Donate to Remove ads

Got a credit card? use our Credit Card & Finance Calculators

Thanks to johnstevens77,Bhoddhisatva,scotia,Anonymous,Cornytiv34, for Donating to support the site

Gmail and two factor authentification

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
Midsmartin
Lemon Slice
Posts: 778
Joined: November 4th, 2016, 7:18 am
Has thanked: 211 times
Been thanked: 491 times

Re: Gmail and two factor authentification

#464139

Postby Midsmartin » December 8th, 2021, 8:28 am

"the user should be allowed to opt in or out of 2FA, rather than have that imposed upon them"

Yes, I mostly agree. But putting myself in Google's shoes, they probably have to put a lot of effort into dealing with hacked accounts. Much easier for them to enforce 2fa. Perhaps they feel it's their duty to do so to protect customers. It's not as though most people are paying for Gmail (other than through viewing adverts). It's also good for their reputation if fewer accounts are broken into.

And if your account is compromised, everyone you've communicated with may receive malicious/fraudulent email that appears convincing because it comes from you.

Imagine that I break into your email account. Browsing it I'm maybe able to gain access to your mobile phone provider, by clicking "I forgot my password"on their website. Armed with your personal information, I convince your phone provider to transfer your number to my SIM. It's not supposed to happen of course, but it does. I think phone operators have tightened up their procedures now.

Now I have access to your mobile number as well as your email. Next stop: phone your bank and convince them I'm you .

Lanark
Lemon Quarter
Posts: 1321
Joined: March 27th, 2017, 11:41 am
Has thanked: 595 times
Been thanked: 582 times

Re: Gmail and two factor authentification

#464149

Postby Lanark » December 8th, 2021, 9:11 am

The biggest problem with 2FA is when your authentication device (phone/generator) stops working for whatever reason (lost, stolen, broken) so you need an alternative way of generating codes otherwise you can kiss goodbye to your email account.

Google will let you generate a bunch of spare codes in advance for this situation, it is a good idea to print those out and store somewhere safe.

JohnB
Lemon Quarter
Posts: 2497
Joined: January 15th, 2017, 9:20 am
Has thanked: 677 times
Been thanked: 997 times

Re: Gmail and two factor authentification

#464150

Postby JohnB » December 8th, 2021, 9:12 am

Too many companies now require a mobile number for 2FA, and delight in the opportunity in sending you pointless text messages. "Your bill for this month was £20 as it was for the previous 12 months"

BigB
Lemon Slice
Posts: 260
Joined: January 8th, 2021, 1:56 pm
Has thanked: 329 times
Been thanked: 81 times

Re: Gmail and two factor authentification

#464151

Postby BigB » December 8th, 2021, 9:14 am

Lootman wrote:
Breelander wrote:
Lootman wrote:Yeah, I can see the value of 2FA for my financial accounts. But for email?

There have been countless reports of email accounts being hacked, usually by malware stealing your login cookies so they can be used on another device. 2FA protects against that.

Agreed, but whether or not that matters depends crucially on what I use that email account for. I am suggesting that the user should be allowed to opt in or out of 2FA, rather than have that imposed upon them.


So you'd be in favour of using 2FA for the email account you use attached to your financial accounts?

If so, it should be a prompt for all email accounts. Not all users (not many at all I'd guess) will be as organised as you in completely isolating their different email accounts.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Gmail and two factor authentification

#464160

Postby servodude » December 8th, 2021, 9:52 am

BigB wrote:
Lootman wrote:
Breelander wrote:There have been countless reports of email accounts being hacked, usually by malware stealing your login cookies so they can be used on another device. 2FA protects against that.

Agreed, but whether or not that matters depends crucially on what I use that email account for. I am suggesting that the user should be allowed to opt in or out of 2FA, rather than have that imposed upon them.


So you'd be in favour of using 2FA for the email account you use attached to your financial accounts?

If so, it should be a prompt for all email accounts. Not all users (not many at all I'd guess) will be as organised as you in completely isolating their different email accounts.


This isn't 2FA for "email" - neither the MS or Google offering
- both are online identities used for SSO accounts (even if any given customer doesn't know that)
If you just want email and a password - use Yahoo, and get hacked...again

Enforcing 2FA is a good way to get rid of customers that you don't what to support
- I've done it in the past and it makes your life a lot easier when you don't have to deal with folk who don't realize what your service gives them (or anyone-else who got access)

-sd

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Gmail and two factor authentification

#464163

Postby Infrasonic » December 8th, 2021, 10:07 am

Lanark wrote:The biggest problem with 2FA is when your authentication device (phone/generator) stops working for whatever reason (lost, stolen, broken) so you need an alternative way of generating codes otherwise you can kiss goodbye to your email account.

Google will let you generate a bunch of spare codes in advance for this situation, it is a good idea to print those out and store somewhere safe.


You can run authenticator apps on more than one device - I've got the MS Android app installed on my Chromebook Android VM as well as my Pixel phone.

Breelander
Lemon Quarter
Posts: 4179
Joined: November 4th, 2016, 9:42 pm
Has thanked: 1000 times
Been thanked: 1855 times

Re: Gmail and two factor authentification

#464199

Postby Breelander » December 8th, 2021, 11:44 am

servodude wrote:If you just want email and a password - use Yahoo, and get hacked...

Not true now, though it was once. Yahoo introduced 2FA long before gMail did.

Enable two-step verification to require a code (in addition to your password) any time a login attempt is made from a new device or browser.
https://help.yahoo.com/kb/SLN5013.html

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Gmail and two factor authentification

#464211

Postby Lootman » December 8th, 2021, 12:29 pm

Breelander wrote:
servodude wrote:If you just want email and a password - use Yahoo, and get hacked...

Not true now, though it was once. Yahoo introduced 2FA long before gMail did.

Enable two-step verification to require a code (in addition to your password) any time a login attempt is made from a new device or browser.
https://help.yahoo.com/kb/SLN5013.html

Yes but 2FA is optional with Yahoo mail, is it not? I have never had to enter a code with my yahoo email address so presumably I would have to opt into using 2FA, and that is my preference for gmail as well.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Gmail and two factor authentification

#464223

Postby servodude » December 8th, 2021, 12:57 pm

Lootman wrote:
Breelander wrote:
servodude wrote:If you just want email and a password - use Yahoo, and get hacked...

Not true now, though it was once. Yahoo introduced 2FA long before gMail did.

Enable two-step verification to require a code (in addition to your password) any time a login attempt is made from a new device or browser.
https://help.yahoo.com/kb/SLN5013.html

Yes but 2FA is optional with Yahoo mail, is it not? I have never had to enter a code with my yahoo email address so presumably I would have to opt into using 2FA, and that is my preference for gmail as well.


Yeah they don't enforce it and famously their customers get hacked a fair bit
But then it's "just" email and not a peer of a Google account
-sd

Midsmartin
Lemon Slice
Posts: 778
Joined: November 4th, 2016, 7:18 am
Has thanked: 211 times
Been thanked: 491 times

Re: Gmail and two factor authentification

#464254

Postby Midsmartin » December 8th, 2021, 2:22 pm

I have this minute set up 2FA on a google account. Most of this has probably already been covered above, but:

1) I can add more than one phone number. If I lose my mobile, I can set it to receive SMS messages on my wife's phone, or by a voice call to our landline
2) In addition I have 10 single use codes printed out to gain access. Perhaps I will leave a copy of this next to my will. I'll have a think! You could take one of these in your wallet if you travel .
2) It understands that my mobile phone is mine, and does not attempt to use 2FA on that. Ditto an old ipad that I actually only use to display music scores.
3) More to my surprise, I was not asked to sign in to Gmail again or supply 2FA on my desktop Outlook on my PC. It still just works.

So the process is not remotely intrusive. It will really only prompt me if someone attempts to log in from an unexpected device. I have plenty of different ways of logging in with 2FA if I need to: app on my phone, text messages, voice to my landline, emergency codes.

I encourage everyone to do it - it's not a big deal.

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Gmail and two factor authentification

#464262

Postby Infrasonic » December 8th, 2021, 3:07 pm

Another reason that Google and other major providers might want to force the MFA/2FA issue (with email in particular) is that spammers and phishers have taken a particular liking to using their free accounts - I've seen a marked increase in the last year or so from Gmail, but also Outlook.com, Zoho and other authenticated ecosystems.

The reason is they get an authenticated SPF/DKIM/ARC environment in which to operate. If they can also keep their spammyness content under the radar of the filters then they stand a much better chance of getting delivered to peoples inboxes rather than junked or bounced/blackholed. Same issue with AWS/Azure/Google cloud VPS, hosting phishers cloned websites/services et al.

It makes sense therefore for providers to get more ID validation data in place to deter spammers and malware spreaders by making them jump through more and more hoops.

There's been a few tin foil hat privacy types moaning about this on YT and other social media tech channels. It's a valid argument, but I'm afraid if you use free services you are completely at the mercy of the provider when they change the rules of engagement - and in this case if it cuts down on the mountains of spam and malware being sent out on a daily basis then there is another upside in addition to the account hacking prevention benefit.

There are more boutique hosting operations out there that will give you more anonymity - court order only third party access, VPN/E2E encrypted email/calendar/cloud storage with paid accounts. e.g Proton Mail, but it isn't cheap when you go for the lot - even with their bundled package stacked discounts.

BobbyD
Lemon Half
Posts: 7814
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 665 times
Been thanked: 1289 times

Re: Gmail and two factor authentification

#464320

Postby BobbyD » December 8th, 2021, 6:24 pm

Lootman wrote:
Infrasonic wrote:
Alaric wrote:There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhare that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.

Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.

If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

But why should I have to jump through all those hoops? At minimum it should be optional.


You don't. If google don't offer a product you are happy with use somebody else's.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Gmail and two factor authentification

#464326

Postby Lootman » December 8th, 2021, 6:48 pm

BobbyD wrote:
Lootman wrote:
Infrasonic wrote:Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.

If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

But why should I have to jump through all those hoops? At minimum it should be optional.

You don't. If google don't offer a product you are happy with use somebody else's.

I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Gmail and two factor authentification

#464331

Postby servodude » December 8th, 2021, 7:56 pm

Lootman wrote:
BobbyD wrote:
Lootman wrote:But why should I have to jump through all those hoops? At minimum it should be optional.

You don't. If google don't offer a product you are happy with use somebody else's.

I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.


So you see it's not just email?
There's little you can do but move - they're in their rights and you agreed to the EULA when you signed up

-sd

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Gmail and two factor authentification

#464337

Postby Lootman » December 8th, 2021, 8:04 pm

servodude wrote:
Lootman wrote:
BobbyD wrote:You don't. If google don't offer a product you are happy with use somebody else's.

I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.

So you see it's not just email? There's little you can do but move - they're in their rights and you agreed to the EULA when you signed up

My point was not about the legality of what they are proposing but rather the customer-friendliness of it, or rather the lack of it.

I want optional features not mandatory restrictions.

servodude
Lemon Half
Posts: 8271
Joined: November 8th, 2016, 5:56 am
Has thanked: 4435 times
Been thanked: 3564 times

Re: Gmail and two factor authentification

#464343

Postby servodude » December 8th, 2021, 8:23 pm

Lootman wrote:
servodude wrote:
Lootman wrote:I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.

So you see it's not just email? There's little you can do but move - they're in their rights and you agreed to the EULA when you signed up

My point was not about the legality of what they are proposing but rather the customer-friendliness of it, or rather the lack of it.

I want optional features not mandatory restrictions.


Customers like that aren't worth it to Google; it would make it harder for them to offer the services and security they do
- time moves on and people are using their Google accounts for do much more than email that simple password protection doesn't cut it

There are other options - Google will probably refund what you paid
-sd

swill453
Lemon Half
Posts: 7962
Joined: November 4th, 2016, 6:11 pm
Has thanked: 984 times
Been thanked: 3643 times

Re: Gmail and two factor authentification

#464349

Postby swill453 » December 8th, 2021, 8:42 pm

Lootman wrote:My point was not about the legality of what they are proposing but rather the customer-friendliness of it, or rather the lack of it.

Isn't it said that users aren't the customers of Google/Facebook/Twitter etc., they're the product.

Advertisers are the customers.

Scott.

BobbyD
Lemon Half
Posts: 7814
Joined: January 22nd, 2017, 2:29 pm
Has thanked: 665 times
Been thanked: 1289 times

Re: Gmail and two factor authentification

#464366

Postby BobbyD » December 8th, 2021, 9:32 pm

Lootman wrote:
BobbyD wrote:
Lootman wrote:But why should I have to jump through all those hoops? At minimum it should be optional.

You don't. If google don't offer a product you are happy with use somebody else's.

I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.


That's the very definition of you don't have to.

Midsmartin
Lemon Slice
Posts: 778
Joined: November 4th, 2016, 7:18 am
Has thanked: 211 times
Been thanked: 491 times

Re: Gmail and two factor authentification

#464375

Postby Midsmartin » December 8th, 2021, 10:18 pm

I think it's a fact of life that big companies are free to offer whatever products and services they wish, within legal limits, and it's up to us to accept them or not.

You can't buy a car with one optional feature; you can only buy an upgrade pack which also has several things you don't want. If you decide you don't want an airbag you're completely out of luck of course.

Lootman
The full Lemon
Posts: 18681
Joined: November 4th, 2016, 3:58 pm
Has thanked: 628 times
Been thanked: 6564 times

Re: Gmail and two factor authentification

#464395

Postby Lootman » December 8th, 2021, 11:52 pm

BobbyD wrote:
Lootman wrote:
BobbyD wrote:You don't. If google don't offer a product you are happy with use somebody else's.

I can avoid Yahoo if I choose to. But avoiding Google is pretty difficult. My phone requires a Google account for a start. And Gmail is the standard these days unless you want to be bombarded by video ads (Yahoo).

Plus I have had my main couple of email accounts now for 10/20 years. Everyone knows them and it would be a right royal pain in the butt to switch them over, and I would lose my instantly recognisable email addresses.

So no, I cannot just switch as easily as you suggest.

That's the very definition of you don't have to.

Not from my perspective.


Return to “Technology - Computers, TV, Phones etc.”

Who is online

Users browsing this forum: No registered users and 13 guests