GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

Notices

  1. Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 01:29:26 JST

    Fucking Google put 2FA on my Gmail account without my consent and tried to force me to click a notification supposedly sent to Play Services on my phone (not a thing because it's microG not Play Services) to verify it's me logging in. 🤬

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 01:30:13 JST

      If I didn't have another live browser session with ability to use the g.co/verifyaccount workflow instead, this would have been full account lockout. 🤬

      🖕 you Google

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 01:37:38 JST

      Browsing through Google Account settings, it looks like anything they think is a logged-in phone is automatically treated as a valid 2FA source for your account regardless of whether you wanted it to be.

      This is not just unwanted 2FA but a huge security violation. It means a lost or stolen phone logged into your account, or one a child is using, etc., can be used as a full account takeover vector.

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 01:38:40 JST

      Probably time to delete the Gmail app and find a third-party mail and chat client to use with my Gmail account instead so I can delete the account login from microG...

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 01:40:33 JST

      Somehow they'd also gotten and added my phone number 😱 as an account recovery source, and the UI asking me to verify it made it seem like it was refusing to delete it, but then when I got to the Account page, it showed "Recovery phone deleted" under recent activity. 🤦

      The clowns making this stuff have utterly no idea what they're doing, much less how they're fucking people over.

    • axleyjc (axleyjc@federate.social)'s status on Tuesday, 05-Nov-2024 03:36:26 JST

      @dalias I hate that they don't let you disable push to authenticate 2fa. Especially on kid accounts.

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 03:37:10 JST
      in reply to axleyjc

      @axleyjc Yes. Push to authenticate is an extremely dangerous account takeover vector. It should never even be an option, much less impossible to disable.

    • Rich Felker (dalias@hachyderm.io)'s status on Tuesday, 05-Nov-2024 07:07:38 JST
      in reply to axleyjc

      @axleyjc Yeah I've never turned on Advanced Protection. My password is in a vault and entered maybe once a year, probably more like once every five. I do not want any 2FA or alternative weak authentication vectors.

    • axleyjc (axleyjc@federate.social)'s status on Tuesday, 05-Nov-2024 07:07:39 JST

      @dalias Damn it! Just checked and advanced protection leaves that enabled. Ffs!

    • axleyjc (axleyjc@federate.social)'s status on Tuesday, 05-Nov-2024 07:07:40 JST

      @dalias I think the only way to disable that 2fa is to enable Advanced Protection

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.