+Warwagon MVC, posted December 1, 2022

On a few recent occasions I've been helping people get back into their Google account. They had printed off the two-factor authentication backup codes, but when entered it then said a confirmation email had been emailed to their Google account (the exact one we were trying to get back into) ... Da Fuk?

I always assumed the two-factor backup codes that you print off were the end all, get out of jail free card. I was HIGHLY annoyed when that was not the case.

I guess all I can recommend is keep a spare phone lying around that's always signed into your Google account so you can receive emails, making it a lot less of an annoying process.

Link to comment: https://www.neowin.net/forum/topic/1423760-wtf-google-gave-you-a-backup-code-and-now-i-need-to-check-my-email/

JustGeorge, posted December 1, 2022 (edited)

I ran into this today. Sure enough, they sent a confirmation to the very email we were trying to get access to. Thankfully, it was a case of them still having access on their phone. They just couldn't remember their password to get it on their PC.

Do any of the Big guys have a general support email that you could use in the event that you're locked out of an account?

binaryzero, posted December 1, 2022

Or use a password manager... https://bitwarden.com/

i_was_here, posted December 1, 2022

On 01/12/2022 at 02:15, binaryzero said:
> Or use a password manager... https://bitwarden.com/

That doesn't help for 2FA though.

ThaCrip, posted December 1, 2022

On 01/12/2022 at 03:58, i_was_here said:
> That doesn't help for 2FA though.

Fair enough. But a better alternative to codes etc, which while not free is better anyways, is a standard YubiKey (although you need a minimum of two of these and use only these to get into one's Google account, otherwise it defeats the purpose of a YubiKey if it can be bypassed by codes. But I get for a smart phone user these particular basic YubiKeys would be mostly useless since they don't have a USB port).

With that you only need your password (which a password manager would help greatly with (but since many are lazy, this will be too much effort already)) and then simply plug in the YubiKey and sign in and tap it with your finger and you are in. But I understand that given these are not free and, unless you get a pretty good deal (like I did), the price is a touch steep to where I can understand why most won't even consider using them (and I would guess that the common person probably doesn't even know about them either). But it's the most secure 2FA option and works well since you just enter your password, insert YubiKey and tap it with your finger and you are in.

Regular 2FA (which seems to often require some level of smart phone use basically) sounds somewhat like a chore to use in general, as I would rather use 2FA on a random site that requires a temp one-time-use code sent to one's email to work (I get in the OP's case that's a problem though since the email they are trying to access needs to be accessed to get access to that same email account) as that's just better/easier than the rest, especially given my Google email is secured with YubiKey so I don't have to worry about an account take-over even if someone gets my password (which is unlikely anyways).

So in my case it's just easier to send a temporary code to my email to sign into any random account with 2FA on it than using those codes or other programs that's more effort than it's worth, at least for me personally (since I avoid smart phones). But... I guess for say the common person I can see how using one's email as the 2FA could potentially be a bit less secure for many given if people use the same crappy passwords for multiple accounts, if their email gets taken over it could be an easy way for the shady people to take over a lot of their accounts etc if they are using their email as the 2FA instead of say the more common stuff people use like text message/mobile app authenticator (which I don't care for personally) etc.

I know that a standard YubiKey (the cheapest ones) would not work with those wanting to access their Google account on a smart phone, since they don't have a standard USB port, but I avoid smart phones in general and stick to proper computers (desktop (or laptop)) which are better anyways. Less trouble this way and I trust real computers to be more secure than random smart phones. Because the way I see it, smart phones might be decent enough for more casual things but anything of higher importance (like one's primary email that's tied to many of their online accounts or banking etc) I would leave to doing on desktop (or laptop) computers. But with that said, I understand a lot of people probably just stick with their smart phone for just about all online access, but I guess that's the trade off they are willing to deal with.

Hell, another big negative with a smart phone is I would assume many carry these with them out in the general public which makes it more likely these will get stolen and if basically everything they do is only in that phone, good luck. But I guess this is just the way things are as the general public tends not to care about security much as convenience almost always trumps security for them.

I can see this to a degree but there is a certain minimum standard people need to adhere to, otherwise they are rolling-the-dice and may eventually get burned. I guess people can look at all of this stuff in different ways with positives and negatives though, but smart phones are more trouble than they are worth in my opinion so I tend to do all of my stuff on a desktop.

Guest, posted December 1, 2022 (edited)

Why is everyone ignoring SMS? That's all I use to recover my accounts when I need to. No need for third-party apps or services, it's safe for the average user, unless you're a completely careless person and then you should pay the price of your mindlessness.

neufuse (Veteran), posted December 1, 2022

On 01/12/2022 at 11:25, LuisMazza said:
> Why is everyone ignoring SMS? That's all I use to recover my accounts when I need to. No need for third-party apps or services, it's safe for the average user, unless you're a completely careless person and then you should pay the price of your mindlessness.

Because SMS is now considered industry-wide to be insecure, even though the method needed to steal an SMS message is a bit complex... so no one wants to touch it.

JustGeorge, posted December 1, 2022 (edited)

On 01/12/2022 at 12:44, neufuse said:
> Because SMS is now considered industry-wide to be insecure, even though the method needed to steal an SMS message is a bit complex... so no one wants to touch it.

I'd much rather they work on ways of hardening SMS (hijacking phones in general) than dealing with authenticators n' Yubikeys. How many people do you know that back up their authenticator app and physical items are lost/stolen and broken. I guess your phone can suffer the same, but since it's the most important thing in people's lives these days, it's kept up with.

It was a total ****show at my workplace when we had to enable 2FA on o365. The instructions/process was simple to me, but getting 100+ people on board that have no interest or desire to go through it was soul sucking and I still have people coming to me to walk them through it.

Guest, posted December 1, 2022 (edited)

On 01/12/2022 at 13:13, JustGeorge said:
> I'd much rather they work on ways of hardening SMS (hijacking phones in general) than dealing with authenticators n' Yubikeys. How many people do you know that back up their authenticator app and physical items are lost/stolen and broken. I guess your phone can suffer the same, but since it's the most important thing in people's lives these days, it's kept up with. It was a total ****show at my workplace when we had to enable 2FA on o365. The instructions/process was simple to me, but getting 100+ people on board that have no interest or desire to go through it was soul sucking and I still have people coming to me to walk them through it.

Yes. Security in general is never perfect, but we have to ensure a minimum convenience for us and users in general. No one needs to behave like being a Supreme Court judge or the CEO of whatever company... People are worried about their bank accounts being stolen, not super confidential plans and annotations. Those should be handled by IT departments or advisory services.

It's better if people understand and comply with basic principles instead of doing nothing. Thus, giving ALL of your passwords to whatever "password manager" you like is much worse than trusting your SMS or two-step from Google or Microsoft. Data leaks are commonplace almost every week.

+Warwagon MVC (Author), posted December 1, 2022

I really think the backup code that you print off should be the end all. The buck should stop there. As at one point you would have had to have access to the account, and they make you enter your password about 3 times just to get to the point where they display the codes and let you print them off.

Good Bot, Bad Bot, posted December 1, 2022 (edited)

On 01/12/2022 at 13:13, JustGeorge said:
> I'd much rather they work on ways of hardening SMS (hijacking phones in general) than dealing with authenticators n' Yubikeys. How many people do you know that back up their authenticator app and physical items are lost/stolen and broken. I guess your phone can suffer the same, but since it's the most important thing in people's lives these days, it's kept up with. It was a total ****show at my workplace when we had to enable 2FA on o365. The instructions/process was simple to me, but getting 100+ people on board that have no interest or desire to go through it was soul sucking and I still have people coming to me to walk them through it.

What does 2FA being "hard" for average users have to do with your own security? LOL

On 01/12/2022 at 14:12, LuisMazza said:
> Yes. Security in general is never perfect, but we have to ensure a minimum convenience for us and users in general. No one needs to behave like being a Supreme Court judge or the CEO of whatever company... People are worried about their bank accounts being stolen, not super confidential plans and annotations. Those should be handled by IT departments or advisory services. It's better if people understand and comply with basic principles instead of doing nothing. Thus, giving ALL of your passwords to whatever "password manager" you like is much worse than trusting your SMS or two-step from Google or Microsoft. Data leaks are commonplace almost every week.

Please don't use SMS for 2FA, that is just stupid for so many reasons. As I asked JustGeorge, what does what other users can or not do have to do with your personal security? What's the difference between getting the code from your SMS or Authenticator app? Granted, storing recovery codes requires a little diligence but I know you can do it.

Edited December 1, 2022 by Good Bot, Bad Bot

Guest, posted December 1, 2022 (edited)

On 01/12/2022 at 14:55, Good Bot, Bad Bot said:
> What does 2FA being "hard" for average users have to do with your own security? LOL Please don't use SMS for 2FA, that is just stupid. As I asked JustGeorge, what does what other users can or not do have to do with your personal security? I don't see how it's any easier to get a code from my SMS app over an Authenticator app. Granted, storing recovery codes requires a little diligence but I know you can do it.

Because I can get another phone line with the same number instead of relying on a single device or app from the store. I don't think 2FA is bad on Google, because there was never a leak regarding this company, and I can't recall any massive password leaks when you require 2FA. Being paranoid about security only gives you headaches and people don't care, neither do I and I'm pretty much a geek for decades.

On 01/12/2022 at 14:51, Warwagon said:
> I really think the backup code that you print off should be the end all. The buck should stop there. As at one point you would have had to have access to the account, and they make you enter your password about 3 times just to get to the point where they display the codes and let you print them off.

I agree, that's actually what I thought how it should work, but I gave up on those codes because TradingView simply didn't accept the codes I had and so I went for SMS all the way.

Good Bot, Bad Bot, posted December 1, 2022 (edited)

On 01/12/2022 at 15:08, LuisMazza said:
> Because I can get another phone line with the same number instead of relying on a single device or app from the store. I don't think 2FA is bad on Google, because there was never a leak regarding this company, and I can't recall any massive password leaks when you require 2FA. Being paranoid about security only gives you headaches and people don't care, neither do I and I'm pretty much a geek for decades. I agree, that's actually what I thought how it should work, but I gave up on those codes because TradingView simply didn't accept the codes I had and so I went for SMS all the way.

You don't have to rely on a single device with 2FA. I can get codes on my phone, tablet, and PC(s). You don't need to use Google for 2FA. I just use Google prompts for my Gmail/Google account because it's the most convenient method, and my 2FA Authenticator app for every other account. One can also use an Authenticator app AND/OR a hardware security device for accounts while still able to use SMS for backup. Using SMS is well just SMS. SMS is not even very reliable for messaging (hence why IM) so I am not using it for security. LOL

It's not being "paranoid" to use 2FA, that is ridiculous. Again, no difference getting a code in my Authenticator app or SMS app.

2FA didn't work with one account so you went with SMS on everything? Are you kidding? Ummmm No working 2FA with my financial institution means I consider using a different company/service, not weaken my security on everything else I use. WTF? LOL I still have to use SMS for some things because no 2FA support. No idea why you can't mix SMS and 2FA usage.

Edited December 1, 2022 by Good Bot, Bad Bot

Guest, posted December 1, 2022

On 01/12/2022 at 16:06, Good Bot, Bad Bot said:
> You don't have to rely on a single device with 2FA. I can get codes on my phone, tablet, and PC(s). You don't need to use Google for 2FA. I just use Google prompts for my Gmail/Google account because it's the most convenient method, and my 2FA Authenticator app for every other account. One can also use an Authenticator app AND/OR a hardware security device for accounts while still able to use SMS for backup. Using SMS is well just SMS. SMS is not even very reliable for messaging (hence why IM) so I am not using it for security. LOL It's not being "paranoid" to use 2FA, that is ridiculous. Again, no difference getting a code in my Authenticator app or SMS app. 2FA didn't work with one account so you went with SMS on everything? Are you kidding? Ummmm No working 2FA with my financial institution means I consider using a different company/service, not weaken my security on everything else I use. WTF? LOL I still have to use SMS for some things because no 2FA support. No idea why you can't mix SMS and 2FA usage.

I use what is available and convenient in the services I use. Is that good for you? It's good for me.

Good Bot, Bad Bot, posted December 1, 2022 (edited)

On 01/12/2022 at 18:04, LuisMazza said:
> I use what is available and convenient in the services I use. Is that good for you? It's good for me.

That's fine if you think SMS is somehow more convenient. I don't really care about that except to point out codes coming from SMS or an app is no different at all.

In your first comment here you suggested average people just need SMS for 2FA, which is simply bad advice. It's not just the "Supreme Court judge or the CEO" that get their accounts hacked. Most accounts that are compromised are just regular people. That is a nonsense argument.

It's OK, we are done here as we are both now just repeating ourselves. I hope you learned a little more about 2FA with an authenticator app at least, as I corrected a number of your statements about it.

Guest, posted December 1, 2022

On 01/12/2022 at 18:54, Good Bot, Bad Bot said:
> That's fine if you think SMS is somehow more convenient. I don't really care about that except to point out codes coming from SMS or an app is no different at all. In your first comment here you suggested average people just need SMS for 2FA, which is simply bad advice. It's not just the "Supreme Court judge or the CEO" that get their accounts hacked. Most accounts that are compromised are just regular people. That is a nonsense argument. It's OK, we are done here as we are both now just repeating ourselves. I hope you learned a little more about 2FA with an authenticator app at least, as I corrected a number of your statements about it.

I know lots of authenticator apps. I just don't like them. Every service wants to be a standard, every service wants their authenticator app. I don't care. In my opinion they should be used for specific banks or whatever, not for everything, or else we would have tons of apps to authenticate s### everywhere. Not every big company has its crappy authenticator and I prefer those. F### authenticators if you're not a bank! That's my final word regarding this subject. If you like them, that's great.

+Warwagon MVC (Author), posted December 1, 2022

On 01/12/2022 at 21:24, LuisMazza said:
> I know lots of authenticator apps. I just don't like them. Every service wants to be a standard, every service wants their authenticator app. I don't care. In my opinion they should be used for specific banks or whatever, not for everything, or else we would have tons of apps to authenticate s### everywhere. Not every big company has its crappy authenticator and I prefer those. F### authenticators if you're not a bank! That's my final word regarding this subject. If you like them, that's great.

I haven't found that to be the case at all. MOST services give you a QR code that you can scan into your authenticator app of your choice.

Good Bot, Bad Bot, posted December 1, 2022

On 01/12/2022 at 21:24, LuisMazza said:
> I know lots of authenticator apps. I just don't like them. Every service wants to be a standard, every service wants their authenticator app. I don't care. In my opinion they should be used for specific banks or whatever, not for everything, or else we would have tons of apps to authenticate s### everywhere. Not every big company has its crappy authenticator and I prefer those. F### authenticators if you're not a bank! That's my final word regarding this subject. If you like them, that's great.

Your response to my comment was to go on to another point? LOL

As Warwagon has already pointed out, you are wrong (again). I use ONE authenticator app for every account I use that can use an authenticator app for 2FA, except for my Google account/Gmail, which is by choice.

It's not just for "banks". 2FA (via authenticator app) should be used with any important email accounts used for business and/or personal reasons, social media accounts, and your mobile carrier account.

I am glad that this is your final word as it's obvious you are not very knowledgeable about security, 2FA, and authenticator apps, which explains why you don't use them like well most regular users.

Sir Topham Hatt, posted December 1, 2022

That reminds me of when I sign in to my 2nd Google account on the work PC, it asks me to check my phone for the 2-factor auth... which never arrives as that account isn't on my phone (it only knows my phone as the 2nd Gmail account is linked to my first, which is on my phone) (no, I don't want both on my phone).

Guest, posted December 1, 2022 (edited)

On 01/12/2022 at 22:05, Good Bot, Bad Bot said:
> I am glad that this is your final word as it's obvious you are not very knowledgeable about security, 2FA, and authenticator apps, which explains why you don't use them like well most regular users.

Yes, exactly. I give zero fuc## to your paranoia. I'm smart enough to know exactly what I'm doing and if your job is related to security, it's your task to think of ways to improve your customer's security, because I don't care and I have other people to think about this whole crap other than me. I have Google, Microsoft, Apple, Nubank, Ebay... They all think about security and give me the correct tips on what to use, not you. I follow the rules, not your paranoid opinions. Bye!

+Warwagon MVC (Author), posted December 1, 2022

On 01/12/2022 at 22:46, LuisMazza said:
> Yes, exactly. I give zero fuc## to your paranoia. I'm smart enough to know exactly what I'm doing and if your job is related to security, it's your task to think of ways to improve your customer's security, because I don't care and I have other people to think about this whole crap other than me. I have Google, Microsoft, Apple, Nubank, Ebay... They all think about security and give me the correct tips on what to use, not you. I follow the rules, not your paranoid opinions. Bye!

I used to factor authentication on my Neowin account lol

Guest, posted December 1, 2022

On 01/12/2022 at 22:56, Warwagon said:
> I used to factor authentication on my Neowin account lol

Well, that's perfectly fine when that's the day job you're used to.

JustGeorge, posted December 2, 2022 (edited)

On 01/12/2022 at 21:26, Warwagon said:
> I haven't found that to be the case at all. MOST services give you a QR code that you can scan into your authenticator app of your choice.

Side thingy about QR codes: Does anyone else think those are a potential security nightmare? I mean they're not human readable and can send the user to who knows where once scanned.

Good Bot, Bad Bot, posted December 2, 2022

On 01/12/2022 at 22:46, LuisMazza said:
> Yes, exactly. I give zero fuc## to your paranoia. I'm smart enough to know exactly what I'm doing and if your job is related to security, it's your task to think of ways to improve your customer's security, because I don't care and I have other people to think about this whole crap other than me. I have Google, Microsoft, Apple, Nubank, Ebay... They all think about security and give me the correct tips on what to use, not you. I follow the rules, not your paranoid opinions. Bye!

What happened to you being done here? You know what you are doing? You have made like 2-3 wrong statements here about how 2FA and authenticator apps work but OK. I guess when argument fails yell paranoia!

On 01/12/2022 at 22:56, Warwagon said:
> I used to factor authentication on my Neowin account lol

I do too, but it's not really necessary as I use a secondary handle and email on Neowin, but you know 2FA authenticator apps are so damn easy to use so why not.

On 02/12/2022 at 01:30, JustGeorge said:
> Side thingy about QR codes: Does anyone else think those are a potential security nightmare? I mean they're not human readable and can send the user to who knows where once scanned.

No, not with an authenticator app, as it just reads the QR code and spits out a verification code to complete the process. It can't send the user "to who knows where" so that is just wrong. Now SMS is a security nightmare.

binaryzero, posted December 2, 2022

Don't scan random QR codes, only those you know are from a trusted source. At a restaurant and want to scan the QR code to order food? Nah. It's not where the QR code sends you to, it's more so what it collects...

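Added example, not part of any post in this thread: the QR code a service shows when you enrol an authenticator app encodes an `otpauth://` URI carrying a shared secret, and the app derives each code locally from that secret and the clock (RFC 6238). The Python below validates such a payload, rejecting anything that is not a TOTP enrolment URI (a web link, for instance), and computes the code. The issuer, account and URI are constructed sample values, the secret is the RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample payload. The secret is the Base32 form of the RFC 6238
# test key "12345678901234567890"; issuer and account are made up.
SAMPLE_URI = (
    "otpauth://totp/ExampleCorp:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=ExampleCorp&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Validate a scanned enrolment payload and return its TOTP parameters.

    Raises ValueError for anything that is not a well-formed otpauth://totp
    URI, for example an ordinary web link carried in a QR code.
    """
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError(f"not an enrolment payload (scheme {parts.scheme!r})")
    if parts.netloc != "totp":
        raise ValueError(f"unsupported OTP type {parts.netloc!r}")

    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret")
    b32 = params["secret"].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)  # enrolment secrets usually omit padding
    try:
        key = base64.b32decode(b32)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc

    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    digits = int(params.get("digits", "6"))
    period = int(params.get("period", "30"))
    if digits not in (6, 8) or period <= 0:
        raise ValueError("digits must be 6 or 8 and period positive")

    # The label is "issuer:account"; a label issuer that disagrees with the
    # issuer parameter means the payload was assembled inconsistently.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, sep, account = label.partition(":")
    issuer = params.get("issuer", label_issuer if sep else "")
    if sep and label_issuer != issuer:
        raise ValueError("label issuer and issuer parameter disagree")

    return {"issuer": issuer, "account": account if sep else label, "key": key,
            "algorithm": algorithm, "digits": digits, "period": period}


def totp(key, for_time, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP (RFC 4226) over the counter floor(time / period)."""
    counter = int(for_time) // period
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def code_from_qr_payload(uri, for_time):
    """Validate the scanned payload, then derive the code for a given time."""
    p = parse_otpauth(uri)
    return totp(p["key"], for_time, p["digits"], p["period"], p["algorithm"])


if __name__ == "__main__":
    import time
    print(parse_otpauth(SAMPLE_URI)["account"],
          code_from_qr_payload(SAMPLE_URI, time.time()))
```
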