Google will make you use two-step verification to login Google has marked World Password Day by declaring "passwords are the single biggest threat to your online security," and announcing plans to automatically add multi-step authentication to its users' accounts. A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of …
SMS is easily spoofed, but that is not a problem when using it for 2FA. In that case the attack vector would be to *intercept* an SMS message. This can be done (by transferring the target cellphone number to a different SIM), but not easily, quickly or undetectably. The same is true of emails - easy to spoof, but far more difficult to intercept (especially if using a private/company email address & server rather than a web-based public server).
This post has been deleted by its author
"The same is true of emails - easy to spoof, but far more difficult to intercept (especially if using a private/company email address & server rather than a web-based public server)"
You are saying it's easier to steal email content from a specific email account hosted at Google than from the average, halfass-configured corpo mail server that is most likely something installed 10 years ago and left unimproved?
"
You are saying it's easier to steal email content from a specific email account hosted at Google than from the average, halfass-configured corpo mail server that is most likely something installed 10 years ago and left unimproved?
"
If the private email server is only accessible from within a corporate LAN, then yes.
... that SMS is potentially unsafe. what happens when your phone service is for a long or short period, unavailable? Is there a single cell service that has never, ever suffered an outage? Whether for a short of long period? That has never suffered _multiple_ outages over the life of a single user-contract? I don't have figures, but I wouldn;t bet on such a unicorn existing... and no phone/ no SMS/ no 2FA/ no access may not be quite as poetic and shoes, short service, but could have more impact.
Before they make it mandatory, they need to develop a universally accessible method.
I'm quadriplegic, and use my chin to type.
I can't check a phone.
I can't press a button like the ones on usb security keys.
I could probably hack together a fix, but I'm a coder. Most disabled people aren't, and shouldn't have to be to use online resources.
There are ordinary desktop tools equivalent to the Google Authenticator. For Linux there's oathtool (https://www.nongnu.org/oath-toolkit/oathtool.1.html or your distro's package repository) and for Windows there's t2otp (https://www.token2.com/shop/page/t2otp-exe-command-line-totp-generator). Presumably there's something for the Apple crowd as well but I wouldn't know.
It sounded good but if I remember right, at the time this February, had little or no good instructions. More of a it's so easy it just works... or something like that.
So I set it up wrong, or at least it seemed that way. And due to no good help, I couldn't figure out how to fix it. So I deleted my account. It was nice that it gave me a month to reconsider the account deletion. ;-)
Yes, it works if you are lucky, and puts you in 2FA Hell if you are unlucky. I certainly hope there is a way to opt out with Google, because once I foolishly fell for their gubbins and tried to switch to 2FA - and it took me a week to get things working again. Sheer Bloody Heck.
It appears to me that Gmail already uses 2FA - the device you log in from is also a factor*. Because they send me a warning email if I log in from a new phone or computer.
So they could enforce 2FA at the point I log in from a new device. Which would be spectacularly unhelpful if my phone is stolen when I'm away from home as I wouldn't be able to register a replacement.
* Of course, as my username/password will be stored on the device to log in to Gmail automatically, it's only 1 factor in use 99% of the time
Indeed. I have a few Google accounts which I only ever use for limited, specific purposes. None of them have a phone number associated. If they needed an email address to set up then that was a one-time or other no longer existing address.
I won't supply a phone number or use a non-open-source app. But I would be happy to use an open OTP generator like the one I use for remote access to my personal cloud server.
"Indeed. I have a few Google accounts which I only ever use for limited, specific purposes."
Exactly this! Seperate accounts for different usage. Of course we don't want them linked in any way, most especially by a common phone number. There are usually reasons people want different, unrelated, unlinkable accounts.
I live in an area, so far ignored by 2g, 3g,4g and 5g, so my chances of a second factor coming to my 'phone anytime soon is a bit remote. I keep all my passwords on the Word (Psion) application on a twenty odd year old Psion netBook, which is almost never connected to the 'net. At the last count, it ran to 28 pages of A4, at four lines to an entry, for the most part. Admittedly, a whole lot of these entries are obsolete, Like the Daily Telegraph online crossword, which I gave up when they started to charge an exorbitant for an account. Everyone and their dog is requiring an acount with password. Very few of them can agree on how the password shall be constructed.Never forget that he simplest way to crack a password, is to crack the owner of the password. Usually with a big stick..A cheap and very low tech solution. I once tried to get an account on a hardware forum, for something I was using. After a couple of hours having passwords rejected. Even hitting keys at random did not generate a viable password, I decided that the manufacturer did not want people on his forum, and gave up.
The question to ask is why do these bastards want a password? If it's to protect my interests then I'll use a random string of characters and let KeePass do the heavy lifting. If it's for some arcane purposes of their own (hello iPlayer BBC Sounds) it gets Passw0rd1 or something appropriate.
I once registered at a site (don't recall which) but found I couldn't log back in with the password I had picked.
It turned out that the rules for generating a new password were looser than the rules for the password at login and my password had one (or more) of the illegal traits!
My passwords were wrong a different way. I was making them too long for the site. The password setup part would accept the long password, but it only read the number of characters it wanted, and ignored the rest.
Me, not knowing this, would try to use the longer password I saved to log in and it would reject it as wrong. While trying to work it out with support the second or third time, I finally noticed the password length limit and counted to see that I was over it. I guess a password can be too secure.
Unfortunately the world we live in, authenticating yourself to identify in some way, that you are you, something is needed, a key, a password, whatever.
Locks can be picked
Passwords can be guessed
Keys can be copied
Passwords can be copied
I don't think I need to explain that a higher character space results in higher entropy for the same character length
Just be thankful that not all websites think its an amazing idea to force its users to type the password in upon account creation, because of some dumbass 'it improves security' reasoning, as Ebay did, not sure if they still do though.
......along the lines of "We need to know that you are who you say you are".
*
So......burner phones become increasingly necessary for those of us who masquerade as AC.
*
Sometimes I'm "Howard Beale".....sometimes "Thomas Beale".....but always contactable on a burner!
*
On a related subject, I'm curious about the threat of legislation to restrict access to internet resources based on the age of the person hitting the keys. How precisely will ISPs make sure that Thomas Beale is over eighteen? Maybe this Google move is a step in the direction of "age snooping".......in addition to all the other hoovering going on. I think we should be told!
"How precisely will ISPs make sure that Thomas Beale is over eighteen? "
YouTube already require age verification before they let you watch age-restricted content. Enter your credit card number or send them a scan/photo of your driving licence or passport. All this means to me is that I can't watch age restricted videos on YouTube because they are not getting my card number, driving licence or passport details. Not ever.
Of course, it seems to be primarily a US based age restriction system. Any possibility of a nipple show and it's age restricted. Violence and stupid gun stunts, on the other hand, doesn't seem to attract the age-restriction Police quite so much.
I'm not sure just how old my YouTube account is now. Maybe when the account is 18 years old it will be de-restricted based on the fact that I, the owner of the account, MUST be over 18 by then :-)
"restrict access to internet resources based on the age of the person hitting the keys"
I don't need Google to find porn and gore. I can find much better without their help.
My Google account (which I rarely use) has a DOB of 2006. So I'm 15 years old, protected by a bunch of kid safety laws and not capable of entering into a contract should I click "Agree".
Sorry.....pedantry warning!
*
The point being made is about the identity of the actual physical person using the laptop/tablet/phone.
*
It's not about the data stored on the ISP database which says that Account = 123456 and DOB = 1969-12-31.
*
So......how do legislators think that ISPs will be able to prevent underage folk using (for example) their parent's accounts? Perhaps the idea is that all user access will be via a video-based login session, so that the ISP will use AI and facial recognition to validate the age of the physical person? Perhaps the AI will be able to tell the difference (for example) between a real parent.....and a photograph of a real parent held in front of the camera? Maybe add voice recognition into the mix? .....and so on.
*
And of course, if this hypothetical scenario is the one that legislators have in mind......how many people will be prepared to hand over to the ISP video and audio in addition to name, DOB and so on....in order to get an "approved" account?
*
.......which is then hijacked by bad actors to do bad things in someone else's name?
*
I think the legislators need to tell us in detail how these age limits will ACTUALLY be implemented!
We already struggled to get the multiskilled operators (painters, decorators, builders) and the grounds team to use the tablets and phones & we're fully aware passwords aren't secure but if 2fa gets in the way, they'll be even more annoyed.
We have 2fa setup on 365 for the office workers but its fucking flacky. It will randomly decide a laptop that has office 2016, the Outlook 2016 isn't a "modern app" (it is) so doesn't understand 2fa so needs the one time password instead. It will randomly decide the mobile you're using needs a 2fa check and refuses to pass it despite nothing being fucking wrong. Turn off 2fa, log them in, turn 2fa back on and all fine.
I understand the need for 2fa just make it simple and make it fucking work.
Microsoft are bellends, everything they do usually ends up a disaster
Installing Office 2010, it tells you the telephone activation service is discontinued
But it isn't, cos I used it. They (microsoft) describe this an as error, though they don't mention if its a computer error, or a corporate error
https://support.microsoft.com/en-us/topic/-telephone-activation-is-no-longer-supported-for-your-product-error-when-activating-office-9b016cd2-0811-4cb3-b896-5a6a13177713
Aren't tech firms amazing?
You should watch Mark Russinovich's Case Of the Unexplained talks. He's now head of Azure but even when he was just a Technical Fellow in Microsoft he'd always take a dig at the Office Team. He even used his tools to find a bug in the Office Suite told them about it but they still told him to report it properly as a bug. So despite how high up he was, even he couldn't get the Office Team to listen to him.
I do understand however, it was a bit of jossing but still feels like the Office Team possibly don't listen much.
2fa is fine, but when you have to repeatedly login to multiple sites several times per day (they all timeout after 15-30 mins) then it becomes a royal PITA. Once again the addition of more security will result in more work for the user. When does this end? When the user can no longer login will it finally be considered secure?
I remember when Single-Sign-On was gonna be the next big thing and it would make all of our lives easier, but it never happened because we migrated everything to the bloody cloud and now we have to login and enter single use codes more than we ever had to when it was all hosted in house.
On the subject of Google and passwords, are they leaking like a sieve or am I just unlucky? About three or four times a year I get a Google security alert telling me that someone else knows my randomly generated, 20 character password. I haven't told anyone, so what's going on?
They will do that warning, that "someone else [may have] used your password, when it was actually you, but the IP address changed. Or you switched browser.
The email client here triggers it when the ISP occasionally changes the IP address.
See also Steam's paranoid security where EVERY different browser or PC on the same external IP, with a massive big long unique password generates an SMS message. Or requires doing a Google Captcha, which is missing from the Win7 client, so changing account stuff on that fails.
It's also a problem if an ISP simply deletes all the email addresses and you forgot about site XXX.
Never mind flat batteries, disabled SIMs due to lack of use, or out of coverage (maybe a Faraday shield type room).
Passwords are not a problem. It's service providers leaking them or users using the same ones or simple ones. I only remember two passwords. The non-important ones are stored in browser and all are in a backed up address book, never in laptop bag and only taken ever to one other off site location.
Google wants our phone numbers and to know who all the accounts belong to. Now impossible to have separate Google accounts without Google knowing it's the same person. They are not a fit company to "own" Android or provide any service other than advertising.
You're getting security related emails from Google that you can understand? How? I get emails from them every now and then offering to help me enhance my security. But their missives quickly deteriorate into a jumble of incomprehensible phraseology that makes no sense whatsoever.
I ignore them.
I'd probably ignore them even if I understood them.
I commonly reuse passwords on sites where I will probably not be coming back, and shouldn't really need to set up an account in the first place.
This usually happens where I am researching something like opening times or prices, but the company will not tell me unless I create an account first.
In such cases no real financial or personal information is ever given, the mailbox concerned is only used for "confirm your email" messages, and gets auto-deleted unread after 48 hours.
If it turns out that I will be turning a casual enquiry into something more solid, then a proper email address and password gets generated and recorded.
I recently had to create an account just to find out when and if the local authority Swimming Pool Leisure Centre "Wellbeing Center" [sic] was reopening.
And, no, I don't want to "like" my experience on Facebook, or become a "friend" of your refuse collection department.
Quote: "I recently had to create an account just to find out when and if the local authority Swimming Pool Leisure Centre "Wellbeing Center" [sic] was reopening."
Would that come under GDPR? Just curious.
Happy to be corrected, but I though one of the rules of GDPR was that you can only mandate asking for PII (name, email address etc), if it's actually data required to provide the service or function. That data (assuming any of it, is asked for during account creation of course) isn't needed simply to display opening times.
Gdpr only applies in some jurisdictions.
It's a pain to implement even for the most trivial things such as a membership list for a youth group where you need name, age, emergency contacts and some medical information.
The amount of paperwork generated and thus time and resources consumed is out of all proportion for volunteer organisations.
Gdpr needs to be simplified and made a lot easier to understand and comply with.
I have multiple GMail accounts and clean my browser cookies when switching between sessions.
Forcing me to enter a mobile phone number will finally allow them to track me across my multiple identities. How convenient for them!
Sure, they might already fingerprint my browser to track me, but that only gives them probability, not certainty.
I have kind of the opposite problem. I have two Amazon accounts - one personal tied to my gmail address, and one for work, tied to my corporate email. The latter is linked to my cellphone (which is a personal phone, but company funded) for 2FA.
On my personal Amazon account, I'm forever being nagged to set up 2FA. So I enter my cellphone number - and get told "nope, this number is already linked to an Amazon account" (duh, yes, my second account).
It's apparently beyond Amazon's ken that anyone might conceivably have two accounts. Despite them being the ones who aggressively pushed my company into forcing us all to switch to corporate Amazon accounts in the first place (where the pricing is higher, but hey, someone somewhere is getting a kick-back I'm sure).
Will this also apply to Classroom? It's supposed to be isolated but seems to send details 'outside' - for example, Youtube gets age information from a Classroom account even if no account exists for YT.
How will 2FA work for these children? Particularly where they might not have a mobile phone? Is it going to be something that can be turned off?
M.
I keep getting a Google notification on my phone telling me that I have to provide them with my date of birth to allow Google to 'comply with the law'.
I keep dismissing it because I don't want to give Google any more information then they already have.
I just don't trust that Google won't be using 2FA for their own tracking and advert pushing purposes more than for anything security related.
I did something similar (I think I gave the right date and month but 10 years before) with another site (not Google). Some years later, the site sold themselves to a financial institution (although not being a financial service themselves) and the account was automatically converted to an account on the financial institution.
Well, financial institutions take DoB much more seriously ("know your customer" etc). The next time I tried to log in it asked me for my DoB as part of the login. I had completely forgotten I had made up one for the original site and tried to log in with my real DoB. It didn't work.
The customer service person was very helpful but very surprised that my DoB in the system was "wrong"! After all, normally they have verified that as part of their setup process. I explained that my account had come from the acquisition and he was very willing to believe that the company they had acquired were useless enough to have got my DoB wrong! It did take him escalating a couple of levels to be able to fix it, though :-)
This post has been deleted by its author
I've ben giving out a false birth date since aged six. We have a birthday tradition here called 'the dumps', where everyone can beat you on your back the number of years you have lived. Until midday for some reason. My birthday was close to the school holidays so I moved it into the school holidays to avoid the beatings.
I've had a pretty useless Google account for years on my phone. It has an obviously false name, a false address and a handful of app purchases which were paid from the balance on a Play top-up card. A month or so it suddenly bugged me for my DOB which like the good doctor above I set to the Unix epoch date. What new law is this which requires them to ask me for it?
This reminded me of a thing that happened quite a while ago
When 2FA became a thing on google, I adopted early and I remember having to set up an 'ASP' (application specific password) for my '2FA unaware' mail client
This 'ASP' was entered into the mail client and remained like that, working
One day, some years later, I decided to refresh and update this 'ASP', so went hunting for the page to do this, alot had changed, the UI, everything
I found the page, but oddly, no record of any 'ASP', but I could create one
So I start a google discussion asking whats going on, being a community thing? I got some answers, mostly people accusing me of not knowing what I am doing and I am thick, etc. but eventually after a lot of discussion, descriptions of the issue, people realising that I am not being thick and actually something is borked, someone said it had been passed onto an engineer. I hear nothing at all from then on
But weirdly, my '2FA unaware' mail client with the original 'ASP' suddenly stopped working. Had a google engineer somehow found this 'ASP' perhaps buried away in some database somewhere, some legacy system no longer attached to the "new shiny UI"?
I decided that I was not convinced I knew what was going on 'behind the scenes at google', so I left the mail client, as it was, with its original 'ASP'
2 weeks later, the 'ASP' started working again, it seems it was only temporarily disabled
So basically, there is an application specific password for my mailbox, which I do not know what it is, and I have no way of managing it, ie deleting it.
Isn't technology amazing?
The problems with passwords are reuse when they should not be and idiotic password requirements. As a couple have noted, reusing passwords on burner accounts is usually fine. However, as noted, each site with financial information stored on it should have its own, lengthy password. I use a password manager to generate and store passwords locally, they are never stored online. Many sites limit the length of passwords to about 20 characters; I prefer much longer ones.
The real issue is not 2FA or passwords but that too many conduct all their financial business on a mobile (not necessarily a phone) device in public places. Places that are often not very secure. Also, with devices that can be easily nicked.
The real issue is not 2FA or passwords but that too many conduct all their financial business on a mobile (not necessarily a phone) device in public places. Places that are often not very secure. Also, with devices that can be easily nicked.
Why is that a problem? I don't do my banking on my phone at home or in public, but let's say I did in a park while people were walking by. Someone snatches my phone with my banking app open. So what? I can't transfer money out of my bank to a new account without a verification step that automatically sends a few small deposits/credits (random amounts of tens of cents each way canceling out to zero) to the new account and then I have to list those exact figures in order to verify I have access to that other account before the linkage is made and transfers are allowed. The transfers take place overnight, giving me tons of time after my phone is grabbed to contact my bank and put a freeze on any attempts to transfer money out.
I'd hate to have my phone stolen, but I wouldn't worry at all about someone accessing my banking information even if they stole it with the phone unlocked and banking app open. The worst they could do is see my balance and who I do business with.
If your banking app allows transferring money to a new account it has never used before, or writing some sort of electronic check to someone it has never written to before, without some type of additional verification or time to allow you to report your phone stolen maybe you need a more secure bank!
Maybe they could move money from Saving to Checking, and then buy a lot of stuff with another app
Anyone (at least anyone who lives in the US) dumb enough to use a debit card for online purchases despite the massive disadvantages that has over a credit card deserves what they get. No one could do what you describe to me, because there are zero sites on the internet that have EVER had a debit card number of mine. Nor do I ever use it for in person purchases, for that matter. If my bank could give me a bank card that didn't also double as a debit card I wouldn't even carry one.
I did not mention I only use a wired connection from a desktop when I do any online shopping or financial activities. Call me paranoid but someone is going to have a hard time getting my credentials and there are much easier prey available. It's not that it cannot happen to me, it's just there easier targets than me around.
It occurred to me twice that I have been locked out of my email account and each time by the provider.
First time it was Yahoo that suddenly decided that the device I was using was not being recognized even though I had been using that PC for decades. When forced to do a password recovery I discovered the recovery address I used was with a provider that went out of business. To their credit, Yahoo support was helpful and after some lengthy email exchange I got my access restored.
Second time, it's Google who locked me out of one of my email accounts because 'it seems somebody knows your password'. How in the world they would be able to tell that, beats me. Each time I'm trying to access it, I receive an email at the recovery email address telling me someone is trying to access my Gmail account (thanks a lot, Google, you're being very helpful). Unfortunately, Google's support is not very helpful at all.
How can I give my Gmail address to a financial institution knowing very well Google can lock me out at any moment ?
I was using "google auth (with the time based numbers)" on my main cell phone as 2FA to log in to Google on my desktop. But I didn't feel safe with that because I mount my phone on my bicycle and use is as sports GPS/ANT+ recorder without screen lock. So I moved "google auth" to another obsolete phone without a SIM card and on which I leave Wifi switched off always - it became a dedicate stay-at-home un-connect auth device.
Google response to that was to force me to use my main phone as an per-login-optional 2FA device. When I try to log in online, there is always an option to use my phone as a 2FA device, and that option is the default. I can select each time to use my offline "auth" phone, but if my phone ever got into the wrong hands the bad guy could use the phone as 2FA.
I use complex passwords, so it's not the end of the world, but it is a pretty stupid way to hobble their own 2FA.
Account databases do get compromised, and any username and password so exposed can be easily fed to a bot that will try the combination out at popular websites, a technique known as credential stuffing.
I hope that passwords are no longer being stored unencrypted as that should now count as negligence: hashing with a salt makes reverse engineering much, much harder.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
