Google to auto-enroll 150 million user accounts into 2FA

Disagree strongly with "No 2FA for end users" -- No, they are the ones who need it, and as I tell everyone, 2FA is not the end-all-be-all, but more so like an extra step. Every user should have 2FA on their email at minimum, and anything of financial consequence, directly or indirectly.

The reason for email 2FA? Easy. TONS of websites/services will permit you to trigger a password reset, with no verification, from a link into email alone. I've seen financial institutions, ecommerce sites with saved credit cards, and MANY more scenarios, where a password reset was triggered via access to email.

I can tell you I've had a client lose 6 figures from their investment account on a simple password reset via email and enough info gleaned from inside their email to withdraw. I've seen MANY 4- and 5-figure losses from 2FA missing. Same idea behind 2FA on accounts with a financial risk.

But people need to be aware that 2FA isn't the end-all-be-all. I see people using their same email as their account login for 2FA. That defeats any protections 2FA offers. We have also seen scenarios where cellular hijacking/SIMjacking has netted in losses. Cell phones with no passwords and lost the phone and "didn't bother replacing the phone for a couple weeks." Obviously the apps or YubiKeys are some of the strongest options, but still not flawless.

You're doing a big disservice to your clients telling them to ignore 2FA. Google wouldn't be forcing the dialog for entertainment purposes. You're also lining yourself up for some serious liability issues if you tell them to DISABLE a security feature a company has defaulted on and is forcing its existing user base to turn on.

You should design a common dialog (even a documented "Increase your online security" document that either you stick to for bolstering your clients' strength, or hand to them directly in printed format). Obviously got to stick a "This is on you and always more can be done. Good starting point" clause. Explain unique passwords. Explain password managers. Explain adblockers. Yes, use it to upsell.

It will become more and more of an issue, and anyone serious about security, both business and personal, needs to focus on reducing chances. You can never bring to 0% risk. And 0% risk would be financially expensive. It's a cost vs risk, not only for the entire client, but on an account-by-account basis.

Wait until we see how well quantum computing breaks security. THAT. That scares me. The idea of every password able to be tested in a single pass, and then regular silicon used to validate results... Rapid decryption actions. It will become about obfuscating even further, and could boil down to 2FA being the only way to log in (You're already seeing it start to pop up. Websites where there is no password field, just a button to send a log in link, and then it prompts for a non-email 2FA. Mandatory.)
 
@MudRock Not to mention with Google and Microsoft personal accounts it's getting easier by the day to go fully passwordless.

I love passwordless sign-on... it's not only easier for the user, but a ton safer. The phishing people cannot steal a password that doesn't exist! And even the most technically illiterate people can get behind oh... my phone is my keys! Easy!

Instant reduction of digital risk to the pool of people that can physically steal your phone is a HUGE improvement in cloud services globally accessible on internet backbones online 24/7 to anyone with an Internet connection.
 
I love the idea. They know that there is STILL a human risk to 2FA. So they eliminated more human factors. I do wonder what the long term implication of passwordless login is going to be outside the obvious "Lost my phone".
 
I wonder as well, on M365 it's no big deal because you have another admin on the tenant that can trigger the resets of the appropriate bits. The same thing is true on the Google tenant.

But what about the free logins? That's why I haven't done passwordless sign-on for my Hotmail account. BUT... that account does have a recovery email, and phone number. So it probably falls back to an SMS and an email, you'd need both to get into the account otherwise? Perhaps can only be triggered if the authenticator of record is offline? There is also a recovery code for the loss of the authenticator itself, that I've got filed away.

Yeah... TON of questions. At some point I'm going to have to simulate a phone loss to see how I can break the glass on the account.
 
My experience? Passwordless MS so far will let you log in with last password and still reset with whatever 2FA you set up... So still easily breachable and recoverable, unless, of course, you used a random password and no recovery options set up besides passwordless...
 
I don't follow. Are you saying that M365 will let you log in with an old password?
 

Passwordless sign-on means there is no password, but it seems in M365 that's not really the case. Which actually makes sense... but I'm not terribly worried yet because that's basically a new feature. I've got many users operating under that model now... I reset their password to random gibberish, get their phones enrolled in phone sign-on then reset their password with a 14 character cat jumped on the keyboard mess they never know...

Because the only reason they need that password is to enroll a new mobile device, I need to know they're doing that, so now they're calling me for a password that I reset, and repeat the above to get the new phone going.
 
Yeah but true Passwordless logins mean that you’re SOL if your phone is out of service. Not sure I like my clients forced to call a third party to reset the account. I have recovery codes in my safe but who does that?
 
MFA without self service password reset already means they're SOL if their phone is out of service. The phone is a set of keys, if they aren't available they're SOL... just like they cannot start their car without their keys.

This is a non-issue as far as I'm concerned. No one can leave the house without their phone these days, go home and get it.

And no, I do not allow self service password reset. Because that defeats the entire purpose.
 
Definitely in a business setting, self-service resets aren't the smartest idea, but flipside, I've seen some AWFUL employer verification practices.

"I lost my password"

"What's your user name?"

"a.smith@email.com"

"Okay, your password is Companyname1940"
--- And no forced password change at first log in.... They called me in to find out why trade secrets kept being leaked and why they kept being flagged non-stop. *slaps forehead* Worse off, their IT Director was FURIOUS about the plan I wanted them to put in place... Until I flashed him a job offer he got from another company a few months before (I had a few signed documents permitting me to pentest them. I'm not a pentester, it was just stupid simple.)

Managed to get my own company email, get into a SLEW of staff members' accounts. They did have self-service resets but no one knew where and no one cared to do so.

Thought to add: How I got my own email addy; I called the helpdesk (3 guys, actually made my job tougher because they all talked AND they all knew there was something abrew), acted all irritated: "I couldn't log into my work email, <Hiring manager> said she was sending me all this information I needed to know and the <CEO> was sending me some info too. I hope I don't have to call them back to send it again." Asked my name and email addy. "Oh no, we don't see an account. Here, let's make it quick and hope we didn't miss <CEO>'s emails." (He apparently was a whip-cracker when things weren't done pronto)
 
How I got my own email addy

Again, the issues at play here are myriad. They've got more security holes from policy and procedure lapses (or non-existence) than Swiss cheese.

The fact you were able to get that address, and with such ease, is just jaw-dropping.
 
Wasn't part of the original plan, but I was given a licence to do anything to find holes I could find, and I saw such a glaring hole. I was fly on the wall to a few conversations that led me to a plan, and I explained a disgruntled (ex)employee could do the same easily, and an outsider with a bit more knowledge. It was clear there was already disgruntlement over the leaks. I'm sure there were a million other things too that a full-time pentester could find. I think they actually hired one after me on my recommendations too.
 
BTW, just got my notice today that I'm to be auto-enrolled by Google in 2FA on November 9th. What will be interesting is to see if they even give the option to turn it off. I have several "junk" addresses where I definitely neither need nor want it and where no phone is, or will be, associated with them.
 
I don't like 2FA either. I mean you could have two emails: one for banking and another one that gets all the other crap. I think it's an excuse to keep getting personal data. Then you have to care more for your phone because if it gets stolen you have to erase it remotely or something. Most people don't know how to do that and if their phones get stolen so is their identity. I had a great 2FA experience with Skype. I was an old Skype user. Before MS got them. But I haven't used it for years. A few months ago I installed again to see if my old contacts were alive. I know the user name and password. But it still wouldn't let me log in. It wanted my phone number. And if I didn't give my phone I needed to type the exact username of someone from my contact list. I said screw MS. Never going to use Skype again.
 
I don't like 2FA either. I mean you could have two emails: one for banking and another one that gets all the other crap.
Be careful to not lump all forms of 2FA together. Email or SMS based 2FA IS a terrible form of 2FA. Google Auth/Authy/Duo/Yubico are excellent secure forms of 2FA.
I think it's an excuse to keep getting personal data.
2FA is an excuse to keep getting personal data? That's a new one to me.
 

Yeah, that's not how 2FA works...

You might think that's how passwordless or phone sign-on works, but that's also wrong. These two things require a lock code, pattern, or biometric unlock for the device. So if someone steals your phone, they cannot use it as a token to get into your junk without the ability to unlock it first. The forms of 2FA that work without a screen lock require a password on the login attempt to use. There is a password (something that you know) somewhere in all of these chains. So theft of device is covered. Besides, dis-enrolling such a device is also fairly easy.

And while I'm on this topic, I'm going to point out that biometric unlocks are a bad idea for anyone in the US. Law enforcement can compel you to use biometrics to unlock the device. They cannot compel you to give up an unlock code of any sort, including a pattern.

As for Skype, that's a personal account with Microsoft. It doesn't require a phone number, I just made a personal account a few days ago for another local client. However, it does bug you for one, because SMS based recovery is the assumed way to recover a lost account. Not ideal by any stretch, but it's far from a great evil. As paranoid as I am, I think this is a stretch too far. It's not as if your cell number is private information, heck it's not even YOURS!
 
[re: cell phone number] heck it's not even YOURS!

Unless telecom laws have changed very recently, this is not correct. Once a phone number is assigned to an individual it does belong to them and they may port it between providers at will. In the eyes of the law, you do own your phone number(s). Many, however, don't bother porting (which I'll never understand, as it's very easy to do and if you want to keep a well-known number, well worth doing).

And unless something else has changed very recently, it is possible to port a landline number over to cellular service, but you cannot port it back to a landline afterward. Nor can you port a number initially issued for mobile service to a landline.
 