Re: [Lsf] [Lsf-pc] hello

["Lukáš Czerner" <lczerner@redhat.com>]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 3446 bytes --]

On Wed, 24 Jul 2013, Theodore Ts'o wrote:

> Date: Wed, 24 Jul 2013 10:49:20 -0400
> From: Theodore Ts'o <tytso@mit.edu>
> To: James Bottomley <James.Bottomley@hansenpartnership.com>
> Cc: Lukáš Czerner <lczerner@redhat.com>, linux-fsdevel@vger.kernel.org
> Subject: Re: [Lsf] [Lsf-pc] hello
> 
> On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> > 
> > Yes, just to emphasise, the phone number thing is completely unviable
> > for me as well.  They want to send you a code every time you log on.
> > It's founded on the assumption you have a single number that can reach
> > everywhere, which obviously doesn't work when you're travelling.
> > 
> > I thought they had something which used the google authenticator app?
> > Which can generate the codes without needing an active cell connnection.
> 
> There is a google authenticator app.  Having the codes sent via SMS is
> an option, but it's certainly not the only way to use 2 factor
> authentication.
> 
> It's been a while since I've done the 2FA signup flow, but I believe
> they had streamlined it a bit to make it easier to use.  It may have
> been that one of the ways the 2FA signup flow was streamlined was to
> assume that everyone would have a cell phone which was SMS-capable,
> but not everyone would have an Android phone.  But after you enable
> 2FA, it is definitely possible to set it up to use the android
> application.

Problem I've got is that in order to enable 2FA I need to go through
a series of steps the first one of which is to send me a Google
Authenticator application, even though I already have this installed
on my phone. And apparently they want to send a link to me via sms.
I do not see any way around that unfortunately. So to me this really
looks like a cheap way to get my phone number (which is not the
first attempt from Google I have to say).

Enabling this from the GA application does not seem to be possible
as it tells me to look at the accounts.google.com/security which
takes me back to what I've described earlier. It is quite annoying
:)

-Lukas

> 
> Also, you don't need to enter the code every single time you log in,
> at least not for consumer accounts.  You can specify that this is a
> trusted machine; if you do this, then after you enter the code, an 2FA
> authentication cookie which is good for 30 days is set on your
> browser, and you don't need to enter the code again subsequently.  On
> the other hand, if you're one of the people who are
> carefree^H^H^H^Hless to be willing to log in on kiosk machines, or in
> general on any machine which you don't personally control, you can
> simply leave the check box unchecked, and the 6-digit code will only
> be good for that particular login session.
> 
> You may have noticed Google employees needing to enter a code much
> more frequently, and it may be that if you are using an enterprise
> Google account, your enterprise I/T manager can set different policies
> for enterprise account.  But what I've described above is the case for
> all consumer accounts --- you do have the option of using a Google
> Authenticator application, which is available for Android and IOS
> devices, which generates a RFC-6238 compliant time-based TOTP code;
> and you have the option of designating the browser and the computer
> which is running on as trusted, in which case you only need to do the
> 2FA authentication procedure every 30 days.
> 
> Cheers,
> 
> 						- Ted
>