Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #146903 > unrolled thread
| Started by | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| First post | 2025-03-02 14:28 +0100 |
| Last post | 2025-03-07 22:45 +0800 |
| Articles | 20 on this page of 64 — 11 participants |
Back to article view | Back to comp.mobile.android
Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800
Page 3 of 4 — ← Prev page 1 2 [3] 4 Next page →
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 21:21 -0600 |
| Message-ID | <1d7jrv42y0fqb$.dlg@v.nguard.lh> |
| In reply to | #147052 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > The occasions when I had to check that SMS have been very rare, not even > once a month. Going to the kitchen to fetch the phone once a month is > not a chore. Try logging into Walmart, or Home Depot, or your bank, or anywhere that currently uses 2FA via SMS to complete a login. It's hardly once a month that I'm visiting web sites employing 2FA. It is EVERY day multiple times per day. Once Google switches to QR codes, and however they transport it to your Google account to complete login, how long do you think it will be until other web sites adopt the same security mechanism? Remember when OAUTH and then OAUTH2 was unknown to users, and look at it now. The plague will spread.
[toc] | [prev] | [next] | [standalone]
| From | AJL <noemail@none.com> |
|---|---|
| Date | 2025-03-07 03:49 +0000 |
| Message-ID | <vqdqc4$38got$1@dont-email.me> |
| In reply to | #147055 |
On 3/6/25 8:21 PM, VanguardLH wrote: >"Carlos E.R." <robin_listas@es.invalid> wrote: > >> The occasions when I had to check that SMS have been very rare, not even >> once a month. Going to the kitchen to fetch the phone once a month is >> not a chore. >Try logging into Walmart, or Home Depot, or your bank, or anywhere that >currently uses 2FA via SMS to complete a login. It's hardly once a >month that I'm visiting web sites employing 2FA. It is EVERY day >multiple times per day. My sensitive apps only require ONE 2FA login (including Walmart). Once the host device is blessed it can be set so that no more 2FA is required. So like Carlos I seldom need SMS 2FA. Only the apps on my new toys for the first time. Course if I was paranoid I could set it to ask on every login. But I don't. Apparently you do?? >Once Google switches to QR codes, and however >they transport it to your Google account to complete login, how long do >you think it will be until other web sites adopt the same security >mechanism? Remember when OAUTH and then OAUTH2 was unknown to users, >and look at it now. The plague will spread.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-07 01:53 -0600 |
| Message-ID | <35yyjy1d6br.dlg@v.nguard.lh> |
| In reply to | #147056 |
AJL <noemail@none.com> wrote: > My sensitive apps only require ONE 2FA login (including Walmart). Once > the host device is blessed it can be set so that no more 2FA is > required. So like Carlos I seldom need SMS 2FA. Only the apps on my > new toys for the first time. Course if I was paranoid I could set it > to ask on every login. But I don't. Apparently you do?? I avoid web-centric site-specific apps, like apps just for one site; e.g., Walmart, bank, Home Depot, Delta (airline). Instead I visit them in a web browser. One app that does all instead one app that does one site. Maybe if I used site-specific apps then I'd get 2FA far less often, or not at all. I tend to be very frugal as to what gets installed on my smartphone. I'm unlike a lot of smartphone users that install any app just because there is one. Does any web browser store 2FA codes for reuse on login? Perhaps DOM Storage (aka site data) gets used for that. I doubt any secure site is going to use cookies. I configure my web browser (Firefox) to purge *all* its locally cached data on exit as a countermeasure to tracking, and up my privacy, and tweak the web browser to improve security. Firefox on Android permits extensions like uBlock Origin. Chrome on Android does not allow any extensions. As for web-centric apps, has there been any independent audits on each one to determine their login security, and secure local files storing any user data? Don't most use the accounts stored in Android itself, so those get reused. I don't think Android is storing any 2FA codes or other token in the accounts stored in Android.
[toc] | [prev] | [next] | [standalone]
| From | AJL <noemail@none.com> |
|---|---|
| Date | 2025-03-07 09:34 +0000 |
| Message-ID | <vqeeiu$3ffn8$1@dont-email.me> |
| In reply to | #147058 |
On 3/7/25 12:53 AM, VanguardLH wrote: >AJL <noemail@none.com> wrote: > >> My sensitive apps only require ONE 2FA login (including Walmart). Once >> the host device is blessed it can be set so that no more 2FA is >> required. So like Carlos I seldom need SMS 2FA. Only the apps on my >> new toys for the first time. Course if I was paranoid I could set it >> to ask on every login. But I don't. Apparently you do?? > >I avoid web-centric site-specific apps, like apps just for one site; >e.g., Walmart, bank, Home Depot, Delta (airline). Instead I visit them >in a web browser. One app that does all instead one app that does one >site. Maybe if I used site-specific apps then I'd get 2FA far less >often, or not at all. I tend to be very frugal as to what gets >installed on my smartphone. I'm unlike a lot of smartphone users that >install any app just because there is one. IMO specific apps are much easier to use on a phone or tablet than a browser. But the Android browser I use, Chrome, also remembers the device for each site and thus only one 2FA per site I use is required as in my apps. YMMV depending on the site I suppose but all mine be it app or browser only need one 2FA per device if so set. >Does any web browser store 2FA codes for reuse on login? The only browser I use for 2FA is Chrome on everything: Android, W11, and Chrome OS stuff. It works the same on all. Only one 2FA per app/device unless set otherwise. >Perhaps DOM >Storage (aka site data) gets used for that. I doubt any secure site is >going to use cookies. I configure my web browser (Firefox) to purge >*all* its locally cached data on exit I do the same with my Firefox browsers. But of course they won't remember anything including 2FA being set that way. If you get tired of redoing 2FA I suggest you get one browser just for that purpose. >as a countermeasure to tracking, >and up my privacy, and tweak the web browser to improve security. >Firefox on Android permits extensions like uBlock Origin. Chrome on >Android does not allow any extensions. True. That's why I use apps. >As for web-centric apps, has there been any independent audits on each >one to determine their login security, and secure local files storing >any user data? Don't most use the accounts stored in Android itself, so >those get reused. I don't think Android is storing any 2FA codes or >other token in the accounts stored in Android. Dunno. I put my trust in the individual apps. If I can't trust my bank, investment, utilities, Walmart, etc, what can I trust? Walmart does pretty good BTW. It lets me buy stuff without a new 2FA each time but to reorder prescriptions from the pharmacy section it requires a pin to get in...
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-07 10:37 +0100 |
| Message-ID | <sbrq9lxms4.ln2@Telcontar.valinor> |
| In reply to | #147058 |
On 2025-03-07 08:53, VanguardLH wrote: > AJL <noemail@none.com> wrote: > >> My sensitive apps only require ONE 2FA login (including Walmart). Once >> the host device is blessed it can be set so that no more 2FA is >> required. So like Carlos I seldom need SMS 2FA. Only the apps on my >> new toys for the first time. Course if I was paranoid I could set it >> to ask on every login. But I don't. Apparently you do?? > > I avoid web-centric site-specific apps, like apps just for one site; > e.g., Walmart, bank, Home Depot, Delta (airline). Instead I visit them > in a web browser. One app that does all instead one app that does one > site. Maybe if I used site-specific apps then I'd get 2FA far less > often, or not at all. I tend to be very frugal as to what gets > installed on my smartphone. I'm unlike a lot of smartphone users that > install any app just because there is one. > > Does any web browser store 2FA codes for reuse on login? Perhaps DOM > Storage (aka site data) gets used for that. I doubt any secure site is > going to use cookies. I configure my web browser (Firefox) to purge > *all* its locally cached data on exit as a countermeasure to tracking, That's the cause of your problem. That's why you are asked to verify your identity not once in a blue moon like us. > and up my privacy, and tweak the web browser to improve security. > Firefox on Android permits extensions like uBlock Origin. Chrome on > Android does not allow any extensions. > > As for web-centric apps, has there been any independent audits on each > one to determine their login security, and secure local files storing > any user data? Don't most use the accounts stored in Android itself, so > those get reused. I don't think Android is storing any 2FA codes or > other token in the accounts stored in Android. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-07 10:34 +0100 |
| Message-ID | <s5rq9lxms4.ln2@Telcontar.valinor> |
| In reply to | #147055 |
On 2025-03-07 04:21, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> The occasions when I had to check that SMS have been very rare, not even >> once a month. Going to the kitchen to fetch the phone once a month is >> not a chore. > > Try logging into Walmart, or Home Depot, or your bank, or anywhere that > currently uses 2FA via SMS to complete a login. It's hardly once a > month that I'm visiting web sites employing 2FA. It is EVERY day > multiple times per day. You are changing goal posts. Google doesn't ask me even once a month. That's the context of this thread, Google. > Once Google switches to QR codes, and however > they transport it to your Google account to complete login, how long do > you think it will be until other web sites adopt the same security > mechanism? Remember when OAUTH and then OAUTH2 was unknown to users, > and look at it now. The plague will spread. Of all the mail accounts I have, only googles use oauth2. In any case, it is no biggy for me to pick the phone, it is always near me. Banks are switching to some non SMS method since some time, involving their already existing bank app on the phone. That's the issue, that SMSs are not considered secure for identification purposes. Using some custom app on the phone seems to be the preferred method. It doesn't matter really if it is matching a QR photo, or a text transmitted to the app. Going against the times not wanting to use a mobile phone is not going to work for anybody. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | Marion <marion@facts.com> |
|---|---|
| Date | 2025-03-08 18:18 +0000 |
| Subject | Re: Phones and apps forced on you |
| Message-ID | <vqi1m8$28l0$1@nnrp.usenet.blueworldhosting.com> |
| In reply to | #147063 |
On 7 Mar 2025 10:18:55 GMT, Stefan Ram wrote : > Well, I'm using a mobile phone. But my security concept involves > not putting an SMS into it and not connecting it to the internet. Assuming the phone is not rooted, you can still delete from the user partition almost every app (even Google apps!) that you don't want. <https://duckduckgo.com/?q=samsung+galaxy+adb+delete+bloatware> > Also, since my youth, I'm used to the idea that it's my computer, > so I decide which software to run on it.\ Once you remove all the bloatware, you replace them with non-GSF apps. NewPipe replaces the Google YouTube app Aurora replaces the Google Play Store app Bromite replaces the Chrome web browser app FairEmail replaces the Google GMail app etc. > (I'm using the phone to make photos, read PDFs, and semi-manually > track my sleep, calculate the recommendation for next sleep, etc.) What do you think of this free sleep app that doesn't have advertisements? <https://play.google.com/store/apps/details?id=health.sleep.sounds.tracker.alarm.calm> > Now, a bank told me I need a photo TAN. A photo TAN is a security measure where a visual code is scanned by a device or app to generate a one-time transaction authorization number. > Do you know what I thought? > I thought that they were asking me to make a photo of my face right > before each transaction maybe with a newspaper of the day or in a > position only given right before the transaction. > > But no, the "photo TAN" does not involve sending a portrait photo of > yourself to your bank! > > I think I'm going to buy an extra phone, I might call the "dirty phone". > This will be used for all third party apps I am being forced to use > and get an SMS card when needed. *How to Buy a Burner Phone* <https://lifehacker.com/how-to-buy-a-burner-phone-1843905326>
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-09 14:52 +0100 |
| Subject | Re: Phones and apps forced on you |
| Message-ID | <62j0alxphd.ln2@Telcontar.valinor> |
| In reply to | #147091 |
On 2025-03-09 13:12, Stefan Ram wrote: > Marion <marion@facts.com> wrote or quoted: >> What do you think of this free sleep app that doesn't have advertisements? > > While I'm currently not able to look at this app, I can say that > I often lie without motion while still being awake at night, > so I doubt such a device would be able to detect I'm awake. I use one such app that tracks my sleep. One feature it has is the alarm clock. Instead of a fixed time to wake me up, it checks during half an hour if it is the correct phase of my sleep to wake me up. Well, sometimes I wake up on my own near that time. I lie down not moving at all, hoping to fall sleep again, and that the alarm doesn't sound. But it does. The thing finds out that I am awake feigning being sleep and it "rings", early in the half an hour interval instead of late. (I use Sleep as an Android, paid version) -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-07 10:00 +0000 |
| Message-ID | <vqejjv.14ks.1@ID-201911.user.individual.net> |
| In reply to | #147049 |
VanguardLH <V@nguard.lh> wrote: [...] > I really hate to graft my smartphone to my hand to ensure it is readily > accessible for this security theater machinations. I'm too old for all > this jumping through hoops of fire. Rather than run through the house > looking for my smartphone (it's usually on a different floor of the > house in a charging cradle next to the side door by the garage where I > enter), I'll just forego the security theater, and go somewhere else for > e-mail service. Logging in is getting more complicated to the user and > at the server than the e-mail service itself. In this context, i.e. Google services, there's no "run through the house" at all: - Google phone number verification: *one* time action. - Google 2SV for login: *one* time per device, then mark the device as trusted. - Gmail access via the webUI: same as Google login. - Gmail access via POP/IMAP/SMTP: no changes AFAIK, i.e. OAUTH2 or app passwords (I still use app passwords). This (non-)discussion is only about the first situation, but you keep throwing in the other three as if they have anything to do with it. In another response, you talk about the "security theater machinations" of *other* (than Google) services, i.e. webshops, etc.. Please don't pollute this Google-related discussion with irrelevant mud. [...]
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-06 15:00 +0000 |
| Message-ID | <vqcgqd.8do.1@ID-201911.user.individual.net> |
| In reply to | #147014 |
VanguardLH <V@nguard.lh> wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: [Lots deleted.] > > You are login into google in your computer; the browser you are using, > > or the mail application you are using displays a QR code, and tells you > > «take a picture with "name of app" in your registered phone, number > > ending in XXX». You comply, and in seconds you are authorized to > > complete login to google in the computer. > > "name of app" is? Would have to be one that connects back to my Google > account. Play Services, Google app (aka Google Assistant), or what? As Carlos later said, the name of the app (if it's an app, it probably will be part of Google Play services) will have to be determinded, because the functionality - verify a phone number by a mechanism using a QR code - does not exist yet. > That would provide the mechanism used to complete the Google Prompt. As Carlos said, stay focused! 'Google Prompt' has nothing to do with the to be developed functionality, nor with any other QR code use. 'Google Prompt' is a prompt you get on your phone to tap to verify it's *you* (i.e. one of your registered devices), nothing to do with your *phone number* (the device can be a SIM-less tablet, i.e. the prompt *cannot* relate to a phone number).. So forget about 'Google prompt'. I brought that up due to a question from AJL, nothing to do with the topic of the OP. > What if I'm using a web browser on the phone? The web browser on the > phone can show a QR image the web site presents, but then what? It's > not like I can point the camera in the phone at the web page in the web > browser on the phone. Does "name of app" scan the screen? *If* you would be using a web browser on the phone in some kind of verification/authentication procedure, that procedure would obviously not be using a QR code. [Lots more deleted.]
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-06 19:14 +0100 |
| Message-ID | <o85p9lxjkc.ln2@Telcontar.valinor> |
| In reply to | #147029 |
On 2025-03-06 16:00, Frank Slootweg wrote: > VanguardLH <V@nguard.lh> wrote: >> "Carlos E.R." <robin_listas@es.invalid> wrote: > > [Lots deleted.] ... >> What if I'm using a web browser on the phone? The web browser on the >> phone can show a QR image the web site presents, but then what? It's >> not like I can point the camera in the phone at the web page in the web >> browser on the phone. Does "name of app" scan the screen? > > *If* you would be using a web browser on the phone in some kind of > verification/authentication procedure, that procedure would obviously > not be using a QR code. > > [Lots more deleted.] A person might be using a browser in the phone in desktop mode. However, the intended mode of use of a phone (er, an android phone) is "you are always logged in to google" (despite Arlen's protestations). So the behaviour of the web browser would be somewhat confusing. Still, the yet to be named app could perhaps be designed to take photos or screenshots. Another confusing use case is when the phone is used with two or more google accounts (for example, one personal, another work (or google for groups)). -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 15:59 -0600 |
| Message-ID | <11f4ixfh3mn8u$.dlg@v.nguard.lh> |
| In reply to | #147029 |
Frank Slootweg <this@ddress.is.invalid> wrote: > As Carlos later said, the name of the app (if it's an app, it probably > will be part of Google Play services) will have to be determinded, > because the functionality - verify a phone number by a mechanism > using a QR code - does not exist yet. While Play Services may work in tandem with the Google App (aka Google Assistant) on Android, to get Google Prompts to work on iOS (iPhone) has them just install the Google App from the Apple Play Store (https://apps.apple.com/us/app/google/id284815942). Since Google is dropping SMS for login verification, what's left for a communications venue? Looks like Google Prompts which are apparently doable with just the Google App. > As Carlos said, stay focused! 'Google Prompt' has nothing to do with > the to be developed functionality, nor with any other QR code use. > > 'Google Prompt' is a prompt you get on your phone to tap to verify > it's *you* (i.e. one of your registered devices), nothing to do with > your *phone number* (the device can be a SIM-less tablet, i.e. the > prompt *cannot* relate to a phone number).. SMS as a transport is out for when Google switches to QR codes instead of text strings. So, what other communications venue is there between the "registered device" (which is a smartphone for the vast majority of users doing Gmail on a mobile device) and Google to complete the login verification? The Google App already has a camera icon, and it connects home to your account. According to a Gmail spokeperson, SMS is getting dropped. Okay, so stay focused yourself, and get off the SMS bandwagon. What is the alternative to get the QR code scanned on your registered device aka smartphone to send to your Google account to complete login verification? You say Google Prompts won't be it, but you really don't know what Google will implement. Google says SMS won't be it. So WHAT else might /it/ be? If Google comes up with another and different "name of app" than Google App which already works with Google Prompts, oh goodie, we have to install more software to support their new scheme. I take it Google doesn't trust authenticator apps to be as secure as whatever they may come up with.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-07 09:44 +0000 |
| Message-ID | <vqeimf.bqs.1@ID-201911.user.individual.net> |
| In reply to | #147050 |
VanguardLH <V@nguard.lh> wrote: [...] > According to a Gmail spokeperson, SMS is getting dropped. Okay, so stay > focused yourself, and get off the SMS bandwagon. What is the > alternative to get the QR code scanned on your registered device aka > smartphone to send to your Google account to complete login > verification? You say Google Prompts won't be it, but you really don't > know what Google will implement. Google says SMS won't be it. So WHAT > else might /it/ be? You're still mixing everything up and are now putting words in my mouth, so there's no point continuing, at least not for the 'QR code for phone number verification part'.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-05 11:23 +0000 |
| Message-ID | <vq9fn2.rhg.1@ID-201911.user.individual.net> |
| In reply to | #146972 |
VanguardLH <V@nguard.lh> wrote: > Frank Slootweg <this@ddress.is.invalid> wrote: > > > VanguardLH <V@nguard.lh> wrote: > > [...] > > > >> Not relevant to my statement of having to wait for SMS messages (text or > >> QR image content) nor there is no guaranteed delivery of SMS messages. > >> > >> To where is the SMS message sent? To the phone. Okay, I'll see an SMS > >> message with a QR image. Then what? Do SMS apps have embedded scanning > >> of the content of SMS messages to then use an embedded QR decoder to > >> show the text embedded in the image (which obviates the whole point of > >> supposedly securing the text string in an image) that I then have to > >> copy/paste into some web prompt? > > > > AFAICT, "an SMS message with a QR image" is a figment of your > > imagination! > > > > I think such a thing is not mentioned anywhere and not even implied > > anywhere. > > The delivery mechanism is defined where? Not in the referenced (web) articles and sofar nobody has (read: could) come up with specifics. [...] > However, upon some further reading, Google Prompts looks to use > notifications instead of SMS/MMS messages. Maybe. > > > So perhaps it's best to come up with an actual quote from the > > referenced articles, which leads you to your assumption, instead of > > going on and on about something which is very likely a straw man / red > > herring. > > That's the crux of the problem: there are no details on how QR images by > whatever delivery mechanism are to get decoded into strings by the user > to input into a waiting field. All of us are just guessing for now what > are the possibilities. In the use of QR codes I am aware of, the QR code appears on the screen of your device (mostly a computer) and you 'take a picture' (actually you only maneuver the QR code within a viewing window) with your smartphone/tablet. That's for example the way it works for linking (adding) a new device in WhatsApp and when I want to use my phone as an (2FA/TOTP) authentication device for the websites of our banks. (I.e. on my computer, I go to the login page of my bank's website. A QR code appears. I use the bank's app on my phone to 'take a picture' of the QR code. And I'm logged in.) See also Carlos' responses. He said the same thing. And, as he said, this is a known and trusted procedure. And, by the looks of it, the procedure Google is going to use to verify phone numbers.
[toc] | [prev] | [next] | [standalone]
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-03-06 07:51 +0000 |
| Message-ID | <m2t2gvF5ebbU1@mid.individual.net> |
| In reply to | #146967 |
Frank Slootweg wrote: > AFAICT, "an SMS message with a QR image" is a figment of your > imagination! And if one arrived on your phone, what would you "scan" the QR code with? They don't work in a mirror.
[toc] | [prev] | [next] | [standalone]
| From | Dave Royal <dave@dave123royal.com> |
|---|---|
| Date | 2025-03-06 08:02 +0000 |
| Message-ID | <vqbkqo$2t0hv$1@dont-email.me> |
| In reply to | #147017 |
Andy Burns <usenet@andyburns.uk> Wrote in message: Two mirrors at 90 degrees, to cancel the lateral inversion ;) -- Remove numerics from my email address.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 16:14 -0600 |
| Message-ID | <17iatgemh8271.dlg@v.nguard.lh> |
| In reply to | #147017 |
Andy Burns <usenet@andyburns.uk> wrote: > Frank Slootweg wrote: > >> AFAICT, "an SMS message with a QR image" is a figment of your >> imagination! > > And if one arrived on your phone, what would you "scan" the QR code > with? They don't work in a mirror. Maybe Frank didn't think of MMS, an enhancement to SMS, can send images within messages. Well, Google could embed some new feature into Chrome to handle web sites presenting a QR code for login verification. Chrome would silently connect home to your Google account to send the QR code back to Google. On a smartphone, isn't the Chrome web browser always logged into your Google account? On a desktop, the Chrome web browser is also likely logged into your Google account. A later version of Chrome could be the new app guessed by Carlos. Oh goody, to log into Gmail mandates you use the Chrome web browser. I wouldn't put Google beyond enforcing that requirement to get more of the stubborn amongst to move to Chrome. Frank doesn't like my [second] guess that Google will move to using Google Prompts, a communications venue that already exists on Android phones, SMS is getting dropped by Google, but neither Frank nor Carlos have come up with an alternative communications venue. None of us know now what Google may implement later, but reusing existing functionality seems more likely than creating a whole new communications venue, and another new app solely for login verification (don't we already have that with authenticator apps?). Could be Google, as Carlos puts it, will come out with a new app we need to install to scan the QR code to send it back to your Google account to complete login verification. However, the Google App already on the smartphone connects back to your Google account, and it has a camera icon, too. In addition, to get Google Prompts on iOS (iPhones), those users can get the Google App from Apple's Play Store. Those users would have to create a Google account; however, if they're using Gmail that will move to a modified security theater then they already have a Google account.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-04 22:37 +0100 |
| Message-ID | <ie8k9lxpm3.ln2@Telcontar.valinor> |
| In reply to | #146966 |
On 2025-03-04 20:53, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> VanguardLH wrote: >> >>> So, you either have to wait for an SMS message to arrive from them, >>> or for them to get the one you send them. >> >> No, they also say: >> >> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly >> used as a security and anti-abuse check, but there are plenty of >> security challenges, like phishing and traffic pumping. Consequently, >> Google plans to reimagine how it verifies phone numbers over the next >> few months. Instead of entering their phone numbers and receiving a >> six-digit code over SMS, users will see a QR code they need to scan >> with their phone camera.» > > Not relevant to my statement of having to wait for SMS messages (text or > QR image content) nor there is no guaranteed delivery of SMS messages. > > To where is the SMS message sent? To the phone. Okay, I'll see an SMS > message with a QR image. NO. Again, NO. You will see a QR displayed on the computer, and then you take a photo of it with your mobile phone. That is the procedure. I have told you this a few times already. The photo will be either taken with some Google app, or will link to an URL that you have to navigate to on the phone. This is basically the same procedure used by WhatsApp to activate whatsapp on the computer. There is no SMS involved at all. ... The rest are figments of your imagination and deleted. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 19:49 -0600 |
| Message-ID | <1pdppnedg6qij$.dlg@v.nguard.lh> |
| In reply to | #146969 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > On 2025-03-04 20:53, VanguardLH wrote: >> "Carlos E.R." <robin_listas@es.invalid> wrote: >> >>> VanguardLH wrote: >>> >>>> So, you either have to wait for an SMS message to arrive from them, >>>> or for them to get the one you send them. >>> >>> No, they also say: >>> >>> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly >>> used as a security and anti-abuse check, but there are plenty of >>> security challenges, like phishing and traffic pumping. Consequently, >>> Google plans to reimagine how it verifies phone numbers over the next >>> few months. Instead of entering their phone numbers and receiving a >>> six-digit code over SMS, users will see a QR code they need to scan >>> with their phone camera.» >> >> Not relevant to my statement of having to wait for SMS messages (text or >> QR image content) nor there is no guaranteed delivery of SMS messages. >> >> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >> message with a QR image. > > NO. Again, NO. > > You will see a QR displayed on the computer, and then you take a photo > of it with your mobile phone. That is the procedure. I have told you > this a few times already. Yes, you have been very clear on being vague. Displayed on the computer ... BY WHAT? If not an SMS or MMS message to display by a messaging app, then just WHAT is displaying the QR image? What communication protocol is used to transfer the QR message? What process is displaying the QR message? You keep referring to, um, magic displaying the message, but give no actual details - because you don't know which is why you can't explain.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-05 03:44 +0100 |
| Message-ID | <fdqk9lx6m3.ln2@Telcontar.valinor> |
| In reply to | #146973 |
On 2025-03-05 02:49, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> On 2025-03-04 20:53, VanguardLH wrote: >>> "Carlos E.R." <robin_listas@es.invalid> wrote: >>> >>>> VanguardLH wrote: >>>> >>>>> So, you either have to wait for an SMS message to arrive from them, >>>>> or for them to get the one you send them. >>>> >>>> No, they also say: >>>> >>>> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly >>>> used as a security and anti-abuse check, but there are plenty of >>>> security challenges, like phishing and traffic pumping. Consequently, >>>> Google plans to reimagine how it verifies phone numbers over the next >>>> few months. Instead of entering their phone numbers and receiving a >>>> six-digit code over SMS, users will see a QR code they need to scan >>>> with their phone camera.» >>> >>> Not relevant to my statement of having to wait for SMS messages (text or >>> QR image content) nor there is no guaranteed delivery of SMS messages. >>> >>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>> message with a QR image. >> >> NO. Again, NO. >> >> You will see a QR displayed on the computer, and then you take a photo >> of it with your mobile phone. That is the procedure. I have told you >> this a few times already. > > Yes, you have been very clear on being vague. Displayed on the computer > ... BY WHAT? By the web browser where you are trying to login to gmail, or by the mail application trying to login using oauth2. > If not an SMS or MMS message to display by a messaging > app, then just WHAT is displaying the QR image? What communication > protocol is used to transfer the QR message? What process is displaying > the QR message? You keep referring to, um, magic displaying the > message, but give no actual details - because you don't know which is > why you can't explain. You are overcomplicating yourself. It is trivial to do. Firefox has no problem displaying a QR code in the screen, and the phone has no trouble taking a photo and sending it or doing something appropriate with it. By the same tool that now and then asks if it is you trying to login to a new machine, and you tap "yes, it is me" or "no, it is not me". -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
Page 3 of 4 — ← Prev page 1 2 [3] 4 Next page →
Back to top | Article view | comp.mobile.android
csiph-web