[HN Gopher] Google is going to turn on 2FA by default
___________________________________________________________________
Google is going to turn on 2FA by default
Author : Tomte
Score : 38 points
Date : 2021-05-08 15:57 UTC (7 hours ago)
(HTM) web link (arstechnica.com)
(TXT) w3m dump (arstechnica.com)
| zbrozek wrote:
| This kind of behavior is a good reminder of how little agency you
| have over accounts in your name. I turned off 2FA on my Google
| account (these days used only for Hangouts) because that account
| has little value, and the flurry of notifications that it
| produced was not worth the protection. I'm glad to be mostly de-
| Googled.
| butz wrote:
| My parents are using GMail and I have no idea how to explain and
| set up 2FA for them. Google probably won't do a good explanation
| either. And 2FA probably won't work on their landline
| telephone...
| skybrian wrote:
| You probably need to do it for them. Seriously.
|
| I bought my mother a Yubikey a while ago and walked her through
| printing out backup codes (stored in a location I will remember
| even if she doesn't) and registering it with her Chromebook.
| It's on her keychain, but she won't need to use it until she
| gets a new computer when the Chromebook dies.
|
| The advantage of this is that her account can't be broken into
| remotely, which would be catastrophic.
|
| (Contrast with another relative that I think is on her third
| Google account.)
| CarelessExpert wrote:
| The blog post is vague, stating that only accounts that are
| "appropriately configured" will be automatically enrolled.
|
| This article speculates a bit that:
|
| > On Android, Google Prompt is a full-screen pop-up built into
| every device as part of Google Play Services, so that's easy.
| On iOS, Google Prompt requests for your account can be received
| by the Google Search app, the Gmail app, or the dedicated
| Google Smart Lock app. It sounds like everyone meeting these
| requirements will soon be enrolled in 2FA.
|
| So assuming this is correct, if your parents don't have an
| Android phone attached to the account, and don't have an iPhone
| with those apps installed, then this won't affect them.
|
| Of course, it'd be nice if Google was a little more clear on
| what they're doing, here...
| Hnrobert42 wrote:
| I don't know if it is required. I think it is just going from
| opt in to opt out.
| ______- wrote:
| This is dangerous. I specifically don't want 2FA on one of my
| Google accounts because I only have one phone number tied to one
| device, and this decision by Google to enforce 2FA is going to
| lock out millions of accounts since some people like to have two
| Google accounts for compartmentalization reasons (one account for
| work and another one for play is a common thing to see). So now I
| need a second phone to get 2FA prompts on the account where I
| _don't_ want 2FA turned on.
| JimDabell wrote:
| SMS is not the only - or preferred - 2FA mechanism for Google
| accounts. You can use any TOTP authenticator application,
| Google mobile applications like Gmail, physical security keys,
| or backup codes. Having a single phone number is not a problem
| for dealing with multiple 2FA-enabled Google accounts.
| csdreamer7 wrote:
| Google makes using a different TOTP authenticator very
| difficult.
|
| First, I need to register a phone number as 2FA. Only then
| can I choose an alternate method, get codes, and have to
| select Google Authenticator to use my Open Source
| authenticator, Aegis.
|
| Does not say Google Auth or any TOTP; specifically only says
| Google Auth. I was worried Aegis would not work until I tried
| it.
|
| Why not show choices on the sign up screen? Why do I need to
| register a phone number first? It is very insecure in the
| USA. Data collection? Hold out from when a phone number was
| the only real 2FA and a TOTP was under additional options? If
| the latter, that needs to change if 2FA is going to be
| mandatory.
| simion314 wrote:
| >a single phone number is not a problem for dealing with
| multiple 2FA-enabled Google accounts.
|
| It increases the risk that a ban on an account will bring all
| of them down, since you link them with the same phone number
| identity.
| hansvm wrote:
| > or preferred
|
| I just made a new Google account a couple hours ago, and it
| definitely looks like the preferred mechanism.
|
| - There's one stage in the signup flow you can't bypass
| without SMS (granted, it doesn't automatically save that
| number to the account if you opt out, so that's nice).
|
| - When setting up 2FA you're given giant messaging
| encouraging you to use a phone number. There's tiny text for
| other 2FA options.
|
| - Those other 2FA options don't actually include TOTP. To
| enable TOTP you have to enable a "primary" 2FA solution (SMS,
| hardware key, or push notification), then enable a
| "secondary" 2FA solution (which can include TOTP), and if
| you're concerned about the shitty security SMS provides you
| then need to remove that as a 2FA option.
|
| Edit: Mind you, it's probably reasonable given the state of
| the rest of their ecosystem to not have TOTP as the 2FA for
| your Google account (like if you have a chicken and egg
| problem trying to get into an android device with a TOTP
| app), but TOTP doesn't seem to be anywhere near as preferred
| as SMS.
|
| That, and they do support hardware tokens out of the box
| (even if the UI doesn't make that super clear), so that's a
| step in the right direction.
| skynet-9000 wrote:
| Even though TOTP is provably safer than SMS, it looks like
| the reason why they want SMS/push as a "primary" is so that
| they can suck in more phone numbers, since hardware keys
| have an additional cost that most people won't have. Phone
| numbers will let them do better ad targeting.
| amk10 wrote:
| That is Silicon Valley's reason for 2FA in a nutshell.
| Phone numbers can only be obtained with identification in
| many countries. It is a privacy nightmare.
| weird-eye-issue wrote:
| It's because people lose access to their phone number
| rarely. It would be pretty much expected for somebody to
| not realize their Google Authenticator codes aren't backed
| up before losing/selling their phone or losing their
| Yubikey before backing up the private key off it. As
| somebody who doesn't use SMS 2FA, I still think it's a
| great middle ground for the average user.
| [deleted]
| dathinab wrote:
| Except that you might need to first setup phone/sms 2FA to
| then be able to setup any other 2FA auth, without being able
| to fully disable phone/sms based 2FA auth.
|
| I'm not sure if it's still that way, but when I setup 2FA I
| could not directly setup non phone/sms 2FA (e.g. Yubikey, non
| google authenticator apps).
|
| Worse, even though I then explicitly disabled phone/sms based
| 2FA, google at some point just switched it back on.
|
| Worse there had been multiple times where having the 2nd
| factor but not the first (password) was enough to combine it
| with social engineering to completely take over an account.
| Some security researcher got hacked by this. Again I'm not
| sure it's still that way, but I don't trust Google anymore to
| not accidentally put a 2FA related vulnerability which makes
| the account less secure into their authentication flow. They
| either don't care (likely) or don't have the competency to
| handle this (unlikely). Well it's one of the reasons I'm
| slowly moving away from Google.
| [deleted]
| CarelessExpert wrote:
| Then use a TOTP authenticator, which isn't tied to a phone
| number.
|
| As an aside, this is the second comment, now, that is confusing
| general 2FA with SMS-based 2FA specifically. Given the audience
| of HN this is honestly surprising to me and makes me wonder how
| common this confusion is.
|
| That alone makes me glad Google is doing this as maybe it'll
| drive more folks to be educated about 2FA.
| minipoulion wrote:
| Last time I checked and tried to have good 2fa on a Google
| account with only that,
|
| TOTP is only allowed as an "additional" means of 2fa and to
| enable it you already need to have the Google Android prompt
| authentication/phone? 2fa configured (Maybe not exactly like
| that, but basically you can't just add TOTP without having
| something worse already added).
| [deleted]
| [deleted]
| dmoy wrote:
| I do not have SMS 2fa on my google account, but I do have
| TOTP and now U2F. At one point I definitely had only TOTP.
| At one point, I also had only U2F.
|
| What I don't remember is whether or not I had SMS 2fa
| before and removed it, or never had it at all.
| CarelessExpert wrote:
| This is not accurate.
|
| I just checked because I thought I was crazy: my account
| has SMS-based 2FA specifically disabled. The only enabled
| options are the Android prompt, Google Authenticator, and a
| set of backup codes.
| skybrian wrote:
| I think you're jumping to conclusions. It's unclear what
| "provided their accounts are appropriately configured" means,
| but a Google account that's not associated with any phone
| number or device probably isn't "appropriately configured" and
| I would guess that nothing will change.
|
| But the original blog post was so opaque that I completely
| misunderstood what they were going to do until pointed out in
| this article. It's bizarre how badly written some Google blog
| posts are these days.
| [deleted]
| weird-eye-issue wrote:
| Why would you need a second phone? This is one of the more
| ridiculous things I've read on HN.
| Normal_gaussian wrote:
| It is very common to arrange your life so that you are able
| to 'hand in' all work devices and walk away. It's a separation
| of work and home life that is very healthy, and a reasonable
| self-protective measure.
| jacquesm wrote:
| Such assumptions are the root of all evil.
| weird-eye-issue wrote:
| Just install Authy on your computer with a master password
| for the personal account. No second phone needed. Or
| install Authy on your phone, but I can't tell if you are
| saying you only have a work phone and no personal phone? Or
| is it vice versa? I'm having trouble picturing your setup
|
| Edit: If you already have two phones due to your work life
| separation, then 2FA isn't really causing you to get a
| second phone is it?
| qwerty10001 wrote:
| You are replacing one privacy nightmare with another:
|
| https://www.twilio.com/legal/privacy/authy
|
| The only privacy friendly method is _no 2FA_, just long
| secure passwords. Which is why 2FA is pushed so hard ...
| CarelessExpert wrote:
| > The only privacy friendly method is no 2FA, just long
| secure passwords. Which is why 2FA is pushed so hard ...
|
| This is absolutely ridiculous and so clearly false I
| can't help but wonder if it's intentional misinformation.
|
| There are numerous open source TOTP authenticators for
| both the desktop and mobile that require absolutely no
| data to be stored in the cloud or shared with third
| parties.
|
| I myself use KeepassXC and Keepass2Android.
| joshuamorton wrote:
| Not to mention, like, fido/u2f based systems which don't
| have any privacy concerns I can think of, even
| theoretically.
| weird-eye-issue wrote:
| I use Authy specifically because of their backup options.
| That obviously requires collecting my phone number and
| email address. I have no problem with that because if I'm
| traveling and somebody steals my laptop, phone, and
| backup Yubikey I won't be completely shit out of luck.
|
| If you don't want to use Authy then use something else
| that doesn't backup the 2FA codes for you. But don't say
| 2FA is inherently a privacy concern. It isn't.
| CarelessExpert wrote:
| This doesn't explain the comment.
|
| If you have a Google account for work you also have a work
| issued computer at minimum, so install a TOTP authenticator
| there.
|
| If you also have a work issued phone it's a total non-issue
| as you can use that for 2FA.
|
| If you access your work Google account from a personal
| device in circumstances where you don't have access to work
| equipment, then install an authenticator there.
| vidarh wrote:
| > If you have a Google account for work you also have a
| work issued computer at minimum
|
| I have a Google account for work. I don't have a work
| issued computer.
|
| I think you're assuming too much about how other people
| might work.
|
| I agree there are enough options that it shouldn't
| _really_ be a big problem, but it's not surprising that
| not everyone is aware of the options.
| weird-eye-issue wrote:
| Here is a possible suggestion, let me know if there are
| problems with it. Install Authy on your phone and backup
| the 2FA secret key in the same password manager that you
| have the work password stored. That will allow you to
| effectively share the account (2FA included) and fully
| relinquish control if you leave. Would that work?
| vidarh wrote:
| I'm not the person who said they had a problem with it.
| CarelessExpert wrote:
| > I have a Google account for work. I don't have a work
| issued computer.
|
| Which must mean you're using personal equipment and
| you're not doing what the previous person was talking
| about, which was:
|
| > It is very common to arrange your life so that you are
| able to 'hand in' all work devices and walk away.
|
| Context matters. I was arguing a specific point based on
| a scenario the previous individual was posing. That
| scenario apparently doesn't apply to you, in which case,
| go argue with that person, because it wasn't my claim.
|
| Now, if we want to talk about _your_ specific
| circumstance, if you're using personal equipment to
| access a work account, stick a TOTP authenticator on your
| personal device.
|
| I honestly don't understand what's confusing about this.
| Normal_gaussian wrote:
| At a previous position I regularly used a variety of
| company issued hardware (alongside my standard
| workstation). The only company device I had consistently
| was the phone.
|
| In my current position I can be called up for an
| emergency at any time. I'm not going to cart my desktop
| or laptop around on my day off, but carrying a phone for
| use with any reasonably secure machine I can find is a
| good solution.
|
| People with responsibility for operations systems will
| find themselves in this kind of situation somewhat
| regularly. These are also the people most likely to
| separate work and personal devices due to usage policies
| or risk profiles.
| vidarh wrote:
| Doing work on my personal laptop does not mean I can't
| just hand in the work devices and walk away. My
| credentials would be disabled. The work _data_ remains on
| work machines.
|
| > I honestly don't understand what's confusing about
| this.
|
| I didn't argue it was confusing. I argued against your
| assumption. And there's no need to use that tone - it
| comes across as aggressive and condescending. EDIT: I
| note this is not your only comment in this thread that
| comes across this way. Looking at your comment history
| suggests you're just direct, so I'll assume you don't
| mean anything by it, but it rarely goes over well here.
| danuker wrote:
| Dangerous? For the users maybe. What are they going to do?
|
| For Google? They get to clean up (only keep "real" users) and
| reduce datacenter costs.
| slac wrote:
| And maybe slow down account creation used for online
| harassment?
| weird-eye-issue wrote:
| A phone number is already needed to create a Google
| account, completely independently of 2FA and a backup phone
| number
| Hnrobert42 wrote:
| Last week I created a gmail account. No phone number was
| required. I fully expected it to require one, but it
| didn't.
| weird-eye-issue wrote:
| It looks like if you create it through the Gmail app, that
| is a workaround to not needing a phone number.
| karmicthreat wrote:
| I really like how the TOTP Yubi Authenticator app works. Just
| saves my secret to the Yubikey and I can save that secret to
| multiple keys. Then put a printed copy of the QR-Code in the
| vault in case I get hit by a bus.
|
| This covers destruction of phone, destruction of office,
| destruction of Yubikey, destruction of me.
|
| I would like to use U2F, but some companies (looking at you AWS
| team) only allow 1 MFA method period. And that just doesn't work.
| g42gregory wrote:
| I am assuming that this is because they urgently need to collect
| your cell phone number to make more money from ads?
| hrktb wrote:
| A lot of people commenting on using 2FA options other than SMS,
| but to the best of my knowledge it will only work after you've
| already associated a phone number to the account.
|
| Wanted to check if I'm just dumb, and all recent answer point to
| the same issue: https://www.quora.com/Is-it-possible-to-use-
| Google-2-step-ve...
| CarelessExpert wrote:
| My Google account is configured right now to only support the
| Android prompt, TOTP, and Backup Codes. SMS is specifically not
| enabled, both for 2FA and account recovery.
|
| Either that answer is out of date or it's lacking nuance. I
| haven't done it in a while, but it may be that you need SMS 2FA
| initially, and then once you've added TOTP you can then remove
| SMS.
|
| But SMS is absolutely _not_ required and anyone who thinks it
| is and is avoiding 2FA for that reason needs to go take a
| second look at their security settings.
| hrktb wrote:
| I can also remove SMS as 2FA on my account, but I've had to
| give a phone number on all my accounts at different points in
| time, and they got confirmed by SMS.
|
| What I was pointing at is not that SMS is the only option but
| that the phone number + confirmation seems mandatory at least
| once.
| prirun wrote:
| IMO, the bottom line is that Google wants your phone
| number, I'm guessing so they can somehow further target
| ads. They bugged the hell out of me a while back trying to
| get a phone number, even though I had a backup email
| address configured. They haven't bugged me for a while now,
| but that's likely because now they're going to try to force
| me to give them a phone number.
| [deleted]
| riffic wrote:
| out in the real world, there are _a lot_ of people out there who
| hate 2FA. I have it on almost everything. You can't please
| everybody.
| Proven wrote:
| That's fine, I'll disable it.
|
| If they won't let me, then I'll stop using Google services which
| require me to auth.
|
| That's how it works.
| javierbyte wrote:
| I lost one of my accounts last month to something similar to
| this. I used to have a secondary email as 2FA and then it got
| changed to "use one of my active devices", honestly I don't
| remember if there was some popup asking me to confirm the change,
| but one day I changed my iOS devices and the account was lost for
| good as I could not "tap confirm".
|
| I tried to contact them from the email that used to be the 2FA,
| but no one could help me. It was a sad and eye-opening experience
| as I could have lost google domains and more.
| BuckRogers wrote:
| I use Microsoft Authenticator because it backs up my 2FA accounts
| to my iCloud and I believe to Microsoft's servers on Android. If
| you lose those you're in trouble. I'm sure there are other
| options that support that now. When I moved everything that I
| could over, the open source options didn't support this. If I
| wasn't happy with the best open source solution, I wanted to use
| something from a large vendor that would be well supported. Any
| vendor not named Google at least, I have the least amount of
| trust in them among the 500 pound gorillas.
|
| If you want to get ahead of this and save your accounts I've been
| using MS Authenticator for years now and am very happy with it.
| tristan957 wrote:
| Similarly I've been using Authy. I've started a Bitwarden
| account to store my passwords and I'm wondering if I should
| just move my 2FA codes to Bitwarden which partially defeats the
| purpose but convenience is always great.
| bagels wrote:
| I don't enable it because of the social engineering attacks
| against mobile carriers, tricking them to hand out SIM cards to
| crooks.
| danuker wrote:
| I recommend andOTP downloaded from F-Droid:
| https://f-droid.org/en/packages/org.shadowice.flocke.andotp/
| CarelessExpert wrote:
| Also for the desktop I just use KeepassXC with my TOTP creds
| in their own database.
| boromisp wrote:
| An other option: Aegis Authenticator
| https://f-droid.org/packages/com.beemdevelopment.aegis
| CarelessExpert wrote:
| Which is irrelevant given Google uses a combination of TOTP,
| and for connected Android phones or iOS devices running certain
| Google apps, a confirmation prompt on the phone.
| JimDabell wrote:
| Enabling SMS 2FA doesn't make your account less secure. At
| worst, if somebody targets you with SIMjacking, it simply
| doesn't make you more secure.
|
| If you don't have 2FA enabled for your account, you are in the
| least secure position compared with enabling any 2FA method.
|
| Either way, there's no need to use SMS for 2FA with Google,
| they support many other forms of 2FA.
| GhostVII wrote:
| I think Google actually allowed you to just use your phone
| number to recover your account, so it was effectively 1FA. In
| that case it would be less secure. They might have changed it
| now though.
| PeterisP wrote:
| Often enabling SMS 2FA also enables SMS as a password reset
| option, which does make you less secure, since SIMjacking is
| easier than guessing a reasonable not-reused password.
| CarelessExpert wrote:
| With Google you can disable SMS-based account recovery
| independent of your 2FA options.
| fr2null wrote:
| If that is the case though, you are not really enabling SMS
| 2FA. It is just SMS (1F) authentication.
|
| Real 2FA would (theoretically) never make your account less
| secure than 1FA, because even if the second factor has 0
| security, it shouldn't decrease the security of the first
| factor.
|
| However, it is true that this may not always be the case
| for imperfect implementations, like your example. I can
| also imagine that social engineering might have a higher
| success ratio if the intruder can say "it really is me! I
| have the correct second factor, I just lost my first
| factor...".
| remus wrote:
| SMS based 2SV is just one option, there are many better methods
| you can enable for a google account.
| jacquesm wrote:
| That's all fine and good but reliability of delivery of 2FA data
| is not exactly fantastic (especially SMS, which lots of people
| use for 2FA), besides that it gives google your phone number,
| which not everybody may want to do.
| CarelessExpert wrote:
| > That's all fine and good but reliability of delivery of 2FA
| data is not exactly fantastic
|
| So don't use SMS.
|
| TOTP authenticators don't require any data to be transmitted at
| the time of authentication. They're set up with an initial
| shared secret (typically transmitted via QR code) at which
| point the codes are generated independently on the two devices.
|
| This means the TOTP device doesn't even need to be connected to
| the internet. As long as you can get the TOTP seed onto the
| device (worst case: type it in), you can use that device for
| 2FA.
___________________________________________________________________
(page generated 2021-05-08 23:01 UTC)