Google is trying to make things more secure for the normal user here. To log on you need username/password and a 2nd token. If you use a security key then you can enable TOTP/HOTP as a second method, as far as I recall.
Generating app passwords means that you can only access part of your Google account with a username and a password. That’s the point of an app password. It is less than ideal, but it enables you to use your Google account with older clients that don’t support various 2FA methods.
Again: if a user had taken the time to organize this in the months before Google activated 2FA there would be no need to give Google a telephone number.
I wonder how many people this actually affects? I’d imagine it would be very few.
As far as I know you can still use TOTP/HOTP with a Google account, but you need to activate one of the 3 main access methods first (USB key, mobile phone, something else).
Presuming this: World and affected people as per your logic is then very few, how much do you think it means when your phone number gets leaked, which in many countries is the main and only number and is used for banking? Google like everyone has leaks, maybe knowingly, maybe… If I “in that very few” were to lose, I can come to you asking for my living? I say this since I see you advocating for Foogle even when others here are pretty pleasing asking you to read what we are discussing in actuality.
So here it is: those very few according to your thought process and their privacy, money, safety, etc, means much higher than foogle and people ARE trying to move away.
All we are doing here is trying to identify and become more aware of how not to divulge my data to big sharks from my own hand. How to save a very small grass root like myself to not get trampled upon.
I’m not sure there’s an easy way to make sure that your information does not get into the wrong hands. You could operate your own infrastructure but that’s more likely to be hacked than Google is, I’d imagine.
I certainly trust Google’s security more than anything I could maintain myself.
Google is trying to create a safe 2FA zone for its users. One of the ways to make this zone safer is to require username, password and proof of telephone number to get access. I imagine Google’s own push notification on Android checks a number of things about the phone as well.
Probably the simplest, safest way to reliably check is to install the APK Explorer app from the F-Droid app store. This is a verified open source app without embedded trackers. Opening the app displays a list of installed apps and their unique package names.
Tracker-Free Alternatives: On Android it is possible to change the default dialer and messages apps. Verified open-source, tracker-free dialer and messages apps are available on the F-Droid app store. For example, Simple Dialer, QKSMS and Simple SMS Messenger.
Maybe a little disturbing how easy to MITM and decrypt “secure” connections (p. 6-). Or is that difficult?
Disclaimers: The guy Doug Leith is putting out a lot of stuff, and The Register is publicizing it. Some needs and gets corrections. Peer review may or may not come later. YMMV.
I have checked in my Google account settings and it says less secure access option “will be turned off if it’s not used. On 30th of May 2022 this setting will not be accessible”
Correct me if I’m wrong, but it means:
If I’m not logging on to my Gmail IMAP account frequently the “less secure” setting will be turned off automatically?
After 30th May I will not be able to configure this setting, however it will be still set to: ON if prior to that it was on?
“Less secure access” is access via IMAP/SMTP, if it’s OFF I still can log on using master password without 2FA using web browser and check my mail within browser to provide more ads revenue to Google & affiliates?
Is that correct?
While thinking about some workaround - is there any option to plug an emulator of USB authenticator to Firefox while setting up authentication to Google account? Has anyone tried something like a software YubiKey?
I’m not willing to provide Google my phone number as I treat this information with my personal data as confidential.
Err, that is odd. I have degoogled and even removed all accesses (which I can without root) and I get 2FA and no need for anything else. Like I mentioned earlier. I still use the 2FA with OTP client and codes.