News: access removal of "Less Secure Apps" in Google

Ever heard of TOTP or HOTP? Those are 2FA, fyi… no phone number needed.

What does this even mean? You can’t have 2FA without knowing user/pass… and that would be enough to login from now on, right?

They trust you to login… they trust you to put a phone number…

Google is trying to make things more secure for the normal user here. To log on you need username/password and a 2nd token. If you use a security key then you can enable TOTP/HOTP as a second method, as far as I recall.

Generating app passwords means that you can only access part of your Google account with a username and a password. That’s the point of an app password. It is less than ideal, but it enables you to use your Google account with older clients that don’t support various 2FA methods.

Again, no need to reiterate what’s been discussed, or why 2FA might be a good thing.

Not sure why you posted here since no one said “it’s a bad thing”, but… specifically… said: “it’s a bad thing to ask for phone numbers”

Are we lost in translation?

Again: if a user had taken the time to organize this in the months before Google activated 2FA there would be no need to give Google a telephone number.

I wonder how many people this actually affects? I’d imagine it would be very few.

Can you link to when they announced that TOTP/HOTP, eg. Google Authenticator, will no longer be permitted?

As far as I know you can still use TOTP/HOTP with a Google account, but you need to activate one of the 3 main access methods first (USB key, mobile phone, something else).

As you can read my posts above, the “something else” means “a Google Services dependent device”.

Anyway… yeah

Presuming this: World and affected people as per your logic is then very few, how much do you think it means when your phone number gets leaked, which in many countries is the main and only number and used for banking? Google, like everyone, has leaks, maybe knowingly, maybe… If I “in that very few” were to lose, can I come to you asking for my living? I say this since I see you advocating for Foogle even when others here are pretty pleasingly asking you to read what we are discussing in actuality.
So here it is: those very few, according to your thought process, and their privacy, money, safety, etc., mean much more than Foogle, and people ARE trying to move away.
All we are doing here is trying to identify and become more aware of how not to divulge my data to big sharks from my own hand. How to save a very small grass root like myself from getting trampled upon.

Also funny that OTP passcodes end up in Google databases too: Messages, Dialer apps sent text, call info to Google • The Register so much for… security?


If you read the article you link to, you’ll find that OTP passcodes don’t end up in Google databases.

I’m not sure there’s an easy way to make sure that your information does not get into the wrong hands. You could operate your own infrastructure, but that’s more likely to be hacked than Google is, I’d imagine.

I certainly trust Google’s security more than anything I could maintain myself.

Google is trying to create a safe 2FA zone for its users. One of the ways to make this zone safer is to require username, password and proof of telephone number to get access. I imagine Google’s own push notification on Android checks a number of things about the phone as well.

Where exactly?

Good indirect press for F-Droid and some apps (p. 2 of PDF report), for those who dig:

At archive: Wayback Machine

Mitigations

Probably the simplest, safest way to reliably check is to install the APK Explorer app from the F-Droid app store. This is a verified open source app without embedded trackers. Opening the app displays a list of installed apps and their unique package names.

  1. Tracker-Free Alternatives: On Android it is possible to change the default dialer and messages apps. Verified open-source, tracker-free dialer and messages apps are available on the F-Droid app store. For example, Simple Dialer, QKSMS and Simple SMS Messenger.

Maybe a little disturbing how easy to MITM and decrypt “secure” connections (p. 6-). Or is that difficult?

Disclaimers: The guy Doug Leith is putting out a lot of stuff, and The Register is publicizing it. Some needs and gets corrections. Peer review may or may not come later. YMMV.

Couple of questions - please verify:

I have checked in my google account settings and it says less secure access option “will be turned off if it’s not used. On 30th of May 2022 this setting will not be accessible”

Correct me if I’m wrong, but it means:

  • If I’m not logging on to my gmail IMAP account frequently the “less secure” setting will be turned off automatically?
  • After 30th May I will not be able to configure this setting, however it will be still set to: ON if prior that it was on?
  • “Less secure access” is access via IMAP/SMTP, if it’s OFF I still can log on using master password without 2FA using web browser and check my mail within browser to provide more ads revenue to Google & affiliates?

Is that correct?

While thinking about some workaround: is there any option to plug an emulator of a USB authenticator into Firefox while setting up authentication to a Google account? Has anyone tried something like a software YubiKey?

I’m not willing to provide google my phone number as I treat this information with my personal data as confidential.

It’s not a question of frequency

The settings disappears, and it’s off

Of course

Err, that is odd. I have degoogled and even removed all accesses (which I can without root) and I get 2FA and no need for anything else, like I mentioned earlier. I still use 2FA with an OTP client and codes.

Since this is rolled out unevenly, and depends on past actions, what you see now might not apply to others

BTW any suggestion for a good email server?

Depends on your threat model, whether you can pay, time, etc.

tutanota? migadu? protonmail? posteo? self-host? mailbox dot org?

Ref: Email service provider recommendations
