[HN Gopher] Google removed my Yubikeys from a Google account 'ju...
___________________________________________________________________
Google removed my Yubikeys from a Google account 'just to be safe'
Author : nalllar
Score : 283 points
Date : 2022-12-26 20:28 UTC (2 hours ago)
(HTM) web link (lunnova.dev)
(TXT) w3m dump (lunnova.dev)
| yborg wrote:
| Google support bot requires HN Google account nightmare stories
| to reach 1000 points or be posted by paulg before they are
| addressed.
|
| (FWIW I added Yubikeys to 2 old long-term Google accounts about 6
| months ago and they are still there. I did do this from the home
| location I usually use Google from, though.)
| nalllar wrote:
| Unfortunately for my hopes of getting this fixed, this post
| started getting flagged after it sat at the number 1 spot
| earlier today, or maybe Dang bumped it down because there are
| too many google support posts.
|
| :P
| [deleted]
| proactivesvcs wrote:
| February this year I migrated my Mojang (Minecraft) account to a
| Microsoft Account, which I created solely for this use. I played
| a bit on a local world with just myself. The account had a
| unique, secure password and was secured with TOTP 2FA when I set
| it up.
|
| I recently tried to play the game again but was told I had to
| login again. Doing so locked my account because it had been used
| in ways which violated Microsoft's ToS: hacking, phishing or
| scamming other users. They demanded my telephone number before
| they'd allow me to use it again.
|
| I basically consider this account and the game lost now. I didn't
| buy this game when it was owned by Microsoft, but will never buy
| anything from Microsoft which requires me to have an account with
| them ever again.
| 63 wrote:
| Iirc that's a common occurrence. For some reason Microsoft
| really wants phone numbers associated with accounts.
| uallo wrote:
| They did the same thing to an account I used to access Bing
| Webmaster Tools. Instead of giving them anything, I now
| actively move friends and family away from Bing. Not that many
| of them used it in the first place, but now there are none left
| as far as I know.
| falsenapkin wrote:
| Yeah that was a frustrating experience. I caved though, but
| they also didn't like that I was using a phone number already
| associated with an account that I use for office... I didn't
| want them to be the same account.
|
| Tangent, after giving in to the phone I became more
| disillusioned with Minecraft as 1) MS appears to have canceled
| a 3rd installment of music from C418 over licensing issues
| (C418 wanted rights) and instead got some new artists whose
| music is good but doesn't fit the nostalgic vibe and seems
| played more often as well as with regularity in certain
| scenarios (previously it was fully random) and 2) classic case
| of S****horpe censoring and bans, applied to inoffensive words,
| people's names, other languages, private servers, people's
| pre-existing user name, even within commands, etc...
| tmpburning wrote:
| They probably asked you for your phone number at the same
| time....
| nalllar wrote:
| I did not get asked for a phone number or use SMS 2FA during
| this process.
| fosefx wrote:
| Tangent: Instagram managed to lock me out of their service for a
| week or so a couple of days ago. My browser was signed in into my
| account, but I have not used it for like a month.
|
| Got logged out. I log back in (using 2FA btw). "Please give us
| your phone number so we can verify it's you" I enter my phone
| number. I don't really get the point of this because they did not
| have my number before, so what are they actually verifying here?
| Anyway, I trust Facebook with my phone number lol. I get a code,
| I enter it. "Your account activity is suspicious and we will
| limit your account for a bit" That was it. No redirect, no link
| to click, nothing. So I go back to instagram[.]com and have to do
| the same thing again?
|
| Well maybe my browser is on a block list now or sth. So I go to
| my phone (where I was signed in). And the App is broken
| completely, looks like the session was invalidated.
|
| I log out, log back in, do 2FA, enter the code again. Same
| result.
|
| I checked back in a couple of days ago and it seems like I have
| access again.
|
| It is unfathomable how this can happen. How can the front gate to
| your multi billion service just not work to the point where you
| DOS yourself?
|
| Also this account has 0 images, and just a couple of followers,
| so there is literally nothing to protect.
|
| In moments like these you really start to notice the missing
| communication channels to the big tech companies. Is there any
| other industry that has zero customer support?
| [deleted]
| smartaz42 wrote:
| I'm sure that they have outstanding customer support. But you,
| however, are not the customer.
| moloch-hai wrote:
| I'm confident they _don't_ have outstanding customer
| support, even for actual customers (who are not you).
|
| Outstanding customer support would entail _expense_,
| threatening _profits_. The money of happy and unhappy
| customers turns out to be the same color.
| bmitc wrote:
| It seems like most industries are moving towards no support
| because "we need to scale at all costs and to the detriment of
| customers" seems to be the capitalism drumbeat. Customers these
| days, to many companies, are just statistical artifacts in
| their system.
|
| I had a case the other day where I called my insurance company.
| The automated system couldn't understand my answers (I was
| actually trying to answer the given prompts rather than just
| repeating "representative" over and over). It replied "it looks
| like we're having a problem" and proceeded to just say goodbye
| and hang up on me. More than infuriating, and that's an
| understatement.
| Nextgrid wrote:
| The problem is that there's zero law enforcement against
| corporation-vs-consumer fraud. Companies have noticed and are
| taking advantage of it (basic market pressures - if they
| don't, their competitor will).
|
| Why make it easy for our customers to contact us (presumably
| to make a claim - ie the whole reason insurance products
| exist) when we can just _pretend_ it's easy, collect money
| based on that lie and get away with it?
| willnonya wrote:
| This isn't capitalism. It's more corporatism.
|
| Capitalism responded to market forces and the needs of the
| customer.
| xboxnolifes wrote:
| Capitalism also tends toward the mean at the expense of the
| edge cases.
| SoftTalker wrote:
| Yes, companies which have real customer service will in
| theory have a competitive advantage over companies which
| have a voice response system that hangs up on the customer.
|
| What often happens though, is that consumers go with the
| lowest price above all other considerations. Then they get
| the hard lesson in "you get what you pay for."
|
| It's the same reason that air travel is so awful. You'd
| think that one or more of the airlines would compete on
| comfort and service, but that's impossible when travelers
| go to Expedia and overwhelmingly pick the flight with the
| lowest price.
|
| I personally don't pay rock bottom for insurance, and I
| have an agent I can call and talk to without any
| intervening voice menus. A human in a local office answers
| the phone.
| bmitc wrote:
| You pay health insurance out of pocket? I was referring
| to my medical insurance provided by my company.
|
| I in general try to speak with my wallet, so to speak,
| but it's like posting into the ocean. And with some
| things, like mail and shipping services, there are no
| options.
| SturgeonsLaw wrote:
| That's all semantics, we can't say "Capitalism is when the
| system does good things, and Corporatism is when it does
| bad things", the difference is not meaningful since
| Capitalism leads to/is Corporatism.
| tarboreus wrote:
| Disagree. A robust anti-trust environment would alleviate
| 90% of these issues. What we are in now (in the US) is an
| environment of corporate political capture, which is not
| inevitable, as a similar situation was demonstrably
| reversed in the early 20th century by strong anti-trust
| legislation and enforcement.
|
| The companies get away with this because they have
| massive market power, and they have used the wealth
| generated by that power to capture our political system.
| quanticle wrote:
| Capitalism responded to market forces and the needs of the
| customer.
|
| Did it? When? I can't name a single era when "capitalism"
| (a fuzzy term) actually responded to consumer demands in
| the way that the parent poster described. Whether it's
| railroad robber barons screwing over farmers, Ford selling
| cars with an unacceptable risk of catching fire, or Google
| arbitrarily deleting people's entire digital identities,
| large corporations have _always_ treated their customers as
| a collection of statistical artifacts (to quote another
| poster elsewhere in this thread).
| unqueued wrote:
| This makes me worried, because I am pretty sure Google is going
| to start removing keys based on attestation certificates.
|
| I believe that this is much more about rate limiting than about
| security for the end users.
| nalllar wrote:
| Hi HN. I posted this here because it seems to be the best way to
| get someone at google to look at something.
|
| To preempt some comments along the lines of "why are you relying
| on google in 20xx", I try my best not to these days but I still
| rely on them to forward emails from my old accounts, or for
| services like youtube where you must have a google account for
| full features.
| [deleted]
| yetanotherloser wrote:
| It's undeniably shitty behaviour from the Goo but I'm
| increasingly getting the message that the only sane attitude is
| detachment from anything I posted in some past, more naive
| age. Scribe on vellum or linen rag that which is for the ages,
| and ignore the rest. If it's on a server I don't even mourn it,
| I killed it already by putting it there.
| ziml77 wrote:
| That's how I think about it. What's the big deal really to
| lose things from the past? I still have way more of my
| personal history solidified in recorded form than people
| of ages past. They managed just fine, I will too.
| gpanders wrote:
| >What's the big deal really to lose things from the past?
|
| Losing pictures of my kids when they were young would be
| devastating. For some things, it's a very big deal.
| tasuki wrote:
| Sad, sure, but devastating?
| ergonaught wrote:
| Yes.
|
| Why would it even occur to you to police how someone
| feels about losing things of immense personal
| significance?
| hotpotamus wrote:
| I tend to agree, but you can also run your own servers.
| into_infinity wrote:
| Google generally does stuff like that when they believe somebody
| else had access to your account and made changes. This sometimes
| involves the attacker enrolling for (their own) 2FA or changing
| recovery methods to lock you out. So, the action of removing 2FA
| is in itself not unreasonable.
|
| It's possible that their logic has some sort of a bug, especially
| if it only happens when you visit a specific service - and in
| that case, getting on HN might be the best way to get it looked
| at by a human... but also make sure you don't have any other
| issues going on.
| nalllar wrote:
| Removing security keys that have been registered for years is
| very unlikely to be the right move even if my device has been
| compromised, as they are one of the most reliable ways I could
| prove I am the original account owner at some later point.
|
| If the message had stated "We have removed recently added
| security keys" I would be a lot more understanding!
| lamontcg wrote:
| If you had your recovery keys stored in a note on lastpass
| you might have wanted to rotate those as well recently.
|
| Yeah, in theory those recovery keys should still be secure,
| but you know for certain that a hostile attacker has the
| encrypted secure note, and without any confidence in lastpass
| it makes sense to change them as well.
|
| Unfortunately this means you look exactly like someone doing
| an account takeover and changing the password and recovery
| keys on the account.
| nalllar wrote:
| Thanks for the heads up.
|
| I don't use lastpass, but if I did I wouldn't have to
| because this "Just to be safe" process also reset/removed
| the recovery keys.
| ehsankia wrote:
| > registered for years
|
| Right, that's likely the "bug" part. On HN of all places,
| people shouldn't be surprised that bugs happen.
| nalllar wrote:
| Unfortunately due to a lack of customer support posting
| here gives me the best chance of getting it fixed!
|
| If google had working support flows I would not have
| written this up or posted here about it.
|
| A few years back I lost access to a different google
| account as the recovery phone number was a landline and
| google was trying to send SMS messages to it. I had the
| right password but it thought I was suspicious and insisted
| on SMS verification. I never managed to reach a human to
| get something done about the issue.
| sofixa wrote:
| > Unfortunately due to a lack of customer support posting
| > here gives me the best chance of getting it fixed!
| > If google had working support flows I would not have written
| > this up or posted here about it.
|
| They do, you just have to pay for that privilege via
| Google One.
| nalllar wrote:
| If you are locked out you can't access Google One's
| support.
| sofixa wrote:
| My understanding is that you can always call them, even
| if your account is blocked.
| nalllar wrote:
| I don't have it but it looks like you have to initiate
| the call from the Google One page and they call you, they
| don't have an inbound number.
|
| Googling "google one phone number" did show me a
| potential scam result in the infobox at "gooogle-live-
| personn" on google sites that obviously isn't official.
| You can't make this stuff up.
| qmarchi wrote:
| Went ahead and escalated this one internally. That's
| pretty bad.
| Shank wrote:
| Were you using a VPN or something? I'm curious if this was
| tripped by setting off impossible-travel flags or something. It
| seems plausible that this is just anti-account takeover logic
| working as-expected, but with a false positive alert.
| nalllar wrote:
| Anti-ATO should not clear out security keys that have been
| registered for a long time. If suspicious new keys were added,
| it should clear those.
|
| From the audit log in my email no new keys were added before
| this was tripped.
|
| I am not using a VPN and as far as I know I am not doing
| anything unusual. I might be committing the crime of having a
| Linux Firefox user agent but I somewhat doubt that was the
| problem, that's not that unusual.
| unqueued wrote:
| I was hoping that using hardware keys would eliminate some of
| the security hoops that we have to jump through. And it does
| seem to help. But the whole reason that I have a key is so I do
| not have to supply my phone number, and I have a more trusted
| way of proving my identity, even if I am connecting from an
| unusual location.
| ffhhj wrote:
| >> As google has no support channels I can use, my only recourse
| is to write this blog post and hope someone sees it.
|
| By 2030 we will need to build a social network with at least 10k
| users to get some attention from the Gooverlords.
| blacklight wrote:
| Articles like these (which can generally be grouped under the
| "what the hell is Google doing with my account and my data, and
| why can't I reach out to a human to get out of this Kafkaesque
| nightmare?") are popping on HN on a daily basis.
|
| I've previously been reported for commenting on a previous
| article that Google is a faceless company that produces shitty
| products and it doesn't actually give a shit about user
| experience, negative feedback nor deleting/locking accounts (and,
| often, years of work) for no clear reasons.
|
| Somebody responded "on HN we often hear only one side of the
| story (people getting a negative experience with Google) and not
| Google's side".
|
| So, since many Google employees are also here on HN, I ask you
| folks: do you have any words to say in defense of these crappy
| policies?
|
| If yes, then I'm happy to change my mind about Google, and eat
| back all the countless offenses I've thrown at the company over
| the years if convinced by enough plausible arguments.
|
| If no Google employees can come here (or, even better, directly
| reach out to those impacted by their bad decisions) and defend
| their policies, then I abide by my words: Google is a shitty
| company that produces shitty products, it is proud of being a
| faceless company that doesn't care about supporting users (even
| though it makes a lot of money out of their data), it makes
| horrible business decisions, and it leaves people in the dark
| when locked out of their accounts. Such companies, in a healthy
| market with enough competition, deserve to rot and fail and be
| mourned by nobody.
| anonuser123456 wrote:
| I think your commentary is unfair; they make great business
| decisions. They realize that the benefit of fucking over a few
| users here and there is outweighed by the cost of helping them.
|
| And people that matter have a back channel via employees or
| account reps to clear things up.
| n1c00o wrote:
| I would assume that it is mostly Google engineers on the site,
| and they do not have any link with these policies nor provide
| any information (either legal clause or simply that they don't
| know).
|
| Not to play the devil's advocate but Google is still a great
| research company, helping the open-source community and the
| tech industry.
| alphabet9000 wrote:
| found a similar error message happening to someone else a year
| ago with few recourse options:
| https://support.google.com/accounts/thread/103488375/google-...
| nonfamous wrote:
| I had a similar experience recently when setting up a new TCF TV
| for my mother. I didn't see a "was this you?" email to her Gmail
| account after logging her in to Android TV, and within hours her
| password had been invalidated by Google. The message when trying
| to log in at gmail.com was "Your password has been changed in the
| last week", which caused me great concern and an hour or so
| changing passwords, etc. If the message had said "Google
| invalidated your password" I'd still have been pissed, but at
| least not panicked.
| xrayarx wrote:
| Sad story, it is the same with all the newfangled companies: you
| are a product, not a customer
| moloch-hai wrote:
| The joke is on the customers, then, who are treated as badly as
| users.
| srwx wrote:
| Great so when something like the recent LastPass leak happens and
| I go in and cycle my password, 2fa and backup codes out of simple
| precaution Google is going to perhaps mark that all as suspicious
| and undo it for anyone who might come along and pretend to have
| lost access to my account?
| PaulKeeble wrote:
| It's surprisingly risky to update your login credentials.
| Users do it so rarely it's perceived as suspicious even when it
| comes from known IPs and everything else looks healthy. Given
| it's Google, if it goes wrong you lose the account completely.
| It's insane you have to weigh up the potential consequences of
| doing the right thing for security, but that is how Google has
| set the system up.
| nothasan wrote:
| I think Google needs to add a better way to secure old /
| previously inactive accounts. My guess is because your account
| was old, and your current device, IP and overall fingerprint was
| different it decided you were an intruder.
| nalllar wrote:
| I don't know, while this account is old and fairly infrequently
| used I normally have it in the google account switcher dropdown
| logged in rather than completely logged out.
| marcinzm wrote:
| Removing pre-existing security measures due to suspicious
| activity seems an odd strategy.
| carbocation wrote:
| This seems inadequate to explain the removal of _security
| keys_. Unless Google inferred that OP was not just a garden
| variety intruder, but some sort of advanced persistent threat
| that had added such keys long ago?
| nothasan wrote:
| Yep I don't know what's going on here. OP posted another
| reply with the time they added their keys and they aren't
| recent.
| pwdisswordfish9 wrote:
| Reading stories like these, I'm glad I don't even have a Google
| account.
| PaulKeeble wrote:
| I remember how promising early Google was, how great Gmail
| appeared to be. Now the search is barely usable, your account
| gets nuked because you logged in a minute later than usual and
| they still don't have any support. Strangely businesses haven't
| completely abandoned everything to do with them, they clearly
| don't care about their paying customers let alone the free tier
| ones.
| wkat4242 wrote:
| > Removing physical U2F keys from an account without request
| seems to be the worst possible reaction to suspicious activity.
|
| Exactly, unless they were added during the suspicious activity.
| But this seems to be not the case.
|
| I work in cybersecurity and I've seen hackers setting up PINs etc
| on hijacked Whatsapp accounts just to make it harder for the
| legit owner to recover it. So if it was a really recent addition
| it might make sense. If the Yubikey was there for ages it's a
| really stupid move because it's the one way the real owner can
| prove themselves.
| nalllar wrote:
| The account has had some security keys set up since ~2020, with
| additional keys added last year.
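An added example (not code from any commenter, and not Google's actual account-takeover logic, which is not public) that contrasts the two responses discussed in this subthread: wiping every security key on suspicion versus revoking only keys enrolled during the suspicious window and keeping the long-standing ones as the owner's strongest proof of identity. The key records, the incident window and the field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List


@dataclass(frozen=True)
class SecurityKey:
    """One registered FIDO/U2F key. Field names are hypothetical."""
    key_id: str
    registered_at: datetime


@dataclass(frozen=True)
class Incident:
    """The window in which suspicious activity was observed (constructed)."""
    start: datetime
    end: datetime


UTC = timezone.utc

# Constructed sample: two keys enrolled years before the incident, one enrolled
# during it. Timestamps are illustrative, not taken from any real account.
KEYS = [
    SecurityKey("key-2020-desk", datetime(2020, 3, 1, 10, 0, tzinfo=UTC)),
    SecurityKey("key-2021-spare", datetime(2021, 6, 15, 9, 30, tzinfo=UTC)),
    SecurityKey("key-2022-new", datetime(2022, 12, 20, 22, 5, tzinfo=UTC)),
]
INCIDENT = Incident(
    start=datetime(2022, 12, 20, 21, 0, tzinfo=UTC),
    end=datetime(2022, 12, 21, 3, 0, tzinfo=UTC),
)


def wipe_all(keys: List[SecurityKey], incident: Incident) -> List[SecurityKey]:
    """The blunt response the thread complains about: revoke everything."""
    return list(keys)


def revoke_enrolled_during_incident(
    keys: List[SecurityKey],
    incident: Incident,
    lead_in: timedelta = timedelta(hours=1),
) -> List[SecurityKey]:
    """Revoke only keys enrolled inside the suspicious window (plus a short
    lead-in, since an attacker may enrol a key shortly before the first event
    the detector catches). Keys that predate the window are kept: they are the
    owner's best evidence of ownership during later recovery."""
    cutoff = incident.start - lead_in
    return [k for k in keys if cutoff <= k.registered_at <= incident.end]


def surviving_keys(
    keys: List[SecurityKey], revoked: List[SecurityKey]
) -> List[SecurityKey]:
    """Keys the legitimate owner can still present after the response."""
    revoked_ids = {k.key_id for k in revoked}
    return [k for k in keys if k.key_id not in revoked_ids]


if __name__ == "__main__":
    for policy in (wipe_all, revoke_enrolled_during_incident):
        revoked = policy(KEYS, INCIDENT)
        kept = surviving_keys(KEYS, revoked)
        print(f"{policy.__name__}: revoked={[k.key_id for k in revoked]} "
              f"kept={[k.key_id for k in kept]}")
```

With the constructed data the narrow policy revokes only `key-2022-new` and leaves both older keys, whereas `wipe_all` leaves the owner with nothing to prove ownership with; the `lead_in` parameter is the one tunable a defender would want to reason about, since it trades a little extra revocation for catching enrolments that immediately precede the first detected event.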
| tmpburning wrote:
| Google twice removed my password from my Google account... i.e.:
| I could not login even with the correct password.
| Animats wrote:
| We need a general solution to reestablishing authentication.
|
| The hard-line solution would be that you go to a post office,
| airport, police station, motor vehicle office, passport office,
| or bank, they take your fingerprints, picture, and a retinal
| scan, you get a new ID card and token, and your old ones are
| invalidated.
|
| The US just pushed the date for REAL ID enforcement further out,
| again. This time from spring 2023 to 2025.[1] REAL ID terrifies
| illegal aliens. Once everyone legal in the US has one, getting a
| job or traveling will be much harder.
|
| [1] https://www.cnn.com/travel/article/dhs-real-id-deadline-
| exte...
| SoftTalker wrote:
| It's already illegal to hire illegal aliens. Why will REAL ID
| change anything in that regard?
|
| Employers who disregard the law now will continue to disregard
| the law.
| 0x457 wrote:
| It depends on state to state. In California, you can get non-
| REAL ID if you have at least one form of ID (i.e. passport
| from another country). Doesn't matter whether you're
| documented or not.
|
| REAL ID looks different and essentially proves that you are
| not undocumented.
|
| Visually, there used to be no difference between ID for
| undocumented and documented, so you can travel freely. My
| immigration lawyer recommended against traveling to AZ with
| that ID.
|
| Not sure what it changes in terms of hiring. Even with REAL
| ID after background check, I had to submit proof that I'm
| allowed to work in this country.
| lmm wrote:
| > It's already illegal to hire illegal aliens. Why will REAL
| ID change anything in that regard?
|
| It's hard to enforce that when there's no easy way to prove
| someone _isn't_ in the country legally.
| sokoloff wrote:
| How does Real ID help _prove_ that someone who doesn't have
| one isn't here legally?
|
| I am here legally and renewed my license since my state
| offered Real ID. I still got the old "Not for Federal ID"
| license. If I show that to someone, does that somehow prove
| I'm not here legally?
| cavisne wrote:
| Businesses just ask for a social security number, and a
| random one is provided.
|
| So they can plead ignorance.
| SoftTalker wrote:
| No, they are supposed to ask for documentation, not just a
| number.
|
| https://www.uscis.gov/i-9-central/form-i-9-acceptable-
| docume...
| 0x457 wrote:
| That's if you're hiring an immigrant as an immigrant, not
| as something who pretends to be a citizen.
| codegeek wrote:
| No that's incorrect. I-9 verification is for everyone
| including citizens. Basically you need to show proof that
| you are legally allowed to work in the US which also
| applies to citizens. Source: I am an employer.
| NovemberWhiskey wrote:
| No; the I-9 process is for everyone.
| choppaface wrote:
| It won't stop cash transactions, but it will hinder
| interstate movement as it generally gives police an extra reason
| to detain somebody.
| choppaface wrote:
| Amazon uses Whole Foods for returns. Apple can push to all your
| devices for MFA. Imagine the impact on perception of google
| customer service if they deployed support kiosks to grocery
| stores.
| akerl_ wrote:
| Tying commercial account unlocks to governments feels like a
| terrible idea.
| willmadden wrote:
| That sounds like a one-way ticket to a police state.
| akerl_ wrote:
| Yea. To say nothing about the abuses possible if the US was
| in charge of the account unlocks for American citizens,
| picture for a moment if the Russian government was
| responsible for unlocks for Russian users of Google.
|
| And then there's the question of how the heck you scale this
| if you're a new company and want to handle unlocks for global
| users.
| [deleted]
| smarx007 wrote:
| Not meaning to hurt any feelings here, but are you aware that
| people in Sweden have been filing taxes online for years with
| the help of nation-wide https://en.wikipedia.org/wiki/BankID ?
| Brian_K_White wrote:
| Real ID is terrible, and I am a perfectly legal not alien nor
| criminal.
| [deleted]
| jamest wrote:
| Related, but different, & if there's someone at Google looking at
| this:
|
| There was a Titan Bluetooth Key (for 2FA) Vulnerability, you've
| said you'll replace the affected keys[1], but you're no longer
| doing so. Which is frustrating.
|
| [1] https://security.googleblog.com/2019/05/titan-keys-
| update.ht...
| mcint wrote:
| You'll have better luck with a separate post, even if it
| doesn't hit the front page. I would over-describe the problem,
| state it in 3 different ways, so some kind soul searching is
| more likely to find it.
| twawaaay wrote:
| Google's implementation does not seem to be doing much good
| anyway. To be fair, it is not just Google -- most companies feel
| the same pressure of having to implement MFA but then also make
| it convenient for clueless users to recover their access.
|
| The right way to implement hardware keys is to allow registering
| multiple of them (so that you can put at least one or two off-
| site -- in a secure storage) and then not let you recover the
| access under any circumstances without showing you still own at
| least one of those keys.
|
| If you can recover access without the keys then what is the point
| of keys in the first place?
| carbocation wrote:
| > The right way to implement hardware keys is to allow
| registering multiple of them
|
| Google allows this.
| twawaaay wrote:
| You missed the second part.
| carbocation wrote:
| I see, so you're saying that it's good that Google does the
| first part, but needs to add the second part. Awareness
| that Google does the first part wasn't clear from the
| comment.
| twawaaay wrote:
| Any security mechanism is pretty much worthless if it can
| be trivially circumvented.
|
| So yes, the second part is pretty important
|
| Actually both parts are important, either is worth little
| without the other. Having well implemented hardware key
| is useless if you can't configure more than one -- too
| much risk having a single piece of hardware that if it
| fails or you lose it will lock you irrevocably from the
| account.
| roxgib wrote:
| This annoys me a lot - I do sympathise with the fact that these
| services are regularly bombarded with users unable to log in,
| but modern authentication tools have existed for a while now
| and it's time everyone learned to use them. A lot of services
| insist on including your phone number as a backup
| authentication method, making you vulnerable to simjacking, or
| your email address for the same purpose (basically offloading
| the authentication problem to someone else). That's if you
| can't bypass it altogether.
|
| For services that allow it I have both a TOTP app on my phone
| and a YubiKey registered, which I figure is sufficient
| redundancy. Other people could have an old phone registered as
| well if they don't want to buy a security key. It's a very
| minor hassle to set up and I can't see why people can't do it.
| Brian_K_White wrote:
| You can duplicate the totp too. Either save the initial seed
| generated by the site(s), or depending on the app it may
| provide a way to export the seeds.
|
| You don't go through the setup process on the sites again.
| The sites have no knowledge that you have 1 or 21 new totp
| apps set up. You just enter the saved seed keys into the app
| and it starts spitting out the same correct codes as the
| other apps you already had setup.
|
| Gnome authenticator can export a json file containing the
| keys to all the sites you have in it. You can then take those
| (just manually read them in a text editor), and enter them
| into Google Authenticator on a phone, and now you have 2
| working authenticator apps, both spitting out the same
| correct codes every 30 seconds.
|
| Further, you take that same json and paste it into a note in
| a keepass record, or save the individual seed keys in
| individual site entries just like the passwords, and copy
| that keepass db file all over the place including cloud
| drives, and including places you can access without the totp.
|
| Now you can reproduce a working authenticator from scratch on
| any device at any time no matter where you are and no matter
| what happens to your phone or laptop. Buy a brand new phone
| or laptop, have a way to get a copy of your keepass db
| without needing the totp app, and in a couple minutes you
| have a working totp app again.
|
| You never really have to even use the single-use emergency
| bypass codes. Keeping copies of the initial setup seeds is
| really no different from keeping copies of the emergency
| codes, but the setup seeds reproduce a fully working app not
| just a one-time access to a site.
|
| And even if some app doesn't provide an export like gnome
| authenticator, you can also just record the key the first
| time it is generated instead of just scanning the qr code.
| Once you've saved it, you can use it as many times as you
| want.
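An added example (not code from the commenter or from any authenticator app) that shows the mechanism this comment relies on: a TOTP code is a pure function of the shared seed and the current time, so a second app loaded with the same exported seed produces identical codes and the site cannot tell the copies apart. The seed used is the RFC 6238 reference secret in base32, a constructed sample rather than anyone's real enrolment; the `AuthenticatorApp` class and its JSON export format are hypothetical stand-ins for the export/import flow the comment describes, and `site_verify` is the server-side check with the usual small drift window.

```python
import base64
import hashlib
import hmac
import json
import struct
import time
from typing import Optional, Tuple

# Constructed sample seed: the RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way a site shows it beside the QR code. Not a real account seed.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10**digits).zfill(digits)


def totp(seed_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    secret = base64.b32decode(seed_b32.replace(" ", ""), casefold=True)
    return hotp(secret, unix_time // step, digits)


class AuthenticatorApp:
    """Hypothetical minimal authenticator app; the JSON layout is made up for
    this example and is not any real app's export format."""

    def __init__(self) -> None:
        self.accounts = {}  # label -> base32 seed

    def enroll(self, label: str, seed_b32: str) -> None:
        self.accounts[label] = seed_b32

    def code(self, label: str, unix_time: Optional[int] = None) -> str:
        now = int(time.time()) if unix_time is None else unix_time
        return totp(self.accounts[label], now)

    def export_json(self) -> str:
        return json.dumps([{"label": l, "secret": s} for l, s in self.accounts.items()])

    @classmethod
    def import_json(cls, blob: str) -> "AuthenticatorApp":
        app = cls()
        for entry in json.loads(blob):
            app.enroll(entry["label"], entry["secret"])
        return app


def site_verify(seed_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` steps to
    tolerate clock drift, comparing in constant time. The site only ever sees
    the code, so it cannot know how many apps hold the seed."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(seed_b32, unix_time + delta * 30), submitted):
            return True
    return False


def demo(unix_time: int = 1111111109) -> Tuple[str, str, bool]:
    """Enroll on one 'phone', export, import on a 'backup', compare codes."""
    phone = AuthenticatorApp()
    phone.enroll("example.test", RFC6238_SEED_B32)
    backup = AuthenticatorApp.import_json(phone.export_json())
    a = phone.code("example.test", unix_time)
    b = backup.code("example.test", unix_time)
    return a, b, site_verify(RFC6238_SEED_B32, b, unix_time)


if __name__ == "__main__":
    print(demo())  # both codes identical, and the site accepts the backup's code
```

The flip side of this convenience is the point the comment glosses over: the exported JSON is equivalent to every second factor in it, so wherever that file or the KeePass database holding it lands, it needs the same protection as the passwords themselves, and a seed that may have leaked can only be invalidated by re-enrolling at the site.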
| mook wrote:
| If you're putting it in keepass anyway, you might as well
| use it (either the original C# one with plugins or
| KeepassXC) as your authenticator app. Mobile keepass
| applications support the same.
| plantain wrote:
| I run a SaaS for what you might imagine would be highly
| technical, educated clients, and despite this I am bombarded
| by users who seemingly have never done a Register ->
| Activation email workflow.
|
| Users are hard.
| jzb wrote:
| "but modern authentication tools have existed for a while now
| and it's time everyone learned to use them"
|
| It's a nice thought, but overall computer literacy is still
| highly varied, and it likely will be for a very long time.
|
| We still have a large percentage of users who use computers
| sparingly and by rote. I have family members who need a lot
| of help to do day to day setups and are going to have a hard
| time with MFA devices or apps.
|
| "Other people could have an old phone registered as well if
| they don't want to buy a security key. It's a very minor
| hassle to set up and I can't see why people can't do it."
|
| Minor hassle _for you._ Major hassle for a lot of users. Try
| real hard to put yourself in the place of a 77-year-old user
| who has limited sight and only needs to use a computer to
| accomplish very specific tasks - and has zero interest in
| doing more than basic email, banking, and a few other things
| that can only be done online. They have a smartphone only
| because it's a connection to their grandkids.
|
| Because of the smartphone they're saddled with a Google or
| Apple ID that they'd otherwise never bother with. A TOTP app
| or YubiKey? That's _well_ outside their comfort zone.
|
| This isn't because these users are dumb. But the assumption
| that "it's time everyone learned" is based on the idea that
| everybody is using computers regularly and has resources for
| educating them - which is simply not true.
|
| My kids, my wife, and my in-laws all use computers very
| differently than I do and it's extremely educational how
| people outside the industry see and use computers.
|
| My 17-year-old only uses a Chromebook for school (grudgingly)
| and would rather do everything on their phone. My wife is
| fairly computer savvy, but still hits roadblocks. (She does
| enjoy forwarding me screenshots of particularly bad Phishing
| attempts...) And my older in-laws occupy most of their time
| far, far away from their computer. Singular.
|
| Anyway - it'd be lovely if folks had way more empathy for the
| huge swaths of people who have less experience with
| computers. It's not the priority for them that you imagine
| that it should be.
| tbrownaw wrote:
| Really, there needs to be some way to add a secondary key
| that's in secure storage _without removing it from secure
| storage_.
| twawaaay wrote:
| In the realm of real hardware security modules this is actually
| simple, at least in theory. (I worked as a security officer
| for a credit card payment company and we had real HSM boxes
| worth a small fortune each). What you do is you initialise the
| hardware device with the same cryptographic material. You can
| make as many clones as you want, securely. In practice it is
| a huge headache but that is due to the amount of procedures and
| paperwork you need to do.
|
| Now, I am not an expert on Yubikeys and the protocols used by
| these tokens, but I know they have protection against replay
| attacks, meaning they keep a sequence number that is
| incremented for each challenge/response. Pretty sure it could
| be made to support multiple keys. It would be really nice if
| I was able to initialise multiple yubikeys and use them
| interchangeably (and keep two in a safe deposit box just in
| case).
| kkfx wrote:
| Personally, just to be safe I have ceased to use many "big name"
| services, preferring for instance to have my mails locally,
| paying a service (not that much) with a hotline... My personal
| policy is: if I can't phone them, if I have no local registered
| office to contact in case of need, if I do not have my data
| locally in usable forms, that means it's not safe for me going
| with them.
___________________________________________________________________
(page generated 2022-12-26 23:01 UTC)