Discussion in 'Article Discussion' started by bit-tech, 11 Apr 2019.
For those thinking "wait, I've had those authentication pop-ups for gmail logins on my phone for years!" the key difference in this implementation is that the authentication is done locally, rather than needing to bounce between devices via Google's servers.
The only problem I have found with it, which does not make it very user friendly (no way I could put this on relatives' phones), is that it does not auto fall back to Yes/No approve (you have to press cancel and press "try another way"), I can only add one phone as a secure key, and it does not work if Bluetooth is not available (unsure if it defaults to Yes/No if there is no Bluetooth hardware on the PC/laptop).
If you have a constant internet connection I don't see any benefit in using the secure key. What does it give me that Yes/No doesn't give me already (and Yes/No lets me use it on all devices)?
Also, I really wish Google would add better recovery options, as SMS and email bypass all the 2FA stuff enabled on my account, but I need it for the rare time that Google needs to make sure I am actually me and I want to use recovery options instead of my phone to prove who I am or reset a forgotten password. There need to be 2 more options on recovery:
1. A master code that you can print off and that is never shown again. If a new master code is wanted, it should go on a 30 day cool down before the new master code is shown, to prevent someone else who got into the account from using it to take full control of the account after getting in (if it's set to a 30 day cool down you can use the current code you have to regain control of the account no matter what the other person has done to the account).
2. Secure key for account recovery (at the moment you can only use secure key account recovery if the account is currently in hardened mode; SMS/email recovery is disabled in hardened mode, as is a bunch of other stuff).
3. The phone should always be the ultimate verification of account ownership, even if the password was changed and the phone was deleted from the account by the person who has control of the Google account (the phone should stay connected as a trusted device to the account for 30 days, as long as the phone screen lock security was not changed/disabled), as that's how Apple does it: the phone/iPad becomes the trusted device (ideally you should keep 2 Apple/Google devices active so you have a trusted way to reset the password or do account recovery).
As at the moment, if someone gets into your account they can change your recovery info and enable 2FA to basically make it impossible to recover the account (unless you know when the account was created and use your Android phone to do the account recovery, as it should trust the phone completely if it's PIN locked, but that does not always work, or it asks for the account creation date before or after using Yes/No). And if someone wants you to lose your account they could start having a go at trying to get into the account and end up triggering the Google verification stuff, which a lot of people don't keep up to date (some people don't value their mobile number until they can't get back into their Apple or Google account and get themselves permanently locked out).