• Google to turn on 2-factor authentication for 150MN

    From August Abolins@618:250/1.9 to All on Wed Oct 6 09:06:00 2021
    Google to turn on 2-factor authentication for 150MN

    " By the end of the year, Google will require 150 MILLION
    people to use its two-step verification process to login to
    accounts, using one-time codes for apps too. YouTube will also
    require around 2MN content creators to do the same.

    " Google claims it is one of the most reliable ways to prevent
    hacks, which requires a secondary personal device to be
    registered.

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Ed Vance@618:250/1 to August Abolins on Wed Oct 6 12:03:00 2021
    10-06-21 09:06 August Abolins wrote to All about Google to turn on 2-facto
    Howdy! August,

    Google to turn on 2-factor authentication for 150MN

    " By the end of the year, Google will require 150 MILLION
    people to use its two-step verification process to login to
    accounts, using one-time codes for apps too. YouTube will also
    require around 2MN content creators to do the same.

    " Google claims it is one of the most reliable ways to prevent
    hacks, which requires a secondary personal device to be
    registered.

    I don't have any Google accounts but I have a problem with 2-factor authentication (2FA).

    I do have a Cell Phone ("secondary personal device") but only use
    it as a Telephone when I'm away from the house.
    I don't use it for Texting or Data.

    I have a land line phone and can't receive Text Messages on it.

    I was asked by my Email Provider for a 2FA phone number but learned
    by reading the site's Help page that it wanted a Mobile Number not
    the L/L number when I was asked for a 2FA number.
    I tried entering the L/L # but later on I removed that entry.

    I only give the Cell Phone number to a few people or businesses.
    I won't enter it when I'm asked about 2FA.

    I guess I'm just a trouble maker.

    73 de Ed W9ODR dit dit


    ... I'm thick headed and hard of hearing - would You repeat that please?
    --- MultiMail/MS-DOS v0.49
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (618:250/1)
  • From Arelor@618:250/24 to Ed Vance on Thu Oct 7 06:29:34 2021
    Re: Google to turn on 2-facto
    By: Ed Vance to August Abolins on Wed Oct 06 2021 12:03 pm

    10-06-21 09:06 August Abolins wrote to All about Google to turn on 2-facto
    Howdy! August,

    Google to turn on 2-factor authentication for 150MN

    " By the end of the year, Google will require 150 MILLION
    people to use its two-step verification process to login to
    accounts, using one-time codes for apps too. YouTube will also
    require around 2MN content creators to do the same.

    " Google claims it is one of the most reliable ways to prevent
    hacks, which requires a secondary personal device to be
    registered.

    I don't have any Google accounts but I have a problem with 2-factor authentication (2FA).

    I do have a Cell Phone ("secondary personal device") but only use
    it as a Telephone when I'm away from the house.
    I don't use it for Texting or Data.

    I have a land line phone and can't receive Text Messages on it.

    I was asked by my Email Provider for a 2FA phone number but learned
    by reading the site's Help page that it wanted a Mobile Number not
    the L/L number when I was asked for a 2FA number.
    I tried entering the L/L # but later on I removed that entry.

    I only give the Cell Phone number to a few people or businesses.
    I won't enter it when I'm asked about 2FA.

    I guess I'm just a trouble maker.

    73 de Ed W9ODR dit dit


    ... I'm thick headed and hard of hearing - would You repeat that please?

    There are many mechanisms for 2FA.

    I think Google is using TOTP, which does not require a phone number (or a data plan for that matter). Hell, you can do it without a phone, using a TOTP device (such as a Nitrokey. ADMIN
    Magazine review coming soon)

    The idea is that the TOTP device creates a One-Time-Password which is a function of the date (in seconds) and some cryptomaterial stored in the TOTP device. This means if you need to know your
    password for NOW you tell the device to produce it, and you get one, and the device only needs to have a copy of your OTP key material and a working clock.

    The server can verify the password is correct by performing the same operation, pretty much.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:510/1.1 to Arelor on Thu Oct 7 22:55:00 2021
    Hello Arelor!

    ** On Thursday 07.10.21 - 06:29, Arelor wrote to Ed Vance:

    I think Google is using TOTP, which does not require a
    phone number [...]

    The idea is that the TOTP device creates a One-Time-
    Password which is a function of the date (in seconds) and
    some cryptomaterial stored in the TOTP device. This means
    if you need to know your password for NOW you tell the
    device to produce it, and you get one, and the device only
    needs to have a copy of your OTP key material and a working
    clock.

    The server can verify the password is correct by performing
    the same operation, pretty much.

    I learned this:

    [1]

    TOTP values can be phished like passwords, though this requires
    attackers to proxy the credentials in real time.[a]

    [a] Umawing, Jovi (21 January 2019). "Has two-factor
    authentication been defeated? A spotlight on 2FA's latest
    challenge". Malwarebytes Labs. Archived from the original on 25
    September 2020. Retrieved 9 August 2020.

    [2]

    An attacker who steals the shared secret can generate new,
    valid TOTP values at will. This can be a particular problem if
    the attacker breaches a large authentication database.[b]

    [b] Zetter, Kim. "RSA Agrees to Replace Security Tokens After
    Admitting Compromise". WIRED. Archived from the original on 12
    November 2020. Retrieved 17 February 2017.


    I'd rather use SQRL.
    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: my little micronet point (618:510/1.1)
  • From Arelor@618:250/24 to August Abolins on Fri Oct 8 05:38:08 2021
    Re: Google to turn on 2FA
    By: August Abolins to Arelor on Thu Oct 07 2021 10:55 pm

    I learned this:

    [1]

    TOTP values can be phished like passwords, though this requires
    attackers to proxy the credentials in real time.[a]

    [a] Umawing, Jovi (21 January 2019). "Has two-factor
    authentication been defeated? A spotlight on 2FA's latest
    challenge". Malwarebytes Labs. Archived from the original on 25
    September 2020. Retrieved 9 August 2020.

    [2]

    An attacker who steals the shared secret can generate new,
    valid TOTP values at will. This can be a particular problem if
    the attacker breaches a large authentication database.[b]

    [b] Zetter, Kim. "RSA Agrees to Replace Security Tokens After
    Admitting Compromise". WIRED. Archived from the original on 12
    November 2020. Retrieved 17 February 2017.


    I'd rather use SQRL.

    I didn't say it was bulletproof or necessarily a good idea.

    My experience with OTP systems is that they make support tickets skyrocket because
    people are very good at losing their OTP credentials, and those are not as easy to
    reset as passwords.

    I have a Nitrokey Storage 2 which I got for Linux Magazine work (article coming next
    year) and I was testing OTPs with it. I think they have some value but they are not as
    great as they are hyped up to be.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:250/1.9 to Arelor on Sat Oct 9 20:00:00 2021
    Hello Arelor!

    ** On Friday 08.10.21 - 05:38, Arelor wrote to August Abolins:

    I have a Nitrokey Storage 2 which I got for Linux Magazine
    work (article coming next year) and I was testing OTPs with
    it. I think they have some value but they are not as great
    as they are hyped up to be.

    Wow.. That Nitrokey seems to be the top of the line model
    starting at 109.00 EU

    Never heard of the thing.
    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)
  • From Arelor@618:250/24 to August Abolins on Sun Oct 10 04:44:10 2021
    Re: Google to turn on 2FA
    By: August Abolins to Arelor on Sat Oct 09 2021 08:00 pm

    Hello Arelor!

    ** On Friday 08.10.21 - 05:38, Arelor wrote to August Abolins:

    I have a Nitrokey Storage 2 which I got for Linux Magazine
    work (article coming next year) and I was testing OTPs with
    it. I think they have some value but they are not as great
    as they are hyped up to be.

    Wow.. That Nitrokey seems to be the top of the line model
    starting at 109.00 EU

    Never heard of the thing.
    --
    ../|ug

    I think Yubikeys are more popular. The Nitrokeys I like because they release the source code of their stuff.

    The Nitrokey Storage can act as a GPG Smartcard, x.504 smartcard, password manager, TOTP and HOTP device, and in addition
    has hardware powered encryption - meaning the encryption and decryption operation is carried by an internal chip instead of
    an operating system. It features anti-tampering design, so Biden's agents can break the key open and extract its contents
    easily, and the device self-bricks if you enter the wrong password too often.

    A lot of this stuff you can do in software, but if you are dealing with industrial data these things are a step up in the
    security ladder.

    --
    gopher://gopher.richardfalken.com/1/richardfalken
    --- SBBSecho 3.14-Linux
    * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)
  • From August Abolins@618:250/1.9 to Arelor on Sun Oct 10 08:03:00 2021
    Hello Arelor!

    ** On Sunday 10.10.21 - 04:44, Arelor wrote to August Abolins:

    I think Yubikeys are more popular. The Nitrokeys I like
    because they release the source code of their stuff.

    [...]

    A lot of this stuff you can do in software, but if you are
    dealing with industrial data these things are a step up in
    the security ladder.

    Industrial espionage goes on. :/ The tale of Stuxnet is
    incredible, to think it started with someone simply inserting
    an infected USB thumbdrive.
    --
    ../|ug

    --- OpenXP 5.0.50
    * Origin: (} Pointy McPointface (618:250/1.9)