Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146929

Re: Google will no longer send SMSs with six digit codes for verification

From "Carlos E.R." <robin_listas@es.invalid>
Newsgroups comp.mobile.android
Subject Re: Google will no longer send SMSs with six digit codes for verification
Date 2025-03-03 21:28 +0100
Message-ID <v0gh9lxofo.ln2@Telcontar.valinor> (permalink)
References (1 earlier) <1begjrynfhjra$.dlg@v.nguard.lh> <k8cg9lx8uf.ln2@Telcontar.valinor> <1bfu5iribmwb4$.dlg@v.nguard.lh> <s0eg9lxcan.ln2@Telcontar.valinor> <k32dhoyfafnc$.dlg@v.nguard.lh>

Show all headers | View raw


On 2025-03-03 20:45, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> VanguardLH wrote:
>>
>>> What was the point of Google (and Microsoft) fucking up OAUTH, a
>>> protocol, to screw into the OAUTH2, a framework, for authenticated
>>> logins?
>>
>> 2FA.
> 
> Separate and independent security schemes.  OAUTH2 has the OAUTH2 server
> send a token (half the key) to the client that the client stores for
> later logins.  The OAUTH2 server keeps the other half.  The user never
> has to enter the token, a code string, or scan some QR image.  2FA
> interrupts the login making the user wait for the code to then enter
> into some prompt.  2FA relies on 2 criteria: what you know, and what you
> have.  Alas, many sites fuck up 2FA by never having you enter a
> password, but just take your username and then send the 2FA code without
> you ever entering the password, so half of the 2FA scheme (what you
> know) is missing.
> 
> I'm not part of the kiddie generation that is grafted to their
> smartphones.  Also, smartphone penetration is not 100%.  It's 83% in
> urban regions, and 65% in rural regions in the USA.  That means there
> are folks without a smartphone.  They have no way to get SMS messages.
> Lots of folks just have simple landlines.

Irrelevant. It is much higher with gmail users.


> Instead of sending via SMS, the QR code could be sent via e-mail.  Geez,
> like no one that intercepts your e-mails (which are not encrypted) could
> possibly use a QR scanner in a script to login before you do.  Also,
> there is no guaranteed delivery to email or SMS.  Ever have a web site
> send a 2FA code never to get it, and you had to request another?  Well,
> maybe someone intercepted that insecure communication.  A QR code isn't
> going to deter a thief any more than a numeric string.

This is speculation of something in the future, but I expect the QR to 
pop up in the computer where you try to open email.


> 
>>> Whether on my Android phone or Windows desktop using OAUTH2 email apps,
>>> or using a web browser with HTTPS, I've never received an SMS text (on
>>> my phone) to complete a login to Gmail.  If they replace SMS texts with
>>> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
>>> won't be getting QR codes, either.
>>
>> I have.
> 
> On every login, or once in a blue moon?  I can see getting the messages
> if you enabled 2FV in your Google account, but I did not.  I recall
> faintly getting challenged on a login, and had to give my security
> answers to access my account.  I didn't get a 2FA code for that.

Once in a blue moon. Usually when I try a computer that has been off for 
months. And a tick says "never ask again in this computer".


> 
>>> If the QR codes are sent via SMS texts, instead of getting a string of
>>> numbers the users get a QR code.  Um, just what is a QR code?  Scan one
>>> to see it is just embedded text.  Maybe Google is assuming no one has a
>>> QR scanner app on their phone to decode what text it contains.
>>
>> This is undefined. Probably you get a QR graphic in the computer, and
>> you have to take a photo of it with your phone, inside some application
>> they still have to tell us.
> 
> So, I'd need two computers to login?

A computer and a smartphone.

> Ever see an old video comedy skit where it takes 3 people with both
> their hands to operate an overly complicated wrist watch with lots of
> buttons that have be pressed concurrently?  Might've been on SNL, but I
> can't find it now.

Nah, I haven't seen it :-D

> 
> Seems they should just proclaim they will eventually require an
> authenticator app.  However, those aren't all compatible with each
> other.  The Google Authenticator App isn't usable at my bank where I
> would have to use either the Symantec VIP or the Twilio Authy app.  I
> did use the Authy app, but it didn't work everywhere, plus Authy dropped
> their desktop app (Windows, Mac, Linux) leaving only their Android and
> iOS apps (so I'm back to grafting a smartphone to my hand).  There are
> variances in the protocols, so no one authenticator app works
> everywhere.  I wasn't going to install multiple authenticator apps.
> 
> The bank forced SMS delivery of 2FA codes.  No e-mail option.  My
> workaround was to give my Google Voice number to my bank to where they
> send their SMS texts, and configure my Google Voice account to forward
> SMS texts to my Gmail account, so I get the 2FA codes via e-mail.  I
> didn't have to suspend the login by having to roam through the house
> looking for my phone.  I can read the e-mail at my desktop in an e-mail
> client to get the code to enter into the web site's prompt.  All that
> jumping through hoops because the bank forced their 2FA security
> theater, but only via SMS.

My bank pushes messages to their own application on the smartphone. This 
is the preferred method (by the banks) over here. Only if you insist 
they grumble and let you use SMS.


> 
> Yes, the minutes of the reported meeting where QR codes were mentioned
> did not delve into just how the change will be implemented hence I said
> the article is so uninformative as to be nearly FUD.  Something might
> change, but no info on when or how implemented, or even how QR codes
> (that contain text strings) are more secure than text strings sent over
> insecure communication venues.  Someone had a wet dream, and someone
> else thought it was news.


I can not post what I do not know :-p

-- 
Cheers, Carlos.

Back to comp.mobile.android | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread


Thread

Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
  Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
  Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
    Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
    Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
      Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
        Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
          Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
      Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
    Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
      Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
      Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
          Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
              Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
                Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
                Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
                Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
                Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
              Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
            Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
              Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
    Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800

csiph-web