Gmail To Start Issuing 2FA Challenges To Change 'Sensitive' Settings (arstechnica.com) 89
Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time. That's not as secure as it could be, so soon Gmail will start posting 2FA challenges if you try to access any "sensitive" settings, even when you're already logged in. From a report: The newly protected settings are for filters, account forwarding, and IMAP. Soon, poking around in any of these options will boot you into a "Verify it's you" 2FA prompt, and you'll have to pass the challenge on your phone (these settings are only available on the web). If this 2FA challenge is failed or not answered, you'll get a bright red "Critical security alert" pop-up alerting you to the attempt on all your trusted devices.
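The mechanism the summary describes is step-up authentication: a long-lived session stays valid for reading mail, but a short list of high-impact settings demands a fresh second-factor proof, and a failed or unanswered challenge raises an alert. The sketch below is an added illustration of that pattern, not Google's code; the five-minute freshness window, the `StepUpGate` class and the outcome strings are assumptions chosen for the example, and the three sensitive settings are the ones named in the summary.

```python
"""Step-up authentication gate for sensitive account settings (illustrative).

A session may be weeks old; that is fine for reading mail. Changing
filters, forwarding or IMAP settings requires a second-factor proof that is
recent, regardless of how old the login session is.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# The settings the article says are now protected.
SENSITIVE_ACTIONS = frozenset({"filters", "forwarding", "imap"})

# Assumption for this example: a step-up proof stays fresh for 5 minutes.
STEP_UP_MAX_AGE_SECONDS = 300


@dataclass
class Session:
    user: str
    created_at: int                 # epoch seconds of the original login
    last_step_up_at: Optional[int] = None
    alerts: List[str] = field(default_factory=list)


class StepUpGate:
    """Decide whether an action may proceed on a given session.

    outcome strings (assumed for this example):
      "allowed"   - action may proceed
      "challenge" - caller must present a second factor and retry
      "denied"    - a challenge was answered incorrectly; alert recorded
    """

    def __init__(self, max_age: int = STEP_UP_MAX_AGE_SECONDS) -> None:
        self.max_age = max_age

    def needs_step_up(self, session: Session, action: str, now: int) -> bool:
        if action not in SENSITIVE_ACTIONS:
            return False
        if session.last_step_up_at is None:
            return True
        # Freshness is measured from the last step-up, never from login time,
        # so a months-old session cannot coast on its original authentication.
        return now - session.last_step_up_at > self.max_age

    def attempt(self, session: Session, action: str, now: int,
                second_factor_ok: Optional[bool] = None) -> str:
        """second_factor_ok: None = no challenge answered yet,
        True/False = result of the challenge the caller presented."""
        if not self.needs_step_up(session, action, now):
            return "allowed"
        if second_factor_ok is None:
            return "challenge"
        if not second_factor_ok:
            # Mirrors the "Critical security alert" behaviour in the summary:
            # a failed step-up is surfaced to the user on trusted devices.
            session.alerts.append(
                f"critical: failed step-up for '{action}' on {session.user} at {now}")
            return "denied"
        session.last_step_up_at = now
        return "allowed"


if __name__ == "__main__":
    gate = StepUpGate()
    s = Session(user="alice@example.com", created_at=1_700_000_000)  # constructed
    now = s.created_at + 30 * 86400                                   # 30 days later
    print(gate.attempt(s, "labels", now))                 # allowed: not sensitive
    print(gate.attempt(s, "forwarding", now))             # challenge
    print(gate.attempt(s, "forwarding", now, False))      # denied, alert recorded
    print(gate.attempt(s, "forwarding", now, True))       # allowed, proof recorded
    print(gate.attempt(s, "imap", now + 60))              # allowed: proof still fresh
    print(gate.attempt(s, "imap", now + 600))             # challenge: proof expired
```

The point worth noticing is that the freshness clock starts at the last successful challenge, not at login, which is what makes the check meaningful for a session that has been alive for weeks.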
No phone. Then what? (Score:5, Insightful)
Re:No phone. Then what? (Score:4, Informative)
Google is pretty good at this, at least. 2FA can be a phone, Gmail app, an authenticator app, and a U2F key all at the same time, and you can also print some backup codes just in case. Email is the "master key" to most web sites that let you reset anything with just access to your email address, so please don't take security lightly.
Re: (Score:2)
My phone is not a secure device and it would be very easily stolen from me.
I am also not paying $50 for a USB key that can't even double as storage for the handful of things that support it.
Re: (Score:2)
So, phone, phone, phone, and an impractical expensive USB toy.
My phone is not a secure device and it would be very easily stolen from me.
I am also not paying $50 for a USB key that can't even double as storage for the handful of things that support it.
So don't use their free service then. Easy.
Re: (Score:2)
"So don't use their free service then. Easy."
Unfortunately it seems that every other service requires you to have a GMail account
Re: (Score:2)
Unfortunately it seems that every other service requires you to have a GMail account
Like what?
Re: (Score:2)
At least I assume that's the reason. The other reason would be he's just too lazy to use another email service or take the pains to set up his own.
Re: (Score:2)
>"Track Me Senseless" button
FTFY
I feel the same way about my phone. It is the one computing device that I use that I don't really trust. This is why I am always glad when a site allows for an authenticator app. It usually gets listed as Google Authenticator, but you can use whatever you want. I tend to use KeepassXC on my Linux boxes. Heck, it's really just a shared secret that you can use to generate number passcodes based on the time. You could write your own if you felt so inclined.
There are compatible alternatives to Google's authenticator app, such as Aegis [getaegis.app] (Android only, but I'm sure there are others for both iOS and Android.)
The shared secret for an authenticator can work on any software that supports it. Doesn't have to be a phone. But my phone is encrypted by default so nobody's getting my security keys just by stealing it.
I could get a USB key for closer to $25 that also supports NFC. Support for the protocol is built in at the browser level. The only reason it hasn't caught on is because everyone is still happy with SMS for 2FA. It's not so much about the "handful" of things that support it - it's about an email accoun
At $25 for a hardware token, you're getting NFC for free and still get to use it as USB. I really think that adds much cost these days.
Re: (Score:1)
So, phone, phone, phone, and an impractical expensive USB toy.
I know that the post to which you replied had a lot of words in it, so let me help you focus
and you can also print some backup codes just in case
I know what you're thinking... "paper? in this economy?". Yep. Sorry, mate.
Re: (Score:2)
You don't need to run TOTP (aka Google Authenticator App) on a phone. You can run it on your PC, though it's a bit of a bear. I wrote some Perl scripts so I can access my TOTP codes from my Linux PC.
Re: (Score:2)
This google move is actually a good one. It will protect critical configuration parts from being changed by someone who just walked up to the computer.
Use Passkey. U2F built into your current device. Or print out the security codes. It's not like you don't have options.
Something for your air gapped linux machine cli [nongnu.org]
It's an open standard (OATH) and there are multiple independent implementations. One of the better two-factor methods.
Re: (Score:3)
please don't take security lightly.
Security, if done properly, should be invisible to the authorized user and impenetrable to the unauthorized user. Cell phones have come close to this with facial recognition and fingerprint ID. 2FA is quite visible to the authorized user and an unbelievably massive headache to anyone who values privacy.
Re: (Score:3)
Windows Hello is officially FIDO2 certified. As it is, you can use face recognition or fingerprint readers for 2FA on Windows browsers but web sites are the problem. It's web sites barely moving past SMS. Some will use TOTP but very few use U2F or FIDO. And that's a standard that can be implemented in a LOT of different ways. Problem 2 is a lot of sites and services let you have only ONE 2FA registered. So Windows Hello as your 2FA would mean you can only use one computer to log in.
Re: (Score:2)
Sadly Windows Hello does not support U2F/FIDO tokens, i.e. you can't log in to your computer with a Yubikey or other U2F device.
There is an app from Yubico that allows it, but it has some caveats.
Re: (Score:2)
It seems that at least Azure AD supports it but I don't think a standard user account does.
Re: (Score:2)
I think it's the opposite, it doesn't work with Azure AD. It doesn't work with RDP either, which is a bit of a serious flaw.
Microsoft needs to support it natively.
Re: (Score:2)
https://learn.microsoft.com/en... [microsoft.com]
It does require some organizational setup first.
Re: (Score:2)
As as result, third party authenticators wanting to implement support for Windows Login need to either:
A) Des
Re: (Score:2)
Logging in with a FIDO2 security key is handled natively by Microsoft's own code. It's an open standard. It's only external in the physical connection sense.
Re: (Score:2)
Yes, that's the ideal. But it is an ideal.
The way security is usually done, I'm more than glad to settle for "not blocking your actual work" or no need to actively circumvent security measures to be able to work.
Blocking Copy&Paste for a remote machine with your password safe on a local machine means back to the old Password-Post-It on the monitor or bad passwords.
Re: (Score:2)
So far, the way I've always been able to deal with the idiots that block pasting of passwords and such is to toggle javascript off, paste, and toggle back on before leaving the field.
In a couple of cases, I think I've had to add a space, and then delete it, before tabbing out.
I just added shift-cmd-J to "Disable Javascript" in Safari's Develop menu. (I also added shift-cmd-I to disable image loading)
Re: (Score:2)
No, gmail does NOT allow a standard authenticator app. It's phone, Windows-based hardware key, or FU.
Re: (Score:2)
You definitely can. It just can't be your ONLY one so you have to set up another option first. They'll tell you to use Google Authenticator but that's just a standard TOTP implementation.
Re: (Score:2)
Yeah, you're right. What you -can't- do is turn off using your cell phone for auth without essentially removing gmail from your phone. Nor can you set TOTP as your -primary- 2FA. And FU if you don't actually trust your phone to be used for that.
Re: (Score:2)
There isn't exactly a primary 2FA. At least in weight. They do have a default first choice, but you can pick a different auth method. And they do require you to use one of 3 methods before choosing any of the other options - phone number, App based approval with either Gmail or YouTube, and a physical security key.
If you don't want phone or Gmail app (on phone or tablet), you can use a physical security key as your first 2fa method. Though I'm not sure what you think makes a phone with an encryption pi
Re: (Score:2)
The overwhelming majority of my interaction with my phone is a quick glance. Entering a pin would make that interaction 5 times as long. That's an impractical cost for a security mechanism.
Re: (Score:2)
NFC Smart unlock is very quick and is closer proximity than Bluetooth so less prone to hijacking from a distance if your phone is stolen.
I hope you have no private data on the device.
Re: (Score:2)
The first few articles google returned for "NFC smart unlock" were reports that Google removed NFC smart unlock from Android years ago. Is that not correct?
Re: (Score:2)
Gmail absolutely does support standard TOTP as well as its own phone-based thing. I have set up and used TOTP with my Gmail account.
Re: (Score:2)
Where do you go to print out these backup codes?
Re: (Score:2)
Once you've enabled 2FA, it's here:
https://myaccount.google.com/t... [google.com]
Re: (Score:2)
Google is good at what? Google requires a f-ing phone to even sync chrome settings. So no.
I have yet to find any way for the last several years to create anything in google without a phone, and they blacklist any non real phone numbers ASAP.
can't even change your google wifi router settings without a god damn phone.
Re: (Score:2)
How is it 2023 and people still think that 2FA is an SMS message?
I use a Yubikey device, and an app on my phone. Google doesn't have my phone number on my account, and I won't ever add it as long as they use SMS for account recovery.
Re: (Score:2)
Because more than 3/4 of people use SMS as their 2FA
https://www.comparitech.com/st... [comparitech.com]
Re: (Score:2)
That can be emulated by software: Being either a password manager, an OTP authenticator (RFC6238), or a challenge-response password scrambler (RFC2104).
Because 2FA is 'something you have'. For people logging-in via their phone, yes, it is pointless asking the device that's already connected to 'prove' itself.
Re: (Score:2)
For people logging-in via their phone, yes, it is pointless asking the device that's already connected to 'prove' itself.
Not really. For example, on a Pixel phone it will either ask for your phone password (which is hopefully different to your Google password) or a biometric. It's not quite as ideal, but it is still a formidable challenge for an attacker to both acquire your phone, and its password or your biometric.
I use a long and complex password for my phone, one of the few I bother to remember.
Re: (Score:2)
Yes or, sometimes an e-mail. The answer might be linking the 2FA to a business phone number, then deleting the 2FA settings after the desired settings are changed.
Standard practice is a re-authentication before changing settings but since Google performs auto-login, that's no longer proof of an authorized user. Worse, Google is the one demanding "your phone is your password', meaning there is nil security once the device's lock-screen is bypassed.
Dislike Forced 2FA (Score:5, Insightful)
While 2FA is fine for some things, I hate that it can be forced upon you at some places. It feels as if it is more for data mining than for my protection. Want to pay my electric bill? Better text me to make sure it is really me that wants to pay my bill. I mean if some hacker wishes to pay it, by all means let 'em.
I'm one of the few people that really wished they didn't have a cell phone but modern society makes it impossible. I don't want to be connected, but I'm a leper if I don't have a cell phone number.
I didn't want to give my number to some random chick at the counter at Pet Smart and told her I didn't have a phone (I was just in the car) and I was looked at like I was an alien from Mars. It was just easier to tell her that than to tell her I was running an odd operating system and not apple or android, so no, I couldn't use her app.
I really just want to be left alone.
Re: (Score:2)
A cell phone is the worst method. Just let me use a U2F/Fido key or an authenticator app and save SMS as a last resort. And let me disable SMS just to not have to worry about simjacking.
Re: (Score:2)
And when stores ask for a phone number for any reason, I either give (my area code) and then 555-5555 or 867-5309. I've never even had a complaint about the obviously fake 555 number. They're just trying to do what they're required to do and they don't care.
Re: (Score:2)
Don't worry. It will already be signed up so you wouldn't be adding to it. But a lot of area codes have that number unassigned. Incidentally, I found that 517-867-5309 is a rickroll.
https://telephoneworld.org/lan... [telephoneworld.org]
Re: (Score:2)
A TOTP "Authenticator App" is just a long password given to you by a server, with a twist that you don't actually enter that password.
Re: (Score:3)
It's a shared secret. It never gets sent back out over the Internet in any form, just used as a seed for a time-based generated password. I wouldn't call it a password because you're not meant to send it out and you can't reverse engineer the seed from the time-based password.
Re: (Score:2)
Can't get it from the numbers generated, just from the thing that spits out those numbers. Gotta save that password somewhere.
At least a dedicated security key is airgapped.
Re: (Score:2)
That's an entirely different problem. Why the hell does Pet Smart need an app? What's wrong with just having a web page? It's ridiculous. Not everything needs an app.
The worst are products that force you to use a stupid, usually poorly maintained, app for basic features. You can't even access parental controls on a Nintendo without a completely unnecessary app.
I just can't stand it.
Re: (Score:2)
Anything that is forced on you is not for your benefit.
Remember Windows95? People were literally lined up outside stores for its release. If it's good or an obvious improvement, people will choose to use it. Can't say the same thing about Windows10, now can we?
And if you don't have 2FA set up? (Score:1)
Then what? I hope they don't force me to set it up because it always comes back to providing a phone number, which I don't have.
Re: (Score:2)
Google 2FA does not require a phone number.
Bad session hygiene! (Score:2)
One of the bigger issues in cybersecurity are long-lived sessions, because they rarely serve a purpose other than putting up with lazy users who can't be bothered to conside
Re: (Score:2)
> why not kill the login after X hours?
GMail does do exactly that (although X=700ish, which might not be what you had in mind)
They need to do this for YouTube (Score:3)
Google needs to implement 2fa challenges for YouTube anytime someone does important stuff on a channel. Would help stop the channel hijacking...
All your phone numbers are belong to us (Score:2)
Hardly (Score:5, Interesting)
"Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time"
I use a VPN and I have to answer 3 (three) times to 3 emails and click on a number to log in.
It's crazy.
Re: (Score:3)
That sounds like good scaling security: if the IP address changes, it challenges. If the IP stays the same, it has greater trust. It's not "crazy", it's the price of security, and you are using a VPN, just like the bad guys do when they try to hack into your email account.
Re:Hardly (Score:4, Insightful)
IP addresses change a lot these days, due to mobile users switching between cell towers and WiFi APs.
If they killed the session every time your IP address changed, you wouldn't be able to use their services on the train or bus, or walking around.
Re: (Score:2)
I don't even change the IP.
Re: (Score:3)
It might actually help to enable 2FA. With it on and using a VPN I get in without needing to receive any emails, just a single 2FA authentication via my phone or Yubikey.
What? (Score:2)
and that login session can last for weeks at a time.
Who the hell stays logged into their email account for weeks? That is just begging for problems. I guess basic security has been abandoned because people are too lazy.
Re: (Score:3)
and that login session can last for weeks at a time.
Who the hell stays logged into their email account for weeks? That is just begging for problems. I guess basic security has been abandoned because people are too lazy.
This is GMail we're talking about, so the login session is shared with Google's search functionality. Thus, almost nobody ever logs out. And if you're using Chrome, there are even more reasons not to do so.
Multi-user devices in a single household are a grey area, but in general, I'd argue that either a device is under your complete control or it isn't. If it is, then there's no real reason to ever log out of anything, because nobody else can use the device. If it isn't, then it isn't really safe to log
Re: (Score:2)
I think the airline thing is to pressure you into buying a ticket. They know that you probably have half a dozen tabs open, looking for the best deal.
Re: (Score:2)
I think the airline thing is to pressure you into buying a ticket. They know that you probably have half a dozen tabs open, looking for the best deal.
The more tabs you have open, the sooner you start having problems, and when I'm choosing between multiple airports, deciding whether to book a round trip with one company or one-way trips with two separate companies, etc., I end up with a bunch of tabs open. By breaking the buying experience, it doesn't drive me to buy more quickly; it makes me have to redo work that I've already done, which slows me down and makes the process take longer. The end result is that I'm angrier at the airlines that do this no
Re: (Score:2)
Dude, your posts are strange.
I got 2 questions for ya:
1 - What are you smoking?
2 - Where can I get some of it?
Re: (Score:3)
People have been unable to use passwords for about 15 years now.
Coincidentally, sites have been implementing "secure password enforcement" for about 15 years now. It ties in with what dgatwood said:
This is why every time an airline website makes me sign in once every half hour just to be able to see my flights (not buying something, not changing something, just verifying dates and times), I want to find out where their web engineers live, tie them to a chair in a cabin out in the woods somewhere, and make them listen as I read to them the original Netscape cookie specification over and over and over. :-D Such behavior is user-abusive and does nothing to meaningfully improve security.
I have the exact same reaction every time some stupid forum or online game or ticky-tack webstore demands a 10 character password with mixed case and numbers. Fuck you. If you're not my fucking bank or inextricably tied to my bank (no, giving me the option to Save This Card Number For Future Use doesn't count) then fuck you, let me use some trashy shitty throwaway password, a
Re: (Score:2)
Show me a point in time when people could handle 10 characters, mixed case, numbers/symbols. You can't, because they never could.
I'm deeply, deeply sorry you got downmodded, but you don't have to lash out or be willfully obtuse. You're human, sometimes you're wrong, it happens to the best of us.
This is just a speed bump (Score:1)
This is just a speed bump they will use to make it harder for you to change your marketing preferences.
2FA = 0FA (Score:2)
In my experience 2FA is often a catch-22. Again and again, it happens that the only way I can log in to some bank is 2FA to a phone number that the bank has deemed is not to its liking for 2FA, so the magic cookie never comes.
In other cases, doing a copy-paste of the magic number picks up a space, which when pasted fails the 2FA. Spaces, you may recall, are invisible. Do this 2x and you are locked out of your account. Call this number to fix it. Sorry, please call us during regular business hours, 4 da