Gmail prompt to provide phone number sounds like a threat

  • DoomBot5@lemmy.world
    link
    fedilink
    English
    arrow-up
    182
    arrow-down
    9
    ·
    1 year ago

    Dumb take. All it’s warning you is that without those, you won’t have a way to recover your account it you lose your password or if it’s hacked and someone changes it.

    • Matomo@lemmy.ml
      link
      fedilink
      arrow-up
      69
      arrow-down
      5
      ·
      1 year ago

      Yeah, I’m all for bashing companies regarding privacy and whatnot, but this is just informing/warning you about account security.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        8
        arrow-down
        16
        ·
        1 year ago

        It’s facetious though. They don’t need phone numbers to verify you, they can just use TOTP codes which can be used by anybody. Ask yourself why they insist on you giving them your phone to enable TOTP, when there’s no relation between the two. They want phone numbers because lots of people stick with one number all their life so it’s an excellent means of identifying them.

        • fapforce5@lemmy.world
          link
          fedilink
          arrow-up
          8
          arrow-down
          1
          ·
          1 year ago

          I’m not familiar enough with TOTP codes, but they don’t seem feasible for your average user as a reliable way to recover your account

          • /home/pineapplelover@lemm.ee
            link
            fedilink
            arrow-up
            3
            arrow-down
            1
            ·
            1 year ago

            My school is requiring students to instal specifically Microsoft 2fa (uses microsoft’s proprietary algorithm). So I’m sure that people can figure how to download an app and scan a qr code.

            • Trainguyrom@reddthat.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              1 year ago

              If this is for a M365 account you don’t have to use the Microsoft authenticator. It’ll nag every login but it’ll let you use a different authenticator. I set up my college email last year with Duo as the 2FA because I already needed Duo for work, and it was fine

                • Trainguyrom@reddthat.com
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  What you do is when you’re setting up the 2FA token in M365 select the type of 2FA since it supports a wide variety of 2FA types, including SMS

          • lemmyvore@feddit.nl
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            4
            ·
            edit-2
            1 year ago

            I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.

            An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.

            The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:

            • Confirmation message sent by email (and let people add multiple address not just one).
            • SMS to phone number (again, let them add multiple numbers).
            • TOTP code generated with authenticator app.
            • One-time-use secret codes written down somewhere.
            • Secret question/answer pairs.
            • Codes generated by USB key fobs.
            • Confirmation on a phone that’s still logged in to that Google account (this doesn’t require the phone number).

            Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.

            I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.

            • Amju Wolf@pawb.social
              link
              fedilink
              English
              arrow-up
              3
              ·
              1 year ago

              Google kinda does do that though. You can have a recovery email (or multiple IIRC), or you can have a phone number.

              TOTP and hardware authenticators are more for second factor authentication; you’re probably more likely to use those than a password, and they don’t really make sense for recovery.

              • lemmyvore@feddit.nl
                link
                fedilink
                English
                arrow-up
                2
                ·
                1 year ago

                Why wouldn’t they make sense for recovery? They’re authentication factors just like passwords.

                “Second” factor means you should have multiple, not that one of them is beneath the others. And they all work just as well for authentication and recovery.

                • Amju Wolf@pawb.social
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  Because you’re much more likely to lose or break a hardware fob than lose a password, let alone change (lose or whatever) recovery email or phone.

                  Like, it would be a neat option; ideally you could set up literally anything and say what combination of factors you want to use for recovery and which to use for authentication, but it’d be a pretty big change for a tiny minority of users.

              • DoomBot5@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                2
                ·
                1 year ago

                Google can use the phone number on file to text a verification code for password reset.

    • Max-P@lemmy.max-p.me
      link
      fedilink
      arrow-up
      30
      arrow-down
      1
      ·
      1 year ago

      People here don’t realize how dumb the average user can be. I’ve helped countless people attempt to recover their accounts to which they forgot the password to because they were logged in on their computer and just went to it, and were shocked once they let the cookie expire.

      Backup security questions? “Oh, I put random garbage there, there’s no way I remember”.

      I’ve known people that end up with a new email more often than they end up with a new phone number for that exact reason. Or worse, they also got a new phone number without thinking about their 2FA SMS and lose a whole bunch of accounts.

      With social engineering attacks all over the place, more and more companies just won’t help you in the name of security.

      Those users absolutely need to be nudged towards adding backup account recovery info.

    • Blizzard@lemmy.zip
      link
      fedilink
      English
      arrow-up
      12
      arrow-down
      7
      ·
      1 year ago

      There are other ways to recover an account. Google just wants to have your phone number, security is an excuse and use of fear mongering to get is pathetic and shameless.

    • KhalBrogo@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      arrow-down
      1
      ·
      1 year ago

      Actually I had to let go of an email because Google wouldn’t let me login without giving my number or alternative email