On Sat, 14 May 2022 at 04:40, Brian <a...@cityscape.co.uk> wrote:
> On Fri 13 May 2022 at 20:01:20 +0200, Kamil Jońca wrote:
> > Brian <a...@cityscape.co.uk> writes:
> > > On Fri 13 May 2022 at 08:42:21 -0400, Michael Stone wrote:
> > >> On Fri, May 13, 2022 at 07:16:11AM +0200, to...@tuxteam.de wrote:
> > >> > A loong password is not "equivalent" to 2FA, that's right. Good
> > >> > password management (of which length is but a part) is as secure
> > >> > as 2FA.
[...]
> > Password can be stolen, while with 2fa you have to take control over two
> > factors.
[...]
> Your claim is a good example of "frighten the user into doing what we want".

[Statements above are heavily trimmed and provide context only. They are
independent and do not represent a conversation.]

Speaking of "frighten the user into doing what we want" ...

Yesterday I needed to log in to a (different) gmail account that I had not
used for some time, so gmail reasonably required some authentication.

1) Username (email address) ... I provided it.

2) Password (random chars, medium length) ... I provided it.

3) One-time auth token (sent to an unidentified non-gmail mailbox) ... I
   provided it.

You would think that would be enough to satisfy 2FA, but it wasn't.

I was then prompted to enter a phone number, and it was impossible to
proceed without doing so, to obtain a one-time token sent by SMS. "so that
we can verify your identity" or words to that effect.

The point is, I have never in my life before given gmail any phone number.
So gmail claiming that one was required to identify me was a lie. At that
point, any phone number would satisfy the process. And denying access until
I provided one gave me a very unpleasant feeling of being blackmailed into
coughing up a phone number in response to a lie.

Luckily, I was able to satisfy the requirement without revealing any
information that I care about. It will be annoying for future logins
though, so I now intend to move that content to a different hosting
service.

Diversity, not having all eggs (email, phones) in one basket, is my best
solution to this. Use multiple, cheap, minimal, easily swappable solutions
where possible. The gmail account I'm using to write this is only used for
mailing lists, for example.