What they forgot to mention --- it has drastically undercut user privacy.
Your phone number is personally identifying/privacy destroying info. Never provide your phone number if you have any expectation of privacy.
But on second thought, never use Google if you have any expectation of privacy. Their entire business is built around destroying user privacy for profit --- and this is just the latest example.
Google's 2FA auto-enroll uses your installed phone apps. For example, if you have the Google app on your phone connected to your account, you're auto-enrolled. From what I understand, you don't need to give your phone number (but I believe you now need to give a phone number when signing up for a new Google account)
Is 2FAing everything in our life really the way to go? I'm 2FAing so many times each day -- work, email, entertainment, banking, etc. And if you ever change an element of your life, like moving to a new house, it's bonkers for a few days.
1FA with U2F is viable for most people. Same risk profile as the security of your house, car, safety deposit box, credit card.
A distant second is push notification login, but it has a lot of drawbacks including users allowing every time they get a notification and compromised phones. Just not SMS! Or sending links/tokens by email.
Most people accept that their houses are accessible via a single physical key that - in reality - is mostly security theater as 10 minutes of lock picking lawyer will yeild favourable results depending on your motivation.
And 2FA does not represent the real world. If you lose your house key, you may need a new door, or perhaps a skilled locksmith can make your day a lot less worse.
Yet, in the digital sphere, if you lose your 2FA (or backup codes) your account is lost, forever. There is no "digital locksmith". I dare anyone to test this by losing their "key" and attempting to regain access, there is no other human on earth you can physically contact, especially with Google.
Let me ask anyone here: you've invested over 10+ years of your life working for your house or car. You get a single set of keys. The terms and conditions state if you ever lose your keys you will be locked out, without recourse, forever.
Yet this happens constantly with Google (just search HN, it's practically every week!). If their AI says "you bad, you go bye", your keys are taken away and any of your legally purchased possession's are just taken away, and somehow this is legal!!
We must fix this before mandating strict digital security.
I agree with you but Google has helped me recover my personal gmail account multiple times. The form sends a request which can take them a few days to respond.
> Most people accept that their houses are accessible via a single physical key that - in reality - is mostly security theater as 10 minutes of lock picking lawyer will yeild favourable results depending on your motivation.
It's not security theatre. You have to think in terms if threat models. Majority of breakins happen because someone opened the door or left it unlocked. Like computers, even if the door was 2ft stell that is very hard to open, most houses you can just cut through the wall with a mediocre investment at homedepot. The security of the door isn't a good comparison because having a lock and a keypad for second factor auth won't change much. A pry bar or battering ram away either way. The threat model of locks for regular people exclude threat actors that will go to that length to break in because of various factors including the value of what is behind the doors,etc... your typical crackhead or habitual criminal isn't looking to pick locks or break doors because it takes time, people have doorcams these days and they are too lazy, there are easier targets where people leave keys under a rock, open up if you knock with a pizza box in hand,etc... like cybercrime irl attackers tend to go after the easiest most valuable target.
> And 2FA does not represent the real world. If you lose your house key, you may need a new door, or perhaps a skilled locksmith can make your day a lot less worse.
There are 2FA locks with pin/key/bluetooth/app combinations.
> Yet, in the digital sphere, if you lose your 2FA (or backup codes) your account is lost, forever.
Arguably, a locksmith replacing your lock is the same as you having to create a new account. If an online service refuses to reset your credential it is only because you agreed to the Tos, otherwise you have legal means to obtain anything of value behind that account just like IRL. Also, I know people that were robbed and lost all their documentation and it took years to get it all back during which they couldn't get a driver license and most employers couldn't hire them.
> The terms and conditions state if you ever lose your keys you will be locked out, without recourse, forever.
You keep using strawman arguments. Crappy Tos and company have nothing to do with the discussion regarding authentication mechanisms. A service can always verify your ID and when you are locked out require another id verification to allow credential reset which some cryptowallet providers do.
Stop using shitty services by companies like Google. I haven't needed a personal google account in over half a year after cutting out android from my life.
Also, security can be good without being strict. And strict security can be bad.
The transition from elective to non-consensual "for your own good
security" no longer means more or less "security", it is a
qualitative, fundamental change in what "security" _is_ and the
relation you have to a "service".
It ceases to be a service. The power relation has changed. This is no
longer about security, as you and I (regular folk) would understand
it. Call it other things please; data-mining, enforced tracking,
enclosure, domestication, bullying - but don't dignify the narrative
by continuing to talk about "security" or "authentication".
Many people miss this subtle sleight, the switch where the bodyguard
becomes the kidnapper, or the walls to keep baddies out become the
cage to keep you in.
I don't think it's ridiculous at all. I've had a gmail account for 13 years or so, and year or two ago, they started hounding me to give them my phone number. I never did and eventually they quit bugging me about it.
I don't think Google has any particular interest in our security. Why should they if we're not paying them? As a cororation, it doesn't make any difference.
But what they do want is more information about us, so they can target better and charge more for ads. I'm sure if they have all that mail content, Google Drive content, Google Docs, Sheets, presentations, etc., having a phone number too is somehow to their financial advantage for their ad business, and that's the reason they want it.
Same as the politicians pushing no encryption for the safety of kids. It's only slightly because they also want to be able to intercept all our communications. Yeah, sure it is.
The 2fa here relies on push notifications, not on phone numbers by my understanding.
> I don't think Google has any particular interest in our security. Why should they if we're not paying them? As a cororation, it doesn't make any difference.
But so many of Google's actions do show that it cares about security, from the high-security mode for journalists and other at-risk populations to this very post, so perhaps your premises are wrong?
I noticed the other day when making a throw away google account that the phone number box was outlined in red implying it was mandatory. I called their bluff and left it blank without running into issues. Could be I was in an A/B test, not sure really.
Curious if that worked for you longer term. I remember getting stuck.
I know twitter and facebook will allow you to proceed but then lock your account "for security reasons" pretty much immediately unless you cough up the goods.
That could happen. It's been working for a few weeks but I only log in every few days to check on a youtube comment so who knows. Its fine for me really. I only create throw away accounts with them.
That happened when I created a twitter account a year and a half ago. Their explanation was obviously bullshit, as I had not posted even a single comment with the account. I felt peeved, so I filed daily complaints with customer service, and they eventually relented. (It's been a while, so my recollection is hazy, but I think it took a couple of weeks.)
2FA with Google has screwed me out of an important account when I switched phone numbers after moving countries. I was on the phone with customer service for countless hours and customer support more or less directly said that there's nothing that can be done. The only way I was able to recover the account was some internal process with a friend that worked at Google at the time. This was 5 years ago. I have never opted into 2FA since.
Living on a boat which has internet access but limited access to cell service, I'm finding 2FA to be seriously inconvenient. I can't get into one of my bank accounts most of the time, because they don't believe I'm me, despite using the same computer as ever, and require me to enter a code they've sent to my phone, which I can't provide because my phone has no service. Grr.
19 comments
[ 2.9 ms ] story [ 30.2 ms ] threadYour phone number is personally identifying/privacy destroying info. Never provide your phone number if you have any expectation of privacy.
But on second thought, never use Google if you have any expectation of privacy. Their entire business is built around destroying user privacy for profit --- and this is just the latest example.
What do they do for desktop and iPhone users?
What comes after 2FA-everything?
A distant second is push notification login, but it has a lot of drawbacks including users allowing every time they get a notification and compromised phones. Just not SMS! Or sending links/tokens by email.
And 2FA does not represent the real world. If you lose your house key, you may need a new door, or perhaps a skilled locksmith can make your day a lot less worse.
Yet, in the digital sphere, if you lose your 2FA (or backup codes) your account is lost, forever. There is no "digital locksmith". I dare anyone to test this by losing their "key" and attempting to regain access, there is no other human on earth you can physically contact, especially with Google.
Let me ask anyone here: you've invested over 10+ years of your life working for your house or car. You get a single set of keys. The terms and conditions state if you ever lose your keys you will be locked out, without recourse, forever.
Yet this happens constantly with Google (just search HN, it's practically every week!). If their AI says "you bad, you go bye", your keys are taken away and any of your legally purchased possession's are just taken away, and somehow this is legal!!
We must fix this before mandating strict digital security.
It's not security theatre. You have to think in terms if threat models. Majority of breakins happen because someone opened the door or left it unlocked. Like computers, even if the door was 2ft stell that is very hard to open, most houses you can just cut through the wall with a mediocre investment at homedepot. The security of the door isn't a good comparison because having a lock and a keypad for second factor auth won't change much. A pry bar or battering ram away either way. The threat model of locks for regular people exclude threat actors that will go to that length to break in because of various factors including the value of what is behind the doors,etc... your typical crackhead or habitual criminal isn't looking to pick locks or break doors because it takes time, people have doorcams these days and they are too lazy, there are easier targets where people leave keys under a rock, open up if you knock with a pizza box in hand,etc... like cybercrime irl attackers tend to go after the easiest most valuable target.
> And 2FA does not represent the real world. If you lose your house key, you may need a new door, or perhaps a skilled locksmith can make your day a lot less worse.
There are 2FA locks with pin/key/bluetooth/app combinations.
> Yet, in the digital sphere, if you lose your 2FA (or backup codes) your account is lost, forever.
Arguably, a locksmith replacing your lock is the same as you having to create a new account. If an online service refuses to reset your credential it is only because you agreed to the Tos, otherwise you have legal means to obtain anything of value behind that account just like IRL. Also, I know people that were robbed and lost all their documentation and it took years to get it all back during which they couldn't get a driver license and most employers couldn't hire them.
> The terms and conditions state if you ever lose your keys you will be locked out, without recourse, forever.
You keep using strawman arguments. Crappy Tos and company have nothing to do with the discussion regarding authentication mechanisms. A service can always verify your ID and when you are locked out require another id verification to allow credential reset which some cryptowallet providers do.
Stop using shitty services by companies like Google. I haven't needed a personal google account in over half a year after cutting out android from my life.
Also, security can be good without being strict. And strict security can be bad.
The transition from elective to non-consensual "for your own good security" no longer means more or less "security", it is a qualitative, fundamental change in what "security" _is_ and the relation you have to a "service".
It ceases to be a service. The power relation has changed. This is no longer about security, as you and I (regular folk) would understand it. Call it other things please; data-mining, enforced tracking, enclosure, domestication, bullying - but don't dignify the narrative by continuing to talk about "security" or "authentication".
Many people miss this subtle sleight, the switch where the bodyguard becomes the kidnapper, or the walls to keep baddies out become the cage to keep you in.
I don't think Google has any particular interest in our security. Why should they if we're not paying them? As a cororation, it doesn't make any difference.
But what they do want is more information about us, so they can target better and charge more for ads. I'm sure if they have all that mail content, Google Drive content, Google Docs, Sheets, presentations, etc., having a phone number too is somehow to their financial advantage for their ad business, and that's the reason they want it.
Same as the politicians pushing no encryption for the safety of kids. It's only slightly because they also want to be able to intercept all our communications. Yeah, sure it is.
> I don't think Google has any particular interest in our security. Why should they if we're not paying them? As a cororation, it doesn't make any difference.
But so many of Google's actions do show that it cares about security, from the high-security mode for journalists and other at-risk populations to this very post, so perhaps your premises are wrong?
I know twitter and facebook will allow you to proceed but then lock your account "for security reasons" pretty much immediately unless you cough up the goods.