Re: [Lsf] [Lsf-pc] hello

[James Bottomley <James.Bottomley@HansenPartnership.com>]

On Thu, 2013-07-25 at 12:03 +0200, Lukáš Czerner wrote:
> On Wed, 24 Jul 2013, Theodore Ts'o wrote:
> 
> > Date: Wed, 24 Jul 2013 10:49:20 -0400
> > From: Theodore Ts'o <tytso@mit.edu>
> > To: James Bottomley <James.Bottomley@hansenpartnership.com>
> > Cc: Lukáš Czerner <lczerner@redhat.com>, linux-fsdevel@vger.kernel.org
> > Subject: Re: [Lsf] [Lsf-pc] hello
> > 
> > On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> > > 
> > > Yes, just to emphasise, the phone number thing is completely unviable
> > > for me as well.  They want to send you a code every time you log on.
> > > It's founded on the assumption you have a single number that can reach
> > > everywhere, which obviously doesn't work when you're travelling.
> > > 
> > > I thought they had something which used the google authenticator app?
> > > Which can generate the codes without needing an active cell connnection.
> > 
> > There is a google authenticator app.  Having the codes sent via SMS is
> > an option, but it's certainly not the only way to use 2 factor
> > authentication.
> > 
> > It's been a while since I've done the 2FA signup flow, but I believe
> > they had streamlined it a bit to make it easier to use.  It may have
> > been that one of the ways the 2FA signup flow was streamlined was to
> > assume that everyone would have a cell phone which was SMS-capable,
> > but not everyone would have an Android phone.  But after you enable
> > 2FA, it is definitely possible to set it up to use the android
> > application.
> 
> Problem I've got is that in order to enable 2FA I need to go through
> a series of steps the first one of which is to send me a Google
> Authenticator application, even though I already have this installed
> on my phone. And apparently they want to send a link to me via sms.

Yes, I did try this on my sip based land line using a voice call ... it
doesn't actually work; at least it never gave me the call back.

> I do not see any way around that unfortunately. So to me this really
> looks like a cheap way to get my phone number (which is not the
> first attempt from Google I have to say).
> 
> Enabling this from the GA application does not seem to be possible
> as it tells me to look at the accounts.google.com/security which
> takes me back to what I've described earlier. It is quite annoying
> :)

I think the crux of the problem is that Google believes you're using
gmail, so they don't think you have an email they could send password
recovery to.  There's probably a small minority of us who already had
functional email accounts, thank you very much, and have tried very hard
to disable the gmail account google forces down your throat with
android.

The usual rule of security is that if you want people to do it, you make
it easy.  This isn't easy (or, in some cases, possible) by any means.

It's perfectly simple: I don't mind Google collecting the phone numbers
of people who want to give them up (or have one number to give).
However, I want account recovery and setup done by email to the address
I control not by phone because I almost always have access to email when
travelling and don't usually have access to a pre defined phone number
(except the internet one which google just failed to deliver the notice
to).

James


James



--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html