
Google Still Sucks: A Quick Update to the Previous Rant

2 December 2024

It occurred to me that I never wrote an update on the previous post, so here goes...

As I thought, and maybe feared, Google was more than happy to be provided a phone number, to which it sent a six-digit code; after entering the code, I've been able to use my Gmail account just fine.

Furthermore, the entered phone number was not stored as the account's recovery phone number: Google still every now and then prompts me to enter a phone number and/or a recovery email (yet it won't let me enter the recovery email I'd want!).

Moral of the story? Google has none.

Why Mandatory Multi-Factor Authentication (MFA) Sucks: A Case Study (alternate title: "Fuck Google and Gmail")

27 September 2024

It's been over a year since I wrote anything public in my blog, and I get to open this year during Q3 with an angry rant. Whoo, let's go!

Multi-Factor Authentication (MFA), Two-Factor Authentication (2FA), they're basically the same concept: instead of a mere "single factor" (usually a username+password combination) you're required to provide something else, something that you have. Usually this is either a mobile phone or an authentication application of some sort; the site either sends you a code (usually six digits) as an SMS message and you're then required to input that code to proceed with your login attempt, or you're supposed to use your authenticator application to calculate such a code yourself. I'm sure there's a Wikipedia page on this if you're interested in more details; I'm not here to explain what MFA/2FA is but rather why it's a terrible thing.

Over the past couple of years the MFA craze has spread over the Internet like cancer. The tech illiterate as well as highly skilled security professionals in the tech domain (some of whom I even have the privilege of knowing and calling my friends) both seem to agree that MFA is great. There's a chance that the idea might even be, but most of the implementations are atrocious at best, harmful at worst.

But let's look at Google, the tech giant that we can't avoid, no matter what we do. Like so many other people, I have a Gmail account. Two, in fact; my older one is from 2004, I was one of the early invited users, got an invite from a friend's big sister. Gmail turns (or has turned already?) 20 years old this year. Goes without saying that I am, or at least I was, fond of it. It's one of those "it just works" things, except recently Gmail's taken a serious turn for the worse.

Just yesterday I got locked out of a Gmail account of mine. It seems that Google looks for these things when determining if it "knows" you or your device:

  1. IP address — have you logged in from this IP before?
  2. Device user agent — likewise, is the UA of your browser known to be associated with you?
  3. Likely various other factors as well

I was aware of the risks, and thought I had figured out a seemingly clever way around getting locked out: before heading out, I'd log in to Gmail at home and then put the computer to sleep. Then when I'm out and about and need to access Gmail, I'm already logged in. Brilliant! Right? ...right?! Well, apparently not so much. I was able to use my Gmail account just fine yesterday, but upon getting home, I made the error of shutting down the computer for good. As I use Private Browsing almost exclusively, this meant I wasn't logged in to Gmail upon the next boot. "No biggie", I thought, "I'll just log in again". Only that this time around Google decided that, despite having used Gmail from the same laptop a few hours earlier, both out and about as well as at home, it didn't "recognize" me as me. I don't have a recovery email set, since Google refused to add the email account I once used as a recovery email; I lost access to the "recovery email" for a few years and now I have it back again but it will "expire" before 2032. But hey, never mind facts, Google doesn't care about those.

Having no recovery email set—and, in my experience, all too often with a recovery email set—means that Google will try phish--I mean, asking you for a phone number. You know, in the nicest ways representatives of the mob will usually ask: "give us [what we want] or else...". The "or else" here isn't anything illegal, of course, it's just "or else you lose access to your email and all the data within, now that would be real inconvenient for you, surely you don't want that to happen...".

And that brings us to some of the root issues here: this is essentially 2FA, sometimes even MFA, at work. I didn't ask for this. Maybe some did, but I'd argue that most didn't. I did not, and would never have entrusted this kind of an important decision to another person or organization. But again, Google doesn't care. If it did, there'd be an option to turn this nonsense off. But Google, being the Big Brother it is, thinks it knows better, and that you shouldn't bother your silly little head with things like this. Google knows how to best protect you, even if that "protecting" is literally "preventing you from accessing your email for no real reason".

The "Account Recovery" process is a joke, and a bad one at that, as well. It asks you for the last password you remember using. Give it (correctly, obviously) and you're presented with a screen stating that "Couldn't sign you in". Google, incorrectly, alleges that "You didn't provide enough info for Google to be sure that this account is really yours. Google asks for this info to keep your account secure." Then Google suggests that, "If possible, when signing in:

Earlier on, while out and about, I was sharing the mobile data connection of my phone to my laptop, as it was the only kind of Internet connection available at the time. That likely was one of the things that threw Google's all too strict algorithms off, since back home Google allegedly no longer "recognized" me, despite the fact that I was literally both using a device I had used before and a "familiar" Wi-Fi network. The same thing happened with a different laptop connected to my Wi-Fi as well, and I had used Gmail via that laptop many times before as well.

The problem with the SMS-based 2FA approach...oh boy, where do I even start? Let's start with the most obvious: Google harvests your personal data for no real reason and yet providing a phone number does not really guarantee that the number is in any way, shape or form associated with you. Real nice thinking there, Google. How much do you pay your "security" people a year to come up with this nonsense that fails very basic logic, exactly?

As for me, I do not want to give Google my main phone number. Google has no need to know, even if it de facto already knows it. But officially I stand by that: fuck you, Google, you're not getting it, try as you might. Instead I'll likely need to grab a prepaid SIM card and try that text message based 2FA nonsense. Regardless, it doesn't guarantee to Google that it's my phone number, it's just a phone number; but good to know that accounts can likely be taken over as long as you have a mobile phone number at your disposal...

Due to being very exhausted I won't go into depth explaining why other 2FA implementations suck, but basically the root problem is always the same: the user should be in control, but even when they're paying the service provider (e.g. banks), they are not. A great deal of sites do not allow you to turn off site-mandated 2FA, and site-mandated 2FA is annoyingly cumbersome and its alleged benefits are dubious at best. I'm a huge fan of personal responsibility myself, but some people are extremely opposed to the very concept of that, let alone applying it in practice.