Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here: <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
On 3/2/25 6:28 AM, Carlos E.R. wrote:
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here: <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
I've been using the Google Authenticator app for quite awhile now to verify
new devices. Very easy to use. Just push the yes it's me button.
Surprisingly it even works on my Amazon Fire converted to Google account
tablets. Hope it stays...
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here: <https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
On 2025-03-03 11:05, VanguardLH wrote:
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
Tough luck. The SMS is sent to the phone that is registered with the
account.
"Carlos E.R." wrote:
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here:
<https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.
To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?
The articles are about discussions about possible future changes, but
the article or discussions have been very incomplete, like a proposal
without a scheme. The articles are as worthless as telling you a
grocery store will have a weekly sale sometime months in the future, but
not when, or what will be on sale for what price.
VanguardLH wrote:
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.
To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?
The articles are about discussions about possible future changes, but
the article or discussions have been very incomplete, like a proposal
without a scheme. The articles are as worthless as telling you a
grocery store will have a weekly sale sometime months in the future, but
not when, or what will be on sale for what price.
Oops, forgot I was in the Android newsgroup which eliminates desktops.
"Carlos E.R." wrote:
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here:
<https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.
To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?
The articles are about discussions about possible future changes, but
the article or discussions have been very incomplete, like a proposal
without a scheme. The articles are as worthless as telling you a
grocery store will have a weekly sale sometime months in the future, but
not when, or what will be on sale for what price.
On 2025-03-03 11:05, VanguardLH wrote:
"Carlos E.R." wrote:
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here:
<https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
Tough luck. The SMS is sent to the phone that is registered with the
account.
However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.
To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?
To your registered smartphone.
"Carlos E.R." wrote:
On 2025-03-03 11:05, VanguardLH wrote:
"Carlos E.R." wrote:
Hi,
Just read yesterday that Google will no longer send SMSs with six digit
codes for verification of gmail account, but instead will use QR codes.
This is to avoid scams in which the victim is told to tell the fraudster
the number he just received on the phone.
I have a source but it is in Spanish:
<https://www.20minutos.es/tecnologia/ciberseguridad/novedad-google-luchar-contra-estafas-adios-autenticacion-digitos-sms-5685840/>
Oh, English here:
<https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/>
Doesn't make sense. Say I'm using a desktop PC. Nope, it doesn't have
a cellular or landline phone line to it (it cannot do telephony) which
is typical of desktop PCs. I want to login to my Gmail account. How
are they going to send an SMS text to my desktop PC? Not everyone
logging into Gmail is using a smartphone to do so.
Tough luck. The SMS is sent to the phone that is registered with the
account.
What was the point of Google (and Microsoft) fucking up OAUTH, a
protocol, to screw into the OAUTH2, a framework, for authenticated
logins?
Whether on my Android phone or Windows desktop using OAUTH2 email apps,
or using a web browser with HTTPS, I've never received an SMS text (on
my phone) to complete a login to Gmail. If they replace SMS texts with
QR codes (delivered how?), well, I wasn't getting SMS texts before, so I won't be getting QR codes, either.
If the QR codes are sent via SMS texts, instead of getting a string of numbers the users get a QR code. Um, just what is a QR code? Scan one
to see it is just embedded text. Maybe Google is assuming no one has a
QR scanner app on their phone to decode what text it contains.
Once the QR image arrives via SMS text on the phone, what the hell am I supposed to do with it? Not like I can point the phone's cameras at the phone's screen to read the QR image to decode into the text within. So, whatever is attempting the login must incorporate a QR scanner that can
look at QR images in SMS texts?
However, my IMAP e-mail client using OAUTH2 to login never sends me
anything to further authenticate the login.
To where is Google going to send their QR code when I use a web browser
to connect and log into https://www.gmail.com?
To your registered smartphone.
And I'm somehow supposed to magically scan a QR code in an SMS text
sent to my phone to get it to my desktop? Unlike a numeric string, I
cannot transcribe a QR code into whatever is the text within it.
VanguardLH wrote:
What was the point of Google (and Microsoft) fucking up OAUTH, a
protocol, to screw into the OAUTH2, a framework, for authenticated
logins?
2FA.
Whether on my Android phone or Windows desktop using OAUTH2 email apps,
or using a web browser with HTTPS, I've never received an SMS text (on
my phone) to complete a login to Gmail. If they replace SMS texts with
QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
won't be getting QR codes, either.
I have.
If the QR codes are sent via SMS texts, instead of getting a string of
numbers the users get a QR code. Um, just what is a QR code? Scan one
to see it is just embedded text. Maybe Google is assuming no one has a
QR scanner app on their phone to decode what text it contains.
This is undefined. Probably you get a QR graphic in the computer, and
you have to take a photo of it with your phone, inside some application
they still have to tell us.
"Carlos E.R." wrote:
VanguardLH wrote:
What was the point of Google (and Microsoft) fucking up OAUTH, a
protocol, to screw into the OAUTH2, a framework, for authenticated
logins?
2FA.
Separate and independent security schemes. OAUTH2 has the OAUTH2 server
send a token (half the key) to the client that the client stores for
later logins. The OAUTH2 server keeps the other half. The user never
has to enter the token, a code string, or scan some QR image. 2FA
interrupts the login making the user wait for the code to then enter
into some prompt. 2FA relies on 2 criteria: what you know, and what you have. Alas, many sites fuck up 2FA by never having you enter a
password, but just take your username and then send the 2FA code without
you ever entering the password, so half of the 2FA scheme (what you
know) is missing.
I'm not part of the kiddie generation that is grafted to their
smartphones. Also, smartphone penetration is not 100%. It's 83% in
urban regions, and 65% in rural regions in the USA. That means there
are folks without a smartphone. They have no way to get SMS messages.
Lots of folks just have simple landlines.
Instead of sending via SMS, the QR code could be sent via e-mail. Geez,
like no one that intercepts your e-mails (which are not encrypted) could possibly use a QR scanner in a script to login before you do. Also,
there is no guaranteed delivery to email or SMS. Ever have a web site
send a 2FA code never to get it, and you had to request another? Well,
maybe someone intercepted that insecure communication. A QR code isn't
going to deter a thief any more than a numeric string.
Whether on my Android phone or Windows desktop using OAUTH2 email apps,
or using a web browser with HTTPS, I've never received an SMS text (on
my phone) to complete a login to Gmail. If they replace SMS texts with
QR codes (delivered how?), well, I wasn't getting SMS texts before, so I
won't be getting QR codes, either.
I have.
On every login, or once in a blue moon? I can see getting the messages
if you enabled 2FV in your Google account, but I did not. I recall
faintly getting challenged on a login, and had to give my security
answers to access my account. I didn't get a 2FA code for that.
If the QR codes are sent via SMS texts, instead of getting a string of
numbers the users get a QR code. Um, just what is a QR code? Scan one
to see it is just embedded text. Maybe Google is assuming no one has a
QR scanner app on their phone to decode what text it contains.
This is undefined. Probably you get a QR graphic in the computer, and
you have to take a photo of it with your phone, inside some application
they still have to tell us.
So, I'd need two computers to login?
Ever see an old video comedy skit where it takes 3 people with both
their hands to operate an overly complicated wrist watch with lots of
buttons that have to be pressed concurrently? Might've been on SNL, but I
can't find it now.
Seems they should just proclaim they will eventually require an
authenticator app. However, those aren't all compatible with each
other. The Google Authenticator App isn't usable at my bank where I
would have to use either the Symantec VIP or the Twilio Authy app. I
did use the Authy app, but it didn't work everywhere, plus Authy dropped their desktop app (Windows, Mac, Linux) leaving only their Android and
iOS apps (so I'm back to grafting a smartphone to my hand). There are variances in the protocols, so no one authenticator app works
everywhere. I wasn't going to install multiple authenticator apps.
The bank forced SMS delivery of 2FA codes. No e-mail option. My
workaround was to give my Google Voice number to my bank to where they
send their SMS texts, and configure my Google Voice account to forward
SMS texts to my Gmail account, so I get the 2FA codes via e-mail. I
didn't have to suspend the login by having to roam through the house
looking for my phone. I can read the e-mail at my desktop in an e-mail client to get the code to enter into the web site's prompt. All that
jumping through hoops because the bank forced their 2FA security
theater, but only via SMS.
Yes, the minutes of the reported meeting where QR codes were mentioned
did not delve into just how the change will be implemented hence I said
the article is so uninformative as to be nearly FUD. Something might
change, but no info on when or how implemented, or even how QR codes
(that contain text strings) are more secure than text strings sent over insecure communication venues. Someone had a wet dream, and someone
else thought it was news.
I've been using the Google Authenticator app for quite awhile now to verify
new devices. Very easy to use. Just push the yes it's me button.
Surprisingly it even works on my Amazon Fire converted to Google account
tablets. Hope it stays...
I can not post what I do not know :-p
On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
I've been using the Google Authenticator app for quite awhile now
to verify new devices. Very easy to use. Just push the yes it's me
button. Surprisingly it even works on my Amazon Fire converted to
Google account tablets. Hope it stays...
How does the Google Authenticator compare to the Microsoft
Authenticator?
On 3/3/2025 6:41 PM, Bill Powell wrote:
On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
I've been using the Google Authenticator app for quite awhile now
to verify new devices. Very easy to use. Just push the yes it's me
button. Surprisingly it even works on my Amazon Fire converted to
Google account tablets. Hope it stays...
How does the Google Authenticator compare to the Microsoft
Authenticator?
Dunno. All I've ever had was the Google Authenticator on my Android
devices. And I'm not sure I even use that.
When I fire up a NEW Android device and sign into my Google accounts for
the first time, after I put in my user name and password it sends a
white screen to my other Android devices on which I pick one and push a
"Yes it's me" button for verification and the new device is then signed on.
I always thought that Google Authenticator was responsible but after my
last post I looked at it and don't see any indication that it is or is
not responsible for this verification. Perhaps one of the more technical folks here can explain how this (non-SMS) verification process works...
How does the Google Authenticator compare to the Microsoft Authenticator?
In terms of functionality they're equivalent, if a website says you have
VanguardLH wrote:
[All deleted.]
I think it's one big mixup. ("It's a 'news' article, Frank! What *did*
you expect!?")
They mixup Google and Gmail and which info is being authenticated.
The only somewhat clear part is:
"Over the next few months, we will be reimagining how we verify phone
numbers, Richendrfer told me; Specifically, instead of entering your
number and receiving a 6-digit code, you'll see a QR code being
displayed, which you need to scan with the camera app on your phone."
So it's *not* about authenticating a Google account login, *nor* a
Gmail 'login', but about verifying the *phone number*, which is
associated with your Google Account.
IMO, even this part is more or less BS, because the paragraph above
talks about "If you are already using a more secure method of
authentication for your Gmail account...", but that is about
authenticating a Gmail 'login', so it conflicts with the quoted
paragraph. (And again mixes up Google and Gmail.)
Bottom line: Somebody posted nonsense on a website. News at eleven!
When I fire up a NEW Android device and sign into my Google accounts for
the first time, after I put in my user name and password it sends a
white screen to my other Android devices on which I pick one and push a
"Yes it's me" button for verification and the new device is then signed on.
I always thought that Google Authenticator was responsible but after my
last post I looked at it and don't see any indication that it is or is
not responsible for this verification. Perhaps one of the more technical folks here can explain how this (non-SMS) verification process works...
AJL wrote: [...]
When I fire up a NEW Android device and sign into my Google
accounts for the first time, after I put in my user name and
password it sends a white screen to my other Android devices on
which I pick one and push a "Yes it's me" button for verification
and the new device is then signed on.
I always thought that Google Authenticator was responsible but
after my last post I looked at it and don't see any indication that
it is or is not responsible for this verification. Perhaps one of
the more technical folks here can explain how this (non-SMS)
verification process works...
The 2SV mechanism you're using is called 'Google prompt', i.e. you
get a prompt on your device(s).
See the '2-Step Verification' section of your Google account [1].
There you will see 'Google prompt' as one of the options in 'Second
steps'. It will list the number of devices which can get the prompt
and ('>') which devices (in my case my phone and a tablet).
[1] <https://myaccount.google.com/signinoptions/twosv> List of your
'Google prompt' devices: <https://myaccount.google.com/two-step-verification/prompt>
Dave Royal wrote:
A *bit* more info about verifying phone numbers here <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
So, you either have to wait for an SMS message to arrive from them, or
for them to get the one you send them. SMS is not instantaneous. You
wait. SMS is not guaranteed delivery. Some get lost, so retry, and
wait some more. The security theater gets more in your way, and stalls
the login, all of which (this and 2FA/2FV) was to overcome boobs that
reuse the same weak login at every domain they visit (that requires a
login). Use technology to overcome the weak point in security: users.
Wonder if I'll need to graft my smartphone to my hand to login to Gmail
at my desktop PC using an OAUTH2 e-mail client.
A *bit* more info about verifying phone numbers here <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
Dave Royal wrote:
A *bit* more info about verifying phone numbers here
<https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
So, you either have to wait for an SMS message to arrive from them, or
for them to get the one you send them.
SMS is not instantaneous. You
wait. SMS is not guaranteed delivery. Some get lost, so retry, and
wait some more. The security theater gets more in your way, and stalls
the login, all of which (this and 2FA/2FV) was to overcome boobs that
reuse the same weak login at every domain they visit (that requires a
login). Use technology to overcome the weak point in security: users.
Wonder if I'll need to graft my smartphone to my hand to login to Gmail
at my desktop PC using an OAUTH2 e-mail client. My phone is not sitting
next to my desktop. It's on a desk near the house door where I also
toss postal mail, and have a laptop since the UI (small virtual keyboard
and touchscreen) on a phone sucks compared to a desktop, laptop, or
netbook. I don't much use that laptop. It's mostly for something
related to newly arrived postal mail. Most of my desktop computing is
in a basement room. I'm not running upstairs to grab my phone because
some boob wants me to jump over hurdles for nuisancing security theater mostly to reduce their manpower for tech support. Plus, I dislike that
some site wants my phone number for a totally unrelated service, like
e-mail. Oh yes, reduce privacy to profess increased security. The
phone for account recovery is okay, but then so are security questions
you preset for recovery, or recording your account ID (if you're ever
given one). I'd rather have to answer a preset security question
immediately on a login failure than wait for an SMS message that I have
to manually transcribe or manually scan into the waiting login page. Of course, don't secure the communication venues (e-mail and SMS) used to supposedly secure the logins.
Thanks for that article. It gives some more info, but looks like we
have to wait, and suffer, with however Google decides to implement their
new security theater. Could be months, or years, and then there's the initial pains as they work out the kinks. Perhaps Google should
reassess how much they increase pushing users away from Google services.
Security and convenience are the antithesis of each other: to get more
of one means less of the other. Too much security becomes intolerable.
Google Authenticator, and the ones I use - andOTP (Android only)
and FreeOTP - use TOTP: <https://en.m.wikipedia.org/wiki/Time-based_one-time_password>
I don't know anything about Microsoft Authenticator.
VanguardLH wrote:
So, you either have to wait for an SMS message to arrive from them,
or for them to get the one you send them.
No, they also say:
«Google spokesperson Ross Richendrfer reiterated that SMS is mainly
used as a security and anti-abuse check, but there are plenty of
security challenges, like phishing and traffic pumping. Consequently,
Google plans to reimagine how it verifies phone numbers over the next
few months. Instead of entering their phone numbers and receiving a
six-digit code over SMS, users will see a QR code they need to scan
with their phone camera.»
So, take a photo of the qr code.
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of supposedly securing the text string in an image) that I then have to copy/paste into some web prompt?
"Carlos E.R." wrote:
VanguardLH wrote:
So, you either have to wait for an SMS message to arrive from them,
or for them to get the one you send them.
No, they also say:
«Google spokesperson Ross Richendrfer reiterated that SMS is mainly
used as a security and anti-abuse check, but there are plenty of
security challenges, like phishing and traffic pumping. Consequently,
Google plans to reimagine how it verifies phone numbers over the next
few months. Instead of entering their phone numbers and receiving a
six-digit code over SMS, users will see a QR code they need to scan
with their phone camera.»
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS message with a QR image.
AJL wrote:
[...]
When I fire up a NEW Android device and sign into my Google accounts for
the first time, after I put in my user name and password it sends a
white screen to my other Android devices on which I pick one and push a
"Yes it's me" button for verification and the new device is then signed on.
I always thought that Google Authenticator was responsible but after my
last post I looked at it and don't see any indication that it is or is
not responsible for this verification. Perhaps one of the more technical
folks here can explain how this (non-SMS) verification process works...
The 2SV mechanism you're using is called 'Google prompt', i.e. you get
a prompt on your device(s).
See the '2-Step Verification' section of your Google account [1].
There you will see 'Google prompt' as one of the options in 'Second
steps'. It will list the number of devices which can get the prompt and
('>') which devices (in my case my phone and a tablet).
[1] <https://myaccount.google.com/signinoptions/twosv>
List of your 'Google prompt' devices: <https://myaccount.google.com/two-step-verification/prompt>
On 2025-03-04 20:53, VanguardLH wrote:
"Carlos E.R." wrote:
VanguardLH wrote:
So, you either have to wait for an SMS message to arrive from them,
or for them to get the one you send them.
No, they also say:
«Google spokesperson Ross Richendrfer reiterated that SMS is mainly
used as a security and anti-abuse check, but there are plenty of
security challenges, like phishing and traffic pumping. Consequently,
Google plans to reimagine how it verifies phone numbers over the next
few months. Instead of entering their phone numbers and receiving a
six-digit code over SMS, users will see a QR code they need to scan
with their phone camera.»
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image.
NO. Again, NO.
You will see a QR displayed on the computer, and then you take a photo
of it with your mobile phone. That is the procedure. I have told you
this a few times already.
VanguardLH wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied anywhere.
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red herring.
"Carlos E.R." wrote:
On 2025-03-04 20:53, VanguardLH wrote:
"Carlos E.R." wrote:
VanguardLH wrote:
So, you either have to wait for an SMS message to arrive from them,
or for them to get the one you send them.
No, they also say:
«Google spokesperson Ross Richendrfer reiterated that SMS is mainly
used as a security and anti-abuse check, but there are plenty of
security challenges, like phishing and traffic pumping. Consequently,
Google plans to reimagine how it verifies phone numbers over the next
few months. Instead of entering their phone numbers and receiving a
six-digit code over SMS, users will see a QR code they need to scan
with their phone camera.»
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image.
NO. Again, NO.
You will see a QR displayed on the computer, and then you take a photo
of it with your mobile phone. That is the procedure. I have told you
this a few times already.
Yes, you have been very clear on being vague. Displayed on the computer
... BY WHAT?
If not an SMS or MMS message to display by a messaging
app, then just WHAT is displaying the QR image? What communication
protocol is used to transfer the QR message? What process is displaying
the QR message? You keep referring to, um, magic displaying the
message, but give no actual details - because you don't know which is
why you can't explain.
Frank Slootweg wrote:
VanguardLH wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied
anywhere.
The delivery mechanism is defined where?
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
I figured it could be MMS (Multimedia Messaging) instead of SMS (Short Message Service). MMS can be used to send pictures. I have automatic downloads of MMS disabled in my messaging apps.
However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages. Maybe.
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.
That's the crux of the problem: there are no details on how QR images by whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field. All of us are just guessing for now what
are the possibilities.
On 2025-03-05 02:45, VanguardLH wrote:
Frank Slootweg <[email protected]d> wrote:
VanguardLH <[email protected]> wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied
anywhere.
The delivery mechanism is defined where?
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
Message Service). MMS can be used to send pictures. I have automatic
downloads of MMS disabled in my messaging apps.
However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages. Maybe.
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.
That's the crux of the problem: there are no details on how QR images by
whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field. All of us are just guessing for now what
are the possibilities.
You are imagining it wrong. You try to login on your computer; the
computer displays a picture, the phone takes a photo. There are no SMS involved, no conversions, no fields to complete. Just point and shoot,
done. Instantly.
Same as currently done to login to wasap on the computer. The same
system. Known and tested.
"Carlos E.R." <[email protected]d> wrote:
On 2025-03-05 02:45, VanguardLH wrote:
Frank Slootweg <[email protected]d> wrote:
VanguardLH <[email protected]> wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied
anywhere.
The delivery mechanism is defined where?
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
Message Service). MMS can be used to send pictures. I have automatic
downloads of MMS disabled in my messaging apps.
However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages. Maybe.
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.
That's the crux of the problem: there are no details on how QR images by
whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field. All of us are just guessing for now what
are the possibilities.
You are imagining it wrong. You try to login on your computer; the
computer displays a picture, the phone takes a photo. There are no SMS
involved, no conversions, no fields to complete. Just point and shoot,
done. Instantly.
Same as currently done to login to wasap on the computer. The same
system. Known and tested.
No, not when logging into my computer. Google isn't involved in me
logging into my computer.
On 2025-03-05 21:43, VanguardLH wrote:
"Carlos E.R." <[email protected]d> wrote:
On 2025-03-05 02:45, VanguardLH wrote:
Frank Slootweg <[email protected]d> wrote:
VanguardLH <[email protected]> wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied
anywhere.
The delivery mechanism is defined where?
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
Message Service). MMS can be used to send pictures. I have automatic
downloads of MMS disabled in my messaging apps.
However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages. Maybe.
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.
That's the crux of the problem: there are no details on how QR images by
whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field. All of us are just guessing for now what
are the possibilities.
You are imagining it wrong. You try to login on your computer; the
computer displays a picture, the phone takes a photo. There are no SMS
involved, no conversions, no fields to complete. Just point and shoot,
done. Instantly.
Same as currently done to login to wasap on the computer. The same
system. Known and tested.
No, not when logging into my computer. Google isn't involved in me
logging into my computer.
I did not say "logging into my computer". I said "login on your
computer", obviously to Google, which is the context.
You are logging into google in your computer; the browser you are using,
or the mail application you are using displays a QR code, and tells you
«take a picture with "name of app" in your registered phone, number
ending in XXX». You comply, and in seconds you are authorized to
complete login to google in the computer.
In the same context, the method now is that google says "you will have received an SMS in your registered phone that ends in XXX, please copy
here the six digit number you received".
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
On Sun, 2 Mar 2025 16:41:11 -0000 (UTC), AJL wrote:
I've been using the Google Authenticator app for quite awhile now to verify
new devices. Very easy to use. Just push the yes it's me button.
Surprisingly it even works on my Amazon Fire converted to Google account
tablets. Hope it stays...
How does the Google Authenticator compare to the Microsoft Authenticator? https://play.google.com/store/apps/details?id=com.azure.authenticator
"Carlos E.R." <[email protected]d> wrote:
On 2025-03-05 21:43, VanguardLH wrote:
"Carlos E.R." <[email protected]d> wrote:
On 2025-03-05 02:45, VanguardLH wrote:
Frank Slootweg <[email protected]d> wrote:
VanguardLH <[email protected]> wrote:
[...]
Not relevant to my statement of having to wait for SMS messages (text or
QR image content) nor there is no guaranteed delivery of SMS messages.
To where is the SMS message sent? To the phone. Okay, I'll see an SMS
message with a QR image. Then what? Do SMS apps have embedded scanning
of the content of SMS messages to then use an embedded QR decoder to
show the text embedded in the image (which obviates the whole point of
supposedly securing the text string in an image) that I then have to
copy/paste into some web prompt?
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
I think such a thing is not mentioned anywhere and not even implied
anywhere.
The delivery mechanism is defined where?
The referenced articles mention that *use* of a code in an SMS message
will be replaced by *use* of a QR code, but that does not mean that the
QR code is *in* an SMS message. (I think that would be obvious, because
an SMS message is too small to hold a QR code, not to mention that it
can only hold character data, not binary data.)
I figured it could be MMS (Multimedia Messaging) instead of SMS (Short
Message Service). MMS can be used to send pictures. I have automatic
downloads of MMS disabled in my messaging apps.
However, upon some further reading, Google Prompts looks to use
notifications instead of SMS/MMS messages. Maybe.
So perhaps it's best to come up with an actual quote from the
referenced articles, which leads you to your assumption, instead of
going on and on about something which is very likely a straw man / red
herring.
That's the crux of the problem: there are no details on how QR images by
whatever delivery mechanism are to get decoded into strings by the user
to input into a waiting field. All of us are just guessing for now what
are the possibilities.
You are imagining it wrong. You try to login on your computer; the
computer displays a picture, the phone takes a photo. There are no SMS
involved, no conversions, no fields to complete. Just point and shoot,
done. Instantly.
Same as currently done to login to wasap on the computer. The same
system. Known and tested.
No, not when logging into my computer. Google isn't involved in me
logging into my computer.
I did not say "logging into my computer". I said "login on your
computer", obviously to Google, which is the context.
You are logging into google in your computer; the browser you are using,
or the mail application you are using displays a QR code, and tells you
«take a picture with "name of app" in your registered phone, number
ending in XXX». You comply, and in seconds you are authorized to
complete login to google in the computer.
"name of app" is?
Would have to be one that connects back to my Google
account. Play Services, Google app (aka Google Assistant), or what?
That would provide the mechanism used to complete the Google Prompt.
What if I'm using a web browser on the phone? The web browser on the
phone can show a QR image the web site presents, but then what? It's
not like I can point the camera in the phone at the web page in the web browser on the phone. Does "name of app" scan the screen?
In the same context, the method now is that google says "you will have
received an SMS in your registered phone that ends in XXX, please copy
here the six digit number you received".
That's now with a text string sent via SMS. Google says they won't be
using SMS (or MMS) to send QR codes. So, some app on the phone checks
for and displays a Google Prompt. Apparently that would be Play
Services or the Google app.
The part about getting an SMS notification with a string that the user manually transfers to a waiting input field is not what I'm asking
about. That uses SMS to send a string to the user sent by the web site interrupting a login that a messaging app will display in its window, or
in its notification. SMS will not be involved when Google switches to sending QR codes. Looks like Google Prompts will handle delivering the
QR image to the phone. It was, and still is for now, sending SMS texts
to the phone. Not when Google switches to QR codes.
Google won't be using SMS to send QR codes.
They intend to drop SMS.
From what I've read, so far, it looks like they will use Google Prompts which involve either Play Services or the Google app, or maybe both in
tandem (on Android, just the Google app on iOS) that connect to your
Google account.
At this point, it's anyone's guess how the QR image gets from the Google Prompt into the waiting login page. Perhaps Google will update their
Google App to show the image along with its decoded string the user can
read and manually copy, or the Google App could convert the QR image in
the Google Prompt into a string in the clipboard to let the user paste
into the login form, or the Google App phones home with the QR image
showing in a web page (there is a camera button in the Google App).
Somehow all of this seems to be just for logging into Google service and
web sites, not for use by anyone else. Gmail is not my primary e-mail service, and I won't miss not using it as a backup e-mail provider.
Many other Google services have their own Android app, so they don't
need QR codes. Google services I used on my desktop run in the
background, like Google Drive, and they don't ask for logins (after the initial setup). Displaying a QR code at a Google web site viewed in a
web browser on the desktop to complete the loop by using a phone's
camera that pipes the decoded string back to Google would complete that
loop. Not sure how a QR code displayed at a Google web site in a web
browser on the phone is going to get scanned to send the string back to
your Google account.
"Carlos E.R." <[email protected]d> wrote:
You are logging into google in your computer; the browser you are using,
or the mail application you are using displays a QR code, and tells you
«take a picture with "name of app" in your registered phone, number
ending in XXX». You comply, and in seconds you are authorized to
complete login to google in the computer.
"name of app" is? Would have to be one that connects back to my Google account. Play Services, Google app (aka Google Assistant), or what?
That would provide the mechanism used to complete the Google Prompt.
What if I'm using a web browser on the phone? The web browser on the
phone can show a QR image the web site presents, but then what? It's
not like I can point the camera in the phone at the web page in the web browser on the phone. Does "name of app" scan the screen?
Bitwarden also allows storing TOTP to password entries - and there is
even a community server which you can host on your own machine, if you
want:
<https://play.google.com/store/apps/details?id=com.x8bit.bitwarden>
<https://bitwarden.com/self-hosted-password-manager-on-premises/>
And Vaultwarden is a compatible open source server for Bitwarden clients:
<https://www.vaultwarden.net>
VanguardLH <[email protected]> wrote:
"Carlos E.R." <[email protected]d> wrote:
[Lots deleted.]
What if I'm using a web browser on the phone? The web browser on the
phone can show a QR image the web site presents, but then what? It's
not like I can point the camera in the phone at the web page in the web
browser on the phone. Does "name of app" scan the screen?
*If* you would be using a web browser on the phone in some kind of verification/authentication procedure, that procedure would obviously
not be using a QR code.
[Lots more deleted.]
As Carlos later said, the name of the app (if it's an app, it probably
will be part of Google Play services) will have to be determined,
because the functionality - verify a phone number by a mechanism
using a QR code - does not exist yet.
As Carlos said, stay focused! 'Google Prompt' has nothing to do with
the to be developed functionality, nor with any other QR code use.
'Google Prompt' is a prompt you get on your phone to tap to verify
it's *you* (i.e. one of your registered devices), nothing to do with
your *phone number* (the device can be a SIM-less tablet, i.e. the
prompt *cannot* relate to a phone number).
VanguardLH wrote:
Google won't be using SMS to send QR codes.
They did not say they would.
Frank Slootweg wrote:
AFAICT, "an SMS message with a QR image" is a figment of your
imagination!
And if one arrived on your phone, what would you "scan" the QR code
with? They don't work in a mirror.
"Carlos E.R." <[email protected]d> wrote:
VanguardLH wrote:
Google won't be using SMS to send QR codes.
They did not say they would.
From the article cited in the starter thread:
https://www.forbes.com/sites/daveywinder/2025/02/26/google-confirms-gmail-to-ditch-sms-code-authentication/
Gmail spokesperson Ross Richendrfer told me, “we want to move away from sending SMS messages for authentication.”
There are other online articles mentioning the same move away from SMS
for authentication by Google, like:
https://www.itpro.com/security/google-is-dropping-sms-authentication-for-qr-codes
https://www.techradar.com/pro/security/google-is-ditching-sms-and-will-now-use-qr-codes-for-gmail-account-authentication
There are lots of articles stating Google intends to drop SMS transport.
However, it's not always evident when an article is regurgitating what
someone else reported. They come back to what a Gmail spokesperson said,
and I don't believe the articles are lying about that.
It's in the wet dream planning stage, so how they implement the move to
QR images could change to staying with SMS, or moving to Google Prompt
or some other communications venue.
I really hate to graft my smartphone to my hand to ensure it is readily accessible for this security theater machinations.
I'm too old for all
this jumping through hoops of fire. Rather than run through the house looking for my smartphone (it's usually on a different floor of the
house in a charging cradle next to the side door by the garage where I enter), I'll just forego the security theater, and go somewhere else for e-mail service. Logging in is getting more complicated to the user and
at the server than the e-mail service itself.
As I said, Gmail is NOT my primary e-mail provider; however, what Google does, and if doable at other sites, the plague will spread. Remember
what happened with Google and Microsoft fucking up OAUTH, a protocol, to
turn it into the OAUTH2 framework, and OAUTH2 (Google's variant) got
adopted at many other e-mail providers.
The occasions when I had to check that SMS have been very rare, not even
once a month. Going to the kitchen to fetch the phone once a month is
not a chore.
"Carlos E.R." <[email protected]d> wrote:
The occasions when I had to check that SMS have been very rare, not even
once a month. Going to the kitchen to fetch the phone once a month is
not a chore.
Try logging into Walmart, or Home Depot, or your bank, or anywhere that
currently uses 2FA via SMS to complete a login. It's hardly once a
month that I'm visiting web sites employing 2FA. It is EVERY day
multiple times per day.
Once Google switches to QR codes, and however
they transport it to your Google account to complete login, how long do
you think it will be until other web sites adopt the same security
mechanism? Remember when OAUTH and then OAUTH2 was unknown to users,
and look at it now. The plague will spread.
My sensitive apps only require ONE 2FA login (including Walmart). Once
the host device is blessed it can be set so that no more 2FA is
required. So like Carlos I seldom need SMS 2FA. Only the apps on my
new toys for the first time. Course if I was paranoid I could set it
to ask on every login. But I don't. Apparently you do??
A *bit* more info about verifying phone numbers here <https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>
But will fallback authentication methods be available if
the user cannot access a mobile phone? Google answers no.
Since access to a phone is needed to receive SMS messages
even now, the requirement for having a mobile device won’t change.
"Carlos E.R." <[email protected]d> wrote:
The occasions when I had to check that SMS have been very rare, not even
once a month. Going to the kitchen to fetch the phone once a month is
not a chore.
Try logging into Walmart, or Home Depot, or your bank, or anywhere that currently uses 2FA via SMS to complete a login. It's hardly once a
month that I'm visiting web sites employing 2FA. It is EVERY day
multiple times per day.
Once Google switches to QR codes, and however
they transport it to your Google account to complete login, how long do
you think it will be until other web sites adopt the same security
mechanism? Remember when OAUTH and then OAUTH2 was unknown to users,
and look at it now. The plague will spread.
According to a Gmail spokesperson, SMS is getting dropped. Okay, so stay
focused yourself, and get off the SMS bandwagon. What is the
alternative to get the QR code scanned on your registered device aka smartphone to send to your Google account to complete login
verification? You say Google Prompts won't be it, but you really don't
know what Google will implement. Google says SMS won't be it. So WHAT
else might /it/ be?
AJL <[email protected]> wrote:
My sensitive apps only require ONE 2FA login (including Walmart). Once
the host device is blessed it can be set so that no more 2FA is
required. So like Carlos I seldom need SMS 2FA. Only the apps on my
new toys for the first time. Course if I was paranoid I could set it
to ask on every login. But I don't. Apparently you do??
I avoid web-centric site-specific apps, like apps just for one site;
e.g., Walmart, bank, Home Depot, Delta (airline). Instead I visit them
in a web browser. One app that does all instead one app that does one
site. Maybe if I used site-specific apps then I'd get 2FA far less
often, or not at all. I tend to be very frugal as to what gets
installed on my smartphone. I'm unlike a lot of smartphone users that install any app just because there is one.
Does any web browser store 2FA codes for reuse on login? Perhaps DOM
Storage (aka site data) gets used for that. I doubt any secure site is
going to use cookies. I configure my web browser (Firefox) to purge
*all* its locally cached data on exit as a countermeasure to tracking,
and up my privacy, and tweak the web browser to improve security.
Firefox on Android permits extensions like uBlock Origin. Chrome on
Android does not allow any extensions.
As for web-centric apps, has there been any independent audits on each
one to determine their login security, and secure local files storing
any user data? Don't most use the accounts stored in Android itself, so those get reused. I don't think Android is storing any 2FA codes or
other token in the accounts stored in Android.
AJL <[email protected]> wrote:
My sensitive apps only require ONE 2FA login (including Walmart). Once
the host device is blessed it can be set so that no more 2FA is
required. So like Carlos I seldom need SMS 2FA. Only the apps on my
new toys for the first time. Course if I was paranoid I could set it
to ask on every login. But I don't. Apparently you do??
I avoid web-centric site-specific apps, like apps just for one site;
e.g., Walmart, bank, Home Depot, Delta (airline). Instead I visit them
in a web browser. One app that does all instead one app that does one
site. Maybe if I used site-specific apps then I'd get 2FA far less
often, or not at all. I tend to be very frugal as to what gets
installed on my smartphone. I'm unlike a lot of smartphone users that
install any app just because there is one.
Does any web browser store 2FA codes for reuse on login?
Perhaps DOM
Storage (aka site data) gets used for that. I doubt any secure site is
going to use cookies. I configure my web browser (Firefox) to purge
*all* its locally cached data on exit
as a countermeasure to tracking,
and up my privacy, and tweak the web browser to improve security.
Firefox on Android permits extensions like uBlock Origin. Chrome on
Android does not allow any extensions.
As for web-centric apps, has there been any independent audits on each
one to determine their login security, and secure local files storing
any user data? Don't most use the accounts stored in Android itself, so
those get reused. I don't think Android is storing any 2FA codes or
other token in the accounts stored in Android.
I really hate to graft my smartphone to my hand to ensure it is readily accessible for this security theater machinations. I'm too old for all
this jumping through hoops of fire. Rather than run through the house looking for my smartphone (it's usually on a different floor of the
house in a charging cradle next to the side door by the garage where I enter), I'll just forego the security theater, and go somewhere else for e-mail service. Logging in is getting more complicated to the user and
at the server than the e-mail service itself.
Where Google leads others will follow.
My brother has a hotmail account. He doesn't have internet at
home, he uses a PC at the library. Recently outlook.com required
a 2FA/SMS authentication because he was using an unfamiliar
device. (I was surprised this hadn't happened before - that MS
were previously allowing signon with just a password. He's had
this account taken over once already - quite a faff.) He has a
non-smartphone which he occasionally uses for 2FA/SMS when making
online purchases.
It will be interesting to see whether Google offer any
authentication methods that don't involve a smartphone. My guess
is no. Voice recognition might be a possibility; my telephone bank
claims to recognise me by voice and no longer requires passwords,
though it probably uses other clues too, like the call
origin.
However, when I looked at Bitwarden as an authenticator, TOTP was a paid feature. See:
https://bitwarden.com/pricing/
VanguardLH, 2025-03-06 17:06:
[...]
However, when I looked at Bitwarden as an authenticator, TOTP was a paid
feature. See:
https://bitwarden.com/pricing/
You can set up Vaultwarden on your own server and use TOTP without any
paid license.