Forced two-factor authentication...?

edited July 2019 in Software

I know I've made many rants here and there about aspects of modern-age tech including unnecessary changes to the Internet but, this needs to be said and hopefully, some of you can relate, and perhaps SomeGuy also if he sees this.

Many of you would know about a thing called two-factor authentication which adds an extra layer of security to your account on any site you're on, and it is entirely optional from what I've been seeing. Now, it seems that some companies are trying to force it on everyone should they log in from another computer or perhaps try making a new account. As someone who does not use a phone (and I have my reasons), this is entirely unfair.

So far, only Google tries to force it on people when I tried to sign in to my older Gmail account only for the site to ask for my phone number. It couldn't even give me other alternatives and by this, it's as if that and other companies (such as Facebook and Amazon) expect people to have a phone on them but let me say this, I know I'm not the only one. There could be the elderly that probably won't be entertained by this either, or anybody unfamiliar with tech in general. That's just like forcing everyone to use self-checkouts in a supermarket, or force everyone to use credit cards instead of physical money.

This would be a bigger problem for me if sometime in the future, I get a new system only then to find myself locked out from major sites and if that's how it's going to be, then fine. My internet activity would have to drop and I would have to remain a "ghost" in every site I browse, and that would be terrible. If two-factor authentication was possible on my Amazon Fire 7 tablet then that would be better. I don't want to use a bloody phone just to tell some site of who I am. Is choosing a strong password and a security question or two simply not good enough for you, Google? Besides, 2FA by use of a phone has more cons than pros anyway.

Hope I'm not the only one expressing his angst for it, because I'm not a happy bunny about it right now.


Comments

  • edited July 2019

    Google tried forcing this on me about 8 years ago but guess what I didn't have! Then when I tried signing up for mail.ru (because of the numerous disadvantages of American e-mail services), they couldn't even reach my phone.

    Thankfully I gave facebook (big mistake) a burner phone number that hasn't been active in years.

    And the day when all checkouts will be self-checkouts is not far away. McDonald's has no qualms directing people to the iPhone-shaped kiosks over the shrinking cashier base. Luckily, many Canadian-owned businesses haven't even brought a single self-checkout into their quarters, but they may be tempted once they hear about how Walmart rolled back their HR budget after replacing a fraction of their in-store staff.

    People around me really want to shift parts of my PC workload to smartphones. My father suggested that I should replace my MS Entertainment Pack Tetris with some freemium or ad-supported app on my phone. Infected ads could easily create more security issues on a device used for authentication.

    Hell, my sister's old phone had ads on the lock screen and randomly appearing when browsing the Android UI.

  • edited July 2019

    Sadly as more and more people get off actual computers more companies will do this. For Google I only really use Google search and YouTube, so it isn’t that big of a deal for me. I also don’t really buy much from Amazon, and I don’t use Facebook. But in general it is becoming much harder to not live with a “smart”phone.

  • There are other forms of two factor authentication. Personally, I prefer the standard OTP that's compatible with Google Authenticator. There are numerous compatible apps that work with it, including desktop apps. I used to use WinAuth and it worked pretty well. Don't use the actual Google Authenticator app though. You want an app that lets you back up the keys so you're not screwed if you lose your phone or have to factory reset it.

    I also like physical two factor tokens like the Yubikey. That's easy enough for anyone to use. Just don't lose it.

    I do not like sites that only offer texting as an option for the second factor. It's better than nothing I suppose, but that just makes your cell provider a target for hackers. There have already been cases of social engineering the provider and getting them to transfer the number to a different SIM so people can hijack the account. But it's generally easier for Average Joe to manage.

    And yes, modern society expects you to have a phone number. That has pretty much been expected for a little under 100 years now. The ability for said number to receive text messages is a relatively new thing, though. Some sites do offer a voice code instead. You could also use something like Google Voice (although you'd need to have a real number initially to get it set up. You could borrow someone else's if you don't have a number) or another VOIP provider so you could have a soft phone that receives the 2nd factor messages. This would work well for the most part, but there are some places that won't accept a VOIP number for security codes, which is annoying.

    Two factor authentication is just a necessary evil these days. People suck at making passwords and keeping them secure. Security questions, if you answer them truthfully, are just stupid. They can easily be answered by either social engineering you or someone you know that knows you. You should treat them like another password field and use a randomly generated string as an answer.

    There are numerous companies trying to get rid of passwords altogether, but I'm not sure how that'll play out.

    As for self-checkout, what's wrong with that? The less I have to interact with another person, the better. If you're worried about jobs, those jobs suck anyway. No one really wants to do them, so the more we can automate them away, the better. The people that would have had those jobs will just have to learn to do other jobs. I'm sure that eventually, all jobs will be automated away and we'll be free to focus on improving ourselves or spending our time enjoying life instead of slaving away in service of faceless corporations.

  • Back when Stitch was running the servers, he tried to set up two factor authentication. Every time I made a connection to the server to process files my phone would ring and I had to enter something. And SCP makes multiple connections, plus my ISP sometimes likes to flake out and forces a reconnect. Very annoying, and limited when I could do stuff. Apparently "smart phones" can somehow handle this automatically. It didn't even seem to occur to him that a proper desk phone would operate differently.

    I HATE self checkouts. I might use one if I had just one or two simple things and lines were insanely long, but I have zero patience with machines so I lose my temper when something goes wrong. When a cashier is handling the stuff, then any problem is not MY fault.

    I had to go to Home Depot for the first time in more than a year, and the one here has changed to 100% self checkout. The place feels like one giant vending machine now. Very, very unpleasant place to shop now. Compare that to the little ACE Hardware down the road, and every time I go in there, there are always helpful PEOPLE ready to assist with everything.

    Another thing about self checkouts, if you use cash, you have to feed it in to the machine yourself. Unlike cash registers, it automatically scans dollar bill serial numbers and links them to your purchase. They can and do aggregate this data with bank data, so the majority of the time they can link the money to who you got it from. Of course, they say it is just to catch "counterfeiting".

    Self checkouts also drive me nuts with the highly repetitive voice prompts, even when I am just near them. "Please place the item in your ass", "Please select your method of suicide from the options shown below.", "Do you have any brains?"

    One of the consumertard craters, I mean stadiums, around here is trying to go cashless (they are already brainless :P ). They have been pushing it like it is some major advance rather than a big step backwards.

    They really don't want peons possessing anything of any value, and absolutely not where they can't track it.

    As for cell phones, people get ridiculously religious about them. They can't even imagine that someone would want or need to do something DIFFERENT from them. I know there are some people who think I'm somehow technologically behind because I don't own a "smart" phone, but I honestly can't think of anything I would actually NEED one for that would be worth all the money.

    But most people seem to care more about what is in fashion. The other day there was some random news story about a cell phone store break in, and they interview some woman who talked about how she was buying some $1000 iPhone... why? "cuz it has Siiiiriiii". Seriously, WTF? Idiots.

    Since cell phones have come in to fashion, I have saved myself $$$$$ by not having one, and having to constantly replace it every couple years even though it would just sit around unused. (I could also go on about cable TV)

  • edited July 2019

    The thing about self-checkouts was just a lame analogy of what I talked about earlier. Didn't think that'd spark a separate discussion, ha.

    I didn't think Google had forced people to use 2FA from that time ago. I thought it was only in recent times. In regards to Google services, for me it's mostly Gmail, Maps and Translate. I don't really give two shits about YouTube these days what with it being a cesspit of "vines" and "fails". Oh yeah, people reacting to random crap also as an attention-seeking tactic. Being serious though, if Google decides to lock me out from Gmail when on another computer then I'm afraid it's the end of that, after 14 years.

    Then again, I make use of strong passwords for wherever I go so I don't really need 2FA on top of that, do I?

    @SomeGuy said:
    The other day there was some random news story about a cell phone store break in, and they interview some woman who talked about how she was buying some $1000 iPhone... why? "cuz it has Siiiiriiii". Seriously, WTF? Idiots.

    I honestly hope you're joking there :|

  • @Bry89 said:
    I honestly hope you're joking there :|

    Nope. Productivity is antonymous with smartphones. Many people seem to change them every year or two just for what? I could understand their purpose as entry-level cameras (which would, hopefully, improve in resolution and storage capability) but the iPhone 4 probably plays videos and sends facebook messages as well as the iPhone XXXR or whatever it's called.

  • Strong passwords don’t help if it gets intercepted or if the site owner has a data breach.

  • edited July 2019

    @win32 said:
    And the day when all checkouts will be self-checkouts is not far away. McDonald's has no qualms directing people to the iPhone-shaped kiosks over the shrinking cashier base.

    I've actually refused to use those kiosks before. The only time I will use one is if the line is really long and I'm short on time. Sometimes they will direct me to one of them, but usually I can just say I'd rather order the normal way and they will ring me up at the register. The one time they said I have to use the kiosk to place my order, I walked out and went to the Chick-fil-A next door. They don't have kiosks at all, even after completely rebuilding the place. They really have excellent customer service (and I am NOT paid to say that) !

    I also have not had to use 2-factor authentication very often. Discord made me use it, though. Google hasn't asked me for it, neither has Facebook or AOL.

  • @nick99nack said:
    Discord made me use it, though.

    It didn't for me, funnily enough. Maybe, it's forcing on it now?

  • Not sure. It only made me use it when I signed in at a different location.

  • Yes, I had a feeling that would happen to do with location, as well as a changed IP address even.

  • Well, looks like I've become an unwilling victim of 2FA after all... found myself locked out of Google and Discord when trying to sign in to a tablet and library, and even my own system (when I had unknowingly wiped all cookies from my browser, but don't ask me why about that). You have no idea how pissed off I was when trying to reaccess my Gmail account until I had no choice but to make a brand new Google account (and used that so I can receive the verification code), after Google itself flipped me off numerous times. A shame though, because I've got stuff on my Drive and recently started a YouTube channel under it.

    Considering I don't have a phone to reaccess my old account and I am not going to waste my time getting one just for authorisation, I wonder if using someone else's phone may do the trick, even if it's just for the one time. What do you all think? Good idea, or not?

  • I think you should just get a phone already.

    Whether it's two factor authentication, applying for jobs, making appointments, etc. you will need a phone for something at some point in order to function in our modern society. So there's no point in avoiding it unless you plan to go live off the land in a cabin in the woods and forsake society entirely.

    And it doesn't have to be a smart phone. It could be a basic burner phone with a pay-as-you-go card. It could even be a landline and you could use Google Voice if you need texting for something.

    Whatever it is, you will need it at some point. So find the least objectionable way for you to make it happen.

  • Are you sure you got "locked out"? In the past gmail has nagged me about adding a phone number, sometimes it isn't obvious how to get past that screen, but a bookmark directly to the mailbox would skip it.

    Then again, every time I try to log in to my old youtube account (made before google assimilated it) it gets more and more dick-headed about wanting a "recovery" e-mail or such every time I log in. Eventually I had to give it another e-mail address, but I don't recall giving it any phone number. Haven't checked lately though.

  • edited August 2019

    I second what @SomeGuy said. It will nag you sometimes about adding a phone number after signing in, but usually you can just navigate to Gmail again and it will bypass that. You don't need a phone. A second e-mail address is still an option.

  • edited August 2019

    @SomeGuy said:
    Are you sure you got "locked out"? In the past gmail has nagged me about adding a phone number, sometimes it isn't obvious how to get past that screen, but a bookmark directly to the mailbox would skip it.

    Well I'm always shown to a screen to add in a number after the ones for email address and password, that is all.

    And @BlueSun, I could actually use the landline number of this house as you mentioned it, because the other day my mother received a text on it and perhaps that would be same for this situation. I'll try that whenever I can, and get back to you.

  • Sorry for the early bump but, I'm sad to say that I can't use my landline to get me in. Looks like I need a phone after all... but none of that "smart" crap because I'm not a rich kid or anything like that. Probably a burner/disposable phone would be better for me at this point...

  • You can probably find a cheap Android for less than 20 bucks on ebay or get a prepaid+phone plan at a supermarket for slightly more. But you get a plan with it so...
    I'm starting to see budget Androids getting into the cheapness realm of flip phones.

    Stay off of Samsungs. Their amoled screens burn in worse than an airport departure schedule CRT.

  • Ug. That is just evil. Google is now nothing but cell phone salesmen. Requiring a cell phone instead of just a normal plain old telephone only serves the purpose of selling cell phones.

  • In my opinion, though, it may serve as a method to bolster sales of their own garbage pixel. I'm surprised Google hasn't made some special "Pixel Optimized" thing to advertise it more.

    But I do agree. Paypal and ebay of all companies offer call-in verification if they can't let you in for some reason. Why a text must be required, when that can be as exploitable as a computerized call...
    Also most likely because a cell phone->analytical apps->data mining->profit for google.

  • @yourepicfailure said:
    You can probably find a cheap Android for less than 20 bucks on ebay or get a prepaid+phone plan at a supermarket for a slightly more. But you get a plan with it so...

    Or that I can get one from a small mobile shop just down the road from me. And yeah, thanks for the advice about Samsungs. I'll keep it in mind, ha.

    And yeah @SomeGuy, that's what it's become apparently. Facebook and Amazon could be next :\

  • I logged into my old youtube account from 2011 a few times recently. I haven't been forced to provide authentication methods aside from the now inaccessible yahoo account that was used to sign up for it back then.

    Maybe this is presently a regional thing, where it is being forced in the UK and U.S. but not Canada. Maybe it would react differently with a 2000 or 7 user agent as opposed to a win10 one (which I used).

  • @win32 said:
    Maybe this is presently a regional thing, where it is being forced in the UK and U.S. but not Canada. Maybe it would react differently with a 2000 or 7 user agent as opposed to a win10 one (which I used).

    It doesn't seem to be a US thing as it's never forced me to verify anything.

  • edited August 2019

    So, it's only a UK thing then? That's strange... but considering that I've not gotten myself a "burner phone" as of yet to finally solve this, I did try using a site called Receive SMS Online where you can use any of the active SMS numbers to get verification codes. The problem is, I've used at least three different numbers (even an American one) and I've waited minutes for an SMS to appear under a number's page, when it should've been instantly as what the site said. If it didn't work for me, how come I've seen others getting Google verification codes? :\ But even when I tried to use a different number, Google would then be a dick and lock me out again, because I tried to sign-in "too many times". That's bullshit. I've only tried to get in twice.

    If supposing I don't get a burner phone either from that local shop I know or even Amazon, then I will speak to a friend whom I know in my place of work and hopefully I can have their number, just to finally get in (although I'd be on a different system). Now, supposing if this works, would that number be tied to my account? And if so, would I not need to verify again if I'm on another system/browser (i.e. my own)?

    EDIT: I've noticed that part of that page's URL of the verification step contains /signin/v2/challenge/, and I wonder if there's a way to bypass it with Greasemonkey or something. That would be good.

  • edited August 2019

    It's strange that you can't use a regular landline phone to have them call you. Their own page says that it's possible: https://www.google.com/landing/2step/features.html

    What's really sad is that Google's own advice is to consider creating a replacement Google account. https://support.google.com/accounts/troubleshooter/2402620?hl=en&ref_topic=3382255#ts=2402626%2C2402725

  • @nick99nack said:
    What's really sad is that Google's own advice is to consider creating a replacement Google account.

    That's what I had to do... but I'm hoping it will only be temporary. And as for using a landline number, guess I've messed up with trying to put in my home number to go in line with the +44 dialling code.

    Even if I get this sorted, I may think about ditching Gmail altogether in the future, and use a different email provider that isn't so stringent with security (and all I can think of just now is Outlook.com. Any more suggestions, hit me up with them).

  • Yandex is quite good and is not nearly as naggy as Google.

  • @Bry89 said:
    Even if I get this sorted, I may think about ditching Gmail altogether in the future, and use a different email provider that isn't so stringent with security (and all I can think of just now is Outlook.com. Any more suggestions, hit me up with them).

    AOL isn't as strict and still follows the classic format of message display, rather than threaded view and the highly annoying double inbox on Outlook.com (featured vs other or something like that).

  • I turned that featured thing off.
    It was painful.

  • Good news everyone... I've got things sorted. I had managed to log in to my main Gmail account under a computer at my volunteering place, after I had set my new Gmail address as a recovery email, and also verified the most recent log-in attempts too from my own IP addresses. I also got back on Discord successfully too.

    Although I'm happy now, it's ridiculous for anyone to go through these lengths to access their account. Just hope this doesn't happen again.
