On Sun, Jan 26, 2020 at 10:35 AM Andrew C Aitchison via mailop <mailop@mailop.org> wrote:

> On Sun, 26 Jan 2020, Jaroslaw Rafa via mailop wrote:
>
> > Similar thing happened to me recently when I wanted to re-login to one of
> > those test accounts from my home computer, but I installed a new browser
> > which was not yet used with that account. Usually there are no problems in
> > such a case, but my home Internet connection just went down that day and I
> > had to switch to a backup connection via cellular modem. Probably because
> > of IP address belonging to a generally-accessible mobile operator's pool,
> > Google behaved differently when I logged in to the account. After I already
> > provided a correct password, Google demanded from me to enter a phone number
> > that can be used for verification (!) and I couldn't successfully complete
> > the login procedure, because I didn't want to associate any phone number
> > with that account.
>
> Hmm.
> Proving that you can read a text sent to a number you provide today
> does not prove that you are the person who used the ID and password
> yesterday.
> So they demand you provide a new verification channel so that you can
> prove your ID *next* time ?
>
> I find these multi-factor verifications unsettling because it takes
> a significant effort to convince myself that the verification does
> indeed prove what it is supposed to prove and that it is safe from
> man-in-the-middle.
> I have lost enough physical keys over the years to worry about what
> happens if I lose my phone (which does not have a finger print reader) ...

It's hard to determine what happened based on the descriptions, but the general answer is pretty simple. Passwords are terrible and completely broken. They are generally poorly chosen, weak, and re-used. The result is extreme levels of hijacking. On top of that, people forget their passwords and this isn't something like your home electricity bill or even your bank... how does Google know it's you?

At the one end, that makes account recovery challenging, and it certainly seems that Google decides that losing your account is better than giving it to someone else. There are probably extensive arguments and concerns about how exactly they draw that line, but that's the tension. Your Google account can contain multitudes of personal information, granting it to the wrong person can be crippling to the main owner. Losing access can also be terrible.

The other end of this, what do you do when someone presents the right password to log in, is it a hijacking or not? What happens is a risk assessment of the login, is it from the usual location? Usual country? Usual device type? Is it from somewhere where you see a lot of unusual logins? Does it look like some automated software and not a normal browser? How strong is the password? How common is the password?

The end result of that risk assessment is whether to let the user in, or to make the login more complicated. That started with captchas, sometimes requiring up to 5 or more of them in the riskiest case. The next level is requiring a phone number. Better if the phone number used was already known to Google, but really any phone number will do because a phone number costs money to obtain, so limiting how many accounts can use a number or how frequently, and you have raised the cost of accessing the account. Of course, then you need to know what all of the free or almost free phone number services are, to not allow those to be used, as they don't cost enough.

Of course, if there's money to be made, there's a way, so you get people stealing entire boxes of SIM cards and creating special hardware to use them, see the pictures from this article:
https://cyberpolice.gov.ua/news/kiberpolicziya-prypynyla-diyalnist-masshtabnogo-servisu-dlya-reyestracziyi-riznyx-akauntiv-u-mesendzherax-soczmerezhax-ta-poshtovyx-servisax-8596/

This isn't about tracking, this is about keeping your data safe, and protecting everyone else from what can be done with a hijacked account, from sending spam to click fraud to YT abuse to bitcoin mining on GCP.

In many respects, actually setting up 2FA on your account puts you in a better situation. It means that access to your account is hard to abuse, and so the risk assessment is completely different. Yes, it means that you need to keep both the password and 2FA source secure and available... but that's better than forcing Google to guess at some secondary thing to verify you and choosing wrong.

Brandon
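
The escalation described in the reply above (login risk signals choosing between letting the user in, a captcha, or a phone number, with phone numbers rationed so they stay costly), sketched as an added example that is not part of the thread and not Google's actual logic. The signal names, point weights, thresholds, limits and the `+999` prefix are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Login:
    usual_country: bool
    usual_device: bool
    network_unusual_pct: int   # % of logins from this network that look unusual
    looks_automated: bool
    common_password: bool

def risk_score(l: Login) -> int:
    """Sum assumed penalty points (0-100) for the signals named in the message."""
    score = 0 if l.usual_country else 25
    score += 0 if l.usual_device else 20
    score += 40 * l.network_unusual_pct // 100
    score += 10 if l.looks_automated else 0
    score += 5 if l.common_password else 0
    return score

def challenge_for(score: int) -> str:
    """Map the score to the escalation ladder: allow, captcha, phone number."""
    if score < 20:
        return "allow"
    return "captcha" if score < 45 else "phone"

@dataclass
class PhoneGate:
    """Keeps a phone number a scarce resource: capped accounts and reuse rate."""
    max_accounts: int = 2               # assumed limit
    min_interval_s: int = 3600          # assumed limit
    cheap_prefixes: tuple = ("+999",)   # constructed stand-in for free-number services
    accounts: dict = field(default_factory=dict)
    last_used: dict = field(default_factory=dict)

    def accept(self, number: str, account: str, now: int) -> bool:
        if number.startswith(self.cheap_prefixes):
            return False                # costs too little to deter abuse
        if now - self.last_used.get(number, -self.min_interval_s) < self.min_interval_s:
            return False                # same number reused too quickly
        linked = self.accounts.setdefault(number, set())
        if account not in linked and len(linked) >= self.max_accounts:
            return False                # number already backs too many accounts
        linked.add(account)
        self.last_used[number] = now
        return True
```

With these assumed weights, a correct password from a new browser on a mobile carrier pool (the situation in the quoted message) scores high enough to reach the phone-number step, while the same new browser on a quiet home network only gets a captcha.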