Who's using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication It has been nearly seven years since Google introduced two-factor authentication for Gmail accounts, and virtually no one is using it. In a presentation at Usenix's Enigma 2018 security conference in California, Google software engineer Grzegorz Milka today revealed that, right now, less than 10 per cent of active Google …
I wish I could say I was surprised by these figures but, as a network admin who enforces 2FA on all of the systems I manage, so who has to deal with the faux ignorance of users as a result, and given that passwords like 12345678 and Password123! still figure highly in password breach lists, I am, in all honesty not.
There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities) and lots of good reasons to use it. My extended network of contacts whose systems I don't manage means that I still speak to people who suffer system breaches that would have been prevented by 2FA but even after suffering a breach, people would rather substitute one bad password that they use on more than one system for another bad password that they use on more than one system and pretend they've solved the problem and that it can't happen again. In circumstances such as that, and in this day and age, it's hard not to think that they deserve all that's coming to them.
If it's duo, please for the love of god turn off the setting to detect rooted phones. I factory reset two different phones from the graveyard drawer and still couldn't log in because both had their bootloader fuses set. Had to buy myself a fresh phone just for corp login.
I too enforce it. Gapps for work. Its in the admin settings.
https://torbjornzetterlund.com/enable-enforcing-2fa-g-suite/
Its a very secure setup and we have several thousand users, happy with Google suite, and no issues with 2FA. all for the fraction of the price of a Microsoft office suite, we get a superb, secure, integrated, use anywhere, office, mail, calendar collaboration suite.... We laugh at organisation that will think it's the 1990s and shop accordingly.
Before some clueless numpty chimes in about Google privacy. Gapps for business and education have their own policies...
https://support.google.com/googlecloud/answer/6056650?hl=en
" "I wish I could say I was surprised by these figures but, as a network admin who enforces 2FA on all of the systems I manage"
How did you manage to achieve that? I suspect a lot of enquiring minds would like to know."
Ditto!
you actually get a say in how things are done? that must be awesome! do you own the company?
nobody ever asks my opinion on anything. I sit in the corner of a shared office listening to the fallout of a cavalcade of totally avoidable wreckage spewing past my ears. Its not good for my stress levels just listening to the fucked upped ness that I hear all day, must be worse for those actually having to deal with it . When theyre not doing that , they are doing incredibly labourious data entry jobs that could easliy have been automated. I offered to automate it , but this fell on deaf ears ... " oh were doing that one day ...may as well leave it for now ..."
I'm really surprised that there would be a question about how I'm able to enforce 2FA on all the systems I administer. @Throatwarbler Mangrove's response summed it up really rather well I felt:-
"
Admin: "Welcome to $company. You have your choice of using an RSA token or smartphone token app to log in. Please set your PIN now."
Sorted.
"
I've done this for the last 3 years with several different companies but to be fair, the largest was only about 120 people. They were in 5 offices in the UK, Hong Kong and China, as well as quite a few home based users though. It wasn't easy but it was easier than fixing a breach caused by the criminally awful passwords users choose, and easier for them to deal with than dealing with me leaving. I always explained the reasons why we were using it and made easy to follow documentation easily available (I even did a video). But the secret sauce had two ingredients: a splash of beligerence (see @Throatware Warbler's reply) and a generous helping of trickery, which was to make it as easy as possible for a few key execs, even if that meant doing everything 2FA related for them so that when people complained to them they couldn't understand what the fuss was about and told people to just do as I said.
As a sidenote to my last comment, I should probably mention that our pro mail system is unreachable from outside the local network, and that I host my own mail server for sensitive personnal stuff. My Google accounts are thus only seeing mundane, unimportant material (as they bloody should)
There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities)
huh?
If you are disabled and can use a computer, then you can use a phone app to do the 2FA key.
But yeah, I'm one of the 10% who does it on my active gmail accounts.
If you are disabled and can use a computer, then you can use a phone app to do the 2FA key.
Nonsense. The number of exceptions is vast, even before you bring disabilities into the picture. We have an office with completely stable cabled internet but no cell coverage on anything but O2 (and it isn't reliable) and customers who either can't (underground facility) or won't (compliance) allow external communication that doesn't go through their firewalls (we can log in to our mail server but cell phones stay with security at the gate). 2FA can work with the little calculator gizmos that some banks issue, but anything dependent on cellphones is a non-starter.
That's still entirely Google's fault.
First there's the fact that my cheapo smartphone doesn't have any room left for yet another app (mostly because Google insist that I keep its own Play-related apps installed and up-to-date even though I never used them, ever, and never will, and also partly because GNURoot Debian is more important to me than pretty much anything else -and nothing of that can be installed on my humongous SD cards because Google's own Android won't allow it without jailbreaking the phone).
And then I only use my Gmail account through IMAP -I only log in my Google accounts when Google forces me to do so because apparently logging in via IMAP from across the street (let alone from abroad) is apparently considered suspicious enough to warrant an account lockdown. Given that my mail apps have, to put it lightly, QUITE decent security features, 2FA would actually decrease both usability and security for me (stealing and unlocking my phone would be a whole lot easier than breaking my accounts from the user side, although of course if The Big G slips and gives access to my account from the inside I'm stuffed, but 2FA can't solve that).
There is of course a bit of stubbornness from my side, too : I couldn't be bothered to keep my smartphone with me at all times to save my life.
The day Google enforces 2FA, I'm gone. I can't be the only one.
Note that I do use 2FA for my banking operations, even though my bank doesn't mandate it. I choose the card-reader password generator, because even though it's a bit more cumbersome it's actually 3FA (webform login, physical card, and NIP). 3.5 FA if you take the card reader into account.
> "There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities) "
Last time I looked at GMail's 2FA, it wanted to either use a smartphone app, or send me an SMS. First option's out as I don't own a smartphone (which, depending on the age bracket you look at, is not that uncommon - heck, my parents don't even have a mobile phone). Second option didn't work as I didn't get the SMS within 3 hours, and the code timed out, as did the next. Yes, there are ways around these issues (e.g. MS will phone you with an audio code, or you could use an RSA SecureID [although who pays for that may well be a barrier]), but there are some real usability issues with it once you get to the point of "cannot use a phone for this" (even if it is a good idea).
"Last time I looked at GMail's 2FA, it wanted to either use a smartphone app, or send me an SMS. First option's out as I don't own a smartphone"
For starters that makes you very unusual, most people who don't own phones don't own computers either.
Also, there's a Windows app to use if you really don't have access to a smartphone or a tablet.
"For starters that makes you very unusual, most people who don't own phones don't own computers either."
Nonsense. Most of my parents' 70 to 80 year old friends have computers, if only for video chat with their grandchildren.
The Saga holidays booking system has 2FA. By SMS, because the "no smartphone" is exactly the demographic they're targeting.
I totally agree with this - I did have 2FA on - then my phone signal died. I live in rural Norfolk - its not Google's fault the mobile phone network in rural UK is so bad! When I had a problem in 2016 it was HELL getting back on because i had given a mobile phone number that I could no longer use. There has to be another way?
"There are few good reasons not to use 2FA (and I can't think of any outside of, possibly, some for users with disabilities)"
I have no cell-phone coverage, thus whenever I have to receive one of these code numbers, I must drive a mile or so until I reach a safe place to stop and wait for my 'phone to wake up to the fact that there is now signal and for the SMSC to wake up and forward the text messages it has accumulated for me, and once I have received the code I have to drive back and hope that the process I have started will allow me to carry on from where I left off.
This is tedious.
I do - in fact - have 2FA enabled on my google accounts and I always have to go through the "more options" | use backup codes route; but at least Google provides this option, my ire is directed at the other sites which refuse to acknowledge the possibility of less than 100% coverage for 100% of all networks!
2FA by TXT is just another attack vector (examples below). For instance, can you use a different dedicated 'throwaway' email address instead? Most users don't care maybe, but others don't want to give Google their cell with the all pervasive tracking that leads to. General apathy is another issue. Following the headlines below some users may think, what's the point?!
~
#2FA is akin to adding a second lock to the front door... while leaving the back door open,”
http://www.theregister.co.uk/2015/12/30/krebs_paypal_hack_criticism/
~
The malware can read SMS messages, which means it can also circumvent (two factor authentication) 2FA systems.
http://www.theregister.co.uk/2016/02/15/android_trojan_mazar_bot/
~
Criminals persuade phone providers to divert mobile phone numbers in what is sometimes called "SIM swap fraud".
http://www.bbc.co.uk/news/business-35716872
~
US standards lab says SMS is no good for authentication
https://www.theregister.co.uk/2016/07/24/nist_says_sms_no_good_for_authentication/
~
The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact
http://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
~
http://www.theregister.co.uk/2016/12/06/2fa_missed_warning/
Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'https://www.theregister.co.uk/2017/07/10/att_falls_for_hacker_tricks/
~
2FA by TXT is just another attack vector (examples below).
^ ^ ^ this ^ ^ ^
For a proximity attack, defeating SMS 2FA doesn't even require the more esoteric vectors in the other AC's post. Most phones show text messages on the lock screen by default, and most people leave it that way for convenience. Think how many people leave their phone face up on their desk, or on the table at the coffee shop, etc. If an attacker can get brief physical access to the device, s/he can grab the auth code (and possibly even acknowledge or delete the message), leaving no obvious trace. The target will have no idea how they got hacked, because "they did everything they were supposed to."
The point here is 2FA blocks the common failure point, Somone from Pakistan has guessed your password, but needs to physically find you and get your phone...
That is a pretty huge barrier right there and it makes even SMS 2FA massively more secure than not having it at all..
Anyone saying you shouldn't bother at all, frankly is dangerous.
Google supports FIDO U2F hardware tokens/keys = no more SMSs needed, and if you enable the Advanced Protection Program setting for your Google Account then U2F keys are mandatory for login.
(you will need minimum 2 keys, just in case one of them malfunctions)
https://landing.google.com/advancedprotection/
https://support.google.com/accounts/answer/6103523
when you enable the advanced protection mode Google will even prevent the use of SMS for authentication or account recovery because U2F is then mandatory for all account operations.
@ adrian 4 "you're suggesting passing the authentication secret over the open phone network"
yes, so what - it's a one time secret. If you manage to eavesdrop on that message somehow, how are you then going to enter it into my browser that requested it?
They offer other options as a preference to SMS - hardware token, voice call, authenticator app, smartphone prompt and there's also 10 backup codes that can be regenerated any time.
Those wary of potential SMS hijacking should be well covered with the other options.
Quite the opposite - I might have several gmail accounts for various different aspects of my life, I don't want to make it trivial for Google to tie them all together by the one phone number, nor to buy multiple disposable phones for 2FA. Also those accounts are of low value to me anyway.
"Please, if you haven't already done so, just enable two-step authentication. This means when you or someone else tries to log into your account, they need not only your password but authorization from another device, such as your phone."
Sharing my phone number with Google? You serious? Absolutely not, because I simply do not trust them not to abuse my number for "other activities" such as sending me "very important" updates about their commercial partners, in other words: plain out spamming me.
See, and this is also where 2FA becomes somewhat pointless. Because what if you can't use an external device (such as your phone)? Simple: then they'll send you the extra step using other methods. For example a webpage so that you can authenticate yourself twice from the same machine (your computer). So if your computer gets taken over you're still screwed.
Which is another point for concern: session cookies. Generally speaking everyone clicks "remember me" thus allowing themselves to automatically log back in once they revisit the website. Steal all those cookies and...
2FA is nice, but it doesn't solve the main problem.
Sigh, so many cretins here that don't understand basic technology. Just because you use your phone as the 2FA auth, doesn't mean you have to give them your phone number... Also Google don't phone you up with promotions. Have even bothered to read their privacy policy???
Keep flipping the burgers , it's best you stay clear of tech sector jobs, and I would also disconnect from the internet, as it's clear you have trouble distinguishing fact from fiction.
Companies the size of Google, apple and Microsoft have to abide by their privacy policies, the might of EU and US government would crucify them in public if they were not following them.
Sure, but whilst their privacy policies say they won't share your number with anyone else, it's what they do with it themselves.
For example all Android devices report the caller ID of phone calls back to Google, who then look it up in the owner's contacts list and build up a handy network of who calls them and who they call. So even if you've not explicitly given them your phone number and your contacts, they'll have it simply because of the likelihood of your having called someone with an Android device who has given them that.
Meanwhile you've no relationship with Google, and they're free to do whatever they like with your number.
In some countries this storing of records without permission to hold them is illegal, but they do it anyway. It's simply too complicated for politicians and regulators to keep up with. Doing little more than targeting ads supposedly more accurately is a way of monetising this without it being too obvious.
Companies the size of Google, apple and Microsoft have to abide by their privacy policies, the might of EU and US government would crucify them in public if they were not following them.
You should read more articles on here ... Google have abused their position and stolen punters data without consent in the past. Mighty UK courts came up ... now, if you were in Britain between some dates 5 or so years ago AND were resident in Britain on some day last year you could apply to UK courts to get some cash from mighty Google ... EU ? Could not care less .... institutions are far too slow, when they even care to react ... go look at facebook, they know most of my friends, have my phone number, one or more email addresses of me ... you name it ... am not on there ... same with WhatsApp ... then, they can buy data from La Poste (French postal service) and could get my physical address, some purchasing habits of mine were I to use "club cards" etc etc etc ... The French postal service basically has everybody's address, so they buy data from supermarkets etc and can correlate it, they then sell that data on to anything ... they know everything my neighbour purchased last year, down to when she purchases menstruation pads ... some years ago, she received incontinence underpant protection pads (or whatever you call them) because she is 60 and had bought menstruation pads for another woman in distress .... somebody, somewhere, thought she had incontinence ... In other words, we are already fucked and no government is doing anything about it ... in France, thanks to CNIL, we can ask companies to delete records on us ... how does that work when the data has been sold on to 255 different companies, some of which multinationals with head offices in some overseas tax haven ?
Where was the EU, France, Germany, or UK when slurpOS (Windows 10) was force fed to the masses ?
Worse even than all that ... younger generations consider it "normal" to pass on all data on them, they do not see a problem ...
I do not care about downvotes ... a downvote to me means "I disagree" or " you got something wrong" ... in the latter case I expect clarification ... damn, to quote Linus, if you disagree with my above post, you are an idiot, no ifs, buts or maybes ... sorry.
Do note that I frequently post rants to harvest downvotes on this handle ... like Brexit-related ;-) (yeah, I find that fun) ... so it is not the downvotes as such that matter to me ... what does sadden, though, me is ignorance....
"the might of EU and US government would crucify them in public if they were not following them"
The EU, maybe, but certainly not the US.
Regardless, who said anything about not following them? I was talking more about how they're written. Seriously, take a good look at most privacy policies, particularly those from large corporations such as Google. After working through the legalese, they all basically allow the companies to do what they like with the data unless a law specifically prohibits them from doing it.
Google is no exception here.
Plus, giving Google (or any tech company) your mobile number provides them with yet another way to cross-correlate you with other online and offline data that they have gathered.
IMO the only useful 2FA method that addresses the lost-device problem is to use an app like Authy, that allows you to back up your code generator settings and access them on another device. Of course, that means the backup mechanism itself becomes an attack target...
Dang. Security is hard...
I was looking at Authy the other day. The idea of being able restore/migrate 2FA generation between devices (rather than having to set each one up again) appealed.
But it's another "free" app so it's not clear how/when they intend to monetise their customer base. And I'm not sure I'm comfortable handing over my multitude of 2FA code generators to them for "free". At least I know what I'm getting into with giving my mobile number to Google.
You don't have to give your phone number to Google. I'm with you on not wanting to do that.
So I use the authenticator app. If you don't trust Google's app then there are third party versions. And you can use printed out codes as a backup in case of phone failure.
Doesn't protect you against lost laptop/phone scenarios but does protect against phishing scams.
I will not be giving Google my cell phone number. No. Not happening. Ever. Because I have several Gmail accounts, I will give Google another email... one of theirs. For some reason that's not good enough. They insist that they _must_ have a phone. They are not getting it.
Google also wants me to use their app instead of Mail or Outlook; Mail and Outlook are 'less secure'. No. I am not using their app.
There is a menu item which allows users to send feedback. Said feedback vanishes into the black hole of Mountain View, never to see the light of day again. Microsoft and Apple will respond to feedback; you have to hit them with a pretty big stick, but they'll respond. Apparently the PSTN doesn't reach to Mountain View, 'cause there's no phone support from Google. Apple and Microsoft give phone support. Annoying phone support, especially from Microsoft, but it's there, And if you persist, you can actually get through to someone who can fix the problem. Sometimes.
No, Google is not going to get access to my phone. Should they attempt to force the issue, that would be the final impetus to my getting my own domain and mail server and I would wave bye-bye to Gmail... and they'd not be able to harvest 'keywords' from my mail any more.
The snag being that even if your own email is not hosted with Google (or another so-called “free” email provider), many of your contacts will have been tight-fisted enough to have done so with their own email address (or use Android or Chrome), so Google, etc, get to harvest your email conversations with those friends from *that* end.
Sadly, email is no longer (never really was) fit for purpose as a guaranteed private end to end encrypted means of communication (setting up GPG, etc, is Too Hard for almost everybody), so what we really need is for a new secure open standard to replace email, but email is just too ubiquitous and easy to use (“good enough”) for sufficient momentum to have been reached, and Google, WhatsApp/Facebook, etc, have a vested interest in the world *not* having a communications protocol that they can’t sniff at least some advertising, etc, metadata from.
Google, amongst others, are phasing out SMS based authentication because of SS7 vulnerabilities. We're not quite at the stage where if your 2FA is SMS based you might as well not bother, but we're not that far off. There are countless app and hardware based authentication methods, Authy is my app based preference but there's the LastPass, Microsoft and Google Authenticator apps amongst others as well. No need for SMS.
Some of us don't use it because it's pointless. Since some one has an exact copy of every one of my emails, ie, the sender or receiver, and since nothing I send via email is important, and since most of what I know, or what is known about me is already on Facebook, Twitter, leaked from Banks, leaked from companies I've purchased from, stored by Google, tracked by every website I've visited, used and leaked by Governments, listened in to via TV's and phones, on camera etc etc .... just what am I protecting that is so important that I need to have 2 devices just to log into an account?
Hell, most of my online accounts I'd like to do away with any password whats so ever.
Anyone who wants my identity appears to already have it, or could, if they wanted, just go and get it.
Even health info was given to Google.
Years ago I wanted medical insurance, but was told I need to pay more because I have a family history of heart problems...they knew enough then. By now someone in my family has probably had some sort of DNA test done, for genealogy purposes or medical reason.
Believe me, there is nothing important about my life that isn't already known that needs protecting by a password.
Even the banks are doing away with them for small card transactions.
Selling security has been little more than selling fear for a fair while now. It isn't ignorance that I say this, I read about all the leaks here! Security for me is a risk assessment of the possible damage that could happen.
There is no way a 2FA password can protect against, CPU flaws, rogue apps in play store, big company data breaches etc etc.
I think it total ignorance that makes you feel a password is protecting you. Your ignorance is total bliss, sir!
What exactly is every one supposed to protect? Some of us don't use it because it's pointless.
Anyone who wants my identity appears to already have it, or could, if they wanted, just go and get it.
Ok. What's your real identity? Name, date of birth, ID number, and address, please.
If you give those to us (random AC), it proves your point that what "every one supposed to protect" is "pointless". If you don't give those to us, it proves that you didn't think what "every one supposed to protect" is "pointless", contradicting your point.
I'm with AC. I simply do not trust email or other Internet related technologies. I predate the Internet, which means the web as well. I still remember fondly petting a shiny, new PDP-11/780 the day it arrived. If you have a bit of Google-Fu, simply search on "brian bartlett" and the rest will follow. [Hint: I'm top of the list.] And yes, my identity has already been stolen, some time ago as a matter of fact, despite using an offline/out-of-band password manager without password reuse. Didn't even make a speed-bump there.
Where I do use 2FA, via Yubikey, is code signing. Content there is worth protecting. Everything email related is mere dross; newsletters and vulnerability warnings. Not even the bank account information is useful, consisting of low funds notices.
For extra points, finger-print my posts. That'll turn up my other accounts. There are quite a few out there.
I predate the Internet, which means the web as well. I still remember fondly petting a shiny, new PDP-11/780 the day it arrived.
The 11/780 was a VAX not a PDP and came out in 1977, by which time the Internet was small, but well-established.
I think that most people have varying degrees of security for different sites. For instance, a number of sites such as el reg require passwords. None of the data stored in those accounts is personally identifiable (beyond my email address, which you need to login anyway...) and so the password is both relatively weak and between similar accounts because to be frank, nobody is going to put any effort into securing or cracking these accounts because there is no benefit to the hacker, or danger to me personally beyond somebody posting something under my account. Quelle horreur!
My work accounts and anything with personally identifiable information or credit card details are secured to the point of paranoia.
I have got a few gmail accounts, such as MR A N Other for "market research" into how much the competition charges by getting a quote every now and again, and I do wonder how many phantom users like this gmail has as it throws off the percentages quite a bit. It'd be interesting to know how many active users have properly secured their accounts.
I use 2fa for my gmail accounts (one work, one personal). I find it works very well. Their app also works for my Amazon account, my personally implemented Nextcloud and Github. Can't complain.
My wife uses gmail too, but she doesn't use it. I haven't told her to, because I wouldn't be able to read her emails if she did.
No. Only recently has google told us it won't be reading all email passing through its servers any more (not that I believe it). Anyone using gmail for anything serious was/is an idiot.
I have dozens of gmail accounts to not be used for anything serious and to scatter information about me I can't stop google collecting. Fsked if I am going to give google a real phone number to correlate with the rest of the personal information I can't stop them slurping. They will never get a credit card number from me for the same reason.
The only thing I use GMail for is the Android phones/tablets because I have to have a GMail account for them password is reasonably secure, it whinges to another email unique address if I add another tablet - why do I need to add more security to something of low value to me?
Then there is security of my phone no - I'd rather Google couldn't link my account to me.
Personally I couldn't give a damn if my Gunkmail account got hacked.
Just open another.
Big G pisses me off enough with it anyways. Despite undoubtedly stealing all my details, and huge number crunching, they still can't figure out if it's me logging into the account a few miles from home, let alone when I holiday somewhere exotic. Even from my phone. Which had to be registered with a gmail account. Doh.
My own mail server seems to manage it ok :-)
I don't dispute 2FA has a place, but it is horses for courses. What happens if employees don't have a phone, leave it at home, or don't want to give a personal number for work use?
I should imagine 'ease of use' is the reason most don't use it. Techheads may think it is stupidly simple. But then you haven't met my wife. Or mother in law. She still can't tell the difference between SMS and IM, or a browser and the internet, and likely never will.
If it isn't stupidly simple people won't voluntarily use it and most likely will change account if forced (what G are actually worried about).
There has to be a simpler, better, more effective, more reliable way than giving your number to Google.
I don't know if Googleplex allows it, but there are alternative authenticators. Authy has a phone and desktop program, I use FreeOTP which is developed by Red Hat and thus is open-source. As for the phone number, Google are just being d-holes about that, there's no reason for them to use your number, they make you scan a QR code anyway. Having said that, can you delete the number afterwards? I would imagine they'd take the opportunity to nab your phone for their recovery method.
Whilst most people don't care about what's in their Gmail or about someone else hacking in, Google care a lot. A plundered Gmail account and it's contact list is the food of spammers everywhere. If this happens too much then Gmail is discredited and Google's reputation as a repository of your most important information sinks a little more. Google's profit relies in part on Gmail being secure.
As it is it is woefully underperforming. Google want people to seriously use it, to trust it entirely, because the value of the analytics they derive from it goes up as a result. With only 10% of people turning on 2FA that kinda means most people have zero intention of letting Google into their more official, financial, important lives. That questions the value of advertising with Google.
For example I don't know anyone who uses Google Pay or Apple Pay. Using a credit card for touch transactions is simple and way easier for the kind of shopping people do.
"If you've called some who has an Android mobile and your name in their contacts list, Google has your mobile number"
This is true more often than it should be, but it isn't true as a blanket statement. Some people actually do use Android without involving Google's apps or services at all.
This. Very much this. I actually used to have 2FA enabled for my Google account, back when is was possible to go straight to OTP for that... Had to disable it for a while when my smartphone broke down and when I came back with a new one - lo, all of a sudden you HAD to have a phone number to activate 2FA. I've just checked again and either I am blind or this is still the case.
Last I looked (been awhile) they wanted my mobe number, you bet - and I don't have one - security by non existence. SMS? I've heard of it, and will not have one until after I get a facebook account, sometime after I die.
They don't seem to understand that not all of us are phone addicts. When I'm out and about - that's MY time, not to be interrupted by any moron who has my number and who is bored and wanting free entertainment from me. I happen to have a car with a cel phone and have no minutes and don't even know the number. No need. If I need 911 - that'll work. Else, bugger off.
Cash?
It's being phased out now already in some countries... To cut down on black money. If you have to use electronic payments to buy pot, moonshine, Russian black market cigarettes etc. the banks will know and as they send their data to the tax agencies (to check for money laundering and terror financing), you (the seller) will get nailed at least for tax evasion and probably also for undocumented income by the police... That's the idea anyway.
2FA is worthwhile pain as allows for a couple ways of notification and verification. By using a text message to a phone, this prevents a miscreant from clicking a link an being able to reset the password even if they have the email account. One email vendor (Fastmail) goes an extra step, every device connected to an email account has its own password, different from the webmail password. Lose the phone, just disable/reset the password for the phone.
Recently Swambo got an email from a merchant for an order placed by someone else in another state. She never had an account with the merchant and was puzzled what happened. I convinced her to the call the merchant to see if they can shed any light. It appears someone has a very similar email account to hers and fat fingered the setup as the credit card used was in the buyer's name. OOPS. Swambo is changing her passwords as a defensive move. I pointed out she could have played havoc with the other person if the 2FA authorization is not used as the login is likely her email account address. Moral of the story, 2FA is a pain but by adding an extra step you are likely to block someone getting access to your account.
that "just Gmail" account is not just for email.. if your phone is connected to the account (and it needs to be, if you want email) then the account can be used to enable remote GPS tracking, make the phone ring for 5 minutes in case you misplaced it, or even send a remote WIPE command to the phone, just by logging in to the account on any computer. Email is just a tiny fraction of the functions it has.
https://www.google.com/android/find
if your phone is connected to the account (and it needs to be, if you want email)
No, not if you're using a 3rd-party mail service.
then the account can be used to enable remote GPS tracking, make the phone ring for 5 minutes in case you misplaced it, or even send a remote WIPE command to the phone, just by logging in to the account on any computer
Only if you've enabled that on the phone/tablet.
Google security is meh
Let me tell you why
About 5 or more years ago on my Gmail account I created what is called an "application specific passwrod" for my iPhone mail client, because it was not "2FA aware"
Anyway, sometime in the last couple of months I decided to update this password, but could not find it anywhere. This is what I did next, naturally.
Irrespective of my frustration, they (someone at google), disabled this application specific password somehow, for about 3 weeks, and then re-enabled it again (I never deleted the profile on my iPhone so it started working again
I am back to square one, where if for whatever reason my phone gets stolen (unlocked), or this password is compromised, there is nothing I can do about it. It is effectively from my perspective, HARD FUCKING CODED INTO MY GMAIL ACCOUNT
Google are fucking pricks, and I just don't know what else to do
you can do this: enable advanced protection with U2F keys.
one of the steps when enabling advanced protection is to WIPE ALL application-specific passwords and prevent the use of such application passwords.
Change your main account password after that.
https://landing.google.com/advancedprotection/
if that application still works after those steps, send a message to security[_AT_]google.com
Good grief! This sort of thing is exactly why only a few have advanced security! It's too complicated or too involving or too long winded or simply 'what?' for the average non-technical user. No, there has to be a better way then faffing about with a bloody mobile (no, I'm not in a cell) and getting a resend because the first one hasn't arrived. The tech just isn't good enough yet.
And as for reporting stuff to the tech giants - again why bother? It almost certainly doesn't get read, let alone acted upon, especially if you're outside the US. No, unless you're reporting from some whizzbang tech company in California you're just used as fodder to help pad out numbers for the advertisers to read; they don't really care about you.
G2 - "you can do this: enable advanced protection with U2F keys."
Thank you, I shall certainly look into that
G2 - "P.S.: or report it here https://www.google.com/appserve/security-bugs/new"
Again, thank you, this is helpful
AC - "You could try reading the documentation properly? App passwords aren't shown more than once"
Ok, you could try reading what I posted, at no point did I say I wanted to see the password, I said that I just wanted to delete it and create a new one (update it), but it was not listed anywhere for me to do this, so it was unadministrable and effectively hardcoded into my gmail account
Craigie - "Umm, you go to https://myaccount.google.com/apppasswords and revoke it/create a new one."
And here lies the problem, it wasnt there. Google had lost any mention of it in the front-end, but they did manage to disable it for about 3 weeks, I am guessing by a DB edit and then reverted that change when I kicked off because of their lack of communications
Just A Quick Comment - "Good grief! This sort of thing is exactly why only a few have advanced security! It's too complicated or too involving or too long winded or simply 'what?' for the average non-technical user."
You know there is a saying, "To err is to be human, but to really foul things up you need a c̶o̶m̶p̶u̶t̶e̶r̶ shitty software developer" - Someone, somewhere fucked something up, and it wasnt me, you could be the most techically able person in the world, but if a software coder fucks something up (as appears to be the case with my ancient application specific password), there is nothing I can do about it because its hidden from me
Look, I realise I am just a product in googles eyes and I WILL be making efforts to move away from their services, but it doesnt matter who you use, they're all fucking shit when it comes to fixing problems, THEY CREATED
"Your problem is PEBCAK"
Whatever you say AC, your bravery is commendable, standing by your comment with your profile name. You must really have faith in its accuracy. So much so that you can say whatever you want, it is meaningless, not based on reality and is basically a random comment by a random unknown.
It's sad that YOU think you understood the issue, do you suffer with a mental illness or something?
Delusions of grandeur perhaps?
"Anyway, sometime in the last couple of months I decided to update this password, but could not find it anywhere."
You could try reading the documentation properly? App passwords aren't shown more than once. If they become exposed or you need to enter them again, you delete the current one and create a new one. https://support.google.com/accounts/answer/185833
I have a new computer. I tried to log into my Amazon account, and they insist on sending a 6-digit token to my registered email address. Said token has a 10 minute lifetime, and the email persistently takes 11-15 minutes to get to me. It's been like that for weeks. No other email, even from international contacts, takes more than a minute or two to arrive. 2FA or sweet FA?
Amazon suddenly started requiring & sending me these 6-digit tokens, last summer, whilst I was 1000 miles from my registered PC/email. As you can only complain/negotiate with Mr.Bz from within an Amazing account, I had to create a new throw-away a/c each time I wanted to discuss internet security with a second tier employee, as Tier-1 Joyce from the Philippines was very helpful - but not quite upto speed on security.
I eventually got them to switch to SMS based 2FA. They never explained why they autonomously established 2FA, in an unuseable way, via open email postcards.
Server load: The similarly open postcard SMS 2FA takes baseline about 10 seconds to arrive, be it for AMZN..com/de/uk/fr) except during Black Friday week when their (the original!) cloud was too busy to bother sending anything!. BFW was much busier than Xmas week, SMS 2FA took just 30 seconds in the run-up to the solstice.
I don't use 2FA on Slurp, what's the point! Hello state department. . . nice day to you too
I have setup 4FA on some nice work projects , mind, and the Slurp authenticator was quite easy to integrate
I'd love for just one of those people who say they've nothing of any interest in their mailbox to put their money where their mouth is and make their credentials public. But they don't because they're talking BS. The fact is, your e-mail is none of anyone else's business and mischief can be made no matter how throwaway it is.
..but that's not because I have a problem with 2FA. My problem is giving a company like google access to every tiny aspect of my life. No thanks. I use gmail on a desktop only. I use chrome solely for gmail & nothing else & I never search with google (which is just as shit as every other search engine these days). I will not be giving them my phone number.
2FA is a royal pain in the arse when you don't have your phone. In August my WIleyFox Spark X had decided to stop working reliably (wouldn't answer phone calls, wouldn't ring when calls were placed, restarts etc). In a bid to show the phone who's boss, after it died one too many times, I threw it in the River Moy - forgetting I was throwing my SIM card away with it.
Didn't need the phone, really, for 2 weeks after that (as I was on holiday). But when I got back to work I forgot my work email account had 2FA on it, and there was I waiting for a replacement SIM card to arrive.
Well, I also have it on my primary google a/c, but using authenticator rather than SMS.
The reason being that mobile signal (hence receiving a SMS) is extremely flakey out here in the countryside, especially if the walls of your house are circa 3 foot thick...
Also Visa have apparently insisted that for all web purchases wifey must authenticate with SMS, hence she doesn't use VISA anymore for web purchases, many sites still accept paypal though!
Apparently this is called 'progress'
Given that El Reggers are supposed to be in touch with current tech (plus maybe what's coming down the line) I am a little baffled that there were so many people who just had to bang on about phone signals and reliability *without* known that (a) Google Authenticator (among others) is standalone ... and - more importantly - the Google (and Facebook) 2FA implementation allows you to create a set of login tokens in the event you don't have your 2FA device.
Arthur C Clarke was spot on about how new ideas get adopted.
I'm growing weary of this POV that if it's not 100%, it's not worth it, when you are starting at 0%. FGS, take the 50%, and then work on that. (Isn't that the DevOps way ?). I'm sure we can all find fault with various 2FA schemes. But they are all going to be a little better than SFA systems.
Sigh.
In order to use Google Authenticator, I would have to install it on my cell phone. Now, think carefully (this may be difficult for you, but try) IF I DON'T WANT TO BLOODY GIVE GOOGLE MY BLOODY PHONE NUMBER, WHY ON GOD'S GREEN EARTH WOULD YOU THINK THAT I WOULD EVEN CONSIDER INSTALLING AN APPLICATION FROM THEM WHICH BY ITS NATURE REQUIRES EXTENSIVE ACCESS TO THE INARDS OF MY SYSTEM?
Google does not reply to 'feedback'. Google has no phone support. If there is a problem, such as my being somewhere out in West Bumfuck, Idaho, and needing access to my stuff... and NOT having access to my Google Auth-equiped device, then I'm shit out of luck. And I can't call in and ID myself and get in that way, 'cause there's NO BLOODY PHONE SUPPORT. I can do that with Apple or Microsoft accounts; it's a pain but it can be done.
I do not store pix on anything Google. I do not store banking info on anything Google. I do have a nice long password (a 18 character passphrase, including caps letters, common letters, numbers, and symbols) which might be crackable but won't give anyone who goes to the trouble much more than the ability to send email in my name... and I have non-Google email which can be used to alert my contact list that thee's a problem.
I don't trust Google. I will limit their access to my devices. In the event that Google tries to insist on using 2FA, I will simply stop using Google services, because I DO NOT TRUST GOOGLE.
If you don't trust Google, you can't trust ANYONE since ALL Google would need to ID you is for ONE Android user to call you, and they'll get you even if you use a dumb phone or a landline.
Don't like Google? Might as well try to fight Big Brother, cut loose, and retreat to a cabin deep in the woods out of view of spy satellites.
so why bother
I suspect that some of that 90% of people not using 2factor auth already known that gmail is utterly compromised and is inherently insecure anyway so why bother having to reach for the phone every time you log in.
Sure, a lot of people use it in blissful ignorance too.
Switching away from gmail is hard to do as even the very best secure alternatives lack some of the most basic of gmail features.
I love using 2FA and enabled it on my Google account practically as soon as it came out. I loved the way I got that extra layer of security every time I logged into Gmail, but wait.. the damned thing keeps suggesting I "trust this computer", so unless I make a concerted effort to remember to uncheck the tick box , I'm insecure for 30 days (yes, I know I manually switch it in My Account).
Then there's another Online Giant that I used 2FA with - I even rushed out and bought a Gemalto keyfob to use with it and I felt safe. That is until the battery failed (as they do) and inserting a new one failed to make my fob work again... So now I'm locked out of my Online Giant account and they want me to supply proof of ID, proof of address, all Notarized. Can I be bothered? No. Is it a problem? Not for me.
This is where Authy and LastPass have it nailed. They make an encrypted backup of your setup whenever you add/change/delete an auth set up so that a change of device doesn't mean having to log into every account and manually set up 2FA again on the new device. That's no help with hardware based 2FA of course!
FFS people google 2FA is only Oauth2.0 TOTP, you can use the code in anything you like that runs the protocol to generaet the code.
Theres apps for windows, Mac, linux, Android, iOS, tizen, watchOS you name it
its as hard as copy and paste or scan a QR code to get it to work
got all my google accounts on 2FA, means i have to be less selective about passwords...
You dont need anything else, if you have an OAuth app on the device you are accessing Gmail from, be that smart phone, PC, or anything else with a browser.
Or SMS to landline is a thing (at least here in the uk)
but 2 factor SMS is proven insecure (as per the SS7 german banking hijack) and not recommended by NIST
Most Password Safes have one builtin now. And if you only have a dumb phone, and are willing to accept the risks, use SMS. BUt considering there are very few truely dumb phones available now.
There's a surprising amount of mis-information and mis-understanding about Google's 2FA here. Probably not helped by the fact 2FA can mean lots of different things to different people and vendors use the term for all sorts of things.
However proper 2FA means RFC6238, popularly known as Time-Based One Time Protocol (or TOTP for short). This is a standard devised by the Initiative for Open Authentication (OATH - not to be confused with Oauth!) and because it's an open standard there are loads of implementations of it. Google Authenticator and Microsoft Authenticator are the obvious ones, but even things like Symantec VIP (used for PayPal 2FA) is actually a tweaked version of TOTP and can be kludged to let you use a standard TOTP app instead of having to buy a PayPal dongle.
The key thing about TOTP is that it's entirely offline - no need for SMS or an internet connection. You simply put a seed value into your authentication app (usually by means of a QR code) and away you go. Some apps don't let you back up the seed, so the simple answer there is to either save the QR code image file in a safe place, or print it out and stick it in a fireproof safe/leave a copy with your lawyer/insert paranoid method here.
There are also quite a lot of server side implementations of TOTP now, and it's really easy to implement in code as well - there are libraries for all the major programming languages. So really, if you have a website which needs authentication, there's no excuse not to support it.
The latest standard that's emerging is FIDO (also known as U2F) but I personally don't like this one as it requires a physical key/dongle.
Source: I wrote a Windows TOTP server application a few years ago that my company still uses to provide mandatory 2FA for our corporate VPN.
Yeah, right. Fuck off.
Although, because MacOS keeps on bugging me to do it, I did try enabling 2FA for my Apple cloud-thingy-whatever-they-call-it account, (because they've got my phone number anyway after I bought stuff from them) but the code they texted to my phone wasn't recognised, 3 times in a row. So Fuck them too.
Please, if you haven't already done so, just enable two-step authentication.
Sigh. Because there's no reason other than laziness why anyone hasn't, eh?
Iain, perhaps - and I'm just going out on a limb here - you should try to find out why people haven't enabled 2FA before lecturing them about it.
I'm only on the first page of comments, and I've already seen numerous posts pointing out the failure modes with phone-based authenticators. While OTA does remove some of the ones SMS is prey to (and don't get me started on people still using SMS as an authentication mechanism...), it requires additional software and a present, working smartphone.
Google's 2FA also doesn't accommodate shared accounts or delegated access. If I'm unavailable, I want my wife and kids to be able to get into my account.
Quite simply the costs and risks of 2FA are greater than the risks of password-only authentication for everything I use Google for. Google's existing 2FA would be a security downgrade.
My smartphone in the past has been unable to receive Santander's OTP SMS messages. That makes me none to keen to sign up to a similar authentication service that has a potentially mission critical failure mode.
The perceived risk of locking myself out of my account is too great. I don't know whether that is justified but the potential failure puts me off.
Currently I am completly locked out of a gmail account as I can't seem to prove that I am who I say I am.
I guess that makes it fairly safe; if I can't access the damn thing I suppose no one else can.
I have a phone that won't get a signal where I live or where I work and my reference email died off when the firm that I used to work for went under.
So now Google is competing with Yahoo mail?
(and doing a damn good job at it)
and I have had Google 2FA active for ages. I must be in the top 10% too.
Once you have registered your devices you hardly ever need to worry about it, unless you are using multiple shared devices on a temporary basis. you code can be SMS, voice call or app based on a variety of platforms, so its not that hard to get a code, even in an evil genius bunker.
The only time to be careful is when you are replacing the phone with the app on it, as you need a code from your old (trusted) device to register your new one, they away again.
one-time codes also can be provided for other types of devices to get them trusted too. so for the most part its a passive second factor post device or app registration and therefore even for hard of thinking its not so hard to live with.
The problem - at its very root - is 2FA or MFA just layers one bad method on top of another (as most stacks give the user options).
We're in the security business and know unequivocally: a) An authentication stack is only as good as the worst factor, b) PINs, passwords and legacy biometrics (fingerprint, 2D face, retina...) are either too easy to break, too intrusive or the ROI is far too low (ex: retina needs the right environment to work, takes too long and requires a device to be too close for daily comfort), and c) anything that takes antsy humans more than 4-5 seconds is not acceptable - and this is what we see *in practice*.
What is coming is smarter, faster AI-driven software-based biometrics that will allow us to be secure using one factor. For very-high-value transactions, though, additional verification is more than acceptable. Some friction in the process is okay (but not more than the magic 4-5 seconds!), and we actually expect friction if the stakes are higher (the effort must be worth the result). I'd be happy to spend another few seconds to make sure my $10K transfer was truly secure.
This is not a Google problem. It's an authentication technology problem.
"What is coming is smarter, faster AI-driven software-based biometrics that will allow us to be secure using one factor."
I frankly don't see how you can make biometrics any more secure than the crapsack they are now. In fact, given all your criteria, practical security is a fool's game because the minimum standard for anything that's practically worthwhile is basically too irksome for the average Joe. Thus why we're stuck at deadbolts (that can be defeated with a well-placed kick), passwords that people forget, and fobs people tend to lose.
Frankly, if you want better security, you're going to need to start with a better human being.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
