the login request is coming from, which is a chance to check that someone isn't sitting in the middle of login process. And something like WebAuthn makes phishing impossible outside of a browser exploit since the domains won't match.
Google Accounts are the new printers, familial-y speaking.
Basically, people should be using password managers by this point. I recommend bitwarden because you can host it yourself, it's good for storing other secrets, and it has browser plugins/apps.
[0]: https://bitwarden.com/
Follow-up question: I downloaded Authy on my phone and my desktop, and the first thing it wants is a phone number. I'm trying to solve for not having a phone -- can Bitwarden's TOTP be used without a phone number being provided?
Thanks in advance.
0: https://github.com/dani-garcia/vaultwarden
https://bitwarden.com/pricing/
As for the part of my comment in parentheses; I'm graciously awaiting the facial equivalent of "passwords in plaintext on the server". It's rather uncommon these days but I can almost guarantee it'll happen at least once.
https://xkcd.com/927/
https://sixcolors.com/post/2021/06/wwdc-2021-apple-takes-the...
Frustratingly, there is no option to add a TOTP code (like most other services, including Google, offer) or to disable SMS 2FA as a backup (despite its known security issues).
I say this mostly because I assume Apple would use your Apple ID credentials as a way to log in to these services on a Windows or Linux machine, as they do currently with the "Sign in with Apple" flow.
Could even set up rules for like "only during business hours in my country"
I feel like my PC is should be the source of truth for my identity, not my phone. Phones get lost, stolen, and destroyed at times and there's no guarantee that I'll have access to my phone number for the rest of my life. I'm already completely screwed if my phone number changes, because not every service offers one-time-use codes to bypass 2FA.
It is absolutely baffling that there's no desktop 2FA program that's widely used. I guess tech savvy people are using android emulators on their PC to run google authenticator, but that's such a pain.
Has anyone had luck with yubikeys for personal accounts?
I simply use Authy instead of Google Authenticator. It has a desktop app that syncs to the Authy app on my phone.
With Windows 11, you'll soon be able to run Android apps without needing to install an Android emulator, but that's not here and now, though...
How do you do this? I'm looking at my personal account settings and the 2-step options are "app on my iOS devices", "security key", or "text message/voice call".
https://en.wikipedia.org/wiki/Time-based_One-Time_Password
I guess there's some needles here to be threaded, whether we stay or leave Google.
Most of those tools suck. For instance I got a yubikey which has numerous flaws (not quite a regulation USB device), but the one that "EOLed" it was that the hole to attach it to a keychain wore away. A 0.25-cent nylon washer would have fixed it. Fortunately I was able to recover the yubikey rather than lose it, but it isn't on my keychain anymore.
Banks and other high-margin organizations can afford heavy reset and recovery processes. Companies like Google where customer service is "talk to the hand" can't and won't.
Nobody is obligated to help you learn.
"Nobody is obligated to teach you self-defense."
"I tried to stop while driving but my breaks failed and I crashed into a house!"
"Nobody is obligated to teach you proper car maintenance."
"My wife's surgeon lied about his qualifications and now she's dead!"
"Nobody is obligated to teach you how to spot a quack."
IT'S NOT OUR OBLIGATION EITHER. It's Google's, to make products that don't abuse and exploit their users. Stop this bizarre gaslighting tactic. 2FA is a shitty scam system that increases complexity and failure rates, radically decreases privacy, and DOESN'T increase security because the vast majority of users will just use SMS, which is easily hacked.
That means it's not 100% guaranteed one will be locked out, _provided that_ one has the tech chops. Even with such condition, is enough to totally invalidate your statement of "100% guaranteed you'll be locked out".
You probably should change your statement to say "99% of people (i.e., those withiout tech chops) will very likely -- or almost certain -- to be locked out sometime in the future". Now that new statement will be true.
It makes me wonder how many people are going to be locked out of their accounts because of these changes. So many people looking for a human. Sadly Google support is famously terrible, and 99% of queries are just Google replying back saying: 'RTFM' or 'Please refer to the FAQ for support'.
The inherent tradeoff with information security is convenience. For a personal account, the user should decide where they want to exist on that curve. Google's assumptions that I have perpetual access to a cellular device, or a consistent ISP, are user hostile.
Cellular providers have laughable security when it comes to account access and changes. The easiest way to get to someone's money and digital life is to figure out their cell phone company, and then convince them to send you a new SIM card for their account. Presto, instant to their bank account and now their google account.
This is about google wanting to tie more identifying information to a google account, and (by way of making all but "install our app" incredibly annoying) force iOS users to have a Google app on their phone so they know what IP address to associate with you at all times.
I was in the process of stripping Google out of my life and this looks like excellent motivation to speed that along.
I've also had this situation when relocating countries. I had to abandon a 15 year old account (for which I also had a valid working recovery email) with a lot of issues recovering online banking etc. (Had to physically travel to another country to restore multiple services associated with the account).
I'm with fastmail now. I will never again depend on a mail service that I am not paying for.
I currently use "OTP Auth" for iOS, which supports backup and encrypted cloud sync, but I'm not sure if that supports something like "export to a text file".
It is open source, maintained, easy to use, can do backups and re-present the QR code so you can easily scan it with another device.
https://github.com/andOTP/andOTP
I'm a Googler, but haven't really looked into this yet.
FTFY. Though, I'd argue privacy has been dead there for years already.
My "2FA Mule" has no identifying information of any kind on it and doesn't follow my location(s).
It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].
It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.
The "2FA Mule" itself is plugged in at my office in a corner.
I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...
[1] https://play.google.com/store/apps/details?id=com.frzinapps....
I don't think that's an issue at all ...
I don't care about the phone - all I care about is the SIM card. If the SIM card is destroyed, your provider can issue a new one.
I guess if the 2FA mule was destroyed while I was traveling that would be a real pain but ...
(yes even as relatively "cheap" phones are these days. there was a time that $20 was a no-go for me.)
But I don't think Google mandates you to use a phone for 2FA? You can use any TOTP app or a U2F dongle like the Yubikey (or the Ledger Nano S, which has an U2F app).
The problem with 1Password 2FA is, I believe, that the 2FA itself is still gated behind your master password, in that if that gets compromised so does your supposed 2FA.
The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.
Again, I don't use this feature of 1Paswword so this might not be exactly how it works.
But if so, I'm sympathetic to Google not treating it as 2FA because, well, it isn't.
As for "If that 1Password master password is the only thing needed to gain access then you don't really have 2FA." it's not, unless they get access to a device you have logged into 1Password on in the past (and thus entered your secret key [0]). For me this stays true enough to "something I have". If someone has my phone/computer AND can guess my 1Password master password then things are already pretty bleak and they already have access to whatever other 2FA app I was using (Authy/GA).
Lastly 2FA falls apart if you share an account with a significant other (or a team). In 1Password I can just move that login to a shared vault or share that login individually and everyone can log in and use 2FA. I'm not sure what the alternative would be. Sure, if a product supports multiple accounts or even multiple 2FA's (I don't think I've ever seen the latter, at least in non-enterprise settings) there is a way to do this but most apps/SaaS/etc there isn't an alternative (other than disabling 2FA).
[0] https://support.1password.com/secret-key/
On a flash drive/SD card, or even printed out, and then stashed somewhere safe/secure (i.e. not in an unlocked drawer next to your desk)
My threat model does not include "Nation state adversary breaks into my home and... reads the contents of the book". If I annoy the Russians enough, presumably they would just try to outright murder me.
In contrast, "Person I annoyed online plans elaborate Internet revenge" is definitely a potential threat I want to cope with, as are "Scam email claiming to be from company I have account with", "Facebook lose everybody's passwords", and so on.
If you meant somehow the building burns down and destroys all my possessions but leaves me miraculously alive, I lose access to a bunch of stuff. Nothing to be done about it.
But one of the Security Keys lives in my jeans pocket, so if I survive the fire in the regular way, by fleeing a burning building, I still have that Security Key. If I am wearing trousers. Not so many people actually flee naked, if the fire is going to kill you in the time it takes to pull jeans on you're probably just not making it out at all.
If you care about this, consider security through compartmentalization provided by Qubes OS. I store my passwords in plain text in an offline VM (with hardware virtualization).
[0] https://www.qubes-os.org/security/xsa/
For example: if you have an application protected by password+yubikey with "remember device" enabled, after prompting for your password it may decide not to also prompt you for the yubikey, and that can be because a cookie (perhaps ANDed with some other heuristics) is taking its place. A cookie which can be trivially copied to another device, but can't be trivially memorized nor guessed, and is for that reason not a "knowable" thing. If it was considered a "know" factor, then the "remember device" feature would effectively be a "conditionally disable 2FA" feature (two "knows" are 1FA), but it's really not that, outside of describing the interim UX.
It's true, of course, that once you have created an authenticated session on a device, anyone who has compromised that device (with physical access or a software hack) can likely gain access to that session. But the authentication method still prevents unwanted initiation of sessions, which is the whole point.
Any service provider obviously needs to choose their session policies to match the sensitivity of their service, their own threat models, and the threat models of their clients. So e.g. an online bank probably shouldn't issue cookies that last for a year and are portable across IP addresses. For some services, it could be a good idea for the session to only grant less sensitive access (e.g. only read access), and still require fresh authentication for sensitive actions (e.g. transferring money).
Our choice is either:
* No 2FA
* Virtual, 1Password 2FA
It's better. But it's not great.
Granted that if you put your TOTP seed somewhere else outside the password manager, you technically achieved "3FA"(1Password master password + 1Password private key + TOTP token) and it is more secure. But I don't think putting TOTP seed and password together in the same password manager weakens 2FA?
To login to a website:
- Without a password manager, your 2 factors are account password + account TOTP.
- With 1Password, your 2 factors are 1Password master password + 1Password private key.
But when I realised the 'something you have' is the password manager (actually, the data store) itself, and the 'thing I know' is my master password (and not the individual site's password) I've started using it for 2fa. I can still see how the subscription version of 1password stretches that definition though (because you don't actively have unique ownership of the data itself), which is why I use keepass now.
Just like a dongle, your pc is not immune to evil maid if left unattended. My threat model isn't inclusive of that (my threats come from the internet - I live rurally).
Requiring your phone for 2fa (google auth or sms 2fa or other) isn't a panacea either, especially if that's the device you're logging in with.
I wish Google would allow setting 2fa without a phone number...
The problem is, assuming your master password is unique (I hope so!), all of the likely vectors for exposing it also expose the database, even if it's only kept locally. Having the database only stored in one place is also quite inconvenient, of course, and any sync mechanism adds even more opportunities for it to be exposed.
My computer could very easily have a zero-day vulnerability get exploited. So could my phone. Either one would expose anything I do on it (for example: access my password database using my master password).
(My solution to this is to use a security key for as much as I can. If you're not concerned about this risk, great, but it definitely is a threat.)
I personally have all my MFA codes in 1Password, but 1Password is protected with my Yubikey. In the unlikely event that a bad actor did acquire my master password, they wouldn't get far unless they also physically had my hardware security key.
2. You can add 2FA (well, technically 3FA if you need the secret key, master password, AND a rotating token) to your 1Password signin as well (I auth Authy for that purpose)
[1] https://support.1password.com/secret-key/
1Password also seems able to bypass the secret key ("If you still can’t find your Secret Key, contact 1Password Support.") which means social engineering, phishing, and/or credential stuffing attacks are viable.
Well, this is not exactly true. You need to know the master password, and you need to have the device that has the 1Password database on it. Even with the knowledge of the master password, you can't login into your $random_website account from my laptop. So even without the additional one-time 2FA codes, using a password manager that has a master password and doesn't synchronize its database, de-facto, _is_ a form of 2FA. Yes I understand that this view is controversial and that auditors will disagree.
If you would like your parents to have better security for these accounts, I commend Security Keys. Unless your parents aren't together any more, or are just really fervently independent, it's probably fine to buy them one each, but with the suggestion that they both enroll both keys. This way when Parent #1 loses the Yubikey you bought them, Parent #2 can use their Yubikey to save the day until a new one is purchased.
Yubico's USB A format factor "Security Key 2" is robust, but relatively expensive for what you need.
Searches for "Security Key" on Amazon or your preferred site will give you a pile of products and review feedback across price brackets, the only thing your parents are likely to care about are the connector (USB A is no use for a USB C MacBook for example) and maybe other form factor concerns like can it hang from a keychain, or would it fit in a wallet? For their purpose these things don't fill up, and shouldn't (modulo physically smashing it) wear out.
You can always buy a USB-A-to-USB-C adapter/converter. They are available everywhere, inexpensive, and if you're afraid it will be misplaced, there's always the option to glue the USB A key to the adapter...
"Your Fi number is tied to your Google Account." -- I'm sure you've seen cases of people's google accounts being randomly locked for no reason. Now you lose access to make a call too!
The last thing I'd ever trust security to is SMS. Lots of good technical details here:
https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...
If a SIM swap scam is happening and your account is locked, it is incredibly unlikely they'll be able to swap it out.
[1] https://www.zdnet.com/article/nist-blog-clarifies-sms-deprec...
The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.
Indeed.
It's also why I think U2F should be mandatory in way more places/sites/companies (it is in some, thankfully): you then need to physically have a Yubikey or similar and it's not possible anymore to trade security for convenience. It doesn't solve all security issues, but it's already a great step forward.
When you let people the choice, they'll pick the lazy, insecure, way.
Chaining just increases vulnerability.
You can fill forms and feedback but I have never heard of free users ever getting as much as a reply back.
Another benefit is that I'm much less likely to lose my U2F dongle as it's on my physical keychain (and has been, for years, without damage) than I am to need to replace or wipe my phone (although a password manager with 2FA codes in it also avoids this).
A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.
If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.
‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.
I have not, and it's frustrating that Google offers no support beyond their help pages for their own branded hardware.
For our iPhones, the NFC has worked fine even without the Smart Lock app. I believe Google phased Smart Lock out some time ago but I've not tried using it in a while, I don't use an iPad very often.
At least one of each of our devices is always stored at home in a safe place, where we store other valuable documents. If either of us lose one device, we will buy a new U2F dongle, enroll the new dongle, and unenroll the old lost/missing/stolen dongle from each of the services we use.
You can't backup a U2F dongle but so far everywhere I've enrolled to use one it always recommends you enroll at least 2 and keep one in a safe place.
I haven't been able to get any Google Titan Key to work with any Apple device via NFC.
I use an iPhone 8.
Google doing it properly should not upset you this much.
Your example is a great reason for 2FA to exist.
1. Google does not require 2FA.
2. Google DOES require 2FA on an account, but only requires the second auth if "suspicious activity" crops up.
3. Google requires 2 auths on each and every login.
On 1, if a bad actor picks up your phone and tries to log in, they will fail if you haven't saved your login, or succeed if you've been lazy and saved it. In the latter case, that's really on you (and you might still be able to get your account back even then, if they didn't fully and quickly reset password and other details!)
On 2 however, they will try to log in, fail, and trigger a lock-down that can only be lifted with both auths. One of which you don't have anymore. Congrads, you've just lost your account!
3 is the same as 2, just for different reasons. As soon as that phone disappears, you don't have the second auth, and you're screwed.
And don't even bother with anything that isn't a phone. We both know nobody in the general public is using anything other than text for this. And some older folks don't even have that! Add on to this that SMS can be easily hacked, and it's pretty clear this whole system is a joke.
In the past, wouldn't all your data still be behind a password? Am I missing something?
The irony of the matter is that I keep my OTP key in the same password manager as my google password, in order to not require a phone to access it, and this "App Password" is significantly weaker than my generated passwords...