Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #146903 > unrolled thread
| Started by | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| First post | 2025-03-02 14:28 +0100 |
| Last post | 2025-03-07 22:45 +0800 |
| Articles | 20 on this page of 64 — 11 participants |
Back to article view | Back to comp.mobile.android
Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-02 14:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-02 14:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-02 16:41 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-02 17:45 +0000
Re: Google will no longer send SMSs with six digit codes for verification Bill Powell <bill@anarchists.org> - 2025-03-04 02:41 +0100
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-03 21:23 -0700
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:11 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:23 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 13:38 +0000
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-04 09:22 -0700
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:37 -0600
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-04 07:05 +0000
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-06 11:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 10:06 -0600
Re: Google will no longer send SMSs with six digit codes for verification Arno Welzel <usenet@arnowelzel.de> - 2025-03-07 14:39 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 15:57 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:05 -0600
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:26 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:18 +0100
Re: Google will no longer send SMSs with six digit codes for verification Jörg Lorenz <hugybear@gmx.net> - 2025-03-03 11:27 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 04:39 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 11:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 13:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-03 21:28 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-03 21:58 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-03 14:20 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-04 07:28 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 12:18 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 19:42 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 13:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 20:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:45 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:48 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-05 14:43 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 23:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 00:50 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 12:38 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:46 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 23:22 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 21:21 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 03:49 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-07 01:53 -0600
Re: Google will no longer send SMSs with six digit codes for verification AJL <noemail@none.com> - 2025-03-07 09:34 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-07 10:34 +0100
Re: Phones and apps forced on you Marion <marion@facts.com> - 2025-03-08 18:18 +0000
Re: Phones and apps forced on you "Carlos E.R." <robin_listas@es.invalid> - 2025-03-09 14:52 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-06 15:00 +0000
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-06 19:14 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 15:59 -0600
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 09:44 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-05 11:23 +0000
Re: Google will no longer send SMSs with six digit codes for verification Andy Burns <usenet@andyburns.uk> - 2025-03-06 07:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-06 08:02 +0000
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-06 16:14 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-04 22:37 +0100
Re: Google will no longer send SMSs with six digit codes for verification VanguardLH <V@nguard.LH> - 2025-03-04 19:49 -0600
Re: Google will no longer send SMSs with six digit codes for verification "Carlos E.R." <robin_listas@es.invalid> - 2025-03-05 03:44 +0100
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-04 18:51 +0000
Re: Google will no longer send SMSs with six digit codes for verification Dave Royal <dave@dave123royal.com> - 2025-03-07 08:08 +0000
Re: Google will no longer send SMSs with six digit codes for verification Frank Slootweg <this@ddress.is.invalid> - 2025-03-07 10:42 +0000
Re: Google will no longer send SMSs with six digit codes for verification Chris in Makati <mail@nospam.com> - 2025-03-07 22:45 +0800
Page 2 of 4 — ← Prev page 1 [2] 3 4 Next page →
| From | Jörg Lorenz <hugybear@gmx.net> |
|---|---|
| Date | 2025-03-03 11:27 +0100 |
| Message-ID | <vq405r$101js$2@solani.org> |
| In reply to | #146909 |
On 03.03.25 11:18, Carlos E.R. wrote: > On 2025-03-03 11:05, VanguardLH wrote: >> Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have >> a cellular or landline phone line to it (it cannot do telephony) which >> is typical of desktop PCs. I want to login to my Gmail account. How >> are they going to send an SMS text to my desktop PC? Not everyone >> logging into Gmail is using a smartphone to do so. > > Tough luck. The SMS is sent to the phone that is registered with the > account. +1 -- "Roma locuta, causa finita." (Augustinus)
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-03 04:39 -0600 |
| Message-ID | <1bfu5iribmwb4$.dlg@v.nguard.lh> |
| In reply to | #146909 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > On 2025-03-03 11:05, VanguardLH wrote: >> "Carlos E.R." <robin_listas@es.invalid> wrote: >> >>> Hi, >>> >>> Just read yesterday that Google will no longer send SMSs with six digit >>> codes for verification of gmail account, but instead will use QR codes. >>> This is to avoid scams in which the victim is told to tell the fraudster >>> the number he just received on the phone. >>> >>> I have a source but it is in Spanish: >>> >>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> >>> >>> Oh, English here: >>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> >> >> Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have >> a cellular or landline phone line to it (it cannot do telephony) which >> is typical of desktop PCs. I want to login to my Gmail account. How >> are they going to send an SMS text to my desktop PC? Not everyone >> logging into Gmail is using a smartphone to do so. > > Tough luck. The SMS is sent to the phone that is registered with the > account. What was the point of Google (and Microsoft) fucking up OAUTH, a protocol, to screw into the OAUTH2, a framework, for authenticated logins? Whether on my Android phone or Windows desktop using OAUTH2 email apps, or using a web browser with HTTPS, I've never received an SMS text (on my phone) to complete a login to Gmail. If they replace SMS texts with QR codes (delivered how?), well, I wasn't getting SMS texts before, so I won't be getting QR codes, either. If the QR codes are sent via SMS texts, instead of getting a string of numbers the users get a QR code. Um, just what is a QR code? Scan one to see it is just embedded text. Maybe Google is assuming no one has a QR scanner app on their phone to decode what text it contains. Once the QR image arrives via SMS text on the phone, what the hell am I supposed to do with it? Not like I can point the phone's cameras at the phone's screen to read the QR image to decode into the text within. So, whatever is attempting the login must incorporate a QR scanner that can look at QR images in SMS texts? >> However, my IMAP e-mail client using OAUTH2 to login never sends me >> anything to further authenticate the login. >> >> To where is Google going to send their QR code when I use a web browser >> to connect and log into https://www.gmail.com? > > To your registered smartphone. And I'm somehow supposedly to magically scan a QR code in an SMS text sent to my phone to get it to my desktop? Unlike a numeric string, I cannot transcribe a QR code into whatever is the text within it.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-03 11:48 +0100 |
| Message-ID | <s0eg9lxcan.ln2@Telcontar.valinor> |
| In reply to | #146912 |
On 2025-03-03 11:39, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> On 2025-03-03 11:05, VanguardLH wrote: >>> "Carlos E.R." <robin_listas@es.invalid> wrote: >>> >>>> Hi, >>>> >>>> Just read yesterday that Google will no longer send SMSs with six digit >>>> codes for verification of gmail account, but instead will use QR codes. >>>> This is to avoid scams in which the victim is told to tell the fraudster >>>> the number he just received on the phone. >>>> >>>> I have a source but it is in Spanish: >>>> >>>> <https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/> >>>> >>>> Oh, English here: >>>> <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/> >>> >>> Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have >>> a cellular or landline phone line to it (it cannot do telephony) which >>> is typical of desktop PCs. I want to login to my Gmail account. How >>> are they going to send an SMS text to my desktop PC? Not everyone >>> logging into Gmail is using a smartphone to do so. >> >> Tough luck. The SMS is sent to the phone that is registered with the >> account. > > What was the point of Google (and Microsoft) fucking up OAUTH, a > protocol, to screw into the OAUTH2, a framework, for authenticated > logins? 2FA. > > Whether on my Android phone or Windows desktop using OAUTH2 email apps, > or using a web browser with HTTPS, I've never received an SMS text (on > my phone) to complete a login to Gmail. If they replace SMS texts with > QR codes (delivered how?), well, I wasn't getting SMS texts before, so I > won't be getting QR codes, either. I have. > > If the QR codes are sent via SMS texts, instead of getting a string of > numbers the users get a QR code. Um, just what is a QR code? Scan one > to see it is just embedded text. Maybe Google is assuming no one has a > QR scanner app on their phone to decode what text it contains. This is undefined. Probably you get a QR graphic in the computer, and you have to take a photo of it with your phone, inside some application they still have to tell us. > > Once the QR image arrives via SMS text on the phone, what the hell am I > supposed to do with it? Not like I can point the phone's cameras at the > phone's screen to read the QR image to decode into the text within. So, > whatever is attempting the login must incorporate a QR scanner that can > look at QR images in SMS texts? See above. > >>> However, my IMAP e-mail client using OAUTH2 to login never sends me >>> anything to further authenticate the login. >>> >>> To where is Google going to send their QR code when I use a web browser >>> to connect and log into https://www.gmail.com? >> >> To your registered smartphone. > > And I'm somehow supposedly to magically scan a QR code in an SMS text > sent to my phone to get it to my desktop? Unlike a numeric string, I > cannot transcribe a QR code into whatever is the text within it. See above. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-03 13:45 -0600 |
| Message-ID | <k32dhoyfafnc$.dlg@v.nguard.lh> |
| In reply to | #146913 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > VanguardLH wrote: > >> What was the point of Google (and Microsoft) fucking up OAUTH, a >> protocol, to screw into the OAUTH2, a framework, for authenticated >> logins? > > 2FA. Separate and independent security schemes. OAUTH2 has the OAUTH2 server send a token (half the key) to the client that the client stores for later logins. The OAUTH2 server keeps the other half. The user never has to enter the token, a code string, or scan some QR image. 2FA interrupts the login making the user wait for the code to then enter into some prompt. 2FA relies on 2 criteria: what you know, and what you have. Alas, many sites fuck up 2FA by never having you enter a password, but just take your username and then send the 2FA code without you ever entering the password, so half of the 2FA scheme (what you know) is missing. I'm not part of the kiddie generation that is grafted to their smartphones. Also, smartphone penetration is not 100%. It's 83% in urban regions, and 65% in rural regions in the USA. That means there are folks without a smartphone. They have no way to get SMS messages. Lots of folks just have simple landlines. Instead of sending via SMS, the QR code could be sent via e-mail. Geez, like no one that intercepts your e-mails (which are not encrypted) could possibly use a QR scanner in a script to login before you do. Also, there is no guaranteed delivery to email or SMS. Ever have a web site send a 2FA code never to get it, and you had to request another? Well, maybe someone intercepted that insecure communication. A QR code isn't going to deter a thief any more than a numeric string. >> Whether on my Android phone or Windows desktop using OAUTH2 email apps, >> or using a web browser with HTTPS, I've never received an SMS text (on >> my phone) to complete a login to Gmail. If they replace SMS texts with >> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I >> won't be getting QR codes, either. > > I have. On every login, or once in a blue moon? I can see getting the messages if you enabled 2FV in your Google account, but I did not. I recall faintly getting challenged on a login, and had to give my security answers to access my account. I didn't get a 2FA code for that. >> If the QR codes are sent via SMS texts, instead of getting a string of >> numbers the users get a QR code. Um, just what is a QR code? Scan one >> to see it is just embedded text. Maybe Google is assuming no one has a >> QR scanner app on their phone to decode what text it contains. > > This is undefined. Probably you get a QR graphic in the computer, and > you have to take a photo of it with your phone, inside some application > they still have to tell us. So, I'd need two computers to login? Ever see an old video comedy skit where it takes 3 people with both their hands to operate an overly complicated wrist watch with lots of buttons that have be pressed concurrently? Might've been on SNL, but I can't find it now. Seems they should just proclaim they will eventually require an authenticator app. However, those aren't all compatible with each other. The Google Authenticator App isn't usable at my bank where I would have to use either the Symantec VIP or the Twilio Authy app. I did use the Authy app, but it didn't work everywhere, plus Authy dropped their desktop app (Windows, Mac, Linux) leaving only their Android and iOS apps (so I'm back to grafting a smartphone to my hand). There are variances in the protocols, so no one authenticator app works everywhere. I wasn't going to install multiple authenticator apps. The bank forced SMS delivery of 2FA codes. No e-mail option. My workaround was to give my Google Voice number to my bank to where they send their SMS texts, and configure my Google Voice account to forward SMS texts to my Gmail account, so I get the 2FA codes via e-mail. I didn't have to suspend the login by having to roam through the house looking for my phone. I can read the e-mail at my desktop in an e-mail client to get the code to enter into the web site's prompt. All that jumping through hoops because the bank forced their 2FA security theater, but only via SMS. Yes, the minutes of the reported meeting where QR codes were mentioned did not delve into just how the change will be implemented hence I said the article is so uninformative as to be nearly FUD. Something might change, but no info on when or how implemented, or even how QR codes (that contain text strings) are more secure than text strings sent over insecure communication venues. Someone had a wet dream, and someone else thought it was news.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-03 21:28 +0100 |
| Message-ID | <v0gh9lxofo.ln2@Telcontar.valinor> |
| In reply to | #146927 |
On 2025-03-03 20:45, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> VanguardLH wrote: >> >>> What was the point of Google (and Microsoft) fucking up OAUTH, a >>> protocol, to screw into the OAUTH2, a framework, for authenticated >>> logins? >> >> 2FA. > > Separate and independent security schemes. OAUTH2 has the OAUTH2 server > send a token (half the key) to the client that the client stores for > later logins. The OAUTH2 server keeps the other half. The user never > has to enter the token, a code string, or scan some QR image. 2FA > interrupts the login making the user wait for the code to then enter > into some prompt. 2FA relies on 2 criteria: what you know, and what you > have. Alas, many sites fuck up 2FA by never having you enter a > password, but just take your username and then send the 2FA code without > you ever entering the password, so half of the 2FA scheme (what you > know) is missing. > > I'm not part of the kiddie generation that is grafted to their > smartphones. Also, smartphone penetration is not 100%. It's 83% in > urban regions, and 65% in rural regions in the USA. That means there > are folks without a smartphone. They have no way to get SMS messages. > Lots of folks just have simple landlines. Irrelevant. It is much higher with gmail users. > Instead of sending via SMS, the QR code could be sent via e-mail. Geez, > like no one that intercepts your e-mails (which are not encrypted) could > possibly use a QR scanner in a script to login before you do. Also, > there is no guaranteed delivery to email or SMS. Ever have a web site > send a 2FA code never to get it, and you had to request another? Well, > maybe someone intercepted that insecure communication. A QR code isn't > going to deter a thief any more than a numeric string. This is speculation of something in the future, but I expect the QR to pop up in the computer where you try to open email. > >>> Whether on my Android phone or Windows desktop using OAUTH2 email apps, >>> or using a web browser with HTTPS, I've never received an SMS text (on >>> my phone) to complete a login to Gmail. If they replace SMS texts with >>> QR codes (delivered how?), well, I wasn't getting SMS texts before, so I >>> won't be getting QR codes, either. >> >> I have. > > On every login, or once in a blue moon? I can see getting the messages > if you enabled 2FV in your Google account, but I did not. I recall > faintly getting challenged on a login, and had to give my security > answers to access my account. I didn't get a 2FA code for that. Once in a blue moon. Usually when I try a computer that has been off for months. And a tick says "never ask again in this computer". > >>> If the QR codes are sent via SMS texts, instead of getting a string of >>> numbers the users get a QR code. Um, just what is a QR code? Scan one >>> to see it is just embedded text. Maybe Google is assuming no one has a >>> QR scanner app on their phone to decode what text it contains. >> >> This is undefined. Probably you get a QR graphic in the computer, and >> you have to take a photo of it with your phone, inside some application >> they still have to tell us. > > So, I'd need two computers to login? A computer and a smartphone. > Ever see an old video comedy skit where it takes 3 people with both > their hands to operate an overly complicated wrist watch with lots of > buttons that have be pressed concurrently? Might've been on SNL, but I > can't find it now. Nah, I haven't seen it :-D > > Seems they should just proclaim they will eventually require an > authenticator app. However, those aren't all compatible with each > other. The Google Authenticator App isn't usable at my bank where I > would have to use either the Symantec VIP or the Twilio Authy app. I > did use the Authy app, but it didn't work everywhere, plus Authy dropped > their desktop app (Windows, Mac, Linux) leaving only their Android and > iOS apps (so I'm back to grafting a smartphone to my hand). There are > variances in the protocols, so no one authenticator app works > everywhere. I wasn't going to install multiple authenticator apps. > > The bank forced SMS delivery of 2FA codes. No e-mail option. My > workaround was to give my Google Voice number to my bank to where they > send their SMS texts, and configure my Google Voice account to forward > SMS texts to my Gmail account, so I get the 2FA codes via e-mail. I > didn't have to suspend the login by having to roam through the house > looking for my phone. I can read the e-mail at my desktop in an e-mail > client to get the code to enter into the web site's prompt. All that > jumping through hoops because the bank forced their 2FA security > theater, but only via SMS. My bank pushes messages to their own application on the smartphone. This is the preferred method (by the banks) over here. Only if you insist they grumble and let you use SMS. > > Yes, the minutes of the reported meeting where QR codes were mentioned > did not delve into just how the change will be implemented hence I said > the article is so uninformative as to be nearly FUD. Something might > change, but no info on when or how implemented, or even how QR codes > (that contain text strings) are more secure than text strings sent over > insecure communication venues. Someone had a wet dream, and someone > else thought it was news. I can not post what I do not know :-p -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-03 21:58 -0600 |
| Message-ID | <gvldwju36ch0.dlg@v.nguard.lh> |
| In reply to | #146929 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > I can not post what I do not know :-p But Davey Winder did in his article that started this reaction thread, and probably elsewhere, too.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-03 14:20 +0000 |
| Message-ID | <vq4hce.l64.1@ID-201911.user.individual.net> |
| In reply to | #146912 |
VanguardLH <V@nguard.lh> wrote:
[All deleted.]
I think it's one big mixup. ("It's a 'news' article, Frank! What *did*
you expect!?")
They mixup Google and Gmail and which info is being authenticated.
The only somewhat clear part is:
"Over the next few months, we will be reimagining how we verify phone
numbers, Richendrfer told me; Specifically, instead of entering your
number and receiving a 6-digit code, youll see a QR code being
displayed, which you need to scan with the camera app on your phone."
So it's *not* about authenticating a Google account login, *nor* a
Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account.
IMO, even this part is more or less BS, because the paragraph above
talks about "If you are already using a more secure method of
authentication for your Gmail account...", but that is about
authenticating a Gmail 'login', so it conflicts with the quoted
paragraph. (And again mixes up Google and Gmail.)
Bottom line: Somebody posted nonsense on a website. News at eleven!
[toc] | [prev] | [next] | [standalone]
| From | Dave Royal <dave@dave123royal.com> |
|---|---|
| Date | 2025-03-04 07:28 +0000 |
| Message-ID | <vq6a3h$1p9sb$1@dont-email.me> |
| In reply to | #146915 |
Frank Slootweg <this@ddress.is.invalid> Wrote in message:
> VanguardLH <V@nguard.lh> wrote:
>
> [All deleted.]
>
> I think it's one big mixup. ("It's a 'news' article, Frank! What *did*
> you expect!?")
>
> They mixup Google and Gmail and which info is being authenticated.
>
> The only somewhat clear part is:
>
> "Over the next few months, we will be reimagining how we verify phone
> numbers, Richendrfer told me; Specifically, instead of entering your
> number and receiving a 6-digit code, youll see a QR code being
> displayed, which you need to scan with the camera app on your phone."
>
> So it's *not* about authenticating a Google account login, *nor* a
> Gmail 'login', but about verifying the *phone number*, which is
> associated with your Google Account.
>
> IMO, even this part is more or less BS, because the paragraph above
> talks about "If you are already using a more secure method of
> authentication for your Gmail account...", but that is about
> authenticating a Gmail 'login', so it conflicts with the quoted
> paragraph. (And again mixes up Google and Gmail.)
>
> Bottom line: Somebody posted nonsense on a website. News at eleven!
>
A *bit* more info about verifying phone numbers here
<https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
--
Remove numerics from my email address.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 12:18 -0600 |
| Message-ID | <l8nlfkd5cizd.dlg@v.nguard.lh> |
| In reply to | #146950 |
Dave Royal <dave@dave123royal.com> wrote: > A *bit* more info about verifying phone numbers here > <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/> So, you either have to wait for an SMS message to arrive from them, or for them to get the one you send them. SMS is not instantaneous. You wait. SMS is not guaranteed delivery. Some get lost, so retry, and wait some more. The security theater gets more in your way, and stalls the login, all of which (this and 2FA/2FV) was to overcome boobs that reuse the same weak login at every domain they visit (that requires a login). Use technology to overcome the weak point in security: users. Wonder if I'll need to graft my smartphone to my hand to login to Gmail at my desktop PC using an OAUTH2 e-mail client. My phone is not sitting next to my desktop. It's on a desk near the house door where I also toss postal mail, and have a laptop since the UI (small virtual keyboard and touchscreen) on a phone sucks compared to a desktop, laptop, nor netbook. I don't much use that laptop. It's mostly for something related to newly arrived postal mail. Most of my desktop computing is in a basement room. I'm not running upstairs to grab my phone because some boob wants me to jump over hurdles for nuisancing security theater mostly to reduce their manpower for tech support. Plus, I dislike that some site wants my phone number for a totally unrelated service, like e-mail. Oh yes, reduce privacy to profess increased security. The phone for account recovery is okay, but then so are security questions you preset for recovery, or recording your account ID (if you're ever given one). I'd rather have to answer a preset security question immediately on a login failure than wait for an SMS message that I have to manually transcribe or manually scan into the waiting login page. Of course, don't secure the communication venues (e-mail and SMS) used to supposedly secure the logins. Thanks for that article. It gives some more info, but looks like we have to wait, and suffer, with however Google decides to implement their new security theater. Could be months, or years, and then there's the initial pains as they work out the kinks. Perhaps Google should reassess how much they increase pushing users away from Google services. Security and convenience are the anti-thesis of each other: to get more of one means less of the other. Too much security becomes intolerable.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-04 19:42 +0100 |
| Message-ID | <96uj9lxjvi.ln2@Telcontar.valinor> |
| In reply to | #146961 |
On 2025-03-04 19:18, VanguardLH wrote: > Dave Royal <dave@dave123royal.com> wrote: > >> A *bit* more info about verifying phone numbers here >> <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/> > > So, you either have to wait for an SMS message to arrive from them, or > for them to get the one you send them. No, they also say: «Google spokesperson Ross Richendrfer reiterated that SMS is mainly used as a security and anti-abuse check, but there are plenty of security challenges, like phishing and traffic pumping. Consequently, Google plans to reimagine how it verifies phone numbers over the next few months. Instead of entering their phone numbers and receiving a six-digit code over SMS, users will see a QR code they need to scan with their phone camera.» So, take a photo of the qr code. > SMS is not instantaneous. You > wait. SMS is not guaranteed delivery. Some get lost, so retry, and > wait some more. The security theater gets more in your way, and stalls > the login, all of which (this and 2FA/2FV) was to overcome boobs that > reuse the same weak login at every domain they visit (that requires a > login). Use technology to overcome the weak point in security: users. > > Wonder if I'll need to graft my smartphone to my hand to login to Gmail > at my desktop PC using an OAUTH2 e-mail client. My phone is not sitting > next to my desktop. It's on a desk near the house door where I also > toss postal mail, and have a laptop since the UI (small virtual keyboard > and touchscreen) on a phone sucks compared to a desktop, laptop, nor > netbook. I don't much use that laptop. It's mostly for something > related to newly arrived postal mail. Most of my desktop computing is > in a basement room. I'm not running upstairs to grab my phone because > some boob wants me to jump over hurdles for nuisancing security theater > mostly to reduce their manpower for tech support. Plus, I dislike that > some site wants my phone number for a totally unrelated service, like > e-mail. Oh yes, reduce privacy to profess increased security. The > phone for account recovery is okay, but then so are security questions > you preset for recovery, or recording your account ID (if you're ever > given one). I'd rather have to answer a preset security question > immediately on a login failure than wait for an SMS message that I have > to manually transcribe or manually scan into the waiting login page. Of > course, don't secure the communication venues (e-mail and SMS) used to > supposedly secure the logins. «But will fallback authentication methods be available if the user cannot access a mobile phone? Google answers no.» > > Thanks for that article. It gives some more info, but looks like we > have to wait, and suffer, with however Google decides to implement their > new security theater. Could be months, or years, and then there's the > initial pains as they work out the kinks. Perhaps Google should > reassess how much they increase pushing users away from Google services. > Security and convenience are the anti-thesis of each other: to get more > of one means less of the other. Too much security becomes intolerable. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 13:53 -0600 |
| Message-ID | <17fmpgc4tfncj$.dlg@v.nguard.lh> |
| In reply to | #146963 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > VanguardLH wrote: > >> So, you either have to wait for an SMS message to arrive from them, >> or for them to get the one you send them. > > No, they also say: > > «Google spokesperson Ross Richendrfer reiterated that SMS is mainly > used as a security and anti-abuse check, but there are plenty of > security challenges, like phishing and traffic pumping. Consequently, > Google plans to reimagine how it verifies phone numbers over the next > few months. Instead of entering their phone numbers and receiving a > six-digit code over SMS, users will see a QR code they need to scan > with their phone camera.» Not relevant to my statement of having to wait for SMS messages (text or QR image content) nor there is no guaranteed delivery of SMS messages. To where is the SMS message sent? To the phone. Okay, I'll see an SMS message with a QR image. Then what? Do SMS apps have embedded scanning of the content of SMS messages to then use an embedded QR decoder to show the text embedded in the image (which obviates the whole point of supposedly securing the text string in an image) that I then have to copy/paste into some web prompt? I'm interested in what are the mechanics involved in getting an SMS message containing a QR image to then decipher into a text string to copy and paste into some web prompt. Maybe we won't know until Google uses us to alpha test whatever scheme they come up with. > So, take a photo of the qr code. I'm supposed to take a photo using the phone where the SMS message arrived with the QR code? I don't think they make smartphones that are yet that bendable where I can point the phone's camera at the display of the SMS message on the screen. I won't be getting the SMS message on my desktop to then snapshot with a phone camera. The desktop not a phone. The phone is (must) be a smartphone, but how do I take a photo of or scan an SMS message to run through a QR decoder to convert to text to then copy/paste into a web prompt? I'm holding the smartphone. An SMS message arrives containing a QR image. Then what? Somehow, on the phone receiving the SMS message, there needs to be a means of scanning the QR image in the SMS message. Is that doable (and without the addition of more software, like an authenticator app)? Do I take a screenshot while the SMS message is displayed to then open that screenshot file into a QR scanner app (to then get the text encoded within the image which used to be sent as text in an SMS message)? You're saying it can be done. I'm asking how. Once the SMS message arrives containing a QR image, then what? No smartphone is so bendable that its camera can be pointed at its own screen.
[toc] | [prev] | [next] | [standalone]
| From | Frank Slootweg <this@ddress.is.invalid> |
|---|---|
| Date | 2025-03-04 20:34 +0000 |
| Message-ID | <vq7rjj.47s.1@ID-201911.user.individual.net> |
| In reply to | #146966 |
VanguardLH <V@nguard.lh> wrote: [...] > Not relevant to my statement of having to wait for SMS messages (text or > QR image content) nor there is no guaranteed delivery of SMS messages. > > To where is the SMS message sent? To the phone. Okay, I'll see an SMS > message with a QR image. Then what? Do SMS apps have embedded scanning > of the content of SMS messages to then use an embedded QR decoder to > show the text embedded in the image (which obviates the whole point of > supposedly securing the text string in an image) that I then have to > copy/paste into some web prompt? AFAICT, "an SMS message with a QR image" is a figment of your imagination! I think such a thing is not mentioned anywhere and not even implied anywhere. The referenced articles mention that *use* of a code in an SMS message will be replaced by *use* of a QR code, but that does not mean that the QR code is *in* an SMS message. (I think that would be obvious, because an SMS message is too small to hold a QR code, not to mention that it can only hold character data, not binary data.) So perhaps it's best to come up with an actual quote from the referenced articles, which leads you to your assumption, instead of going on and on about something which is very likely a straw man / red herring. [Much more of the same deleted.]
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-04 19:45 -0600 |
| Message-ID | <hncfhd611fab.dlg@v.nguard.lh> |
| In reply to | #146967 |
Frank Slootweg <this@ddress.is.invalid> wrote: > VanguardLH <V@nguard.lh> wrote: > [...] > >> Not relevant to my statement of having to wait for SMS messages (text or >> QR image content) nor there is no guaranteed delivery of SMS messages. >> >> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >> message with a QR image. Then what? Do SMS apps have embedded scanning >> of the content of SMS messages to then use an embedded QR decoder to >> show the text embedded in the image (which obviates the whole point of >> supposedly securing the text string in an image) that I then have to >> copy/paste into some web prompt? > > AFAICT, "an SMS message with a QR image" is a figment of your > imagination! > > I think such a thing is not mentioned anywhere and not even implied > anywhere. The delivery mechanism is defined where? > The referenced articles mention that *use* of a code in an SMS message > will be replaced by *use* of a QR code, but that does not mean that the > QR code is *in* an SMS message. (I think that would be obvious, because > an SMS message is too small to hold a QR code, not to mention that it > can only hold character data, not binary data.) I figured it could be MMS (Multimedia Messaging) instead of SMS (Short Message Service). MMS can be used to send pictures. I have automatic downloads of MMS disabled in my messaging apps. However, upon some further reading, Google Prompts looks to use notifications instead of SMS/MMS messages. Maybe. > So perhaps it's best to come up with an actual quote from the > referenced articles, which leads you to your assumption, instead of > going on and on about something which is very likely a straw man / red > herring. That's the crux of the problem: there are no details on how QR images by whatever delivery mechanism are to get decoded into strings by the user to input into a waiting field. All of us are just guessing for now what are the possibilities.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-05 03:48 +0100 |
| Message-ID | <9kqk9lx6m3.ln2@Telcontar.valinor> |
| In reply to | #146972 |
On 2025-03-05 02:45, VanguardLH wrote: > Frank Slootweg <this@ddress.is.invalid> wrote: > >> VanguardLH <V@nguard.lh> wrote: >> [...] >> >>> Not relevant to my statement of having to wait for SMS messages (text or >>> QR image content) nor there is no guaranteed delivery of SMS messages. >>> >>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>> message with a QR image. Then what? Do SMS apps have embedded scanning >>> of the content of SMS messages to then use an embedded QR decoder to >>> show the text embedded in the image (which obviates the whole point of >>> supposedly securing the text string in an image) that I then have to >>> copy/paste into some web prompt? >> >> AFAICT, "an SMS message with a QR image" is a figment of your >> imagination! >> >> I think such a thing is not mentioned anywhere and not even implied >> anywhere. > > The delivery mechanism is defined where? > >> The referenced articles mention that *use* of a code in an SMS message >> will be replaced by *use* of a QR code, but that does not mean that the >> QR code is *in* an SMS message. (I think that would be obvious, because >> an SMS message is too small to hold a QR code, not to mention that it >> can only hold character data, not binary data.) > > I figured it could be MMS (Multimedia Messaging) instead of SMS (Short > Message Service). MMS can be used to send pictures. I have automatic > downloads of MMS disabled in my messaging apps. > > However, upon some further reading, Google Prompts looks to use > notifications instead of SMS/MMS messages. Maybe. > >> So perhaps it's best to come up with an actual quote from the >> referenced articles, which leads you to your assumption, instead of >> going on and on about something which is very likely a straw man / red >> herring. > > That's the crux of the problem: there are no details on how QR images by > whatever delivery mechanism are to get decoded into strings by the user > to input into a waiting field. All of us are just guessing for now what > are the possibilities. You are imagining it wrong. You try to login on your computer; the computer displays a picture, the phone takes a photo. There are no SMS involved, no conversions, no fields to complete. Just point and shoot, done. Instantly. Same as currently done to login to wasap on the computer. The same system. Known and tested. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-05 14:43 -0600 |
| Message-ID | <1r6si9zdyx9ek.dlg@v.nguard.lh> |
| In reply to | #146975 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > On 2025-03-05 02:45, VanguardLH wrote: >> Frank Slootweg <this@ddress.is.invalid> wrote: >> >>> VanguardLH <V@nguard.lh> wrote: >>> [...] >>> >>>> Not relevant to my statement of having to wait for SMS messages (text or >>>> QR image content) nor there is no guaranteed delivery of SMS messages. >>>> >>>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>>> message with a QR image. Then what? Do SMS apps have embedded scanning >>>> of the content of SMS messages to then use an embedded QR decoder to >>>> show the text embedded in the image (which obviates the whole point of >>>> supposedly securing the text string in an image) that I then have to >>>> copy/paste into some web prompt? >>> >>> AFAICT, "an SMS message with a QR image" is a figment of your >>> imagination! >>> >>> I think such a thing is not mentioned anywhere and not even implied >>> anywhere. >> >> The delivery mechanism is defined where? >> >>> The referenced articles mention that *use* of a code in an SMS message >>> will be replaced by *use* of a QR code, but that does not mean that the >>> QR code is *in* an SMS message. (I think that would be obvious, because >>> an SMS message is too small to hold a QR code, not to mention that it >>> can only hold character data, not binary data.) >> >> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short >> Message Service). MMS can be used to send pictures. I have automatic >> downloads of MMS disabled in my messaging apps. >> >> However, upon some further reading, Google Prompts looks to use >> notifications instead of SMS/MMS messages. Maybe. >> >>> So perhaps it's best to come up with an actual quote from the >>> referenced articles, which leads you to your assumption, instead of >>> going on and on about something which is very likely a straw man / red >>> herring. >> >> That's the crux of the problem: there are no details on how QR images by >> whatever delivery mechanism are to get decoded into strings by the user >> to input into a waiting field. All of us are just guessing for now what >> are the possibilities. > > You are imagining it wrong. You try to login on your computer; the > computer displays a picture, the phone takes a photo. There are no SMS > involved, no conversions, no fields to complete. Just point and shoot, > done. Instantly. > > Same as currently done to login to wasap on the computer. The same > system. Known and tested. No, not when logging into my computer. Google isn't involved in me logging into my computer. It's logging into a web site (Gmail), or when Google wants to [re]validate my phone number. Still a question which the QR image will be used for. Franks says phone number (device) validation. Online articles mention when signing in to a web site, even the Google article cited below. Since this QR stuff revolves around smart phones, why would my computer be involved? Google wants to tie a phone number to my Google account. Phone, not computer. Why would my computer be getting a message from Google about my phone? And how would Google send that message to my computer which is not a phone and has no cellular service? My computer may be off. Like many users, they only have a smartphone, not a computer. My computer is connected to the Internet. What if my ISP is down to the computer, but my cellular carrier is up to the phone? If SMS is not involved (on the phone, not my computer since it is not a phone nor use any cellular service) then notifications are involved (on the phone), and notifications are from an app or service (on the phone). I doubt Google Prompts would be using email. Google Prompts are using Google Play Services and Google Assistant (the search bar on the home screen) running on your phone, not your computer. Those connect to your account, not to your computer. https://support.google.com/accounts/answer/7026266 Phone, not computer. Google Prompts requires your PHONE to have wifi or cellular data access to the Internet for Play Services to connect to your account. I'm not sure if Play Services or Google Assistant display the notification. Your PHONE needs to be logged into your Google account from where the message originates that is sent to your phone when polled by Play Services (unless there is some push mechanism). If SMS is not involved with Google Prompts then there is connection between Google Play Services on your phone and your Google account. However, iPhone (iOS) users are told to just download the Google App (aka Google Assistant) to utilize Google Prompts which makes it look like the Google app is phoning home to detect the message which it then displays as a notification. If it's the Google app doing all the work to retrieve and display notifications, Google's scheme won't work without the Google app (for iOS), or if it is disabled (for Android). https://www.androidauthority.com/google-prompt-fingerprint-pin-authentication-3522306/ Yet that article says Google Play Services is involved in Google Prompts, but that won't be on an iPhone, just the Google App if an iPhone user installs it. Maybe the iOS Google App has functionality built into it that on Android is shared between Google App and Google Play Services.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-05 23:14 +0100 |
| Message-ID | <1vum9lxhu1.ln2@Telcontar.valinor> |
| In reply to | #147005 |
On 2025-03-05 21:43, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> On 2025-03-05 02:45, VanguardLH wrote: >>> Frank Slootweg <this@ddress.is.invalid> wrote: >>> >>>> VanguardLH <V@nguard.lh> wrote: >>>> [...] >>>> >>>>> Not relevant to my statement of having to wait for SMS messages (text or >>>>> QR image content) nor there is no guaranteed delivery of SMS messages. >>>>> >>>>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>>>> message with a QR image. Then what? Do SMS apps have embedded scanning >>>>> of the content of SMS messages to then use an embedded QR decoder to >>>>> show the text embedded in the image (which obviates the whole point of >>>>> supposedly securing the text string in an image) that I then have to >>>>> copy/paste into some web prompt? >>>> >>>> AFAICT, "an SMS message with a QR image" is a figment of your >>>> imagination! >>>> >>>> I think such a thing is not mentioned anywhere and not even implied >>>> anywhere. >>> >>> The delivery mechanism is defined where? >>> >>>> The referenced articles mention that *use* of a code in an SMS message >>>> will be replaced by *use* of a QR code, but that does not mean that the >>>> QR code is *in* an SMS message. (I think that would be obvious, because >>>> an SMS message is too small to hold a QR code, not to mention that it >>>> can only hold character data, not binary data.) >>> >>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short >>> Message Service). MMS can be used to send pictures. I have automatic >>> downloads of MMS disabled in my messaging apps. >>> >>> However, upon some further reading, Google Prompts looks to use >>> notifications instead of SMS/MMS messages. Maybe. >>> >>>> So perhaps it's best to come up with an actual quote from the >>>> referenced articles, which leads you to your assumption, instead of >>>> going on and on about something which is very likely a straw man / red >>>> herring. >>> >>> That's the crux of the problem: there are no details on how QR images by >>> whatever delivery mechanism are to get decoded into strings by the user >>> to input into a waiting field. All of us are just guessing for now what >>> are the possibilities. >> >> You are imagining it wrong. You try to login on your computer; the >> computer displays a picture, the phone takes a photo. There are no SMS >> involved, no conversions, no fields to complete. Just point and shoot, >> done. Instantly. >> >> Same as currently done to login to wasap on the computer. The same >> system. Known and tested. > > No, not when logging into my computer. Google isn't involved in me > logging into my computer. I did not say "logging into my computer". I said "login on your computer", obviously to Google, which is the context. You are login into google in your computer; the browser you are using, or the mail application you are using displays a QR code, and tells you «take a picture with "name of app" in your registered phone, number ending in XXX». You comply, and in seconds you are authorized to complete login to google in the computer. In the same context, the method now is that google says "you will have received an SMS in your registered phone that ends in XXX, please copy here the six digit number you received". The rest of your writeup is irrelevant. Please focus. It is very simple, trivial really. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 00:50 -0600 |
| Message-ID | <1hb68gbht5hgg$.dlg@v.nguard.lh> |
| In reply to | #147011 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > On 2025-03-05 21:43, VanguardLH wrote: >> "Carlos E.R." <robin_listas@es.invalid> wrote: >> >>> On 2025-03-05 02:45, VanguardLH wrote: >>>> Frank Slootweg <this@ddress.is.invalid> wrote: >>>> >>>>> VanguardLH <V@nguard.lh> wrote: >>>>> [...] >>>>> >>>>>> Not relevant to my statement of having to wait for SMS messages (text or >>>>>> QR image content) nor there is no guaranteed delivery of SMS messages. >>>>>> >>>>>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>>>>> message with a QR image. Then what? Do SMS apps have embedded scanning >>>>>> of the content of SMS messages to then use an embedded QR decoder to >>>>>> show the text embedded in the image (which obviates the whole point of >>>>>> supposedly securing the text string in an image) that I then have to >>>>>> copy/paste into some web prompt? >>>>> >>>>> AFAICT, "an SMS message with a QR image" is a figment of your >>>>> imagination! >>>>> >>>>> I think such a thing is not mentioned anywhere and not even implied >>>>> anywhere. >>>> >>>> The delivery mechanism is defined where? >>>> >>>>> The referenced articles mention that *use* of a code in an SMS message >>>>> will be replaced by *use* of a QR code, but that does not mean that the >>>>> QR code is *in* an SMS message. (I think that would be obvious, because >>>>> an SMS message is too small to hold a QR code, not to mention that it >>>>> can only hold character data, not binary data.) >>>> >>>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short >>>> Message Service). MMS can be used to send pictures. I have automatic >>>> downloads of MMS disabled in my messaging apps. >>>> >>>> However, upon some further reading, Google Prompts looks to use >>>> notifications instead of SMS/MMS messages. Maybe. >>>> >>>>> So perhaps it's best to come up with an actual quote from the >>>>> referenced articles, which leads you to your assumption, instead of >>>>> going on and on about something which is very likely a straw man / red >>>>> herring. >>>> >>>> That's the crux of the problem: there are no details on how QR images by >>>> whatever delivery mechanism are to get decoded into strings by the user >>>> to input into a waiting field. All of us are just guessing for now what >>>> are the possibilities. >>> >>> You are imagining it wrong. You try to login on your computer; the >>> computer displays a picture, the phone takes a photo. There are no SMS >>> involved, no conversions, no fields to complete. Just point and shoot, >>> done. Instantly. >>> >>> Same as currently done to login to wasap on the computer. The same >>> system. Known and tested. >> >> No, not when logging into my computer. Google isn't involved in me >> logging into my computer. > > I did not say "logging into my computer". I said "login on your > computer", obviously to Google, which is the context. > > You are login into google in your computer; the browser you are using, > or the mail application you are using displays a QR code, and tells you > «take a picture with "name of app" in your registered phone, number > ending in XXX». You comply, and in seconds you are authorized to > complete login to google in the computer. "name of app" is? Would have to be one that connects back to my Google account. Play Services, Google app (aka Google Assistant), or what? That would provide the mechanism used to complete the Google Prompt. What if I'm using a web browser on the phone? The web browser on the phone can show a QR image the web site presents, but then what? It's not like I can point the camera in the phone at the web page in the web browser on the phone. Does "name of app" scan the screen? > In the same context, the method now is that google says "you will have > received an SMS in your registered phone that ends in XXX, please copy > here the six digit number you received". That's now with a text string send via SMS. Google says they won't be using SMS (or MMS) to send QR codes. So, some app on the phone checks for and displays a Google Prompt. Apparently that would be Play Services or the Google app. The part about getting an SMS notification with a string that the user manually transfers to a waiting input field is not what I'm asking about. That uses SMS to send a string to the user sent by the web site interrupting a login that a messaging app will display in its window, or in its notification. SMS will not be involved when Google switches to sending QR codes. Looks like Google Prompts will handle delivering the QR image to the phone. It was, and still is for now, sending SMS texts to the phone. Not when Google switches to QR codes. Google won't be using SMS to send QR codes. The intend to drop SMS. From what I've read, so far, it looks like they will use Google Prompts which involve either Play Services or the Google app, or maybe both in tandem (on Android, just the Google app on iOS) that connect to your Google account. At this point, it's anyone's guess how the QR image gets from the Google Prompt into the waiting login page. Perhaps Google will update their Google App to show the image along with its decoded string the user can read and manually copy, or the Google App could convert the QR image in the Google Prompt into a string in the clipboard to let the user paste into the login form, or the Google App phones home with the QR image showing in a web page (there is a camera button in the Google App). Somehow all of this seems to be just for logging into Google service and web sites, not for use by anyone else. Gmail is not my primary e-mail service, and I won't miss not using it as a backup e-mail provider. Many other Google services have their own Android app, so they don't need QR codes. Google services I used on my desktop run in the background, like Google Drive, and they don't ask for logins (after the initial setup). Displaying a QR code at a Google web site viewed in a web browser on the desktop to complete the loop by using a phone's camera that pipes the decoded string back to Google would complete that loop. Not sure how a QR code displayed at a Google web site in a web browser on the phone is going to get scanned to send the string back to your Google account.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-06 12:38 +0100 |
| Message-ID | <93eo9lxg6r.ln2@Telcontar.valinor> |
| In reply to | #147014 |
On 2025-03-06 07:50, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> On 2025-03-05 21:43, VanguardLH wrote: >>> "Carlos E.R." <robin_listas@es.invalid> wrote: >>> >>>> On 2025-03-05 02:45, VanguardLH wrote: >>>>> Frank Slootweg <this@ddress.is.invalid> wrote: >>>>> >>>>>> VanguardLH <V@nguard.lh> wrote: >>>>>> [...] >>>>>> >>>>>>> Not relevant to my statement of having to wait for SMS messages (text or >>>>>>> QR image content) nor there is no guaranteed delivery of SMS messages. >>>>>>> >>>>>>> To where is the SMS message sent? To the phone. Okay, I'll see an SMS >>>>>>> message with a QR image. Then what? Do SMS apps have embedded scanning >>>>>>> of the content of SMS messages to then use an embedded QR decoder to >>>>>>> show the text embedded in the image (which obviates the whole point of >>>>>>> supposedly securing the text string in an image) that I then have to >>>>>>> copy/paste into some web prompt? >>>>>> >>>>>> AFAICT, "an SMS message with a QR image" is a figment of your >>>>>> imagination! >>>>>> >>>>>> I think such a thing is not mentioned anywhere and not even implied >>>>>> anywhere. >>>>> >>>>> The delivery mechanism is defined where? >>>>> >>>>>> The referenced articles mention that *use* of a code in an SMS message >>>>>> will be replaced by *use* of a QR code, but that does not mean that the >>>>>> QR code is *in* an SMS message. (I think that would be obvious, because >>>>>> an SMS message is too small to hold a QR code, not to mention that it >>>>>> can only hold character data, not binary data.) >>>>> >>>>> I figured it could be MMS (Multimedia Messaging) instead of SMS (Short >>>>> Message Service). MMS can be used to send pictures. I have automatic >>>>> downloads of MMS disabled in my messaging apps. >>>>> >>>>> However, upon some further reading, Google Prompts looks to use >>>>> notifications instead of SMS/MMS messages. Maybe. >>>>> >>>>>> So perhaps it's best to come up with an actual quote from the >>>>>> referenced articles, which leads you to your assumption, instead of >>>>>> going on and on about something which is very likely a straw man / red >>>>>> herring. >>>>> >>>>> That's the crux of the problem: there are no details on how QR images by >>>>> whatever delivery mechanism are to get decoded into strings by the user >>>>> to input into a waiting field. All of us are just guessing for now what >>>>> are the possibilities. >>>> >>>> You are imagining it wrong. You try to login on your computer; the >>>> computer displays a picture, the phone takes a photo. There are no SMS >>>> involved, no conversions, no fields to complete. Just point and shoot, >>>> done. Instantly. >>>> >>>> Same as currently done to login to wasap on the computer. The same >>>> system. Known and tested. >>> >>> No, not when logging into my computer. Google isn't involved in me >>> logging into my computer. >> >> I did not say "logging into my computer". I said "login on your >> computer", obviously to Google, which is the context. >> >> You are login into google in your computer; the browser you are using, >> or the mail application you are using displays a QR code, and tells you >> «take a picture with "name of app" in your registered phone, number >> ending in XXX». You comply, and in seconds you are authorized to >> complete login to google in the computer. > > "name of app" is? To be determined at some future date. > Would have to be one that connects back to my Google > account. Play Services, Google app (aka Google Assistant), or what? > That would provide the mechanism used to complete the Google Prompt. > > What if I'm using a web browser on the phone? The web browser on the > phone can show a QR image the web site presents, but then what? It's > not like I can point the camera in the phone at the web page in the web > browser on the phone. Does "name of app" scan the screen? That's not the case reported in the news. Does not apply. Still, the app can take a screenshot. > >> In the same context, the method now is that google says "you will have >> received an SMS in your registered phone that ends in XXX, please copy >> here the six digit number you received". > > That's now with a text string send via SMS. Google says they won't be > using SMS (or MMS) to send QR codes. So, some app on the phone checks > for and displays a Google Prompt. Apparently that would be Play > Services or the Google app. > > The part about getting an SMS notification with a string that the user > manually transfers to a waiting input field is not what I'm asking > about. That uses SMS to send a string to the user sent by the web site > interrupting a login that a messaging app will display in its window, or > in its notification. SMS will not be involved when Google switches to > sending QR codes. Looks like Google Prompts will handle delivering the > QR image to the phone. It was, and still is for now, sending SMS texts > to the phone. Not when Google switches to QR codes. > > Google won't be using SMS to send QR codes. They did not said they would. > The intend to drop SMS. > From what I've read, so far, it looks like they will use Google Prompts > which involve either Play Services or the Google app, or maybe both in > tandem (on Android, just the Google app on iOS) that connect to your > Google account. > > At this point, it's anyone's guess how the QR image gets from the Google > Prompt into the waiting login page. Perhaps Google will update their > Google App to show the image along with its decoded string the user can > read and manually copy, or the Google App could convert the QR image in > the Google Prompt into a string in the clipboard to let the user paste > into the login form, or the Google App phones home with the QR image > showing in a web page (there is a camera button in the Google App). > > Somehow all of this seems to be just for logging into Google service and > web sites, not for use by anyone else. Gmail is not my primary e-mail > service, and I won't miss not using it as a backup e-mail provider. > Many other Google services have their own Android app, so they don't > need QR codes. Google services I used on my desktop run in the > background, like Google Drive, and they don't ask for logins (after the > initial setup). Displaying a QR code at a Google web site viewed in a > web browser on the desktop to complete the loop by using a phone's > camera that pipes the decoded string back to Google would complete that > loop. Not sure how a QR code displayed at a Google web site in a web > browser on the phone is going to get scanned to send the string back to > your Google account. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
| From | VanguardLH <V@nguard.LH> |
|---|---|
| Date | 2025-03-06 15:46 -0600 |
| Message-ID | <7sbrtsehnbnu.dlg@v.nguard.lh> |
| In reply to | #147025 |
"Carlos E.R." <robin_listas@es.invalid> wrote: > VanguardLH wrote: > >> Google won't be using SMS to send QR codes. > > They did not said they would. From the article cited in the starter thread: https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/ Gmail spokesperson Ross Richendrfer told me, “we want to move away from sending SMS messages for authentication.” There are other online article mentioning the same move away from SMS for authentication by Google, like: https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes https://www.techradar.com/pro/security/google-is-ditching-sms-and-will-now-use-qr-codes-for-gmail-account-authentication There are lots of articles stating Google intends to drop SMS transport. However, it's not always evident when an article is regurgitating what someone else reported. They come back to what a Gmail spokeperson said, and I don't believe the articles are lying about that. It's in the wet dream planning stage, so how they implement the move to QR images could change to staying with SMS, or moving to Google Prompt or some other communications venue. I really hate to graft my smartphone to my hand to ensure it is readily accessible for this security theater machinations. I'm too old for all this jumping through hoops of fire. Rather than run through the house looking for my smartphone (it's usually on a different floor of the house in a charging cradle next to the side door by the garage where I enter), I'll just forego the security theater, and go somewhere else for e-mail service. Logging in is getting more complicated to the user and at the server than the e-mail service itself. As I said, Gmail is NOT my primary e-mail provider; however, what Google does, and if doable at other sites, the plague will spread. Remember what happened with Google and Microsoft fucking up OAUTH, a protocol, to turn it into the OAUTH2 framework, and OAUTH2 (Google's variant) got adopted at many other e-mail providers.
[toc] | [prev] | [next] | [standalone]
| From | "Carlos E.R." <robin_listas@es.invalid> |
|---|---|
| Date | 2025-03-06 23:22 +0100 |
| Message-ID | <upjp9lxav6.ln2@Telcontar.valinor> |
| In reply to | #147049 |
On 2025-03-06 22:46, VanguardLH wrote: > "Carlos E.R." <robin_listas@es.invalid> wrote: > >> VanguardLH wrote: >> >>> Google won't be using SMS to send QR codes. >> >> They did not said they would. > > From the article cited in the starter thread: > > https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/ > Gmail spokesperson Ross Richendrfer told me, “we want to move away from > sending SMS messages for authentication.” > > There are other online article mentioning the same move away from SMS > for authentication by Google, like: That's not saying they would be using SMS to send QR codes. > > https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes > https://www.techradar.com/pro/security/google-is-ditching-sms-and-will-now-use-qr-codes-for-gmail-account-authentication > > There are lots of articles stating Google intends to drop SMS transport. > However, it's not always evident when an article is regurgitating what > someone else reported. They come back to what a Gmail spokeperson said, > and I don't believe the articles are lying about that. > > It's in the wet dream planning stage, so how they implement the move to > QR images could change to staying with SMS, or moving to Google Prompt > or some other communications venue. > > I really hate to graft my smartphone to my hand to ensure it is readily > accessible for this security theater machinations. The occasions when I had to check that SMS have been very rare, not even once a month. Going to the kitchen to fetch the phone once a month is not a chore. > I'm too old for all > this jumping through hoops of fire. Rather than run through the house > looking for my smartphone (it's usually on a different floor of the > house in a charging cradle next to the side door by the garage where I > enter), I'll just forego the security theater, and go somewhere else for > e-mail service. Logging in is getting more complicated to the user and > at the server than the e-mail service itself. > > As I said, Gmail is NOT my primary e-mail provider; however, what Google > does, and if doable at other sites, the plague will spread. Remember > what happened with Google and Microsoft fucking up OAUTH, a protocol, to > turn it into the OAUTH2 framework, and OAUTH2 (Google's variant) got > adopted at many other e-mail providers. -- Cheers, Carlos.
[toc] | [prev] | [next] | [standalone]
Page 2 of 4 — ← Prev page 1 [2] 3 4 Next page →
Back to top | Article view | comp.mobile.android
csiph-web