It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register because I didn't want to give them a phone number. I was expecting to be allowed to use an email.
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to
register because I didn't want to give them a phone number. I was
expecting to be allowed to use an email.
On 2/20/2024 at 4:40 PM, A.Brehme wrote:
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register
because I didn't want to give them a phone number. I was expecting to be
allowed to use an email.
Would it accept 999-999-9999?
Bill H <billh@domain.is.invalid> wrote:
On 2/20/2024 at 4:40 PM, A.Brehme wrote:
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register
because I didn't want to give them a phone number. I was expecting to be >>> allowed to use an email.
Would it accept 999-999-9999?
When you specify a phone number, they send a 2FA text to that number.
You need to use the 2FA code to complete the new-account registration.
They aren't that dumb.
On 2/20/2024 at 4:40 PM, A.Brehme wrote:
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register
because I didn't want to give them a phone number. I was expecting to be
allowed to use an email.
Would it accept 999-999-9999?
When you specify a phone number, they send a 2FA text to that number.
You need to use the 2FA code to complete the new-account registration.
They aren't that dumb.
Oh well. Just a thought. Some site will accept 999-999-9999, but they
don't do 2FA.
On 2024-02-21 02:01, Bill H wrote:
On 2/20/2024 at 4:40 PM, A.Brehme wrote:
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register
because I didn't want to give them a phone number. I was expecting to be >>> allowed to use an email.
Would it accept 999-999-9999?
They verify you can receive a message on whatever number you give.
I suspect part of their decision was to allow a means of recovery.
VanguardLH wrote:
I suspect part of their decision was to allow a means of recovery.
I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.
VanguardLH wrote:
I suspect part of their decision was to allow a means of recovery.
I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.
Ideally security protocols should be 'advised' and then the suggested protocols optionally available.
It is NO GOOD when security rules work to the disadvantage of the user instead of to his advantage.
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
I just tried to create a new account but it didn't allow me to register because I didn't want to give them a phone number. I was expecting to be allowed to use an email.
Mike Easter wrote:
VanguardLH wrote:
I suspect part of their decision was to allow a means of recovery.
I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.
Hey! We're Google! We know what's best for you!
Searching on the Internet, EMail, online storage - all for free!! FOR FREE!! You don't have to pay anything, we just want to have as much of your data
as we can get. Don't worry, we just try to overtake this whole internet-thing.
If you're already in our fenced garden you don't have to worry at all.
Get your free Gmail, Gstorage, Gnet, Ginternet, Ggroups, Gforums, Gsale now!!!
Mike Easter <MikeE@ster.invalid> wrote:
VanguardLH wrote:
I suspect part of their decision was to allow a means of recovery.
I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.
Well, when your bank enforces 2FA to login, you can argue until you die.
They rely on the advise of their web devs, and advice from their lawyers trying to indemnify the bank against hacked accounts.
I hate running around to find my smartphone when my bank sends a text
with the 2FA login code. I'm not grafted to my phones. I had to use
Authy to work with their 2FA login, but Authy discontinued their desktop client, and I obviously don't need their mobile app since the phone is
where I'd be getting their 2FA text, anyway. Their only other choice to
get their 2FA codes is to get them via SMS. Geez, like that's a more
secure setup: use an insecure communications venue (SMS) to complete
login using HTTPS and me using long strong passwords that are unique to
every domain. Since Authy is dropping their desktop client, and I'm not going to bother with the Symantec alternative (which I think is just
mobile apps which are unnecessary on the phone where the SMS text gets
sent), I have them send their 2FA code to my Google Voice phone number. Google Voice sends me a copy of texts to my e-mail address. So, I get
the 2FA code via e-mail (which they don't offer as a choice). Complain, suggest, or opine however much as I have, the bank is not going to alter
what choices they have to shove a 2FA code at me - security theater to
allow tracking while compensating for boobs that reuse weak passwords at every site they login.
Ideally security protocols should be 'advised' and then the suggested
protocols optionally available.
It is NO GOOD when security rules work to the disadvantage of the user
instead of to his advantage.
Often "security" is an allusion by making the user busy. Gee, if the
user is busy jumping through hoops, security just must be better.
Reminds of a programmer that had an airline as a customer. Their
real-time reservation system was getting really slow, and embarrasing
their counter agents while customers had to wait a long time. When he
showed up, he made simple edits to the code which added status messages basically saying "You got here", "Now you're here", "Still working", and
so on. That placated the impatience by the counter agents. They saw /something/ was changing instead of staring at a stalled screen. That
got them of his back, so he could focus all his time on analysing and
fixing the problem (requires database maintenance, like deleting delete-flagged records over some expiration, and compacting the
database). He salved the anxiety of the agents until the real problem
got fixed.
2FA is pretending to users that sending codes over insecure
communications venues (e-mail, SMS) is better security. Users are
misled into thinking their logins are more secure. It's like you want
to get into your house, but your neighbor down the block has to send you
a letter with a code to unlock your door, but the letter is not in an envelope, and the letter gets passed to the intervening neighbors who
can each see the contents of the letter.
E-mail is not secure. Rare few users install x.509 or PGP certs into
their e-mail client, or now how to use them (they are by invite: you
send someone your public key they optionally use to encrypt their
message to you that you decrypt using the private key that only you
have). The free e-mail certs (is there more than 1 provider now?) only
have your e-mail address, no other details (you have to pay to get a
more detailed cert). Your only identity in a free e-mail cert is your
e-mail address. So, we have 2FA codes securing a login that are sent
via an insecure e-mail route.
SMS is also insecure. It is not encrypted. We're not talking about
using end-to-end encryption using WhatsApp, but just simple texting.
So, we have 2FA codes securing a login that are sent via an insecure SMS texting route.
By nuisancing users with more steps during the login process, they hope
the majority of them are boobs assuming "Ooh, it's harder to login, so
it just must be more secure."
SMS is also insecure. It is not encrypted. We're not talking about
using end-to-end encryption using WhatsApp, but just simple texting.
So, we have 2FA codes securing a login that are sent via an insecure SMS texting route.
Mike Easter <MikeE@ster.invalid> wrote:
VanguardLH wrote:
By nuisancing users with more steps during the login process, they hope
the majority of them are boobs assuming "Ooh, it's harder to login, so
it just must be more secure."
What pisses me off is Google's preoccupation with SMS for their 2FA.
Some of us live in places like New Zealand where there's not much
interest in providing decent communications in rural areas and as I have
no cellular coverage SMS is a bit of a problem for me. Most
organisations I deal with offer 2FA via email or even voice message via
a land line - not ultra-secure, but better than nothing. But it seems
Google is far too arrogant and indifferent to customers to consider
those options....
It is NO GOOD when security rules work to the disadvantage of the user instead of to his advantage.
On Tue, 20 Feb 2024 17:24:31 -0800, Bill H wrote:
When you specify a phone number, they send a 2FA text to that number.
You need to use the 2FA code to complete the new-account registration.
They aren't that dumb.
Oh well. Just a thought. Some site will accept 999-999-9999, but they
don't do 2FA.
I wonder if a second line existing voip account number would work?
TextNow? 2ndLine? Hushed? TextPlus? Talkatone? Burner? GoogleVoice?
In alt.comp.os.windows-10, on Tue, 20 Feb 2024 19:19:06 -0700, Nick Cine ><nickcine@is.invalid> wrote:
On Tue, 20 Feb 2024 17:24:31 -0800, Bill H wrote:
When you specify a phone number, they send a 2FA text to that number.
You need to use the 2FA code to complete the new-account registration. >>>> They aren't that dumb.
Oh well. Just a thought. Some site will accept 999-999-9999, but they
don't do 2FA.
I wonder if a second line existing voip account number would work?
TextNow? 2ndLine? Hushed? TextPlus? Talkatone? Burner? GoogleVoice?
This is not my question,
but I read it anyhow and installed 2ndLine on
my 85-yo friend's phone with no sim, and it seems to work fine, comelete >witha new phone number. Thank you. they did send an email but only to
my paypal email address, because I decided it was easier to use my
paypal than to convince her to use her credit card. And maybe they
wrote to her gmail address too, but I know they didn't call any phone
numbers or do any 2FA.
I also had tried Google Voice and did something wrong and tonight it
looks like tha would work too, but I have no reports.
Textnow I have not tried to install but it is like the others and it's
free to use with wifi, except for $5 you can get a sim card and then use
it to make and receive calls and texts even if you're not connected to
wifi. How can they do that? I'm very confused.
The others you name and 2 more all seemed to have some bigger weakness.
Well, when your bank enforces 2FA to login, you can argue until you
die. They rely on the advise of their web devs, and advice from their
lawyers trying to indemnify the bank against hacked accounts.
I hate running around to find my smartphone when my bank sends a
text with the 2FA login code. I'm not grafted to my phones.
I have GV googlevoice number/s that provide some mitigation to a
desktop, but I generally keep my ancient cell (flip type 'feature'
phone, ancient linux kernel OS in a VTE dumb phone) near my desktop
computers so that I can turn it on if I need a text.
I would be unhappy if I had to have that kind of 2FA to use gmail, which
is where this thread started.
It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.
malone <malone@nospam.net.nz> wrote:
On Wed-21-Feb-2024 4:42 pm, VanguardLH wrote:
Mike Easter <MikeE@ster.invalid> wrote:
What pisses me off is Google's preoccupation with SMS for their 2FA.
Some of us live in places like New Zealand where there's not much
interest in providing decent communications in rural areas and as I have
no cellular coverage SMS is a bit of a problem for me. Most
organisations I deal with offer 2FA via email or even voice message via
a land line - not ultra-secure, but better than nothing. But it seems
Google is far too arrogant and indifferent to customers to consider
those options....
Does your cellular provider
have the option to send received texts to
your account with them to an e-mail address? I have that with Google
Voice, and it eliminates having to find and use my phone to manually
copy the 2FA code from the phone to the web form at the site to complete
the login. GV sends me a copy of the text to my e-mail address. I can
then open e-mail on the same computer where I'm trying to login.
Sometimes I can just copy-n-paste the 2FA code from the e-mail to the
login web form, but sometimes I'm stuck entering the 2FA code character
by character, because the web form has separate input elements
separately for each character.
I figure if GV has the text-to-email option that other telcos might have
it, too.
VanguardLH <V@nguard.lh> wrote:
SMS is also insecure. It is not encrypted. We're not talking about
using end-to-end encryption using WhatsApp, but just simple texting.
So, we have 2FA codes securing a login that are sent via an insecure SMS
texting route.
But is it practicable for an adversary to intercept the SMS message in
the few seconds it takes for the user to log in with it?
On Wed-21-Feb-2024 4:42 pm, VanguardLH wrote:
Mike Easter <MikeE@ster.invalid> wrote:
VanguardLH wrote:
I suspect part of their decision was to allow a means of recovery.
I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.
Well, when your bank enforces 2FA to login, you can argue until you die.
They rely on the advise of their web devs, and advice from their lawyers
trying to indemnify the bank against hacked accounts.
I hate running around to find my smartphone when my bank sends a text
with the 2FA login code. I'm not grafted to my phones. I had to use
Authy to work with their 2FA login, but Authy discontinued their desktop
client, and I obviously don't need their mobile app since the phone is
where I'd be getting their 2FA text, anyway. Their only other choice to
get their 2FA codes is to get them via SMS. Geez, like that's a more
secure setup: use an insecure communications venue (SMS) to complete
login using HTTPS and me using long strong passwords that are unique to
every domain. Since Authy is dropping their desktop client, and I'm not
going to bother with the Symantec alternative (which I think is just
mobile apps which are unnecessary on the phone where the SMS text gets
sent), I have them send their 2FA code to my Google Voice phone number.
Google Voice sends me a copy of texts to my e-mail address. So, I get
the 2FA code via e-mail (which they don't offer as a choice). Complain,
suggest, or opine however much as I have, the bank is not going to alter
what choices they have to shove a 2FA code at me - security theater to
allow tracking while compensating for boobs that reuse weak passwords at
every site they login.
Ideally security protocols should be 'advised' and then the suggested
protocols optionally available.
It is NO GOOD when security rules work to the disadvantage of the user
instead of to his advantage.
Often "security" is an allusion by making the user busy. Gee, if the
user is busy jumping through hoops, security just must be better.
Reminds of a programmer that had an airline as a customer. Their
real-time reservation system was getting really slow, and embarrasing
their counter agents while customers had to wait a long time. When he
showed up, he made simple edits to the code which added status messages
basically saying "You got here", "Now you're here", "Still working", and
so on. That placated the impatience by the counter agents. They saw
/something/ was changing instead of staring at a stalled screen. That
got them of his back, so he could focus all his time on analysing and
fixing the problem (requires database maintenance, like deleting
delete-flagged records over some expiration, and compacting the
database). He salved the anxiety of the agents until the real problem
got fixed.
2FA is pretending to users that sending codes over insecure
communications venues (e-mail, SMS) is better security. Users are
misled into thinking their logins are more secure. It's like you want
to get into your house, but your neighbor down the block has to send you
a letter with a code to unlock your door, but the letter is not in an
envelope, and the letter gets passed to the intervening neighbors who
can each see the contents of the letter.
E-mail is not secure. Rare few users install x.509 or PGP certs into
their e-mail client, or now how to use them (they are by invite: you
send someone your public key they optionally use to encrypt their
message to you that you decrypt using the private key that only you
have). The free e-mail certs (is there more than 1 provider now?) only
have your e-mail address, no other details (you have to pay to get a
more detailed cert). Your only identity in a free e-mail cert is your
e-mail address. So, we have 2FA codes securing a login that are sent
via an insecure e-mail route.
SMS is also insecure. It is not encrypted. We're not talking about
using end-to-end encryption using WhatsApp, but just simple texting.
So, we have 2FA codes securing a login that are sent via an insecure SMS
texting route.
By nuisancing users with more steps during the login process, they hope
the majority of them are boobs assuming "Ooh, it's harder to login, so
it just must be more secure."
What pisses me off is Google's preoccupation with SMS for their 2FA.
Some of us live in places like New Zealand where there's not much
interest in providing decent communications in rural areas and as I have
no cellular coverage SMS is a bit of a problem for me. Most
organisations I deal with offer 2FA via email or even voice message via
a land line - not ultra-secure, but better than nothing. But it seems
Google is far too arrogant and indifferent to customers to consider
those options....
As I mentioned, you don't (have to use 2FA (actually 2SV in this
case) to use Gmail). You just use it *once* per device (i.e. your
desktop) and tick the box to add that device as a trusted device. No
more 2SV/2FA for that device.
Frank Slootweg <this@ddress.is.invalid> wrote:
As I mentioned, you don't (have to use 2FA (actually 2SV in this
case) to use Gmail). You just use it *once* per device (i.e. your
desktop) and tick the box to add that device as a trusted device. No
more 2SV/2FA for that device.
That won't work if you configure your web browser to purge all locally
cached data on its exit, as I do with Firefox. That tickbox will use
DOM/Web Storage, or maybe cookies, in the web browser to create a
fingerprint on your return visit. No matter how many times I have
ticked the "Remember me" checkbox to supposedly allow quick reentry to
an account, on a return the site doesn't know my web browser, and I have
to do the 2FA process again.
When I exit Firefox, all of the following are purged: browsing &
download history, active logins, form & search history, cookies, [web]
cache, site settings, offline website data (DOM Storage). When I
revisit a web site, it is as if it is the first time I visit there. The
site doesn't get to use any locally cached data to remember me. They
know nothing about my client, so they know nothing about my device,
either. They don't get to track me between web sessions.
Have you ever measured the time from when you click Send in the web form
to have the site send you the 2FA code to when you view it and manually
enter the characters from the message into the web form to click Okay
there to complete the roundabout routing of the 2FA code?
The point isn't about how fast you can enter the 2FA code. It's about >claiming 2FA is more secure when you're already at an HTTPS site to then
send the code using INSECURE communication venues. E-mail is not
secure. SMS is not secure. Phone calls are not secure. The window of >opportunity exists when the 2FA code is insecurely transmitted.
2FA is security theater.
If someone else has my password to a specific site, for example as the result of
a data breach, I might receive the code via SMS or email, which would be an indicator that someone is trying to log in and it's probably time for me to change that password.
2FA is security theater.
Char Jackson wrote:
[snip]
If someone else has my password to a specific site, for example as the result of
a data breach, I might receive the code via SMS or email, which would be an >> indicator that someone is trying to log in and it's probably time for me to >> change that password.
2FA is security theater.
The issue is not with the code.
It is that your phone may be cloned
so that you don't receive the code,
but the criminal does.
Char Jackson wrote:
[snip]
If someone else has my password to a specific site, for example as
the result of a data breach, I might receive the code via SMS or
email, which would be an indicator that someone is trying to log in
and it's probably time for me to change that password.
2FA is security theater.
The issue is not with the code.
It is that your phone may be cloned so that you don't receive the code,
but the criminal does. This is because phone companies have
historically not been good at preventing such cloning - and from their
point of view their loss is only the potential revenue from a few phone calls.
It is true that the criminal needs access to your bank account; but if
he can clone your phone then stealing your login credentials may not be
too difficult.
If he works for the bank it's even easier!
From the bank's point of view it's quite a challenge to confirm that
you really are who you claim to be, and that you're not acting under
duress. This is the area that needs innovative development.
Graham J <nobody@nowhere.co.uk> wrote:
Char Jackson wrote:
[snip]
If someone else has my password to a specific site, for example as
the result of a data breach, I might receive the code via SMS or
email, which would be an indicator that someone is trying to log in
and it's probably time for me to change that password.
2FA is security theater.
The issue is not with the code.
It is that your phone may be cloned so that you don't receive the code,
but the criminal does. This is because phone companies have
historically not been good at preventing such cloning - and from their
point of view their loss is only the potential revenue from a few phone
calls.
It's not the phone which is/can_be cloned, but the SIM.
It is true that the criminal needs access to your bank account; but if
he can clone your phone then stealing your login credentials may not be
too difficult.
There's no way that the other phone with the cloned SIM has the login
credentials. *If* the criminal has the login credentials, he must have
gotten them by other means.
If he works for the bank it's even easier!
Can we get back to earth please!?
From the bank's point of view it's quite a challenge to confirm that
you really are who you claim to be, and that you're not acting under
duress. This is the area that needs innovative development.
That's why banks have developed better 2SV (actually 2FA) means than
SMS, but that does not mean that SMS is dangerous. 2SV by SMS is used >billions of times witout any great problems.
| Sysop: | Keyop |
|---|---|
| Location: | Huddersfield, West Yorkshire, UK |
| Users: | 297 |
| Nodes: | 16 (2 / 14) |
| Uptime: | 11:09:31 |
| Calls: | 6,666 |
| Files: | 12,213 |
| Messages: | 5,336,375 |