back to article Google will make you use two-step verification to login

Google has marked World Password Day by declaring "passwords are the single biggest threat to your online security," and announcing plans to automatically add multi-step authentication to its users' accounts. A mere eight years after Intel began promoting World Password Day as a way to raise awareness about the importance of …

  1. Blackjack Silver badge

    SMS are even more unsafe that emails so I will resist for as long as I can.

    1. Cynic_999

      SMS is easily spoofed, but that is not a problem when using it for 2FA. In that case the attack vector would be to *intercept* an SMS message. This can be done (by transferring the target cellphone number to a different SIM), but not easily, quickly or undetectably. The same is true of emails - easy to spoof, but far more difficult to intercept (especially if using a private/company email address & server rather than a web-based public server).

      1. Anonymous Coward
        Anonymous Coward

        Like GMail?

      2. This post has been deleted by its author

      3. rcxb Silver badge

        Actually intercepting someone's SMS messages can be done quickly, easy, and undetectably:

        https://www.vice.com/en/article/y3g8wb/hacker-got-my-texts-16-dollars-sakari-netnumber

      4. Pascal

        "The same is true of emails - easy to spoof, but far more difficult to intercept (especially if using a private/company email address & server rather than a web-based public server)"

        You are saying it's easier to steal email content from a specific email account hosted at Google than from the average, halfass-configured corpo mail server that is most likely something installed 10 years ago and left unimproved?

        1. Cynic_999

          "

          You are saying it's easier to steal email content from a specific email account hosted at Google than from the average, halfass-configured corpo mail server that is most likely something installed 10 years ago and left unimproved?

          "

          If the private email server is only accessible from within a corporate LAN, then yes.

    2. The_Idiot

      It's not just...

      ... that SMS is potentially unsafe. what happens when your phone service is for a long or short period, unavailable? Is there a single cell service that has never, ever suffered an outage? Whether for a short of long period? That has never suffered _multiple_ outages over the life of a single user-contract? I don't have figures, but I wouldn;t bet on such a unicorn existing... and no phone/ no SMS/ no 2FA/ no access may not be quite as poetic and shoes, short service, but could have more impact.

  2. AndrewV

    Before they make it mandatory, they need to develop a universally accessible method.

    I'm quadriplegic, and use my chin to type.

    I can't check a phone.

    I can't press a button like the ones on usb security keys.

    I could probably hack together a fix, but I'm a coder. Most disabled people aren't, and shouldn't have to be to use online resources.

    1. IfYouInsist

      There are ordinary desktop tools equivalent to the Google Authenticator. For Linux there's oathtool (https://www.nongnu.org/oath-toolkit/oathtool.1.html or your distro's package repository) and for Windows there's t2otp (https://www.token2.com/shop/page/t2otp-exe-command-line-totp-generator). Presumably there's something for the Apple crowd as well but I wouldn't know.

      1. AndrewV

        Thank you!

        1. BillD

          There's also https://authy.com/ which synchronises across platforms.

          1. Anonymous Coward
            Anonymous Coward

            I didn't like Authy

            It sounded good but if I remember right, at the time this February, had little or no good instructions. More of a it's so easy it just works... or something like that.

            So I set it up wrong, or at least it seemed that way. And due to no good help, I couldn't figure out how to fix it. So I deleted my account. It was nice that it gave me a month to reconsider the account deletion. ;-)

            1. Anonymous Coward
              Anonymous Coward

              Re: I didn't like Authy

              Yes, it works if you are lucky, and puts you in 2FA Hell if you are unlucky. I certainly hope there is a way to opt out with Google, because once I foolishly fell for their gubbins and tried to switch to 2FA - and it took me a week to get things working again. Sheer Bloody Heck.

      2. John PM Chappell
        Thumb Up

        You, sir, are a gent.

        That is all :)

  3. WolfFan Silver badge

    What about just plain Gmail?

    Will that require 2FA as well? I foresee… problems… if so.

    1. tfewster
      Facepalm

      Re: What about just plain Gmail?

      It appears to me that Gmail already uses 2FA - the device you log in from is also a factor*. Because they send me a warning email if I log in from a new phone or computer.

      So they could enforce 2FA at the point I log in from a new device. Which would be spectacularly unhelpful if my phone is stolen when I'm away from home as I wouldn't be able to register a replacement.

      * Of course, as my username/password will be stored on the device to log in to Gmail automatically, it's only 1 factor in use 99% of the time

      1. The Oncoming Scorn Silver badge
        Big Brother

        Re: What about just plain Gmail?

        Annoying that they shoot reminders about plane tickets & departures etc to a certain destination, but once there with your normal device, they scream about your being in a non-familiar location.

        1. Yes Me Silver badge
          Go

          Re: What about just plain Gmail?

          https://www.google.com/accounts/DisplayUnlockCaptcha is your friend, unless they bugger that up with the 2FA nonsense.

        2. Robert2coffee

          Re: What about just plain Gmail?

          If you have 2FA this does not happen at all...

      2. DS999 Silver badge

        Re: What about just plain Gmail?

        the device you log in from is also a factor

        Which is implemented using a cookie, or cookie like browser storage. Hardly a useful second factor when it is so easy for other sites to lift those off a browser.

    2. Anonymous Coward
      Anonymous Coward

      Re: What about just plain Gmail?

      Problems indeed -- especially with those of us who use imap from a desktop.

  4. Anonymous Coward
    Anonymous Coward

    Share my phone number?

    With Google et al?

    I think not.

    1. Graham Cobb Silver badge

      Re: Share my phone number?

      Indeed. I have a few Google accounts which I only ever use for limited, specific purposes. None of them have a phone number associated. If they needed an email address to set up then that was a one-time or other no longer existing address.

      I won't supply a phone number or use a non-open-source app. But I would be happy to use an open OTP generator like the one I use for remote access to my personal cloud server.

      1. John Brown (no body) Silver badge

        Re: Share my phone number?

        "Indeed. I have a few Google accounts which I only ever use for limited, specific purposes."

        Exactly this! Seperate accounts for different usage. Of course we don't want them linked in any way, most especially by a common phone number. There are usually reasons people want different, unrelated, unlinkable accounts.

    2. Imhotep

      Re: Share my phone number?

      Google is the primary security risk that I encounter. Give them my mobile number? I don't think so.

      I moved to a paid email account several years ago. The 'dead' gmail account only receives spam.

    3. ecofeco Silver badge

      Re: Share my phone number?

      Exactly. I have to give my phone number to far too many places as it is and the amount of spam calls I get has long since forced me years ago to stop answering my phone if there no caller ID.

      Which is more than inconvenient. It has also been costly.

  5. Notas Badoff

    You've crossed the line

    How does this work if I go travel to other lands and have to use local sims for internet. What if I have to use a locally acquired mobile? Doesn't that mean I've changed too many things to be recognized?

    1. Chewi

      Re: You've crossed the line

      I may be misunderstanding here as the article isn't clear but if existing TOTP 2FA is still sufficient then that can be done entirely offline.

  6. G R Goslin

    Are these people real?

    I live in an area, so far ignored by 2g, 3g,4g and 5g, so my chances of a second factor coming to my 'phone anytime soon is a bit remote. I keep all my passwords on the Word (Psion) application on a twenty odd year old Psion netBook, which is almost never connected to the 'net. At the last count, it ran to 28 pages of A4, at four lines to an entry, for the most part. Admittedly, a whole lot of these entries are obsolete, Like the Daily Telegraph online crossword, which I gave up when they started to charge an exorbitant for an account. Everyone and their dog is requiring an acount with password. Very few of them can agree on how the password shall be constructed.Never forget that he simplest way to crack a password, is to crack the owner of the password. Usually with a big stick..A cheap and very low tech solution. I once tried to get an account on a hardware forum, for something I was using. After a couple of hours having passwords rejected. Even hitting keys at random did not generate a viable password, I decided that the manufacturer did not want people on his forum, and gave up.

    1. Short Fat Bald Hairy Man

      Re: Are these people real?

      They are real. Real shits.

    2. Doctor Syntax Silver badge

      Re: Are these people real?

      The question to ask is why do these bastards want a password? If it's to protect my interests then I'll use a random string of characters and let KeePass do the heavy lifting. If it's for some arcane purposes of their own (hello iPlayer BBC Sounds) it gets Passw0rd1 or something appropriate.

      1. iron Silver badge

        Re: Are these people real?

        The correct response to the BBC Sounds app is to uninstall.

    3. Anonymous Coward
      Anonymous Coward

      Re: Are these people real?

      I once registered at a site (don't recall which) but found I couldn't log back in with the password I had picked.

      It turned out that the rules for generating a new password were looser than the rules for the password at login and my password had one (or more) of the illegal traits!

      1. Anonymous Coward
        Anonymous Coward

        Re: illegal password

        My passwords were wrong a different way. I was making them too long for the site. The password setup part would accept the long password, but it only read the number of characters it wanted, and ignored the rest.

        Me, not knowing this, would try to use the longer password I saved to log in and it would reject it as wrong. While trying to work it out with support the second or third time, I finally noticed the password length limit and counted to see that I was over it. I guess a password can be too secure.

    4. FlamingDeath Silver badge

      Re: Are these people real?

      Unfortunately the world we live in, authenticating yourself to identify in some way, that you are you, something is needed, a key, a password, whatever.

      Locks can be picked

      Passwords can be guessed

      Keys can be copied

      Passwords can be copied

      I don't think I need to explain that a higher character space results in higher entropy for the same character length

      Just be thankful that not all websites think its an amazing idea to force its users to type the password in upon account creation, because of some dumbass 'it improves security' reasoning, as Ebay did, not sure if they still do though.

      1. EarthDog

        Re: Are these people real?

        The irony is that anytime they require upper case, lower case, number, special character etc., they are actually restricting the keyspace making it easier to crack.

  7. Paul Hovnanian Silver badge

    Zero Factor Authentication

    I don't use Google stuff other than as an Anonymous Coward.

    They can't steal my password if I don't have one.

  8. Anonymous Coward
    Anonymous Coward

    Another Attempt By Large Corporations To Erode Privacy

    ......along the lines of "We need to know that you are who you say you are".

    *

    So......burner phones become increasingly necessary for those of us who masquerade as AC.

    *

    Sometimes I'm "Howard Beale".....sometimes "Thomas Beale".....but always contactable on a burner!

    *

    On a related subject, I'm curious about the threat of legislation to restrict access to internet resources based on the age of the person hitting the keys. How precisely will ISPs make sure that Thomas Beale is over eighteen? Maybe this Google move is a step in the direction of "age snooping".......in addition to all the other hoovering going on. I think we should be told!

    1. RobThBay

      Re: Another Attempt By Large Corporations To Erode Privacy

      Age snooping. I've been getting hassled by google lately that I *must* give them my birthdate to continue using their calendar.

      I give all these services the absolute minimum amount of personal info.

      1. WolfFan Silver badge

        Re: Another Attempt By Large Corporations To Erode Privacy

        I find that entering 31 December 1969 when idiots who demand a birthdate can be quite useful. 16 July 1969 and 13 April 1970 work well, to. One of them is even two digits off from my real birthdate…

        1. Anonymous Coward
          Anonymous Coward

          Re: Another Attempt By Large Corporations To Erode Privacy

          I use 1st October 1919 for my Google birthday, easy to remember ... 191919

        2. -tim
          Facepalm

          Re: Another Attempt By Large Corporations To Erode Privacy

          I tend to use 29 Feb with an odd year for any site that is willing to take it.

    2. John Brown (no body) Silver badge

      Re: Another Attempt By Large Corporations To Erode Privacy

      "How precisely will ISPs make sure that Thomas Beale is over eighteen? "

      YouTube already require age verification before they let you watch age-restricted content. Enter your credit card number or send them a scan/photo of your driving licence or passport. All this means to me is that I can't watch age restricted videos on YouTube because they are not getting my card number, driving licence or passport details. Not ever.

      Of course, it seems to be primarily a US based age restriction system. Any possibility of a nipple show and it's age restricted. Violence and stupid gun stunts, on the other hand, doesn't seem to attract the age-restriction Police quite so much.

      I'm not sure just how old my YouTube account is now. Maybe when the account is 18 years old it will be de-restricted based on the fact that I, the owner of the account, MUST be over 18 by then :-)

    3. Anonymous Coward
      Anonymous Coward

      Re: Another Attempt By Large Corporations To Erode Privacy

      "restrict access to internet resources based on the age of the person hitting the keys"

      I don't need Google to find porn and gore. I can find much better without their help.

      My Google account (which I rarely use) has a DOB of 2006. So I'm 15 years old, protected by a bunch of kid safety laws and not capable of entering into a contract should I click "Agree".

    4. Anonymous Coward
      Anonymous Coward

      Re: Another Attempt By Large Corporations To Erode Privacy

      Sorry.....pedantry warning!

      *

      The point being made is about the identity of the actual physical person using the laptop/tablet/phone.

      *

      It's not about the data stored on the ISP database which says that Account = 123456 and DOB = 1969-12-31.

      *

      So......how do legislators think that ISPs will be able to prevent underage folk using (for example) their parent's accounts? Perhaps the idea is that all user access will be via a video-based login session, so that the ISP will use AI and facial recognition to validate the age of the physical person? Perhaps the AI will be able to tell the difference (for example) between a real parent.....and a photograph of a real parent held in front of the camera? Maybe add voice recognition into the mix? .....and so on.

      *

      And of course, if this hypothetical scenario is the one that legislators have in mind......how many people will be prepared to hand over to the ISP video and audio in addition to name, DOB and so on....in order to get an "approved" account?

      *

      .......which is then hijacked by bad actors to do bad things in someone else's name?

      *

      I think the legislators need to tell us in detail how these age limits will ACTUALLY be implemented!

  9. steviebuk Silver badge

    Don't force it

    We already struggled to get the multiskilled operators (painters, decorators, builders) and the grounds team to use the tablets and phones & we're fully aware passwords aren't secure but if 2fa gets in the way, they'll be even more annoyed.

    We have 2fa setup on 365 for the office workers but its fucking flacky. It will randomly decide a laptop that has office 2016, the Outlook 2016 isn't a "modern app" (it is) so doesn't understand 2fa so needs the one time password instead. It will randomly decide the mobile you're using needs a 2fa check and refuses to pass it despite nothing being fucking wrong. Turn off 2fa, log them in, turn 2fa back on and all fine.

    I understand the need for 2fa just make it simple and make it fucking work.

    1. FlamingDeath Silver badge

      Re: Don't force it

      Microsoft are bellends, everything they do usually ends up a disaster

      Installing Office 2010, it tells you the telephone activation service is discontinued

      But it isn't, cos I used it. They (microsoft) describe this an as error, though they don't mention if its a computer error, or a corporate error

      https://support.microsoft.com/en-us/topic/-telephone-activation-is-no-longer-supported-for-your-product-error-when-activating-office-9b016cd2-0811-4cb3-b896-5a6a13177713

      Aren't tech firms amazing?

      1. steviebuk Silver badge

        Re: Don't force it

        You should watch Mark Russinovich's Case Of the Unexplained talks. He's now head of Azure but even when he was just a Technical Fellow in Microsoft he'd always take a dig at the Office Team. He even used his tools to find a bug in the Office Suite told them about it but they still told him to report it properly as a bug. So despite how high up he was, even he couldn't get the Office Team to listen to him.

        I do understand however, it was a bit of jossing but still feels like the Office Team possibly don't listen much.

  10. Big_Boomer Silver badge

    Usability?

    2fa is fine, but when you have to repeatedly login to multiple sites several times per day (they all timeout after 15-30 mins) then it becomes a royal PITA. Once again the addition of more security will result in more work for the user. When does this end? When the user can no longer login will it finally be considered secure?

    I remember when Single-Sign-On was gonna be the next big thing and it would make all of our lives easier, but it never happened because we migrated everything to the bloody cloud and now we have to login and enter single use codes more than we ever had to when it was all hosted in house.

    1. Doctor Syntax Silver badge

      Re: Usability?

      "Once again the addition of more security will result in more work for the user."

      Translate that to "the most minimal password the user can contrive".

    2. FlamingDeath Silver badge

      Re: Usability?

      The most secure computers I know of are are still in their boxes, unplugged

      1. John Brown (no body) Silver badge
        Black Helicopters

        Re: Usability?

        Are they fully assembled and ready to use if you plug them in? Better play safe and remove anything that can be removed and store them in separate boxes. In separate buildings. On separate continents. Now THAT is secure :-)

        Or drop them in an industrial shredder :-)

  11. PerlyKing

    Google password security

    On the subject of Google and passwords, are they leaking like a sieve or am I just unlucky? About three or four times a year I get a Google security alert telling me that someone else knows my randomly generated, 20 character password. I haven't told anyone, so what's going on?

    1. Anonymous Coward
      Anonymous Coward

      Re: so what's going on?

      It's spam email attempting to get you to trigger a password change? I have a google account (for youtube playlists) I don't get these emails.

      1. PerlyKing

        Re: so what's going on?

        It's not just email, I also get an alert through the Google security app (whatever it's called).

        1. Mage Silver badge
          Big Brother

          Re: I also get an alert through the Google security app

          They will do that warning, that "someone else [may have] used your password, when it was actually you, but the IP address changed. Or you switched browser.

          The email client here triggers it when the ISP occasionally changes the IP address.

          See also Steam's paranoid security where EVERY different browser or PC on the same external IP, with a massive big long unique password generates an SMS message. Or requires doing a Google Captcha, which is missing from the Win7 client, so changing account stuff on that fails.

          It's also a problem if an ISP simply deletes all the email addresses and you forgot about site XXX.

          Never mind flat batteries, disabled SIMs due to lack of use, or out of coverage (maybe a Faraday shield type room).

          Passwords are not a problem. It's service providers leaking them or users using the same ones or simple ones. I only remember two passwords. The non-important ones are stored in browser and all are in a backed up address book, never in laptop bag and only taken ever to one other off site location.

          Google wants our phone numbers and to know who all the accounts belong to. Now impossible to have separate Google accounts without Google knowing it's the same person. They are not a fit company to "own" Android or provide any service other than advertising.

    2. iron Silver badge

      Re: Google password security

      I have a 20-something character Google password that hasn't changed since the day I set it up. I have never seen a security alert like that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Google password security

        my password is ~64 chars, randomly generated, and I HAVE recieved the alerts.

    3. Graham Cobb Silver badge

      Re: Google password security

      Maybe just means that your email address appeared on one of the Pwned lists and they assume you reuse passwords on multiple sites because so many people do?

    4. vtcodger Silver badge

      Re: Google password security

      You're getting security related emails from Google that you can understand? How? I get emails from them every now and then offering to help me enhance my security. But their missives quickly deteriorate into a jumble of incomprehensible phraseology that makes no sense whatsoever.

      I ignore them.

      I'd probably ignore them even if I understood them.

  12. Blofeld's Cat
    Devil

    Er ...

    I commonly reuse passwords on sites where I will probably not be coming back, and shouldn't really need to set up an account in the first place.

    This usually happens where I am researching something like opening times or prices, but the company will not tell me unless I create an account first.

    In such cases no real financial or personal information is ever given, the mailbox concerned is only used for "confirm your email" messages, and gets auto-deleted unread after 48 hours.

    If it turns out that I will be turning a casual enquiry into something more solid, then a proper email address and password gets generated and recorded.

    I recently had to create an account just to find out when and if the local authority Swimming Pool Leisure Centre "Wellbeing Center" [sic] was reopening.

    And, no, I don't want to "like" my experience on Facebook, or become a "friend" of your refuse collection department.

    1. Boothy

      Re: Er ...

      Quote: "I recently had to create an account just to find out when and if the local authority Swimming Pool Leisure Centre "Wellbeing Center" [sic] was reopening."

      Would that come under GDPR? Just curious.

      Happy to be corrected, but I though one of the rules of GDPR was that you can only mandate asking for PII (name, email address etc), if it's actually data required to provide the service or function. That data (assuming any of it, is asked for during account creation of course) isn't needed simply to display opening times.

      1. damiandixon

        Re: Er ...

        Gdpr only applies in some jurisdictions.

        It's a pain to implement even for the most trivial things such as a membership list for a youth group where you need name, age, emergency contacts and some medical information.

        The amount of paperwork generated and thus time and resources consumed is out of all proportion for volunteer organisations.

        Gdpr needs to be simplified and made a lot easier to understand and comply with.

  13. fpx
    Devil

    I have multiple GMail accounts and clean my browser cookies when switching between sessions.

    Forcing me to enter a mobile phone number will finally allow them to track me across my multiple identities. How convenient for them!

    Sure, they might already fingerprint my browser to track me, but that only gives them probability, not certainty.

    1. David 132 Silver badge
      FAIL

      I have kind of the opposite problem. I have two Amazon accounts - one personal tied to my gmail address, and one for work, tied to my corporate email. The latter is linked to my cellphone (which is a personal phone, but company funded) for 2FA.

      On my personal Amazon account, I'm forever being nagged to set up 2FA. So I enter my cellphone number - and get told "nope, this number is already linked to an Amazon account" (duh, yes, my second account).

      It's apparently beyond Amazon's ken that anyone might conceivably have two accounts. Despite them being the ones who aggressively pushed my company into forcing us all to switch to corporate Amazon accounts in the first place (where the pricing is higher, but hey, someone somewhere is getting a kick-back I'm sure).

  14. Martin an gof Silver badge

    Google classroom?

    Will this also apply to Classroom? It's supposed to be isolated but seems to send details 'outside' - for example, Youtube gets age information from a Classroom account even if no account exists for YT.

    How will 2FA work for these children? Particularly where they might not have a mobile phone? Is it going to be something that can be turned off?

    M.

    1. Dan 55 Silver badge

      Re: Google classroom?

      I guess enterprise and educational accounts will be managed by the organization, as they are now.

  15. mark l 2 Silver badge

    I keep getting a Google notification on my phone telling me that I have to provide them with my date of birth to allow Google to 'comply with the law'.

    I keep dismissing it because I don't want to give Google any more information then they already have.

    I just don't trust that Google won't be using 2FA for their own tracking and advert pushing purposes more than for anything security related.

    1. Doctor Syntax Silver badge

      I finally gave them the start of the Unix epoch and it kept them quiet. If enough people did that maybe they'd get the message that they're being treated with exactly the amount of respect they deserve.

    2. iron Silver badge

      That is for legal reasons, they need proof of age for Google Play. Just give them 1st Jan of the year you were born or something like that.

      1. Graham Cobb Silver badge

        I did something similar (I think I gave the right date and month but 10 years before) with another site (not Google). Some years later, the site sold themselves to a financial institution (although not being a financial service themselves) and the account was automatically converted to an account on the financial institution.

        Well, financial institutions take DoB much more seriously ("know your customer" etc). The next time I tried to log in it asked me for my DoB as part of the login. I had completely forgotten I had made up one for the original site and tried to log in with my real DoB. It didn't work.

        The customer service person was very helpful but very surprised that my DoB in the system was "wrong"! After all, normally they have verified that as part of their setup process. I explained that my account had come from the acquisition and he was very willing to believe that the company they had acquired were useless enough to have got my DoB wrong! It did take him escalating a couple of levels to be able to fix it, though :-)

        1. David 132 Silver badge
          Happy

          The customer service person was very helpful but very surprised that my DoB in the system was "wrong"

          Shoulda just told them, with a straight face, that your DoB had changed because you were a born-again Christian.

          1. This post has been deleted by its author

            1. Anonymous Coward
              Anonymous Coward

              I've ben giving out a false birth date since aged six. We have a birthday tradition here called 'the dumps', where everyone can beat you on your back the number of years you have lived. Until midday for some reason. My birthday was close to the school holidays so I moved it into the school holidays to avoid the beatings.

      2. Anonymous Coward
        Anonymous Coward

        I've had a pretty useless Google account for years on my phone. It has an obviously false name, a false address and a handful of app purchases which were paid from the balance on a Play top-up card. A month or so it suddenly bugged me for my DOB which like the good doctor above I set to the Unix epoch date. What new law is this which requires them to ask me for it?

        1. Anonymous Coward
          Anonymous Coward

          The same law that makes water flow downhill and join a river.

  16. D@v3

    66 per cent of Americans admit to...

    and what, 30% do it but don't admit to it, would be my guess

  17. FlamingDeath Silver badge
    IT Angle

    This reminded me of a thing that happened quite a while ago

    When 2FA became a thing on google, I adopted early and I remember having to set up an 'ASP' (application specific password) for my '2FA unaware' mail client

    This 'ASP' was entered into the mail client and remained like that, working

    One day, some years later, I decided to refresh and update this 'ASP', so went hunting for the page to do this, alot had changed, the UI, everything

    I found the page, but oddly, no record of any 'ASP', but I could create one

    So I start a google discussion asking whats going on, being a community thing? I got some answers, mostly people accusing me of not knowing what I am doing and I am thick, etc. but eventually after a lot of discussion, descriptions of the issue, people realising that I am not being thick and actually something is borked, someone said it had been passed onto an engineer. I hear nothing at all from then on

    But weirdly, my '2FA unaware' mail client with the original 'ASP' suddenly stopped working. Had a google engineer somehow found this 'ASP' perhaps buried away in some database somewhere, some legacy system no longer attached to the "new shiny UI"?

    I decided that I was not convinced I knew what was going on 'behind the scenes at google', so I left the mail client, as it was, with its original 'ASP'

    2 weeks later, the 'ASP' started working again, it seems it was only temporarily disabled

    So basically, there is an application specific password for my mailbox, which I do not know what it is, and I have no way of managing it, ie deleting it.

    Isn't technology amazing?

  18. a_yank_lurker

    Contrarian Opinion

    The problems with passwords are reuse when they should not be and idiotic password requirements. As a couple have noted, reusing passwords on burner accounts is usually fine. However, as noted, each site with financial information stored on it should have its own, lengthy password. I use a password manager to generate and store passwords locally, they are never stored online. Many sites limit the length of passwords to about 20 characters; I prefer much longer ones.

    The real issue is not 2FA or passwords but that too many conduct all their financial business on a mobile (not necessarily a phone) device in public places. Places that are often not very secure. Also, with devices that can be easily nicked.

    1. DS999 Silver badge

      Re: Contrarian Opinion

      The real issue is not 2FA or passwords but that too many conduct all their financial business on a mobile (not necessarily a phone) device in public places. Places that are often not very secure. Also, with devices that can be easily nicked.

      Why is that a problem? I don't do my banking on my phone at home or in public, but let's say I did in a park while people were walking by. Someone snatches my phone with my banking app open. So what? I can't transfer money out of my bank to a new account without a verification step that automatically sends a few small deposits/credits (random amounts of tens of cents each way canceling out to zero) to the new account and then I have to list those exact figures in order to verify I have access to that other account before the linkage is made and transfers are allowed. The transfers take place overnight, giving me tons of time after my phone is grabbed to contact my bank and put a freeze on any attempts to transfer money out.

      I'd hate to have my phone stolen, but I wouldn't worry at all about someone accessing my banking information even if they stole it with the phone unlocked and banking app open. The worst they could do is see my balance and who I do business with.

      If your banking app allows transferring money to a new account it has never used before, or writing some sort of electronic check to someone it has never written to before, without some type of additional verification or time to allow you to report your phone stolen maybe you need a more secure bank!

      1. Anonymous Coward
        Anonymous Coward

        Re: Contrarian Opinion

        Maybe they could move money from Saving to Checking, and then buy a lot of stuff with another app. I'd rather not have my phone stolen to find out.

        1. DS999 Silver badge

          Re: Contrarian Opinion

          Maybe they could move money from Saving to Checking, and then buy a lot of stuff with another app

          Anyone (at least anyone who lives in the US) dumb enough to use a debit card for online purchases despite the massive disadvantages that has over a credit card deserves what they get. No one could do what you describe to me, because there are zero sites on the internet that have EVER had a debit card number of mine. Nor do I ever use it for in person purchases, for that matter. If my bank could give me a bank card that didn't also double as a debit card I wouldn't even carry one.

      2. a_yank_lurker

        Re: Contrarian Opinion

        I did not mention I only use a wired connection from a desktop when I do any online shopping or financial activities. Call me paranoid but someone is going to have a hard time getting my credentials and there are much easier prey available. It's not that it cannot happen to me, it's just there easier targets than me around.

    2. Anonymous Coward
      Anonymous Coward

      @a_yank_lurker - Re: Contrarian Opinion

      It occurred to me twice that I have been locked out of my email account and each time by the provider.

      First time it was Yahoo that suddenly decided that the device I was using was not being recognized even though I had been using that PC for decades. When forced to do a password recovery I discovered the recovery address I used was with a provider that went out of business. To their credit, Yahoo support was helpful and after some lengthy email exchange I got my access restored.

      Second time, it's Google who locked me out of one of my email accounts because 'it seems somebody knows your password'. How in the world they would be able to tell that, beats me. Each time I'm trying to access it, I receive an email at the recovery email address telling me someone is trying to access my Gmail account (thanks a lot, Google, you're being very helpful). Unfortunately, Google's support is not very helpful at all.

      How can I give my Gmail address to a financial institution knowing very well Google can lock me out at any moment ?

  19. CrackedNoggin Bronze badge

    I was using "google auth (with the time based numbers)" on my main cell phone as 2FA to log in to Google on my desktop. But I didn't feel safe with that because I mount my phone on my bicycle and use is as sports GPS/ANT+ recorder without screen lock. So I moved "google auth" to another obsolete phone without a SIM card and on which I leave Wifi switched off always - it became a dedicate stay-at-home un-connect auth device.

    Google response to that was to force me to use my main phone as an per-login-optional 2FA device. When I try to log in online, there is always an option to use my phone as a 2FA device, and that option is the default. I can select each time to use my offline "auth" phone, but if my phone ever got into the wrong hands the bad guy could use the phone as 2FA.

    I use complex passwords, so it's not the end of the world, but it is a pretty stupid way to hobble their own 2FA.

  20. Anonymous Coward
    Anonymous Coward

    If you lose your phone, for whatever reason

    Accessing your accounts on a new device isn't trivial.

    1. Anonymous Coward
      Anonymous Coward

      Re: If you lose your phone, for whatever reason

      If 2FA was enabled on the lost device.

      I meant to add.

  21. Charlie Clark Silver badge

    I hope not

    Account databases do get compromised, and any username and password so exposed can be easily fed to a bot that will try the combination out at popular websites, a technique known as credential stuffing.

    I hope that passwords are no longer being stored unencrypted as that should now count as negligence: hashing with a salt makes reverse engineering much, much harder.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like