Slashdot Mirror


Google Is Finally Making Two-Step Verification Less Annoying (theguardian.com)

Google, which first introduced two-factor authentication about five years ago, is now making the security measure a little easier to use. Instead of manually entering a code received in a text message, users will see a prompt and only need to tap on the phone to approve the login request. The feature will be available soon on Android as well as iOS. The Guardian reports: You do have to turn this service on even if you already use two-step. To turn it on you need to first login to Google and then go to My Account > Sign-in & security > Signing in to Google > 2-step Verification. There you will have options to turn on two-step verification, add Google prompt as an extra form of authentication or replace your existing two-step method. Google isn't the first to use notifications as a method of login verification, both Twitter and Facebook allow users to confirm logins using notifications from their respective smartphone apps. But even they require entering the app, viewing the alert and tapping confirm. Google's one-tap confirm is much faster.

136 comments

  1. Why would I want 2 step by Anonymous Coward · · Score: 2, Insightful

    And why on God's green earth would I want to give Google my telephone number?

    1. Re:Why would I want 2 step by Anonymous Coward · · Score: 5, Insightful

      You really think they don't have it already?

      That's... cute.

    2. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      Two-factor authentication is based on what you know (your password) and what you have (your cellphone). If script kiddies try to hack into your account by guessing your password, they will still need your cellphone before they can log into your account.

    3. Re:Why would I want 2 step by Anonymous Coward · · Score: 1

      If you use Apple or Windows Phone, you probably want to avoid it... in fact, wrap your phone in a tinfoil case, just to be safe. If you use Android..... Google already has your phone number and this just makes 2-factor authentication far easier to use with no loss in security.

    4. Re:Why would I want 2 step by JackieBrown · · Score: 2

      It's a security thing. If someone gets into my gmail account, they can reset the passwords for most of my accounts.

      With two step, even if they have the password for my gmail account, they need a random number that google sends to my phone each time I (or someone) tries to log into my account.

      My bank does this too.

    5. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      No, they absolutely don't. Maybe they have yours, but most certainly not mine.

    6. Re:Why would I want 2 step by andrewbaldwin · · Score: 1

      I understand the sentiment but do you honestly believe that they don't already have it?

    7. Re:Why would I want 2 step by Jawnn · · Score: 4, Insightful

      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

    8. Re:Why would I want 2 step by cmiller173 · · Score: 2

      Alternatively a usb token like this $6 one I use would provide a secure second factor.

    9. Re:Why would I want 2 step by Anonymous Coward · · Score: 1

      It stops people from "hacking" your account and making purchases against you. E.g. Sony do not have two-factor authentication, and people regularly find someone guessing their password (or having it logged by LAN sniffers on compromised MS Windows machines). This account is likely to have payment details stored in Sony's system, just like fleabay, Amazon, Apple et al. Naughty hacker now logs in using your PSN details, "buys" tons of games, loads them onto their console, and then reverts to their own account to play them. The account that's been compromised has no knowledge of this until they get a statement, or, if they still have access to the original email address, a notice.

      This person then tries to dispute the transactions, and Sony will say "fuck off, don't care." If you resort to reversing the charges through your bank as a fraudulent purchase, Sony will cancel your account, locking you out of everything you bought previously, and will probably remotely disable your consoles. Despite being able to see that a new console appeared against the account, and that the IP address could be thousands of miles away in a different state, country or continent, Sony will not aid you.

      Two-factor authentication will stop this criminal activity, unless they also happen to gain access to your phone. That's why "2 step" should be a legal minimum. Furthermore, it also allows you to gain control of accounts people steal. Your FB, twatter, gmail accounts might be left logged in, someone can change your password, now you're fucked. Having a phone on record allows you to reset access via a code sent to your device.

    10. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      "What you have" in the case of a text message is your cellphone number, which we've seen companies port over to the hacker's phone with enough social engineering.

      I stick to google authenticator, and avoid using the phone for browsing the web and getting it hacked.

    11. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      Don't kid yourself. If you have an Android phone they already know it.

    12. Re: Why would I want 2 step by ikejam · · Score: 3, Insightful

      Perhaps so, but do consider this: if you have, say, a hundred friends (a fair percentage of whom will be using Android) who have you in their contacts (not them in yours, which of course is under your control), it would be trivial for Google to know your contact number with a high level of certainty.

    13. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      And how exactly does it work if I do not have a cellphone?

    14. Re:Why would I want 2 step by EvilSS · · Score: 1

      > "What you have" in the case of a text message is your cellphone number, which we've seen companies port over to the hacker's phone with enough social engineering.
      >
      > I stick to google authenticator, and avoid using the phone for browsing the web and getting it hacked.

      Google Authenticator is what the article is talking about.

      --
      I browse on +1 so AC's need not respond, I won't see it.

    15. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      Real life is not facebook. Nobody has 100 friends.
      And the most Google would know is that such a number exists, not that I have it.

    16. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      > And how exactly does it work if I do not have a cellphone?

      Google recommends these security tokens in the US as an alternative.

      https://support.google.com/accounts/answer/6103523?hl=en
      https://www.amazon.com/s/?field-keywords=%22FIDO%20U2F%20Security%20Key%22

    17. Re:Why would I want 2 step by CrimsonAvenger · · Score: 3, Insightful

      I take it that a "Telephone Book" is a strange idea where you come from?

      Yes, I know they don't usually do them for cell phones, but there isn't a really good reason why the notion should be outrageous or anything....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"

    18. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      Then you are not part of the modern world and thus have no use for email.

    19. Re: Why would I want 2 step by Blymie · · Score: 1

      Call logs are the real problem though. Every call Google Play Equipped phones make, every call that comes in, Google also has a record of that.

      That, combined with other people's address book, gives them all they need.

      Not that they'll ever get my phone number Willingly either.

    20. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      Google has your number. Deny it as much as you want, but they do. :)

    21. Re: Why would I want 2 step by RavenLrD20k · · Score: 1

      Ok...how about this... Do you do business with any companies that have your name and number? Have you ever had to hire some sort of service provider for a utility or home infrastructure (i.e. plumbing, electrical, HVAC, etc.)? Have you ever placed an order for some part or device that was not kept on-site that you were required to provide a contact number for?

      No one has 100 real friends. Just about everyone in modern society has at least 100 people that maintain you on their contact list. Out of those 100+ people the chances of at least one of them using an Android based phone for their contact management is not zero. If there is one person out there with an Android device that has associated your name with a phone number, congratulations: You are now on Google's contact list under that number. You can just about guarantee that even if you don't personally use Google's services, they know your contact information. They know your employer. They know your phone number with your employer. They have a good idea of your home city, if not your exact address. They probably know your phone number. They probably know your cell phone number and what carrier it's on.

      The biggest takeaway from this is if someone wants to find out who you are, or how to contact you, there's much greater than a non-zero chance that they will. You can find out a lot about anyone without even having to acquire a Private Eye permit. All it takes is time and a reason to direct their magnifying glass over you. Welcome to modern society. Anything that makes you stand out, paints a target on your back for one group or another.

    22. Re:Why would I want 2 step by tepples · · Score: 1

      > Google recommends [FIDO] security tokens in the US as an alternative.

      The page on support.google.com says this won't work with a web browser other than Chrome, such as if I'm testing my website's "Sign in with Google" functionality on other browsers (especially Firefox, Edge, and IE 11).

    23. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      ROFL you poor tin foil hat soul. Sorry, If you use any Google service especially any phone apps, they got your phone #. :)

      Just except big data is much smarter then you.

    24. Re:Why would I want 2 step by mlts · · Score: 1

      Two step forces an attacker to go from passive harvesting to actively targeting people for attack. A list of brute forced passwords is useless against accounts that use 2FA. Without it, there is a good chance, the attacker will be able to find some accounts with the same or similar passwords.

    25. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      > Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

      Don't be naive, Google will violate any "long established regulations", with impunity, whenever they want, to advance their core ADVERTISING business.

    26. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      So you don't have any friends that have your phone number in their contacts on an Android device? All your friends dial your phone number from memory? I think you are being truly ignorant. There are dozens of ways for Google to have your phone number without you providing it to them.

    27. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      Accept! Accept!
      Speak English, troop!

    28. Re:Why would I want 2 step by Darinbob · · Score: 1

      Right. And when I get a new phone then I no longer have what I had and I can't log into Google anymore. I never turned on this feature anyway because for a very long time I explicitly disabled texts. Is there an equivalent to password resets, a "I lost my dongle" button to click?

    29. Re:Why would I want 2 step by __aaclcg7560 · · Score: 1

      > And when I get a new phone then I no longer have what I had and I can't log into Google anymore.

      Get a new phone, change your set up. Shouldn't be an impossible situation. Unless, of course, you have a problem with change.

      > I never turned on this feature anyway because for a very long time I explicitly disabled texts.

      I was the same way until I got a data plan that provided unlimited texts.

    30. Re:Why would I want 2 step by Stan92057 · · Score: 1

      You do realize their is a difference is giving your phone number to someone as apposed to them having it because someone else gave it to them?

      --
      Jack of all trades, master of none

    31. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      So, you do not work, live on a park bench, and communicate through pigeon. Cool story bro.

    32. Re:Why would I want 2 step by Jawnn · · Score: 2

      > > Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.
      >
      > Don't be naive, Google will violate any "long established regulations", with impunity, whenever they want, to advance their core ADVERTISING business.

      [citation needed]
      How has Google run afoul of regulations governing mobile or wireline telephony? Right. They haven't. Given that they're Google, if they were going to behave in the manner you fear, they would have done so by now. They have not and they will not because there's nowhere near enough profit in telephony efforts compared to what they are already squeezing out of search, Android, Chrome, etc.

    33. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      Sounds like you need either:

      1. A test account without 2FA (duh)
      2. A mobile phone or Google Authenticator app (duh)

    34. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      Autism harder, bro.

    35. Re:Why would I want 2 step by jbmartin6 · · Score: 1

      Isn't it just an app you install on the smartphone? No telephone number involved. You could get an affordable Android phone and only use it with wi-fi.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    36. Re:Why would I want 2 step by thegarbz · · Score: 1

      So you don't know anyone then? I know with 100% certainty that Google knows the phone number of every contact I've ever put in my phone and it's attached to their name and their most common email address, and all with zero option to opt in or out on their behalf.

      That is a feature of Android as it is the feature of any messaging app, contacts organisers (gmail), or social media apps Google has ever released.

      They know your number. Get over it.

    37. Re:Why would I want 2 step by ceoyoyo · · Score: 1

      In addition to the other suggestions, Google uses a standard two-factor encryption protocol. You should be able to use any device, including a Desktop computer, that can run that code. I know there's a Python library.

    38. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      Are you one of those weird people who doesn't port their phone number when they change phones? Or in a country where you can't?

      Even so, Google has a "backup code" list that you can keep in your wallet or wherever, ten one-time-use codes that you can instantly expire should the sheet you print it on be compromised.

    39. Re:Why would I want 2 step by bickerdyke · · Score: 1

      Two words: Password recovery.

      Google forums are full of "clever" people who went from

      > And why on God's green earth would I want to give Google my telephone number?

      to "why can't Google just text me a new password to my cell" without any transition....

      --
      bickerdyke

    40. Re:Why would I want 2 step by bickerdyke · · Score: 1

      There are emergency codes you print out and keep in a safe place in case you lose your phone. Or you can keep one of the fido tokens mentioned before as a spare, in case you lose your phone.

      And two-factor runs completely without text messages if you use an app to generate the otp. It's a standard algorithm and it can work completely offline.

      --
      bickerdyke

    41. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      > You do realize their is a difference is giving your phone number to someone as apposed to them having it because someone else gave it to them?

      You do realize there is a difference between their, they're, and there, yes?

    42. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      For the benefit of knowing that if some hacker pulls your password off a Heartbleed vulnerability your account is still secure. That is worth a lot to me.

    43. Re:Why would I want 2 step by Nunya666 · · Score: 1

      > And how exactly does it work if I do not have a cellphone?

      You're funny. Someone on /. that doesn't have a cellphone. Yeah, right!

    44. Re: Why would I want 2 step by allo · · Score: 1

      Nope, they do not transfer call logs to their servers. If they do, it would be rather new and a reason to sue them.

    45. Re:Why would I want 2 step by Anonymous Coward · · Score: 0

      As well as the emergency codes, which have already been pointed out, you can also enter a backup number. I have my home number set as a backup, so should I lose my phone I can get the code sent to that.

    46. Re:Why would I want 2 step by Xicor · · Score: 1

      if you are on android they do....

    47. Re: Why would I want 2 step by Anonymous Coward · · Score: 0

      I beg to differ. I am a Mormon and have literally hundreds of friends through my years in the church. I imagine there are other churches that have similarly high participation rates, and a large, close-knit community that would demonstrate the same phenomenon.

  2. I am not sure this is an improvement by Anonymous Coward · · Score: 5, Interesting

    I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

    1. Re:I am not sure this is an improvement by Anonymous Coward · · Score: 0

      Isn't this authentication necessary just for the Google services (which as far as I'm aware are all online)?

      Anyhow, Blizzard recently rolled out a similar one-tap authentication for their games.

    2. Re:I am not sure this is an improvement by gmack · · Score: 2

      For cases like that, you can get a U2F key. It is a USB dongle so no internet connection required.

    3. Re:I am not sure this is an improvement by Anonymous Coward · · Score: 0

      Google Authenticator didn't need an internet connection to give you codes as long as the phone's date/time is correct.

    4. Re:I am not sure this is an improvement by GIL_Dude · · Score: 4, Informative

      So, this is an improvement because it is just one step of the process. If it fails (due to the no data connection issue you mention), you just click to use another method and it fails back to the previous text message option. So no real downside on that count. The biggest drawback I have hit with it is that Google won't let you use both this new method and a hardware security key (I was using a Yubikey). You have to remove the hardware security key from your account in order to add this new method. That's really a bummer because the hardware keys didn't rely on your phone at all. You just have a small USB key that you pop into the computer and press a button when prompted.

    5. Re:I am not sure this is an improvement by AmiMoJo · · Score: 1

      I would assume that the code entry option remains as a backup should you be unable to get a data connection.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    6. Re:I am not sure this is an improvement by EvilSS · · Score: 1

      > I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Why do you think the app won't also give you a code if you need it because you are offline? Blizzard, Microsoft (on Android, they use Google Auth or Authy on iOS weirdly enough), and LastPass all have push auth requests but give you the option to manually input the code if you need to. I'm sure Google will as well.

      --
      I browse on +1 so AC's need not respond, I won't see it.

    7. Re:I am not sure this is an improvement by RevRagnarok · · Score: 1

      Since they allow paper backups, I would assume you could still use the numbers... (disclaimer: haven't RTFA yet)

      --
      I should put something clever here. Maybe someday.

    8. Re:I am not sure this is an improvement by cyn1c77 · · Score: 1

      > I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Google is actually letting you choose from several different methods including "tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs...

  3. Easier than that by Anonymous Coward · · Score: 0

    Don't use Google's stuff. Problem solved.

  4. Oh joy - more clickthrough. by ErikTheRed · · Score: 0

    Let's face it: the IT industry has, intentionally or otherwise, pretty much trained users to just robotically click "Yes" and "I Accept" on eight trillion things they don't understand. And now we will have eight trillion and one, and security will be worse for it.

    --

    Help save the critically endangered Blue Iguana

    1. Re:Oh joy - more clickthrough. by __aaclcg7560 · · Score: 1

      That's not the IT industry, it's the software industry. The IT industry, of course, doesn't allow users to install software willy-nilly, especially if downloaded off the Internet and mindlessly clicking "Yes"/"I Accept" everything.

    2. Re:Oh joy - more clickthrough. by Anonymous Coward · · Score: 1

      The point of this form of two-step authentication is that you prove that you have physical possession of the cellphone associated with the account in addition to the password for the account. Having to manually enter a code does not provide any additional security over tapping on the phone - you either have the phone or you don't. So you might as well do it in the most convenient way possible.

    3. Re:Oh joy - more clickthrough. by Qzukk · · Score: 4, Insightful

      But how else am i going to watch tits.avi.scr.js.jpg.exe.com if I don't click Allow?!

      BTW, how many more versions of Windows will continue to "hide extensions for known file types"?

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.

    4. Re:Oh joy - more clickthrough. by __aaclcg7560 · · Score: 2

      > BTW, how many more versions of Windows will continue to "hide extensions for known file types"?

      I don't expect that to change in any future version of Windows. Here's a link to fix your problem.

      http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions

    5. Re:Oh joy - more clickthrough. by Anonymous Coward · · Score: 0

      I never click a random button unless it says (recommended) next to it.

    6. Re:Oh joy - more clickthrough. by friedmud · · Score: 3, Insightful

      While I think this is a good idea... I can kind of understand what he's saying.

      Imagine this:

      1. Bad guys steal password
      2. Bad guys go to gmail.com and enter password
      3. Good guy receives notification that approval is needed for a login
      4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

      That scenario couldn't happen with a pin code being sent... because the Bad guys would not receive the pin code and the Good guy wouldn't have anywhere to enter the pin code...

      I agree that it's pretty boneheaded... but the point of the parent is that we're all so used to clicking OK/Approve (and we REALLY will be if every website requires this kind of authentication) that many normal people might accidentally click Approve for bad requests...

    7. Re:Oh joy - more clickthrough. by Ash-Fox · · Score: 2

      > 4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

      You have to unlock the phone first...

      --
      Change is certain; progress is not obligatory.

    8. Re:Oh joy - more clickthrough. by thegarbz · · Score: 1

      > BTW, how many more versions of Windows will continue to "hide extensions for known file types"?

      Before you complain about this ask yourself:
      1) Did people know what a filetype was?
      2) Did the rate of success for these attacks change dramatically as a result?

      The most common infection vector for these types of files does NOT go through Windows Explorer. They are downloads complete with a box asking if you want to open the file, or email attachments which show the file name in full. People were fooled before, people will continue to be fooled, and hiding or showing the file extension in an operating system doesn't change this one bit.

    9. Re:Oh joy - more clickthrough. by friedmud · · Score: 1

      You don't when using Duo at least...

  5. A Google App? by Toad-san · · Score: 0, Offtopic

    And how long do you think it'll take for the Bad Guys [tm] to invent their own "one-tap app", that will look and act exactly like Google's .. or worse, will be phished or sneaked into your system without your knowing, will act like your phone, and will transmit everything it discovers to its real owners? Lessee, what is today .. Tuesday?

    1. Re:A Google App? by cryptizard · · Score: 3, Insightful

      I'm not sure you understand what this does. You might as well say how long do you think it will take for someone to make a fake Gmail app that steals your Google password? Or any other service for that matter? It is a completely orthogonal question to this topic.

  6. Perhaps I'm the only one by 93+Escort+Wagon · · Score: 4, Insightful

    But I don't find SMS two-factor to be particularly burdensome. It's simple, it works, and it relies only on a de-facto standard method of communication that pretty much everyone already has access to - no vendor lock-in required.

    --
    #DeleteChrome

    1. Re:Perhaps I'm the only one by Anonymous Coward · · Score: 0

      Using TOTP instead of SMS is even better. It requires no communication at all. So you could be literally sitting in a Faraday cage that has a computer and ethernet cable, and still be able to log in to your email.

    2. Re:Perhaps I'm the only one by Anonymous Coward · · Score: 0

      > I don't find SMS two-factor to be particularly burdensome

      I do. This year I spent my vacation on a boat. No phone signals. But, at the top of the mast was a 4G dongle, so we had fast WiFi on board.

      This summer, I'll spend two weeks in another remote location with little/no phone coverage - but plenty of wifi hotspots.

      How do I access my email if I have WiFi, but no phone coverage to receive SMS?

      At least I'll be able to get into GitHub - they let you use your preferred TOTP software on your own device. No SMS.

    3. Re:Perhaps I'm the only one by Anonymous Coward · · Score: 0

      SMS is easily exploitable, with people able to redirect where the SMS messages go

    4. Re:Perhaps I'm the only one by NotInHere · · Score: 1

      My main problem with SMS two factor is that in order to do it, I need to tell them my phone number. This gives the service a unique ID.

      I much prefer a yubikey based solution, where the protocol is open and one can implement whatever one wants on the client side (including an app where you have to tap, or a USB stick you have to put into the computer, etc).

    5. Re:Perhaps I'm the only one by cryptizard · · Score: 1

      Get a Yubikey or other Universal 2 Factor device. Amazon has one for $6.

    6. Re:Perhaps I'm the only one by AmiMoJo · · Score: 1

      Cost is a problem. SMS is insanely expensive for what it is, and millions of users generating millions of SMS messages a day adds up to a lot of money. It also has issues traversing borders and networks, which can end up costing you a lot of money if you receive texts while roaming abroad.

      The rolling code system laid out in the RFC that Google implemented has none of those disadvantages, and the added advantage that it doesn't rely on the mobile network securing your message against eavesdropping. You also don't have to give your phone number to the service provider you are logging in to.

      There is no vendor lock-in with rolling codes either, it's an open standard (RFC 6238) and there are multiple open implementations available on most platforms. You don't have to use Google's app.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Perhaps I'm the only one by EvilSS · · Score: 1

      > > I don't find SMS two-factor to be particularly burdensome
      >
      > I do. This year I spent my vacation on a boat. No phone signals. But, at the top of the mast was a 4G dongle, so we had fast WiFi on board.
      >
      > This summer, I'll spend two weeks in another remote location with little/no phone coverage - but plenty of wifi hotspots.
      >
      > How do I access my email if I have WiFi, but no phone coverage to receive SMS?
      >
      > At least I'll be able to get into GitHub - they let you use your preferred TOTP software on your own device. No SMS.

      You use the authenticator app and use the code it gives you and enter it manually. Jesus this isn't an either/or. Every other push-auth app out there does this.

      --
      I browse on +1 so AC's need not respond, I won't see it.

    8. Re:Perhaps I'm the only one by Anonymous Coward · · Score: 0

      Well, actually, people have bypassed sms auth by social engineering the phone companies:

      https://www.wired.com/2016/06/deray-twitter-hack-2-factor-isnt-enough/

    9. Re:Perhaps I'm the only one by Solandri · · Score: 1

      SMS is notoriously insecure. The encryption is only between the phone and the tower. A hacker could potentially intercept the message anywhere else along the transmission route. To truly be secure, it has to be end-to-end encryption, like SSL on websites. Apple sort of has the right idea with iMessage, except they manage the end-to-end keys themselves so they (or a hacker who breaks into their servers) could potentially read your messages. It needs to be done using keys generated and stored only on the endpoint device. (Which has the obvious drawback of past messages becoming unreadable if you lose your device. The keys should be backed up onto another personal device, but because people are lazy/foolish/ignorant Apple decided to back it up on their servers.)

      And even end-to-end encryption isn't completely secure. There are apps out there which when installed on your phone will surreptitiously forward a copy of all your text messages to someone else. Likewise, if you lose your phone (unheard of I know, but it happens) your security is blown. In particular, for people with Android phones, 2FA for Google accounts via SMS is just 1FA. If a thief steals your phone, it's already got access to your Google accounts. And now they're going to 2FA validate you're you by sending a text to the phone in the thief's possession?

      This is the same reason I switched from Google's Authenticator 2FA app to Authy. Authenticator just runs - it assumes your phone is secure and always in your possession. Yes you can and should put a password on your phone, but sometimes you do hand your phone unlocked to other people so they can use it, or a thief can steal it from your hands while it's unlocked and you're using it. Authy at least requires you to enter a PIN or password each time you use it.

    10. Re:Perhaps I'm the only one by Bengie · · Score: 1

      Too bad it's not secure. SMS is easily intercepted because the telecom systems have no authentication. Lots of stories about SMS and phone call trivial interception have hit the tech news over the years.

    11. Re: Perhaps I'm the only one by Anonymous Coward · · Score: 0

      If it's on an Ethernet connection then that defeats the whole purpose of a faraday cage now doesn't it?

    12. Re:Perhaps I'm the only one by crashumbc · · Score: 1

      ^^ this

      And Google give you back-up codes to use, you do have them right?

    13. Re:Perhaps I'm the only one by crashumbc · · Score: 2

      True, but how often does THAT happen? Just like locks on your door, 2FA isn't meant to be the holy grail. It's just another layer of security and a very formidable one at that.

    14. Re:Perhaps I'm the only one by alvarogmj · · Score: 1

      I understand the concern, but if your phone gets stolen, the thief will only have one of the pieces, right? They'd still need the actual password for the account.

    15. Re: Perhaps I'm the only one by Anonymous Coward · · Score: 0

      Not necessarily. It prevents unintentional electromagnet emissions (e.g., side channels) from causing harm.

    16. Re:Perhaps I'm the only one by Threni · · Score: 1

      If you're using android (on a phone) then they have your mobile number. I think you need a phone number to sign up for any google service, don't you?

    17. Re:Perhaps I'm the only one by thegarbz · · Score: 2

      Maybe there's something I don't understand here because I grew up in a world where there was such a thing as a phone book which listed everyone's number, but ... do you really think Google doesn't already have your phone number?

    18. Re:Perhaps I'm the only one by ceoyoyo · · Score: 1

      Google's authenticator is just a front end for a standard two-factor scheme. It's simple, it works, it relies on an actual standard, and pretty much anyone who has access to a computing device, including a cheap dongle, can use it, on or off line. Plus it doesn't involve your phone company.

      The encryption-based second factor is also good because anyone can implement it, for free, from random Slashdotter in his basement on up. Actually, anyone can use Google's authenticator app. Apparently even Microsoft recommends it for their second factor.

    19. Re:Perhaps I'm the only one by ceoyoyo · · Score: 1

      "You don't have to use Google's app."

      Even better, you CAN use Google's app. I'm looking into implementing secure authentication for a small project at work but I wasn't looking forward to having to write an app just for that. A bit of research and it turns out that I can just ask the end users to download Google's authenticator, Authy, or any of a bunch of apps, dongles, etc.

    20. Re:Perhaps I'm the only one by AmiMoJo · · Score: 1

      I wish RDP supported two factor auth.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:Perhaps I'm the only one by sabbede · · Score: 1

      I don't like having to retype the code, and if I don't get it while the notification is showing, I have to tap my phone up to THREE WHOLE TIMES to open it in the messaging app!

      Oh, okay, it's not that big a hassle. It's only slightly more convenient, but I still like that. The Microsoft Authenticator already works that way (and is compatible with anything that can use the Google Authenticator), and I've found that it feels much faster and easier, even if the actual difference is pretty minor.

  7. Late to the party by Anonymous Coward · · Score: 0

    LOL, Microsoft has been doing this for a long time already.

    1. Re:Late to the party by Jawnn · · Score: 1

      LOL, Microsoft has been doing this for a long time already.

      So has Duo Security. I wonder what this move by Google will do to their business model.

    2. Re:Late to the party by friedmud · · Score: 1

      Duo's solution is awesome... even works perfectly with my Apple Watch! When I try to sign on to a website using Duo I get a message on my Watch that allows me to immediately approve the access... without getting out my phone or fumbling for a key-fob.

      Can't wait to see this in action in other places! Hopefully Google will add this capability to Authenticator...

  8. Why in hell would I want this? by Anonymous Coward · · Score: 0

    I've already enabled 2factor on my Google Accounts, yet I don't have a smart phone so what use is this? Hell, all they now need is to get hold of your smart phone and steal not only your Gmail but any accounts that use it for the reset pw's. Once they've got that, you're screwed, blued and tattooed in hot pink/lime/dayglo orange just to make sure they remember who they've already pawned.

    I'll stick with the simple text message and enter it into the website instead of allowing my phone to simply be tapped to confirm. This way, I have the possibility of preventing any changes as I get the request.

    1. Re:Why in hell would I want this? by cryptizard · · Score: 1

      Ok, but if they get your phone they can still read the SMS messages so the attack is exactly the same...

    2. Re:Why in hell would I want this? by NotInHere · · Score: 1

      Simple: get a new email address only used for "important" logins: emails, domain names, everything important to you.

      Then stash the login credentials for that one away in a safe or something and hope the provider doesn't delete it because you almost don't use it.

    3. Re:Why in hell would I want this? by Ash-Fox · · Score: 1

      Hell all they now need is to get hold of your smart phone

      Oh, how will you unlock it?

      steal not only your Gmail

      I have a Google account, but I don't have gmail.

      I'll stick with the simple text message and enter it into the website instead of allowing my phone to simply be tapped to confirm.

      If my e-mail is somehow compromised regardless, I could unplug the server?

      --
      Change is certain; progress is not obligatory.
  9. About time by Anonymous Coward · · Score: 0

    Air Droid has had this for a while...

  10. Google Authenticator by pauljlucas · · Score: 1

    Does Google allow you to use Google Authenticator?

    --
    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
    1. Re:Google Authenticator by EvilSS · · Score: 2

      No, obviously not.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  11. Requires data by ubergeek65536 · · Score: 3, Interesting

    It's useless if you don't have a data plan on your phone.

    1. Re:Requires data by Anonymous Coward · · Score: 0

      Which is why it is one of many options Google provides for 2-factor authentication:
      • Code by voice message (requires phone service)
      • Code by text (requires texting service)
      • Code from (Google) Authenticator (requires smartphone/tablet with authenticator app, can run offline)
      • Security Key (requires USB dongle, can run offline)
      • Yes/No prompt from Google Prompt (requires data service and Android device, iOS device soon)

      You can choose which one(s) to use based on your device capabilities and desired convenience level.

    2. Re:Requires data by cyn1c77 · · Score: 1

      It's useless if you don't have a data plan on your phone.

      Google is actually letting you choose from several different methods including " tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs...

    3. Re:Requires data by thegarbz · · Score: 1

      It's useless if you don't have a data plan on your phone.

      That depends. I find every situation where I am able to access the internet on a PC I'm usually in range of free WiFi too.

      Not to mention that the fallback of SMS still exists.

    4. Re:Requires data by Anonymous Coward · · Score: 0

      Erm, the page you linked to says, literally:

      A data connection is required to use Google prompt.

      (which is unsurprising - how else would you expect it to work?)

      It's true that the old mechanism (sending you a secondary password as a text message) does not require a data plan. That's not what this article is about.

  12. Wont this be slower and more cumbersome? by Anonymous Coward · · Score: 0

    Previously I could read the auth code off of my home screen and type it in.

    If I enable this I will have to:
    1) enter my 6 digit pin number to unlock my phone.
    2) Pull down the notifications bar.
    3) Pull down again to expand the notifications / scroll through them.
    4) Tap the notification
    5) Tap 'Yes/Accept'
    6) Lock Phone

    Your Android steps may differ (I'm running custom cyanogenmod) and haven't tested it yet. I think I'll stick to Read, Swipe, and Type.

  13. Worse security by WPIDalamar · · Score: 4, Insightful

    This is probably way worse security for the techno-illiterate.

    Attacker enters password.
    Clueless user gets notification, taps it.
    Attacker is let in.

    Whereas before it would be:

    Attacker enters password.
    Clueless user gets a number that they don't know what to do with
    Attacker is not let in.

    1. Re:Worse security by EvilSS · · Score: 1

      To be fair, the moron in your scenario probably won't turn on 2-factor to begin with since it's required or enabled by default.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    2. Re:Worse security by Anonymous Coward · · Score: 0

      Good thing it's turned off by default so the techno-illiterate will never have any idea it exists.

    3. Re:Worse security by Anonymous Coward · · Score: 0

      Yup. This is a real problem for me. I'm a Google Apps for Work admin with 2FA enforced on my domain and, so far, there isn't any way to disable this mechanism.

      I don't want my users to even have this option, precisely because of the scenario you just described.

  14. Obstacle by Vlijmen+Fileer · · Score: 2

    Ah yes.
    That obstacle to logging in, making it impossible to access Google services if you do not carry your phone, lost it, it got stolen, the battery is empty, it crashed, it's out of coverage area.
    Not sure how that can be made "less annoying".

  15. Will it turn on the phone's flash? by Anonymous Coward · · Score: 0

    Will it turn on the phone's flash to see the FUCKING KEYBOARD? Google wants everything BRIGHT FUCKING WHITE instead of dark. C'mon Google, why is a dark theme for your Google Authenticator like a suppository you won't cram up your ass?

    1. Re:Will it turn on the phone's flash? by mlts · · Score: 1

      There are more than just Google's app for authentication. Amazon has similar, and there are a number of third party alternatives, some with dark themes.

  16. Wish this standard were open... by mlts · · Score: 1

    Blizzard has similar functionality where the app will look at queued login attempts and ask for approval. Before that, it was IBM's ZTIC which was one of the first 2FA systems which did this.

    I wish this were open source, just like TOTP is right now. I use a third party application that allows me to sync my 2FA codes (encrypted, of course) among my devices, including my Linux boxes, and my NAS machines. Having the ability to just tap "approve" for SSH connections would be nice, but it likely would require more moving parts outside my LAN, which could make things less secure.

    1. Re:Wish this standard were open... by Ash-Fox · · Score: 1

      I wish this were open source

      It is open source, https://github.com/google/goog...

      --
      Change is certain; progress is not obligatory.
  17. Nobody has a hundred friends? by maggard · · Score: 4, Insightful

    I do. I'm nearly 50 years old, have lived in several places, have worked at a number of jobs over the years, had multiple romantic relationships in my life. I've made friends every year, in all of those places, through many diverse ways. Are all of the folks I've friended currently on my short list? No. But that list of a dozen close friends has evolved over time with new ones entering and others dropping off as we move about, go through various stages of life, some have died, etc. But they have my phone number. I have theirs. I may also have their closest friends or family members phone numbers. That adds up to well over a hundred people. And while I'm social I'm nobody compared to some of the butterflies I know. More than two people for every year of life? Those gregarious folks get, and use, that many numbers in a night on the town. No, for most of us non-hermetic folks I'd guess a hundred friends or more is entirely unsurprising.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  18. Security Keys by Anonymous Coward · · Score: 0

    There is another option, which is the FIDO U2F Authenticator, which Google calls a Security Key. While not flawless (see below) it provides much better security than SMS based authentication and is designed from the ground up to protect privacy.

    The Security Key is really the right solution to solving the second factor problems as it is based on public key crypto and incorporates additional security mechanisms (TLS Channel and Web Origin are included in the signature) that make the authentication not phishable.

    The biggest flaw right now to the problem is adoption, Chrome is the only browser that currently supports it and NFC is just getting started so mobile support is lacking. However, if your setup lends itself to a security key solution then you will benefit greatly from the configuration.
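
    A small added illustration of the origin-binding point above, in Go (example code, not from Google, the FIDO spec or any poster here): the key signs SHA-256(appId) || user-presence byte || counter || SHA-256(clientData), and the clientData the browser builds names the origin the page was really loaded from, so a response produced on a look-alike site does not verify at the real one. Registration, key handles and the attestation certificate are left out, and the origins and challenge are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what the browser records for a request: operation, the site's
// challenge and the origin the page is really on (a phishing page cannot set it).
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedBytes builds the U2F authentication message:
// SHA-256(appId) || user-presence byte || 4-byte big-endian counter || SHA-256(clientData).
func signedBytes(appID string, counter uint32, cd []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	chal := sha256.Sum256(cd)
	msg := append(app[:], 0x01) // 0x01: the key's button was touched
	msg = append(msg, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}

// authenticate models the browser and the key on the origin the user is visiting.
func authenticate(key *ecdsa.PrivateKey, appID, origin, challenge string, counter uint32) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: challenge, Origin: origin})
	digest := sha256.Sum256(signedBytes(appID, counter, cd))
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return cd, sig, err
}

// verify is the relying party: it checks the origin and challenge recorded in
// clientData, then the signature over a message that includes that clientData.
func verify(pub *ecdsa.PublicKey, appID, origin, challenge string, counter uint32, cd, sig []byte) bool {
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin || got.Challenge != challenge {
		return false
	}
	digest := sha256.Sum256(signedBytes(appID, counter, cd))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// demo runs a genuine login and one relayed from a look-alike origin; returns both verdicts.
func demo() (genuine, lookalike bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	const site = "https://accounts.example.com" // constructed relying party
	cd, sig, _ := authenticate(key, site, site, "challenge-1", 7)
	genuine = verify(&key.PublicKey, site, site, "challenge-1", 7, cd, sig)
	// Same key and challenge, but the browser was on a constructed look-alike
	// origin, so the recorded origin no longer matches the real site.
	cd2, sig2, _ := authenticate(key, site, "https://accounts-example.com", "challenge-1", 8)
	lookalike = verify(&key.PublicKey, site, site, "challenge-1", 8, cd2, sig2)
	return genuine, lookalike
}

func main() {
	g, l := demo()
	fmt.Println("genuine login verifies:", g, "| look-alike response verifies:", l)
}
```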

  19. Awesome With Smart Watches! by friedmud · · Score: 1

    If they implement this properly it will be awesome with smartwatches!

    My school uses 2FA through a company called Duo and anytime I go to log in to a school website a notification pops up on my Apple Watch and I just need to touch "Approve" and I'm in. No fumbling for my phone or a key-fob... it's instant and convenient... takes all of the pain out of 2FA.

    1. Re:Awesome With Smart Watches! by viperidaenz · · Score: 1

      This requires your phone to have been recently unlocked, so you can't just steal someone's phone. If it hasn't been recently unlocked, it makes you enter your unlock code.

    2. Re: Awesome With Smart Watches! by friedmud · · Score: 1

      Not that I can tell... do you have some documentation stating that?

  20. You still need a phone for this? by Anonymous Coward · · Score: 0

    I don't have a phone! Can't you buy some rolling key fob somewhere and register the code with them?

    1. Re:You still need a phone for this? by Ash-Fox · · Score: 1

      I don't have a phone! Can't you buy some rolling key fob somewhere and register the code with them?

      Yes, you can use the FIDO Universal 2nd Factor (U2F) fob.

      --
      Change is certain; progress is not obligatory.
  21. How could they? by HalAtWork · · Score: 1

    I have no phone!

    1. Re:How could they? by Ash-Fox · · Score: 1

      I have no phone!

      Use your tablet!

      --
      Change is certain; progress is not obligatory.
    2. Re:How could they? by HalAtWork · · Score: 1

      No sim card... Or do you mean I should get a hangouts phone number and get SMS that way? That kinda puts me in a weird authentication loop

    3. Re:How could they? by Ash-Fox · · Score: 1

      You can run the Google Authenticator app instead of SMS.

      --
      Change is certain; progress is not obligatory.
    4. Re:How could they? by HalAtWork · · Score: 1

      Oh :) Thanks, never looked into it, I will now! Hope that will stop them asking me to enter a phone number about every 10 times I log into the web client.

    5. Re:How could they? by Anonymous Coward · · Score: 0

      Or better, use a neutral app like Authy which also does TOTP and can handle Amazon, Google, DNSMadeEasy, GitHub and lots of other accounts without needing to install unique snowflake applications for each account provider.

      It really sucks that Steam and Microsoft both insist on rolling their own flavor instead of supporting TOTP.

  22. Do not want by scdeimos · · Score: 1

    Thank goodness it's optional. I'll stick with the existing 2-factor authentication via SMS, thanks:
    • Existing 2-factor authentication can work with any old dumb phone
    • New 2-factor authentication requires a tablet or smartphone with a data connection *and* it requires you to install the Google Search app (which will no doubt be reporting back to Googs on your every action).

    1. Re:Do not want by Anonymous Coward · · Score: 0

      Existing 2FA can also work without a data connection since Google uses TOTP. You don't have to use Google's app to enable 2FA with Google accounts, you can use any application (e.g. Authy) that implements TOTP.

  23. Slashdot is finally hearing about old news by viperidaenz · · Score: 1

    I've been doing this for months. I'm sure the service has been available for much longer.

  24. I want this for servers by allo · · Score: 1

    But without google.

    Something like an android app and some web service coupled with a pam module. The login prompt then displays a number, the app displays the number as well and I can accept the login from the app with a single tap. Fallback to normal google authenticator.

  25. Software alternative: OTP by DrYak · · Score: 1

    Another alternative is to use TOTP (Time-derived One-time password):
    an ever changing code that is based on a hash, computed out of the current time (hence the ever changing) and a shared secret that only you and google know.

    Only someone possessing the shared secret can compute the correct code for that time.
    The secret itself is never sent on the wire, only the current-time code derived from the secret is.

    You can find apps running on tons of other hardware if you don't own an Android nor an iPhone (or simply don't want to give that phone number to google).

    You could even build your own, using an Arduino, an LCD display and some means to get accurate(-ish enough*) time (e.g.: GPS chip or a DCF77 receiver if you're in Europe, or an RDS FM radio receiver, or extract it from TV broadcast, etc.)

    TOTP is supported as a two-factor standard at lots of other companies (Facebook has it as a possibility, nearly every bitcoin-related website I've seen has it, Microsoft too, etc.)

    (*) - a new code gets generated every 30 seconds, and some server-side implementations also compare against the past couple of codes.
    So your clock doesn't necessarily need to be that precise.

    You could get the time from your wrist watch if you don't have any time source.

    Or you could run the TOTP *on* the wrist watch if yours happens to be programmable (e.g.: Pebble).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
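
    As an added worked example of the scheme DrYak describes, in Go (example code, not his or Google's): HMAC-SHA1 over the 30-second step counter, dynamic truncation to 6 digits, and the server-side check that also accepts the previous couple of codes so a slightly slow clock still works. The secret is the RFC 6238 test-vector key, used here as a constructed value; a real one comes from the enrolment QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpStep is the RFC 6238 default: a fresh code every 30 seconds.
const totpStep = 30

// totpAt returns the 6-digit code for one time-step counter: HMAC-SHA1 of the
// big-endian counter under the shared secret, then RFC 4226 dynamic truncation
// (low nibble of the last byte picks a 4-byte window, sign bit masked, mod 10^6).
func totpAt(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totpNow is what the client device (phone, Arduino, watch) shows right now.
func totpNow(secret []byte, now time.Time) string {
	return totpAt(secret, uint64(now.Unix())/totpStep)
}

// verifyTOTP is the server side. The submitted code is accepted if it matches
// the current step or any of the previous backSteps steps, so a client clock
// that runs a little slow still works. The compare is constant-time so the
// server does not leak how many digits were right.
func verifyTOTP(secret []byte, submitted string, now time.Time, backSteps uint64) bool {
	cur := uint64(now.Unix()) / totpStep
	for i := uint64(0); i <= backSteps && i <= cur; i++ {
		if hmac.Equal([]byte(totpAt(secret, cur-i)), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed shared secret (the RFC 6238 test-vector key).
	secret := []byte("12345678901234567890")
	now := time.Now()
	code := totpNow(secret, now)
	fmt.Println("code now:        ", code)
	fmt.Println("accepted now:    ", verifyTOTP(secret, code, now, 2))
	// Two steps later the same code is still inside the 2-step window...
	fmt.Println("accepted +60 s:  ", verifyTOTP(secret, code, now.Add(60*time.Second), 2))
	// ...but four steps later it is stale and rejected.
	fmt.Println("accepted +120 s: ", verifyTOTP(secret, code, now.Add(120*time.Second), 2))
}
```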