From: Theodore Ts'o <tytso@mit.edu>
To: James Bottomley <James.Bottomley@hansenpartnership.com>
Cc: "Lukáš Czerner" <lczerner@redhat.com>, linux-fsdevel@vger.kernel.org
Subject: Re: [Lsf] [Lsf-pc] hello
Date: Wed, 24 Jul 2013 10:49:20 -0400 [thread overview]
Message-ID: <20130724144920.GA29346@thunk.org> (raw)
In-Reply-To: <1374675803.4634.10.camel@dabdike>
On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
>
> Yes, just to emphasise, the phone number thing is completely unviable
> for me as well. They want to send you a code every time you log on.
> It's founded on the assumption you have a single number that can reach
> everywhere, which obviously doesn't work when you're travelling.
>
> I thought they had something which used the google authenticator app?
> Which can generate the codes without needing an active cell connnection.
There is a google authenticator app. Having the codes sent via SMS is
an option, but it's certainly not the only way to use 2 factor
authentication.
It's been a while since I've done the 2FA signup flow, but I believe
they had streamlined it a bit to make it easier to use. It may have
been that one of the ways the 2FA signup flow was streamlined was to
assume that everyone would have a cell phone which was SMS-capable,
but not everyone would have an Android phone. But after you enable
2FA, it is definitely possible to set it up to use the android
application.
Also, you don't need to enter the code every single time you log in,
at least not for consumer accounts. You can specify that this is a
trusted machine; if you do this, then after you enter the code, an 2FA
authentication cookie which is good for 30 days is set on your
browser, and you don't need to enter the code again subsequently. On
the other hand, if you're one of the people who are
carefree^H^H^H^Hless to be willing to log in on kiosk machines, or in
general on any machine which you don't personally control, you can
simply leave the check box unchecked, and the 6-digit code will only
be good for that particular login session.
You may have noticed Google employees needing to enter a code much
more frequently, and it may be that if you are using an enterprise
Google account, your enterprise I/T manager can set different policies
for enterprise account. But what I've described above is the case for
all consumer accounts --- you do have the option of using a Google
Authenticator application, which is available for Android and IOS
devices, which generates a RFC-6238 compliant time-based TOTP code;
and you have the option of designating the browser and the computer
which is running on as trusted, in which case you only need to do the
2FA authentication procedure every 30 days.
Cheers,
- Ted
next prev parent reply other threads:[~2013-07-24 14:49 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CAFcGZ=+zEJUrkQbvsG9z1h+67xr+3nxaM_uAMVqsv3nHtJkOfQ@mail.gmail.com>
[not found] ` <F5B367DF-63C0-4770-B763-A19641E781B9@gmail.com>
[not found] ` <CANFwon2+F8PonbGv=FPfvBXxA2bSvTFD8-1KJNPC2k-cHmYN_Q@mail.gmail.com>
[not found] ` <20130721180553.GC21110@thunk.org>
[not found] ` <20130723185656.GA2134@thunk.org>
2013-07-24 6:34 ` [Lsf] [Lsf-pc] hello Lukáš Czerner
2013-07-24 14:23 ` James Bottomley
2013-07-24 14:49 ` Theodore Ts'o [this message]
2013-07-25 10:03 ` Lukáš Czerner
2013-07-25 15:55 ` James Bottomley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130724144920.GA29346@thunk.org \
--to=tytso@mit.edu \
--cc=James.Bottomley@hansenpartnership.com \
--cc=lczerner@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).