Google to auto-enroll 150m users, 2m YouTubers with two-factor authentication

Google is going to automatically enroll 150 million users and two million YouTube creators into using two-factor authentication for their accounts by the end of the year, it announced on Tuesday. Passwords aren’t good enough on their own, Google’s AbdelKarim Mardini, group product manager working on Chrome, and Guemmy Kim, …

  1. Anonymous Coward
    Paris Hilton

    And because we know the best way ...

    The road to Hell is paved with good intentions and Google "engineers" who wouldn't know what Chartered means if it kicked them in the nadgers.

    Fuck wits.

    1. Anonymous Coward

      Re: And because we know the best way ...

      I feel like talking to myself.

      When a Civil Engineer fucks up, a bridge collapses or a dam bursts ... err this is starting to look bad.

      When a FAART or FFUNGI, FUUNG? whatever, employee fucks up then Facebook vanishes for six hours. Did anyone die as a result? Probably, sadly. I bet that somewhere a doctor or lots use FB to run clinics. Somewhere as a result of the lack of FB, someone may have died. On the other hand someone may have survived being knobbled by a well meaning but deranged doctor who could no longer communicate due to the outage.

      So a real Engineer kills people when they screw up and generally ends up having to face up to that. FAANG/FLOOP etc programmers and other staff, when they fuck up, there are less cat memes in the world - that's how they seem to be seen at times of breakage. There are a lot of other businesses that have gone all in on FB and Co. Will they be compensated in some way?

      No.

      1. Gene Cash Silver badge

        Re: And because we know the best way ...

        The BBC made a big "think of the children"-style deal over WhatsApp being down.

        People around the world lost contact with their families on Monday, patients were cut off from doctors, and governments were unable to communicate with citizens when Facebook's social media and messaging tools went down for almost six hours.

        Jesus H. Jumping Christ. What a bunch of moaners. FB being down is NOT the end of the world, people.

        People need to stop basing their business and essential communication around a resource they DON'T EVEN PAY FOR! If I see a restaurant or other business on Google Maps or whatever, and their website is Facebook... I don't even bother to look further. I know they're too lazy to make decent food.

        Google threw a shitfit over people using their well-known nicknames instead of their real names, and started locking people out of their accounts. That's when I bought an email address where I actually pay for the damn thing and I'm the customer, and shifted all my communications to that.

        https://www.bbc.com/news/technology-58801814

        1. jmch Silver badge

          Re: And because we know the best way ...

          "If I see a restaurant or other business on Google Maps or whatever, and their website is Facebook... I don't even bother to look further. I know they're too lazy to make decent food."

          Conversely, one could argue that they are so focused on their food (or whatever the core business is) that they don't have time to faff around with creating their own website. The best discovery tool for restaurants is still personal recommendation.

          1. Anonymous Coward Silver badge
            Holmes

            Re: And because we know the best way ...

            If you're looking for something technical, a nice website is a good sign.

            If you're looking for something non-technical, the website is largely irrelevant.

            My favourite Chinese takeaway doesn't have a website (the only reference online is someone has posted photos of their menu somewhere). My mechanic doesn't have a website (or even email). The best painter & decorator in the area doesn't have a website. None of those places have any interest in computing, but they're good at what they do.

            McDonalds has a comprehensive website.

          2. stiine Silver badge

            Re: And because we know the best way ...

            The 'focused on food' restaurants are usually the ones that go out of business because they failed to understand that accounting was actually more important than cooking.

        2. Anonymous Coward

          Re: And because we know the best way ...

          "The BBC made a big "think of the children"-style deal over WhatsApp being down."

          Just read that article and noticed this bit:

          'A dentist in the UK, Chris Donnell, said that parts of his job often relied on communication via WhatsApp.

          "Seriously feel for medical and dental friends who use WhatsApp for their hospital handovers, out-of-hours queries, chatting to senior colleagues for advice etc," he said.'

          Using WhatsApp for "hospital handovers"? That's potentially a breach of GDPR. This has been brought up before in the NHS, see https://www.nhsx.nhs.uk/information-governance/guidance/use-mobile-messaging-software-health-and-care-settings/

          Specifically the bit about "the transfer of special category data across unregulated servers outside the UK". Isn't WhatsApp data stored in USA?

          I don't use WhatsApp but realise that it's "apparently" end-to-end encrypted but that still doesn't mean personal data sent via it is safe, potentially WhatsApp/FB as the app developer could siphon off data before it's encrypted (and the recent row over WhatsApp T&Cs changes, certainly for non EU & UK users, seems to imply they do/will do so).

          Plus I assume these dentists are using their personal handsets for this which likely aren't appropriately secured (no MDM in place to enforce encryption, strong screenlock codes, etc)...

          1. SImon Hobson Bronze badge

            Re: And because we know the best way ...

            That's potentially a breach of GDPR

            Err, what's with the "potentially". Try as I can, I cannot think of a practical way in which anyone could be using WA for that without breaching GDPR - badly. Just the fact that "Joe Bloggs" (note, made up name, any similarity to any real/living Joe Bloggs is purely coincidental) is in Anytown Infirmary would be sensitive personal information and there's no way the T&C for WA (we can hoover up whatever we want, when we want it) would make this GDPR compliant.

            What's more, it's hard to see how anyone with any contacts in their address book could use WA now without breaking the law - unless they are conscientious enough to ask every single contact for their informed and freely given consent.

        3. Margaret Bartley

          Re: And because we know the best way ...

          I know a lot of technophiles, nerds, dweebs. They are not necessarily good cooks.

          I'm looking for a place to serve good food. Chances are pretty good they don't have time to screw around with constantly-changing, poorly documented tech requirements.

          A good website for a restaurant is kind of like a slick marketing campaign - tells me they need to spend more money on advertising because their repeat business isn't good enough to keep them going!

      2. rcxb1

        Re: And because we know the best way ...

        "FAANG/FLOOP etc programmers and other staff, when they fuck up, there are less cat memes in the world"

        The G and the A's in FAANG stand for Google, Amazon and Apple. Those are major cloud service providers. When all of Amazon and Google goes down, so does a large percentage of the web and web services. When Apple goes down, good luck with text messages... they'll try (and fail) to use iMessage even when it's down and SMS/MMS would work just fine. Not quite the flippant, silly insignificant concern.

        File uploads? Sorry, that's using some Google javascript, please try sending that MRI to us tomorrow...

        Out of money in your checking account? Afraid you can't login to your bank because their front-end servers are on S3.

        Hope you don't have "smart locks" on anything important, because they won't be opening for you until those service providers come back up.

        1. SImon Hobson Bronze badge

          Re: And because we know the best way ...

          I have smart locks, at least I think the brushed chrome effect is pretty smart. They work with ordinary keys and don't have any electronics.

          Oh ... you weren't talking about their looks ?

    2. P. Lee

      Re: And because we know the best way ...

      Indeed. Google have done something absolutely right - 2FA is great and everyone should use it.

      And yet, because it's Google doing it, it's now really creepy. You know people won't be getting dedicated 2FA keys, they will use their phones, most likely with Google's authentication app.

      So now Google has your phone linked to their applications on an ongoing basis, even if you're using an iPhone.

      1. LybsterRoy Silver badge

        Re: And because we know the best way ...

        Two questions:

        1. why does everyone assume I and the rest of the world have a smartphone?

        2. why does anyone assume I care at all about 2FA for a poxy email address that I use when I don't want to use my real one?

        1. Jellied Eel Silver badge

          Re: And because we know the best way ...

          1. why does everyone assume I and the rest of the world have a smartphone?

          There are workarounds.

          So my bank sent me a letter saying that in order to improve online banking security, it was moving to 2FA. In order to continue buying stuff online, I'd need to download and install their phone banking app.

          So there was me thinking "Huh, install banking thing in the gizmo most likely to get lost or stolen?". But lo, they went and did it anyway. I didn't, and discovered that the bank's contact details form doesn't insist on a mobile number. So if you have a DDI you can divert*, and a DDI provider with an SMS-speech gateway, it'll just call you and text to speech will read you the passphrase**.

          Ok, so perhaps slightly more faffing around than doing a spot of copypasta, but I guess if that's your thing, perhaps try piping the call to a speech-text. Then cursing 2FA provider when you discover you can't ctrl-v ctrl-v from or to their form. Not that 'smart' phones have ctrl keys anyway. But no need to install cra.. I mean an app on your phone.

          *Officially or unofficially

          **BT's gateway has a fun habit of reading 296563 as "Two hundred and ninety six thousand five hundred and sixty three" rather than just the digits.

        2. rcxb1

          Re: And because we know the best way ...

          "1. why does everyone assume I and the rest of the world have a smartphone?"

          Because "80.76% of the world’s population [own] a smartphone". You are in an extremely small minority if you do not. Why would you assume companies would cater their offerings to such a tiny minority?

          "2. why does anyone assume I care at all about 2FA for a poxy email address that I use when I don't want to use my real one?"

          Why do you assume anyone cares at all about you and your specific use-cases?

      2. ConsumedByFire

        Re: And because we know the best way ...

        "You know people won't be getting dedicated 2FA keys, they will use their phones, most likely with Google's authentication app."

        A key is one of the options.

      3. Robert Helpmann??
        Childcatcher

        Re: And because we know the best way ...

        ...because it's Google doing it, it's now really creepy.

        It's not that Google is using it that makes it creepy, it's how they will use it that does it. They already have a lot of information about their users. I am sure Google will be able to leverage this to embed themselves even more into their lives.

        From the article: ...this code could be generated by an app on your phone or emailed to you...

        So to get into my Google account, I could have them send the passcode to my Gmail address that I now have to use 2FA to get into? Also, how is this going to work for those of us who are not allowed to use our cell phones at work (yes, this is a thing) but are allowed some reasonable access to personal email and other web resources?

        1. stiine Silver badge

          Re: And because we know the best way ...

          just install a TOTP app on the computer so that everyone can access your 2fa codes...

  2. Anonymous Coward

    'something you have'

    or don't have. Quite an about-face from being 'safe' to being 'f**ked' on a bad day.

    I've accidentally left the house without my cellphone once in maybe 2 years, but I regretted it only because of the wonderful pictures I missed taking.

    The base for my passwords is 14 characters long, in a European language I don't know, and was a friend's made up nickname for himself. And he's dead now and not talking. If that is insecure - as a practicality - then turn off passwords completely, Google and world.

    1. ShadowSystems

      Re: 'something you have'

      I made sure my passphrase was as strong as I could make it, mostly by taking it from the Necronomicon & transcribing it into Elder God runes so that anyone reading it ends up summoning Cthulhu. I'm not worried, he just sticks his head out his bedroom door & asks me WTF I want _this_ time. I love having a flatmate! =-D

      1. KittenHuffer Silver badge

        Re: 'something you have'

        You are flatmates with Mark Zuckerberg?!?

        1. ShadowSystems

          At KittenHuffer, re: Zuckerberg...

          Hell no I'm not having that turd as a flatmate, I'm insane not sociopathic! (Besides, Zuck once bit the moose that then went on to assault my sister. Obviously Zuck is rabbid.)

      2. Chris G

        Re: 'something you have'

        Damn you! You have just encouraged me to look for a runic keyboard, the bad thing is they exist.

        That's another rabbit hole I'll get lost in, on the bright side though, my passwords will be beyond the majority of monkeys on typewriters having much chance of brute forcing.

        1. stiine Silver badge
          Coffee/keyboard

          Re: 'something you have'

          You can also download a lovecraftian font for your summoning or for passwords.

      3. LybsterRoy Silver badge

        Re: 'something you have'

        I prefer the "Harpist In The Wind" trilogy - especially Master Ohm's real name.

    2. Lazlo Woodbine

      Re: 'something you have'

      That's fine for you, but I know a lot of staff around my workplace have ridiculous passwords based on their kids' names, far far too easy to break.

      1. Irongut Silver badge

        Re: 'something you have'

        I used to work with a woman whose password was literally her eldest son's name. When I introduced a password reset policy she added a 1 to the end. Eventually for some reason that I forget she changed it... to her other son's name. The worst part is this was less than 10 years ago.

        1. LybsterRoy Silver badge

          Re: 'something you have'

          No! The worst part is that we are forced into entering any password, let alone bloody stupid ones that must have a lower case letter, an upper case letter, a number and a special character and can only be 10 characters long WHEN NO PASSWORD IS REALLY NEEDED AT ALL!

          1. Mr D Spenser

            Re: 'something you have'

            Not sure why this is getting the down votes

            I agree with strong passwords and MFA when the information is important enough to protect

            Having to login to your "free" account to see sports scores is just stupid.

            I have no problems with sites using ads to generate revenue to provide me with information. I do have a problem with sites that have decided to generate their income by participating in commercial surveillance.

            What better tracker than an ID that has been authenticated. I bet tracking companies will pay a premium for that information.

            1. Anonymous Coward

              Re: 'something you have'

              @Mr D Spenser

              So why are you bothering with this site? There are at least 3 trackers here

              Doubleclick.net - Google-analytics.com - Googletagmanager.com

              There are probably more. That is just what my browser has blocked. My other ad blocker will probably find more.

          2. batfink

            Re: 'something you have'

            And of course they won't tell you what the requirements ARE, and will just give you a message saying "this password doesn't meet our minimum requirements".

      2. John_3_16
        Trollface

        Re: 'something you have'

        They buy a lot of lotto tickets? Voted for Trump 2 or 3 times? Lost homes & relatives in flood plains? Lost relatives right after they shouted, "Hey, everybody, watch this!"? Sent a lot of money to African scammers? Etc. Etc. Fools & anything they have are soon parted...

    3. Anonymous Coward

      Re: 'something you have'

      "The base for my passwords is 14 characters long, in a European language I don't know, and was a friend's made up nickname for himself. And he's dead now and not talking."

      If Facebook gets hacked and the bad guys find out your password is "SvenSøønstrømFacebook", it doesn't take a genius to figure out your Wells Fargo password is "SvenSøønstrømWellsFargo". (Source and victim sites could be any other site including banks, travel, porn, media, whatever)

  3. Doctor Evil
    Unhappy

    Google has been trying really, really hard for a number of years now to get my mobile number. Always denied. Now they've come up with a novel way to force the issue: 3 options for 2SV, 2 of which involve giving them my number and the 3rd of which is unduly onerous. That'll be it for me; I can browse YouTube anonymously (until they disallow that too) and there are alternative throwaway email and other services out there.

    1. jmch Silver badge
      Mushroom

      Yep, this. They also keep nagging me to tell them my date of birth. Eff off, already!

      1. Anonymous Coward Silver badge
        Big Brother

        I gave them my date of birth several years ago. So long ago that I'm not sure that I can remember what fake details I gave them.

        I made sure that I was over 18 at the time, and almost certainly under 100, so that's fewer than 30000 possibilities (and I can exclude my actual DoB from that).

      2. Spacedinvader
        Happy

        Just put the oldest allowed? Google Fit, I was born in 1892, I'm 30cm tall and weigh 100st 13lb...

      3. Barry Rueger

        Just for yucks I actually installed the app that connects to our Samsung stove and it DEMANDED my birth date.

        With WIFI enabled the stove has downloaded a software update and has started playing a really annoying song every time the oven is preheated.

        1. Androgynous Cupboard Silver badge

          I have one of these. Worst user interface I’ve ever seen, which is saying something: a rotary dial, six hard buttons and a touch screen, and in order to cook anything you need a particular sequence of all three. Yet it still wants for an RTC to keep the time when the power cuts. The odds of me letting this horror into my network are a hard zero.

        2. Anonymous Coward

          @Barry Rueger - Sorry but

          You asked for it.

          1. Anonymous Coward

            Re: @Barry Rueger - Sorry but

            @A/C

            Can't upvote you enough. Why do people buy internet connected stuff and then go all surprised when they see the downside. Always assuming there is an upside.

            I don't count being able to control heating, lighting, seeing who is at my door without getting off my fat arse an upside. And if I am on holiday and someone breaks in, I sure as hell don't want to know until I get back home. At least that way my holiday isn't wrecked.

    2. Kane
      Unhappy

      "Google has been trying really, really hard for a number of years now to get my mobile number."

      Yup, they tried this the other day with me on teh tubes. Dropped in username, then password, then a prompt to enter a mobile number appeared for "security purposes".

      Hit back on the browser, started the login process again, no further prompt. I suspect they would expect some pushback from this so have probably scripted this to accommodate for this behaviour, with a log recorded somewhere saying "try again in 3 months" or some such.

    3. Cuddles

      "3 options for 2SV, 2 of which involve giving them my number and the 3rd of which is unduly onerous"

      Are you sure? The three options I see mentioned in the article are SMS, an authenticator app, or a hardware key. Only the first of those involves your phone number. OATH-based authenticator apps don't need your phone number or any other personal information, and there are a variety available from non-Google sources.

      I really wouldn't consider a hardware key particularly onerous either. Sure, it's an extra thing to carry around and/or lose, but if you just stick it on a keyring or in a wallet it can actually save a fair bit of time since you don't need to faff around reading and typing in authentication codes.

      1. Anonymous Coward

        2SV makes hacking accounts harder but the hack is much more reliable when I succeed.

      2. Grikath
        Facepalm

        You mean carrying an actual, physical thing with you that can get lost, stolen, damaged....And which gives Access To All Your Stuffz..

        Brillant Idea!! Stellar!!

        1. Cuddles

          Well yes. Something you know, something you have, something you are. Those are generally the three main categories that can be used for MFA. The thing about the "something you have" part is that it requires you to have something. It's truly baffling how many people here seem to think that adding additional layers of security somehow makes things less secure.

      3. John Brown (no body) Silver badge

        "OATH-based authenticator apps don't need your phone number or any other personal information, and there are a variety available from non-Google sources."

        But the vast majority of people will assume that if Google wants you to use an authenticator app, then only the Google one will work. No doubt the Google page telling you to install an authenticator app will strongly encourage this belief too. I wonder which permissions the Google authenticator app will ask for "for your security"?

        1. Cuddles

          "I wonder which permissions the Google authenticator app will ask for "for your security"?"

          Camera. That's it. It still mostly works fine if you deny that, but it's required for setting up MFA using a QR code.

          1. John Brown (no body) Silver badge

            "Camera. That's it."

            For now...<plays ominous sepulchral music>

    4. John Brown (no body) Silver badge

      "That'll be it for me; I can browse YouTube anonymously (until they disallow that too) and there are alternative throwaway email and other services out there."

      The only problem there is that Google won't let you watch YouTube videos they deign to be of "adult" nature unless you log in. By "adult", you have to think like a USAian. All the blood, gore and violence you could ever want is open to anyone who wants to watch, but if there's a hint of the "wrong" bit of skin, then you must be signed in and prove you are over 18. I could quite easily imagine that the bar for non-adult videos can and will be adjusted to make it more convenient to be signed in rather than not.

  4. Chet Mannly

    Nothing to do with forcing people to hand over their phone numbers right?

    It's obviously for security purposes, not so that they can force people that haven't already to hand over their phone numbers as well as all the other data they have on you...

    1. Chris G

      Re: Nothing to do with forcing people to hand over their phone numbers right?

      As I mentioned a while back, a video I wanted to look at was rated 18+ because it was reporting on an incident with graphic violence. They wanted my credit card details!

      There is a world full of media out there, both entertaining and informative that doesn't need a bloody signature, so Google can fuck off!

      Google et al have their own best interests at heart several orders of magnitude higher than the interests of their users, unless it is going to impinge on profits, in which case refer to 'own best interests'.

  5. Barry Rueger

    Mandated? No thanks.

    “The answer is usability,” he said. “It’s about how many people would we drive out if we force them to use additional security.”

    I've already started dropping sites that demand too many hoops to jump through. And I honestly suspect that is much more about theater than real security.

    I'm a big boy. I can read. I can decide how much, or how little, security is needed on a given site. 99% of the time I'm comfortable with a giant kickass password that should be unguessable.

    At least until the site manages to have their user database appear on HaveYouBeenPowned?

    1. Doctor Syntax Silver badge

      Re: Mandated? No thanks.

      One hoop too many is demanding the set up of an account for a one-off purchase or maybe not even a purchase (yes, BBC with iPlayer, this includes you) but demanding a user ID for no good reason at all.

      1. Anonymous Coward

        Re: Mandated? No thanks.

        "yes, BBC with iPlayer, this includes you"

        If you follow a BBC News page link to a BBC radio programme - it then insists you sign in to listen to it. That is in spite of BBC radio programmes being public free-to-air for several decades now.

  6. Randesigner

    Convenient?

    "so we are working on technologies that provide a convenient, secure authentication experience"

    So, like captcha?

    1. Anonymous Coward

      Re: Convenient?

      Which of these people do you not know - click any strangers.

      1. Anonymous Coward

        Re: Convenient?

        Oh fuck!

  7. Anonymous Coward

    Telephone numbers are not credentials

    A telephone number is a mapping in a database accessible to hundreds of thousands of minimum-wage telco tech support and retail employees around the globe, many of whom will happily change that mapping for a few hundred bucks -- and have, in numerous well-publicised incidents. Control of a number provides absolutely zero proof of identity, and was never intended to do so. Hardware keys are in principle a little better but they are invariably riddled with firmware bugs and far too easily lost, and remain a niche product of interest mainly to engineers and security researchers. More fundamentally, passwords align responsibility for account security (by choosing and managing passwords wisely or foolishly) with ownership of the account's data, while typical 2FA mechanisms delegate that responsibility to unaccountable third parties with no incentive to maintain security. Worst of all, the "secondary" authn method is usually allowed to trigger a password reset, making it effectively the sole authn method.

    It has become an article of faith that "passwords provide poor security". In one sense that's true: it has been amply proven that many people do not use them effectively, are highly resistant to education, and under those circumstances get very little security from them. In another sense, however, it's false: for account owners who do follow sound password management practices, guessing the password or obtaining it from the account owner -- whether directly or by use of a key logger or similar malware -- become significantly more difficult and costly than other attacks against that account. Since the purpose of any security measure is to render some classes of attacks not worthwhile to or beyond the capabilities of some threat actors, passwords are in fact an effective security measure for those account owners. They may or may not be sufficient, but account owners who know they are high-value targets will almost certainly prefer passwords to the weak "2FA" alternatives that are widely used, which create ready opportunities for cost-effective attacks via third parties unaccountable to the owner. The reason passwords are attacked so frequently is that for attackers looking merely for targets of opportunity, they are the lowest-cost attack vector. Targets of opportunity are almost always of low value, so passwords are actually a reasonably effective mechanism when considered in the context of the assets to be protected and the threat landscape. Assets too valuable to be protected by passwords are likely also too valuable to be protected by a Google account, regardless of the authn methods used to access that account.

    There are more secure systems, but all require specialised hardware, software, training, and/or physical security measures to use effectively, and are less convenient. Most members of the general public -- the target market for Google's services -- are not willing to accept a system with those attributes. That's probably rational: again, if you need more security than good passwords can provide, you probably also need more security than you would trust Google to provide. Moreover, it is highly unlikely that the same people who have proven incapable of good password hygiene would prove any more adept at using a more complex security system. Depending upon the choices made by the designers of that system, they will quickly be locked out permanently, stop using the protected system altogether, or bypass the security measures. One can argue that all of these are merely engineering challenges that have yet to be solved, but whether they are unsolved or insoluble makes little difference. Passwords in fact remain the best available solution for this type of service and target market. Account owners must choose their passwords and password management practices in accordance with the value of their assets and anticipated threat model. Taking that choice out of their hands reduces security for high-value targets while focusing protective measures on the lowest-value assets.

    1. LybsterRoy Silver badge

      Re: Telephone numbers are not credentials

      I think you said "passwords good 2FA bad" but with all the accompanying verbiage I'm not sure.

      1. Doctor Syntax Silver badge

        Re: Telephone numbers are not credentials

        I think he said "If you use 2FA whoever's got hold of your phone is effectively you".

  8. Anonymous Coward

    Eh

    So for most of us, is YouTube really so important and so linked into the intricacies of our lives that our accounts there need to be considered "high security"? I mean, wow, the list of Youtube videos I've watched for the past 10+ years is mostly a sad reflection on my life, not something I'd worry about in the least if world+dog were to find it out. ShopdogSam, TubalCain, AvE, Abom76. Boring machining videos. And lately some of that Davy guy who plays bass. So what? That knowledge really, REALLY needs to be kept secret? I could see this being an issue for content-creators/providers who are making $ off the videos they post and possibly have bank accounts tied to their Youtube account, but those of us on the consumer-side, who really gives a damn?

    And my Google account? who gives a shit? Take it, play with it, send spam from it. I don't care, it's disposable if need be. It needs about as much security as the water hose in my front lawn.

    This seems more like Google is trying to remind everyone that Google is "important" to their lives, so their grubby little accounts need to be more highly secured. That, and Google REALLY wants to harvest those last 5 million mobile numbers they don't yet have.

    1. Anonymous Coward
      Anonymous Coward

      Re: Eh

      Your Youtube account most likely isn't in need of high security, so it's good fortune that nobody was daft enough to enforce a one-account system that tied say your YT, email, docs, and whatever else Google flings into the face of people into a single account.

      1. Kevin Johnston

        Re: Eh

        My Google account exists purely because I have an Android device where it is a pre-requisite but the only usage for the account is to fire up that device (and presumably track any activity etc etc..paranoid? Moi?)

        Almost all of my real internet activity is done on a Linux box through either Firefox or Opera with the usual Ghostery/No-Script style blockers and if that means I cannot use YouTube then I consider that a bonus.

        1. Anonymous Coward
          Anonymous Coward

          Re: Eh

          You don't need a Google account to use Android.

          I have a recent Samsung phone which is perfectly operational without either a Google or a Samsung account. I get my apps from either APKpure or Fdroid.

        2. Anonymous Coward
          Anonymous Coward

          @Kevin Johnston - Re: Eh

          Over the past decade, all my Android phones were Googleless. Yep, no account at all. I always told the salesperson that I will configure the Google account when I get home 'cause now I'm in a hurry.

      2. Anonymous Coward
        Anonymous Coward

        Re: Eh

        Yeah, only a daft monopolist would do such a thing.

        Wait, are we talking about Microsoft or Google?

    2. Dan 55 Silver badge

      Re: Eh

      If you make money off of YouTube you probably don't want to lose control of your account.

      1. Graham Cobb Silver badge

        Re: Eh

        Sure. And I tolerate much more security on my work account for the same reason. But, in case you haven't noticed, there are far fewer creators on YT than there are consumers!

        1. Dan 55 Silver badge

          Re: Eh

          I'm not sure how many creators YT has, but 2 million as mentioned in TFA sounds reasonable.

  9. Missing Semicolon Silver badge

    Finally...

    .. they get to break IMAP4 enough to ensure nobody bothers with it, so we are forced to "engage" with gmail on Chrome.

    1. Joe W Silver badge

      Re: Finally...

      This.

      This is what my first thought was as well.

  10. Mahhn

    2SV = Two Step Viper (Venture Bros)

    Sorry goog, you can't have my phone number, since I don't have one of my own (carry a work phone). You can have the Email back and youtube is as much commercials as it is anything - heck I remember watching things on YT to avoid commercials, back in the day lol.

    All good things come to an end.

    Thanks for the heads up Reg, I'm backing up my address book today to avoid losing contacts :)

    1. John Brown (no body) Silver badge

      Re: 2SV = Two Step Viper (Venture Bros)

      Same here. Never have I owned my own mobile phone. I've had a work provided one for over 20 years now.

  11. batfink

    Credit Card numbers?

    I had an email (allegedly) from Google that stated that they wanted either my credit card details or a photo of my driver's licence/passport to establish that it was me, in order to "validate" a couple of my various gmail accounts. I immediately assumed it was a scam, but it wouldn't surprise me if Google was actually trying to harvest that information. Anyone else had this?

    Ignored it, either way.

  12. petef

    1½SV

    This is likely to be 1½FA in practice. If your phone is compromised, e.g. stolen, then it will likely be able to disclose emails, texts, etc. So these "extra" factors are nothing of the sort.

  13. Anonymous Coward
    Anonymous Coward

    " ... The idea being that if someone learns of or guesses your password, they also need to get something else off you, like your unlocked phone or hardware key. "

    I'm not so sure it needs to be unlocked - "7 Methods to Hack/Bypass Android lock screen Pin/Pattern/Password" [ drphone dot wondershare dot com ]

    If a stolen pin-locked phone can be unlocked then having 2FA as Authenticator on the same phone is worse than useless. Also if the mail account used on that phone can be used for SMS authentication, ouch.

    I do use Authenticator but on an older offline phone (no sim, bt and wifi turned off always) used for nothing else. Also, my regular Android phone has a dedicated google email account that isn't used for any other purpose.

    Which all means a lot of inconvenience, e.g., no bank balance checks and transfers on the road. Possible for me because I grew up when that wasn't possible anyway.

  14. John_3_16
    Facepalm

    PWs are as strong as...

    Flood after flood, folks still build their homes on the shores & islands of flood/storm plains. Year after year, they get killed & lose all of their property. Then, survivors, on TV, boldly declare they will stupidly rebuild. Fools soon lose everything. Google has been fleecing a lot of fools for a long time now. You can't protect someone willing to live in a trailer on the beach on the southern tip of Florida below high tide. Like strong PWs, 2FA only works for those who create strong ones. And each of their accounts has a unique one. Who gives the dark net more access than anyone to security & personal data of the common folk? Corps like Google. Governments. Hacks constantly gaining millions of folks' data several times a year. 2FA will not protect you once they have the data needed to become you.

    I only use 2FA for sites that force me to. I have one email service I actually use & 3 others as backup when each one locks me out due to their security errors. And 2FA. I WILL NOT give any of them my phone numbers or home address. NOT my birthday. Hackers & spammers don't need it. THAT is who gains the most from players like Google & Facebook.

    What is 2SV? Google trying to rewrite & own 2FA? Read the other day about rich criminals & large Tech companies buying up huge chunks of the privacy market companies. They have their own PR companies. They have their own "comment" armies. Example. They buy 4 or 5 VPN providers. They continue to promote the protections provided. Their PR firm(s) & commenters back up the claims. They use their own audit firm to confirm the lies. What does an honest person looking for a VPN do? The crooks & spammers (U know who I mean), are backdooring & harvesting all of the data before it gets encrypted & passed on. And you don't have a clue because of the hype. It has already happened. Facebook & Google & all the others only care about more money & power.

    Good read: https://blog.windscribe.com/consolidation-of-the-vpn-industry-spells-trouble-for-the-consumer-57e638634cf0/

    Stay safe & God bless... John_III_XVI

  15. Jonjonz

    Giving away more of your private information to increase security?

    Sounds like an oxymoron to me.

  16. D. Evans

    Recovery?

    The major reasons for lack of uptake on 2FA systems by the mug punters are:

    1. Lack of recovery when access is lost. Most people using something like Google Authenticator only have access on one phone. Lose the device, lose access. My wife and I are back-ups for each other, but how many people have that luxury?

    2. Synchronization when changing devices. Have you tried recovering or moving Google Authenticator to a new handset? Ouch.

    3. Cost of hardware specific devices. I'm looking at YubiKey, and you still need to have a back-up device.

    Until people can share keys (as in a family, as that's how most families work), and the above issues are addressed, the resistance to any 2FA system will continue.
