The hard-line solution would be that you go to a post office, airport, police station, motor vehicle office, passport office, or bank, they take your fingerprints, picture, and a retinal scan, you get a new ID card and token, and your old ones are invalidated.
The US just pushed the date for REAL ID enforcement further out, again. This time from spring 2023 to 2025.[1] REAL ID terrifies illegal aliens. Once everyone legal in the US has one, getting a job or traveling will be much harder.
[1] https://www.cnn.com/travel/article/dhs-real-id-deadline-exte...
Employers who disregard the law now will continue to disregard the law.
REAL ID looks different and essentially proves that you are not undocumented.
Visually, there used to be no difference between ID for undocumented and documented, so you can travel freely. My immigration lawyer recommended against traveling to AZ with that ID.
Not sure what it changes in terms of hiring. Even with REAL ID after background check, I had to submit proof that I'm allowed to work in this country.
It's hard to enforce that when there's no easy way to prove someone isn't in the country legally.
So they can plead ignorance.
As for REAL ID, it just seems like a requirement for the plastic ID, which seems to be weaker than the old EU requirements https://en.wikipedia.org/wiki/National_identity_cards_in_the...
Federalism in the US, a large section of the population that has no intent to travel outside the country, and general suspicion of the Government in a lot of states means that there is a patchwork of different IDs with different requirements, all of which are perfectly valid for their own jurisdiction. Real ID is just a way to set a basic standard for this kind of ID that will be required for (mostly interstate) air travel.
A better analogy for you might be a European ID. Get back to me when you can file taxes and access medical records anywhere in Europe using the same ID. (I half expect someone to pipe up saying that this is indeed possible and make me eat my words.)
And then there’s the question of how the heck you scale this if you’re a new company and want to handle unlocks for global users.
The right way to implement hardware keys is to allow registering multiple of them (so that you can put at least one or two off-site -- in a secure storage) and then not let you recover the access under any circumstances without showing you still own at least one of those keys.
If you can recover access without the keys then what is the point of keys in the first place?
For services that allow it I have both a TOTP app on my phone and a YubiKey registered, which I figure is sufficient redundancy. Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it.
It's a nice thought, but overall computer literacy is still highly varied, and it likely will be for a very long time.
We still have a large percentage of users who use computers sparingly and by rote. I have family members who need a lot of help to do day to day setups and are going to have a hard time with MFA devices or apps.
"Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it."
Minor hassle for you. Major hassle for a lot of users. Try real hard to put yourself in the place of a 77-year-old user who has limited sight and only needs to use a computer to accomplish very specific tasks - and has zero interest in doing more than basic email, banking, and a few other things that can only be done online. They have a smartphone only because it's a connection to their grandkids.
Because of the smartphone they're saddled with a Google or Apple ID that they'd otherwise never bother with. A TOTP app or YubiKey? That's well outside their comfort zone.
This isn't because these users are dumb. But the assumption that "it's time everyone learned" is based on the idea that everybody is using computers regularly and has resources for educating them - which is simply not true.
My kids, my wife, and my in-laws all use computers very differently than I do and it's extremely educational how people outside the industry see and use computers.
My 17-year-old only uses a Chromebook for school (grudgingly) and would rather do everything on their phone. My wife is fairly computer savvy, but still hits roadblocks. (She does enjoy forwarding me screenshots of particularly bad Phishing attempts...) And my older in-laws occupy most of their time far, far away from their computer. Singular.
Anyway - it'd be lovely if folks had way more empathy for the huge swaths of people who have less experience with computers. It's not the priority for them that you imagine that it should be.
You don't go through the setup process on the sites again. The sites have no knowledge that you have 1 or 21 new TOTP apps set up. You just enter the saved seed keys into the app and it starts spitting out the same correct codes as the other apps you already had set up.
Gnome authenticator can export a json file containing the keys to all the sites you have in it. You can then take those (just manually read them in a text editor), and enter them into Google Authenticator on a phone, and now you have 2 working authenticator apps, both spitting out the same correct codes every 30 seconds.
Further, you take that same json and paste it into a note in a keepass record, or save the individual seed keys in individual site entries just like the passwords, and copy that keepass db file all over the place including cloud drives, and including places you can access without the totp.
Now you can reproduce a working authenticator from scratch on any device at any time no matter where you are and no matter what happens to your phone or laptop. Buy a brand new phone or laptop, have a way to get a copy of your keepass db without needing the totp app, and in a couple minutes you have a working totp app again.
You never really have to even use the single-use emergency bypass codes. Keeping copies of the initial setup seeds is really no different from keeping copies of the emergency codes, but the setup seeds reproduce a fully working app not just a one-time access to a site.
And even if some app doesn't provide an export like gnome authenticator, you can also just record the key the first time it is generated instead of just scanning the qr code. Once you've saved it, you can use it as many times as you want.
Users are hard.
Now, I am not an expert on YubiKeys and the protocols used by these tokens, but I know they have protection against replay attacks, meaning they keep a sequence number that is incremented for each challenge/response. Pretty sure it could be made to support multiple keys. It would be really nice if I was able to initialise multiple YubiKeys and use them interchangeably (and keep two in a safe deposit box just in case).
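The server-side bookkeeping that lets several keys coexist with a per-key signature counter, as an added example (not the commenter's or any vendor's code): each registered credential keeps its own counter, a counter that fails to increase is treated as a suspected clone or replay, and revoking one key leaves the others usable. Cryptographic signature verification is assumed to have already happened and is left out.

```python
from dataclasses import dataclass, field


class ReplaySuspected(Exception):
    """Raised when a credential reports a counter that did not move forward."""


@dataclass
class Credential:
    key_id: str
    sign_count: int = 0  # last counter value accepted from this key


@dataclass
class Account:
    creds: dict = field(default_factory=dict)

    def register(self, key_id: str) -> None:
        self.creds[key_id] = Credential(key_id)

    def revoke(self, key_id: str) -> None:
        self.creds.pop(key_id, None)

    def verify_assertion(self, key_id: str, reported_count: int) -> bool:
        """Accept a login from key_id only if its counter strictly increases.

        Counters are tracked per key, so two keys registered on one account
        never interfere with each other. Following the WebAuthn rule, a key
        that never implements a counter (always reports 0) is not checked.
        """
        cred = self.creds.get(key_id)
        if cred is None:
            return False  # unknown or revoked key
        if reported_count == 0 and cred.sign_count == 0:
            return True  # authenticator has no counter; nothing to compare
        if reported_count <= cred.sign_count:
            raise ReplaySuspected(f"{key_id}: counter {reported_count} <= {cred.sign_count}")
        cred.sign_count = reported_count
        return True


def demo() -> dict:
    """Constructed scenario: two keys, one of them later lost and revoked."""
    acct = Account()
    acct.register("key-at-home")
    acct.register("key-in-safe-deposit")
    results = {
        "home_1": acct.verify_assertion("key-at-home", 1),
        "home_2": acct.verify_assertion("key-at-home", 2),
        "safe_1": acct.verify_assertion("key-in-safe-deposit", 1),  # own counter
    }
    try:
        acct.verify_assertion("key-at-home", 2)  # same counter again
        results["replay_caught"] = False
    except ReplaySuspected:
        results["replay_caught"] = True
    acct.revoke("key-at-home")  # lost key removed; the other still works
    results["revoked_rejected"] = acct.verify_assertion("key-at-home", 3)
    results["safe_2"] = acct.verify_assertion("key-in-safe-deposit", 2)
    return results
```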
Google allows this.
Got logged out. I log back in (using 2FA btw). "Please give us your phone number so we can verify it's you" I enter my phone number. I don't really get the point of this because they did not have my number before, so what are they actually verifying here? Anyway, I trust Facebook with my phone number lol. I get a code, I enter it. "Your account activity is suspicious and we will limit your account for a bit" That was it. No redirect, no link to click, nothing. So I go back to instagram[.]com and have to do the same thing again?
Well maybe my browser is on a block list now or sth. So I go to my phone (where I was signed in). And the App is broken completely, looks like the session was invalidated.
I log out, log back in, do 2FA, enter the code again. Same result.
I checked back in a couple of days ago and it seems like I have access again.
It is unfathomable how this can happen. How can the front gate to your multi-billion service just not work to the point where you DOS yourself?
Also this account has 0 images, and just a couple of followers, so there is literally nothing to protect.
In moments like these you really start to notice the missing communication channels to the big tech companies. Is there any other industry that has zero customer support?
Outstanding customer support would entail expense, threatening profits. The money of happy and unhappy customers turns out to be the same color.
I believe that this is much more about rate limiting than about security for the end users.
I had a case the other day where I called my insurance company. The automated system couldn't understand my answers (I was actually trying to answer the given prompts rather than just repeating "representative" over and over). It replied "it looks like we're having a problem" and proceeded to just say goodbye and hang up on me. More than infuriating, and that's an understatement.
Why make it easy for our customers to contact us (presumably to make a claim, i.e. the whole reason insurance products exist) when we can just pretend it's easy, collect money based on that lie and get away with it?
Capitalism responded to market forces and the needs of the customer.
It's possible that their logic has some sort of a bug, especially if it only happens when you visit a specific service - and in that case, getting on HN might be the best way to get it looked at by a human... but also make sure you don't have any other issues going on.
If the message had stated "We have removed recently added security keys" I would be a lot more understanding!
Yeah, in theory those recovery keys should still be secure, but you know for certain that a hostile attacker has the encrypted secure note, and without any confidence in LastPass it makes sense to change them as well.
Unfortunately this means you look exactly like someone doing an account takeover and changing the password and recovery keys on the account.
Right, that's likely the "bug" part. On HN of all places, people shouldn't be surprised that bugs happen.
Wait, why are we normalizing this? Getting on HN is always the second-best way to get it looked at by a human. The best would be, you know, Google devs doing their job and helping their users instead of solving LeetCode or writing their next promo packet or whatever it is they do all day.
I'm not a big fan of this trend where Google and other companies are essentially outsourcing their (horrible) customer service to this message board.
I mean I'll still upvote the post in case I need to invoke this terrible fallback in the future, but I think it's reasonable to grumble about it.
The problem might be the business model itself. Google is not attached to any one of its billions of users, but they can cause a lot of pain if they randomly cut you off - especially in a world where email is essentially online identity. But then, I'd wager that a good 90% of us are employed in places that want to replicate that model at any cost... glass houses and all.
I've previously been reported for commenting on a previous article that Google is a faceless company that produces shitty products and actually doesn't give a shit about user experience, negative feedback, or deleting/locking accounts (and, often, years of work) for no clear reason.
Somebody responded "on HN we often hear only one side of the story (people getting a negative experience with Google) and not Google's side".
So, since many Google employees are also here on HN, I ask you folks: do you have any words to say in defense of these crappy policies?
If yes, then I'm happy to change my mind about Google, and eat back all the countless offenses I've thrown at the company over the years if convinced by enough plausible arguments.
If no Google employees can come here (or, even better, directly reach out to those impacted by their bad decisions) and defend their policies, then I abide by my words: Google is a shitty company that produces shitty products, it is proud of being a faceless company that doesn't care about supporting users (even though it makes a lot of money out of their data), it makes horrible business decisions, and it leaves people in the dark when locked out of their accounts. Such companies, in a healthy market with enough competition, deserve to rot and fail and be mourned by nobody.
The mindset is that the company's costs must scale non-linearly against revenue for the company to survive. As a result, engineering solutions that require zero humans are preferred over hiring humans. Sometimes humans are acceptable in the short-term (usually if it results in more revenue).
Why do employees allow company leadership to allow this to happen? Internally, I think stuff like this does get raised and actions are taken to address the "bugs". But I think there is also an attitude that Google is not going to change course because they believe this is a better approach in the long run. "What's a few inconvenienced users when you can solve problems for a billion+ people??"
From a business perspective, I can understand it. From a human perspective it sucks.
Not to play the devil's advocate but Google is still a great research company, helping the open-source community and the tech industry.
And people that matter have a back channel via employees or account reps to clear things up.
Therefore, unless you fall into one of these categories, you probably shouldn't use Google products - or, even worse, rely on it for sensitive things such as your emails, your photos or your work documents.
I recently tried to play the game again but was told I had to log in again. Doing so locked my account because it had been used in ways which violated Microsoft's ToS: hacking, phishing or scamming other users. They demanded my telephone number before they'd allow me to use it again.
I basically consider this account and the game lost now. I didn't buy this game when it was owned by Microsoft, but will never buy anything from Microsoft which requires me to have an account with them ever again.
Tangent, after giving in to the phone I became more disillusioned with Minecraft as 1) MS appears to have canceled a 3rd installment of music from C418 over licensing issues (C418 wanted rights) and instead got some new artists whose music is good but doesn't fit the nostalgic vibe and seems played more often as well as with regularity in certain scenarios (previously it was fully random) and 2) classic case of S****horpe censoring and bans, applied to inoffensive words, people's names, other languages, private servers, people's pre-existing user names, even within commands, etc...
To preempt some comments along the lines of "why are you relying on google in 20xx", I try my best not to these days but I still rely on them to forward emails from my old accounts, or for services like youtube where you must have a google account for full features.
Exactly, unless they were added during the suspicious activity. But this seems to be not the case.
I work in cybersecurity and I've seen hackers setting up PINs etc. on hijacked WhatsApp accounts just to make it harder for the legit owner to recover them. So if it was a really recent addition it might make sense. If the YubiKey was there for ages it's a really stupid move because it's the one way the real owner can prove themselves.
1. You log in with your key
2. Google flags you as suspicious
3. Google removes the keys from the account because the suspicious actor used them to log in, so they could have been stolen
From the audit log in my email no new keys were added before this was tripped.
I am not using a VPN and as far as I know I am not doing anything unusual. I might be committing the crime of having a Linux Firefox user agent but I somewhat doubt that was the problem, that's not that unusual.
Thank you Google for making my account "Safe".
Edit: note I luckily had memorized all three passwords to the different e-mail addresses or I would have been up a creek.
There was a Titan Bluetooth Key (for 2FA) Vulnerability, you've said you'll replace the affected keys[1], but you're no longer doing so. Which is frustrating.
[1] https://security.googleblog.com/2019/05/titan-keys-update.ht...
(FWIW I added YubiKeys to 2 old long-term Google accounts about 6 months ago and they are still there. I did do this from the home location I usually use Google from, though.)
:P
What Google ought to do is to display a message saying:
* Google suspects someone else, or a virus, has access to your account with malicious intent.
* Google will help you secure your account.
* It is necessary to prove you are the legitimate account owner before we can allow you access to the account. To do this, we will ask you to log into the account with as many devices and methods as possible. Into each device you should type '7867' after logging in.
* We ask this because a malicious actor or virus probably will only have control of a few of your devices, passwords or security keys, so we can identify you as the true account holder because you have more.
* We will then lock out the malicious actor, and you can change any passwords or security keys they used. If one of your devices was used by a virus, we'll block it until you have reset it.
and it seems like it has 'ramped up' its paranoia recently, because just in the last week I got forced to change a password on one account over a 'suspicious login' (me logging in through the same browser over VPN, and this is while the account has 2FA on), and got a "critical security alert" over a login from a new browser. "Suspicious attempt to sign in with your password". Yeah, that's just me, Google.
By 2030 we will need to build a social network with at least 10k users to get some attention from the Gooverlords.