Google is Changing How You Set Up 2FA
Google is streamlining the process of setting up two-factor authentication (2FA). From a report: Instead of entering your phone number first to enable 2FA, you can now add a "second step method" to your account such as an authenticator app or a hardware security key to get things set up. This should make it safer to turn on 2FA, as it lets you avoid using less secure SMS verification. You can choose to enter a time-based one-time passcode through apps like Google Authenticator, or you can follow the steps to link a hardware security key.
No thanks (Score:2)
Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc. I'm an adult and should be allowed to have my accounts as secure or not as I please.
Re: No thanks (Score:4)
Hysterical analogy. Don't try and equate a life with a hack of an email account.
Real reason - avoiding regulation (Score:3)
Google, Microsoft and the usual companies want to avoid using any phone system related calls, messaging to avoid regulation by phone regulators around the world.
They want to control all aspects of the security lifecycle from secure boot on phone hardware, network protocols, communication mechanisms, 2FA method and biometrics to
- Collect as much data as possible on you
- Build AI profiles of users end-to-end use of a phone, app
- Not pay any phone system for the cost of sending a SMS text message or a phone ca
Re: (Score:3)
Hysterical analogy. Don't try and equate a life with a hack of an email account.
Well... these days you're not far off. What is a hack of a Google account? For many people it's their email. It's their calendar. It's their password safe. It's the login to other systems. With the email + password it's also the backup 2FA process used for many of their other services.
You can very quickly find your life (while not completely over in the beating heart sense) can be absolutely devastated if this level of information is handed over to someone else. Didn't we just run a story on Slashdot a few
Re: (Score:3)
Don't force me to do 2FA....I have it on accounts that matter...but half the shit on the multiple gmail or other accounts is just crap I don't care that much about....they're often used to sign up for stuff to keep from giving my 'real' info....
Re: (Score:2)
I do 2FA on everything. My local NAS machines all have 2FA on their admin accounts, and I even use the PAM module as a protection for incoming SSH if a key isn't used.
However, it all depends on the 2FA method.
Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspe
Re: (Score:2)
Google Authenticator TOTP is IMHO the best. It is simple, as it is a shared secret, handled by a lot of apps and PW managers, easy to export/import, and it is a solid protocol, and gives excellent security. Of course, its downside is phishing, and MITMs where someone enters their password on a suspect site and the 2FA there, and now the site has access to the account. However, this can be worked around, and not the fault of the protocol.
I don't for the life of me understand why these hacks are allowed to persist or why people think systems that do nothing to prevent the world's #1 leading method of compromise should be deemed fit for purpose in 2024.
PKI (private key) is the solution to what you have. Whether it is bidirectional authentication of the TLS channel or poorly reinventing the wheel (e.g. FIDO et al.)
SAS + ZKP is the solution to what you know. Which Google et al. have of course universally failed to implement.
All of this other shi
Re: (Score:2)
Those accounts might not matter to you, but they matter to Google because they don't want them getting hacked and used for spam or scams.
Re: (Score:2)
Re:No thanks (Score:5, Insightful)
Make it an option but don't force me to use some bloody app (hardware token for personal use? Don't make me laugh) just to connect to email etc.
A lot of people don't realize that their primary email account is the key to pretty much every other account they have, because approximately all online accounts use email to secure their forgotten password reset flows.
Personally, I treat my email account as my "crown jewel", the most important thing in my life to secure, since it's the key to everything else. Many of my financial accounts will, of course, send me a notification that my password is changed -- via email, to the same email account (some of them allow a separate account, in which case I have them set to notify my wife's account, but not most). A few of the most important financial accounts will also send a followup snail mail notification of the password change, but an attacker can easily drain them before I get that notification.
I'm an adult and should be allowed to have my accounts as secure or not as I please.
I agree with the sentiment, but in practice most adults don't understand how to secure their accounts. Some nannying is justified here.
Need a new identity method/system. (Score:2)
As you said, access to an email or device doesn't seem like a good user identification system. And the only way I can imagine one being supported is if it was forced to. You need a system used everywhere to be useful, but it won't be everywhere unless someone pays for it to be.
Biometric (scan body parts) is the most logical to me. No it shouldn't be the only thing needed to suddenly perform an action, but it should be enough to identify a 'who' at the end of a wire. Or to exclude the possibility too.
Why
Re:Need a new identity method/system. (Score:5, Informative)
Biometric (scan body parts) is the most logical to me.
How do you ensure that a body part was actually scanned, rather than some bits being replayed? Biometrics provide very high security in attended contexts, e.g. where there's a security guard watching you present the body part to a scanner that is under the control of the entity who is trying to verify you. But when the scanning is done remotely, using scanning hardware that is under the control of the person being scanned, it really doesn't provide much security.
Another problem with biometrics is that body parts can get lost or damaged, locking people out of stuff. Imagine being unable to pay your bills because you got a little cut on your finger.
Biometrics have their place, they are valuable authentication tools, but they have serious limitations. They have to be combined with and backstopped by other authentication mechanisms.
Re: (Score:2)
IMHO, biometrics should be considered as "usernames". They identify the user. However, identification is not authentication. This is the same thing as typing "root" on a console, or "Administrator" on a DC. It means nothing until authentication via some other mechanism or mechanisms is complete.
Fingerprint + device? Possible. This works for pretty much any and all phones.
Fingerprint + PIN on a device? Definitely.
Fingerprint + a YubiKey? Possibly.
Ideally, combining something you are with something yo
Re: (Score:3)
IMHO, biometrics should be considered as "usernames".
They're not usernames, nor are they passwords. They have very different security properties from both, and don't fit into the username/password model.
The main difference from usernames is that usernames are not inherently bound to the person, but biometrics are. If I know your username, I can type it in and claim to be you. If I know your fingerprint, I cannot submit it to a proper fingerprint scanner (note that "proper" is carrying a lot of weight here). Said another way, in the context of a proper sca
Re: (Score:2)
https://yro.slashdot.org/story... [slashdot.org]
Re: (Score:2)
Another important note about biometrics, in the US at least, is that they are not protected by our 5th amendment; it only protects things that are held in your mind, like passwords or combinations. This distinction was recently upheld in court: https://yro.slashdot.org/story... [slashdot.org]
Biometric authentication was found to not be protected by the 5th amendment by a federal appellate court, yes. I think that will stand, although SCOTUS could reverse it. Rulings on password authentication, however, are split. Some appellate courts have held that you cannot be forced to divulge your password because it would be testifying against yourself. Others have held that unless the password itself is incriminating, being forced to divulge it does not self-incriminate, any more than opening your home in
Re: (Score:2)
The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getti
Re: (Score:2)
The ironic thing is that one of my gmail accounts and AppleIDs is arguably well secured. Not just a password, but a YubiKey, and the YubiKey requires a PIN before it will complete the auth process, so this means something a long passphrase as a front line defense, but even then, there is a public key and a PIN guarding that, which erases the key on the cryptographic token after a few tries. With that in mind, those two accounts are quite useful for recovery because the chance of someone unauthorized getting in those is small, barring a hack on the email provider's side.
Yep. This is the way to treat your crown jewels, which is what your primary email address is. At least until we finally move away from passwords and therefore from password reset flows.
That will, of course, create other problems :D
Re: (Score:2)
The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.
My bank requires it, which is inconvenient because I'd like to do a transfer, then realize my phone isn't near me and have to run to it in order to sign in using its 2FA system.
The company I work for did it for Office365, which means if I need to log into Teams on the web, I have to run to my phone to authorize the login as well.
But since I can't authorize another device, I'm stuck
Re: (Score:3)
The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.
You can copy your Google Authenticator token to other devices quite easily. Of course, the more places you put the seed secrets, the more opportunity there is for someone to steal them.
Re: (Score:3)
The problem is the tokens are generally not as portable. I'm still trying to find one that lets me install it in multiple places.
Almost every time you are asked to scan a QR code, there will be some fine print that says "having trouble scanning" or whatever. If you click that, you can usually get the raw TOTP key and then you can save it in a password manager and provision it in multiple places. The manager I use understands TOTP and even has a special field for it so it can generate codes wherever I am, be it work laptop, home pc, or phone.
Of course this won't work if it is just a provisioning code for a proprietary app.
Re: (Score:3)
Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.
If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC 6238 TOTP setups.
Re: (Score:2)
Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it.
If it's one of these 'MFA vendors' with a bespoke app, that is tiresome, but I don't mind RFC 6238 TOTP setups.
Google Authenticator is an RFC 6238 TOTP implementation, or you can use any other compliant implementation.
Re: (Score:2)
>"Note that if 'some bloody' app can be KeePassXC or FreeOTP+, I won't mind it."
^^^ THIS
Just any standard TOTP app is all that is needed when it is done correctly. F*** any company trying to force me to give them my personal cell number, that is NOT GOING TO HAPPEN.
Re: (Score:3)
No you don't need any "app". The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.
You could do just that even until now, but setting it up was more involved -- you first had to enable 2FA with an Android phone (for which you could use an emulator), then add TOTP as an "extra" method, and finally remove the Google account phone/emulator, leaving TOTP as the primary 2FA method.
Re: (Score:3)
The so called "Authenticator App" in Google Account settings / Security / 2-Step Verification is actually TOTP, which you could simply generate with a browser extension.
IMO it's better to use a TOTP app on your phone. Desktop OSes are significantly less secure than mobile OSes (though still better than SMS). But, yes, any RFC-compliant TOTP generator will work.
Re: (Score:2)
For security, a security key is the best option. All the processing happens off-device.
Re: (Score:2)
For security, a security key is the best option. All the processing happens off-device.
Maybe. The facts that security keys generally don't require user authentication and are often left plugged into devices all the time are weaknesses under some threat models.
I have specific ideas about what the best solution is, but it hasn't yet been implemented. I'm working on it :-)
Re: (Score:2)
I don't recall seeing a security key that doesn't require user authentication, as in they require someone to press the button before they will do anything. I suppose anyone could press the button, although Yubikey make one with a fingerprint reader.
Re: (Score:2)
I don't recall seeing a security key that doesn't require user authentication, as in they require someone to press the button before they will do anything. I suppose anyone could press the button
Touching a button is not user authentication, it's confirmation. The difference, as you observed, is that anyone can press the button, including the attacker who stole your security key. There's also no way to tell which authentication request you're confirming.
although Yubikey make one with a fingerprint reader.
That helps. It still doesn't provide any way to tell which authentication request you're confirming. I'm sure the FAR on that device is terrible, but that's probably fine in this context.
Re: (Score:2)
In that case your phone might be a good option. Use that as a security key with fingerprint authentication.
Re: (Score:2)
As always, the issue is that people who say this also scream bloody murder when their accounts are hacked and complain that $COMPANY is insecure and needs to fix their security. Also that $COMPANY won't return access to their email accounts since $COMPANY has no good way to prove who the rightful owner is. And $COMPANY is terrible because they don't have huge banks of people in every country waiting by the phone to fix their hacked account problems.
It's easy to say you'll take personal responsibility wh
Re: (Score:2)
I'm an adult and should be allowed to have my accounts as secure or not as I please.
I see that someone else made an attempt at a car analogy using seatbelts, but I'd suggest that the better car analogy is drinking and driving: with both driving drunk and keeping your account in an insecure state, you're imposing a cost on the people around you when something goes wrong. In this case, your account is more likely to be "hacked" through no fault of the service provider (e.g. the email and password you use across every site got out via an unrelated site's leak). Even though it isn't their faul
Re: No thanks (Score:1)
Re: (Score:2)
>"Make it an option but dont force me to use some bloody app"
The problem [presumably] is that it wasn't an option, they forced you to reveal and use your cell phone number. Many sites assume you can or will do that. I *never* allow that, simply because they *will* spam me.
But I agree with you when it comes to some proprietary app. Either your system supports TOTP, or it is *broken*. TOTP means you can use ANY authenticator app you want, including things like FreeOTP+ [Haowen Ning] or Authenticator Pr
Re: No thanks (Score:2)
What's the problem here? Just use an open source free authentication app instead. OTP is a protocol, not an app. Apps just implement it. And while Google tries to push you into using their own authenticator for their selfish, self-promoting reasons, you are free to use any OTP app you want.
Re: (Score:2)
I'm an adult and should be allowed to have my accounts as secure or not as I please.
I'm sure there are some insecure services out there to help you along with your poor life choices. Also have you considered taking up smoking?
Re: (Score:2)
I'm missing something - how is this more secure? (Score:2)
If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well? Seems like all this does is save the bad actor some time, since now they don't have to compromise a target's SIM first.
Re: (Score:1)
I'm missing something - how is this more secure?
If a bad actor already has access allowing them to create a new email address which doesn't belong to them, what's to stop them from setting up the new second factor using their own authenticator app as well?
No one mentioned more or less secure. The word chosen was "streamlined"
This doesn't affect existing accounts* so wouldn't have any effect on making their security any different. This is for newly created accounts.
It means I can enable MFA and choose the type of factor I want, say a FIDO token for example.
Compare that to before where I had to enable MFA, give them my phone number, validate it, then add a third factor with my FIDO token, go back and attempt to remove the second factor that is my phone numbe
Re: (Score:2)
Who should hire competent computer people? The problem isn't the computer people, it's the random users who regularly get hacked because NOBODY is immune.
The only thing you can be sure of is that people who proudly proclaim that they're too competent to be hacked, will be hacked.
Re: (Score:2)
... hire halfway competent computer people. That would work.
What, in your estimation, would these "competent computer people" do, exactly?
No, it is not (Score:2)
I have nothing Google, hence I will not be setting up 2FA with them. So no "changes" to that either.
How does this help??? (Score:2)
Re: (Score:2)
Then, they have the keys to the kingdom: They can pretend to be you, anytime, anywhere. This is why the phone-unlock PIN exists. The idea is, (don't link all your online services to the one account, and) you enable 2FA before the phone is stolen. In the past, it was assumed having the phone in your sweaty palm was security enough but that thinking creates a bigger point-of-failure. Online services are slowly including not-the-phone authentication, such as TOTP or a physical security key.
Google designed Oauth2. It's terrible. F'off now. (Score:2)
Or security key (Score:3)
Or a physical security key: Then, one can enable TOTP and optionally, delete the security key. Your phone number wasn't needed as much as Google wanted to link the account to a real person.
It sounds as if the security key is not required anymore.
On Windows/Linux, "KeePassXC" works as a TOTP authenticator and provides an in-software security key for Mozilla/Chrome browsers.
Google account without phone number? (Score:2)
Does this mean Google no longer requires a mobile phone number to have a Google account? I had an old account I lost access to after Google changed the deal and demanded I give them my mobile number.
Good thing I only use it for porn (Score:2)
I'm so glad for the convenience of Google login on my favorite porn sites! And since Google, a technological leader, cares about my privacy, I know that I'm in good hands.