Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #146903 > unrolled thread

Google will no longer send SMSs with six digit codes for verification

Started by"Carlos E.R." <robin_listas@es.invalid>
First post2025-03-02 14:28 +0100
Last post2025-03-07 22:45 +0800
Articles 20 on this page of 64 — 11 participants

Back to article view | Back to comp.mobile.android


Contents

  Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
    Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
    Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
          Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
        Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
            Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
    Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
      Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
        Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
          Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
            Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
              Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
                Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
          Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
            Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
                              Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
                                Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
                                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
                                        Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
                                          Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
                                            Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
                                            Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
                                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
                                          Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
                                            Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
                                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
                                  Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
                                  Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
                                    Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
                      Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
                        Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
                    Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
                      Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
                        Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
              Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
                Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
      Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800

Page 2 of 4 — ← Prev page 1 [2] 3 4  Next page →


#146911

FromJörg Lorenz <hugybear@gmx.net>
Date2025-03-03 11:27 +0100
Message-ID<vq405r$101js$2@solani.org>
In reply to#146909
On 03.03.25 11:18, Carlos E.R. wrote:
> On 2025-03-03 11:05, VanguardLH wrote:
>> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
>> a cellular or landline phone line to it (it cannot do telephony) which
>> is typical of desktop PCs.  I want to login to my Gmail account.  How
>> are they going to send an SMS text to my desktop PC?  Not everyone
>> logging into Gmail is using a smartphone to do so.
> 
> Tough luck. The SMS is sent to the phone that is registered with the 
> account.

+1


-- 
"Roma locuta, causa finita." (Augustinus)

[toc] | [prev] | [next] | [standalone]


#146912

FromVanguardLH <V@nguard.LH>
Date2025-03-03 04:39 -0600
Message-ID<1bfu5iribmwb4$.dlg@v.nguard.lh>
In reply to#146909
"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2025-03-03 11:05, VanguardLH wrote:
>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>> 
>>> Hi,
>>>
>>> Just read yesterday that Google will no longer send SMSs with six digit
>>> codes for verification of gmail account, but instead will use QR codes.
>>> This is to avoid scams in which the victim is told to tell the fraudster
>>> the number he just received on the phone.
>>>
>>> I have a source but it is in Spanish:
>>>
>>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>>>
>>> Oh, English here:
>>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
>> 
>> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
>> a cellular or landline phone line to it (it cannot do telephony) which
>> is typical of desktop PCs.  I want to login to my Gmail account.  How
>> are they going to send an SMS text to my desktop PC?  Not everyone
>> logging into Gmail is using a smartphone to do so.
> 
> Tough luck. The SMS is sent to the phone that is registered with the 
> account.

What was the point of Google (and Microsoft) fucking up OAUTH, a
protocol, to screw into the OAUTH2, a framework, for authenticated
logins?

Whether on my Android phone or Windows desktop using OAUTH2 email apps,
or using a web browser with HTTPS, I've never received an SMS text (on
my phone) to complete a login to Gmail.  If they replace SMS texts with
QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
won't be getting QR codes, either.

If the QR codes are sent via SMS texts, instead of getting a string of
numbers the users get a QR code.  Um, just what is a QR code?  Scan one
to see it is just embedded text.  Maybe Google is assuming no one has a
QR scanner app on their phone to decode what text it contains.

Once the QR image arrives via SMS text on the phone, what the hell am I
supposed to do with it?  Not like I can point the phone's cameras at the
phone's screen to read the QR image to decode into the text within.  So,
whatever is attempting the login must incorporate a QR scanner that can
look at QR images in SMS texts?

>> However, my IMAP e-mail client using OAUTH2 to login never sends me
>> anything to further authenticate the login.
>> 
>> To where is Google going to send their QR code when I use a web browser
>> to connect and log into https://www.gmail.com?
> 
> To your registered smartphone.

And I'm somehow supposedly to magically scan a QR code in an SMS text
sent to my phone to get it to my desktop?  Unlike a numeric string, I
cannot transcribe a QR code into whatever is the text within it.

[toc] | [prev] | [next] | [standalone]


#146913

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-03 11:48 +0100
Message-ID<s0eg9lxcan.ln2@Telcontar.valinor>
In reply to#146912
On 2025-03-03 11:39, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> On 2025-03-03 11:05, VanguardLH wrote:
>>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>>>
>>>> Hi,
>>>>
>>>> Just read yesterday that Google will no longer send SMSs with six digit
>>>> codes for verification of gmail account, but instead will use QR codes.
>>>> This is to avoid scams in which the victim is told to tell the fraudster
>>>> the number he just received on the phone.
>>>>
>>>> I have a source but it is in Spanish:
>>>>
>>>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
>>>>
>>>> Oh, English here:
>>>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
>>>
>>> Doesn't make sense.  Say I'm using a desktop PC.  Nope, it doesn't have
>>> a cellular or landline phone line to it (it cannot do telephony) which
>>> is typical of desktop PCs.  I want to login to my Gmail account.  How
>>> are they going to send an SMS text to my desktop PC?  Not everyone
>>> logging into Gmail is using a smartphone to do so.
>>
>> Tough luck. The SMS is sent to the phone that is registered with the
>> account.
> 
> What was the point of Google (and Microsoft) fucking up OAUTH, a
> protocol, to screw into the OAUTH2, a framework, for authenticated
> logins?

2FA.

> 
> Whether on my Android phone or Windows desktop using OAUTH2 email apps,
> or using a web browser with HTTPS, I've never received an SMS text (on
> my phone) to complete a login to Gmail.  If they replace SMS texts with
> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
> won't be getting QR codes, either.

I have.

> 
> If the QR codes are sent via SMS texts, instead of getting a string of
> numbers the users get a QR code.  Um, just what is a QR code?  Scan one
> to see it is just embedded text.  Maybe Google is assuming no one has a
> QR scanner app on their phone to decode what text it contains.

This is undefined. Probably you get a QR graphic in the computer, and 
you have to take a photo of it with your phone, inside some application 
they still have to tell us.

> 
> Once the QR image arrives via SMS text on the phone, what the hell am I
> supposed to do with it?  Not like I can point the phone's cameras at the
> phone's screen to read the QR image to decode into the text within.  So,
> whatever is attempting the login must incorporate a QR scanner that can
> look at QR images in SMS texts?

See above.

> 
>>> However, my IMAP e-mail client using OAUTH2 to login never sends me
>>> anything to further authenticate the login.
>>>
>>> To where is Google going to send their QR code when I use a web browser
>>> to connect and log into https://www.gmail.com?
>>
>> To your registered smartphone.
> 
> And I'm somehow supposedly to magically scan a QR code in an SMS text
> sent to my phone to get it to my desktop?  Unlike a numeric string, I
> cannot transcribe a QR code into whatever is the text within it.

See above.

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#146927

FromVanguardLH <V@nguard.LH>
Date2025-03-03 13:45 -0600
Message-ID<k32dhoyfafnc$.dlg@v.nguard.lh>
In reply to#146913
"Carlos E.R." <robin_listas@es.invalid> wrote:

> VanguardLH wrote:
>
>> What was the point of Google (and Microsoft) fucking up OAUTH, a
>> protocol, to screw into the OAUTH2, a framework, for authenticated
>> logins?
> 
> 2FA.

Separate and independent security schemes.  OAUTH2 has the OAUTH2 server
send a token (half the key) to the client that the client stores for
later logins.  The OAUTH2 server keeps the other half.  The user never
has to enter the token, a code string, or scan some QR image.  2FA
interrupts the login making the user wait for the code to then enter
into some prompt.  2FA relies on 2 criteria: what you know, and what you
have.  Alas, many sites fuck up 2FA by never having you enter a
password, but just take your username and then send the 2FA code without
you ever entering the password, so half of the 2FA scheme (what you
know) is missing.

I'm not part of the kiddie generation that is grafted to their
smartphones.  Also, smartphone penetration is not 100%.  It's 83% in
urban regions, and 65% in rural regions in the USA.  That means there
are folks without a smartphone.  They have no way to get SMS messages.
Lots of folks just have simple landlines.

Instead of sending via SMS, the QR code could be sent via e-mail.  Geez,
like no one that intercepts your e-mails (which are not encrypted) could
possibly use a QR scanner in a script to login before you do.  Also,
there is no guaranteed delivery to email or SMS.  Ever have a web site
send a 2FA code never to get it, and you had to request another?  Well,
maybe someone intercepted that insecure communication.  A QR code isn't
going to deter a thief any more than a numeric string.

>> Whether on my Android phone or Windows desktop using OAUTH2 email apps,
>> or using a web browser with HTTPS, I've never received an SMS text (on
>> my phone) to complete a login to Gmail.  If they replace SMS texts with
>> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
>> won't be getting QR codes, either.
> 
> I have.

On every login, or once in a blue moon?  I can see getting the messages
if you enabled 2FV in your Google account, but I did not.  I recall
faintly getting challenged on a login, and had to give my security
answers to access my account.  I didn't get a 2FA code for that.

>> If the QR codes are sent via SMS texts, instead of getting a string of
>> numbers the users get a QR code.  Um, just what is a QR code?  Scan one
>> to see it is just embedded text.  Maybe Google is assuming no one has a
>> QR scanner app on their phone to decode what text it contains.
> 
> This is undefined. Probably you get a QR graphic in the computer, and 
> you have to take a photo of it with your phone, inside some application 
> they still have to tell us.

So, I'd need two computers to login?

Ever see an old video comedy skit where it takes 3 people with both
their hands to operate an overly complicated wrist watch with lots of
buttons that have be pressed concurrently?  Might've been on SNL, but I
can't find it now.

Seems they should just proclaim they will eventually require an
authenticator app.  However, those aren't all compatible with each
other.  The Google Authenticator App isn't usable at my bank where I
would have to use either the Symantec VIP or the Twilio Authy app.  I
did use the Authy app, but it didn't work everywhere, plus Authy dropped
their desktop app (Windows, Mac, Linux) leaving only their Android and
iOS apps (so I'm back to grafting a smartphone to my hand).  There are
variances in the protocols, so no one authenticator app works
everywhere.  I wasn't going to install multiple authenticator apps.  

The bank forced SMS delivery of 2FA codes.  No e-mail option.  My
workaround was to give my Google Voice number to my bank to where they
send their SMS texts, and configure my Google Voice account to forward
SMS texts to my Gmail account, so I get the 2FA codes via e-mail.  I
didn't have to suspend the login by having to roam through the house
looking for my phone.  I can read the e-mail at my desktop in an e-mail
client to get the code to enter into the web site's prompt.  All that
jumping through hoops because the bank forced their 2FA security
theater, but only via SMS.

Yes, the minutes of the reported meeting where QR codes were mentioned
did not delve into just how the change will be implemented hence I said
the article is so uninformative as to be nearly FUD.  Something might
change, but no info on when or how implemented, or even how QR codes
(that contain text strings) are more secure than text strings sent over
insecure communication venues.  Someone had a wet dream, and someone
else thought it was news.

[toc] | [prev] | [next] | [standalone]


#146929

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-03 21:28 +0100
Message-ID<v0gh9lxofo.ln2@Telcontar.valinor>
In reply to#146927
On 2025-03-03 20:45, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> VanguardLH wrote:
>>
>>> What was the point of Google (and Microsoft) fucking up OAUTH, a
>>> protocol, to screw into the OAUTH2, a framework, for authenticated
>>> logins?
>>
>> 2FA.
> 
> Separate and independent security schemes.  OAUTH2 has the OAUTH2 server
> send a token (half the key) to the client that the client stores for
> later logins.  The OAUTH2 server keeps the other half.  The user never
> has to enter the token, a code string, or scan some QR image.  2FA
> interrupts the login making the user wait for the code to then enter
> into some prompt.  2FA relies on 2 criteria: what you know, and what you
> have.  Alas, many sites fuck up 2FA by never having you enter a
> password, but just take your username and then send the 2FA code without
> you ever entering the password, so half of the 2FA scheme (what you
> know) is missing.
> 
> I'm not part of the kiddie generation that is grafted to their
> smartphones.  Also, smartphone penetration is not 100%.  It's 83% in
> urban regions, and 65% in rural regions in the USA.  That means there
> are folks without a smartphone.  They have no way to get SMS messages.
> Lots of folks just have simple landlines.

Irrelevant. It is much higher with gmail users.


> Instead of sending via SMS, the QR code could be sent via e-mail.  Geez,
> like no one that intercepts your e-mails (which are not encrypted) could
> possibly use a QR scanner in a script to login before you do.  Also,
> there is no guaranteed delivery to email or SMS.  Ever have a web site
> send a 2FA code never to get it, and you had to request another?  Well,
> maybe someone intercepted that insecure communication.  A QR code isn't
> going to deter a thief any more than a numeric string.

This is speculation of something in the future, but I expect the QR to 
pop up in the computer where you try to open email.


> 
>>> Whether on my Android phone or Windows desktop using OAUTH2 email apps,
>>> or using a web browser with HTTPS, I've never received an SMS text (on
>>> my phone) to complete a login to Gmail.  If they replace SMS texts with
>>> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
>>> won't be getting QR codes, either.
>>
>> I have.
> 
> On every login, or once in a blue moon?  I can see getting the messages
> if you enabled 2FV in your Google account, but I did not.  I recall
> faintly getting challenged on a login, and had to give my security
> answers to access my account.  I didn't get a 2FA code for that.

Once in a blue moon. Usually when I try a computer that has been off for 
months. And a tick says "never ask again in this computer".


> 
>>> If the QR codes are sent via SMS texts, instead of getting a string of
>>> numbers the users get a QR code.  Um, just what is a QR code?  Scan one
>>> to see it is just embedded text.  Maybe Google is assuming no one has a
>>> QR scanner app on their phone to decode what text it contains.
>>
>> This is undefined. Probably you get a QR graphic in the computer, and
>> you have to take a photo of it with your phone, inside some application
>> they still have to tell us.
> 
> So, I'd need two computers to login?

A computer and a smartphone.

> Ever see an old video comedy skit where it takes 3 people with both
> their hands to operate an overly complicated wrist watch with lots of
> buttons that have be pressed concurrently?  Might've been on SNL, but I
> can't find it now.

Nah, I haven't seen it :-D

> 
> Seems they should just proclaim they will eventually require an
> authenticator app.  However, those aren't all compatible with each
> other.  The Google Authenticator App isn't usable at my bank where I
> would have to use either the Symantec VIP or the Twilio Authy app.  I
> did use the Authy app, but it didn't work everywhere, plus Authy dropped
> their desktop app (Windows, Mac, Linux) leaving only their Android and
> iOS apps (so I'm back to grafting a smartphone to my hand).  There are
> variances in the protocols, so no one authenticator app works
> everywhere.  I wasn't going to install multiple authenticator apps.
> 
> The bank forced SMS delivery of 2FA codes.  No e-mail option.  My
> workaround was to give my Google Voice number to my bank to where they
> send their SMS texts, and configure my Google Voice account to forward
> SMS texts to my Gmail account, so I get the 2FA codes via e-mail.  I
> didn't have to suspend the login by having to roam through the house
> looking for my phone.  I can read the e-mail at my desktop in an e-mail
> client to get the code to enter into the web site's prompt.  All that
> jumping through hoops because the bank forced their 2FA security
> theater, but only via SMS.

My bank pushes messages to their own application on the smartphone. This 
is the preferred method (by the banks) over here. Only if you insist 
they grumble and let you use SMS.


> 
> Yes, the minutes of the reported meeting where QR codes were mentioned
> did not delve into just how the change will be implemented hence I said
> the article is so uninformative as to be nearly FUD.  Something might
> change, but no info on when or how implemented, or even how QR codes
> (that contain text strings) are more secure than text strings sent over
> insecure communication venues.  Someone had a wet dream, and someone
> else thought it was news.


I can not post what I do not know :-p

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#146943

FromVanguardLH <V@nguard.LH>
Date2025-03-03 21:58 -0600
Message-ID<gvldwju36ch0.dlg@v.nguard.lh>
In reply to#146929
"Carlos E.R." <robin_listas@es.invalid> wrote:

> I can not post what I do not know :-p

But Davey Winder did in his article that started this reaction thread,
and probably elsewhere, too.

[toc] | [prev] | [next] | [standalone]


#146915

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-03 14:20 +0000
Message-ID<vq4hce.l64.1@ID-201911.user.individual.net>
In reply to#146912
VanguardLH <V@nguard.lh> wrote:

[All deleted.]

  I think it's one big mixup. ("It's a 'news' article, Frank! What *did*
you expect!?")

  They mixup Google and Gmail and which info is being authenticated.

  The only somewhat clear part is:

"Over the next few months, we will be reimagining how we verify phone
numbers, Richendrfer told me; Specifically, instead of entering your
number and receiving a 6-digit code, youll see a QR code being
displayed, which you need to scan with the camera app on your phone."

  So it's *not* about authenticating a Google account login, *nor* a
Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account.

  IMO, even this part is more or less BS, because the paragraph above
talks about "If you are already using a more secure method of
authentication for your Gmail account...", but that is about
authenticating a Gmail 'login', so it conflicts with the quoted
paragraph. (And again mixes up Google and Gmail.)

  Bottom line: Somebody posted nonsense on a website. News at eleven!

[toc] | [prev] | [next] | [standalone]


#146950

FromDave Royal <dave@dave123royal.com>
Date2025-03-04 07:28 +0000
Message-ID<vq6a3h$1p9sb$1@dont-email.me>
In reply to#146915
Frank Slootweg <this@ddress.is.invalid> Wrote in message:

> VanguardLH <V@nguard.lh> wrote:
> 
> [All deleted.]
> 
>   I think it's one big mixup. ("It's a 'news' article, Frank! What *did*
> you expect!?")
> 
>   They mixup Google and Gmail and which info is being authenticated.
> 
>   The only somewhat clear part is:
> 
> "Over the next few months, we will be reimagining how we verify phone
> numbers, Richendrfer told me; Specifically, instead of entering your
> number and receiving a 6-digit code, youll see a QR code being
> displayed, which you need to scan with the camera app on your phone."
> 
>   So it's *not* about authenticating a Google account login, *nor* a
> Gmail 'login', but about verifying the *phone number*, which is
> associated with your Google Account.
> 
>   IMO, even this part is more or less BS, because the paragraph above
> talks about "If you are already using a more secure method of
> authentication for your Gmail account...", but that is about
> authenticating a Gmail 'login', so it conflicts with the quoted
> paragraph. (And again mixes up Google and Gmail.)
> 
>   Bottom line: Somebody posted nonsense on a website. News at eleven!
> 

A *bit* more info about verifying phone numbers here
<https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
-- 
Remove numerics from my email address.

[toc] | [prev] | [next] | [standalone]


#146961

FromVanguardLH <V@nguard.LH>
Date2025-03-04 12:18 -0600
Message-ID<l8nlfkd5cizd.dlg@v.nguard.lh>
In reply to#146950
Dave Royal <dave@dave123royal.com> wrote:

> A *bit* more info about verifying phone numbers here
> <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>

So, you either have to wait for an SMS message to arrive from them, or
for them to get the one you send them.  SMS is not instantaneous.  You
wait.  SMS is not guaranteed delivery.  Some get lost, so retry, and
wait some more.  The security theater gets more in your way, and stalls
the login, all of which (this and 2FA/2FV) was to overcome boobs that
reuse the same weak login at every domain they visit (that requires a
login).  Use technology to overcome the weak point in security: users.

Wonder if I'll need to graft my smartphone to my hand to login to Gmail
at my desktop PC using an OAUTH2 e-mail client.  My phone is not sitting
next to my desktop.  It's on a desk near the house door where I also
toss postal mail, and have a laptop since the UI (small virtual keyboard
and touchscreen) on a phone sucks compared to a desktop, laptop, nor
netbook.  I don't much use that laptop.  It's mostly for something
related to newly arrived postal mail.  Most of my desktop computing is
in a basement room.  I'm not running upstairs to grab my phone because
some boob wants me to jump over hurdles for nuisancing security theater
mostly to reduce their manpower for tech support.  Plus, I dislike that
some site wants my phone number for a totally unrelated service, like
e-mail.  Oh yes, reduce privacy to profess increased security.  The
phone for account recovery is okay, but then so are security questions
you preset for recovery, or recording your account ID (if you're ever
given one).  I'd rather have to answer a preset security question
immediately on a login failure than wait for an SMS message that I have
to manually transcribe or manually scan into the waiting login page.  Of
course, don't secure the communication venues (e-mail and SMS) used to
supposedly secure the logins.

Thanks for that article.  It gives some more info, but looks like we
have to wait, and suffer, with however Google decides to implement their
new security theater.  Could be months, or years, and then there's the
initial pains as they work out the kinks.  Perhaps Google should
reassess how much they increase pushing users away from Google services.
Security and convenience are the anti-thesis of each other: to get more
of one means less of the other.  Too much security becomes intolerable.

[toc] | [prev] | [next] | [standalone]


#146963

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-04 19:42 +0100
Message-ID<96uj9lxjvi.ln2@Telcontar.valinor>
In reply to#146961
On 2025-03-04 19:18, VanguardLH wrote:
> Dave Royal <dave@dave123royal.com> wrote:
> 
>> A *bit* more info about verifying phone numbers here
>> <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
> 
> So, you either have to wait for an SMS message to arrive from them, or
> for them to get the one you send them. 

No, they also say:

«Google spokesperson Ross Richendrfer reiterated that SMS is mainly used 
as a security and anti-abuse check, but there are plenty of security 
challenges, like phishing and traffic pumping. Consequently, Google 
plans to reimagine how it verifies phone numbers over the next few 
months. Instead of entering their phone numbers and receiving a 
six-digit code over SMS, users will see a QR code they need to scan with 
their phone camera.»

So, take a photo of the qr code.


> SMS is not instantaneous.  You
> wait.  SMS is not guaranteed delivery.  Some get lost, so retry, and
> wait some more.  The security theater gets more in your way, and stalls
> the login, all of which (this and 2FA/2FV) was to overcome boobs that
> reuse the same weak login at every domain they visit (that requires a
> login).  Use technology to overcome the weak point in security: users.
> 
> Wonder if I'll need to graft my smartphone to my hand to login to Gmail
> at my desktop PC using an OAUTH2 e-mail client.  My phone is not sitting
> next to my desktop.  It's on a desk near the house door where I also
> toss postal mail, and have a laptop since the UI (small virtual keyboard
> and touchscreen) on a phone sucks compared to a desktop, laptop, nor
> netbook.  I don't much use that laptop.  It's mostly for something
> related to newly arrived postal mail.  Most of my desktop computing is
> in a basement room.  I'm not running upstairs to grab my phone because
> some boob wants me to jump over hurdles for nuisancing security theater
> mostly to reduce their manpower for tech support.  Plus, I dislike that
> some site wants my phone number for a totally unrelated service, like
> e-mail.  Oh yes, reduce privacy to profess increased security.  The
> phone for account recovery is okay, but then so are security questions
> you preset for recovery, or recording your account ID (if you're ever
> given one).  I'd rather have to answer a preset security question
> immediately on a login failure than wait for an SMS message that I have
> to manually transcribe or manually scan into the waiting login page.  Of
> course, don't secure the communication venues (e-mail and SMS) used to
> supposedly secure the logins.

«But will fallback authentication methods be available if the user 
cannot access a mobile phone? Google answers no.»

> 
> Thanks for that article.  It gives some more info, but looks like we
> have to wait, and suffer, with however Google decides to implement their
> new security theater.  Could be months, or years, and then there's the
> initial pains as they work out the kinks.  Perhaps Google should
> reassess how much they increase pushing users away from Google services.
> Security and convenience are the anti-thesis of each other: to get more
> of one means less of the other.  Too much security becomes intolerable.


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#146966

FromVanguardLH <V@nguard.LH>
Date2025-03-04 13:53 -0600
Message-ID<17fmpgc4tfncj$.dlg@v.nguard.lh>
In reply to#146963
"Carlos E.R." <robin_listas@es.invalid> wrote:

> VanguardLH wrote:
> 
>> So, you either have to wait for an SMS message to arrive from them,
>> or for them to get the one you send them. 
> 
> No, they also say:
> 
> «Google spokesperson Ross Richendrfer reiterated that SMS is mainly
> used as a security and anti-abuse check, but there are plenty of
> security challenges, like phishing and traffic pumping. Consequently,
> Google plans to reimagine how it verifies phone numbers over the next
> few months. Instead of entering their phone numbers and receiving a
> six-digit code over SMS, users will see a QR code they need to scan
> with their phone camera.»

Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.

To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
message with a QR image.  Then what?  Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?  

I'm interested in what are the mechanics involved in getting an SMS
message containing a QR image to then decipher into a text string to
copy and paste into some web prompt.  Maybe we won't know until Google
uses us to alpha test whatever scheme they come up with.

> So, take a photo of the qr code.

I'm supposed to take a photo using the phone where the SMS message
arrived with the QR code?  I don't think they make smartphones that are
yet that bendable where I can point the phone's camera at the display of
the SMS message on the screen.  I won't be getting the SMS message on my
desktop to then snapshot with a phone camera.  The desktop not a phone.
The phone is (must) be a smartphone, but how do I take a photo of or
scan an SMS message to run through a QR decoder to convert to text to
then copy/paste into a web prompt?  I'm holding the smartphone.  An SMS
message arrives containing a QR image.  Then what?

Somehow, on the phone receiving the SMS message, there needs to be a
means of scanning the QR image in the SMS message.  Is that doable (and
without the addition of more software, like an authenticator app)?  Do I
take a screenshot while the SMS message is displayed to then open that
screenshot file into a QR scanner app (to then get the text encoded
within the image which used to be sent as text in an SMS message)?

You're saying it can be done.  I'm asking how.  Once the SMS message
arrives containing a QR image, then what?  No smartphone is so bendable
that its camera can be pointed at its own screen.

[toc] | [prev] | [next] | [standalone]


#146967

FromFrank Slootweg <this@ddress.is.invalid>
Date2025-03-04 20:34 +0000
Message-ID<vq7rjj.47s.1@ID-201911.user.individual.net>
In reply to#146966
VanguardLH <V@nguard.lh> wrote:
[...]

> Not relevant to my statement of having to wait for SMS messages (text or
> QR image content) nor there is no guaranteed delivery of SMS messages.
> 
> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
> message with a QR image.  Then what?  Do SMS apps have embedded scanning
> of the content of SMS messages to then use an embedded QR decoder to
> show the text embedded in the image (which obviates the whole point of
> supposedly securing the text string in an image) that I then have to
> copy/paste into some web prompt?  

  AFAICT, "an SMS message with a QR image" is a figment of your
imagination!

  I think such a thing is not mentioned anywhere and not even implied
anywhere.

  The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)

  So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.

[Much more of the same deleted.]

[toc] | [prev] | [next] | [standalone]


#146972

FromVanguardLH <V@nguard.LH>
Date2025-03-04 19:45 -0600
Message-ID<hncfhd611fab.dlg@v.nguard.lh>
In reply to#146967
Frank Slootweg <this@ddress.is.invalid> wrote:

> VanguardLH <V@nguard.lh> wrote:
> [...]
> 
>> Not relevant to my statement of having to wait for SMS messages (text or
>> QR image content) nor there is no guaranteed delivery of SMS messages.
>> 
>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>> of the content of SMS messages to then use an embedded QR decoder to
>> show the text embedded in the image (which obviates the whole point of
>> supposedly securing the text string in an image) that I then have to
>> copy/paste into some web prompt?  
> 
>   AFAICT, "an SMS message with a QR image" is a figment of your
> imagination!
> 
>   I think such a thing is not mentioned anywhere and not even implied
> anywhere.

The delivery mechanism is defined where?

>   The referenced articles mention that *use* of a code in an SMS message
> will be replaced by *use* of a QR code, but that does not mean that the
> QR code is *in* an SMS message. (I think that would be obvious, because
> an SMS message is too small to hold a QR code, not to mention that it
> can only hold character data, not binary data.)

I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
Message Service).  MMS can be used to send pictures.  I have automatic
downloads of MMS disabled in my messaging apps.

However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages.  Maybe.

>   So perhaps it's best to come up with an actual quote from the
> referenced articles, which leads you to your assumption, instead of
> going on and on about something which is very likely a straw man / red
> herring.

That's the crux of the problem: there are no details on how QR images by
whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field.  All of us are just guessing for now what
are the possibilities.

[toc] | [prev] | [next] | [standalone]


#146975

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-05 03:48 +0100
Message-ID<9kqk9lx6m3.ln2@Telcontar.valinor>
In reply to#146972
On 2025-03-05 02:45, VanguardLH wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
> 
>> VanguardLH <V@nguard.lh> wrote:
>> [...]
>>
>>> Not relevant to my statement of having to wait for SMS messages (text or
>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>
>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>>> of the content of SMS messages to then use an embedded QR decoder to
>>> show the text embedded in the image (which obviates the whole point of
>>> supposedly securing the text string in an image) that I then have to
>>> copy/paste into some web prompt?
>>
>>    AFAICT, "an SMS message with a QR image" is a figment of your
>> imagination!
>>
>>    I think such a thing is not mentioned anywhere and not even implied
>> anywhere.
> 
> The delivery mechanism is defined where?
> 
>>    The referenced articles mention that *use* of a code in an SMS message
>> will be replaced by *use* of a QR code, but that does not mean that the
>> QR code is *in* an SMS message. (I think that would be obvious, because
>> an SMS message is too small to hold a QR code, not to mention that it
>> can only hold character data, not binary data.)
> 
> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
> Message Service).  MMS can be used to send pictures.  I have automatic
> downloads of MMS disabled in my messaging apps.
> 
> However, upon some further reading, Google Prompts looks to use
> notifications instead of SMS/MMS messages.  Maybe.
> 
>>    So perhaps it's best to come up with an actual quote from the
>> referenced articles, which leads you to your assumption, instead of
>> going on and on about something which is very likely a straw man / red
>> herring.
> 
> That's the crux of the problem: there are no details on how QR images by
> whatever delivery mechanism are to get decoded into strings by the user
> to input into a waiting field.  All of us are just guessing for now what
> are the possibilities.

You are imagining it wrong. You try to login on your computer; the 
computer displays a picture, the phone takes a photo. There are no SMS 
involved, no conversions, no fields to complete. Just point and shoot, 
done. Instantly.

Same as currently done to login to wasap on the computer. The same 
system. Known and tested.

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147005

FromVanguardLH <V@nguard.LH>
Date2025-03-05 14:43 -0600
Message-ID<1r6si9zdyx9ek.dlg@v.nguard.lh>
In reply to#146975
"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2025-03-05 02:45, VanguardLH wrote:
>> Frank Slootweg <this@ddress.is.invalid> wrote:
>> 
>>> VanguardLH <V@nguard.lh> wrote:
>>> [...]
>>>
>>>> Not relevant to my statement of having to wait for SMS messages (text or
>>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>>
>>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>>>> of the content of SMS messages to then use an embedded QR decoder to
>>>> show the text embedded in the image (which obviates the whole point of
>>>> supposedly securing the text string in an image) that I then have to
>>>> copy/paste into some web prompt?
>>>
>>>    AFAICT, "an SMS message with a QR image" is a figment of your
>>> imagination!
>>>
>>>    I think such a thing is not mentioned anywhere and not even implied
>>> anywhere.
>> 
>> The delivery mechanism is defined where?
>> 
>>>    The referenced articles mention that *use* of a code in an SMS message
>>> will be replaced by *use* of a QR code, but that does not mean that the
>>> QR code is *in* an SMS message. (I think that would be obvious, because
>>> an SMS message is too small to hold a QR code, not to mention that it
>>> can only hold character data, not binary data.)
>> 
>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
>> Message Service).  MMS can be used to send pictures.  I have automatic
>> downloads of MMS disabled in my messaging apps.
>> 
>> However, upon some further reading, Google Prompts looks to use
>> notifications instead of SMS/MMS messages.  Maybe.
>> 
>>>    So perhaps it's best to come up with an actual quote from the
>>> referenced articles, which leads you to your assumption, instead of
>>> going on and on about something which is very likely a straw man / red
>>> herring.
>> 
>> That's the crux of the problem: there are no details on how QR images by
>> whatever delivery mechanism are to get decoded into strings by the user
>> to input into a waiting field.  All of us are just guessing for now what
>> are the possibilities.
> 
> You are imagining it wrong. You try to login on your computer; the 
> computer displays a picture, the phone takes a photo. There are no SMS 
> involved, no conversions, no fields to complete. Just point and shoot, 
> done. Instantly.
> 
> Same as currently done to login to wasap on the computer. The same 
> system. Known and tested.

No, not when logging into my computer.  Google isn't involved in me
logging into my computer.  It's logging into a web site (Gmail), or when
Google wants to [re]validate my phone number.  Still a question which
the QR image will be used for.  Franks says phone number (device)
validation.  Online articles mention when signing in to a web site, even
the Google article cited below.

Since this QR stuff revolves around smart phones, why would my computer
be involved?  Google wants to tie a phone number to my Google account.
Phone, not computer.  Why would my computer be getting a message from
Google about my phone?  And how would Google send that message to my
computer which is not a phone and has no cellular service?  My computer
may be off.  Like many users, they only have a smartphone, not a
computer.  My computer is connected to the Internet.  What if my ISP is
down to the computer, but my cellular carrier is up to the phone?

If SMS is not involved (on the phone, not my computer since it is not a
phone nor use any cellular service) then notifications are involved (on
the phone), and notifications are from an app or service (on the phone).
I doubt Google Prompts would be using email.

Google Prompts are using Google Play Services and Google Assistant (the
search bar on the home screen) running on your phone, not your computer.
Those connect to your account, not to your computer.

https://support.google.com/accounts/answer/7026266

Phone, not computer.  Google Prompts requires your PHONE to have wifi or
cellular data access to the Internet for Play Services to connect to
your account.  I'm not sure if Play Services or Google Assistant display
the notification.  Your PHONE needs to be logged into your Google
account from where the message originates that is sent to your phone
when polled by Play Services (unless there is some push mechanism).

If SMS is not involved with Google Prompts then there is connection
between Google Play Services on your phone and your Google account.
However, iPhone (iOS) users are told to just download the Google App
(aka Google Assistant) to utilize Google Prompts which makes it look
like the Google app is phoning home to detect the message which it then
displays as a notification.  If it's the Google app doing all the work
to retrieve and display notifications, Google's scheme won't work
without the Google app (for iOS), or if it is disabled (for Android).

https://www.androidauthority.com/google-prompt-fingerprint-pin-authentication-3522306/

Yet that article says Google Play Services is involved in Google
Prompts, but that won't be on an iPhone, just the Google App if an
iPhone user installs it.  Maybe the iOS Google App has functionality
built into it that on Android is shared between Google App and Google
Play Services.

[toc] | [prev] | [next] | [standalone]


#147011

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-05 23:14 +0100
Message-ID<1vum9lxhu1.ln2@Telcontar.valinor>
In reply to#147005
On 2025-03-05 21:43, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> On 2025-03-05 02:45, VanguardLH wrote:
>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>
>>>> VanguardLH <V@nguard.lh> wrote:
>>>> [...]
>>>>
>>>>> Not relevant to my statement of having to wait for SMS messages (text or
>>>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>>>
>>>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>>>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>>>>> of the content of SMS messages to then use an embedded QR decoder to
>>>>> show the text embedded in the image (which obviates the whole point of
>>>>> supposedly securing the text string in an image) that I then have to
>>>>> copy/paste into some web prompt?
>>>>
>>>>     AFAICT, "an SMS message with a QR image" is a figment of your
>>>> imagination!
>>>>
>>>>     I think such a thing is not mentioned anywhere and not even implied
>>>> anywhere.
>>>
>>> The delivery mechanism is defined where?
>>>
>>>>     The referenced articles mention that *use* of a code in an SMS message
>>>> will be replaced by *use* of a QR code, but that does not mean that the
>>>> QR code is *in* an SMS message. (I think that would be obvious, because
>>>> an SMS message is too small to hold a QR code, not to mention that it
>>>> can only hold character data, not binary data.)
>>>
>>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
>>> Message Service).  MMS can be used to send pictures.  I have automatic
>>> downloads of MMS disabled in my messaging apps.
>>>
>>> However, upon some further reading, Google Prompts looks to use
>>> notifications instead of SMS/MMS messages.  Maybe.
>>>
>>>>     So perhaps it's best to come up with an actual quote from the
>>>> referenced articles, which leads you to your assumption, instead of
>>>> going on and on about something which is very likely a straw man / red
>>>> herring.
>>>
>>> That's the crux of the problem: there are no details on how QR images by
>>> whatever delivery mechanism are to get decoded into strings by the user
>>> to input into a waiting field.  All of us are just guessing for now what
>>> are the possibilities.
>>
>> You are imagining it wrong. You try to login on your computer; the
>> computer displays a picture, the phone takes a photo. There are no SMS
>> involved, no conversions, no fields to complete. Just point and shoot,
>> done. Instantly.
>>
>> Same as currently done to login to wasap on the computer. The same
>> system. Known and tested.
> 
> No, not when logging into my computer.  Google isn't involved in me
> logging into my computer.

I did not say "logging into my computer". I said "login on your 
computer", obviously to Google, which is the context.

You are login into google in your computer; the browser you are using, 
or the mail application you are using displays a QR code, and tells you 
«take a picture with "name of app" in your registered phone, number 
ending in XXX». You comply, and in seconds you are authorized to 
complete login to google in the computer.

In the same context, the method now is that google says "you will have 
received an SMS in your registered phone that ends in XXX, please copy 
here the six digit number you received".


The rest of your writeup is irrelevant. Please focus. It is very simple, 
trivial really.

-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147014

FromVanguardLH <V@nguard.LH>
Date2025-03-06 00:50 -0600
Message-ID<1hb68gbht5hgg$.dlg@v.nguard.lh>
In reply to#147011
"Carlos E.R." <robin_listas@es.invalid> wrote:

> On 2025-03-05 21:43, VanguardLH wrote:
>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>> 
>>> On 2025-03-05 02:45, VanguardLH wrote:
>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>
>>>>> VanguardLH <V@nguard.lh> wrote:
>>>>> [...]
>>>>>
>>>>>> Not relevant to my statement of having to wait for SMS messages (text or
>>>>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>>>>
>>>>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>>>>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>>>>>> of the content of SMS messages to then use an embedded QR decoder to
>>>>>> show the text embedded in the image (which obviates the whole point of
>>>>>> supposedly securing the text string in an image) that I then have to
>>>>>> copy/paste into some web prompt?
>>>>>
>>>>>     AFAICT, "an SMS message with a QR image" is a figment of your
>>>>> imagination!
>>>>>
>>>>>     I think such a thing is not mentioned anywhere and not even implied
>>>>> anywhere.
>>>>
>>>> The delivery mechanism is defined where?
>>>>
>>>>>     The referenced articles mention that *use* of a code in an SMS message
>>>>> will be replaced by *use* of a QR code, but that does not mean that the
>>>>> QR code is *in* an SMS message. (I think that would be obvious, because
>>>>> an SMS message is too small to hold a QR code, not to mention that it
>>>>> can only hold character data, not binary data.)
>>>>
>>>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
>>>> Message Service).  MMS can be used to send pictures.  I have automatic
>>>> downloads of MMS disabled in my messaging apps.
>>>>
>>>> However, upon some further reading, Google Prompts looks to use
>>>> notifications instead of SMS/MMS messages.  Maybe.
>>>>
>>>>>     So perhaps it's best to come up with an actual quote from the
>>>>> referenced articles, which leads you to your assumption, instead of
>>>>> going on and on about something which is very likely a straw man / red
>>>>> herring.
>>>>
>>>> That's the crux of the problem: there are no details on how QR images by
>>>> whatever delivery mechanism are to get decoded into strings by the user
>>>> to input into a waiting field.  All of us are just guessing for now what
>>>> are the possibilities.
>>>
>>> You are imagining it wrong. You try to login on your computer; the
>>> computer displays a picture, the phone takes a photo. There are no SMS
>>> involved, no conversions, no fields to complete. Just point and shoot,
>>> done. Instantly.
>>>
>>> Same as currently done to login to wasap on the computer. The same
>>> system. Known and tested.
>> 
>> No, not when logging into my computer.  Google isn't involved in me
>> logging into my computer.
> 
> I did not say "logging into my computer". I said "login on your 
> computer", obviously to Google, which is the context.
> 
> You are login into google in your computer; the browser you are using, 
> or the mail application you are using displays a QR code, and tells you 
> «take a picture with "name of app" in your registered phone, number 
> ending in XXX». You comply, and in seconds you are authorized to 
> complete login to google in the computer.

"name of app" is?  Would have to be one that connects back to my Google
account.  Play Services, Google app (aka Google Assistant), or what?
That would provide the mechanism used to complete the Google Prompt.

What if I'm using a web browser on the phone?  The web browser on the
phone can show a QR image the web site presents, but then what?  It's
not like I can point the camera in the phone at the web page in the web
browser on the phone.  Does "name of app" scan the screen?

> In the same context, the method now is that google says "you will have 
> received an SMS in your registered phone that ends in XXX, please copy 
> here the six digit number you received".

That's now with a text string send via SMS.  Google says they won't be
using SMS (or MMS) to send QR codes.  So, some app on the phone checks
for and displays a Google Prompt.  Apparently that would be Play
Services or the Google app.

The part about getting an SMS notification with a string that the user
manually transfers to a waiting input field is not what I'm asking
about.  That uses SMS to send a string to the user sent by the web site
interrupting a login that a messaging app will display in its window, or
in its notification.  SMS will not be involved when Google switches to
sending QR codes.  Looks like Google Prompts will handle delivering the
QR image to the phone.  It was, and still is for now, sending SMS texts
to the phone.  Not when Google switches to QR codes.

Google won't be using SMS to send QR codes.  The intend to drop SMS.
From what I've read, so far, it looks like they will use Google Prompts
which involve either Play Services or the Google app, or maybe both in
tandem (on Android, just the Google app on iOS) that connect to your
Google account.  

At this point, it's anyone's guess how the QR image gets from the Google
Prompt into the waiting login page.  Perhaps Google will update their
Google App to show the image along with its decoded string the user can
read and manually copy, or the Google App could convert the QR image in
the Google Prompt into a string in the clipboard to let the user paste
into the login form, or the Google App phones home with the QR image
showing in a web page (there is a camera button in the Google App).

Somehow all of this seems to be just for logging into Google service and
web sites, not for use by anyone else.  Gmail is not my primary e-mail
service, and I won't miss not using it as a backup e-mail provider.
Many other Google services have their own Android app, so they don't
need QR codes.  Google services I used on my desktop run in the
background, like Google Drive, and they don't ask for logins (after the
initial setup).  Displaying a QR code at a Google web site viewed in a
web browser on the desktop to complete the loop by using a phone's
camera that pipes the decoded string back to Google would complete that
loop.  Not sure how a QR code displayed at a Google web site in a web
browser on the phone is going to get scanned to send the string back to
your Google account.

[toc] | [prev] | [next] | [standalone]


#147025

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-06 12:38 +0100
Message-ID<93eo9lxg6r.ln2@Telcontar.valinor>
In reply to#147014
On 2025-03-06 07:50, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> On 2025-03-05 21:43, VanguardLH wrote:
>>> "Carlos E.R." <robin_listas@es.invalid> wrote:
>>>
>>>> On 2025-03-05 02:45, VanguardLH wrote:
>>>>> Frank Slootweg <this@ddress.is.invalid> wrote:
>>>>>
>>>>>> VanguardLH <V@nguard.lh> wrote:
>>>>>> [...]
>>>>>>
>>>>>>> Not relevant to my statement of having to wait for SMS messages (text or
>>>>>>> QR image content) nor there is no guaranteed delivery of SMS messages.
>>>>>>>
>>>>>>> To where is the SMS message sent?  To the phone.  Okay, I'll see an SMS
>>>>>>> message with a QR image.  Then what?  Do SMS apps have embedded scanning
>>>>>>> of the content of SMS messages to then use an embedded QR decoder to
>>>>>>> show the text embedded in the image (which obviates the whole point of
>>>>>>> supposedly securing the text string in an image) that I then have to
>>>>>>> copy/paste into some web prompt?
>>>>>>
>>>>>>      AFAICT, "an SMS message with a QR image" is a figment of your
>>>>>> imagination!
>>>>>>
>>>>>>      I think such a thing is not mentioned anywhere and not even implied
>>>>>> anywhere.
>>>>>
>>>>> The delivery mechanism is defined where?
>>>>>
>>>>>>      The referenced articles mention that *use* of a code in an SMS message
>>>>>> will be replaced by *use* of a QR code, but that does not mean that the
>>>>>> QR code is *in* an SMS message. (I think that would be obvious, because
>>>>>> an SMS message is too small to hold a QR code, not to mention that it
>>>>>> can only hold character data, not binary data.)
>>>>>
>>>>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
>>>>> Message Service).  MMS can be used to send pictures.  I have automatic
>>>>> downloads of MMS disabled in my messaging apps.
>>>>>
>>>>> However, upon some further reading, Google Prompts looks to use
>>>>> notifications instead of SMS/MMS messages.  Maybe.
>>>>>
>>>>>>      So perhaps it's best to come up with an actual quote from the
>>>>>> referenced articles, which leads you to your assumption, instead of
>>>>>> going on and on about something which is very likely a straw man / red
>>>>>> herring.
>>>>>
>>>>> That's the crux of the problem: there are no details on how QR images by
>>>>> whatever delivery mechanism are to get decoded into strings by the user
>>>>> to input into a waiting field.  All of us are just guessing for now what
>>>>> are the possibilities.
>>>>
>>>> You are imagining it wrong. You try to login on your computer; the
>>>> computer displays a picture, the phone takes a photo. There are no SMS
>>>> involved, no conversions, no fields to complete. Just point and shoot,
>>>> done. Instantly.
>>>>
>>>> Same as currently done to login to wasap on the computer. The same
>>>> system. Known and tested.
>>>
>>> No, not when logging into my computer.  Google isn't involved in me
>>> logging into my computer.
>>
>> I did not say "logging into my computer". I said "login on your
>> computer", obviously to Google, which is the context.
>>
>> You are login into google in your computer; the browser you are using,
>> or the mail application you are using displays a QR code, and tells you
>> «take a picture with "name of app" in your registered phone, number
>> ending in XXX». You comply, and in seconds you are authorized to
>> complete login to google in the computer.
> 
> "name of app" is? 

To be determined at some future date.

> Would have to be one that connects back to my Google
> account.  Play Services, Google app (aka Google Assistant), or what?
> That would provide the mechanism used to complete the Google Prompt.
> 
> What if I'm using a web browser on the phone?  The web browser on the
> phone can show a QR image the web site presents, but then what?  It's
> not like I can point the camera in the phone at the web page in the web
> browser on the phone.  Does "name of app" scan the screen?

That's not the case reported in the news. Does not apply.

Still, the app can take a screenshot.

> 
>> In the same context, the method now is that google says "you will have
>> received an SMS in your registered phone that ends in XXX, please copy
>> here the six digit number you received".
> 
> That's now with a text string send via SMS.  Google says they won't be
> using SMS (or MMS) to send QR codes.  So, some app on the phone checks
> for and displays a Google Prompt.  Apparently that would be Play
> Services or the Google app.
> 
> The part about getting an SMS notification with a string that the user
> manually transfers to a waiting input field is not what I'm asking
> about.  That uses SMS to send a string to the user sent by the web site
> interrupting a login that a messaging app will display in its window, or
> in its notification.  SMS will not be involved when Google switches to
> sending QR codes.  Looks like Google Prompts will handle delivering the
> QR image to the phone.  It was, and still is for now, sending SMS texts
> to the phone.  Not when Google switches to QR codes.
> 
> Google won't be using SMS to send QR codes.

They did not said they would.

>  The intend to drop SMS.
>  From what I've read, so far, it looks like they will use Google Prompts
> which involve either Play Services or the Google app, or maybe both in
> tandem (on Android, just the Google app on iOS) that connect to your
> Google account.
> 
> At this point, it's anyone's guess how the QR image gets from the Google
> Prompt into the waiting login page.  Perhaps Google will update their
> Google App to show the image along with its decoded string the user can
> read and manually copy, or the Google App could convert the QR image in
> the Google Prompt into a string in the clipboard to let the user paste
> into the login form, or the Google App phones home with the QR image
> showing in a web page (there is a camera button in the Google App).
> 
> Somehow all of this seems to be just for logging into Google service and
> web sites, not for use by anyone else.  Gmail is not my primary e-mail
> service, and I won't miss not using it as a backup e-mail provider.
> Many other Google services have their own Android app, so they don't
> need QR codes.  Google services I used on my desktop run in the
> background, like Google Drive, and they don't ask for logins (after the
> initial setup).  Displaying a QR code at a Google web site viewed in a
> web browser on the desktop to complete the loop by using a phone's
> camera that pipes the decoded string back to Google would complete that
> loop.  Not sure how a QR code displayed at a Google web site in a web
> browser on the phone is going to get scanned to send the string back to
> your Google account.


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


#147049

FromVanguardLH <V@nguard.LH>
Date2025-03-06 15:46 -0600
Message-ID<7sbrtsehnbnu.dlg@v.nguard.lh>
In reply to#147025
"Carlos E.R." <robin_listas@es.invalid> wrote:

> VanguardLH wrote:
>
>> Google won't be using SMS to send QR codes.
> 
> They did not said they would.

From the article cited in the starter thread:

https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/
Gmail spokesperson Ross Richendrfer told me, “we want to move away from
sending SMS messages for authentication.”

There are other online article mentioning the same move away from SMS
for authentication by Google, like:

https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes
https://www.techradar.com/pro/security/google-is-ditching-sms-and-will-now-use-qr-codes-for-gmail-account-authentication

There are lots of articles stating Google intends to drop SMS transport.
However, it's not always evident when an article is regurgitating what
someone else reported.  They come back to what a Gmail spokeperson said,
and I don't believe the articles are lying about that.

It's in the wet dream planning stage, so how they implement the move to
QR images could change to staying with SMS, or moving to Google Prompt
or some other communications venue.

I really hate to graft my smartphone to my hand to ensure it is readily
accessible for this security theater machinations.  I'm too old for all
this jumping through hoops of fire.  Rather than run through the house
looking for my smartphone (it's usually on a different floor of the
house in a charging cradle next to the side door by the garage where I
enter), I'll just forego the security theater, and go somewhere else for
e-mail service.  Logging in is getting more complicated to the user and
at the server than the e-mail service itself.

As I said, Gmail is NOT my primary e-mail provider; however, what Google
does, and if doable at other sites, the plague will spread.  Remember
what happened with Google and Microsoft fucking up OAUTH, a protocol, to
turn it into the OAUTH2 framework, and OAUTH2 (Google's variant) got
adopted at many other e-mail providers.

[toc] | [prev] | [next] | [standalone]


#147052

From"Carlos E.R." <robin_listas@es.invalid>
Date2025-03-06 23:22 +0100
Message-ID<upjp9lxav6.ln2@Telcontar.valinor>
In reply to#147049
On 2025-03-06 22:46, VanguardLH wrote:
> "Carlos E.R." <robin_listas@es.invalid> wrote:
> 
>> VanguardLH wrote:
>>
>>> Google won't be using SMS to send QR codes.
>>
>> They did not said they would.
> 
>  From the article cited in the starter thread:
> 
> https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/
> Gmail spokesperson Ross Richendrfer told me, “we want to move away from
> sending SMS messages for authentication.”
> 
> There are other online article mentioning the same move away from SMS
> for authentication by Google, like:

That's not saying they would be using SMS to send QR codes.

> 
> https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes
> https://www.techradar.com/pro/security/google-is-ditching-sms-and-will-now-use-qr-codes-for-gmail-account-authentication
> 
> There are lots of articles stating Google intends to drop SMS transport.
> However, it's not always evident when an article is regurgitating what
> someone else reported.  They come back to what a Gmail spokeperson said,
> and I don't believe the articles are lying about that.
> 
> It's in the wet dream planning stage, so how they implement the move to
> QR images could change to staying with SMS, or moving to Google Prompt
> or some other communications venue.
> 
> I really hate to graft my smartphone to my hand to ensure it is readily
> accessible for this security theater machinations.  

The occasions when I had to check that SMS have been very rare, not even 
once a month. Going to the kitchen to fetch the phone once a month is 
not a chore.


> I'm too old for all
> this jumping through hoops of fire.  Rather than run through the house
> looking for my smartphone (it's usually on a different floor of the
> house in a charging cradle next to the side door by the garage where I
> enter), I'll just forego the security theater, and go somewhere else for
> e-mail service.  Logging in is getting more complicated to the user and
> at the server than the e-mail service itself.
> 
> As I said, Gmail is NOT my primary e-mail provider; however, what Google
> does, and if doable at other sites, the plague will spread.  Remember
> what happened with Google and Microsoft fucking up OAUTH, a protocol, to
> turn it into the OAUTH2 framework, and OAUTH2 (Google's variant) got
> adopted at many other e-mail providers.


-- 
Cheers, Carlos.

[toc] | [prev] | [next] | [standalone]


Page 2 of 4 — ← Prev page 1 [2] 3 4  Next page →

Back to top | Article view | comp.mobile.android


csiph-web