Slashdot Mirror


Google Is Finally Making Two-Step Verification Less Annoying (theguardian.com)

Google, which first introduced two-factor authentication about five years ago, is now making it a little easier to use this security measure. Instead of users having to manually enter a code that they received in a text message, they will now see a prompt that only requires them to tap on the phone to approve login requests. The feature will be available on Android as well as iOS soon. The Guardian reports: You do have to turn this service on even if you already use two-step. To turn it on you need to first log in to Google and then go to My Account > Sign-in & security > Signing in to Google > 2-step Verification. There you will have options to turn on two-step verification, add Google prompt as an extra form of authentication or replace your existing two-step method. Google isn't the first to use notifications as a method of login verification; both Twitter and Facebook allow users to confirm logins using notifications from their respective smartphone apps. But even they require entering the app, viewing the alert and tapping confirm. Google's one-tap confirm is much faster.

91 of 136 comments

  1. Why would I want 2 step by Anonymous Coward · · Score: 2, Insightful

    And why on God's green earth would I want to give Google my telephone number?

    1. Re:Why would I want 2 step by Anonymous Coward · · Score: 5, Insightful

      You really think they don't have it already?

      That's... cute.

    2. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      Two-factor authentication is based on what you know (your password) and what you have (your cellphone). If script kiddies try to hack into your account by guessing your password, they will still need your cellphone before they can log into your account.

    3. Re:Why would I want 2 step by Anonymous Coward · · Score: 1

      If you use Apple or Windows Phone, you probably want to avoid it... in fact, wrap your phone in a tinfoil case, just to be safe. If you use Android..... Google already has your phone number and this just makes 2-factor authentication far easier to use with no loss in security.

    4. Re:Why would I want 2 step by JackieBrown · · Score: 2

      It's a security thing. If someone gets into my gmail account, they can reset the passwords for most of my accounts.

      With two step, even if they have the password for my gmail account, they need a random number that Google sends to my phone each time I (or someone) tries to log into my account.

      My bank does this too.

    5. Re:Why would I want 2 step by andrewbaldwin · · Score: 1

      I understand the sentiment but do you honestly believe that they don't already have it?

    6. Re:Why would I want 2 step by Jawnn · · Score: 4, Insightful

      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

    7. Re:Why would I want 2 step by cmiller173 · · Score: 2

      Alternatively a usb token like this $6 one I use would provide a secure second factor.

    8. Re:Why would I want 2 step by Anonymous Coward · · Score: 1

      It stops people from "hacking" your account and making purchases against you. E.g. Sony do not have two factor authentication, and people regularly find someone guessing their password (or logged by LAN sniffers on compromised MS Windows machines). This account is likely to have payment details stored in Sony's system, just like fleabay, Amazon, Apple et al. Naughty hacker now logs in using your PSN details, "buys" tons of games, loads on to their console, and then reverts to their own account to play them. The account that's been compromised has no knowledge of this until they get a statement, or if they still have the original email address access, a notice.

      This person then tries to dispute the transactions, Sony will say "fuck off, don't care." If you resort to reversing the charges through your bank as a fraudulent purchase, Sony will cancel your account, locking you out of everything you bought previously, and will probably remotely disable your consoles. Despite being able to see a new console appear against the account, and the IP address could be thousands of miles away in a different state, country or continent. Sony will not aid you.

      Two factor authentication will stop this criminal activity, unless they also happen to gain access to your phone. That's why "2 step" should be a legal minimum. Furthermore, it also allows you to gain control of accounts people steal. Your FB, twatter, gmail accounts might be left logged in, someone can change your password, now you're fucked. Having a phone on record allows you to reset access via a code sent to your device.

    9. Re: Why would I want 2 step by ikejam · · Score: 3, Insightful

      Perhaps so, but do consider this: if you have say a hundred friends (a fair percentage of whom will be using Android) who have you in their contacts (not them in yours, which of course is under your control), it would be trivial for Google to know your contact number with a high level of certainty.

    10. Re:Why would I want 2 step by EvilSS · · Score: 1

      "What you have" in the case of a text message is your cellphone number, which we've seen companies port over to the hacker's phone with enough social engineering.

      I stick to Google Authenticator, and avoid using the phone for browsing the web and getting it hacked.

      Google Authenticator is what the article is talking about.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    11. Re:Why would I want 2 step by __aaclcg7560 · · Score: 3, Informative

      And how exactly does it work if I do not have a cellphone?

      Google recommends these security tokens in the US as an alternative.

      https://support.google.com/accounts/answer/6103523?hl=en
      https://www.amazon.com/s/?field-keywords=%22FIDO%20U2F%20Security%20Key%22

    12. Re:Why would I want 2 step by CrimsonAvenger · · Score: 3, Insightful

      I take it that a "Telephone Book" is a strange idea where you come from?

      Yes, I know they don't usually do them for cell phones, but there isn't a really good reason why the notion should be outrageous or anything....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    13. Re: Why would I want 2 step by Blymie · · Score: 1

      Call logs are the real problem though. Every call Google Play-equipped phones make, every call that comes in, Google also has a record of that.

      That, combined with other people's address book, gives them all they need.

      Not that they'll ever get my phone number willingly either.

    14. Re: Why would I want 2 step by RavenLrD20k · · Score: 1

      Ok... how about this... Do you do business with any companies that have your name and number? Have you ever had to hire some sort of service provider for a utility or home infrastructure (i.e. plumbing, electrical, HVAC, etc.)? Have you ever placed an order for some part or device that was not kept on-site that you were required to provide a contact number for?

      No one has 100 real friends. Just about everyone in modern society has at least 100 people that maintain you on their contact list. Out of those 100+ people the chances of at least one of them using an Android based phone for their contact management is not zero. If there is one person out there with an Android device that has associated your name with a phone number, congratulations: You are now on Google's contact list under that number. You can just about guarantee that even if you don't personally use Google's services, they know your contact information. They know your employer. They know your phone number with your employer. They have a good idea of your home city, if not your exact address. They probably know your phone number. They probably know your cell phone number and what carrier it's on.

      The biggest takeaway from this is if someone wants to find out who you are, or how to contact you, there's much greater than a non-zero chance that they will. You can find out a lot about anyone without even having to acquire a Private Eye permit. All it takes is time and a reason to direct their magnifying glass over you. Welcome to modern society. Anything that makes you stand out, paints a target on your back for one group or another.

    15. Re:Why would I want 2 step by tepples · · Score: 1

      Google recommends [FIDO] security tokens in the US as an alternative.

      The page on support.google.com says this won't work with a web browser other than Chrome, such as if I'm testing my website's "Sign in with Google" functionality on other browsers (especially Firefox, Edge, and IE 11).

    16. Re:Why would I want 2 step by mlts · · Score: 1

      Two step forces an attacker to go from passive harvesting to actively targeting people for attack. A list of brute forced passwords is useless against accounts that use 2FA. Without it, there is a good chance the attacker will be able to find some accounts with the same or similar passwords.

    17. Re:Why would I want 2 step by Darinbob · · Score: 1

      Right. And when I get a new phone then I no longer have what I had and I can't log into Google anymore. I never turned on this feature anyway because for a very long time I explicitly disabled texts. Is there an equivalent to password resets, a "I lost my dongle" button to click?

    18. Re:Why would I want 2 step by __aaclcg7560 · · Score: 1

      And when I get a new phone then I no longer have what I had and I can't log into Google anymore.

      Get a new phone, change your setup. Shouldn't be an impossible situation. Unless, of course, you have a problem with change.

      I never turned on this feature anyway because for a very long time I explicitly disabled texts.

      I was the same way until I got a data plan that provided unlimited texts.

    19. Re:Why would I want 2 step by Stan92057 · · Score: 1

      You do realize there is a difference in giving your phone number to someone as opposed to them having it because someone else gave it to them?

      --
      Jack of all trades, master of none
    20. Re:Why would I want 2 step by Jawnn · · Score: 2

      Actually, my phone number is one of the things I would most trust Google with. Unlike all that web data Google has on me, there are long established regulations that govern what an entity may and may not do with my phone number.

      Don't be naive, Google will violate any "long established regulations", with impunity, whenever they want, to advance their core ADVERTISING business.

      [citation needed]
      How has Google run afoul of regulations governing mobile or wireline telephony? Right. They haven't. Given that they're Google, if they were going to behave in the manner you fear, they would have done so by now. They have not and they will not because there's nowhere near enough profit in telephony efforts compared to what they are already squeezing out of search, Android, Chrome, etc.

    21. Re:Why would I want 2 step by jbmartin6 · · Score: 1

      Isn't it just an app you install on the smartphone? No telephone number involved. You could get an affordable Android phone and only use it with wi-fi.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    22. Re:Why would I want 2 step by thegarbz · · Score: 1

      So you don't know anyone then? I know with 100% certainty that Google knows the phone number of every contact I've ever put in my phone and it's attached to their name and their most common email address, and all with zero option to opt in or out on their behalf.

      That is a feature of Android as it is the feature of any messaging app, contacts organisers (gmail), or social media apps Google has ever released.

      They know your number. Get over it.

    23. Re:Why would I want 2 step by ceoyoyo · · Score: 1

      In addition to the other suggestions, Google uses a standard two-factor encryption protocol. You should be able to use any device, including a Desktop computer, that can run that code. I know there's a Python library.

    24. Re:Why would I want 2 step by bickerdyke · · Score: 1

      Two words: Password recovery.

      Google forums are full of "clever" people who went from

      And why on God's green earth would I want to give Google my telephone number?

      to "why can't Google just text me a new password to my cell" without any transition....

      --
      bickerdyke
    25. Re:Why would I want 2 step by bickerdyke · · Score: 1

      There are emergency codes you print out and keep in a safe place in case you lose your phone. Or you can keep one of the FIDO tokens mentioned before as a spare, in case you lose your phone.

      And two-factor runs completely without text messages if you use an app to generate the OTP. It's a standard algorithm and it can work completely offline.

      --
      bickerdyke
    26. Re:Why would I want 2 step by Nunya666 · · Score: 1

      And how exactly does it work if I do not have a cellphone?

      You're funny. Someone on /. that doesn't have a cellphone. Yeah, right!

    27. Re: Why would I want 2 step by allo · · Score: 1

      Nope, they do not transfer call logs to their servers. If they do, it would be rather new and a reason to sue them.

    28. Re:Why would I want 2 step by Xicor · · Score: 1

      If you are on Android they do....

  2. I am not sure this is an improvement by Anonymous Coward · · Score: 5, Interesting

    I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

    1. Re:I am not sure this is an improvement by gmack · · Score: 2

      For cases like that, you can get a U2F key. It is a USB dongle so no internet connection required.

    2. Re:I am not sure this is an improvement by GIL_Dude · · Score: 4, Informative

      So, this is an improvement because it is just one step of the process. If it fails (due to the no data connection issue you mention), you just click to use another method and it fails back to the previous text message option. So no real downside on that count. The biggest drawback I have hit with it is that Google won't let you use both this new method and a hardware security key (I was using a Yubikey). You have to remove the hardware security key from your account in order to add this new method. That's really a bummer because the hardware keys didn't rely on your phone at all. You just have a small USB key that you pop into the computer and press a button when prompted.

    3. Re:I am not sure this is an improvement by AmiMoJo · · Score: 1

      I would assume that the code entry option remains as a backup should you be unable to get a data connection.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:I am not sure this is an improvement by EvilSS · · Score: 1

      I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Why do you think the app won't also give you a code if you need it because you are offline? Blizzard, Microsoft (on Android, they use Google Auth or Authy on iOS weirdly enough), and LastPass all have push auth requests but give you the option to manually input the code if you need to. I'm sure Google will as well.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:I am not sure this is an improvement by RevRagnarok · · Score: 1

      Since they allow paper backups, I would assume you could still use the numbers... (disclaimer: haven't RTFA yet)

      --
      I should put something clever here. Maybe someday.
    6. Re:I am not sure this is an improvement by cyn1c77 · · Score: 1

      I like the current setup as it does not require my phone to have a data connection. Not everywhere I have a computer connected to the internet do I have wifi available. The app generating a code seems more flexible in my opinion.

      Google is actually letting you choose from several different methods including "tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs...

  3. Perhaps I'm the only one by 93+Escort+Wagon · · Score: 4, Insightful

    But I don't find SMS two-factor to be particularly burdensome. It's simple, it works, and it relies only on a de-facto standard method of communication that pretty much everyone already has access to - no vendor lock-in required.

    --
    #DeleteChrome
    1. Re:Perhaps I'm the only one by NotInHere · · Score: 1

      My main problem with SMS two factor is that in order to do it, I need to tell them my phone number. This gives the service a unique ID.

      I much prefer a Yubikey based solution, where the protocol is open and one can implement whatever one wants on the client side (including an app where you have to tap, or a USB stick you have to put into the computer, etc.).

    2. Re:Perhaps I'm the only one by cryptizard · · Score: 1

      Get a Yubikey or other Universal 2 Factor device. Amazon has one for $6.

    3. Re:Perhaps I'm the only one by AmiMoJo · · Score: 1

      Cost is a problem. SMS is insanely expensive for what it is, and millions of users generating millions of SMS messages a day adds up to a lot of money. It also has issues traversing borders and networks, which can end up costing you a lot of money if you receive texts while roaming abroad.

      The rolling code system laid out in the RFC that Google implemented has none of those disadvantages, and the added advantage that it doesn't rely on the mobile network securing your message against eavesdropping. You also don't have to give your phone number to the service provider you are logging in to.

      There is no vendor lock-in with rolling codes either, it's an open standard (RFC 6238) and there are multiple open implementations available on most platforms. You don't have to use Google's app.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Perhaps I'm the only one by EvilSS · · Score: 1

      > I don't find SMS two-factor to be particularly burdensome

      I do. This year I spent my vacation on a boat. No phone signals. But, at the top of mast was a 4G dongle, so we had fast WiFi on board.

      This summer, I'll spend two weeks in another remote location with little/no phone coverage - but plenty of wifi hotspots.

      How do I access my email if I have WiFi, but no phone coverage to receive SMS?

      At least I'll be able to get into GitHub - they let you use your preferred TOTP software on your own device. No SMS.

      You use the authenticator app and use the code it gives you and enter it manually. Jesus this isn't an either/or. Every other push-auth app out there does this.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    5. Re:Perhaps I'm the only one by Solandri · · Score: 1

      SMS is notoriously insecure. The encryption is only between the phone and the tower. A hacker could potentially intercept the message anywhere else along the transmission route. To truly be secure, it has to be end-to-end encryption, like SSL on websites. Apple sort of has the right idea with iMessage, except they manage the end-to-end keys themselves so they (or a hacker who breaks into their servers) could potentially read your messages. It needs to be done using keys generated and stored only on the endpoint device. (Which has the obvious drawback of past messages becoming unreadable if you lose your device. The keys should be backed up onto another personal device, but because people are lazy/foolish/ignorant Apple decided to back it up on their servers.)

      And even end-to-end encryption isn't completely secure. There are apps out there which when installed on your phone will surreptitiously forward a copy of all your text messages to someone else. Likewise, if you lose your phone (unheard of I know, but it happens) your security is blown. In particular, for people with Android phones, 2FA for Google accounts via SMS is just 1FA. If a thief steals your phone, it's already got access to your Google accounts. And now they're going to 2FA validate you're you by sending a text to the phone in the thief's possession?

      This is the same reason I switched from Google's Authenticator 2FA app to Authy. Authenticator just runs - it assumes your phone is secure and always in your possession. Yes you can and should put a password on your phone, but sometimes you do hand your phone unlocked to other people so they can use it, or a thief can steal it from your hands while it's unlocked and you're using it. Authy at least requires you to enter a PIN or password each time you use it.

    6. Re:Perhaps I'm the only one by Bengie · · Score: 1

      Too bad it's not secure. SMS is easily intercepted because the telecom systems have no authentication. Lots of stories about trivial SMS and phone call interception have hit the tech news over the years.

    7. Re:Perhaps I'm the only one by crashumbc · · Score: 1

      ^^ this

      And Google gives you back-up codes to use; you do have them, right?

    8. Re:Perhaps I'm the only one by crashumbc · · Score: 2

      True, but how often does THAT happen? Just like locks on your door, 2FA isn't meant to be the holy grail. It's just another layer of security and a very formidable one at that.

    9. Re:Perhaps I'm the only one by alvarogmj · · Score: 1

      I understand the concern, but if your phone gets stolen, the thief will only have one of the pieces, right? They'd still need the actual password for the account.

    10. Re:Perhaps I'm the only one by Threni · · Score: 1

      If you're using android (on a phone) then they have your mobile number. I think you need a phone number to sign up for any google service, don't you?

    11. Re:Perhaps I'm the only one by thegarbz · · Score: 2

      Maybe there's something I don't understand here because I grew up in a world where there was such a thing as a phone book which listed everyone's number, but ... do you really think Google doesn't already have your phone number?

    12. Re:Perhaps I'm the only one by ceoyoyo · · Score: 1

      Google's authenticator is just a front end for a standard two-factor scheme. It's simple, it works, it relies on an actual standard, and pretty much anyone who has access to a computing device, including a cheap dongle, can use it, on or offline. Plus it doesn't involve your phone company.

      The encryption-based second factor is also good because anyone can implement it, for free, from a random Slashdotter in his basement on up. Actually, anyone can use Google's authenticator app. Apparently even Microsoft recommends it for their second factor.

    13. Re:Perhaps I'm the only one by ceoyoyo · · Score: 1

      "You don't have to use Google's app."

      Even better, you CAN use Google's app. I'm looking into implementing secure authentication for a small project at work but I wasn't looking forward to having to write an app just for that. A bit of research and it turns out that I can just ask the end users to download Google's authenticator, Authy, or any of a bunch of apps, dongles, etc.

    14. Re:Perhaps I'm the only one by AmiMoJo · · Score: 1

      I wish RDP supported two factor auth.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Perhaps I'm the only one by sabbede · · Score: 1

      I don't like having to retype the code, and if I don't get it while the notification is showing, I have to tap my phone up to THREE WHOLE TIMES to open it in the messaging app!

      Oh, okay, it's not that big a hassle. It's only slightly more convenient, but I still like that. The Microsoft Authenticator already works that way (and is compatible with anything that can use the Google Authenticator), and I've found that it feels much faster and easier, even if the actual difference is pretty minor.

  4. Re:Oh joy - more clickthrough. by __aaclcg7560 · · Score: 1

    That's not the IT industry, it's the software industry. The IT industry, of course, doesn't allow users to install software willy-nilly, especially if downloaded off the Internet and mindlessly clicking "Yes"/"I Accept" everything.

  5. Re:Oh joy - more clickthrough. by Anonymous Coward · · Score: 1

    The point of this form of two-step authentication is that you prove that you have physical possession of the cellphone associated with the account in addition to the password for the account. Having to manually enter a code does not provide any additional security over tapping on the phone - you either have the phone or you don't. So you might as well do it in the most convenient way possible.

  6. Re:Late to the party by Jawnn · · Score: 1

    LOL, Microsoft has been doing this for a long time already.

    So has Duo Security. I wonder what this move by Google will do to their business model.

  7. Google Authenticator by pauljlucas · · Score: 1

    Does Google allow you to use Google Authenticator?

    --
    If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.
    1. Re:Google Authenticator by EvilSS · · Score: 2

      No, obviously not.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  8. Requires data by ubergeek65536 · · Score: 3, Interesting

    It's useless if you don't have a data plan on your phone.

    1. Re:Requires data by cyn1c77 · · Score: 1

      It's useless if you don't have a data plan on your phone.

      Google is actually letting you choose from several different methods including " tapping a Security Key, by entering a verification code sent to their phone or, starting today, by approving a prompt like the one below that will pop up on their phone." So they are not requiring a data connection.

      Ref: http://googleappsupdates.blogs...

    2. Re:Requires data by thegarbz · · Score: 1

      It's useless if you don't have a data plan on your phone.

      That depends. I find every situation where I am able to access the internet on a PC I'm usually in range of free WiFi too.

      Not to mention that the fallback of SMS still exists.

  9. Re:A Google App? by cryptizard · · Score: 3, Insightful

    I'm not sure you understand what this does. You might as well say how long do you think it will take for someone to make a fake Gmail app that steals your Google password? Or any other service for that matter? It is a completely orthogonal question to this topic.

  10. Re:Why in hell would I want this? by cryptizard · · Score: 1

    Ok, but if they get your phone they can still read the SMS messages so the attack is exactly the same...

  11. Re:Why in hell would I want this? by NotInHere · · Score: 1

    Simple: get a new email address only used for "important" logins: emails, domain names, everything important to you.

    Then stash the login credentials for that one away in a safe or something and hope the provider doesn't delete it because you almost don't use it.

  12. Re:Oh joy - more clickthrough. by Qzukk · · Score: 4, Insightful

    But how else am i going to watch tits.avi.scr.js.jpg.exe.com if I don't click Allow?!

    BTW, how many more versions of windows will continue to "hide extensions for known file types"?

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  13. Worse security by WPIDalamar · · Score: 4, Insightful

    This is probably way worse security for the techno-illiterate.

    Attacker enters password.
    Clueless user gets notification, taps it.
    Attacker is let in.

    Whereas before it would be:

    Attacker enters password.
    Clueless user gets a number that they don't know what to do with.
    Attacker is not let in.

    1. Re:Worse security by EvilSS · · Score: 1

      To be fair the moron in your scenario probably won't turn on 2-factor to begin with since it's required or enabled by default.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  14. Re:Oh joy - more clickthrough. by __aaclcg7560 · · Score: 2

    BTW, how many more versions of windows will continue to "hide extensions for known file types"?

    I don't expect that to change in any future version of Windows. Here's a link to fix your problem.

    http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions

  15. Obstacle by Vlijmen+Fileer · · Score: 2

    Ah yes.
    That obstacle to logging in, making it impossible to access Google services if you do not carry your phone, lost it, it got stolen, the battery is empty, it crashed, or it's out of the coverage area.
    Not sure how that can be made "less annoying".

  16. Wish this standard were open... by mlts · · Score: 1

    Blizzard has similar functionality where the app will look at queued login attempts and ask for approval. Before that, it was IBM's ZTIC which was one of the first 2FA systems which did this.

    I wish this were open source, just like TOTP is right now. I use a third party application that allows me to sync my 2FA codes (encrypted, of course) among my devices, including my Linux boxes, and my NAS machines. Having the ability to just tap "approve" for SSH connections would be nice, but it likely would require more moving parts outside my LAN, which could make things less secure.

    1. Re:Wish this standard were open... by Ash-Fox · · Score: 1

      I wish this were open source

      It is open source, https://github.com/google/goog...

      --
      Change is certain; progress is not obligatory.
  17. Re:Will it turn on the phone's flash? by mlts · · Score: 1

    There are more than just Google's app for authentication. Amazon has similar, and there are a number of third party alternatives, some with dark themes.

  18. Nobody has a hundred friends? by maggard · · Score: 4, Insightful

    I do. I'm nearly 50 years old, have lived in several places, have worked at a number of jobs over the years, had multiple romantic relationships in my life. I've made friends every year, in all of those places, through many diverse ways. Are all of the folks I've friended currently on my short list? No. But that list of a dozen close friends has evolved over time with new ones entering and others dropping off as we move about, go through various stages of life, some have died, etc. But they have my phone number. I have theirs. I may also have their closest friends' or family members' phone numbers. That adds up to well over a hundred people. And while I'm social I'm nobody compared to some of the butterflies I know. More than two people for every year of life? Those gregarious folks get, and use, that many numbers in a night on the town. No, for most of us non-hermetic folks I'd guess a hundred friends or more is entirely unsurprising.

    --
    I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
  19. Awesome With Smart Watches! by friedmud · · Score: 1

    If they implement this properly it will be awesome with smartwatches!

    My school uses 2FA through a company called Duo and anytime I go to log in to a school website a notification pops up on my Apple Watch and I just need to touch "Approve" and I'm in. No fumbling for my phone or a key-fob... it's instant and convenient... takes all of the pain out of 2FA.

    1. Re:Awesome With Smart Watches! by viperidaenz · · Score: 1

      This requires your phone to have been recently unlocked, so you can't just steal someone's phone. If it hasn't been recently unlocked, it makes you enter your unlock code.

    2. Re: Awesome With Smart Watches! by friedmud · · Score: 1

      Not that I can tell... do you have some documentation stating that?

  20. Re:Late to the party by friedmud · · Score: 1

    Duo's solution is awesome... even works perfectly with my Apple Watch! When I try to sign on to a website using Duo I get a message on my Watch that allows me to immediately approve the access... without getting out my phone or fumbling for a key-fob.

    Can't wait to see this in action in other places! Hopefully Google will add this capability to Authenticator...

  21. Re:Oh joy - more clickthrough. by friedmud · · Score: 3, Insightful

    While I think this is a good idea... I can kind of understand what he's saying.

    Imagine this:

    1. Bad guys steal password
    2. Bad guys go to gmail.com and enter password
    3. Good guy receives notification that approval is needed for a login
    4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

    That scenario couldn't happen with a pin code being sent... because the Bad guys would not receive the pin code and the Good guy wouldn't have anywhere to enter the pin code...

    I agree that it's pretty boneheaded... but the point of the parent is that we're all so used to clicking OK/Approve (and we REALLY will be if every website requires this kind of authentication) that many normal people might accidentally click Approve for bad requests...

  22. How could they? by HalAtWork · · Score: 1

    I have no phone!

    1. Re:How could they? by Ash-Fox · · Score: 1

      I have no phone!

      Use your tablet!

      --
      Change is certain; progress is not obligatory.
    2. Re:How could they? by HalAtWork · · Score: 1

      No sim card... Or do you mean I should get a hangouts phone number and get SMS that way? That kinda puts me in a weird authentication loop

    3. Re:How could they? by Ash-Fox · · Score: 1

      You can run the Google Authenticator app instead of SMS.

      --
      Change is certain; progress is not obligatory.
    4. Re:How could they? by HalAtWork · · Score: 1

      Oh :) Thanks, never looked into it, I will now! Hope that will stop them asking me to enter a phone number about every 10 times I log into the web client

  23. Re:You still need a phone for this? by Ash-Fox · · Score: 1

    I don't have a phone! Can't you buy some rolling key fob somewhere and register the code with them?

    Yes, you can use the FIDO Universal 2nd Factor (U2F) fob.

    --
    Change is certain; progress is not obligatory.
  24. Re:Why in hell would I want this? by Ash-Fox · · Score: 1

    Hell all they now need is to get hold of your smart phone

    Oh, how will you unlock it?

    steal not only your Gmail

    I have a Google account, but I don't have gmail.

    I'll stick with the simple text message and enter it into the website instead of allowing my phone to simply be tapped to confirm.

    If my e-mail is somehow compromised regardless, I could unplug the server?

    --
    Change is certain; progress is not obligatory.
  25. Re:Oh joy - more clickthrough. by Ash-Fox · · Score: 2

    4. So used to just clicking Approve for this notification the good guy clicks Approve... and the Bad guys are in.

    You have to unlock the phone first...

    --
    Change is certain; progress is not obligatory.
  26. Re:Oh joy - more clickthrough. by thegarbz · · Score: 1

    BTW, how many more versions of windows will continue to "hide extensions for known file types"?

    Before you complain about this ask yourself:
    1) Did people know what a filetype was?
    2) Did the rate of success for these attacks change dramatically as a result?

    The most common infection vectors for these types of files do NOT go through Windows Explorer. They are downloads complete with a box asking if you want to open the file, or email attachments which show the file name in full. People were fooled before, people will continue to be fooled, and hiding or showing the file extension in an operating system doesn't change this one bit.

  27. Do not want by scdeimos · · Score: 1

    Thank goodness it's optional. I'll stick with the existing 2-factor authentication via SMS, thanks:
    • Existing 2-factor authentication can work with any old dumb phone
    • New 2-factor authentication requires a tablet or smartphone with a data connection *and* it requires you to install the Google Search app (which will no doubt be reporting back to Googs on your every action).

  28. Slashdot is finally hearing about old news by viperidaenz · · Score: 1

    I've been doing this for months. I'm sure the service has been available for much longer.

  29. Re:Oh joy - more clickthrough. by friedmud · · Score: 1

    You don't when using Duo at least...

  30. I want this for servers by allo · · Score: 1

    But without google.

    Something like an Android app and some web service coupled with a PAM module. The login prompt then displays a number, the app displays the number as well, and I can accept the login from the app with a single tap. Fallback to normal Google Authenticator.

  31. Software alternative: OTP by DrYak · · Score: 1

    Another alternative is to use TOTP (Time-derived One-time password):
    an ever changing code that is based on a hash, computed out of the current time (hence the ever changing) and a shared secret that only you and google know.

    Only someone possessing the shared secret can compute the correct code for that time.
    The secret itself is never sent on the wire, only the current-time code derived from the secret is.

    You can find apps running on tons of other hardware if you don't own an Android or an iPhone (or simply don't want to give that phone number to Google).

    You could even build your own, using an Arduino, an LCD display and some means to get accurate(-ish enough*) time (e.g.: GPS chip or a DCF77 receiver if you're in Europe, or an RDS FM radio receiver, or extract it from TV broadcast, etc.)

    TOTP is supported as a two-factor standard at lots of other companies (Facebook has it as a possibility, nearly every bitcoin-related website I've seen has it, Microsoft too, etc.)

    (*) - a new code gets generated every 30 seconds, and some server-side implementations also compare against the past couple of codes.
    So your clock doesn't necessarily need to be that precise.

    You could get the time from your wrist watch if you don't have any time source.

    Or you could run the TOTP *on* the wrist watch if yours happens to be programmable (e.g.: Pebble)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]