In honor of Cybersecurity Awareness Month, Google said it wanted to make sure their products are secure "by default."
Google announced on Tuesday that it will be auto-enrolling 150 million of their users in two-step verification by the end of 2021. The platform will also force two million YouTube creators to turn on two-step verification by the end of the year as well.
In a blog post, Google Chrome product Manager AbdelKarim Mardini and Google account security and safety director Guemmy Kim said the best way to keep users safe is to turn on security protections by default.
"For years, Google has been at the forefront of innovation in two-step verification (2SV), one of the most reliable ways to prevent unauthorized access to accounts and networks. 2SV is strongest when it combines both 'something you know' (like a password) and 'something you have' (like your phone or a security key)," the two explained.
"2SV has been core to Google's own security practices and today we make it seamless for our users with a Google prompt, which requires a simple tap on your mobile device to prove it's really you trying to sign in. And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users' accounts into a more secure state."
In addition to requiring 2SV -- also known as two-factor authentication -- Google said it checks the security of 1 billion passwords and works to protect Google's Password Manager, which is built directly into Chrome, Android and the Google App.
(Score: 3, Informative) by Anonymous Coward on Thursday October 07 2021, @12:38AM (6 children)
It's about security! That we use as a reason for you to ...
... have a cellular phone/similarly enabled tablet ...
... on which you run some of our software ...
... instead of considering other two-factor options.
That's OK, we can all trust Alphabet! It's so much easier with their recommended medication!
Fuck these guys with the business end of a saguaro.
(Score: 3, Informative) by Rosco P. Coltrane on Thursday October 07 2021, @02:56AM (3 children)
- You can use iPhones to get your SMSies.
- You can use FIDO (e.g. Yubikey) for Google 2FA
I hate Alphabet / Google as much as the next guy, and I'll readily recognize that it's a great excuse for them to link user accounts, cell phone numbers and real identities for increased dataraping in the name of security. But there options to mitigate the privacy invasion.
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @10:52AM
eg solokey
FTFY
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @01:00PM
Google thanks you for giving them ever more data for free. Boycott Google and social media - you'll be amazed at how after a few months all that wated time gets filled up with healthy activities instead.
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @05:27PM
Yes, you may be able to avoid Google slurping up your phone number, but 2FA without a phone number for backup access might lead to being permanently locked out of your account, if you lose access to your 2nd factor. Of course, leaving the option of SMS backup might lead to losing your account via SS7 snooping or sim swapping too.
And, TOTP (e.g., google authenticator) isn't really secure either. It is nearly as easy to phish a TOTP private key as it is to phish a user password.
I wonder how many people are going to permanently lose access to their gmail accounts because of this?
(Score: 3, Interesting) by mcgrew on Friday October 08 2021, @02:29PM (1 child)
I think I'm already on their list. I wrote an HTML scoreboard [mcgrewbooks.com] for Felber's shuffleboard, on a large tablet, and the only browser on the tablet was one you couldn't put in fullscreen, so I went to Google Play to get Firefox. I couldn't get in to Google Play, they don't have my phone number and I don't use my phone for email. It was a little frustrating.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1, Interesting) by Anonymous Coward on Friday October 08 2021, @10:16PM
F-Droid.org is great.
(Score: 4, Touché) by looorg on Thursday October 07 2021, @12:51AM (22 children)
Auto-enroll is that new corp-speak for forcing an upgrade on their users and their account(s)? Could be awkward when I eventually try to login then. I guess this is why they harass you with that "please attach a phone number to your gmail account for security". Like as if that will ever happen.
(Score: 2) by RS3 on Thursday October 07 2021, @01:26AM (15 children)
Yeah, I don't get it. AFAIK, it's pretty easy to find out someone's phone number. And mine has changed several times over the past few years, so I'm not sure how that can be "secure".
(Score: 5, Informative) by tangomargarine on Thursday October 07 2021, @03:49AM (14 children)
The phone number isn't another password to log in; it's where they send your one-time login code or something when you use your handle+password to log in.
The point is that you need to physically have your phone in order to log in. So now when you drop your phone in the toilet you won't even be able to check your email on your desktop! :D
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Informative) by Runaway1956 on Thursday October 07 2021, @04:42AM
This is why you don't use other people's phones. You KNOW they've been using that thing while in, on, and around the shitter. Sure, they washed their hands (maybe) before leaving the bathroom - but washing hands doesn't get the phone clean!
(Score: 2) by RS3 on Thursday October 07 2021, @05:14AM (6 children)
And maybe worse, phone gets stolen, and this wonderful system thinks all is well because someone at said phone responded and bought a nice yacht.
(Score: 3, Funny) by tangomargarine on Thursday October 07 2021, @09:55AM (2 children)
<insert obligatory "$5 wrench bypass" xkcd reference here>
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Touché) by tangomargarine on Thursday October 07 2021, @09:59AM (1 child)
Actually no, that doesn't work at all. What was I trying to say? "Biometrics only encourages them to cut off your hand"?
Yeah, that.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Interesting) by RS3 on Thursday October 07 2021, @02:59PM
A coworker had a more than frustrating experience recently. A housemate had him taken to ER for "non-responsive". Turned out he was just asleep, and sleeps that deeply. He woke up in ER trying to figure out what was happening.
Anyway, they used his thumb to access his phone and he's very unhappy about that. Not sure what, if any, privacy laws might cover it. He doesn't want to sue the medical people, of course, so he's even more frustrated.
Needless to say, he does not use fingerprint or any other "biometric" ID on his phone. (are iris scans a thing yet?)
(Score: 2) by FatPhil on Friday October 08 2021, @01:05AM (2 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Interesting) by RS3 on Friday October 08 2021, @01:19AM (1 child)
Quite right. My concern is one I see too often: the absolute reliance on something. Like people with ABS, traction control, stability control, etc., in their cars, so they drive like nuts in rain, snow, ice, etc. 2FA can improve security, but it's not a panacea.
(Score: 2) by mcgrew on Friday October 08 2021, @02:38PM
...so they drive like nuts in rain, snow, ice, etc.
They drive even nuttier when the weather's nice. Safety features have nothing to do with it. Most people are just fucking STUPID. The ultimate safety feature in a car will be when cars all drive themselves and have no steering wheel, accelerator, or brake pedal. Stupid people fear self driving cars when over 90% of accidents are from human error. People are simply too stupid to be careful.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by darkfeline on Thursday October 07 2021, @08:20AM
The point of "something you have" is that someone has to rob you for it. Someone don't need to physically have your phone to login. They can easily swap your SIM without leaving their home. Hell, your phone service provider is already MITMing the one-time login code. Thus SMS OTP doesn't satisfy the second factor (although it is still a second step verification. It's nice to see terminology used correctly.)
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @01:21PM (2 children)
This has screwed a lot of discord users. Enable phone tfa, then have issues with keys or lose the phone and your account is borked.
I know of several people who have lost their account related data. It would be like being permanently locked out of your SN account after spending years posting.
Meanwhile, google demanded a phone number for gmail years ago for my account. I switched and never regretted it. The only issue is with installing that covid tracker on my phone. I borrow a friend's.
(Score: 2) by tangomargarine on Thursday October 07 2021, @05:02PM (1 child)
I don't think I've ever run across a "demand" like this that you couldn't bypass with a "maybe later" link.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by Common Joe on Thursday October 07 2021, @07:23PM
Lucky you. Google force-enrolled me a couple of years ago. There was no bypassing it. (I assume it's because they didn't approve of the brand of toothpaste I use, but who knows.)
(Score: 2) by edIII on Thursday October 07 2021, @11:39PM (1 child)
Phones are not, and never have been, secure. Before the portability act and the majority of people switching to cell phones, one would need to either hack the SS7 protocol or tap the phone line. Tapping the phone lines were incredibly easy to do. I can't remember what color the box was, but I know the specifications were in the Jolly Roger's Cookbook. Using the SS7 protocol was something that only highly skilled people working for the government probably did, not low level phreakers. However, low-level phreakers could very easily get your phone lines forwarded to another number. In the golden age of phreaking there was a lot you could do to somebody's phones.
Now that cell phones are everywhere, it is ironic that landlines are the more secure option (no SMS). Cell phones are the least secure item you have in your possession. It's trivially easy to perform a port-out attack on somebody and steal their number, even if that is temporary. SS7 attacks are more widespread these days and still occur frequently. The cell carriers and telephone companies still haven't completely mitigated those attacks and added the requisite levels of security. Then on top of all that, phone lines are now attached to devices that run operating systems. You can attack a phone remotely and then use it as the 2FA.
2FA needs to be standalone devices like Google's Titan Security Key and Yubico. Which is the same because if you look under the hood of Google's 2FA offerings it is Yubico that manufacturers it. You don't need to worry about being locked out forever for three reasons:
I use 2FA hardware keys everywhere, including the generation of long strong static passwords. All I remember is a short word or passphrase, and then the hardware key fills in the rest for me. I have that duplicated and geographically redundant. 2FA is not that hard to implement correctly, and you don't need a phone to do it. Most keys are less than $100 so it's not breaking the bank.
People need to stop using their phone immediately for security. Somebody I know just lost all of their cryptocurrency holdings with a major exchange because their phone was hacked.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 2) by mcgrew on Friday October 08 2021, @02:40PM
That's why I never do commerce on the phone. I use it to make phone calls, or if I'm in a waiting room I'll read on it.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 5, Interesting) by SomeGuy on Thursday October 07 2021, @01:42AM (4 children)
So, seriously, what is one supposed to do if they do not have a smart phone? Will they be locked out from using anything Google related such as Gmail?
(Score: 5, Informative) by EvilSS on Thursday October 07 2021, @04:08AM (1 child)
(Score: 1, Interesting) by Anonymous Coward on Thursday October 07 2021, @10:55AM
This looks like a good alternative:
https://www.indiegogo.com/projects/solo-v2-safety-net-against-phishing#/ [indiegogo.com]
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @01:04PM
(Score: 2) by digitalaudiorock on Thursday October 07 2021, @05:18PM
Maybe I'm missing something here. I have a dumb 4G LTE flip-phone and no smart phone, but I can get texts of course. Doesn't the 2 factor authentication just require getting some code via a text message?
(Score: 2) by tangomargarine on Thursday October 07 2021, @03:46AM
Hey, Microsoft tried it with Windows 10 and apparently we didn't sufficiently ruin their asshole in reprisal, so now Google is trying it, too!
And still Definitely Not Evil, Trust Us(tm)
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 4, Insightful) by SomeGuy on Thursday October 07 2021, @01:09AM (8 children)
So if you don't want a smart phone, then according to Google, you must go kill yourself.
(Score: 2) by tangomargarine on Thursday October 07 2021, @03:43AM (1 child)
These two people were killed by a blog post?
--
I'm glad that I've been clicking past those nags to link a phone number to my account for the last X years. Assuming they don't just scrape my contact list or something to get it...since your email and phone number contact lists are the same place and Android and all...
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Thursday October 07 2021, @03:52AM
oh you edited a quote with no emphasis. that's not surprising at all /s
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 5, Informative) by shortscreen on Thursday October 07 2021, @08:13AM (1 child)
They need you to buy a tracking device and keep it with you and turned on 24/7. They'll use BS schemes like this to make doing anything on the internet with your PC require a tracking device anyway, in the hope you'll just give up on the PC and use the tracking device exclusively, since it is more profitable for the corporate overlords and easier for them to monitor and control.
(Score: 3, Interesting) by Joe Desertrat on Thursday October 07 2021, @12:36PM
You can bet they will make third party apps much more difficult or impossible to use, like AT&T/Yahoo did with their email. On the rare occasions I log in online, Gmail already suggests turning off access for applications like Thunderbird to "be more secure". This new effort of theirs will force this "security" on us.
(Score: 2) by maxwell demon on Thursday October 07 2021, @08:24AM
No. I don't have an account at Google, and I can live quite fine with that. I don't have a Facebook account, Instagram account, Tiktok account or Twitter account either. And still, I don't feel the need to kill myself.
I do have an email account, which I got when gmail didn't even yet exist. Maybe gmail does have a better web interface; I don't know and I don't care since I rarely use the web interface anyway. That email account is completely unrelated to Google, and I don't expect to need a smartphone for that.
For a while, my bank exclusively used SMS for online authentication; that obviously needed a phone, but not a smartphone. Now I could authenticate with a smartphone, but I can also authenticate with a dedicated device. And I'd continue using that device even if I had a smartphone, as I feel much safer that way (for a start, I'm not normally carrying that device with me, so there's little chance of losing it or anyone stealing it; also since you can't install apps on it, or use it for anything but authentication, I expect it to be far less hackable).
I am thinking about finally getting a smartphone, but that's basically because real-life processes are increasingly designed under the assumption that everyone has one. I'll probably need an account for that; but then, if I need the account only for the smartphone, it's not really a problem if I need the smartphone in order to access it.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by darkfeline on Thursday October 07 2021, @08:25AM (1 child)
Google has been adding secure elements to their recently phones. Think Yubikey inside the phone.
I can't tell if you're being facetious or ignorant. It doesn't have to be a phone. But for the average user, it's easier to get them to upgrade their phone rather than buy a Yubikey, so if you're aiming to make 2FA widespread then putting keys inside phones is rather clever, kind of like iodizing salt.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @01:17PM
"something you have"? i think that implies that key-pair generator needs to physically happen on another device.
if we assume that the yubi-key or whatever it's called is not hackable and very smug about what it connects to and to what protocol signal it answers (usb-port, we assume), the private and public key needs to be generated on a non android/google/mobile-phone-carrier controlled environment and then physically transported (read: plugged-in) to the "un-trusted device", that is you android.
however if you trust google and android implicitly then, sure, just buy a device that has the yubi-whatever soldered to the mainboard.
if google, for you ownZ benefits looks over the processes shoulder inside the mobile phone generating the key-pair and for your own benefit makes a copy (soon to be mandated by law?) of your private key to ze clouds ...? well ...
anyways, methinks "something you have" also needs to be "removable", so that yubi-whatever-key solution needs to slot in, like a simcard or sd-card ...
(Score: 2) by looorg on Thursday October 07 2021, @01:45PM
Perhaps not that harsh. But in some regard if you don't have a google account and a google connected phone and you search on google and you watch your ads served by google etc etc then you are not a real human/customer/product (whichever applies -- one or all) and then you are not real or an income source for them so then yes they probably prefer it if you didn't exist.
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @02:09AM
They just want more Ad dollars. That all. Just being another Facebook. Get you glue all your equipment together Since you gave it them it’s ok they watch you every second. See clause #52.
(Score: 1, Interesting) by Anonymous Coward on Thursday October 07 2021, @12:28PM (1 child)
Does the second factor go thru the same SMS vendor that just announced they were hacked since 2016?
Hardware tokens seem the only second factor worth the S word.
They are plentiful in the form of chip based credit cards.
If you were actually interested in security, why not use those?
(Score: 2) by EvilSS on Friday October 08 2021, @12:17AM
(Score: 1, Insightful) by Anonymous Coward on Thursday October 07 2021, @01:10PM (2 children)
I used gmail before they were so evil. Never provided phone number. Now it nags me for birthday constantly, threatening that it's "illegal" they don't have it. Hope its just like this and not a lockout. That would lead me to no longer using gmail after giving up on the search. Great job google!
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @01:33PM
Get out now. I am locked out of google. I refused to provide a phone number to unlock it.
(Score: 2) by hendrikboom on Saturday October 09 2021, @09:38PM
I use gmail only when my regular email service is down and I need to communicate with others for help in restarting it.
That said, I get people who should know better sending me messages on gmail and wondering why I don't reply.
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @02:13PM
No wall yet, but the fence coverage is just about complete. Totally different, after all, you can see through the bars!
(Score: 0) by Anonymous Coward on Thursday October 07 2021, @08:58PM (1 child)
I am fucking sick of my smartphone and its interminable, incessant demands for my time, action, and attention at every waking (and sleeping) hour of the day.
This is not a personal computer. It is a public data urinal for every company provided access to it. I am tired of smartphones and wish for nothing more than my old 3310 for making phone calls.
(Score: 2) by Joe Desertrat on Sunday October 10 2021, @08:21PM
So keep it at home. Turn off the ringer. Check it when you are ready, not every time someone sends you a cat video. The problem isn't the phone, it's the constant contact culture that seems to have evolved from the technology.