Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146903 > unrolled thread

Google will no longer send SMSs with six digit codes for verification

Started by"Carlos E.R." <robin_listas@es.invalid>
First post2025-03-02 14:28 +0100
Last post2025-03-07 22:45 +0800
Articles 20 on this page of 64 — 11 participants

Back to article view | Back to comp.mobile.android


Contents

  Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
    Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
    Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
          Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
        Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
            Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
    Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
      Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
          Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
              Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
            Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
                              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
                                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
                                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
                                        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
                                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
                                            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
                                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
                                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
                                          Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
                                            Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
                                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
                                  Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
              Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800

Page 3 of 4 — ← Prev page 1 2 [3] 4  Next page →


#147055

FromVanguardLH <V@nguard.LH>
Date2025-03-06 21:21 -0600
Message-ID<1d7jrv42y0fqb$.dlg@v.nguard.lh>
In reply to#147052
"Carlos E.R." <robin_listas@es.invalid> wrote:

> The occasions when I had to check that SMS have been very rare, not even 
> once a month. Going to the kitchen to fetch the phone once a month is 
> not a chore.

Try logging into Walmart, or Home Depot, or your bank, or anywhere that
currently uses 2FA via SMS to complete a login.  It's hardly once a
month that I'm visiting web sites employing 2FA.  It is EVERY day
multiple times per day.  Once Google switches to QR codes, and however
they transport it to your Google account to complete login, how long do
you think it will be until other web sites adopt the same security
mechanism?  Remember when OAUTH and then OAUTH2 was unknown to users,
and look at it now.  The plague will spread.

[toc] | [prev] | [next] | [standalone]


#147056

FromAJL <noemail@none.com>
Date2025-03-07 03:49 +0000
Message-ID<vqdqc4$38got$1@dont-email.me>
In reply to#147055
On 3/6/25 8:21 PM, VanguardLH wrote:
>"Carlos E.R." <robin_listas@es.invalid> wrote:
>
>> The occasions when I had to check that SMS have been very rare, not even 
>> once a month. Going to the kitchen to fetch the phone once a month is 
>> not a chore.


>Try logging into Walmart, or Home Depot, or your bank, or anywhere that
>currently uses 2FA via SMS to complete a login.  It's hardly once a
>month that I'm visiting web sites employing 2FA.  It is EVERY day
>multiple times per day.

My sensitive apps only require ONE 2FA login (including Walmart). Once the
 host device is blessed it can be set so that no more 2FA is required. So
 like Carlos I seldom need SMS 2FA. Only the apps on my new toys for the
 first time. Course if I was paranoid I could set it to ask on every login.
 But I don't. Apparently you do??



>Once Google switches to QR codes, and however
>they transport it to your Google account to complete login, how long do
>you think it will be until other web sites adopt the same security
>mechanism?  Remember when OAUTH and then OAUTH2 was unknown to users,
>and look at it now.  The plague will spread.

[toc] | [prev] | [next] | [standalone]


#147058

FromVanguardLH <V@nguard.LH>
Date2025-03-07 01:53 -0600
Message-ID<35yyjy1d6br.dlg@v.nguard.lh>
In reply to#147056
AJL <noemail@none.com> wrote:

> My sensitive apps only require ONE 2FA login (including Walmart). Once
> the host device is blessed it can be set so that no more 2FA is
> required. So like Carlos I seldom need SMS 2FA. Only the apps on my
> new toys for the first time. Course if I was paranoid I could set it
> to ask on every login. But I don't. Apparently you do??

I avoid web-centric site-specific apps, like apps just for one site;
e.g., Walmart, bank, Home Depot, Delta (airline).  Instead I visit them
in a web browser.  One app that does all instead one app that does one
site.  Maybe if I used site-specific apps then I'd get 2FA far less
often, or not at all.  I tend to be very frugal as to what gets
installed on my smartphone.  I'm unlike a lot of smartphone users that
install any app just because there is one.

Does any web browser store 2FA codes for reuse on login?  Perhaps DOM
Storage (aka site data) gets used for that.  I doubt any secure site is
going to use cookies.  I configure my web browser (Firefox) to purge
*all* its locally cached data on exit as a countermeasure to tracking,
and up my privacy, and tweak the web browser to improve security.
Firefox on Android permits extensions like uBlock Origin.  Chrome on
Android does not allow any extensions.  

As for web-centric apps, has there been any independent audits on each
one to determine their login security, and secure local files storing
any user data?  Don't most use the accounts stored in Android itself, so
those get reused.  I don't think Android is storing any 2FA codes or
other token in the accounts stored in Android.

[toc] | [prev] | [next] | [standalone]


#147062

FromAJL <noemail@none.com>
Date2025-03-07 09:34 +0000
Message-ID<vqeeiu$3ffn8$1@dont-email.me>
In reply to#147058
On 3/7/25 12:53 AM, VanguardLH wrote:
>AJL <noemail@none.com> wrote:
>
>> My sensitive apps only require ONE 2FA login (including Walmart). Once
>> the host device is blessed it can be set so that no more 2FA is
>> required. So like Carlos I seldom need SMS 2FA. Only the apps on my
>> new toys for the first time. Course if I was paranoid I could set it
>> to ask on every login. But I don't. Apparently you do??
>
>I avoid web-centric site-specific apps, like apps just for one site;
>e.g., Walmart, bank, Home Depot, Delta (airline).  Instead I visit them
>in a web browser.  One app that does all instead one app that does one
>site.  Maybe if I used site-specific apps then I'd get 2FA far less
>often, or not at all.  I tend to be very frugal as to what gets
>installed on my smartphone.  I'm unlike a lot of smartphone users that
>install any app just because there is one.

IMO specific apps are much easier to use on a phone or tablet than a
 browser. But the Android browser I use, Chrome, also remembers the device
 for each site and thus only one 2FA per site I use is required as in my
 apps. YMMV depending on the site I suppose but all mine be it app or
 browser only need one 2FA per device if so set.

>Does any web browser store 2FA codes for reuse on login? 

The only browser I use for 2FA is Chrome on everything: Android, W11, and
 Chrome OS stuff. It works the same on all. Only one 2FA per app/device
 unless set otherwise.


>Perhaps DOM
>Storage (aka site data) gets used for that.  I doubt any secure site is
>going to use cookies.  I configure my web browser (Firefox) to purge
>*all* its locally cached data on exit 

I do the same with my Firefox browsers. But of course they won't remember
 anything including 2FA being set that way. If you get tired of redoing 2FA
 I suggest you get one browser just for that purpose.


>as a countermeasure to tracking,
>and up my privacy, and tweak the web browser to improve security.
>Firefox on Android permits extensions like uBlock Origin.  Chrome on
>Android does not allow any extensions.  

True. That's why I use apps.

>As for web-centric apps, has there been any independent audits on each
>one to determine their login security, and secure local files storing
>any user data?  Don't most use the accounts stored in Android itself, so
>those get reused.  I don't think Android is storing any 2FA codes or
>other token in the accounts stored in Android.

Dunno. I put my trust in the individual apps. If I can't trust my bank,
 investment, utilities, Walmart, etc, what can I trust? Walmart does pretty
 good BTW. It lets me buy stuff without a new 2FA each time but to reorder
 prescriptions from the pharmacy section it requires a pin to get in...

[toc] | [prev] | [next] | [standalone]


#147064

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-07 10:37 +0100
Message-ID<sbrq9lxms4.ln2@Telcontar.valinor>
In reply to#147058
On 2025-03-07 08:53, VanguardLH wrote:
> AJL <noemail@none.com> wrote:
> 
>> My sensitive apps only require ONE 2FA login (including Walmart). Once
>> the host device is blessed it can be set so that no more 2FA is
>> required. So like Carlos I seldom need SMS 2FA. Only the apps on my
>> new toys for the first time. Course if I was paranoid I could set it
>> to ask on every login. But I don't. Apparently you do??
> 
> I avoid web-centric site-specific apps, like apps just for one site;
> e.g., Walmart, bank, Home Depot, Delta (airline).  Instead I visit them
> in a web browser.  One app that does all instead one app that does one
> site.  Maybe if I used site-specific apps then I'd get 2FA far less
> often, or not at all.  I tend to be very frugal as to what gets
> installed on my smartphone.  I'm unlike a lot of smartphone users that
> install any app just because there is one.
> 
> Does any web browser store 2FA codes for reuse on login?  Perhaps DOM
> Storage (aka site data) gets used for that.  I doubt any secure site is
> going to use cookies.  I configure my web browser (Firefox) to purge
> *all* its locally cached data on exit as a countermeasure to tracking,

That's the cause of your problem. That's why you are asked to verify 
your identity not once in a blue moon like us.

> and up my privacy, and tweak the web browser to improve security.
> Firefox on Android permits extensions like uBlock Origin.  Chrome on
> Android does not allow any extensions.
> 
> As for web-centric apps, has there been any independent audits on each
> one to determine their login security, and secure local files storing
> any user data?  Don't most use the accounts stored in Android itself, so
> those get reused.  I don't think Android is storing any 2FA codes or
> other token in the accounts stored in Android.


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147063

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-07 10:34 +0100
Message-ID<s5rq9lxms4.ln2@Telcontar.valinor>
In reply to#147055
On 2025-03-07 04:21, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> The occasions when I had to check that SMS have been very rare, not even
>> once a month. Going to the kitchen to fetch the phone once a month is
>> not a chore.
> 
> Try logging into Walmart, or Home Depot, or your bank, or anywhere that
> currently uses 2FA via SMS to complete a login.  It's hardly once a
> month that I'm visiting web sites employing 2FA.  It is EVERY day
> multiple times per day. 

You are changing goal posts. Google doesn't ask me even once a month. 
That's the context of this thread, Google.

> Once Google switches to QR codes, and however
> they transport it to your Google account to complete login, how long do
> you think it will be until other web sites adopt the same security
> mechanism?  Remember when OAUTH and then OAUTH2 was unknown to users,
> and look at it now.  The plague will spread.

Of all the mail accounts I have, only googles use oauth2. In any case, 
it is no biggy for me to pick the phone, it is always near me.

Banks are switching to some non SMS method since some time, involving 
their already existing bank app on the phone. That's the issue, that 
SMSs are not considered secure for identification purposes. Using some 
custom app on the phone seems to be the preferred method. It doesn't 
matter really if it is matching a QR photo, or a text transmitted to the 
app.

Going against the times not wanting to use a mobile phone is not going 
to work for anybody.

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147091 — Re: Phones and apps forced on you

FromMarion <marion@facts.com>
Date2025-03-08 18:18 +0000
SubjectRe: Phones and apps forced on you
Message-ID<vqi1m8$28l0$1@nnrp.usenet.blueworldhosting.com>
In reply to#147063
On 7 Mar 2025 10:18:55 GMT, Stefan Ram wrote :


>   Well, I'm using a mobile phone. But my security concept involves
>   not putting an SMS into it and not connecting it to the internet.

Assuming the phone is not rooted, you can still delete from the user
partition almost every app (even Google apps!) that you don't want.
  <https://duckduckgo.com/?q=samsung+galaxy+adb+delete+bloatware>

>   Also, since my youth, I'm used to the idea that it's my computer,
>   so I decide which software to run on it.\

Once you remove all the bloatware, you replace them with non-GSF apps.
 NewPipe replaces the Google YouTube app
 Aurora replaces the Google Play Store app
 Bromite replaces the Chrome web browser app
 FairEmail replaces the Google GMail app
 etc.
 
>   (I'm using the phone to make photos, read PDFs, and semi-manually
>   track my sleep, calculate the recommendation for next sleep, etc.)

What do you think of this free sleep app that doesn't have advertisements?
 <https://play.google.com/store/apps/details?id=health.sleep.sounds.tracker.alarm.calm>

>   Now, a bank told me I need a photo TAN.

A photo TAN is a security measure where a visual code is scanned by a
device or app to generate a one-time transaction authorization number.

> Do you know what I thought?
>   I thought that they were asking me to make a photo of my face right
>   before each transaction maybe with a newspaper of the day or in a
>   position only given right before the transaction.
> 
>   But no, the "photo TAN" does not involve sending a portrait photo of
>   yourself to your bank!
> 
>   I think I'm going to buy an extra phone, I might call the "dirty phone".
>   This will be used for all third party apps I am being forced to use
>   and get an SMS card when needed.

 *How to Buy a Burner Phone*
 <https://lifehacker.com/how-to-buy-a-burner-phone-1843905326>

[toc] | [prev] | [next] | [standalone]


#147100 — Re: Phones and apps forced on you

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-09 14:52 +0100
SubjectRe: Phones and apps forced on you
Message-ID<62j0alxphd.ln2@Telcontar.valinor>
In reply to#147091
On 2025-03-09 13:12, Stefan Ram wrote:
> Marion <marion@facts.com> wrote or quoted:
>> What do you think of this free sleep app that doesn't have advertisements?
> 
>    While I'm currently not able to look at this app, I can say that
>    I often lie without motion while still being awake at night,
>    so I doubt such a device would be able to detect I'm awake.

I use one such app that tracks my sleep. One feature it has is the alarm 
clock. Instead of a fixed time to wake me up, it checks during half an 
hour if it is the correct phase of my sleep to wake me up.

Well, sometimes I wake up on my own near that time. I lie down not 
moving at all, hoping to fall sleep again, and that the alarm doesn't 
sound. But it does. The thing finds out that I am awake feigning being 
sleep and it "rings", early in the half an hour interval instead of late.

(I use Sleep as an Android, paid version)

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147067

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-07 10:00 +0000
Message-ID<vqejjv.14ks.1@ID-201911.user.individual.net>
In reply to#147049
VanguardLH <V@nguard.lh> wrote:
[...]

> I really hate to graft my smartphone to my hand to ensure it is readily
> accessible for this security theater machinations.  I'm too old for all
> this jumping through hoops of fire.  Rather than run through the house
> looking for my smartphone (it's usually on a different floor of the
> house in a charging cradle next to the side door by the garage where I
> enter), I'll just forego the security theater, and go somewhere else for
> e-mail service.  Logging in is getting more complicated to the user and
> at the server than the e-mail service itself.

  In this context, i.e. Google services, there's no "run through the
house" at all:

- Google phone number verification: *one* time action.

- Google 2SV for login: *one* time per device, then mark the device as
  trusted.

- Gmail access via the webUI: same as Google login.

- Gmail access via POP/IMAP/SMTP: no changes AFAIK, i.e. OAUTH2 or app
  passwords (I still use app passwords).

  This (non-)discussion is only about the first situation, but you keep
throwing in the other three as if they have anything to do with it.

  In another response, you talk about the "security theater
machinations" of *other* (than Google) services, i.e. webshops, etc..
Please don't pollute this Google-related discussion with irrelevant
mud.

[...]

[toc] | [prev] | [next] | [standalone]


#147029

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-06 15:00 +0000
Message-ID<vqcgqd.8do.1@ID-201911.user.individual.net>
In reply to#147014
VanguardLH <V@nguard.lh> wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:

[Lots deleted.]

> > You are login into google in your computer; the browser you are using, 
> > or the mail application you are using displays a QR code, and tells you 
> > «take a picture with "name of app" in your registered phone, number 
> > ending in XXX». You comply, and in seconds you are authorized to 
> > complete login to google in the computer.
> 
> "name of app" is?  Would have to be one that connects back to my Google
> account.  Play Services, Google app (aka Google Assistant), or what?

  As Carlos later said, the name of the app (if it's an app, it probably
will be part of Google Play services) will have to be determinded,
because the functionality - verify a phone number by a mechanism using a
QR code - does not exist yet.

> That would provide the mechanism used to complete the Google Prompt.

  As Carlos said, stay focused! 'Google Prompt' has nothing to do with
the to be developed functionality, nor with any other QR code use.

  'Google Prompt' is a prompt you get on your phone to tap to verify
it's *you* (i.e. one of your registered devices), nothing to do with
your *phone number* (the device can be a SIM-less tablet, i.e. the
prompt *cannot* relate to a phone number)..

  So forget about 'Google prompt'. I brought that up due to a question
from AJL, nothing to do with the topic of the OP.

> What if I'm using a web browser on the phone?  The web browser on the
> phone can show a QR image the web site presents, but then what?  It's
> not like I can point the camera in the phone at the web page in the web
> browser on the phone.  Does "name of app" scan the screen?

  *If* you would be using a web browser on the phone in some kind of
verification/authentication procedure, that procedure would obviously
not be using a QR code.

[Lots more deleted.]

[toc] | [prev] | [next] | [standalone]


#147042

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-06 19:14 +0100
Message-ID<o85p9lxjkc.ln2@Telcontar.valinor>
In reply to#147029
On 2025-03-06 16:00, Frank Slootweg wrote:
> VanguardLH <V@nguard.lh> wrote:
>> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
> [Lots deleted.]

...

>> What if I'm using a web browser on the phone?  The web browser on the
>> phone can show a QR image the web site presents, but then what?  It's
>> not like I can point the camera in the phone at the web page in the web
>> browser on the phone.  Does "name of app" scan the screen?
> 
>    *If* you would be using a web browser on the phone in some kind of
> verification/authentication procedure, that procedure would obviously
> not be using a QR code.
> 
> [Lots more deleted.]

A person might be using a browser in the phone in desktop mode. However, 
the intended mode of use of a phone (er, an android phone) is "you are 
always logged in to google" (despite Arlen's protestations). So the 
behaviour of the web browser would be somewhat confusing. Still, the yet 
to be named app could perhaps be designed to take photos or screenshots.

Another confusing use case is when the phone is used with two or more 
google accounts (for example, one personal, another work (or google for 
groups)).

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147050

FromVanguardLH <V@nguard.LH>
Date2025-03-06 15:59 -0600
Message-ID<11f4ixfh3mn8u$.dlg@v.nguard.lh>
In reply to#147029
Frank Slootweg <this@ddress.is.invalid> wrote:

> As Carlos later said, the name of the app (if it's an app, it probably
> will be part of Google Play services) will have to be determinded,
> because the functionality - verify a phone number by a mechanism
> using a QR code - does not exist yet.

While Play Services may work in tandem with the Google App (aka Google
Assistant) on Android, to get Google Prompts to work on iOS (iPhone) has
them just install the Google App from the Apple Play Store
(https://apps.apple.com/us/app/google/id284815942).

Since Google is dropping SMS for login verification, what's left for a
communications venue?  Looks like Google Prompts which are apparently
doable with just the Google App.

>   As Carlos said, stay focused! 'Google Prompt' has nothing to do with
> the to be developed functionality, nor with any other QR code use.
> 
>   'Google Prompt' is a prompt you get on your phone to tap to verify
> it's *you* (i.e. one of your registered devices), nothing to do with
> your *phone number* (the device can be a SIM-less tablet, i.e. the
> prompt *cannot* relate to a phone number)..

SMS as a transport is out for when Google switches to QR codes instead
of text strings.  So, what other communications venue is there between
the "registered device" (which is a smartphone for the vast majority of
users doing Gmail on a mobile device) and Google to complete the login
verification?  The Google App already has a camera icon, and it connects
home to your account.

According to a Gmail spokeperson, SMS is getting dropped.  Okay, so stay
focused yourself, and get off the SMS bandwagon.  What is the
alternative to get the QR code scanned on your registered device aka
smartphone to send to your Google account to complete login
verification?  You say Google Prompts won't be it, but you really don't
know what Google will implement.  Google says SMS won't be it.  So WHAT
else might /it/ be?

If Google comes up with another and different "name of app" than Google
App which already works with Google Prompts, oh goodie, we have to
install more software to support their new scheme.  I take it Google
doesn't trust authenticator apps to be as secure as whatever they may
come up with.

[toc] | [prev] | [next] | [standalone]


#147065

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-07 09:44 +0000
Message-ID<vqeimf.bqs.1@ID-201911.user.individual.net>
In reply to#147050
VanguardLH <V@nguard.lh> wrote:
[...]

> According to a Gmail spokeperson, SMS is getting dropped.  Okay, so stay
> focused yourself, and get off the SMS bandwagon.  What is the
> alternative to get the QR code scanned on your registered device aka
> smartphone to send to your Google account to complete login
> verification?  You say Google Prompts won't be it, but you really don't
> know what Google will implement.  Google says SMS won't be it.  So WHAT
> else might /it/ be?

  You're still mixing everything up and are now putting words in my
mouth, so there's no point continuing, at least not for the 'QR code for
phone number verification part'.

[toc] | [prev] | [next] | [standalone]


#146978

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-05 11:23 +0000
Message-ID<vq9fn2.rhg.1@ID-201911.user.individual.net>
In reply to#146972
VanguardLH <V@nguard.lh> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
> 
> > VanguardLH <V@nguard.lh> wrote:
> > [...]
> > 
> >> Not relevant to my statement of having to wait for SMS messages (text or
> >> QR image content) nor there is no guaranteed delivery of SMS messages.
> >> 
> >> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
> >> message with a QR image.  Then what?  Do SMS apps have embedded scanning
> >> of the content of SMS messages to then use an embedded QR decoder to
> >> show the text embedded in the image (which obviates the whole point of
> >> supposedly securing the text string in an image) that I then have to
> >> copy/paste into some web prompt?  
> > 
> >   AFAICT, "an SMS message with a QR image" is a figment of your
> > imagination!
> > 
> >   I think such a thing is not mentioned anywhere and not even implied
> > anywhere.
> 
> The delivery mechanism is defined where?

  Not in the referenced (web) articles and sofar nobody has (read:
could) come up with specifics.

[...]

> However, upon some further reading, Google Prompts looks to use
> notifications instead of SMS/MMS messages.  Maybe.
> 
> >   So perhaps it's best to come up with an actual quote from the
> > referenced articles, which leads you to your assumption, instead of
> > going on and on about something which is very likely a straw man / red
> > herring.
> 
> That's the crux of the problem: there are no details on how QR images by
> whatever delivery mechanism are to get decoded into strings by the user
> to input into a waiting field.  All of us are just guessing for now what
> are the possibilities.

  In the use of QR codes I am aware of, the QR code appears on the
screen of your device (mostly a computer) and you 'take a picture'
(actually you only maneuver the QR code within a viewing window) with
your smartphone/tablet.

  That's for example the way it works for linking (adding) a new device
in WhatsApp and when I want to use my phone as an (2FA/TOTP)
authentication device for the websites of our banks. (I.e. on my
computer, I go to the login page of my bank's website. A QR code
appears. I use the bank's app on my phone to 'take a picture' of the QR
code. And I'm logged in.)

  See also Carlos' responses. He said the same thing. And, as he said,
this is a known and trusted procedure. And, by the looks of it, the
procedure Google is going to use to verify phone numbers.

[toc] | [prev] | [next] | [standalone]


#147017

FromAndy Burns <usenet@andyburns.uk>
Date2025-03-06 07:51 +0000
Message-ID<m2t2gvF5ebbU1@mid.individual.net>
In reply to#146967
Frank Slootweg wrote:

> AFAICT, "an SMS message with a QR image" is a figment of your 
> imagination!

And if one arrived on your phone, what would you "scan" the QR code 
with?  They don't work in a mirror.

[toc] | [prev] | [next] | [standalone]


#147018

FromDave Royal <dave@dave123royal.com>
Date2025-03-06 08:02 +0000
Message-ID<vqbkqo$2t0hv$1@dont-email.me>
In reply to#147017
Andy Burns <usenet@andyburns.uk> Wrote in message:

Two mirrors at 90 degrees, to cancel the lateral inversion ;)
-- 
Remove numerics from my email address.

[toc] | [prev] | [next] | [standalone]


#147051

FromVanguardLH <V@nguard.LH>
Date2025-03-06 16:14 -0600
Message-ID<17iatgemh8271.dlg@v.nguard.lh>
In reply to#147017
Andy Burns <usenet@andyburns.uk> wrote:

> Frank Slootweg wrote:
> 
>> AFAICT, "an SMS message with a QR image" is a figment of your 
>> imagination!
> 
> And if one arrived on your phone, what would you "scan" the QR code 
> with?  They don't work in a mirror.

Maybe Frank didn't think of MMS, an enhancement to SMS, can send images
within messages.

Well, Google could embed some new feature into Chrome to handle web
sites presenting a QR code for login verification.  Chrome would
silently connect home to your Google account to send the QR code back to
Google.  On a smartphone, isn't the Chrome web browser always logged
into your Google account?  On a desktop, the Chrome web browser is also
likely logged into your Google account.  A later version of Chrome could
be the new app guessed by Carlos.  Oh goody, to log into Gmail mandates
you use the Chrome web browser.  I wouldn't put Google beyond enforcing
that requirement to get more of the stubborn amongst to move to Chrome.

Frank doesn't like my [second] guess that Google will move to using
Google Prompts, a communications venue that already exists on Android
phones, SMS is getting dropped by Google, but neither Frank nor Carlos
have come up with an alternative communications venue.  None of us know
now what Google may implement later, but reusing existing functionality
seems more likely than creating a whole new communications venue, and
another new app solely for login verification (don't we already have
that with authenticator apps?).  

Could be Google, as Carlos puts it, will come out with a new app we need
to install to scan the QR code to send it back to your Google account to
complete login verification.  However, the Google App already on the
smartphone connects back to your Google account, and it has a camera
icon, too.  In addition, to get Google Prompts on iOS (iPhones), those
users can get the Google App from Apple's Play Store.  Those users would
have to create a Google account; however, if they're using Gmail that
will move to a modified security theater then they already have a Google
account.

[toc] | [prev] | [next] | [standalone]


#146969

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-04 22:37 +0100
Message-ID<ie8k9lxpm3.ln2@Telcontar.valinor>
In reply to#146966
On 2025-03-04 20:53, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> VanguardLH wrote:
>>
>>> So, you either have to wait for an SMS message to arrive from them,
>>> or for them to get the one you send them.
>>
>> No, they also say:
>>
>> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly
>> used as a security and anti-abuse check, but there are plenty of
>> security challenges, like phishing and traffic pumping. Consequently,
>> Google plans to reimagine how it verifies phone numbers over the next
>> few months. Instead of entering their phone numbers and receiving a
>> six-digit code over SMS, users will see a QR code they need to scan
>> with their phone camera.»
> 
> Not relevant to my statement of having to wait for SMS messages (text or
> QR image content) nor there is no guaranteed delivery of SMS messages.
> 
> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
> message with a QR image.

NO. Again, NO.

You will see a QR displayed on the computer, and then you take a photo 
of it with your mobile phone. That is the procedure. I have told you 
this a few times already.

The photo will be either taken with some Google app, or will link to an 
URL that you have to navigate to on the phone.

This is basically the same procedure used by WhatsApp to activate 
whatsapp on the computer.

There is no SMS involved at all.

...

The rest are figments of your imagination and deleted.

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#146973

FromVanguardLH <V@nguard.LH>
Date2025-03-04 19:49 -0600
Message-ID<1pdppnedg6qij$.dlg@v.nguard.lh>
In reply to#146969
"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2025-03-04 20:53, VanguardLH wrote:
>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>> 
>>> VanguardLH wrote:
>>>
>>>> So, you either have to wait for an SMS message to arrive from them,
>>>> or for them to get the one you send them.
>>>
>>> No, they also say:
>>>
>>> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly
>>> used as a security and anti-abuse check, but there are plenty of
>>> security challenges, like phishing and traffic pumping. Consequently,
>>> Google plans to reimagine how it verifies phone numbers over the next
>>> few months. Instead of entering their phone numbers and receiving a
>>> six-digit code over SMS, users will see a QR code they need to scan
>>> with their phone camera.»
>> 
>> Not relevant to my statement of having to wait for SMS messages (text or
>> QR image content) nor there is no guaranteed delivery of SMS messages.
>> 
>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>> message with a QR image.
> 
> NO. Again, NO.
> 
> You will see a QR displayed on the computer, and then you take a photo 
> of it with your mobile phone. That is the procedure. I have told you 
> this a few times already.

Yes, you have been very clear on being vague.  Displayed on the computer
... BY WHAT?  If not an SMS or MMS message to display by a messaging
app, then just WHAT is displaying the QR image?  What communication
protocol is used to transfer the QR message?  What process is displaying
the QR message?  You keep referring to, um, magic displaying the
message, but give no actual details - because you don't know which is
why you can't explain.

[toc] | [prev] | [next] | [standalone]


#146974

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-05 03:44 +0100
Message-ID<fdqk9lx6m3.ln2@Telcontar.valinor>
In reply to#146973
On 2025-03-05 02:49, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> On 2025-03-04 20:53, VanguardLH wrote:
>>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>>>
>>>> VanguardLH wrote:
>>>>
>>>>> So, you either have to wait for an SMS message to arrive from them,
>>>>> or for them to get the one you send them.
>>>>
>>>> No, they also say:
>>>>
>>>> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly
>>>> used as a security and anti-abuse check, but there are plenty of
>>>> security challenges, like phishing and traffic pumping. Consequently,
>>>> Google plans to reimagine how it verifies phone numbers over the next
>>>> few months. Instead of entering their phone numbers and receiving a
>>>> six-digit code over SMS, users will see a QR code they need to scan
>>>> with their phone camera.»
>>>
>>> Not relevant to my statement of having to wait for SMS messages (text or
>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>
>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>> message with a QR image.
>>
>> NO. Again, NO.
>>
>> You will see a QR displayed on the computer, and then you take a photo
>> of it with your mobile phone. That is the procedure. I have told you
>> this a few times already.
> 
> Yes, you have been very clear on being vague.  Displayed on the computer
> ... BY WHAT? 

By the web browser where you are trying to login to gmail, or by the 
mail application trying to login using oauth2.

> If not an SMS or MMS message to display by a messaging
> app, then just WHAT is displaying the QR image?  What communication
> protocol is used to transfer the QR message?  What process is displaying
> the QR message?  You keep referring to, um, magic displaying the
> message, but give no actual details - because you don't know which is
> why you can't explain.

You are overcomplicating yourself. It is trivial to do. Firefox has no 
problem displaying a QR code in the screen, and the phone has no trouble 
taking a photo and sending it or doing something appropriate with it. By 
the same tool that now and then asks if it is you trying to login to a 
new machine, and you tap "yes, it is me" or "no, it is not me".


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


Page 3 of 4 — ← Prev page 1 2 [3] 4  Next page →

Back to top | Article view | comp.mobile.android


csiph-web