Google to turn on 2-factor authentication for 150MN
" By the end of the year, Google will require 150 MILLION
people to use its two-step verification process to login to
accounts, using one-time codes for apps too. YouTube will also
require around 2MN content creators to do the same.
" Google claims it is one of the most reliable ways to prevent
hacks, which requires a secondary personal device to be
registered.
10-06-21 09:06 August Abolins wrote to All about Google to turn on 2-facto
Howdy! August,
Google to turn on 2-factor authentication for 150MN
" By the end of the year, Google will require 150 MILLION
people to use its two-step verification process to login to
accounts, using one-time codes for apps too. YouTube will also
require around 2MN content creators to do the same.
" Google claims it is one of the most reliable ways to prevent
hacks, which requires a secondary personal device to be
registered.
I don't have any Google accounts but I have a problem with 2-factor authentication (2FA).
I do have a Cell Phone ("secondary personal device") but only use
it as a Telephone when I'm away from the house.
I don't use it for Texting or Data.
I have a land line phone and can't receive Text Messages on it.
I was asked by my Email Provider for a 2FA phone number but learned
by reading the site's Help page that it wanted a Mobile Number not
the L/L number when I was asked for a 2FA number.
I tried entering the L/L # but later on I removed that entry.
I only give the Cell Phone number to a few people or businesses.
I won't enter it when I'm asked about 2FA.
I guess I'm just a trouble maker.
73 de Ed W9ODR dit dit
... I'm thick headed and hard of hearing - would You repeat that please?
I think Google is using TOTP, which does not require a
phone number [...]
The idea is that the TOTP device creates a One-Time-
Password which is a function of the date (in seconds) and
some cryptomaterial stored in the TOTP device. This means
if you need to know your password for NOW you tell the
device to produce it, and you get one, and the device only
needs to have a copy of your OTP key material and a working
clock.
The server can verify the password is correct by performing
the same operation, pretty much.
I learned this:
[1]
TOTP values can be phished like passwords, though this requires
attackers to proxy the credentials in real time.[a]
[a] Umawing, Jovi (21 January 2019). "Has two-factor
authentication been defeated? A spotlight on 2FA's latest
challenge". Malwarebytes Labs. Archived from the original on 25
September 2020. Retrieved 9 August 2020.
[2]
An attacker who steals the shared secret can generate new,
valid TOTP values at will. This can be a particular problem if
the attacker breaches a large authentication database.[b]
[b] Zetter, Kim. "RSA Agrees to Replace Security Tokens After
Admitting Compromise". WIRED. Archived from the original on 12
November 2020. Retrieved 17 February 2017.
I'd rather use SQRL.
I have a Nitrokey Storage 2 which I got for Linux Magazine
work (article coming next year) and I was testing OTPs with
it. I think they have some value but they are not as great
as they are hyped up to be.
Hello Arelor!
** On Friday 08.10.21 - 05:38, Arelor wrote to August Abolins:
I have a Nitrokey Storage 2 which I got for Linux Magazine
work (article coming next year) and I was testing OTPs with
it. I think they have some value but they are not as great
as they are hyped up to be.
Wow.. That Nitrokey seems to be the top of the line model
starting at 109.00 EU
Never heard of the thing.
--
../|ug
I think Yubikeys are more popular. The Nitrokeys I like
because they release the source code of their stuff.
A lot of this stuff you can do in software, but if you are
dealing with industrial data these things are a step up in
the security ladder.