Google is Changing How You Set Up 2FA

Google is streamlining the process of setting up two-factor authentication (2FA). From a report: Instead of entering your phone number first to enable 2FA, you can now add a "second step method" to your account such as an authenticator app or a hardware security key to get things set up. This should make it safer to turn on 2FA, as it lets you avoid using less secure SMS verification. You can choose to enter a time-based one-time passcode through apps like Google Authenticator, or you can follow the steps to link a hardware security key.
  • Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc. I'm an adult and should be allowed to have my accounts as secure or not as I please.

    • Was thinking the same thing.

      Don't force me to do 2FA....I have it on accounts that matter...but half the shit on the multiple gmail or other accounts is just crap I don't care that much about....they're often used to sign up for stuff to keep from giving my 'real' info....

      • I do 2FA on everything. My local NAS machines all have 2FA on their admin accounts, and I even use the PAM module as a protection for incoming SSH if a key isn't used.

        However, it all depends on the 2FA method.

        Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspe

        • Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspect site and the 2FA there, and now the site has access to the account. However, this can be worked around, and not the fault of the protocol.

          I don't for the life of me understand why these hacks are allowed to persist or why people think systems that do nothing to prevent the world's #1 leading method of compromise should be deemed fit for purpose in 2024.

          PKI (private key) is the solution to what you have. Whether it is bidirectional authentication of the TLS channel or poorly reinventing the wheel (e.g. FIDO et al.)

          SAS + ZKP is the solution to what you know. Which Google et al. have of course universally failed to implement.

          All of this other shi

      • by AmiMoJo ( 196126 )

        Those accounts might not matter to you, but they matter to Google because they don't want them getting hacked and used for spam or scams.

      • If you do not like the terms of their free email account, you have a choice not to use it. Capitalism at its best.
    • Re:No thanks (Score:5, Insightful)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Monday May 06, 2024 @02:36PM (#64452046) Journal

      Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc.

      A lot of people don't realize that their primary email account is the key to pretty much every other account they have, because approximately all online accounts use email to secure their forgotten password reset flows.

      Personally, I treat my email account as my "crown jewel", the most important thing in my life to secure, since it's the key to everything else. Many of my financial accounts will, of course, send me a notification that my password is changed -- via email, to the same email account (some of them allow a separate account, in which case I have them set to notify my wife's account, but not most). A few of the most important financial accounts will also send a followup snail mail notification of the password change, but an attacker can easily drain them before I get that notification.

      I'm an adult and should be allowed to have my accounts as secure or not as I please.

      I agree with the sentiment, but in practice most adults don't understand how to secure their accounts. Some nannying is justified here.

      • As you said, access to an email or device doesn't seem like a good user identification system. And the only way I can imagine one being supported is if it was forced to. You need a system used everywhere to be useful, but it won't be everywhere unless someone pays for it to be.

        Biometric (scan body parts) is the most logical to me. No it shouldn't be the only thing needed to suddenly perform an action, but it should be enough to identify a 'who' at the end of a wire. Or to exclude the possibility too.

        Why

        • by swillden ( 191260 ) <shawn-ds@willden.org> on Monday May 06, 2024 @03:57PM (#64452288) Journal

          Biometric (scan body parts) is the most logical to me.

          How do you ensure that a body part was actually scanned, rather than some bits being replayed? Biometrics provide very high security in attended contexts, e.g. where there's a security guard watching you present the body part to a scanner that is under the control of the entity who is trying to verify you. But when the scanning is done remotely, using scanning hardware that is under the control of the person being scanned, it really doesn't provide much security.

          Another problem with biometrics is that body parts can get lost or damaged, locking people out of stuff. Imagine being unable to pay your bills because you got a little cut on your finger.

          Biometrics have their place, they are valuable authentication tools, but they have serious limitations. They have to be combined with and backstopped by other authentication mechanisms.

          • IMHO, biometrics should be considered as "usernames". They identify the user. However, identification is not authentication. This is the same thing as typing "root" on a console, or "Administrator" on a DC. It means nothing until authentication via some other mechanism or mechanisms is complete.

            Fingerprint + device? Possible. This works for pretty much any and all phones.
            Fingerprint + PIN on a device? Definitely.
            Fingerprint + a YubiKey? Possibly.

            Ideally, combining something you are with something yo

            • IMHO, biometrics should be considered as "usernames".

              They're not usernames, nor are they passwords. They have very different security properties from both, and don't fit into the username/password model.

              The main difference from usernames is that usernames are not inherently bound to the person, but biometrics are. If I know your username, I can type it in and claim to be you. If I know your fingerprint, I cannot submit it to a proper fingerprint scanner (note that "proper" is carrying a lot of weight here). Said another way, in the context of a proper sca

              • by nazrhyn ( 906126 )
                Another important note about biometrics, in the US at least, is that they are not protected by our 5th amendment; it only protects things that are held in your mind, like passwords or combinations. This distinction was recently upheld in court:

                https://yro.slashdot.org/story... [slashdot.org]
                • Another important note about biometrics, in the US at least, is that they are not protected by our 5th amendment; it only protects things that are held in your mind, like passwords or combinations. This distinction was recently upheld in court: https://yro.slashdot.org/story... [slashdot.org]

                  Biometric authentication was found to not be protected by the 5th amendment by a federal appellate court, yes. I think that will stand, although SCOTUS could reverse it. Rulings on password authentication, however, are split. Some appellate courts have held that you cannot be forced to divulge your password because it would be testifying against yourself. Others have held that unless the password itself is incriminating, being forced to divulge it does not self-incriminate, any more than opening your home in

      • The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getti

        • The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getting in those is small, barring a hack on the email provider's side.

          Yep. This is the way to treat your crown jewels, which is what your primary email address is. At least until we finally move away from passwords and therefore from password reset flows.

          That will, of course, create other problems :D

      • by tlhIngan ( 30335 )

        The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

        My bank requires it, which is inconvenient because I'd like to do a transfer, then realize my phone isn't near me and have to run to it in order to sign in using its 2FA system.

        The company I work for did it for Office365, which means if I need to log into Teams on the web, I have to run to my phone to authorize the login as well.

        But since I can't authorize another device, I'm stuck

        • The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

          You can copy your Google Authenticator token to other devices quite easily. Of course, the more places you put the seed secrets, the more opportunity there is for someone to steal them.

        • by flink ( 18449 )

          The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.

          Almost every time you are asked to scan a QR code, there will be some fine print that says "having trouble scanning" or whatever. If you click that, you can usually get the raw TOTP key and then you can save it in a password manager and provision it in multiple places. The manager I use understands TOTP and even has a special field for it so it can generate codes wherever I am, be it work laptop, home pc, or phone.

          Of course this won't work if it is just a provisioning code for a proprietary app.

    • by Junta ( 36770 )

      Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.

      If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC6238 TOTP setups.

      • Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.

        If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC6238 TOTP setups.

        Google Authenticator is an RFC 6238 TOTP implementation, or you can use any other compliant implementation.

      >"Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it."

        ^^^ THIS

        Just any standard TOTP app is all that is needed when it is done correctly. F*** any company trying to force me to give them my personal cell number, that is NOT GOING TO HAPPEN.

    • No you don't need any "app". The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.

      You could do just that even until now, but setting it up was more involved -- you first had to enable 2FA with an android phone (for which you could use an emulator), then add TOTP as an "extra" method, and finally remove the google account phone/emulator, leaving TOTP as the primary 2FA method.

      • The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.

        IMO it's better to use a TOTP app on your phone. Desktop OSes are significantly less secure than mobile OSes (though still better than SMS). But, yes, any RFC-compliant TOTP generator will work.

        • by AmiMoJo ( 196126 )

          For security, a security key is the best option. All the processing happens off-device.

          • For security, a security key is the best option. All the processing happens off-device.

            Maybe. The facts that security keys generally don't require user authentication and are often left plugged into devices all the time are weaknesses under some threat models.

            I have specific ideas about what the best solution is, but it hasn't yet been implemented. I'm working on it :-)

            • by AmiMoJo ( 196126 )

              I don't recall seeing a security key that doesn't require user authentication, as in they require someone to press the button before they will do anything. I suppose anyone could press the button, although Yubikey make one with a fingerprint reader.

              • I don't recall seeing a security key that doesn't require user authentication, as in they require someone to press the button before they will do anything. I suppose anyone could press the button

                Touching a button is not user authentication, it's confirmation. The difference, as you observed, is that anyone can press the button, including the attacker who stole your security key. There's also no way to tell which authentication request you're confirming.

                although Yubikey make one with a fingerprint reader.

                That helps. It still doesn't provide any way to tell which authentication request you're confirming. I'm sure the FAR on that device is terrible, but that's probably fine in this context.

                • by AmiMoJo ( 196126 )

                  In that case your phone might be a good option. Use that as a security key with fingerprint authentication.

    • by kqs ( 1038910 )

      As always, the issue is that people who say this also scream bloody murder when their accounts are hacked and complain that $COMPANY is insecure and needs to fix their security. Also that $COMPANY won't return access to their email accounts since $COMPANY has no good way to prove who the rightful owner is. And $COMPANY is terrible because they don't have huge banks of people in every country waiting by the phone to fix their hacked account problems.

      It's easy to say you'll take personal responsibility wh

    • I'm an adult and should be allowed to have my accounts as secure or not as I please.

      I see that someone else made an attempt at a car analogy using seatbelts, but I'd suggest that the better car analogy is drinking and driving: with both driving drunk and keeping your account in an insecure state, you're imposing a cost on the people around you when something goes wrong. In this case, your account is more likely to be "hacked" through no fault of the service provider (e.g. the email and password you use across every site got out via an unrelated site's leak). Even though it isn't their faul

    • This is another one of those things where previous actions of others causes inconvenience for many others. Because some drank 10 beers then got behind the wheel, now we can't even have 2 then drive. Because some had their life behind a password1234 email account we have 2FA.
    • >"Make it an option but dont force me to use some bloody app"

      The problem [presumably] is that it wasn't an option, they forced you to reveal and use your cell phone number. Many sites assume you can or will do that. I *never* allow that, simply because they *will* spam me.

      But I agree with you when it comes to some proprietary app. Either your system supports TOTP, or it is *broken*. TOTP means you can use ANY authenticator app you want, including things like FreeOTP+ [Haowen Ning] or Authenticator Pr

    • What's the problem here? Just use an open source free authentication app instead. OTP is a protocol, not an app. Apps just implement it. And while Google tries to push you into using their own authenticator for their selfish, self-promoting reasons, you are free to use any OTP app you want.

    • I'm an adult and should be allowed to have my accounts as secure or not as I please.

      I'm sure there are some insecure services out there to help you along with your poor life choices. Also have you considered taking up smoking?

    • Ummm. You are talking about your free Google email account, right? The account which Google has to maintain for you? Under those conditions, Google will now impose more security requirements. It seems rather entitled for you to impose conditions on Google. If it was an account that you paid money to use, that would be a different matter.
  • If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well? Seems like all this does is save the bad actor some time, since now they don't have to compromise a target's SIM first.

    • by Anonymous Coward

      I'm missing something - how is this more secure?
      If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well?

      No one mentioned more or less secure. The word chosen was "streamlined".
      This doesn't affect existing accounts*, so wouldn't have any effect on making their security any different. This is for newly created accounts.

      It means I can enable MFA and choose the type of factor I want, say a FIDO token for example.

      Compare that to before where I had to enable MFA, give them my phone number, validate it, then add a third factor with my FIDO token, go back and attempt to remove the second factor that is my phone numbe

  • I have nothing Google, hence I will not be setting up 2FA with them. So no "changes" to that either.

  • Maybe I'm dumb, but if someone stole your phone and password can't they just install an authenticator app - using your phone number? How is this better than 2FA?
    • ... your phone and password ...

      Then, they have the keys to the kingdom: They can pretend to be you, anytime, anywhere. This is why the phone-unlock PIN exists. The idea is, (don't link all your online services to the one account, and) you enable 2FA before the phone is stolen. In the past, it was assumed having the phone in your sweaty palm was security enough but that thinking creates a bigger point-of-failure. Online services are slowly including not-the-phone authentication, such as TOTP or a physical security key.

  • They have multiple 2FA and MFA solutions and OAuth2, their shameless corruption of email authentication (that already has a zillion options) is one of the worst. It's web-authentication for non-web protocols and it's one of the dumbest things I've seen from them, yet they still act like they know WTF they are doing. Puh leeese. Google, go shut down some more parts of Google (hopefully your MFA/2FA parts) and piss off.
  • by NotEmmanuelGoldstein ( 6423622 ) on Monday May 06, 2024 @06:20PM (#64452650)

    ... your phone number first ...

    Or a physical security key: Then, one can enable TOTP and optionally, delete the security key. Your phone number wasn't needed as much as Google wanted to link the account to a real person.

    It sounds as if the security key is not required anymore.

    On Windows/Linux, "KeePassXC" works as a TOTP authenticator and provides an in-software security key for Mozilla/Chrome browsers.

  • Does this mean Google no longer requires a mobile phone number to have a Google account? I had an old account I lost access to after Google changed the deal and demanded I give them my mobile number.

  • I'm so glad for the convenience of Google login on my favorite porn sites! And since Google, a technological leader, cares about my privacy, I know that I'm in good hands.
