submitted 1 year ago* (last edited 1 year ago) by doctorcrimson@lemmy.today to c/mildlyinfuriating@lemmy.world

EDIT: You know, after some time to cool off, Google Authenticator 2FA can still be enabled and isn't being phased out like the less secure SMS 2FA, so it's really not the end of the world here. The chance of permanent lockout is avoided, even if the whole Google Prompt system is still wack.

[-] skip0110@lemm.ee 24 points 1 year ago

If you log in to the Gmail app on any device, it can also act as 2FA. Does not need to be the one where they send the push…any logged-in device will work.

[-] doctorcrimson@lemmy.today 2 points 1 year ago

Yeah, that's the problem, you can't turn it off.

[-] redcalcium@lemmy.institute 22 points 1 year ago

Last time I logged in, there was a "try another way" button that allowed me to use SMS or a TOTP code. Is this not the case for you?

[-] doctorcrimson@lemmy.today 1 points 1 year ago* (last edited 1 year ago)

Cool but that doesn't fix the fact that the default method is one that literally does not function and can result in a permanent lockout. Though, I admit, SMS is way less secure than the Authenticator App.

[-] SameOldInternet@lemmy.world 18 points 1 year ago* (last edited 1 year ago)

It's the default because you made it the default. Change your damn security settings; Google can't do that for you! Quick to rant about something without knowing how it works or how you got there is on you and not Google.

[-] tdawg@lemmy.world 2 points 1 year ago

This is Lemmy, you can't expect people to be calm or rational.

[-] doctorcrimson@lemmy.today 2 points 1 year ago

Well he's also just wrong, Google Prompts cannot be disabled.

[-] ultratiem@lemmy.ca 1 points 1 year ago

OMG THIS GUY'S RIGHT GET HIM!!!!

[-] doctorcrimson@lemmy.today 0 points 1 year ago

They

Do Not

Allow you

To turn off

Google Prompts Default Option

[-] lobo@lemm.ee 14 points 1 year ago

something similar happened to me too, account that didn't have 2FA enabled at all suddenly asking for confirmation on a device I just wiped

it sorted itself after a couple of hours, maybe a bug

[-] meepmeep@lemm.ee 8 points 1 year ago

This is like uninstalling Windows, installing Linux, and then blaming Microsoft because a feature you used in Windows doesn't work in Linux

[-] NRoach44@lemmy.ml 16 points 1 year ago

No, this is

  • buying a surface from Microsoft
  • immediately wiping it and installing Linux
  • Microsoft then forcing you to authenticate using the device that is only tied to your account via purchase, and NOT login records, AND disabling other forms of auth

[-] doctorcrimson@lemmy.today 11 points 1 year ago

If installing linux was a feature sold to you by Microsoft, and then Microsoft removed the ability for the feature to work on Linux, then that would be accurate.

[-] FinalRemix@lemmy.world 5 points 1 year ago

Installing Linux is now a feature from Microsoft. They even rolled out a guide recently.

[-] thepiguy@lemmy.ml 4 points 1 year ago

It's like installing Linux, then Microsoft not allowing you to access GitHub from any device.

[-] PM_ME_YOUR_SNDCLOUD@lemmy.world 7 points 1 year ago

Even if you turned it back at this point, it still wouldn’t work.

This is pretty infuriating though; Google works just fine with any device that doesn’t run Android so why would they care that you’re running a custom ROM?

My guess is something less evil and more mundane: something about your number changed in their system and now they can’t send codes to it, which is why it’s grayed out. Maybe it was previously classified as a mobile number but now is classified as a landline.

Your only option, if you don’t have any backup codes, is to use that “Get Help” option they have that takes a few days and then either start carrying around backup codes, a Yubikey, or De-Google.

Hey, maybe all 3!

[-] doctorcrimson@lemmy.today 1 points 1 year ago

As a few people pointed out, it's only SMS that's being phased out, so using Google Auth is a superior option if you still have access to set it up. But yeah, backup codes would be great for those already locked out by accident.

[-] ultratiem@lemmy.ca 5 points 1 year ago
[-] Chozo@kbin.social 0 points 1 year ago

I don't get this. Is this an SMS-based 2FA? If so, I'm not sure that Google has any ability to block that. Your carrier might, though, but that wouldn't be controlled by your device's OS. The option being greyed out on a third-party site has little to do with anything happening locally on your device.

If this is a push-based 2FA, then... yeah, you wiped the device, along with any tokens previously stored on it. This is also why any time you set up 2FA on any service, almost all of them warn you like a million times "If you lose or transfer your device before disabling 2FA, you will lose access to your account" before you complete the process.

[-] doctorcrimson@lemmy.today 0 points 1 year ago* (last edited 1 year ago)

The problem is they are turning OFF the SMS and instead sending a special dialogue to a nonexistent device for the user to hit a prompt. The device was never used, though, and it was never set up for 2FA. My default has always been SMS which they are now disabling.

[-] Chozo@kbin.social 1 points 1 year ago

Deprecating SMS authentication is a good thing, in all honesty. SMS is not a secure form of data transfer, and is trivially intercepted. You can buy and set up an illegal Stingray device relatively easily, and capture basically all wireless data from a phone within range.

That said, if the device was truly never used for 2FA, then there wouldn't be any push-based 2FA on the account to begin with. Unless there's another device that's been authenticated with your account somewhere, like an old phone. In which case, that's where your login requests are being pushed to. That's a setting that can only be enabled by successfully authenticating with a device at least once in the past.

If there was never any other authenticated device, then that setting on your account isn't there. Enabling that feature is a two-step process, and step 1 involves configuration on a local device before it can be enabled remotely on your account.

[-] doctorcrimson@lemmy.today 0 points 1 year ago* (last edited 1 year ago)

SMS could potentially be a secure form of Data Transfer if companies weren't allowed by limp dinosaur legislators to gut your phone for any useable data with a simple app, but yeah I can see how its current state is lackluster.

You're wrong, btw, the Google Prompts feature is Default and cannot be turned off.

[-] Chozo@kbin.social 0 points 1 year ago

You’re wrong, btw, the Google Prompts feature is Default and cannot be turned off.

Only if there's a previously-authenticated device. That setting can't be enabled without a key, and one of the required keys is produced locally by a logged-in device (which is why your device is trusted to stay logged in indefinitely). If enabled without a key, it's nonfunctional and should error itself out and revert to a disabled state.

If that somehow hasn't happened (which, in all honesty, would be very surprising to learn) and the setting is enabled on your account, then that'd be something you'd need to submit a request to Google to have fixed, otherwise you have zero recovery on that account.

Are you a thousand percent sure you've never had any other device logged into that Google account? When you attempt to log in, it should show you the device name it's sending the request to. For instance, when I log into my Gmail from an Incognito window right now, it says to check my Pixel 6 Pro. What's it saying for you?

[-] doctorcrimson@lemmy.today 0 points 1 year ago

No, I'm telling you, it's on by default when you purchase a Google Device. It doesn't need to be set up.

[-] Chozo@kbin.social 0 points 1 year ago

What device does it say it's sending the request to?

[-] doctorcrimson@lemmy.today 0 points 1 year ago

A device. The fact that any device is getting a google prompt and it cannot be disabled is the issue.

[-] Chozo@kbin.social 0 points 1 year ago

Right. I think you can see where I'm going with this. The fact that you're being dodgy with the question is making me question your motives with this post.

So, what device? You don't have to tell me the name, but describe it to me. Is it the device that you flashed a new OS onto?

[-] doctorcrimson@lemmy.today 0 points 1 year ago

It's not constructive to answer your question instead of explaining the situation to you for the 8th time. There is only one device and it was wiped and can never be recovered, not even by restoring the OS, but the Google Prompt is still the default option forever now. I found this mildly infuriating.

The best solution is to use something like Google Auth since only the SMS is being phased out. Do you understand now or do we need to repeat this again and again?

[-] Chozo@kbin.social 1 points 1 year ago

So, when you said "The device has never existed", you realize how that was a bit misleading, right? The way you've been presenting this situation would suggest that Google enabled 2FA in an impossible manner.

The device existed. You ignored the warnings and wiped the device before transferring your authentication elsewhere. There's plenty of things to be critical of Google over, but flagrant user error like this isn't one of them.

[-] EFZL5NM0@lemmy.world -2 points 1 year ago
[-] doctorcrimson@lemmy.today 16 points 1 year ago

I never have and will never ask to use 2FA via the device. This isn't sown, it's just crappy design.

[-] squaresinger@feddit.de 7 points 1 year ago

How dare you use the phone in a different way than Google intended! /s

[-] thepiguy@lemmy.ml 7 points 1 year ago* (last edited 1 year ago)

Using your device to do whatever is OP's right. From reading the post, it seems to me that the problem is that they disable other forms of auth. This is for sure intentional, or at least a low priority bug for obvious reasons. I had the same issue, but it was failing to pull up the menu in my stock Nothing Phone 1. It got fixed later, but why are my backup emails or phone numbers not being used as other forms of 2FA? That is when I realised that despite my efforts, I have ended up relying on Google too much. In the process of changing that, even if it costs me money to host the servers.

this post was submitted on 13 Oct 2023
217 points (89.2% liked)
