Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #146903 > unrolled thread
| Started by | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| First post | 2025-03-02 14:28 +0100 |
| Last post | 2025-03-07 22:45 +0800 |
| Articles | 20 on this page of 64 — 11 participants |
Back to article view | Back to comp.mobile.android
Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800
Page 1 of 4 [1] 2 3 4 Next page →
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-02 14:28 +0100 |
| Subject | Google will no longer send SMSs with six digit codes for verification |
| Message-ID | <803e9lxp44.ln2@Telcontar.valinor> |
Hi, Just read yesterday that Google will no longer send SMSs with six digit codes for verification of gmail account, but instead will use QR codes. This is to avoid scams in which the victim is told to tell the fraudster the number he just received on the phone. I have a source but it is in Spanish: <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> Oh, English here: <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> -- Cheers, Carlos.
[toc] | [next] | [standalone]
| From | Jörg Lorenz <hugybear@gmx.net> |
|---|---|
| Date | 2025-03-02 14:48 +0100 |
| Message-ID | <vq1niv$q2gh$1@dont-email.me> |
| In reply to | #146903 |
On 02.03.25 14:28, Carlos E.R. wrote: > Hi, > > Just read yesterday that Google will no longer send SMSs with six digit > codes for verification of gmail account, but instead will use QR codes. > This is to avoid scams in which the victim is told to tell the fraudster > the number he just received on the phone. > > I have a source but it is in Spanish: > > <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> > > Oh, English here: > <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> Technology cannot solve social problems. -- "Mille viae ducunt hominem per saecula Romam." (Alanus ab Insulis 1120-1202)
[toc] | [prev] | [next] | [standalone]
| From | AJL <noemail@none.com> |
|---|---|
| Date | 2025-03-02 16:41 +0000 |
| Message-ID | <vq21n7$rq33$1@dont-email.me> |
| In reply to | #146903 |
On 3/2/25 6:28 AM, Carlos E.R. wrote: >Hi, > >Just read yesterday that Google will no longer send SMSs with six digit >codes for verification of gmail account, but instead will use QR codes. >This is to avoid scams in which the victim is told to tell the fraudster >the number he just received on the phone. > >I have a source but it is in Spanish: > ><https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> > >Oh, English here: ><https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> I've been using the Google Authenticator app for quite awhile now to verify new devices. Very easy to use. Just push the yes it's me button. Surprisingly it even works on my Amazon Fire converted to Google account tablets. Hope it stays...
[toc] | [prev] | [next] | [standalone]
| From | Dave Royal <dave@dave123royal.com> |
|---|---|
| Date | 2025-03-02 17:45 +0000 |
| Message-ID | <vq25gd$sfo6$1@dont-email.me> |
| In reply to | #146905 |
AJL <noemail@none.com> Wrote in message: > On 3/2/25 6:28 AM, Carlos E.R. wrote: >>Hi, >> >>Just read yesterday that Google will no longer send SMSs with six digit >>codes for verification of gmail account, but instead will use QR codes. >>This is to avoid scams in which the victim is told to tell the fraudster >>the number he just received on the phone. >> >>I have a source but it is in Spanish: >> >><https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> >> >>Oh, English here: >><https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> > > I've been using the Google Authenticator app for quite awhile now to verify > new devices. Very easy to use. Just push the yes it's me button. > Surprisingly it even works on my Amazon Fire converted to Google account > tablets. Hope it stays... You can use standard OTP authenticators too. I use andOTP on Android (and FreeOTP on iOS). Also for GitHub, Yahoo, PayPal and Mozilla.) -- Remove numerics from my email address.
[toc] | [prev] | [next] | [standalone]
| From | Bill Powell <bill@anarchists.org> |
|---|---|
| Date | 2025-03-04 02:41 +0100 |
| Message-ID | <vq5lo0$3sv4j$1@matrix.hispagatos.org> |
| In reply to | #146905 |
On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote: > I've been using the Google Authenticator app for quite awhile now to verify > new devices. Very easy to use. Just push the yes it's me button. > Surprisingly it even works on my Amazon Fire converted to Google account > tablets. Hope it stays... How does the Google Authenticator compare to the Microsoft Authenticator? https://play.google.com/store/apps/details?id=com.azure.authenticator
[toc] | [prev] | [next] | [standalone]
| From | AJL <noemail@none.com> |
|---|---|
| Date | 2025-03-03 21:23 -0700 |
| Message-ID | <vq5v83$1nj23$1@dont-email.me> |
| In reply to | #146940 |
On 3/3/2025 6:41 PM, Bill Powell wrote: > On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote: > >> I've been using the Google Authenticator app for quite awhile now >> to verify new devices. Very easy to use. Just push the yes it's me >> button. Surprisingly it even works on my Amazon Fire converted to >> Google account tablets. Hope it stays... > > How does the Google Authenticator compare to the Microsoft > Authenticator? Dunno. All I've ever had was the Google Authenticator on my Android devices. And I'm not sure I even use that. When I fire up a NEW Android device and sign into my Google accounts for the first time, after I put in my user name and password it sends a white screen to my other Android devices on which I pick one and push a "Yes it's me" button for verification and the new device is then signed on. I always thought that Google Authenticator was responsible but after my last post I looked at it and don't see any indication that it is or is not responsible for this verification. Perhaps one of the more technical folks here can explain how this (non-SMS) verification process works...
[toc] | [prev] | [next] | [standalone]
| From | Dave Royal <dave@dave123royal.com> |
|---|---|
| Date | 2025-03-04 07:11 +0000 |
| Message-ID | <vq692u$1p51h$1@dont-email.me> |
| In reply to | #146944 |
AJL <noemail@none.com> Wrote in message: > On 3/3/2025 6:41 PM, Bill Powell wrote: >> On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote: >> >>> I've been using the Google Authenticator app for quite awhile now >>> to verify new devices. Very easy to use. Just push the yes it's me >>> button. Surprisingly it even works on my Amazon Fire converted to >>> Google account tablets. Hope it stays... >> >> How does the Google Authenticator compare to the Microsoft >> Authenticator? > > Dunno. All I've ever had was the Google Authenticator on my Android > devices. And I'm not sure I even use that. > > When I fire up a NEW Android device and sign into my Google accounts for > the first time, after I put in my user name and password it sends a > white screen to my other Android devices on which I pick one and push a > "Yes it's me" button for verification and the new device is then signed on. > > I always thought that Google Authenticator was responsible but after my > last post I looked at it and don't see any indication that it is or is > not responsible for this verification. Perhaps one of the more technical > folks here can explain how this (non-SMS) verification process works... > Google Authenicator, and the ones I use - andOTP (Android only) and FreeOTP - use TOTP: <https://en.m.wikipedia.org/wiki/Time-based_one-time_password> I don't know anything about Microsoft Authenticator. -- Remove numerics from my email address.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 13:23 -0600 |
| Message-ID | <1ewh0fkbpkzsg$.dlg@v.nguard.lh> |
| In reply to | #146948 |
Dave Royal <dave@dave123royal.com> wrote: > Google Authenicator, and the ones I use - andOTP (Android only) > and FreeOTP - use TOTP: > <https://en.m.wikipedia.org/wiki/Time-based_one-time_password> > > I don't know anything about Microsoft Authenticator. Yet different authenticators, also all using TOTP, think they know better how to improve security. Google's, Symantec's, Authy's, and others' authenticators are not 100% compatible. You'll find you have to use one as some sites, a different one at some other sites, and so on. You may end up with a suite of authenticators to cover all the sites where you login. Many sites will work with any TOTP authenticator, but not all. https://en.wikipedia.org/wiki/Comparison_of_OTP_applications None of them are Yes (green) across the board, and the Yes/No don't match across different authenticators. Bitwarden has more Yeses than Google and Microsoft that only support iOS and Android. I used Authy before, because it had a desktop app (Windows, Linux, Mac), but they dropped their desktop apps a year ago. Bitwarden supports desktops OSes, but TOTP and Yubikey are a premium features ($10 or $40 per year subscriptionware). I'm not paying to let sites force security theater on me. Maybe I might buy a Yubikey, but only if that helps automate the authenticator to eliminate nuisancing the user on login with the security theater crap, and only if just the hardware key is the only cost (~$55). Yubico has their own authenticators for desktops (Windows, Mac, Linux), and mobiles (ioS, Android) that work with their own Yubikeys. However, Yubico doesn't support Epoch, but then neither do most the authenticators listed in the wiki article (hence my mention about compatibility, and possibly having to use multiple authenticators to cover all the sites where you login that foist 2FA). Unfortunately that wiki comparison article doesn't show which authenticators work with hardware security keys. Yubikey works with Google Authenticator, but then it desparately needs a hardware security key since it stores keys in plain text. https://saaspass.com/authenticator/ "SAASPASS encrypts all data, whereas Google Authenticator stores keys in plain/clear text; this is a problem especially with rooted devices and backup programs, where unencrypted data can be viewed easily" I didn't see QR mentioned in their features list, but QR is mentioned at https://saaspass.com/faq/ yet requires an Internet connection. Maybe SASSPASS works with my bank although the bank only lists Symtantec VIP and Authy as supported. However, since there is no free tier with SASSPASS, just trials and subscriptionware, that candidate is scrapped.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-04 13:38 +0000 |
| Message-ID | <vq7392.162c.1@ID-201911.user.individual.net> |
| In reply to | #146944 |
AJL <noemail@none.com> wrote:
[...]
> When I fire up a NEW Android device and sign into my Google accounts for
> the first time, after I put in my user name and password it sends a
> white screen to my other Android devices on which I pick one and push a
> "Yes it's me" button for verification and the new device is then signed on.
>
> I always thought that Google Authenticator was responsible but after my
> last post I looked at it and don't see any indication that it is or is
> not responsible for this verification. Perhaps one of the more technical
> folks here can explain how this (non-SMS) verification process works...
The 2SV mechanism you're using is called 'Google prompt', i.e. you get
a prompt on your device(s).
See the '2-Step Verification' section of your Google account [1].
There you will see 'Google prompt' as one of the options in 'Second
steps'. It will list the number of devices which can get the prompt and
('>') which devices (in my case my phone and a tablet).
[1] <https://myaccount.google.com/signinoptions/twosv>
List of your 'Google prompt' devices:
<https://myaccount.google.com/two-step-verification/prompt>
[toc] | [prev] | [next] | [standalone]
| From | AJL <noemail@none.com> |
|---|---|
| Date | 2025-03-04 09:22 -0700 |
| Message-ID | <vq79bc$1ulmv$1@dont-email.me> |
| In reply to | #146954 |
On 3/4/2025 6:38 AM, Frank Slootweg wrote:
> AJL <noemail@none.com> wrote: [...]
>> When I fire up a NEW Android device and sign into my Google
>> accounts for the first time, after I put in my user name and
>> password it sends a white screen to my other Android devices on
>> which I pick one and push a "Yes it's me" button for verification
>> and the new device is then signed on.
>>
>> I always thought that Google Authenticator was responsible but
>> after my last post I looked at it and don't see any indication that
>> it is or is not responsible for this verification. Perhaps one of
>> the more technical folks here can explain how this (non-SMS)
>> verification process works...
>
> The 2SV mechanism you're using is called 'Google prompt', i.e. you
> get a prompt on your device(s).
>
> See the '2-Step Verification' section of your Google account [1].
> There you will see 'Google prompt' as one of the options in 'Second
> steps'. It will list the number of devices which can get the prompt
> and ('>') which devices (in my case my phone and a tablet).
Ah. Thanks for that. Google works so smoothly for me I haven't been to
the settings in many moons. So I take back what I said about Google
Authenticator. I apparently haven't and don't use it. And I'm still an
old fashioned password person. But judging from the nudges I keep
getting from Google that may not last...
> [1] <https://myaccount.google.com/signinoptions/twosv> List of your
> 'Google prompt' devices:
> <https://myaccount.google.com/two-step-verification/prompt>
>
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 19:37 -0600 |
| Message-ID | <8ddwq1cqhyxm.dlg@v.nguard.lh> |
| In reply to | #146954 |
Frank Slootweg <this@ddress.is.invalid> wrote:
> AJL <noemail@none.com> wrote:
> [...]
>> When I fire up a NEW Android device and sign into my Google accounts for
>> the first time, after I put in my user name and password it sends a
>> white screen to my other Android devices on which I pick one and push a
>> "Yes it's me" button for verification and the new device is then signed on.
>>
>> I always thought that Google Authenticator was responsible but after my
>> last post I looked at it and don't see any indication that it is or is
>> not responsible for this verification. Perhaps one of the more technical
>> folks here can explain how this (non-SMS) verification process works...
>
> The 2SV mechanism you're using is called 'Google prompt', i.e. you get
> a prompt on your device(s).
>
> See the '2-Step Verification' section of your Google account [1].
> There you will see 'Google prompt' as one of the options in 'Second
> steps'. It will list the number of devices which can get the prompt and
> ('>') which devices (in my case my phone and a tablet).
>
> [1] <https://myaccount.google.com/signinoptions/twosv>
> List of your 'Google prompt' devices:
> <https://myaccount.google.com/two-step-verification/prompt>
I don't have 2FV enabled. Deliberately left it disabled.
What on the phone presents the prompt? A service, and auth app, what?
How does the prompt get to the phone? What communications venue?
Google claims their scheme is more secure than SMS texts, but no mention
regarding delivery mechanism, or display mechanism.
When text gets replaced with a QR code, then what? While they are
currently SMS texts showing a string, I can transcribe them into some
input dialog awaiting that string. I don't read QR. When some prompt
by some undescribed delivery mechanism gets delivered to my phone and
display by some undescribed process that is apparently always running on
my phone, how do I decode the QR image to then transcribe its content
(the text string) to some input dialog?
https://support.google.com/accounts/answer/7026266
No info there on HOW it works other than the phone must be signed into a
Google account (and where Google Prompt is enabled for selected phones).
You said "So it's *not* about authenticating a Google account login,
*nor* a Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account." Yet the above article is about
getting the "Prompt" when signing in. "You can use Google prompts to
sign in: ..."
https://guidebooks.google.com/online-security/understand-online-security/sign-in-challenges?hl=en
Still missing the basics of how delivered, what displays the prompt, and
how the user is going to decode a QR image (when Google switches) to
then enter its encoded string into a waiting input dialog.
At most, it appears from some online hits, including Youtube searches,
that Google Prompts rely on using the Google App (which, for me, is the
search bar aka Google Assistant shown on the home screen). Under
settings -> General -> Apps, "Google" can be disabled. While it cannot
be easily disabled, I'm sure someone can remark how to remove it. Some
users don't want it, and prefer their choice of search engine in their
choice of web browser. Will disabling the "Google" app also disable
Google Prompts? Again, the inquiry comes back to how the Prompt gets
delivered, and what is used to display it.
https://youtu.be/p5EuBBAbfPY?t=12
That says "When signing in using the Google prompt, the Google app on
your phone will ask if you are trying to sign in." Okay, so through
what communications venue does the Prompt get delivered? Looks like the
Google App gets used to display the Prompt provided it has not been
disabled (or removed). For iOS users (assuming they bother with Gmail
services where they have to login), they have to install the Google App
on their iPhones.
https://youtu.be/p5EuBBAbfPY?t=37
That shows you signing into your Google account. After entering your
username and password, and if 2FV is enabled, you get prompted for
two-step verification. From some Prompt, you transcribe the numeric
string into the waiting input field. When the Prompt changes to a QR
image, just how are users to decode it into a string to enter into the
waiting input field?
Doesn't anyone know just how notifications are sent to the phone (i.e. ,
what communications protocols are used)? Or is that the alchemy of
Android that users aren't supposed to know? I suspect no one will know
how the user is going to decode the QR image into a text string to input
the numbers into a waiting input field until Google decides just how
they are going to implement the switch from text strings via SMS (or
text strings via Google Prompt) to dropping a QR image on the user's
phone (which is still unclear if SMS or Google Prompt is used).
https://www.phonearena.com/news/google-adds-extra-security-to-account-login-with-enhanced-2fa-prompt_id167200
https://9to5google.com/2025/01/31/google-prompt-2fa-fingerprint/
Those mention Google Play Services is involved, yet iPhone users are
told to just install the Google App. The enhancements come to Android's
[Google] Play Services in version 25 Although iPhone users are told to
install the Google App to make use of all this security theater, maybe
iPhone users even after installing the Google App won't be getting the
enhance features of Google Prompts unless Google rolls them into a new
Google App for both platforms.
Will there be a minimum Android version for Google Prompts, and however
the received QR image gets inputted to some waiting dialog? Seems an
Android-only thing with an iOS workaround; however, just because I have
an Android phone doesn't mean I must let Google control it, or use
anything of Google on it. What do de-Googled users do?
From searching their help, and having forum posts show up in results,
users often remark that Google Prompt is insecure. Alas, they don't
detail just what is insecure, or what are the vulnerabilities. Maybe
it's about this:
https://www.forbes.com/sites/daveywinder/2025/01/04/gmail-security-threat-confirmed-google-wont-fix-it-heres-why/
[toc] | [prev] | [next] | [standalone]
| From | Andy Burns <usenet@andyburns.uk> |
|---|---|
| Date | 2025-03-04 07:05 +0000 |
| Message-ID | <m2nn15Fb25rU3@mid.individual.net> |
| In reply to | #146940 |
Bill Powell wrote: > How does the Google Authenticator compare to the Microsoft Authenticator? In terms of functionally they're equivalent, if a website says you have to use one, you can in fact use the other, the bells and whistles vary.
[toc] | [prev] | [next] | [standalone]
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Date | 2025-03-06 11:39 +0100 |
| Message-ID | <m2tcb1F6l2mU5@mid.individual.net> |
| In reply to | #146940 |
Bill Powell, 2025-03-04 02:41: > On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote: > >> I've been using the Google Authenticator app for quite awhile now to verify >> new devices. Very easy to use. Just push the yes it's me button. >> Surprisingly it even works on my Amazon Fire converted to Google account >> tablets. Hope it stays... > > How does the Google Authenticator compare to the Microsoft Authenticator? > https://play.google.com/store/apps/details?id=com.azure.authenticator If you only need this for TOTP, you can also use Aegis - no need to get all other Microsoft related stuff as well which "Authenticator" provides: <https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis> Bitwarden also allows storing TOTP to password entries - and there is even a community server which you can host on your own machine, if you want: <https://play.google.com/store/apps/details?id=com.x8bit.bitwarden> <https://bitwarden.com/self-hosted-password-manager-on-premises/> And Vaultwarden is a compapatible open source server for Bitwarden clients: <https://www.vaultwarden.net> -- Arno Welzel https://arnowelzel.de
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 10:06 -0600 |
| Message-ID | <gdgnn0a575j9$.dlg@v.nguard.lh> |
| In reply to | #147023 |
Arno Welzel <usenet@arnowelzel.de> wrote: > Bitwarden also allows storing TOTP to password entries - and there is > even a community server which you can host on your own machine, if you > want: > > <https://play.google.com/store/apps/details?id=com.x8bit.bitwarden> > > <https://bitwarden.com/self-hosted-password-manager-on-premises/> > > And Vaultwarden is a compapatible open source server for Bitwarden clients: > > <https://www.vaultwarden.net> I use Bitwarden as a password manager mostly because sites have begun to use Javascript to add the input login fields after page load which is too late for password managers built into web browsers. Plus it gives me the same password vault across web browsers across different hosts. I'm using the free version. However, when I looked at Bitwarden as an authenticator, TOTP was a paid feature. See: https://bitwarden.com/pricing/ $10/year is cheap, but not free. If I later decide to incorporate a Yubikey 5 at $55 hoping to automate all this security theater (get me out of the loop, and speed up authentication to minimize interruption to logins), I'd probably go with a paid (Premium) Bitwarden account.
[toc] | [prev] | [next] | [standalone]
| From | Arno Welzel <usenet@arnowelzel.de> |
|---|---|
| Date | 2025-03-07 14:39 +0100 |
| Message-ID | <m30b7nFkj1jU3@mid.individual.net> |
| In reply to | #147032 |
VanguardLH, 2025-03-06 17:06: [...] > However, when I looked at Bitwarden as an authenticator, TOTP was a paid > feature. See: > > https://bitwarden.com/pricing/ You can set up Vaultwarden on your own server and use TOTP without any paid license. -- Arno Welzel https://arnowelzel.de
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-07 15:57 -0600 |
| Message-ID | <19wii162eis4x$.dlg@v.nguard.lh> |
| In reply to | #147076 |
Arno Welzel <usenet@arnowelzel.de> wrote: > VanguardLH, 2025-03-06 17:06: > > [...] >> However, when I looked at Bitwarden as an authenticator, TOTP was a paid >> feature. See: >> >> https://bitwarden.com/pricing/ > > You can set up Vaultwarden on your own server and use TOTP without any > paid license. But to use elsewhere outside my home's network I would have to go through the hassle of making the server accessible only by me from outside along with securing it. I'm not really into all that anymore. Thanks for the mention, though. For $10/year, I'd rather have someone else do all that. I used to change my own engine oil and filter, and do other car maintenance, to save a few dollars, but I don't need nor want to that anymore. I used to have free Usenet at Albanani, AIOE, now Eternal-September, and other free Usenet providers, but I wanted something more stable, and pay 10 euro per year for NIN (news.individual.net).
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-03 04:05 -0600 |
| Message-ID | <1begjrynfhjra$.dlg@v.nguard.lh> |
| In reply to | #146903 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > Hi, > > Just read yesterday that Google will no longer send SMSs with six digit > codes for verification of gmail account, but instead will use QR codes. > This is to avoid scams in which the victim is told to tell the fraudster > the number he just received on the phone. > > I have a source but it is in Spanish: > > <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> > > Oh, English here: > <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have a cellular or landline phone line to it (it cannot do telephony) which is typical of desktop PCs. I want to login to my Gmail account. How are they going to send an SMS text to my desktop PC? Not everyone logging into Gmail is using a smartphone to do so. However, my IMAP e-mail client using OAUTH2 to login never sends me anything to further authenticate the login. To where is Google going to send their QR code when I use a web browser to connect and log into https://www.gmail.com? The articles are about discussions about possible future changes, but the article or discussions have been very incomplete, like a proposal without a scheme. The articles are as worthless as telling you a grocery store will have a weekly sale sometime months in the future, but not when, or what will be on sale for what price.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-03 04:18 -0600 |
| Message-ID | <i61r04m7gjb3$.dlg@v.nguard.lh> |
| In reply to | #146907 |
VanguardLH <V@nguard.LH> wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> Hi, >> >> Just read yesterday that Google will no longer send SMSs with six digit >> codes for verification of gmail account, but instead will use QR codes. >> This is to avoid scams in which the victim is told to tell the fraudster >> the number he just received on the phone. >> >> I have a source but it is in Spanish: >> >> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> >> >> Oh, English here: >> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> > > Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have > a cellular or landline phone line to it (it cannot do telephony) which > is typical of desktop PCs. I want to login to my Gmail account. How > are they going to send an SMS text to my desktop PC? Not everyone > logging into Gmail is using a smartphone to do so. > > However, my IMAP e-mail client using OAUTH2 to login never sends me > anything to further authenticate the login. > > To where is Google going to send their QR code when I use a web browser > to connect and log into https://www.gmail.com? > > The articles are about discussions about possible future changes, but > the article or discussions have been very incomplete, like a proposal > without a scheme. The articles are as worthless as telling you a > grocery store will have a weekly sale sometime months in the future, but > not when, or what will be on sale for what price. Oops, forgot I was in the Android newsgroup which eliminates desktops.
[toc] | [prev] | [next] | [standalone]
| From | Jörg Lorenz <hugybear@gmx.net> |
|---|---|
| Date | 2025-03-03 11:26 +0100 |
| Message-ID | <vq4045$101js$1@solani.org> |
| In reply to | #146908 |
On 03.03.25 11:18, VanguardLH wrote: > VanguardLH <V@nguard.LH> wrote: >> Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have >> a cellular or landline phone line to it (it cannot do telephony) which >> is typical of desktop PCs. I want to login to my Gmail account. How >> are they going to send an SMS text to my desktop PC? Not everyone >> logging into Gmail is using a smartphone to do so. >> >> However, my IMAP e-mail client using OAUTH2 to login never sends me >> anything to further authenticate the login. >> >> To where is Google going to send their QR code when I use a web browser >> to connect and log into https://www.gmail.com? >> >> The articles are about discussions about possible future changes, but >> the article or discussions have been very incomplete, like a proposal >> without a scheme. The articles are as worthless as telling you a >> grocery store will have a weekly sale sometime months in the future, but >> not when, or what will be on sale for what price. > > Oops, forgot I was in the Android newsgroup which eliminates desktops. Are you serious with all that? -- "Roma locuta, causa finita." (Augustinus)
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-03 11:18 +0100 |
| Message-ID | <k8cg9lx8uf.ln2@Telcontar.valinor> |
| In reply to | #146907 |
On 2025-03-03 11:05, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> Hi, >> >> Just read yesterday that Google will no longer send SMSs with six digit >> codes for verification of gmail account, but instead will use QR codes. >> This is to avoid scams in which the victim is told to tell the fraudster >> the number he just received on the phone. >> >> I have a source but it is in Spanish: >> >> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> >> >> Oh, English here: >> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> > > Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have > a cellular or landline phone line to it (it cannot do telephony) which > is typical of desktop PCs. I want to login to my Gmail account. How > are they going to send an SMS text to my desktop PC? Not everyone > logging into Gmail is using a smartphone to do so. Tough luck. The SMS is sent to the phone that is registered with the account. > > However, my IMAP e-mail client using OAUTH2 to login never sends me > anything to further authenticate the login. > > To where is Google going to send their QR code when I use a web browser > to connect and log into https://www.gmail.com? To your registered smartphone. > > The articles are about discussions about possible future changes, but > the article or discussions have been very incomplete, like a proposal > without a scheme. The articles are as worthless as telling you a > grocery store will have a weekly sale sometime months in the future, but > not when, or what will be on sale for what price. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
Page 1 of 4 [1] 2 3 4 Next page →
Back to top | Article view | comp.mobile.android
csiph-web