Slashdot Mirror


Google's $50 Titan Security Keys Are Now Available in the US (engadget.com)

Last month, Google introduced its Titan Key -- a physical security key used for two-factor authentication -- and now it's widely available for purchase in the US through the company's Google Store. Almost any modern browser and mobile device, as well as services such as Dropbox, Twitter, Facebook, Salesforce, and Stripe, support the Titan Key. It's Google's take on a Fast Identity Online key, a physical device used to authenticate logins over Bluetooth. From a report: For $50, you'll get a USB security key and a Bluetooth security key as well as a USB-C to USB-A adapter and a USB-C to USB-A connecting cable. What happens if you lose them? From a report: A downside of physical keys is that if you lose them, you're toast. That's why you have two keys -- one is meant to be a backup. Google says it can help you gain access to your account again but the recovery process can take days. VentureBeat adds: It's not meant to compete with other FIDO keys on the market, stressed Sam Srinivas, product management director for information security at Google, during a press pre-briefing. Rather, it's "for customers who want security keys and trust Google," he said. Further reading: None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA.


  1. TFA? by rjune · · Score: 1

    Am I missing something? Is there a full article? Who supports this? Amazon? Shopping Sites? Banking or Investment? It seems that more effort could have been put into this post.

    1. Re:TFA? by Tomahawk · · Score: 1

      Use the 2nd link for a longer article. It lists a few sites that use it (facebook and twitter being in there, along with Google)

    2. Re:TFA? by Fly+Swatter · · Score: 1

      At least mention the ones that matter, this is slashdot after all. It will be supported by the Worldwide Web Consortium’s Web Authentication API, as well as github.

    3. Re:TFA? by Stan92057 · · Score: 1

      who? "Posted by msmash" "Google" does. this story has been re-posted plenty of times here at /. it's a slashvertisement. click the related links it goes on and on from there.

      --
      Jack of all trades,master of none
  2. Curious by the_skywise · · Score: 3, Interesting

    None of Google's 85,000 Employees Have Been Phished in More Than a Year After Company Required Them to Use Physical Security Keys For 2FA

    How many of them using 2FA and NOT using physical keys got phished?
    Getting phished for the password sure - but who gives out the 2FA code? Even presuming a hacked website I would think the key would just hand over the data to the fake website?

    1. Re:Curious by olsmeister · · Score: 4, Interesting

      I was closing an account at Capital One a couple of weeks ago, and as a security precaution they asked me for my phone #, sent me a code via text message, and had me repeat that code back to them. I was like, I don't understand what the hell that just accomplished but whatever, I just want to close the damn account. Maybe that's their idea of 2FA.

    2. Re: Curious by Anonymous Coward · · Score: 2, Insightful

      Well they just proved that whoever was closing the account had a phone number. Can never be too sure these days. It's not like just anyone can have a phone number.

    3. Re:Curious by fibonacci8 · · Score: 2, Insightful

      It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

      --
      Inheritance is the sincerest form of nepotism.
    4. Re:Curious by darkmeridian · · Score: 1

      Actually, the FIDO U2F standard would not allow man-in-the-middle attacks with a spoofed website. The key will only work with the specific domain that authenticated the key, so a fake domain wouldn't work. If the website itself is hacked on the back end, then all bets are off. Same thing if the user's browser/computer is hacked.

      https://www.yubico.com/2017/10...

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    5. Re:Curious by bogd · · Score: 1

      Getting phished for the password sure - but who gives out the 2FA code?

      Oh, you would be surprised how many people do... There have been plenty of attacks in the wild doing exactly that - persuading people to give out 2FA codes (from Steam Authenticator codes to banking token codes). And it is amazing how many people willingly hand them out.

      Even presuming a hacked website I would think the key would just hand over the data to the fake website?

      That's the beauty of U2F - the generated code depends (among others) on the actual URL. So if you get a phishing link on goog1e.com, that site will receive a totally different 2FA code, one that will NOT work on the original website.

      More details here, for example.

      The downside of this design is that it requires support from the browser (someone has to provide the actual URL when requesting the 2FA code), and major browser manufacturers don't seem that eager to implement it. Maybe the new WebAuthn standard will change this...

    6. Re:Curious by hoggoth · · Score: 1

      That is moronic!

      Also, Vanguard has TOTP 2FA (Authy, Google Authenticator, etc), but on the page that asks you to enter your code there is a button 'I don't have my security device with me, send me an SMS instead'. This cannot be disabled. I am not making this up. I complained but the support rep couldn't understand why this is bad. She just kept asking if I wanted to turn off 2FA altogether.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    7. Re: Curious by Anonymous Coward · · Score: 1

      This isn't the worst thing. I mean, it would be (and might be) stupid if they required the ability to text your number, since land lines are still a thing and not everyone has unlimited texting, but it does add *some* level of validation.

      When you call in, they (probably) get your caller ID number, but that can easily be forged (this isn't theory; I've done it, and it's done as a normal course of business on nearly all business and 800 lines). The feedback loop they provided by sending you a code and having you read it back means that you have access to that phone number. That might be small, but it's way more than trusting caller id, and it can provide a means to trace that back to an account holder at that time should some legal issue arise from the cancellation.

      It would have been better if you had some form of 2fa setup with them already, and I hope they asked some other security-ish questions to verify your identity, but it doesn't seem like a bad thing.

    8. Re:Curious by Hadlock · · Score: 1

      I would imagine they're in a transitionary stage and/or the project manager in charge of this doesn't trust their implementation enough to switch cold turkey.

      --
      moox. for a new generation.
    9. Re:Curious by thegarbz · · Score: 1

      It sounds like you got phished by Capital One for your phone number, have you taken any steps in case they misuse it?

      Are you implying that there are people out there who have dealings with a financial institution like Capital One who haven't already given them their phone number? To be clear we are talking about a financial services company here. If there's one group of people I want to be able to contact me urgently, it's the damn ones looking after my money.

  3. Trust Google? by Anonymous Coward · · Score: 2, Insightful

    Would you trust Google to make you secure when Google mines details about as many people as it can?

    1. Re: Trust Google? by dbialac · · Score: 2, Insightful

      Yep. Don't think for a second that this isn't another way to track you online.

    2. Re: Trust Google? by jareth-0205 · · Score: 1

      Yep. Don't think for a second that this isn't another way to track you online.

      [citation needed]

      Oh no, wait, it's 2018. Spouting unfounded bullshit without having to back it up with anything is just how things are now.

    3. Re: Trust Google? by dissy · · Score: 1

      Yep. Don't think for a second that this isn't another way to track you online.

      Well without a 2FA hardware token, that means you are currently typing in a username and password.

      I don't see how your claim that entering a username and password doesn't let the website you enter it into track the fact you just logged into them.
      By definition you have identified yourself with a username, and proven it really is you with your password.

      As a 2FA hardware device does the same two tasks with one certificate, of course the website you use it to login to can track you equally the same.

      That includes if you sign in to google, google will know you signed into them.

      I would however highly suggest you stop trying to sign into google using your username/password for other websites. It isn't going to actually work, and there is no good reason to give google that info.

    4. Re:Trust Google? by AHuxley · · Score: 1

      All the crypto is then back to one ad company.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re: Trust Google? by dbialac · · Score: 1

      Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.

    6. Re: Trust Google? by dissy · · Score: 1

      Because that 2FA token sends info from the website you're logging into to Google. Google knows the ID of your 2FA and now knows you are a user of that website and when you log in.

      But I use them on internal systems without Internet access at all.
      How exactly are you saying the token keys send anything to google?

      My Yubico key, which uses the exact same protocol and backend PAM modules, I've used for years to login to a machine that not only doesn't have Internet access, but has no network access at all.

      Perhaps you are just confused because for the first couple months google only sold the keys to people with google cloud accounts, not realizing they now sell them to anyone?

      Or perhaps you are mistakenly thinking google invented the fido u2f protocol, and don't understand it's existed for years?

      The PAM module is open source: https://developers.yubico.com/...
      No networking required after you download the GIT tree.

  4. Google Authenticator by Tomahawk · · Score: 1

    I use Google Authenticator on my phone for my MFA needs. I think I'm more likely to notice my phone going missing than I am to notice a small usb key going missing, and I'm also more likely to remember to bring my phone wherever I'm going.

    So I think I'll just stick with using my phone and save the $50.

    1. Re:Google Authenticator by AmiMoJo · · Score: 4, Interesting

      There are a few benefits to using these kinds of keys. I don't know about the Google one specifically but others have features like being able to act as a USB keyboard and enter very long, complex passwords for you when you press the button. There is also the speed factor, no opening an app and copying a code manually.

      The down side is that these keys have no physical security. Your phone is at least lockable, but if someone takes your key there is nothing to stop them using it. Mainly a concern for people who might get targeted specifically or people at risk from law enforcement in bad countries.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Google Authenticator by Frederic54 · · Score: 1

      Same, I don't use SMS anymore for 2FA, I setup my google, FB, reddit, using the Google Authenticator, works well for me.

      --
      "Science will win because it works." - Stephen Hawking
    3. Re:Google Authenticator by bogd · · Score: 1

      Google Authenticator is nice, but:

      1) it is vulnerable to man-in-the-middle and phishing attacks. While U2F is designed to resist those (if someone gets a user to generate a code on a phishing website hosted on "goog1e.com", that code will not work on "google.com").

      2) it is impossible to backup the keys. Lost/destroyed/changed your phone? You're going to spend the next two days resetting 2FA on all those accounts... (I know there are workarounds for this second part, but some of them trade convenience for lower security...)
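
The contrast drawn in this comment and in the earlier goog1e.com reply in the "Curious" thread, as an added example (not part of any poster's comment, and not code from Google or Yubico). It is a Python model in which an HMAC stands in for the token's ECDSA P-256 signature so it runs on the standard library alone; the origins, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import struct

REAL = "https://www.google.com"    # origin the user enrolled with (constructed)
PHISH = "https://www.goog1e.com"   # look-alike origin from the comments (constructed)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Model of a U2F key. Assumption: HMAC replaces the real ECDSA signature."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)   # never leaves the device
        self._counter = 0

    def _mac(self, label: bytes, app_param: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, label + app_param + nonce, hashlib.sha256).digest()

    def register(self, app_id: str):
        """Return (key handle, verification key) bound to this appId."""
        app_param, nonce = sha256(app_id.encode()), os.urandom(16)
        handle = nonce + self._mac(b"handle", app_param, nonce)[:16]
        return handle, self._mac(b"key", app_param, nonce)

    def sign(self, app_id: str, handle: bytes, client_data: bytes):
        app_param = sha256(app_id.encode())
        nonce, tag = handle[:16], handle[16:]
        if not hmac.compare_digest(tag, self._mac(b"handle", app_param, nonce)[:16]):
            return None   # handle was issued for a different appId: refuse to sign
        self._counter += 1
        counter = struct.pack(">I", self._counter)
        msg = app_param + b"\x01" + counter + sha256(client_data)
        key = self._mac(b"key", app_param, nonce)
        return counter, hmac.new(key, msg, hashlib.sha256).digest()


def client_data(origin: str, challenge: str) -> bytes:
    """What the browser hands to the token: it records the origin it is really on."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": origin}).encode()


def rp_verify(app_id: str, key: bytes, challenge: str, data: bytes, assertion) -> bool:
    """Relying-party check: origin, challenge, then the signature itself."""
    if assertion is None:
        return False
    seen = json.loads(data)
    if seen.get("origin") != app_id or seen.get("challenge") != challenge:
        return False
    counter, sig = assertion
    msg = sha256(app_id.encode()) + b"\x01" + counter + sha256(data)
    return hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest())


def simulate(now: int = 1_535_000_000) -> dict:
    results = {}
    # TOTP: a code typed into the look-alike page is just six digits, so the
    # real site accepts it when it arrives a few seconds later.
    secret = os.urandom(20)
    typed_on_phish = totp(secret, now)
    results["totp_relayed_code_accepted"] = typed_on_phish == totp(secret, now + 5)

    token = Token()
    handle, key = token.register(REAL)
    challenge = os.urandom(16).hex()

    good = client_data(REAL, challenge)
    results["u2f_real_site_accepted"] = rp_verify(
        REAL, key, challenge, good, token.sign(REAL, handle, good))

    # Look-alike page relays the real challenge and key handle; the browser
    # derives the appId from the page it is actually on.
    bad = client_data(PHISH, challenge)
    results["u2f_token_signed_for_phish"] = token.sign(PHISH, handle, bad) is not None

    # Second layer: even if a signature exists over client data naming the
    # wrong origin, the relying party rejects it.
    forced = token.sign(REAL, handle, bad)
    results["u2f_wrong_origin_accepted"] = rp_verify(REAL, key, challenge, bad, forced)
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```
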

    4. Re:Google Authenticator by Lab+Rat+Jason · · Score: 1

      Does that same switch also unlock the key? I think you missed the point.

      --
      Which has more power: the hammer, or the anvil?
    5. Re:Google Authenticator by davecb · · Score: 1

      If you don't have to also provide a pin as part of the key response, it's "something you have" without "something you know". Ie, 1FA instead of 2FA.

      --
      davecb@spamcop.net
    6. Re:Google Authenticator by davecb · · Score: 1

      Good! Thanks, AC!

      --
      davecb@spamcop.net
    7. Re:Google Authenticator by AmiMoJo · · Score: 1

      Typically you would have a password as well, and then re-authenticate using just the key periodically when you want to perform specific actions.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. Curious if different from the Feitian model by PhrostyMcByte · · Score: 1

    These Titan keys are the same hardware as the Feitian FIDO keys, but supposedly with a custom firmware so not a simple rebranding.

    I'm curious to know how these compare.

    1. Re:Curious if different from the Feitian model by Wolfrider · · Score: 1

      --Bring the price down to $25 and I might consider it

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    2. Re:Curious if different from the Feitian model by q4Fry · · Score: 1

      Not to be coy: They do give you two keys for the $50.

    3. Re:Curious if different from the Feitian model by tmshort · · Score: 1

      And adapter cables!

  6. Who cares? by jittles · · Score: 5, Interesting

    Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

    1. Re:Who cares? by jareth-0205 · · Score: 1

      Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

      There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

      Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

    2. Re:Who cares? by jittles · · Score: 1

      Seriously, who cares? Who trusts Google, a company that makes all of its money by spying on the users of its platform, with anything that has to do with security? Their whole business model is based around taking your data. I would trust it more if it was a product of the NSA or CIA.

      There is a difference between personal security, web security, which is something that is both in your and Google's interest to secure, and the mining of personal information, which is in their interest, but not yours. This is obviously a product for the first.

      Not everything Google does fits into the hysterical OH MAH GAWD THEYRE TAHKIN ALL MAH DATA narrative.

      If you’re right then there is still no reason to buy it. Google drops basically every service they offer that does not provide value to their advertising platform. They do it time and time again. So if they aren’t actually harvesting useful metrics through the use of this device then they will just EOL it after 2-3 years.

    3. Re:Who cares? by jareth-0205 · · Score: 1

      Well that I would agree with...

    4. Re:Who cares? by kosmosik · · Score: 1

      Google customers care. The ones that are actually paying Google for their cloud services. You know that Google is not only web and email right? There is also the Cloud Platform. I personally would like a strong 2FA device to protect my accounts for running my business on GCP.

      Trust is one issue, cost and business is other. Lots of business pay Google for services so they also trust Google to run their business. Ones like Snapchat, Airbnb, Costco, Philips, TiVo, Citrix, Ubisoft... etc.

      https://cloud.google.com/custo...

    5. Re:Who cares? by thegarbz · · Score: 1

      Me, and here's why:

      Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your data, and while maintaining that your data is effectively their carefully guarded CocaCola recipe, then you should apply a bit more nuanced thought.

      On top of that you should also take care to look at the quality of products and code produced to date, as well as security practices, hiring and staffing practices, and general industry standings.

      With all that in mind I trust Google more on matters of security than a company like Semantic, and a fuck ton more than a company which collects my data as an incidental revenue stream (looking at you Samsung, Verizon etc).

      But then you throw thought out the window when it comes to data as evident that you prefer to trust security to agencies which almost exclusively are out to determine if you are thinking wrong and to punish you for it.

    6. Re:Who cares? by jittles · · Score: 1

      Me, and here's why:

      Security and a business model of handling your data are not exclusive. In fact one would hope that the people who make a business of handling your data are also some of the best in the aspects of security. Now this isn't applied universally. If you take a company like Verizon who will bulk sell your data to the highest bidder then security (of that data) is a non issue. However if you deal with a company whose sole source of income is selling access to you by way of profiling your data, and while maintaining that your data is effectively their carefully guarded CocaCola recipe, then you should apply a bit more nuanced thought.

      On top of that you should also take care to look at the quality of products and code produced to date, as well as security practices, hiring and staffing practices, and general industry standings.

      With all that in mind I trust Google more on matters of security than a company like Semantic, and a fuck ton more than a company which collects my data as an incidental revenue stream (looking at you Samsung, Verizon etc).

      But then you throw thought out the window when it comes to data as evident that you prefer to trust security to agencies which almost exclusively are out to determine if you are thinking wrong and to punish you for it.

      Your problem is that you're misunderstanding whose security Google cares about. They care about their own. Whatever protection they provide to your data is only due to the fact that they make money off of that data. At least I know that the NSA and CIA are going to spy on me and generally do things that aren't in my interest. Google is the kind of company that, with their "Do no evil" mantra claim that they're a great company. And yet they spy on you worse than even Facebook does. There are plenty of companies who make this kind of hardware that do not make their money on spying. Why should you trust Google more than one of them?

    7. Re:Who cares? by AHuxley · · Score: 1

      With PRISM 2.0 a user can get that security service part for free.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Who cares? by thegarbz · · Score: 1

      Your problem is that you're misunderstanding whose security Google cares about. They care about their own.

      Not at all. Re-read my post. My post talked about caring about their own security for protecting their Cocacola recipe: your data. That also means they invest in security. That also means security trickles down to their retail products. Companies don't typically waste time writing lots of new things from the ground up to suit nearly identical needs.

      And yet they spy on you [wsj.com] worse than even Facebook does.

      And they are the one group whose spying I'm not worried about. Google spy on users in order to make money by selling access. That makes them orders of magnitude more trustworthy than those who spy on users in order to sell data wholesale (Verizon) , or spy on users to actively attack the users in question (NSA / CIA)

      There are plenty of companies who make this kind of hardware that do not make their money on spying.

      There are. And there are few who are putting as much effort into integration efforts across products as Google. If this form of compatibility didn't matter, Apple wouldn't exist. It was their entire reason for being when they were making their comeback: It Just Works.

  7. I just love it by nospam007 · · Score: 1

    Before, if they didn't get to me by phishing they were bust.
    Now they have to come to my home and hit me over the head with a wrench and take my titan-dongle.

  8. Curious to have a product with no customers by SuperKendall · · Score: 4, Funny

    it's "for customers who want security keys and trust Google"

    It doesn't seem like anyone there ran through the Venn diagram on that one, because I come up with approximately zero customers...

    And that includes Google employees.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Curious to have a product with no customers by fibonacci8 · · Score: 2

      I suspect you mistakenly substituted "should trust Google" in your own diagram, when the customers are those who "do trust Google".

      --
      Inheritance is the sincerest form of nepotism.
    2. Re:Curious to have a product with no customers by doconnor · · Score: 1

      There are people who manage multi-million dollar adwords/adsense accounts with Google. There are people who make their living from their YouTube videos.

    3. Re:Curious to have a product with no customers by SuperKendall · · Score: 1

      Yep, and you seriously think EITHER of those groups trust Google?

      Just ask any YouTuber about play counts and get a sense of how much "trust" and "love" there is for Google.

      Even on the ad side I don't see much trust that Google is actually accurate with counts. But what else are the advertisers going to do?

      You don't have to trust or even like someone to do business with them you know.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    4. Re: Curious to have a product with no customers by doconnor · · Score: 1

      Well not trusting Google doesn't mean they want their account hacked by someone else.

  9. Two Things: by Cornwallis · · Score: 4, Interesting

    1) "A downside of physical keys is that if lose them, you're toast." Bullshit. I use Yubikey and if I lose it I simply use the backup alphanumeric codes I created when I established the 2FA account on the site.

    2) You're gonna trust Google?

    1. Re:Two Things: by kosmosik · · Score: 1

      2) Lots of serious corporations use commercial Google products especially G Suite. I worked in two such corporations. Such 2FA product is mostly targeted for power (these are few) and corporate users (these are hundreds of thousands and they are paying). So if they are using it they are probably also trusting Google. If you use G Suite it is a very good idea to protect at least the administrative accounts (eg. with domain control) with strong 2FA devices.

      1) Take a look at 2 - this is targeted to corporate environments. In corporate environment when you lose your 2FA device you usually have a procedure to recover your account and get a new one.

    2. Re:Two Things: by SuperKendall · · Score: 1

      2) You're gonna trust Google?

      I posted a joke response earlier, but I kid you not - I was reading through the summary and thinking about buying one, then I came to the line "and those who trust Google" and I instantly decided not to buy it after all.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Two Things: by thegarbz · · Score: 1

      2) You're gonna trust Google?

      Trust with what? Trust is not a universal concept. It is contextualised. I trust my mother to have my best interests in heart. I don't trust her not to fill my computer with viruses and therefore she doesn't get to touch it.

      I don't trust Google with a lot of things, however they have quite consistently shown to produce quite good back end code and generally don't appear frequently in the list of companies which have left users to malicious exploits due to poor code, or sold out customers. Mind you I don't trust them to code a functional UI to enter the 2FA codes into, however that doesn't really come into when talking about security.

  10. This device is for whom exactly? by AnthonywC · · Score: 2

    If you actually want a 2FA you would probably have enabled it with your phone or possibly a physical key device (similar to this one). However this is a Bluetooth device and we all know how secure that is.

  11. Really slashdot? by Anonymous Coward · · Score: 1

    Why does the "and now it's widely available for purchase in the US through company's Google Store" link go to an engadget article instead of the fucking Google Store?

  12. IT'S BULLSHIT by the_B0fh · · Score: 4, Interesting

    To use a hardware token as 2FA on FaceBook, Twitter, DropBox and so on, YOU FIRST HAVE TO ENABLE 2FA VIA SMS.

    AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER, THEN AND ONLY THEN WILL HARDWARE TOKEN 2FA BE AVAILABLE AS AN OPTION.

    WHAT THE FUCK?

    1. Re:IT'S BULLSHIT by bogd · · Score: 1

      Your shift key seems to be stuck :)

      There is a reason for requiring your phone number - most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

    2. Re:IT'S BULLSHIT by jittles · · Score: 2

      most likely, they are using SMS as a backup recovery mechanism - so that you are not "toast" when you lose your security key. If you lose the physical key, you will still be able to recover your account via SMS.

      Well then I will save my $50 and not buy a security key if they’re going to insecure it in that manner. It just takes a few minutes of social engineering to hijack someone’s number and therefore their SMS.

    3. Re:IT'S BULLSHIT by nine-times · · Score: 1

      Ok, here's the problem with that:

      If you can use SMS as a recovery path when you lose your 2FA token, that means you don't need the 2FA token. You can just use SMS. Though that might sound handy, SMS is insecure.

      It's the same basic problem with "security questions". A lot of services have the option where, if you forget your password, you can reset it with security questions. And then, they ask you security questions like, "What's your mother's maiden name?" That's information that isn't necessarily hard to find out these days. So now, instead of having to hack the site or guess someone's password, you can get unauthorized access to the account just by knowing the person's mother's maiden name.

      "Security is only as strong as its weakest point." It's a bit of an oversimplification, but accurate enough. If, in the name of security, you make your default method of authentication so onerous that people need an easy and insecure backup method, then you've just undermined your own security.

    4. Re:IT'S BULLSHIT by bogd · · Score: 1

      Well, I won't argue with you there :) . It's one of those cases in which they choose usability over security. :/

    5. Re:IT'S BULLSHIT by tlhIngan · · Score: 2

      If you lose the physical key, you will still be able to recover your account via SMS.

      Have we not learned? A phone number is not something you have. NIST discovered this a few years ago and updated their guidelines - no SMS, phone call, or other thing can be valid for identification at all.

      Hell, this existed even before cellphones were popular - phone phreaking was a thing and it was possible to reprogram a switch to temporarily redirect a phone call to another phone. Many used it to bypass "phone verification" systems that banks and such implemented where they would call you back at your home or something. And this was done in the late 80s.

      2FA is only as strong as the weakest mechanism. The fact you can "recover" by SMS means it doesn't matter how strong your 2FA mechanism is, you're bound by the weakest link, in this case, SMS. (Think about it - why have the most secure key in the world, if anyone else can claim to "lose" it and thus revert to SMS?)

    6. Re:IT'S BULLSHIT by bogd · · Score: 1

      As I answered above, that is true. Unfortunately, this is one of the many cases in which they (the companies implementing the security options) chose usability over security.

      Unfortunately, there is no magic bullet here - very strong security would lead to many users being locked out of their accounts, and many very unhappy customers (who will happily scream at the support people, even when they are themselves to blame for locking themselves out - maybe by losing the security key, or forgetting their passwords, etc).

      Even Google offers alternatives - when logging in these days, you have at least 5 or 6 methods of verifying your identity (approval on an Android device, U2F key, Authenticator, offline codes, SMS codes, pre-generated keys, etc). All of them equivalent - if a single one of those is compromised, so is your account. This is somewhat mitigated by the "new login detected" prompts and emails, but it does remain a valid security concern.

    7. Re:IT'S BULLSHIT by afaiktoit · · Score: 1

      yes! exactly what I was thinking when I tried to set up a u2f on facebook. what the hell?

    8. Re:IT'S BULLSHIT by the_B0fh · · Score: 1

      No. You can remove your phone number as a 2FA after you've added physical tokens.

      So it's bullshit.

    9. Re:IT'S BULLSHIT by thegarbz · · Score: 1

      AFTER THEY HAVE FUCKING COLLECTED YOUR PHONE NUMBER

      I take it you've never used Google Maps, or Android, or any services by Google. Here's a hint: They have your phone number. Don't pretend to think that they don't. That would be incredibly foolish.

      Also as an aside, when did you become so petrified that you freak out about giving out something that we used to give out to everyone, and routinely also publish in a big book that was freely delivered to everyone?

      Google has my phone number? Oh the humanity! What will I do!

    10. Re:IT'S BULLSHIT by the_B0fh · · Score: 1

      Apparently Android users feel that being abused is the right thing to do, so why worry, be happy.

    11. Re:IT'S BULLSHIT by thegarbz · · Score: 1

      No, Android users don't need to run off to some safe space because someone has their phone number.

  13. nope not me by renegade600 · · Score: 1

    as nice as it sounds to be more secure, I would lose it within a week. me iz gettin old and tend to misplace things a lot :-(

  14. Google announces new Micro USB-C connector by Eric+Smith · · Score: 1

    That's the most impressive part of the announcement, if you ask me. Their store page says that they have a "USB-C to USB-A adapter", which is nothing special, but also a "Micro USB-C to USB-A connecting cable".

    I'm eager to hear when this new "Micro USB-C" connector will start appearing on Android phones and tablets.

  15. Security? by Agripa · · Score: 1

    How can they be secure if Google can restore access even if it takes days? Doesn't that mean Google can restore access for someone else?