Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146903 > unrolled thread

Google will no longer send SMSs with six digit codes for verification

Started by"Carlos E.R." <robin_listas@es.invalid>
First post2025-03-02 14:28 +0100
Last post2025-03-07 22:45 +0800
Articles 20 on this page of 64 — 11 participants

Back to article view | Back to comp.mobile.android


Contents

  Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
    Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
    Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
          Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
        Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
            Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
    Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
      Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
          Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
              Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
            Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
                              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
                                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
                                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
                                        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
                                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
                                            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
                                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
                                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
                                          Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
                                            Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
                                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
                                  Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
              Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800

Page 1 of 4  [1] 2 3 4  Next page →


#146903 — Google will no longer send SMSs with six digit codes for verification

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-02 14:28 +0100
SubjectGoogle will no longer send SMSs with six digit codes for verification
Message-ID<803e9lxp44.ln2@Telcontar.valinor>
Hi,

Just read yesterday that Google will no longer send SMSs with six digit 
codes for verification of gmail account, but instead will use QR codes. 
This is to avoid scams in which the victim is told to tell the fraudster 
the number he just received on the phone.

I have a source but it is in Spanish:

<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>

Oh, English here: 
<https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>

-- 
Cheers, Carlos.

[toc] | [next] | [standalone]


#146904

FromJörg Lorenz <hugybear@gmx.net>
Date2025-03-02 14:48 +0100
Message-ID<vq1niv$q2gh$1@dont-email.me>
In reply to#146903
On 02.03.25 14:28, Carlos E.R. wrote:
> Hi,
> 
> Just read yesterday that Google will no longer send SMSs with six digit 
> codes for verification of gmail account, but instead will use QR codes. 
> This is to avoid scams in which the victim is told to tell the fraudster 
> the number he just received on the phone.
> 
> I have a source but it is in Spanish:
> 
> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
> 
> Oh, English here: 
> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>

Technology cannot solve social problems.

-- 
"Mille viae ducunt hominem per saecula Romam." (Alanus ab Insulis 1120-1202)

[toc] | [prev] | [next] | [standalone]


#146905

FromAJL <noemail@none.com>
Date2025-03-02 16:41 +0000
Message-ID<vq21n7$rq33$1@dont-email.me>
In reply to#146903
On 3/2/25 6:28 AM, Carlos E.R. wrote:
>Hi,
>
>Just read yesterday that Google will no longer send SMSs with six digit 
>codes for verification of gmail account, but instead will use QR codes. 
>This is to avoid scams in which the victim is told to tell the fraudster 
>the number he just received on the phone.
>
>I have a source but it is in Spanish:
>
><https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>
>Oh, English here: 
><https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>

I've been using the Google Authenticator app for quite awhile now to verify
 new devices. Very easy to use. Just push the yes it's me button.
 Surprisingly it even works on my Amazon Fire converted to Google account
 tablets. Hope it stays...

[toc] | [prev] | [next] | [standalone]


#146906

FromDave Royal <dave@dave123royal.com>
Date2025-03-02 17:45 +0000
Message-ID<vq25gd$sfo6$1@dont-email.me>
In reply to#146905
AJL <noemail@none.com> Wrote in message:

> On 3/2/25 6:28 AM, Carlos E.R. wrote:
>>Hi,
>>
>>Just read yesterday that Google will no longer send SMSs with six digit 
>>codes for verification of gmail account, but instead will use QR codes. 
>>This is to avoid scams in which the victim is told to tell the fraudster 
>>the number he just received on the phone.
>>
>>I have a source but it is in Spanish:
>>
>><https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>>
>>Oh, English here: 
>><https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
> 
> I've been using the Google Authenticator app for quite awhile now to verify
>  new devices. Very easy to use. Just push the yes it's me button.
>  Surprisingly it even works on my Amazon Fire converted to Google account
>  tablets. Hope it stays...

You can use standard OTP authenticators too. I use andOTP on
 Android (and FreeOTP on iOS). Also for GitHub, Yahoo, PayPal and
 Mozilla.)
-- 
Remove numerics from my email address.

[toc] | [prev] | [next] | [standalone]


#146940

FromBill Powell <bill@anarchists.org>
Date2025-03-04 02:41 +0100
Message-ID<vq5lo0$3sv4j$1@matrix.hispagatos.org>
In reply to#146905
On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:

> I've been using the Google Authenticator app for quite awhile now to verify
>  new devices. Very easy to use. Just push the yes it's me button.
>  Surprisingly it even works on my Amazon Fire converted to Google account
>  tablets. Hope it stays...

How does the Google Authenticator compare to the Microsoft Authenticator?
https://play.google.com/store/apps/details?id=com.azure.authenticator

[toc] | [prev] | [next] | [standalone]


#146944

FromAJL <noemail@none.com>
Date2025-03-03 21:23 -0700
Message-ID<vq5v83$1nj23$1@dont-email.me>
In reply to#146940
On 3/3/2025 6:41 PM, Bill Powell wrote:
> On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
>
>> I've been using the Google Authenticator app for quite awhile now
>> to verify new devices. Very easy to use. Just push the yes it's me
>>  button. Surprisingly it even works on my Amazon Fire converted to
>>  Google account tablets. Hope it stays...
>
> How does the Google Authenticator compare to the Microsoft
> Authenticator?

Dunno. All I've ever had was the Google Authenticator on my Android
devices. And I'm not sure I even use that.

When I fire up a NEW Android device and sign into my Google accounts for
the first time, after I put in my user name and password it sends a
white screen to my other Android devices on which I pick one and push a
"Yes it's me" button for verification and the new device is then signed on.

I always thought that Google Authenticator was responsible but after my
last post I looked at it and don't see any indication that it is or is
not responsible for this verification. Perhaps one of the more technical
folks here can explain how this (non-SMS) verification process works...

[toc] | [prev] | [next] | [standalone]


#146948

FromDave Royal <dave@dave123royal.com>
Date2025-03-04 07:11 +0000
Message-ID<vq692u$1p51h$1@dont-email.me>
In reply to#146944
AJL <noemail@none.com> Wrote in message:

> On 3/3/2025 6:41 PM, Bill Powell wrote:
>> On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
>>
>>> I've been using the Google Authenticator app for quite awhile now
>>> to verify new devices. Very easy to use. Just push the yes it's me
>>>  button. Surprisingly it even works on my Amazon Fire converted to
>>>  Google account tablets. Hope it stays...
>>
>> How does the Google Authenticator compare to the Microsoft
>> Authenticator?
> 
> Dunno. All I've ever had was the Google Authenticator on my Android
> devices. And I'm not sure I even use that.
> 
> When I fire up a NEW Android device and sign into my Google accounts for
> the first time, after I put in my user name and password it sends a
> white screen to my other Android devices on which I pick one and push a
> "Yes it's me" button for verification and the new device is then signed on.
> 
> I always thought that Google Authenticator was responsible but after my
> last post I looked at it and don't see any indication that it is or is
> not responsible for this verification. Perhaps one of the more technical
> folks here can explain how this (non-SMS) verification process works...
> 

Google Authenicator, and the ones I use - andOTP (Android only)
 and FreeOTP - use TOTP:
<https://en.m.wikipedia.org/wiki/Time-based_one-time_password>

I don't know anything about Microsoft Authenticator.
-- 
Remove numerics from my email address.

[toc] | [prev] | [next] | [standalone]


#146965

FromVanguardLH <V@nguard.LH>
Date2025-03-04 13:23 -0600
Message-ID<1ewh0fkbpkzsg$.dlg@v.nguard.lh>
In reply to#146948
Dave Royal <dave@dave123royal.com> wrote:

> Google Authenicator, and the ones I use - andOTP (Android only)
>  and FreeOTP - use TOTP:
> <https://en.m.wikipedia.org/wiki/Time-based_one-time_password>
> 
> I don't know anything about Microsoft Authenticator.

Yet different authenticators, also all using TOTP, think they know
better how to improve security.  Google's, Symantec's, Authy's, and
others' authenticators are not 100% compatible.  You'll find you have to
use one as some sites, a different one at some other sites, and so on.
You may end up with a suite of authenticators to cover all the sites
where you login.  Many sites will work with any TOTP authenticator, but
not all.

https://en.wikipedia.org/wiki/Comparison_of_OTP_applications

None of them are Yes (green) across the board, and the Yes/No don't
match across different authenticators.  Bitwarden has more Yeses than
Google and Microsoft that only support iOS and Android.  I used Authy
before, because it had a desktop app (Windows, Linux, Mac), but they
dropped their desktop apps a year ago.  Bitwarden supports desktops
OSes, but TOTP and Yubikey are a premium features ($10 or $40 per year
subscriptionware).  I'm not paying to let sites force security theater
on me.  

Maybe I might buy a Yubikey, but only if that helps automate the
authenticator to eliminate nuisancing the user on login with the
security theater crap, and only if just the hardware key is the only
cost (~$55).  Yubico has their own authenticators for desktops (Windows,
Mac, Linux), and mobiles (ioS, Android) that work with their own
Yubikeys.  However, Yubico doesn't support Epoch, but then neither do
most the authenticators listed in the wiki article (hence my mention
about compatibility, and possibly having to use multiple authenticators
to cover all the sites where you login that foist 2FA).

Unfortunately that wiki comparison article doesn't show which
authenticators work with hardware security keys.  Yubikey works with
Google Authenticator, but then it desparately needs a hardware security
key since it stores keys in plain text.

https://saaspass.com/authenticator/
"SAASPASS encrypts all data, whereas Google Authenticator stores keys in
plain/clear text; this is a problem especially with rooted devices and
backup programs, where unencrypted data can be viewed easily"

I didn't see QR mentioned in their features list, but QR is mentioned at
https://saaspass.com/faq/ yet requires an Internet connection.  Maybe
SASSPASS works with my bank although the bank only lists Symtantec VIP
and Authy as supported.  However, since there is no free tier with
SASSPASS, just trials and subscriptionware, that candidate is scrapped.

[toc] | [prev] | [next] | [standalone]


#146954

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-04 13:38 +0000
Message-ID<vq7392.162c.1@ID-201911.user.individual.net>
In reply to#146944
AJL <noemail@none.com> wrote:
[...]
> When I fire up a NEW Android device and sign into my Google accounts for
> the first time, after I put in my user name and password it sends a
> white screen to my other Android devices on which I pick one and push a
> "Yes it's me" button for verification and the new device is then signed on.
> 
> I always thought that Google Authenticator was responsible but after my
> last post I looked at it and don't see any indication that it is or is
> not responsible for this verification. Perhaps one of the more technical
> folks here can explain how this (non-SMS) verification process works...

  The 2SV mechanism you're using is called 'Google prompt', i.e. you get
a prompt on your device(s).

  See the '2-Step Verification' section of your Google account [1].
There you will see 'Google prompt' as one of the options in 'Second
steps'. It will list the number of devices which can get the prompt and
('>') which devices (in my case my phone and a tablet).

[1] <https://myaccount.google.com/signinoptions/twosv>
List of your 'Google prompt' devices:
<https://myaccount.google.com/two-step-verification/prompt>

[toc] | [prev] | [next] | [standalone]


#146956

FromAJL <noemail@none.com>
Date2025-03-04 09:22 -0700
Message-ID<vq79bc$1ulmv$1@dont-email.me>
In reply to#146954
On 3/4/2025 6:38 AM, Frank Slootweg wrote:
> AJL <noemail@none.com> wrote: [...]
>> When I fire up a NEW Android device and sign into my Google
>> accounts for the first time, after I put in my user name and
>> password it sends a white screen to my other Android devices on
>> which I pick one and push a "Yes it's me" button for verification
>> and the new device is then signed on.
>>
>> I always thought that Google Authenticator was responsible but
>> after my last post I looked at it and don't see any indication that
>> it is or is not responsible for this verification. Perhaps one of
>> the more technical folks here can explain how this (non-SMS)
>> verification process works...
>
> The 2SV mechanism you're using is called 'Google prompt', i.e. you
> get a prompt on your device(s).
>
> See the '2-Step Verification' section of your Google account [1].
> There you will see 'Google prompt' as one of the options in 'Second
> steps'. It will list the number of devices which can get the prompt
> and ('>') which devices (in my case my phone and a tablet).

Ah. Thanks for that. Google works so smoothly for me I haven't been to
the settings in many moons. So I take back what I said about Google
Authenticator. I apparently haven't and don't use it. And I'm still an
old fashioned password person. But judging from the nudges I keep
getting from Google that may not last...

> [1] <https://myaccount.google.com/signinoptions/twosv> List of your
> 'Google prompt' devices:
> <https://myaccount.google.com/two-step-verification/prompt>
>

[toc] | [prev] | [next] | [standalone]


#146971

FromVanguardLH <V@nguard.LH>
Date2025-03-04 19:37 -0600
Message-ID<8ddwq1cqhyxm.dlg@v.nguard.lh>
In reply to#146954
Frank Slootweg <this@ddress.is.invalid> wrote:

> AJL <noemail@none.com> wrote:
> [...]
>> When I fire up a NEW Android device and sign into my Google accounts for
>> the first time, after I put in my user name and password it sends a
>> white screen to my other Android devices on which I pick one and push a
>> "Yes it's me" button for verification and the new device is then signed on.
>> 
>> I always thought that Google Authenticator was responsible but after my
>> last post I looked at it and don't see any indication that it is or is
>> not responsible for this verification. Perhaps one of the more technical
>> folks here can explain how this (non-SMS) verification process works...
> 
>   The 2SV mechanism you're using is called 'Google prompt', i.e. you get
> a prompt on your device(s).
> 
>   See the '2-Step Verification' section of your Google account [1].
> There you will see 'Google prompt' as one of the options in 'Second
> steps'. It will list the number of devices which can get the prompt and
> ('>') which devices (in my case my phone and a tablet).
> 
> [1] <https://myaccount.google.com/signinoptions/twosv>
> List of your 'Google prompt' devices:
> <https://myaccount.google.com/two-step-verification/prompt>

I don't have 2FV enabled.  Deliberately left it disabled.

What on the phone presents the prompt?  A service, and auth app, what?
How does the prompt get to the phone?  What communications venue?
Google claims their scheme is more secure than SMS texts, but no mention
regarding delivery mechanism, or display mechanism.

When text gets replaced with a QR code, then what?  While they are
currently SMS texts showing a string, I can transcribe them into some
input dialog awaiting that string.  I don't read QR.  When some prompt
by some undescribed delivery mechanism gets delivered to my phone and
display by some undescribed process that is apparently always running on
my phone, how do I decode the QR image to then transcribe its content
(the text string) to some input dialog?

https://support.google.com/accounts/answer/7026266
No info there on HOW it works other than the phone must be signed into a
Google account (and where Google Prompt is enabled for selected phones).  

You said "So it's *not* about authenticating a Google account login,
*nor* a Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account."  Yet the above article is about
getting the "Prompt" when signing in.  "You can use Google prompts to
sign in:  ..."

https://guidebooks.google.com/online-security/understand-online-security/sign-in-challenges?hl=en
Still missing the basics of how delivered, what displays the prompt, and
how the user is going to decode a QR image (when Google switches) to
then enter its encoded string into a waiting input dialog.

At most, it appears from some online hits, including Youtube searches,
that Google Prompts rely on using the Google App (which, for me, is the
search bar aka Google Assistant shown on the home screen).  Under
settings -> General -> Apps, "Google" can be disabled.  While it cannot
be easily disabled, I'm sure someone can remark how to remove it.  Some
users don't want it, and prefer their choice of search engine in their
choice of web browser.  Will disabling the "Google" app also disable
Google Prompts?  Again, the inquiry comes back to how the Prompt gets
delivered, and what is used to display it.

https://youtu.be/p5EuBBAbfPY?t=12
That says "When signing in using the Google prompt, the Google app on
your phone will ask if you are trying to sign in."  Okay, so through
what communications venue does the Prompt get delivered?  Looks like the
Google App gets used to display the Prompt provided it has not been
disabled (or removed).  For iOS users (assuming they bother with Gmail
services where they have to login), they have to install the Google App
on their iPhones.

https://youtu.be/p5EuBBAbfPY?t=37
That shows you signing into your Google account.  After entering your
username and password, and if 2FV is enabled, you get prompted for
two-step verification.  From some Prompt, you transcribe the numeric
string into the waiting input field.  When the Prompt changes to a QR
image, just how are users to decode it into a string to enter into the
waiting input field?

Doesn't anyone know just how notifications are sent to the phone (i.e. ,
what communications protocols are used)?  Or is that the alchemy of
Android that users aren't supposed to know?  I suspect no one will know
how the user is going to decode the QR image into a text string to input
the numbers into a waiting input field until Google decides just how
they are going to implement the switch from text strings via SMS (or
text strings via Google Prompt) to dropping a QR image on the user's
phone (which is still unclear if SMS or Google Prompt is used).

https://www.phonearena.com/news/google-adds-extra-security-to-account-login-with-enhanced-2fa-prompt_id167200
https://9to5google.com/2025/01/31/google-prompt-2fa-fingerprint/

Those mention Google Play Services is involved, yet iPhone users are
told to just install the Google App.  The enhancements come to Android's
[Google] Play Services in version 25  Although iPhone users are told to
install the Google App to make use of all this security theater, maybe
iPhone users even after installing the Google App won't be getting the
enhance features of Google Prompts unless Google rolls them into a new
Google App for both platforms.

Will there be a minimum Android version for Google Prompts, and however
the received QR image gets inputted to some waiting dialog?  Seems an
Android-only thing with an iOS workaround; however, just because I have
an Android phone doesn't mean I must let Google control it, or use
anything of Google on it.  What do de-Googled users do?

From searching their help, and having forum posts show up in results,
users often remark that Google Prompt is insecure.  Alas, they don't
detail just what is insecure, or what are the vulnerabilities.  Maybe
it's about this:

https://www.forbes.com/sites/daveywinder/2025/01/04/gmail-security-threat-confirmed-google-wont-fix-it-heres-why/

[toc] | [prev] | [next] | [standalone]


#146947

FromAndy Burns <usenet@andyburns.uk>
Date2025-03-04 07:05 +0000
Message-ID<m2nn15Fb25rU3@mid.individual.net>
In reply to#146940
Bill Powell wrote:

> How does the Google Authenticator compare to the Microsoft Authenticator?
In terms of functionally they're equivalent, if a website says you have 
to use one, you can in fact use the other, the bells and whistles vary.

[toc] | [prev] | [next] | [standalone]


#147023

FromArno Welzel <usenet@arnowelzel.de>
Date2025-03-06 11:39 +0100
Message-ID<m2tcb1F6l2mU5@mid.individual.net>
In reply to#146940
Bill Powell, 2025-03-04 02:41:

> On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
> 
>> I've been using the Google Authenticator app for quite awhile now to verify
>>  new devices. Very easy to use. Just push the yes it's me button.
>>  Surprisingly it even works on my Amazon Fire converted to Google account
>>  tablets. Hope it stays...
> 
> How does the Google Authenticator compare to the Microsoft Authenticator?
> https://play.google.com/store/apps/details?id=com.azure.authenticator

If you only need this for TOTP, you can also use Aegis - no need to get
all other Microsoft related stuff as well which "Authenticator" provides:

<https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis>

Bitwarden also allows storing TOTP to password entries - and there is
even a community server which you can host on your own machine, if you
want:

<https://play.google.com/store/apps/details?id=com.x8bit.bitwarden>

<https://bitwarden.com/self-hosted-password-manager-on-premises/>

And Vaultwarden is a compapatible open source server for Bitwarden clients:

<https://www.vaultwarden.net>


-- 
Arno Welzel
https://arnowelzel.de

[toc] | [prev] | [next] | [standalone]


#147032

FromVanguardLH <V@nguard.LH>
Date2025-03-06 10:06 -0600
Message-ID<gdgnn0a575j9$.dlg@v.nguard.lh>
In reply to#147023
Arno Welzel <usenet@arnowelzel.de> wrote:

> Bitwarden also allows storing TOTP to password entries - and there is
> even a community server which you can host on your own machine, if you
> want:
> 
> <https://play.google.com/store/apps/details?id=com.x8bit.bitwarden>
> 
> <https://bitwarden.com/self-hosted-password-manager-on-premises/>
> 
> And Vaultwarden is a compapatible open source server for Bitwarden clients:
> 
> <https://www.vaultwarden.net>

I use Bitwarden as a password manager mostly because sites have begun to
use Javascript to add the input login fields after page load which is
too late for password managers built into web browsers.  Plus it gives
me the same password vault across web browsers across different hosts.
I'm using the free version.

However, when I looked at Bitwarden as an authenticator, TOTP was a paid
feature.  See:

https://bitwarden.com/pricing/

$10/year is cheap, but not free.  If I later decide to incorporate a
Yubikey 5 at $55 hoping to automate all this security theater (get me
out of the loop, and speed up authentication to minimize interruption to
logins), I'd probably go with a paid (Premium) Bitwarden account.

[toc] | [prev] | [next] | [standalone]


#147076

FromArno Welzel <usenet@arnowelzel.de>
Date2025-03-07 14:39 +0100
Message-ID<m30b7nFkj1jU3@mid.individual.net>
In reply to#147032
VanguardLH, 2025-03-06 17:06:

[...]
> However, when I looked at Bitwarden as an authenticator, TOTP was a paid
> feature.  See:
> 
> https://bitwarden.com/pricing/

You can set up Vaultwarden on your own server and use TOTP without any
paid license.


-- 
Arno Welzel
https://arnowelzel.de

[toc] | [prev] | [next] | [standalone]


#147087

FromVanguardLH <V@nguard.LH>
Date2025-03-07 15:57 -0600
Message-ID<19wii162eis4x$.dlg@v.nguard.lh>
In reply to#147076
Arno Welzel <usenet@arnowelzel.de> wrote:

> VanguardLH, 2025-03-06 17:06:
> 
> [...]
>> However, when I looked at Bitwarden as an authenticator, TOTP was a paid
>> feature.  See:
>> 
>> https://bitwarden.com/pricing/
> 
> You can set up Vaultwarden on your own server and use TOTP without any
> paid license.

But to use elsewhere outside my home's network I would have to go
through the hassle of making the server accessible only by me from
outside along with securing it.  I'm not really into all that anymore.
Thanks for the mention, though.  

For $10/year, I'd rather have someone else do all that.  I used to
change my own engine oil and filter, and do other car maintenance, to
save a few dollars, but I don't need nor want to that anymore.  I used
to have free Usenet at Albanani, AIOE, now Eternal-September, and other
free Usenet providers, but I wanted something more stable, and pay 10
euro per year for NIN (news.individual.net).  

[toc] | [prev] | [next] | [standalone]


#146907

FromVanguardLH <V@nguard.LH>
Date2025-03-03 04:05 -0600
Message-ID<1begjrynfhjra$.dlg@v.nguard.lh>
In reply to#146903
"Carlos E.R." <robin_listas@es.invalid> wrote:

> Hi,
> 
> Just read yesterday that Google will no longer send SMSs with six digit 
> codes for verification of gmail account, but instead will use QR codes. 
> This is to avoid scams in which the victim is told to tell the fraudster 
> the number he just received on the phone.
> 
> I have a source but it is in Spanish:
> 
> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
> 
> Oh, English here: 
> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>

Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs.  I want to login to my Gmail account.  How
are they going to send an SMS text to my desktop PC?  Not everyone
logging into Gmail is using a smartphone to do so.

However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.

To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?

The articles are about discussions about possible future changes, but
the article or discussions have been very incomplete, like a proposal
without a scheme.  The articles are as worthless as telling you a
grocery store will have a weekly sale sometime months in the future, but
not when, or what will be on sale for what price.  

[toc] | [prev] | [next] | [standalone]


#146908

FromVanguardLH <V@nguard.LH>
Date2025-03-03 04:18 -0600
Message-ID<i61r04m7gjb3$.dlg@v.nguard.lh>
In reply to#146907
VanguardLH <V@nguard.LH> wrote:

> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> Hi,
>> 
>> Just read yesterday that Google will no longer send SMSs with six digit 
>> codes for verification of gmail account, but instead will use QR codes. 
>> This is to avoid scams in which the victim is told to tell the fraudster 
>> the number he just received on the phone.
>> 
>> I have a source but it is in Spanish:
>> 
>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>> 
>> Oh, English here: 
>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
> 
> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
> a cellular or landline phone line to it (it cannot do telephony) which
> is typical of desktop PCs.  I want to login to my Gmail account.  How
> are they going to send an SMS text to my desktop PC?  Not everyone
> logging into Gmail is using a smartphone to do so.
> 
> However, my IMAP e-mail client using OAUTH2 to login never sends me
> anything to further authenticate the login.
> 
> To where is Google going to send their QR code when I use a web browser
> to connect and log into https://www.gmail.com?
> 
> The articles are about discussions about possible future changes, but
> the article or discussions have been very incomplete, like a proposal
> without a scheme.  The articles are as worthless as telling you a
> grocery store will have a weekly sale sometime months in the future, but
> not when, or what will be on sale for what price.

Oops, forgot I was in the Android newsgroup which eliminates desktops.  

[toc] | [prev] | [next] | [standalone]


#146910

FromJörg Lorenz <hugybear@gmx.net>
Date2025-03-03 11:26 +0100
Message-ID<vq4045$101js$1@solani.org>
In reply to#146908
On 03.03.25 11:18, VanguardLH wrote:
> VanguardLH <V@nguard.LH> wrote:
>> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
>> a cellular or landline phone line to it (it cannot do telephony) which
>> is typical of desktop PCs.  I want to login to my Gmail account.  How
>> are they going to send an SMS text to my desktop PC?  Not everyone
>> logging into Gmail is using a smartphone to do so.
>>
>> However, my IMAP e-mail client using OAUTH2 to login never sends me
>> anything to further authenticate the login.
>>
>> To where is Google going to send their QR code when I use a web browser
>> to connect and log into https://www.gmail.com?
>>
>> The articles are about discussions about possible future changes, but
>> the article or discussions have been very incomplete, like a proposal
>> without a scheme.  The articles are as worthless as telling you a
>> grocery store will have a weekly sale sometime months in the future, but
>> not when, or what will be on sale for what price.
> 
> Oops, forgot I was in the Android newsgroup which eliminates desktops.  

Are you serious with all that?


-- 
"Roma locuta, causa finita." (Augustinus)

[toc] | [prev] | [next] | [standalone]


#146909

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-03 11:18 +0100
Message-ID<k8cg9lx8uf.ln2@Telcontar.valinor>
In reply to#146907
On 2025-03-03 11:05, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> Hi,
>>
>> Just read yesterday that Google will no longer send SMSs with six digit
>> codes for verification of gmail account, but instead will use QR codes.
>> This is to avoid scams in which the victim is told to tell the fraudster
>> the number he just received on the phone.
>>
>> I have a source but it is in Spanish:
>>
>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>>
>> Oh, English here:
>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
> 
> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
> a cellular or landline phone line to it (it cannot do telephony) which
> is typical of desktop PCs.  I want to login to my Gmail account.  How
> are they going to send an SMS text to my desktop PC?  Not everyone
> logging into Gmail is using a smartphone to do so.

Tough luck. The SMS is sent to the phone that is registered with the 
account.

> 
> However, my IMAP e-mail client using OAUTH2 to login never sends me
> anything to further authenticate the login.
> 
> To where is Google going to send their QR code when I use a web browser
> to connect and log into https://www.gmail.com?

To your registered smartphone.

> 
> The articles are about discussions about possible future changes, but
> the article or discussions have been very incomplete, like a proposal
> without a scheme.  The articles are as worthless as telling you a
> grocery store will have a weekly sale sometime months in the future, but
> not when, or what will be on sale for what price.


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


Page 1 of 4  [1] 2 3 4  Next page →

Back to top | Article view | comp.mobile.android


csiph-web