Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security IT

Gmail To Start Issuing 2FA Challenges To Change 'Sensitive' Settings (arstechnica.com) 89

Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time. That's not as secure as it could be, so soon Gmail will start posting 2FA challenges if you try to access any "sensitive" settings, even when you're already logged in. From a report: The newly protected settings are for filters, account forwarding, and IMAP. Soon, poking around in any of these options will boot you into a "Verify it's you" 2FA prompt, and you'll have to pass the challenge on your phone (these settings are only available on the web). If this 2FA challenge is failed or not answered, you'll get a bright red "Critical security alert" pop-up alerting you to the attempt on all your trusted devices.
This discussion has been archived. No new comments can be posted.

Gmail To Start Issuing 2FA Challenges To Change 'Sensitive' Settings

Comments Filter:
  • by weirdow ( 9298 ) on Thursday August 24, 2023 @03:45PM (#63794350) Homepage
    And what if your account isn't linked to a phone? Will the 2FA be sent to the recovery email or will you be forced to add a phonenumber or suffer being unable to change whatever you want to change .
    • by omnichad ( 1198475 ) on Thursday August 24, 2023 @03:50PM (#63794364) Homepage

      Google is pretty good at this, at least. 2FA can be a phone, Gmail app, an authenticator app, and a U2F key all at the same time, and you can also print some backup codes just in case. Email is the "master key" to most web sites that let you reset anything with just access to your email address, so please don't take security lightly.

      • So, phone, phone, phone, and an impractical expensive USB toy.
        My phone is not a secure device and it would be very easily stolen from me.
        I am not also not paying $50 for a USB key that can't even double as storage for the handful of things that support it.
        • So, phone, phone, phone, and an impractical expensive USB toy.

          My phone is not a secure device and it would be very easily stolen from me.

          I am not also not paying $50 for a USB key that can't even double as storage for the handful of things that support it.

          So don't use their free service then. Easy.

          • by rossdee ( 243626 )

              "So don't use their free service then. Easy."

            Unfortunately it seems that every other service requires you to have a GMail account

            • Unfortunately it seems that every other service requires you to have a GMail account
               
              Like what?

              • All of the ones that proudly share their usage with Google via the "Login with Google" button he so clearly abuses for everything.

                At least I assume that's the reason. The other reason would be he's just too lazy to use another email service or take the pains to set up his own.
            • I guess I'll go get another burner phone, buy a SIM for cash and use that for Google if they start asking for it.
        • I feel the same way about my phone. It is the one computing device that I use that I don't really trust. This is why I am always glad when a site allows for an authenticator app. It usually gets listed as Google Authenticator, but you can use whatever you want. I tend to use KeepassXC on my Linux boxes. Heck, it's really just a shared secret that you can use to generate number passcodes based on the time. You could write your own if you felt so inclined.

          • by dbialac ( 320955 )
            Given Google's reputation, I have a very hard time trusting their app as far as privacy goes. It might be ok today (probably not), but the next update might make it not ok if it is.
            • by dskoll ( 99328 )

              There are compatible alternatives to Google's authenticator app, such as Aegis [getaegis.app] (Android only, but I'm sure there are others for both iOS and Android.)

        • The shared secret for an authenticator can work on any software that supports it. Doesn't have to be a phone. But my phone is encrypted by default so nobody's getting my security keys just by stealing it.

          I could get a USB key for closer to $25 that also supports NFC. Support for the protocol is built in at the browser level. The only reason it hasn't caught on is because everyone is still happy with SMS for 2FA. It's not so much about the "handful" of things that support it - it's about an email accoun

        • So, phone, phone, phone, and an impractical expensive USB toy.

          I know that the post to which you replied had a lot of words in it, so let me help you focus

          and you can also print some backup codes just in case

          I know what you're thinking... "paper? in this economy?". Yep. Sorry, mate.

        • by dskoll ( 99328 )

          You don't need to run TOTP (aka Google Authenticator App) on a phone. You can run it on your PC, though it's a bit of a bear. I wrote some Perl scripts so I can access my TOTP codes from my Linux PC.

        • by xwin ( 848234 )
          You can use a number of authenticator apps that provide encryption and password protection. andOTP comes to mind but there are many more. Even if you phone is not secured by a password the authenticator app is. If you can't be bothered to protect your tokens, there is no helping you. Just set your google account password to "Password123" and be done with it.
          This google move is actually a good one. It will protect critical configuration parts from being changed by someone who just walked up to the computer.
        • Use Passkey. U2F build into your current device. Or print out the security codes. It's not like you don't have options.

        • Something for your air gapped linux machine cli [nongnu.org]

          It's an open standard, (oath) and there are multiple indepdendent implementations. One of the better two factor methods.

      • by dbialac ( 320955 )

        please don't take security lightly.

        Security, if done properly, should be invisible to the authorized user and impenetrable to the unauthorized user. Cell phones have come close to this with facial recognition and fingerprint ID. 2FA is quite visible to the authorized user and an unbelievably massive headache to anyone who values privacy.

        • Windows Hello is officially FIDO2 certified. As it is, you can use face recognition or fingerprint readers for 2FA on Windows browsers but web sites are the problem. It's web sites barely moving past SMS. Some will use TOTP but very few use U2F or FIDO. And that's a standard that can be implemented in a LOT of different ways. Problem 2 is a lot of sites and services let you have only ONE 2FA registered. So Windows Hello as your 2FA would mean you can only use one computer to log in.

          • by AmiMoJo ( 196126 )

            Sadly Windows Hello does not support U2F/FIDO tokens, i.e. you can't log in to your computer with a Yubikey or other U2F device.

            There is an app from Yubico that allows it, but it has some caveats.

            • It seems that at least Azure AD supports it but I don't think a standard user account does.

              • by AmiMoJo ( 196126 )

                I think it's the opposite, it doesn't work with Azure AD. It doesn't work with RDP either, which is a bit of a serious flaw.

                Microsoft needs to support it natively.

                • https://learn.microsoft.com/en... [microsoft.com]

                  It does require some organizational setup first.

                • Microsoft does support external auth natively. The only problem is that due to the old 90's era crypto US export restrictions, anything that goes near the Windows SAM needs a special signature from Microsoft to even load. Actually getting that signature has even higher requirements than the ones Microsoft imposes for regular drivers. (Read: Vastly more expensive to develop and submit for signing.)

                  As as result, third party authenticators wanting to implement support for Windows Login need to either:
                  A) Des
                  • Logging in with a FIDO2 security key is handled natively by Microsoft's own code. It's an open standard. It's only external in the physical connection sense.

        • Yes, that's the ideal. But it is an ideal.

          The way security is usually done, I'm more than glad to settle for "not blocking your actual work" or no need to actively circumvent security measures to be able to work.

          Blocking Copy&Paste for a remote machine with your password safe on a local machine means back to the old Password-Post-It on the monitor or bad passwords.

          • by hawk ( 1151 )

            So far, I've always been able to deal with the idiots that block pasting of passwords and such is to toggle javascript off, paste, and toggle back on before leaving the field.

            In a couple of cases, I think I've had to add a space, and then delete it, before tabbing out.

            I just added shift-cmd-J to "Disable Javascript" in Safari's Develop menu. (I also added shift-cmd-I to disable image loading)

      • No, gmail does NOT allow a standard authenticator app. It's phone, Windows-based hardware key, or FU.

        • You definitely can. It just can't be your ONLY one so you have to set up another option first. They'll tell you to use Google Authenticator but that's just a standard TOTP implementation.

          • Yeah, you're right. What you -can't- do is turn off using your cell phone for auth without essentially removing gmail from your phone. Nor can you set TOTP as your -primary- 2FA. And FU if you don't actually trust your phone to be used for that.

            • There isn't exactly a primary 2FA. At least in weight. They do have a default first choice, but you can pick a different auth method. And they do require you to use one of 3 methods before choosing any of the other options - phone number, App based approval with either Gmail or YouTube, and a physical security key.

              If you don't want phone or Gmail app (on phone or tablet), you can use a physical security key as your first 2fa method. Though I'm not sure what you think makes a phone with an encryption pi

              • The overwhelming majority of my interaction with my phone is a quick glance. Entering a pin would make that interaction 5 times as long. That's an impractical cost for a security mechanism.

                • NFC Smart unlock is very quick and is closer proximity than Bluetooth so less prone to hijacking from a distance if your phone is stolen.

                  I hope you have no private data on the device.

                  • The first few articles google returned for "NFC smart unlock" were reports that Google removed NFC smart unlock from Android years ago. Is that not correct?

        • by dskoll ( 99328 )

          Gmail absolutely does support standard TOTP as well as its own phone-based thing. I have set up and used TOTP with my Gmail account.

      • Google is pretty good at this, at least. 2FA can be a phone, Gmail app, an authenticator app, and a U2F key all at the same time, and you can also print some backup codes just in case.

        Where do you go to print out these backup codes?

      • by G00F ( 241765 )

        Google is good at what? Google requires a f-ing phone to even sync chrome settings. So no.

        I have yet to find any way for the last several years to crate anything in google without a phone, and they blacklist any non real phone numbers ASAP.

        can't even change your google wifi router settings without a god damn phone.

    • by AmiMoJo ( 196126 )

      How is it 2023 and people still think that 2FA is an SMS message?

      I use a Yubikey device, and an app on my phone. Google doesn't have my phone number on my account, and I won't ever add it as long as they use SMS for account recovery.

      • How is it 2023 and people still think that 2FA is an SMS message?

        Because more than 3/4 of people use SMS as their 2FA

        https://www.comparitech.com/st... [comparitech.com]

      • ... Yubikey device ...

        That can be emulated by software: Being either a password manager, an OTP authenticator (RFC6238), or a challenge-response password scrambler (RFC2104).

        ... 2FA is an SMS message?

        Because 2FA is 'something you have'. For people logging-in via their phone, yes, it is pointless asking the device that's already connected to 'prove' itself.

        • by AmiMoJo ( 196126 )

          For people logging-in via their phone, yes, it is pointless asking the device that's already connected to 'prove' itself.

          Not really. For example, on a Pixel phone it will either ask for your phone password (which is hopefully different to your Google password) or a biometric. It's not quite as ideal, but it is still a formidable challenge for an attacker to both acquire your phone, and its password or your biometric.

          I use a long and complex password for my phone, one of the few I bother to remember.

    • .... will you be forced to add a phone number ...

      Yes or, sometimes an e-mail. The answer might be linking the 2FA to a business phone number, then deleting the 2FA settings after the desired settings are changed.

      Standard practice is a re-authentication before changing settings but since Google performs auto-login, that's no longer proof of an authorized user. Worse, Google is the one demanding "your phone is your password', meaning there is nil security once the device's lock-screen is bypassed.

  • Dislike Forced 2FA (Score:5, Insightful)

    by linuxrunner ( 225041 ) on Thursday August 24, 2023 @03:50PM (#63794366)

    While 2FA is fine for somethings, I hate that it can be forced upon you at some places. It feels as if it is more for data mining than for my protection. Want to pay my electric bill? Better text me to make sure it is really me that wants to pay my bill. I mean if some hacker wishes to pay it, by all means let 'em.

    I'm one of the few people that really wished they didn't have a cell phone but modern society makes it impossible. I don't want to be connected, but I'm a leper if I don't have a cell phone number.

    I didn't want to give my number to some random chick at the counter at Pet Smart and told her I didn't have a phone (I was just in the car) and I was looked at like I was an alien from Mars. It was just easier to tell her that than to tell her I was running an odd operating system and not apple or android, so no, I couldn't use her app.

    I really just want to be left alone.

    • A cell phone is the worst method. Just let me use a U2F/Fido key or an authenticator app and save SMS as a last resort. And let me disable SMS just to not have to worry about simjacking.

      • And when stores ask for a phone number for any reason, I either give (my area code) and then 555-5555 or 867-5309. I've never even had a complaint about the obviously fake 555 number. They're just trying to do what they're required to do and they don't care.

        • by dbialac ( 320955 )
          Do you understand the torment that the person with 867-5309 in any area code already has to go through? You've made it worse.
      • by Dwedit ( 232252 )

        A TOTP "Authentictor App" is just a long password given to you by a server, with a twist that you don't actually enter that password.

        • It's a shared secret. It never gets sent back out over the Internet in any form, just used as a seed for a time-based generated password. I wouldn't call it a password because you're not meant to send it out and you can't reverse engineer the seed from the time-based password.

          • by Dwedit ( 232252 )

            Can't get it from the numbers generated, just from the thing that spits out those numbers. Gotta save that password somewhere.

            At least a dedicated security key is airgapped.

    • by narcc ( 412956 )

      That's an entirely different problem. Why the hell does Pet Smart need an app? What's wrong with just having a web page? It's ridiculous. Not everything needs an app.

      The worst are products that force you to use a stupid, usually poorly maintained, app for basic features. You can't even access parental controls on a Nintendo without a completely unnecessary app.

      I just can't stand it.

    • by dbialac ( 320955 )
      Some sights like Door Dash somehow think their services are important enough to require it. When I was VP at a company, I once laid out a penny on a conference table during a meeting when our security guy was talking about making everything hyper secure. I asked him, "How much time, money and resources would he put forth to secure that penny?" The point was taken. Security was implemented where it was needed and with less worry where it wasn't, there was time to implement stronger security ideas where it wa
    • Anything that is forced on you is not for your benefit.

      Remember Windows95? People were literally lined up outside stores for its release. If it's good or an obvious improvement, people will choose to use it. Can't say the same thing about Windows10, now can we?

  • by Anonymous Coward

    Then what? I hope they don't force me to set it up because it always comes back to providing a phone number, which I don't have.

  • Since most users are lazy, and have terrible data hygiene, why not kill the login after X hours? It's recommended to clear your browser at least once a day, if not more, and run a tool like "bleachbit" to remove any temp files, so really you shouldn't have an active login or session that extends past a day, maybe two days at the most.

    One of the bigger issues in cybersecurity are long-lived sessions, because they rarely serve a purpose other than putting up with lazy users who can't be bothered to conside
  • by jonwil ( 467024 ) on Thursday August 24, 2023 @04:32PM (#63794486)

    Google needs to implement 2fa challenges for YouTube anytime someone does important stuff on a channel. Would help stop the channel hijacking...

  • All your phone numbers are belong to us and we'll sell them to whoever we want!
  • Hardly (Score:5, Interesting)

    by nospam007 ( 722110 ) * on Thursday August 24, 2023 @04:34PM (#63794492)

    "Gmail only asks for your user credentials during the initial login, and that login session can last for weeks at a time"

    I use a VPN and I have to answer 3 (three) times to 3 emails and click on a number to log in.

    It's crazy.

    • That sounds like good scaling security: if the IP address changes, it challenges. If the IP stays the same, it has greater trust. It's not "crazy", it's the price of security, and you are using a VPN, just like the bad guys do when they try to hack into your email account.

    • by AmiMoJo ( 196126 )

      It might actually help to enable 2FA. With it on and using a VPN I get in without needing to receive any emails, just a single 2FA authentication via my phone or Yubikey.

  • and that login session can last for weeks at a time.

    Who the hell stays logged into their email account for weeks? That is just begging for problems. I guess basic security has been abandoned because people are too lazy.

    • by dgatwood ( 11270 )

      and that login session can last for weeks at a time.

      Who the hell stays logged into their email account for weeks? That is just begging for problems. I guess basic security has been abandoned because people are too lazy.

      This is GMail we're talking about, so the login session is shared with Google's search functionality. Thus, almost nobody ever logs out. And if you're using Chrome, there are even more reasons not to do so.

      Multi-user devices in a single household are a grey area, but in general, I'd argue that either a device is under your complete control or it isn't. If it is, then there's no real reason to ever log out of anything, because nobody else can use the device. If it isn't, then it isn't really safe to log

      • by AmiMoJo ( 196126 )

        I think the airline thing is to pressure you into buying a ticket. They know that you probably have half a dozen tabs open, looking for the best deal.

        • by dgatwood ( 11270 )

          I think the airline thing is to pressure you into buying a ticket. They know that you probably have half a dozen tabs open, looking for the best deal.

          The more tabs you have open, the sooner you start having problems, and when I'm choosing between multiple airports, deciding whether to book a round trip with one company or one-way trips with two separate companies, etc., I end up with a bunch of tabs open. By breaking the buying experience, it doesn't drive me to buy more quickly; it makes me have to redo work that I've already done, which slows me down and makes the process take longer. The end result is that I'm angrier at the airlines that do this no

    • The majority of people have been unable to use passwords for about 15 years now. They have just grown too stupid. The mental atrophy of facebook and tiktok has destroyed their minds. I am serious. It hardly matters though, we'll all parboil to about the same tenderness.
    • People have been not been able to use passwords for about 15 years now. They have just grown too stupid. The mental atrophy of facebook and tiktok has destroyed their minds. I am serious. It hardly matters though, we'll all parboil to about the same tenderness.
  • This is just a speed bump they will use to make it harder for you to change your marketing preferences.

  • In my experience 2FA is often a catch-22. Again and again, it happens that the only way I can log in to some bank is 2FA to a phone number that the bank has deemed is not to its liking for 2FA, so the magic cookie never comes.

    In other cases, doing a copy-paste of the magic number picks up a space, which when pasted fails the 2FA. Spaces, you may recall, are invisible. Do this 2x and you are locked out of your account. Call this number to fix it. Sorry, please call us during regular business hours, 4 da

I'd rather just believe that it's done by little elves running around.

Working...