[HN Gopher] Google's most ridiculous trick to force users into a...
___________________________________________________________________
Google's most ridiculous trick to force users into adding phone
number
"To help keep your account secure, starting May 30, 2022, Google
will no longer support the use of third-party apps or devices which
ask you to sign in to your Google Account using only your username
and password." What does it have to do with phone numbers, you
might think? Well, it's not that obvious. I have beed using
FairEmail app to read emails on my phone for many years. Recently,
Google made this change, so I thought I need to take some actions
to make sure I can continue using my favourite email app. After
reading a bit, everything looked pretty simple: - I could add my
email account to my phone and login using google's native
authentication methods, or - <<you can use an app password, please
see below.>> Sure I don't want to add google's account to my phone
just to be able to receive emails via IMAP, so I'll just generate
separate app password for my email app, right? Well, for some
reason it's not possible to generate app passwords unless you have
2FA enabled. The option is just not there. What can be simpler
than adding 2FA to my account? I use password managers and my
passwords are super strong, but I have no other choice, I'll have
to use an authenticator app to continue reading emails on my phone,
doesn't make much sense but anyway... You can't just scan a QR
with TOTP secret and enable 2FA for your account. Well, you can,
after you enable 2FA by SMS using your phone number, or 2FA by
notification on the phone, after you add google account to your
phone. But using an authenticator is an <<additional method>> which
is not available until <<primary>> 2FA method (SMS / phone number)
is added. Oh, you can give away your phone number first, enable
2FA, after 2FA is already enabled you can remove 2FA by SMS and
keep using authenticator app as your 2FA method, it's simple. I
guess I'll just have to stop using google. Thanks for making my
life more difficult and caring about my security, Google. TL:DR;
You can't use <<less secure>> apps (apps other than official gmail
app) to sync emails if you don't want to link your account to your
phone number or add google account to your phone.
Author : vort3
Score : 279 points
Date : 2022-05-03 18:54 UTC (4 hours ago)
| nottorp wrote:
| I've given Google my phone number ages ago and I still can't use
| their smtp to send email from apple's mail.app...
| dudus wrote:
| I think the fact you can't generate an app password without a 2FA
| is because it never made sense. You would be better off just
| logging into your account directly. Now that you can't do that it
| makes sense. I'd file that as a FR.
|
| One point is that app passwords can be a security issue in
| itself. If you have one the security page on Google alerts you
| with a big flashy yellow exclamation point and recommend you you
| to remove it. I did it, broke my email and took a few days to
| connect the dots, recreate a new app password and setup email
| again.
|
| I think the problem they have is that mail clients don't do
| oAuth. So you always have that security weak link if you need
| IMAP/pop access.
| bsamuels wrote:
| Every tech company is losing the war against credential stuffing.
| I have a friend working at a series B startup with <10k MAU, you
| wanna know how many login attempts there are each month? 25,000
| login attempts. Per user. That's 250m login attempts each month
| using stolen credentials.
|
| None of the service providers who claim to fix the issue are
| worth their weight in salt. Shape, Akamai, none of them have a
| grip on the problem because the attackers are constantly
| evolving. As you can see, even Google is capitulating despite all
| the fud that people on HN spread about the company being
| omniscient.
|
| Anyone who thinks this is about advertising/collecting personal
| data is out of their minds.
|
| The worst part is nobody can talk about it because anything you
| reveal about your problems can give the attackers a massive edge.
| walrus01 wrote:
| at 25,000 login attempts per user if you're not doing common
| sense rate-limiting of attempts per username, and rate limiting
| per IP space origin (either discrete ipv4 /32 or attempts from
| within a whole ASN), you've got other problems.
|
| the rate-limit and blockage time for attempts should increase
| ban time/lockout-timer on an exponential time scale the more
| that a single browser/useragent/browser fingerprint/IP makes
| incorrect attempts.
|
| yes obviously there are people out there with fully automated
| systems who will try massive lists of commonly used plaintext
| passwords for authentication if you don't throttle/rate-limit
| it.
| FrenchDevRemote wrote:
| >yes obviously there are people out there with fully
| automated systems who will try massive lists of commonly used
| plaintext passwords for authentication if you don't
| throttle/rate-limit it.
|
| and those people use single browser/single useragent/single
| browser fingerprint/single IP
|
| the people competent enough to send millions of requests are
| usually also competent to send hard to detect requests
|
| there are dozens of (free)tools/services offering those
| capabilities for LEGITIMATE purposes(like scraping)
|
| there is an even bigger underworld market for paid tools for
| illegitimate purposes
| walrus01 wrote:
| if you're sending millions of requests you still have a
| finite number of proxies to use, it would be thousands to
| tens of thousands of requests per discrete /32 ipv4 proxy
| address, and not hard to detect as an abnormal volume of
| attempts per IP.
|
| even if you see something like a single /32 address that is
| probably the public facing endpoint of a mobile phone
| carrier's cgnat and has MANY users behind it, trying
| different password attempts, you can still rate limit the
| number of attempts per unique username.
|
| the actual amount of legit requests that a human who has
| forgot their password makes is 99.9% of the time under ten
| requests per account before they give up.
| jjav wrote:
| > Anyone who thinks this is about advertising/collecting
| personal data is out of their minds.
|
| Google is a public company, just look at their annual reports.
| Where do they make most revenue? Advertising.
|
| Thus, everything they do is about promoting advertising. It
| would be naive to think otherwise.
| nprateem wrote:
| And how do they avoid wasting money and therefore increase
| their profits? By putting in automated systems, that in this
| case are good enough for the majority of non tech savvy, non
| paranoid users.
| throw10920 wrote:
| There are _far_ better ways to stop credential stuffing than
| requiring a phone number that would be _immediately_ obvious to
| the people at Google - Hashcash, for instance[1].
|
| 250M login attempts times a few seconds of CPU time is a _lot_
| of compute cost to inflict on an attacker who is carrying out
| the same attack against a bunch of other services at once, and
| virtually nothing to the few thousands of active users who
| should only be logging in once every few months each.
|
| And yes, a few extra seconds of logon time is viable, because
| people are _used_ to the login process taking a few seconds and
| they don 't do it very frequently.
|
| "Credential stuffing" is straight-up an _invalid_ excuse for
| asking for someone 's phone number.
|
| [1] https://en.wikipedia.org/wiki/Hashcash
| [deleted]
| supertrope wrote:
| Proof of work rewards those who own fast CPUs (or are using
| stolen CPU time). Those who are using an non-high end Android
| phone, a battery powered laptop, or an older PC are punished
| with a long loading times. Part of why Gmail takes so long to
| load is the anti-bot scripts.
|
| Use rate limiting instead.
| throw10920 wrote:
| > Proof of work rewards those who own fast CPUs (or are
| using stolen CPU time).
|
| _Most_ technology rewards people who own fast CPUs or are
| using stolen CPU time, so this statement doesn 't mean
| much.
|
| What actually matters is "does this significantly
| negatively impact those with slower processors" (no) and
| "is it still effective at punishing attackers" (yes).
|
| Impact: I'll set my Hashcash challenge so that it takes
| about 8 seconds on a 10-year-old middle-of-the-line Intel
| processor. There, login time is about doubled for people
| running that extremely old hardware, and that's the worst
| case - and this is entirely acceptable given that _most
| people do not log in to their accounts very often_ - they
| do so _once_ and then stay logged in for weeks or months.
|
| Effectiveness: Even for attackers using stolen CPU time -
| _Hashcash is still effective_. If you have malware on a
| low-power device, that device is going to be _far_ slower
| at login attempts. If you have a user-facing device, they
| 're much more likely to notice their computer being slow,
| and do something that might lead to discovery. If you've
| stolen compute on some cloud, then the IT folks are more
| likely to notice, and so on.
|
| Rate limiting is good, but is _complementary_ to proof-of-
| work - if you have a large pool of IPs /devices to log in
| from, for instance, rate limiting isn't very effective.
| michaelt wrote:
| The problem with proof-of-work-for-login is:
|
| Some of your attackers are going to run your proof-of-work
| algorithm on a 3090 Ti GPU and put loads of work into
| optimising their setup.
|
| Some of your legitimate users are going to run it on a
| Raspberry Pi 1 with an ancient browser that only runs wasm
| through a javascript polyfill.
|
| Tough to make up for a 1000x performance difference.
| [deleted]
| bsamuels wrote:
| Attackers are using hacked IoT devices to do these attacks.
| These devices have roughly the same computing power as a mid
| level smartphone. Attackers do not use their own hardware,
| and don't care about how much energy is used by their bot
| devices.
|
| In a normal attack, there are maybe 2-3 requests per hour
| that come from each hacker-owned device. The only thing that
| hashcat would do is drastically increase power consumption at
| no cost to the attacker, and turn the application into a
| battery drainer on mobile devices.
|
| So no, Hashcat is not an adequate solution.
| throw10920 wrote:
| > Attackers are using hacked IoT devices to do these
| attacks. These devices have roughly the same computing
| power as a mid level smartphone.
|
| False for a _very large_ variety of low-power IoT devices
| using chips like the ESP32, which are multiple decimal
| orders of magnitude slower than a modern computer (or high-
| end smartphone) and will absolutely take _far_ longer to
| compute a Hash _cash_ challenge than one of those devices.
| Your smart light bulb is absolutely _not_ hosting a
| Qualcomm Snapdragon 450 to change its colors.
|
| Additionally, adding this compute+power load causes the
| presence of malware to become far more visible on these
| devices, which increases risk of discovery, which is a
| _significant_ upside.
|
| Finally, because there's now a significant computational
| cost to performing a login attempt, the value of individual
| devices are further decreased to the attacker, which
| reduces their likelihood of compromising these devices, and
| for using them for these kinds of attacks against services
| that use this measure.
|
| So, yes, Hashcash is _absolutely_ an adequate solution, and
| yes, there is _absolutely_ a cost to the attacker.
| bsamuels wrote:
| You have no idea what you're talking about. Botnets are
| almost entirely ISP router/modem combo devices.
|
| Hashcat was proposed over 20 years ago. You really think
| out of all the tens of thousands of security engineers
| working on this problem, nobody has ever considered it?
| Get a grip.
|
| I hate how this website incentivizes people to try to
| make posts that sound smart instead of posting stuff
| they're actually knowledgeable about.
| wolverine876 wrote:
| > Botnets are almost entirely ISP router/modem combo
| devices.
|
| Above you say they are IoT devices. I don't mean
| 'gotcha', but to learn: What does the population of
| botnet devices consist of?
| cm2187 wrote:
| Mostly, there are so many IPs those attackers can use. When I
| look at the smtp/imap failed authentication attempt logs, the
| patterns are fairly obvious. Different IPs trying similar
| looking emails in a sequences. I think in most cases where
| banning the IP, even only for 24h, will do the trick (and /64
| block for v6).
|
| Also there is something to be said for generating the
| password yourself and sending it in clear to your users by
| email. The reality is that if the attacker has access to your
| client's emails, it's game over anyway because of password
| recovery. And this way you enforce that your clients will not
| reuse a password, and will have a strong non brute forceable
| password. And if you get hacked, at least you didn't leak
| that precious password your users reused everywhere else. The
| only issue I can think of is that's because smtp is the most
| neglected protocol of the internet, there is no way to ensure
| the email will be encrypted in transit.
| bsamuels wrote:
| Attacks coming from the same IP address are literally kids
| just running port scanners.
|
| Blocking individual IP addresses has never been a valid
| mitigation against professional attackers. Attackers will
| just pivot to renting a different botnet from different
| geographies/ip ranges.
|
| If your service has any level of scale, there can be double
| digit percentages of users who are sharing an IP address
| with a hacked device. Blocking attacker IP addresses will
| block users of your service.
| antisthenes wrote:
| > Anyone who thinks this is about advertising/collecting
| personal data is out of their minds.
|
| For the end user it is absolutely about collecting additional
| personal data. My concerns as a user are not the concerns of
| Alphabet, the company, period.
| the8472 wrote:
| > Anyone who thinks this is about advertising/collecting
| personal data is out of their minds.
|
| Sorry, but that trust has been burned and I don't see a path to
| recovery. Support hardware tokens or get off my lawn.
|
| https://www.eff.org/deeplinks/2019/10/twitter-uninentionally...
| https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...
| zerocrates wrote:
| Pretty sure they do support hardware tokens.
| flokie wrote:
| +1..get a yubikey or similar device, problem solved.
| Nextgrid wrote:
| Only _after_ you give them a phone number. In fact, they
| allow you to _remove_ the phone number afterwards, so
| clearly they 're happy with non-SMS 2FA being the only 2FA
| method on the account, as long as they first get the
| opportunity to stalk you beforehand.
| eps wrote:
| Do they accept burner phone #s?
| FrenchDevRemote wrote:
| the average person don't have any idea what's a hardware
| token. google is not catering to HN readers, they're catering
| to your grandma, your parents, your little brother/sister,
| your tech illiterate neighbor.
|
| They couldn't care less about the habits of a nerd on
| archlinux with ublock, noscript, firefork a vpn, hardware
| tokens and 2FA everywhere with recovery code split in 7
| different location.
| throw10920 wrote:
| This is a straw-man. The problem is not that Google is
| designing their services to cater to the average tech-
| illiterate user, it's that they're _preventing_ the tech-
| literate users from opting out of phone recovery and /or
| using something more sane, like what's been listed above.
|
| That's clearly malice. Like, there's _no_ good reason that
| Google would _require_ you to hand over a phone number.
| xur17 wrote:
| > Every tech company is losing the war against credential
| stuffing. I have a friend working at a series B startup with
| <10k MAU, you wanna know how many login attempts there are each
| month? 25,000 login attempts. Per user. That's 250m login
| attempts each month using stolen credentials.
|
| I ran into a similar situation (small, growing startup dealing
| with credential stuffing attacks). We have since implemented a
| few different solutions, but one of the most successful was
| rejecting reused passwords at signup using this service [0].
|
| Some other effective solutions include captchas, emailing a
| verification code, etc. Aggressive rate limiting was not at all
| successful, as the botnets seem to have endless piles of
| residential ip addresses to send requests from.
|
| [0] https://haveibeenpwned.com/Passwords
| _jal wrote:
| Google can have my phone number when they give me Sundar's.
| sir wrote:
| If all you need is IMAP/SMTP you can use this local proxy to
| continue using the "less secure" app without needing app
| passwords: https://github.com/simonrob/email-oauth2-proxy
| 0daystock wrote:
| Google is no saint, but there's absolutely no reason to ascribe
| ill intent to collecting phone numbers of 2FA setup. The reason
| is simple: Google has billions of users, and at any given time, a
| lot of them break their devices and lose access to 2FA
| credentials. Phone numbers, despite all their flaws, are still
| the most reliable long-term and mostly-immutable attributes which
| can service as a proxy for identity which can and does aid
| account recovery at scale. If you crack your phone screen, you
| can walk to a brick and mortar cell shop, present your ID and get
| a new phone that receives security codes without a second
| thought. If you're using Aegis and storing MFA seeds locally,
| you're on the hook for backups and no one wants that
| responsibility.
|
| Think of it like using social security numbers to authenticate
| yourself to the bank. Yes, it's terrible, but it's kind of the
| only thing that works when done on a massive scale. Yes, you can
| do better at managing your 2FA credentials, but most users cannot
| - they struggle even having strong passwords. Phone numbers
| bridge that security-usability gap. To be clear, this isn't an
| endorsement of the system (I think the user should be allowed to
| choose), but rather trying to make sense from an engineering
| perspective.
| throw10920 wrote:
| This is an explanation for why Google might _ask_ for phone
| numbers. This is _not_ an explanation for why Google might
| _require_ phone numbers.
|
| The only valid reasons for the latter are (1) to collect your
| PII and/or (2) because they think that they know better than
| you and they're going to _force_ you to do a thing because they
| think it 's in your best interests - in other words, a tyrant
| ruling over a techno-feudalistic society.
|
| If Google was really concerned _only_ for the safety of their
| users, and not trying to obtain PII for their personal use,
| they would build an opt-out button, something that would allow
| users to print out a one-time-use password /encryption key, or
| register an alternate email address, in lieu of providing a
| phone number. They don't.
|
| Your explanation doesn't hold water.
| nomel wrote:
| Why might Google require it?
|
| It adds an external cost to creating an account. I imagine
| this is incredibly valuable in fighting spam across all of
| their services. No coincidence, the phone number requirement
| is the only reason I don't have several disposable twitter,
| Facebook, and Google accounts.
| cheriot wrote:
| > a tyrant ruling over a techno-feudalistic society
|
| It's an email app. There are many other options.
| throw10920 wrote:
| Google is, uh, not just email.
|
| https://about.google/products/
| cheriot wrote:
| The topic of the post was email. Even expanding to every
| other product, which ones are you forced to use? Just
| pick another one.
|
| Calling this feudalism is a bit much.
| nicce wrote:
| Email was just an example. Topic is about account.
| [deleted]
| jjav wrote:
| > Phone numbers, despite all their flaws, are still the most
| reliable long-term
|
| How so? The most realiable one is email, as it doesn't need to
| be tied to any third party so it can exist a lifetime.
|
| I've had the same email since the mid 90s. I've had probably a
| dozen or more phone numbers in that timeframe. A handful of
| which are still tied to various company accounts even though
| I've long since haven't had any acces to those phone numbers.
| kevin_thibedeau wrote:
| Then what happens when you change phone numbers and don't
| bother registering it with Google? There is a real risk of you
| becoming a non-person by linking things that shouldn't ever be
| linked.
| fweimer wrote:
| Google asks for a phone number in this context even for
| accounts which are integrated with an external identity
| provider and for which Google does not need to (or rather: must
| not) provide a recovery option. Furthermore, in most countries,
| phone numbers (especially mobile phone numbers, as suggested by
| Google) are very susceptible to targeted attacks, so I hope
| that Google does not use them as a recovery option even for
| non-corporate accounts.
|
| I think it's some sort of state machine glitch that this
| account feature only becomes available after adding a phone
| number. I couldn't come up with any other explanation. And I
| really hope that the static passwords stay indefinitely because
| the XOAUTH extension for IMAP is brittle, hostile to open-
| source software because of the API key requirement, and does
| not add security anyway. (I wouldn't mind manually rotating the
| passwords once per quarter, though.)
| TheDong wrote:
| From your perspective, you're looking at a change that impacted
| you.
|
| From google's perspective, they're looking at a change which
| reduces phishing and scams by some small percent, and impacts a
| minuscule fraction of their users.
|
| Abuse, scams, phishing, and forgotten passwords are all
| significant problems which phone numbers help with. I'd be
| willing to bet these changes end up having an on net positive
| impact for google's users.
|
| How many phishers do you think will be stopped by removing an
| insecure login flow? How many people do you think want to use
| insecure apps, but don't have a phone number and refuse to login
| to their google account on their phone?
| nicce wrote:
| Phone number is ultimate crossplatform and cross account
| identifier, only minority uses burner numbers for this. So I
| doubt that the phishing is the main driving motivation here,
| instead it is using phone numbers for easier tracking.
| Nextgrid wrote:
| Phone numbers are also the primary thing people keep in
| contact lists and are very reliable to infer social graphs by
| stealing people's contacts and connecting the dots server-
| side.
| xg15 wrote:
| > _How many phishers do you think will be stopped by removing
| an insecure login flow? How many people do you think want to
| use insecure apps, but don 't have a phone number and refuse to
| login to their google account on their phone?_
|
| I actually don't know. Do you have any numbers?
| pferde wrote:
| I too was hit by this a few months ago, after having to create a
| Google account for work, and worked around it by running an
| android emulator where I installed their authenticator app. This
| was enough to get past the stupid "you have to have a phone"
| requirement, and gave me access to the TOTP secret, which I then
| promptly added to my favourite open source 2FA utility.
|
| Screw you, Google, you're not getting my phone number.
| rsync wrote:
| Which android emulator do you use ?
| ghoward wrote:
| What's your favorite open source 2FA utility?
| browningstreet wrote:
| They call me about my car's extended warranty every day whether
| google has my number or not.
|
| I also get a call, every day, precisely at 9:04am, from random
| numbers matching the first 6 digits of my phone number.
|
| Protecting my phone number is a dead effort on my end.
| Nextgrid wrote:
| There's a difference between random spam and having a world-
| scale stalker knowing your number. The first doesn't have any
| other details on you, the latter already has plenty and wants
| the phone number to infer your social graph.
| accuratefud wrote:
| accuratefud wrote:
| groffee wrote:
| A lot of 2FA is security theater and doesn't provide any actual
| protection.
|
| If your phone gets taken by the police (or stolen), with an
| authenticator app or sms they can get into your account easily
| but you're locked out.
|
| A hardware key is the way to go but even then there's no
| guarantee the police wouldn't take that as well, and most people
| think having an app on their phone is enough.
|
| And 'email alerts' are even worse, if someone has taken your
| computer and has complete access to your accounts, an email
| saying "is this you?" is just gonna make them laugh.
| Nextgrid wrote:
| To be fair the threat model for most people isn't the police or
| any other physical attack - instead it's remote attacks such as
| phishing, malware, etc.
| ASalazarMX wrote:
| The Fair Email FAQ [1] states that it supports Google's OAuth, so
| why don't you authenticate with that?
|
| "OAuth for Gmail is supported via the quick setup wizard. The
| Android account manager will be used to fetch and refresh OAuth
| tokens for selected on-device accounts. OAuth for non on-device
| accounts is not supported because Google requires a yearly
| security audit ($15,000 to $75,000) for this. You can read more
| about this here [2]."
|
| 1. https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-
| co... 2.
| https://www.theregister.com/2019/02/11/google_gmail_develope...
|
| So it maybe works, or maybe not, because they're not paying
| Google for the security audit.
| butz wrote:
| Does using 2FA for GMail login actually add more security?
| Especially considered that to enable it, first you have to use
| dubiously secure SMS 2FA.
| 0daystock wrote:
| It's still an additional authentication factor, so in most
| circumstances, yes it would benefit security. However, you can
| (and should) use U2F for 2FA, which involves hardware making
| cryptographic assertions that cannot be phished or man-in-the-
| middle'd. It's possible to remove SMS as an option after
| turning this on in Google settings, but unfortunately not so
| with many other providers.
| vort3 wrote:
| It's not even about not willing to spend 1$ for a random phone
| number.
|
| Here's a list of things that are wrong with what Google does:
|
| - If you want to read your email, you have to use app specific
| password. I'm ok with that.
|
| - You can't generate app specific passwords if you don't have 2FA
| enabled. That's some artificial limitation made to force you into
| adding phone number to your account.
|
| - You can't use authenticator app to enable 2FA. I have no idea
| why SMS which is the least secure way to send information is a
| primary method and authenticator app which can be set up by
| scanning QR from the screen without sending any information at
| all is <<secondary>> and can only be used after you give your
| phone number.
|
| - You can use <<notification>> to confirm it's you, but you can
| only do that on the phone. I'm currently logged in in my browser,
| certainly I could confirm any login attempt from that same
| browser, wouldn't that be a second factor?
|
| - Nowhere in announcements or help pages or in the Google Account
| interface they tell you that you can't generate app passwords if
| you don't have 2FA. The button is just missing and you wouldn't
| even know it should be there unless you search on the internet.
|
| - Nowhere they tell you the only way to enable 2FA is to link
| your account to your phone number or to your android/iphone
| device, the options are just not there.
|
| All of this is just bizarre and ugly. I have no idea why other
| people are not complaining, probably most of them just accepted
| that and added phone numbers.
| glennpratt wrote:
| It does make sense from one perspective I've seen. Scammers are
| using 2FA to lock people out of their own accounts and demand a
| ransom for the tokens. Happened to a friend of mine a couple
| months ago.
| loosescrews wrote:
| > You can't use authenticator app to enable 2FA
|
| Are you sure about that? I don't think this is true. I
| definitely don't have a phone number linked to my Google
| Account and I have TOTP enabled as well. They even have the
| Advanced Protection mode which doesn't allow SMS or the
| authenticator app.
|
| Really though, you should do the last thing. Buy some security
| keys and enable Advanced Protection.
| Canada wrote:
| It is true, I have recently looked everywhere. You can't
| enable choose TOTP with only a desktop web browser.
|
| I'm really glad that I've never used a gmail address for
| email before, I'd hate to be stuck with using anything run by
| Google.
| bbbbbr wrote:
| This is correct. A phone number is NOT required to enable
| 2FA, at least in my experience within the last few months.
|
| I set up 2FA to use Yubikey hardware keys for a google
| account, and was then allowed to generated app passwords. No
| phone number has ever been attached to the account.
|
| I do agree that not allowing app-passwords to be generated
| without setting up 2FA is coercive and seems hard to justify,
| and it is plausible that it is being used to push people into
| attaching their phone numbers to their accounts. If I recall
| right, the current language for the setup process skews
| heavily toward phone numbers and does not do a good job of
| highlighting other (more privacy oriented) alternatives (as
| may be evidenced at least in the case of OP).
| pid-1 wrote:
| I've tried that a few days ago.
|
| You always need to add a phone as your first MFA method.
|
| A simple hack though:you can add other methods, then remove
| phone.
|
| Your account was likely created before phone MFA was
| mandatory (as the first method).
| prirun wrote:
| > A simple hack though:you can add other methods, then
| remove phone.
|
| Sure. That's like when I deleted my DigitalOcean account.
| They still send me notices about their service. Just
| because something is deleted for _you_ doesn 't mean it's
| deleted for _them_.
| accuratefud wrote:
| malux85 wrote:
| I've seen different authentication methods for different
| countries etc, for example there are some countries that if
| you put in your age as > 70 when signing up, the combination
| of being old and in a poorer country means google never asks
| you for a phone number, because it's likely you don't have a
| cellphone.
|
| So the rules can vary by region
| nagisa wrote:
| Google used to give more options before. Today if you want to
| set-up 2FA you must either give them a phone number or use a
| phone.
|
| Only then you can add other authentication methods (this a
| hardware key) and remove your phone as an option.
|
| Source: went through this nonsense a couple years ago and
| then again a couple months ago with a different account.
| tyrfing wrote:
| You can start with a hardware key:
| https://i.imgur.com/FIjNyIh.png
| accuratefud wrote:
| lnxg33k1 wrote:
| Yeah I am sure too, my last company used google apps and I
| didn't want to use my personal number for google, but they
| forced me to insert a number in order to use 2FA, so I had to
| ask for a work SIM just so that google would STFU, it was
| said to be a backup method for google authenticator, f*uck
| google
|
| Companies using google apps, keep in mind, you pay money for
| a service but if there's google involved, you're still a
| product, just avoid it
| kevin_thibedeau wrote:
| Microsoft plays the same games with their authenticator
| app.
| lnxg33k1 wrote:
| Let's avoid Microsoft too?
| im3w1l wrote:
| > That's some artificial limitation made to force you into
| adding phone number to your account.
|
| Agreed
|
| > You can't use authenticator app to enable 2FA. I have no idea
| why SMS which is the least secure way to send information is a
| primary method and authenticator app which can be set up by
| scanning QR from the screen without sending any information at
| all is <<secondary>> and can only be used after you give your
| phone number.
|
| The amount of people getting locked out of their account
| because they lost the phone with the auth app would be
| unacceptably large, is my guess. Like people lose their phones
| _all the time_. Simjackings are rare.
| Szpadel wrote:
| not only lost phone, but damaged phone is enough, as you can
| easily swap sim card but authenticator need to be set up
| again. BUT there are also one time recovery codes, they could
| add you option to use those to recover after clicking through
| few screens of warnings to make sure that you know what
| consequences does it have
| eternityforest wrote:
| That's one reason I definitely prefer SMS auth to any other
| method at the moment.
|
| What if your phone is damaged while traveling and you are
| away from where you stored your recovery keys?
| rtsil wrote:
| Whenever I add a new 2FA token, I always add it to my
| phone and a TOTP app (Authy) on my computers. Same thing
| for recovery keys.
| lxgr wrote:
| You can always bring a paper recovery code or FIDO
| authenticator (both of which are safe against SIM
| swapping attacks).
| FrenchDevRemote wrote:
| we've been told for decades to "not write passwords on
| postits" and we're really back to square one...
| lxgr wrote:
| It's not a password, it is a secondary, single-use
| recovery second factor.
|
| Carrying that around in a wallet doesn't make you any
| more vulnerable to physical attackers than carrying your
| Yubikey on a keyring, and it's much more secure against
| remote attacks than SMS-2FA (where you can fall victim to
| SIM swapping, number porting attacks etc).
| charcircuit wrote:
| ideally the paper would be in a safety deposit box / safe
| and not stuck to your monitor.
| FrenchDevRemote wrote:
| If it fits your need to have it a fixed location, then
| yes.
|
| But he talked about traveling.
|
| IDK about you but I don't travel with a safe in my
| backpack
| lxgr wrote:
| Just put it in your wallet and/or luggage. Without your
| account name and password, it's useless to any potential
| thief.
| eternityforest wrote:
| I never thought of the whole idea of wanting to hide my number
| from them, and I suspect most other users haven't either, but
| it does seem like an issue once you think about it.
|
| It might have something to do with not wanting to have tons of
| spam accounts out there? Do they have code to keep a closer eye
| on unverified accounts?
|
| Or preventing broken devices from locking people out, in a "We
| must protect users from themselves" kind of way?
|
| Google is a mass market company, _clearly_ not a privacy
| company, anyone who really wants to not be constantly tracked
| should probably stay away for many more reasons than this.
| jqpabc123 wrote:
| _I guess I 'll just have to stop using google._
|
| Welcome to the club. The fastest way to convince me *not* to use
| a product is to attach a "Google" label to it. Nothing Google has
| to offer justifies the drawbacks.
|
| NOTE: I do use an Android phone --- but only after it has been
| thoroughly de-Googled --- starting from a stripped down, bare
| metal device that won't even power up.
| sergiotapia wrote:
| I bought Pixel phones for my wife and I because the price and
| ease of use to save my kids pictures was absolutely worth it.
|
| I haven't found a service that functions as well as Google
| Photos. She takes pics and I take pics, and we have a shared
| account that backs it all up without any messing about. I have
| done precisely ZERO tech support for my wife since buying this
| service and phones and I will probably never leave.
| [deleted]
| abawany wrote:
| Mega.nz and OneDrive work well for me, albeit slightly less
| polished and (thankfully) a lot less opinionated than Google
| Photos.
| Graffur wrote:
| How do you see eachothers photos though?
| Ourgon wrote:
| If ever you get tired of Google - and for those who get tired
| of Apple or Amazon or whomever they have entrusted their
| digital photo archiving needs to...
|
| Any of the personal cloud things - Nexcloud, Owncloud,
| Seafile, Syncthing and others - can be used to sync files -
| and with that photos and videos - from mobile devices to some
| server somewhere. This can be the server-under-the-stairs,
| your NAS at home, a wall-wart with a Raspberry Pi and a drive
| taped together, a VPS or a commercial entity offering these
| as SaaS. You can keep using your phones with or without
| Google, that is up to you. If you run the stuff yourself
| you'll need to install and configure the parts which make it
| work, if you use a commercial instance you just have to
| install the relevant app and tell it to sync your data. You
| can do this in parallel to using Google Photos, just to make
| sure you have a backup in case Google wants just that one
| extra piece of personal data to allow you to access your
| photos which makes you give up on them. Just one more
| piece... and one more please...
| kybernetikos wrote:
| I have a system involving syncthing fork set up on my
| families phones and computers. I have to admit it was fiddly
| to set up but it has run very smoothly with no maintainence
| since then.
| HWR_14 wrote:
| Have you thought about an Apple iCloud family accounts?
| 29athrowaway wrote:
| Amazon Photos
| Graffur wrote:
| I would not trust Amazon with tech related stuff lol
| srcreigh wrote:
| My dad hates his pixel. His impressions are that they are
| taking away useful functionality and replacing it with Google
| assistant. He said he keeps trying to disable Google
| assistant but it turns on again the next morning.
|
| I myself tried to power off the device. Holding the lock
| button actually didn't show a power off menu, it opened
| Google assistant. As far as I can tell the only way to turn
| off the phone was to say "Turn off" to the assistant.
| markdown wrote:
| HN needs a bot that posts an inb4 comment every time there's a
| post about Google or a Google product.
|
| These predictable responses don't add any value whatsoever, and
| they're tiring to read.
| [deleted]
| worik wrote:
| Pot meet kettle....
| Dylan16807 wrote:
| Once you're in the pit of bad comments, you might as well
| _try_ to discourage the original problem.
| imchillyb wrote:
| The predictable responses, to the predictable responses add
| even less value than the original comment did.
|
| I wish HN would auto-remove these BS comments about BS
| comments. They're so tiring and boring...
| pessimizer wrote:
| You don't think your comment constantly gets posted as a
| reply?
| throw10920 wrote:
| Downvote and move on - adding a low-value comment of your own
| worsens the problem in some ways.
| QuikAccount wrote:
| > NOTE: I do use an Android phone --- but only after it has
| been thoroughly de-Googled --- starting from a stripped down,
| bare metal device that won't even power up.
|
| You're going to have to explain to me. Particularly the
| "starting from a stripped down, bare metal device that won't
| even power up. Because this sounds excessive and a bit over the
| top.
| jqpabc123 wrote:
| adb shell rm -rf
| ryantgtg wrote:
| Their device might have Google Smart Shellac on it, so this
| user chose to strip it off for the full De-Goog experience.
| QuikAccount wrote:
| > Google Smart Shellac
|
| No idea what this is and searching yields nail polish as
| the result.
| jwagenet wrote:
| Shellac is just a varnish/coating, so the implication is
| Google features are metaphorically painted on the phone
| hardware and software and you just need to scrape it off.
| jqpabc123 wrote:
| Unfortunately, what Google embeds into Android software
| is significantly more adverse than just "shellac".
|
| A standard Android phone sends your IMEI and SIM card
| info to Google servers on boot up before you even have a
| chance to login.
| QuikAccount wrote:
| Citation for this?
| ryantgtg wrote:
| I was making a (funny) joke that they put magic google
| paint on the phone, in addition to their software in the
| phone.
| okasaki wrote:
| My biggest complaint is that companies like Google won't make
| clear policies and instead their messaging is just corposhit
| nonsense.
| superkuh wrote:
| Good thing I switched to running my own mailserver in 2013. Now
| I'm completely independent of google and google accounts. If my
| @gmail.com email stops working with Thunderbird or other imap
| clients then that's that. I'm done using gmail.
|
| Google hates open protocols. Don't let their claims of OAuth
| being open fool you. They don't use OAuth, they use OAuth 2 which
| is the mega-corp version shoved down the IETF's throat where
| every single corporate implementation is different and not-
| interchangable. You need a different OAuth2 plugin for every
| mega-corp.
| vort3 wrote:
| I have a small free VPS and free domain name
| (whatever.duckdns.org). Do you think I can make a mail server
| that works, that could send emails that won't end up in spam
| folder of other people, and that I could use to create
| accounts?
|
| I have thoughts of running my own mail server, but a lot of
| sites just won't let you create an account if you don't provide
| <<trusted>> email, and by <<trusted>> most of the time they
| mean gmail.
| walrus01 wrote:
| small fee VPS are likely to be in IP space that has a 'bad'
| reputation from other people who have historically done dumb
| things in the same /24 or /22, etc, even if it looks clean
| from RBL checking tools, you have no idea what its reputation
| is for actual delivery _to_ google and office365.
| superkuh wrote:
| Well, the best time to start is now... but without a domain
| name I don't think you'll have much luck. If you want to
| learn how to set up and run a mail server I cannot recommend
| https://workaround.org/ispmail enough. These tutorials cover
| all the background and high-level concepts for why you're
| doing things in addition to the details needed to implement a
| proper mailserver.
| doublepg23 wrote:
| Linode managed to get blacklisted by Microsoft for weeks. I
| don't think you should expect a single mailserver to be able to
| survive in the current email climate.
|
| While email may be open it was designed in a pre-spam era and
| we've been fighting the oversights ever since.
| turdnagel wrote:
| Just one thing keeping me on Google for email/calendars: Search.
| I recently switched back to the Gmail app away from Spark for
| this. Don't have any examples off the top of my head, but I
| routinely encountered situations where I'd search for something
| in Spark or the Apple Mail client and couldn't find it out
| without using Gmail desktop/app.
| more_corn wrote:
| One of the Google cofounders read the book "Nudge" and loved it
| so hard they invented a process I call "Shove". You'll do what we
| want or we'll push you into traffic.
|
| This is a prime example of using dark patterns to achieve a short
| term goal at the cost of creating a world none of us want.
|
| We must all remain vigilant of this trap both as creators and as
| users.
|
| I applaud you for calling it out. I wish there was something more
| we could do about it.
| z9znz wrote:
| For some time now it has been necessary to first setup a phone
| number as the 2FA solution on a Google account. Only after doing
| that does it become possible to setup alternative 2FA solutions.
|
| So every account I setup, I have to temporarily provide my phone
| number to enable 2FA, then setup authy, and then delete my phone
| number. Obviously Google now knows who the real user is, but I
| haven't been creating additional accounts to be secret. That
| doesn't excuse the system, but it's not more than a small hassle
| for me.
| 14 wrote:
| The only solution I can see is buying a burner phone to avoid
| these situations. Yesterday tried to set up a new to me used
| iPhone 7 for my son. It too forces a phone number from you. I had
| to link my phone number to his phone which I didn't really want
| to do.
| metadat wrote:
| Twilio? Google voice?
| craftyguy wrote:
| > The only solution I can see is buying a burner phone to avoid
| these situation
|
| Or, you know, stop fucking using google.
| rsync wrote:
| A "2FA Mule" is a special kind of burner phone that forwards
| the authentication to the endpoint of your choice - in my case,
| email:
|
| https://news.ycombinator.com/item?id=29710908
| bxparks wrote:
| The problem with using a burner phone is that you could be
| assigned a phone number that has been blacklisted due to its
| abuse by a previous owner. Then Google terminates your account
| as soon as you use the banned number.
| Nextgrid wrote:
| To be fair, this is a risk even with a "legitimate" number.
| How do you know whether the previous owner did anything
| nefarious with it before it was recycled and assigned to you?
|
| Of course, the real solution is to remove the leverage Google
| has on you so that a ban is no longer a problem.
| scintill76 wrote:
| Can you ever "burn" the number though? I'd be scared they will
| require you to receive a SMS token on it later, when they feel
| like it.
| vort3 wrote:
| Can you recommend me any real working website where I could buy
| cheap one time virtual number that could be used to enable 2FA
| for my account?
|
| And I hope they will never ever again ask me to confirm
| anything using that number.
| abawany wrote:
| I have used voip.ms for years. The basic plan costs approx 1
| usd/m with no contracts, etc. and any messages received can
| be forwarded to and responded from email.
| bell-cot wrote:
| Ah... I sense a very lucrative, low-ethics business model in
| providing "cheap one-time virtual [phone] numbers" to be used
| for security-sensitive purposes.
| jqpabc123 wrote:
| Unfortunately, others have already beat you to it.
|
| For example, https://cheapglobalsms.com/
|
| I went a slightly different route --- an old spare phone
| with Ultra Mobile PayGo prepaid SIM. For $3 per month you
| get 100 minutes of voice, 100 texts and 100 MB data per
| month.
|
| The reason for this is that some security providers throw a
| little kink in the works by actually making a call to
| verify your number on sign-up.
| markdown wrote:
| Wait, you didn't want to add a phone number to a phone?
| elric wrote:
| Depends on where you live. In my neck of the woods, burner
| phones are illegal. It's (nominally) impossible to get a phone
| number without getting ID verification. This applies to
| physical sims, but also to online services a la Twilio.
| Nextgrid wrote:
| Providing ID verification to the carrier/government is one
| thing, providing it to Google is another. I'm personally much
| more comfortable with the government or carrier knowing my
| number than Google.
| negative_zero wrote:
| Thank you for posting this. I have had a second email account
| setup at the company I work for, and hit this exact problem. I
| thought I was going mad! Especially because I had enabled 2FA
| with TOTP with an existing company account just a few months ago.
| nprateem wrote:
| Shame HN is 80% tropes now from paranoid introverts who don't
| want to go back to the office and who could write Dropbox in half
| an hour
| pb7 wrote:
| It's painfully obvious that a non trivial number of users here
| maintain little contact to ordinary people who make up 99% of
| the user base.
| adhesive_wombat wrote:
| I also really hate the use of Telegram by ostensibly open source
| projects for this reason.
| ad404b8a372f2b9 wrote:
| Every new feature from Google is a middle finger to their users,
| then you get some corporate double speak about how it's all well
| and good and how it makes the product better.
|
| Get a Fastmail account, I got one after I got tired of google
| breaking my IMAP settings every other week. They're cheap, they
| have most everything you'd need from an email provider, and they
| don't require a special app like proton.
| snihalani wrote:
| I tried fastmail and then there was no search on the drive
| aspect. had to move back to google
| throw10920 wrote:
| Fastmail is great at _email_. If you want a _G Suite_
| experience, then you 'll need...well, Google.
| travisporter wrote:
| I'm able to search for filenames in fastmail files. I guess
| you refer to searching file contents?
| kevin_thibedeau wrote:
| You can mount the files via WebDAV then grep away or point
| an indexing tool at that as desired.
| vort3 wrote:
| I think if I'm gonna pay for using email, I'll just try to get
| any cheap VPS/domain and try to run my own email. It'll be more
| expensive for sure, but at least it will be my own thing I'm
| paying for.
| jjulius wrote:
| Just depends whether or not the effort it takes to find a VPS
| company whose IPs aren't blocked by major email providers,
| and then ensuring that your emails continuously make it
| through to their destinations, is worth the cost savings.
|
| I share your sentiment, but I opted for Fastmail because the
| effort wasn't worth the savings. YMMV, obviously.
| leereeves wrote:
| The problem with running your own email is getting past the
| spam filters.
|
| The big email providers have basically built a walled garden
| around email by blocking anyone outside the garden as spam.
| They have no incentive to open the system to people who run
| their own email.
| kevin_thibedeau wrote:
| Fastmail service with a custom domain includes 10GB storage
| and zero hassles.
| MilaM wrote:
| Here is how I solved the same problem a couple of weeks ago. If
| you still have an active session in a browser, you can add a
| recovery e-mail address to you account security settings. After
| that I was able to add a Yubikey as a second factor without
| adding a phone number. This should also work if you want to use
| TOTP as a 2F instead of a Yubikey.
| mxuribe wrote:
| So, at what point will there be a legitimate third option other
| than Google android phones (and associated ecosystem) and Apple
| iphones (and associatyed ecosystem)??? And, no, i don't mean
| rooting a phone, etc. to install Lineage or other alternative
| operating systems on it. I mean, i want to go out, buy a phone
| that is decent enough for the basics of what i need to do and is
| de-googled...not too crazy expensive like an iphone, and comes
| with legitimate support from a manufacturer. Its exhausting!
| momirlan wrote:
| nokia 3220
| mxuribe wrote:
| I guess i did walk into that one! :-)
| kevin_thibedeau wrote:
| With any new employer be sure to show up with just a
| featurephone so you can shoot down any brain dead attempt to
| force you to link your personal property to corporate
| authentication.
| mxuribe wrote:
| This is a great idea! :-)
| TameAntelope wrote:
| I don't see a problem giving Google my phone number.
| walrus01 wrote:
| the thing about 'adding a phone number' is that hijacking
| somebody's DID is fairly trivial these days for a good social
| engineer, you get the customer service department at somebody's
| cellular carrier to port out the number, or activate it on a new
| SIM card put into a burner.
|
| the SS7/PSTN is horribly broken.
|
| SMS based "2FA" is not actual 2FA
| 0daystock wrote:
| I think "trivial" is generous. For context, the current market
| rates for a SIM swap ranges from several thousand USD
| (T-Mobile) to well over fifty thousand USD (Verizon). It is not
| really something most people should lose sleep over, in my
| opinion.
| walrus01 wrote:
| I classify it as trivial compared to the effort in breaking
| some real 2FA or otherwise hijacking the start of authority
| for somebody's online identity/ability to reset their
| passwords and gain access to an account, like getting
| possession of a personal domain name to change the
| authoritative nameservers, set a new MX and receive incoming
| password-reset emails.
|
| Working in the telecom industry I've seen the pressures that
| first tier phone service reps are under and how they can be
| socially engineered, if someone is in possession of enough
| pieces of a person's identity already, to issue a new SIM or
| port out a number.
| drivebycomment wrote:
| > TL:DR; You can't use <<less secure>> apps (apps other than
| official gmail app) to sync emails if you don't want to link your
| account to your phone number or add google account to your phone.
|
| Not true in multiple ways.
|
| "Less secure apps" are ones that don't support OAuth. There are
| plenty of third party email apps that are not considered "less
| secure apps". E.g Thunderbird or Outlook, or iOS Mail work
| perfectly fine, as many others.
|
| You can use u2f keys as second factors and don't need to add your
| phone number as a second factor nor as a recovery phone, as my
| Google account.
| Melatonic wrote:
| Couldn't you just install the Google Profile on any android
| tablet or spare phone or something, set it up, switch to
| authenticator (on your normal phone) and then remove the accounts
| and whatnot from the tablet? Never use SMS at all?
|
| The real head scratcher for me here though is that you are fine
| with Google hosting all of your emails and whatnot but knowing
| the phone number is a huge problem? If you do not trust Google
| with your phone number it seems like going with another email
| service would probably already be a good decision.....
| tpoacher wrote:
| I'm not too keen on mandatory 2fa via phone. we need something
| simpler, like, dunno, some sort of chip on our hands or foreheads
| perhaps? /s
|
| on a serious note, it's annoying how fundamentalists eventually
| keep getting shit right because of idiots in power fulfilling
| their prophecies (daniel sloss had a nice comedy skit on this)
| dane-pgp wrote:
| That makes me wonder, how big does the gap have to be between a
| supposed prophecy and the supposed fulfilment of that prophecy
| before we can't call it "self-fulfilling" any more?
|
| I suppose that on a time scale of thousands of years, a lot of
| analytical methods break down (and certainly it would be hard
| to start any new experiments which take that long to complete),
| but I think that epistemological bonus points should go to
| anyone whose interpretation of a prophecy guessed the correct
| ~50 year period for its fulfilment roughly 1800 years in
| advance.
|
| https://en.wikipedia.org/wiki/Millennialism#cite_ref-18
___________________________________________________________________
(page generated 2022-05-03 23:01 UTC)