Gmail and two factor authentification

Posted: December 7th, 2021, 5:46 pm
by Alaric
I have had an email from Google saying they are implementing two factor authentication in the near future.

Unless they make a single authentication last a month or more that's going to make using gmail extremely annoying very quickly. Having upgraded to a new computer with Windows 11, it's nice that gmail automatically syncs so there's no gruesome process of transferring data, but Mail for Windows can be a horror when you aren't used to it.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 6:52 pm
by Infrasonic
I've been using 2FA with Gmail for ages and (touch wood) the only time it ever really bothers me is if I try and access from a new client device, for which you'll get an alert.
AFAIK all that's happening is they are forcing 2FA to be used - not upping the ante in terms of making it more awkward to use.

Same with Microsoft/Outlook.live.com and other MS or linked API services.
Authenticator can generate offline access codes (when needed) so will still work without a mobile/Wi-Fi signal.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 8:33 pm
by Midsmartin
If you have Gmail set up in outlook or something, you don't have to use 2fa every time for this. It's not as intrusive as you fear, and less intrusive than having your account hacked into.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 8:39 pm
by Alaric
Midsmartin wrote:If you have Gmail set up in outlook or something, you don't have to use 2fa every time for this.


There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhere that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 8:46 pm
by Midsmartin
Alaric wrote:
Midsmartin wrote:If you have Gmail set up in outlook or something, you don't have to use 2fa every time for this.


There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhere that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.


I'm assuming it works the same way as office365 2fa. You have to use the second factor when you first configure outlook on your desktop, but it does not ask you every time you open outlook. In some cases you need to use an "app password", a generated password that only works for one application... a bit of a bypass of 2fa.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:12 pm
by Lootman
Alaric wrote:I have had an email from Google saying they are implementing two factor authentication in the near future.

Unless they make a single authentication last a month or more that's going to make using gmail extremely annoying very quickly. Having upgraded to a new computer with Windows 11, it's nice that gmail automatically syncs so there's no gruesome process of transferring data, but Mail for Windows can be a horror when you aren't used to it.

Yeah, I can see the value of 2FA for my financial accounts. But for email?

I already have issues accessing email if I suddenly materialise in another country, as I do quite often, and this will just make that worse, not least because my designated phone may not work in the location I am in.

At least give me the option to opt out of the extra security.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:16 pm
by Infrasonic
Alaric wrote:
Midsmartin wrote:If you have Gmail set up in outlook or something, you don't have to use 2fa every time for this.


There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhere that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.


Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.
If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:20 pm
by BullDog
I think the key thing here is that your Gmail password is the password to everything that the Google environment offers you. Whether you are using them or not. There is far more at stake here than access to a Gmail account. I advise everyone to implement 2FA for their Google (gmail) account.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:21 pm
by Lootman
Infrasonic wrote:
Alaric wrote:
Midsmartin wrote:If you have Gmail set up in outlook or something, you don't have to use 2fa every time for this.

There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhere that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.

Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.

If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

But why should I have to jump through all those hoops? At minimum it should be optional.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:38 pm
by Infrasonic
Lootman wrote:
Infrasonic wrote:
Alaric wrote:There are contradictory statements. The email announcing 2FA doesn't caveat it by saying it only applies when using a new device. Elsewhere that caveat is stated. I've already noticed that despite being the same machine, Google will complain when I'm using a hotel wifi rather than the home connection.

Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.

If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

But why should I have to jump through all those hoops? At minimum it should be optional.


Because there are liability issues and loads of data breaches - stupid people do stupid things all the time and I suppose Google and the other big corps. have got to the stage where they are limiting their legal liability by enforcing 2FA.
I was resistant for ages as 2FA was a PITA in the early days - I tried it and backed out. My recent experiences have been fine though and I'm slowly working my way through various accounts turning 2FA on. No issues whatsoever (so far...).

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:40 pm
by Lootman
Infrasonic wrote:
Lootman wrote:
Infrasonic wrote:Hotel WiFi is notoriously flaky from a security perspective - so that may be a separate Google alert issue!
There have also been quite a few successful database breaches and ransomware attacks on hotel chains - if you can use a 4/5G mobile phone wifi hotspot do so.

If not try a VPN, but again that might cause issues with Google/Gmail off the bat. Split tunnel VPN should help there so you can bypass if needs be.

But why should I have to jump through all those hoops? At minimum it should be optional.

Because there are liability issues and loads of data breaches - stupid people do stupid things all the time and I suppose Google and the other big corps. have got to the stage where they are limiting their legal liability by enforcing 2FA.

I was resistant for ages as 2FA was a PITA in the early days - I tried it and backed out. My recent experiences have been fine though and I'm slowly working my way through various accounts turning 2FA on. No issues whatsoever (so far...).

Like you I have come around to the value of 2FA when it comes to financial accounts.

But email?

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 9:58 pm
by Infrasonic
Lootman wrote:
Infrasonic wrote:
Lootman wrote:But why should I have to jump through all those hoops? At minimum it should be optional.

Because there are liability issues and loads of data breaches - stupid people do stupid things all the time and I suppose Google and the other big corps. have got to the stage where they are limiting their legal liability by enforcing 2FA.

I was resistant for ages as 2FA was a PITA in the early days - I tried it and backed out. My recent experiences have been fine though and I'm slowly working my way through various accounts turning 2FA on. No issues whatsoever (so far...).

Like you I have come around to the value of 2FA when it comes to financial accounts.

But email?



Why do you think spammers jump through so many authentication hoops (SPF/DKIM/ARC) to deliver phishing emails / malware et al? Because it works well enough financially to keep them persisting, despite the might of Google / Microsoft and others trying to stop them.
ID theft can occur over a long period of time as they knit together disparate bits of info garnered from different database sources. Pay attention to how many different entities get successfully hacked and the sensitive personal data that gets exposed if not properly encrypted. I've pointed this out to you before on other threads, nothing has changed there. :)

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 10:02 pm
by Lootman
Infrasonic wrote:
Lootman wrote:
Infrasonic wrote:Because there are liability issues and loads of data breaches - stupid people do stupid things all the time and I suppose Google and the other big corps. have got to the stage where they are limiting their legal liability by enforcing 2FA.

I was resistant for ages as 2FA was a PITA in the early days - I tried it and backed out. My recent experiences have been fine though and I'm slowly working my way through various accounts turning 2FA on. No issues whatsoever (so far...).

Like you I have come around to the value of 2FA when it comes to financial accounts.

But email?

Why do you think spammers jump through so many authentication hoops (SPF/DKIM/ARC) to deliver phishing emails / malware et al? Because it works well enough financially to keep them persisting, despite the might of Google / Microsoft and others trying to stop them.

ID theft can occur over a long period of time as they knit together disparate bits of info garnered from different database sources. Pay attention to how many different entities get successfully hacked and the sensitive personal data that gets exposed if not properly encrypted. I've pointed this out to you before on other threads, nothing has changed there. :)

I keep my personal and financial data in very separate emails from the more general stuff that can do me no harm.

So I draw a distinction between email accounts that can cause me harm and those that cannot. Unless you think me letting my buddy know that I will see him in the pub this Friday night can somehow be used against me.

Give me the choice!!!

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 10:32 pm
by Infrasonic
Lootman wrote:
Infrasonic wrote:
Lootman wrote:Like you I have come around to the value of 2FA when it comes to financial accounts.

But email?

Why do you think spammers jump through so many authentication hoops (SPF/DKIM/ARC) to deliver phishing emails / malware et al? Because it works well enough financially to keep them persisting, despite the might of Google / Microsoft and others trying to stop them.

ID theft can occur over a long period of time as they knit together disparate bits of info garnered from different database sources. Pay attention to how many different entities get successfully hacked and the sensitive personal data that gets exposed if not properly encrypted. I've pointed this out to you before on other threads, nothing has changed there. :)

I keep my personal and financial data in very separate emails from the more general stuff that can do me no harm.

So I draw a distinction between email accounts that can cause me harm and those that cannot. Unless you think me letting my buddy know that I will see him in the pub this Friday night can somehow be used against me.

Give me the choice!!!


Unless your sensitive emails are encrypted at source (which requires the receive end to be similarly set up to decrypt them) then having different email accounts makes very little difference - you're effectively sending electronic postcards, not wax sealed letters.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 10:34 pm
by Lootman
Infrasonic wrote:
Lootman wrote:
Infrasonic wrote:Why do you think spammers jump through so many authentication hoops (SPF/DKIM/ARC) to deliver phishing emails / malware et al? Because it works well enough financially to keep them persisting, despite the might of Google / Microsoft and others trying to stop them.

ID theft can occur over a long period of time as they knit together disparate bits of info garnered from different database sources. Pay attention to how many different entities get successfully hacked and the sensitive personal data that gets exposed if not properly encrypted. I've pointed this out to you before on other threads, nothing has changed there. :)

I keep my personal and financial data in very separate emails from the more general stuff that can do me no harm.

So I draw a distinction between email accounts that can cause me harm and those that cannot. Unless you think me letting my buddy know that I will see him in the pub this Friday night can somehow be used against me.

Give me the choice!!!

Unless your sensitive emails are encrypted at source (which requires the receive end to be similarly set up to decrypt them) then having different email accounts makes very little difference - you're effectively sending electronic postcards, not wax sealed letters.

Again, there is a clear distinction between the information contained in the email account I use for financial data and the account I use for personal stuff that cannot do me any harm. I am running out of different ways to explain that to you.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 10:51 pm
by Alaric
BullDog wrote:I think the key thing here is that your Gmail password is the password to everything that the Google environment offers you.


If what you are looking for is a reliable email account, the security of bells and whistles should not be there to cause grief. I don't suppose the Microsoft rival (something@outlook.com ? ) is any better.

Re: Gmail and two factor authentification

Posted: December 7th, 2021, 11:11 pm
by Infrasonic
Alaric wrote:
BullDog wrote:I think the key thing here is that your Gmail password is the password to everything that the Google environment offers you.


If what you are looking for is a reliable email account, the security of bells and whistles should not be there to cause grief. I don't suppose the Microsoft rival (something@outlook.com ? ) is any better.


I use both free Gmail/Outlook.com with 2FA and both are pain free - I just click 'yes' on the MS authenticator app when it asks if I want to grant access - which is only an 'every time' event when I access my MS account (rarely).
For email access it will only get involved if I change to something like a new client, or need to set up another alias address (that has to be done via the MS account).

I also use the MS authenticator app for my domain mail (Fasthosts) - again it only gets involved when there are changes. I've just logged in to the webmail and it was two clicks. The bookmark and the user/password entry confirmation - exactly the same as before I started using 2FA.

Re: Gmail and two factor authentification

Posted: December 8th, 2021, 12:10 am
by servodude
Infrasonic wrote:
Alaric wrote:
BullDog wrote:I think the key thing here is that your Gmail password is the password to everything that the Google environment offers you.


If what you are looking for is a reliable email account, the security of bells and whistles should not be there to cause grief. I don't suppose the Microsoft rival (something@outlook.com ? ) is any better.


I use both free Gmail/Outlook.com with 2FA and both are pain free - I just click 'yes' on the MS authenticator app when it asks if I want to grant access - which is only an 'every time' event when I access my MS account (rarely).
For email access it will only get involved if I change to something like a new client, or need to set up another alias address (that has to be done via the MS account).

I also use the MS authenticator app for my domain mail (Fasthosts) - again it only gets involved when there are changes. I've just logged in to the webmail and it was two clicks. The bookmark and the user/password entry confirmation - exactly the same as before I started using 2FA.


it's configurable at an org level by whomever is running your MS email
- i.e. the duration of authentication can be set to expire sooner if need be (or only on changes in things like IP or client)

I think BullDog's point is correct as to why Google are acting the way they are... in that there's no "just email" gmail account
- even enterprise hosted google ones I have come with the full gamut of drive, and SSO login capabilities
- access to one of them even if I am not interested in the resources or data stored therein affords a decent opportunity for identity theft

- sd

Re: Gmail and two factor authentification

Posted: December 8th, 2021, 12:18 am
by Breelander
Lootman wrote:Yeah, I can see the value of 2FA for my financial accounts. But for email?



There have been countless reports of email accounts being hacked, usually by malware stealing your login cookies so they can be used on another device. 2FA protects against that.

Re: Gmail and two factor authentification

Posted: December 8th, 2021, 12:34 am
by Lootman
Breelander wrote:
Lootman wrote:Yeah, I can see the value of 2FA for my financial accounts. But for email?

There have been countless reports of email accounts being hacked, usually by malware stealing your login cookies so they can be used on another device. 2FA protects against that.

Agreed, but whether or not that matters depends crucially on what I use that email account for. I am suggesting that the user should be allowed to opt in or out of 2FA, rather than have that imposed upon them.