by Vidar Leathershod (41663) writes:
Pray I don't alter it any further.
Having dealt with the fallout of people losing access to their accounts due to MFA, and not just from compromise, I am completely convinced that passkeys will result in the same. The whole system is completely ridiculous, and their whole claim of improved security has been demonstrated to be a fabrication.
by AmiMoJo (196126) writes:
You seem to be a bit confused. This is for if you have 2FA set up on your account. One option is to use SMS as the second factor, but it's optional and there are much, much better options. You can use a security key (e.g. YubiKey or Google's own Titan keys), a pop-up message on your Android devices, or a time-based code (TOTP).
SMS has poor security and sometimes doesn't work if you are abroad.
Passkeys are a different thing. You can use them for MFA, but usually they are used in addition to it for high-security accounts. You can also use them to bypass logging in manually, or remove the need for cookies.
As for Google's security, the simple fact is that they are the only major tech company offering extensive online services that hasn't been badly hacked. While individuals do get targeted, and they have had some data loss incidents, it's never been on a mass scale, a systematic failure that allowed an attacker to get into specific accounts without phishing or stealing keys. If there is only one thing that they are good at, it's security.
by omnichad (1198475) writes:
They're talking about when you DON'T have 2FA set up at all. Google one day decided that they still won't let you sign in with just your password. And then all the accounts with old phone numbers that never got updated suddenly became locked out. Devices that were authenticated continued to work but the user still couldn't get to the account settings to update the phone number.
by AmiMoJo (196126) writes:
Which is why you should never have just a phone number as your only way of recovering an account. Google asks you to set up a recovery email address as well, and as I mentioned you can also download recovery codes and tap "yes" on your Android device (enabled by default).
So to get locked out you have to lose your old phone number, lose your old email address, opt out of Android notifications, and not bother with the recovery codes. At that point, it's your own fault.
by Anonymous Coward writes:
I have several old accounts with a recovery e-mail set up but no phone number associated. Enter the password, then they e-mail a code to the address, and then after you enter *that* they ask for a phone number.
Fuck that. It's pure data collection for $$$ at that point.
by whoever57 (658626) writes:
SMS has poor security and sometimes doesn't work if you are abroad.
Is there another 2FA scheme that doesn't carry the risk that you may lose access to your accounts if you lose your phone?
by bill_mcgonigle (4333) writes:
Put your TOTP key in your password manager.
Works good.
Have an offline backup of your password manager datastore.
by AmiMoJo (196126) writes:
Security key, ideally two of them. Keep one safe somewhere away from the other.
You can also download backup codes that you can use to log in. Keep them in your password manager, or even print them and put them in a safe.
You can also use a password manager that supports TOTP codes. Keepass can do it. Then you have a backup on your computers.
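The two comments above (bill_mcgonigle's "put your TOTP key in your password manager" and AmiMoJo's Keepass suggestion) rest on one property of TOTP that is worth seeing in code: the authenticator app holds nothing but a shared base32 secret, so any device that has a copy of that secret produces identical codes and a password-manager backup is a complete recovery path. The following is an added example, not code from the thread or from Google; it implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library and uses the RFC 6238 SHA-1 test secret (ASCII "12345678901234567890") as a constructed example, in the base32 form that QR-code enrolment gives you.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed example secret: the RFC 6238 SHA-1 test secret "12345678901234567890",
# base32-encoded the way an otpauth:// QR code and a password manager store it.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Normalise a stored secret (lower case, grouping spaces, missing '=' padding) and decode it."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (default 30 s)."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step, digits, algorithm)


def verify_totp(secret_b32: str, candidate: str, unix_time: int, skew_steps: int = 1, **kw) -> bool:
    """Verifier side: accept the code for the current step and +/- skew_steps neighbours,
    comparing in constant time. Nothing here depends on which device generated the code."""
    step = kw.get("step", 30)
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + delta * step, **kw), candidate):
            return True
    return False


def codes_from_two_devices(secret_b32: str, unix_time: int) -> tuple[str, str]:
    """The phone's authenticator and a second device restored from the password-manager backup.
    The backup copy is deliberately stored in the sloppy 'gezd gnbv ...' form users paste in."""
    phone = totp(secret_b32, unix_time)
    backup_form = " ".join(secret_b32.lower()[i:i + 4] for i in range(0, len(secret_b32), 4))
    restored = totp(backup_form, unix_time)
    return phone, restored


if __name__ == "__main__":
    now = int(time.time())
    print("current 6-digit code:", totp(EXAMPLE_SECRET_B32, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(EXAMPLE_SECRET_B32, 59, digits=8))
    print("phone vs restored backup:", codes_from_two_devices(EXAMPLE_SECRET_B32, now))
```

The practical consequence is the one the comments draw: losing the phone loses nothing as long as the base32 secret survives in the password manager and its offline backup. The flip side is that the secret is a bearer credential, so the backup needs the same protection as the passwords next to it, and anyone who exfiltrates the password-manager database has both factors.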
by flink (18449) writes:
Security key, ideally two of them. Keep one safe somewhere away from the other.
This is what has always kept me from adopting hardware security keys. There is no way to clone them, which means going through the registration ritual on every account multiple times. And if the second key is in a secure remote location like it's supposed to be that means the added hassle to travel to that location and check out the key every time I create a new account so I can register the backup key, plus a window of vulnerability while that key is checked out when I have both in my possession so I can
by AmiMoJo (196126) writes:
You don't have to add both keys at the same time, you can wait until you get back to your other location before adding the second one.
I use the recovery codes, they are easy to store in Keepass.
by WaffleMonster (969671) writes:
You seem to be a bit confused. This is for if you have 2FA set up on your account.
MFA is either already mandatory for gmail or will soon be.
One option is to use SMS as the second factor, but it's optional and there are much, much better options. You can use a security key (e.g. Yubikey or Google's own Titan keys), a pop-up message on your Android devices, or a time-based code (TOTP).
SMS has poor security and sometimes doesn't work if you are abroad.
SMS, TOTP, pop-up messages and authenticator apps offer no protection against verifier impersonation, nor can these systems be judged on their individual merits without consideration of requirements for successful credential recovery. If you can simply bypass a factor by saying you forgot or lost it, then the actual point of these systems is reducing administrative costs, not improving security.
While individuals do get targetted, and they have had some data loss incidents, it's never been on a mass scale, a systematic failure that allowed an attacker to get into specific accounts without phishing or stealing keys. If there is only one thing that they are good at, it's security.
This is simply not the case, phishing attacks are a wides
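WaffleMonster's phrase "verifier impersonation" is the property that separates the factors AmiMoJo listed. A code that the user reads off a phone (SMS, TOTP, a number shown in a push prompt) is a bearer token: the verifier only checks that the right digits arrived, so a lookalike site that relays what the victim types is indistinguishable from the victim. A FIDO2/WebAuthn security key instead signs the challenge together with the origin the browser actually connected to, so a relayed assertion carries the wrong origin and fails. The following added example (not code from the thread, from Google, or from any FIDO library) models both flows side by side. The origins are constructed, and an HMAC keyed per relying party stands in for the real per-credential asymmetric signature so that the block runs on the standard library alone; the verification logic mirrors what a WebAuthn relying party checks in clientDataJSON.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"               # constructed legitimate login page
PHISH_ORIGIN = "https://accounts-example.com.evil.test"    # constructed lookalike run by the attacker
RP_ID = "accounts.example.com"


# ---- Bearer-code factor (SMS, TOTP, code shown in a push prompt) ----------------------

def verify_bearer_code(expected: str, presented: str) -> bool:
    """The real site's check: is this the code we sent/expect? Nothing ties it to where it was typed."""
    return hmac.compare_digest(expected, presented)


def relay_bearer_code(expected: str) -> bool:
    """Victim reads the code off the phone and types it into the lookalike page;
    the attacker forwards it unchanged to the real site within the validity window."""
    typed_on_phish_page = expected
    forwarded_by_attacker = typed_on_phish_page
    return verify_bearer_code(expected, forwarded_by_attacker)


# ---- Origin-bound factor (FIDO2/WebAuthn-style security key) ---------------------------

class ToyAuthenticator:
    """One credential per relying party. Signs client data that the *browser* fills in with the
    origin it is really talking to. Simplification: HMAC instead of an ECDSA/EdDSA signature."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[rp_id] = key
        return key  # a real RP would store the public half; here verifier and key share a secret

    def get_assertion(self, rp_id: str, challenge: bytes, browser_origin: str) -> tuple[bytes, bytes]:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True,
        ).encode()
        signature = hmac.new(self.keys[rp_id], client_data, hashlib.sha256).digest()
        return client_data, signature


def rp_verify(stored_key: bytes, expected_origin: str, challenge: bytes,
              client_data: bytes, signature: bytes) -> bool:
    """Relying-party checks, in the order WebAuthn prescribes: type, our challenge, our origin,
    then the signature over exactly those bytes."""
    parsed = json.loads(client_data)
    if parsed.get("type") != "webauthn.get":
        return False
    if parsed.get("challenge") != challenge.hex():
        return False
    if parsed.get("origin") != expected_origin:
        return False
    expected_sig = hmac.new(stored_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, signature)


def relay_origin_bound(browser_origin_seen_by_victim: str) -> bool:
    """Attacker relays the real RP's challenge to the victim and the resulting assertion back.
    (A real browser would refuse to use an RP_ID credential from a foreign origin at all;
    this model lets the assertion through so the RP-side origin check is what stops it.)"""
    authenticator = ToyAuthenticator()
    stored_key = authenticator.register(RP_ID)
    challenge = secrets.token_bytes(32)
    client_data, signature = authenticator.get_assertion(RP_ID, challenge, browser_origin_seen_by_victim)
    return rp_verify(stored_key, REAL_ORIGIN, challenge, client_data, signature)


if __name__ == "__main__":
    print("bearer code relayed through phishing page accepted:", relay_bearer_code("492039"))
    print("security-key assertion from the real origin accepted:", relay_origin_bound(REAL_ORIGIN))
    print("security-key assertion relayed from lookalike accepted:", relay_origin_bound(PHISH_ORIGIN))
```

The same reasoning is why WaffleMonster's second point matters: if the account can be recovered by SMS or by "I lost my key", the verifier-impersonation resistance of the security key is only as strong as the weakest recovery path the attacker can drive the victim through.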
by AmiMoJo (196126) writes:
What I like about Google's solution is that they let you choose which options you want to use. So you can evaluate your own threat model and decide which suits you best.
You can opt into enhanced security too, which locks it down even further. Of course the risk of getting locked out increases too.
Copyright © 2026 Slashdot Media. All Rights Reserved.