Also, fully acknowledging that Google's and other big techs' 2FA is far from ideal:
The other thing is, we want at the same time Gmail to be unhackable against the best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts; and at the same time accessible to homeless people who can't keep any physical thing. It's kinda difficult to meet those conflicting requirements well at the same time.
Maybe the solution should be to have some basic free state-paid email provider for those people. They are not forced to use Gmail specifically (albeit the number of non-sucking and free email providers is probably close to zero).
How about the homeless person remembers a good password, and that's all that's needed for authentication? You know, just like it used to be. What exactly is wrong with that?
Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place? Passwords alone are a bad solution (often forgotten, easily re-used insecurely) for people without all of the challenges and frequent mental issues that accompany homelessness, why would you think they'd be a good solution for people who, as the OP says, aren't capable of keeping track of a physical device for more than N weeks?
I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems that 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
Pretty much EVERYONE will have cognitive decline in their twilight years. It would be nice if we could have communication systems that are compatible with basic human biology.
Which would go one of two ways:
1. One uses the same password one uses everywhere else, and now one is much more vulnerable to credential stuffing
2. One is reliant on a book of passwords or a password management app on one's phone, resulting in the same exact problem we're trying to solve
> PS: Many unhoused people access their email rarely, intermittently; they don't stay logged in. They often have to guess several times to remember their password.
2FA doesn’t work, and remembering passwords doesn’t work either. Checkmate.
I don’t think that is the solution. I also don’t know what is.
Public services that somehow provide safe access to email etc?
I think Google faced a trolley problem and made the right decision. You need a different tool "homeless mail" for them.
It's Gmail. You don't have to use it. There's a lot of mail providers out there.
Whatever, if this guy won't set it up I will. I'll stick a 20 msg / hr, 100 / day limit on it and call it a nice anti-spam day.
And Google is not alone here; many other major "free" email providers require a phone as well (dagger eyes at you, MS, Yahoo, etc); and the icing on the cake is that some websites even require a particular set of domains to register with them to prevent multi-accounts/bots/spammers/etc => just a big ol' downward spiral of decisions that feed into each other, just to put a physical ID on anybody to tag-em-to-sell-em
The biggest gripe is that it is mandatory; it is not an option and there is nothing we can do about it other than "vote with our wallets" - and Google does not even allow TOTP use as an alternative to phones, lol
The beatings will continue until morale improves; always has been, always will
Seems to me it should mean that it has to be optional, at least until we solve that problem.
USPS serves every US address. Lone Star Overnight is allowed to mostly serve Texas without a requirement to also serve Maine.
Which category do we want Google to fall into? This kinda smells like we're expecting it to be a universally provisioned public service, but provided by a private entity with private funding.
There are three factor categories, what you know, what you are, and what you have. A password is what you know. A phone is what you have. Biometrics are what you are - facial recognition, thumbprints, etc.
2FA in one manner or another is used by various services, because the security recommendation is to pillar identification by at least two of the three factors.
For your question, there are any two from the three factor categories that could be used.
However, there are also limited versions of a single category that are often used as a backup when 2FA is not available. In this case, Google uses backup codes when "what you have" is not available. Backup codes are functionally equivalent to passwords, except that they are limited to a single-time use. Limiting use is often a method of using a single factor category when another factor is not available.
Another method is to rely upon another authority, such as using a physical ID card that can be validated in order to let a person back in.
And so forth.
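The single-use backup-code fallback described in the comment above, as an added example (this is not Google's code; the storage format, the code length and the function names are assumptions). The point it shows is that a backup code is a password with one extra rule: the server keeps only a salted hash, checks every stored slot in constant time, and burns the slot on the first successful use so the same code is refused afterwards.

```python
"""Single-use backup codes as a fallback for a missing "what you have" factor.

Added example, not any provider's implementation. Assumes codes are
generated once, shown to the user, persisted only as salted PBKDF2
hashes, and marked used on first successful redemption.
"""
import hashlib
import hmac
import secrets

CODE_COUNT = 10        # how many codes to issue per enrolment (assumption)
CODE_BYTES = 5         # 40 bits per code: fine for a rate-limited fallback
ITERATIONS = 10_000    # PBKDF2 work factor; raise in production


def _hash_code(code: str, salt: bytes) -> bytes:
    # Normalise user input so "abcde-fghij", "ABCDEFGHIJ" and "abcde fghij"
    # all hash identically; users retype these from paper.
    normalised = code.replace("-", "").replace(" ", "").upper().encode()
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, ITERATIONS)


def generate_backup_codes(count: int = CODE_COUNT):
    """Return (plaintext_codes, stored_records).

    The plaintext list is shown to the user exactly once. Only the
    records (salt, hash, used flag) are kept server-side, so a database
    leak does not hand out working codes.
    """
    plaintext = []
    records = []
    for _ in range(count):
        raw = secrets.token_hex(CODE_BYTES).upper()   # 10 hex characters
        code = f"{raw[:5]}-{raw[5:]}"                  # grouped for readability
        salt = secrets.token_bytes(16)
        plaintext.append(code)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return plaintext, records


def redeem_backup_code(records, candidate: str) -> bool:
    """Consume a backup code. Returns True once per code, False otherwise.

    Every stored slot is checked (no early return on a mismatch) so the
    response time does not reveal which slot, if any, matched, and a
    slot that already matched once is treated like a wrong code.
    """
    matched = None
    for rec in records:
        digest = _hash_code(candidate, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]) and not rec["used"]:
            matched = rec
    if matched is None:
        return False
    matched["used"] = True   # single use: the same code is rejected from now on
    return True


def remaining_codes(records) -> int:
    """How many unused codes are left; prompt re-issue when this gets low."""
    return sum(1 for r in records if not r["used"])


if __name__ == "__main__":
    codes, stored = generate_backup_codes()
    print("show these to the user once:", codes)
    print("first use:", redeem_backup_code(stored, codes[0]))    # True
    print("replay:   ", redeem_backup_code(stored, codes[0]))    # False
    print("left:     ", remaining_codes(stored))                 # 9
```

The design choice worth noting is that redemption is the only place where a code is consumed; a failed login attempt must still be rate-limited separately, because a 40-bit code checked against ten slots is brute-forceable if the endpoint allows unlimited guesses.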
This is not a technical problem and should not be automated away.
Rely on trustworthy third parties. Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement. In some countries, the police might certify the identity of the individual, and then Google could trust that certification. In another place, it might be some combination of the Red Cross and a public hospital. Obviously some identifications will be easier and others harder - if a person in New York claims they are the owner of an account based in Spain, the employee should be suspicious and require a higher burden of proof (and the reactivation might be logistically more difficult).
> The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts;
I'm not really convinced high profile dissidents, journalists and senators (why senators?) should be trusting Gmail to protect them from state sponsored adversaries. Google generally wants to do business in territories controlled by states which means they have to follow laws and will sometimes be subject to intimidation; but they have no intrinsic motivation to be unhackable.
Sorry but this just isn't happening, and if there is regulation to make something like this happen, companies will just turn off their services. Plus this would essentially seal off competition: want to run an email hosting startup? Guess you have to manage real estate all over the world and work with every government.
This whole conversation seems backwards to me. Yes, it should be easier for people to recover their accounts, but should governments be totally reliant on private email providers for communicating with people who need services?
The story, as I understand it, goes something like this: a case worker emails a homeless person, the homeless person can't access their email, and then the case worker denies them access to programs because they never got a response. That is not solely an email problem---it's also a huge problem with these programs and services! Why don't they provide identity services and retail outlets to help people get the resources they need? Why are governments shoving this responsibility into the private sector?
Why Senators? They’re high ranking US government officials, they’re a prime target for state sponsored attackers.
Other than Protonmail I wouldn’t trust anyone else with my email. Gmail is close to if not the #1 non-governmental target for state sponsored attackers. The NSA runs secure email for TS-SCI communications but they don’t want to have to teach John Podesta how to not get phished, and Google has the best defense against those attacks if you enable advanced protection.
How?
You don't need to use Gmail. There are a lot of good free mail providers.
I guess too bad! Should have thought of my future homelessness when I was signing up for an email service a decade ago!
Drop the password requirement. Use fingerprints + face. Very hard to lose these, but not impossible. Note, this solution is 1.5FA, but would solve the issue at hand. (pun alert)
Ignoring the issue of device accessibility - which is the crux of the 2FA problem.
If they truly can't keep anything on them, someone who recognizes them needs to represent them. (A locker won't do - they'll lose the key.)
And if they have no friends they can trust (which is likely) then it probably needs to be a government worker of some sort, who has their photo on the computer.
I mean, unless you want to have retina scans to log into library computers or something. Or really reliable face recognition.
It's only hard if you adopt a one size fits all approach to security.
Google's proclivity towards treating its users as an undifferentiated commodity isn't proof that its users couldn't be treated differently.
There is none. That's the entire point of the post: "something you have" doesn't work if you're at risk of losing all of your possessions at any time. So let them disable 2FA and rely on passwords - or even better yet, provide some way to actually talk to a person and verify identity.
Almost certainly is a bad idea. But the first thing that seems like it could work would be an implantable nfc yubikey. Then making more devices support nfc.
I know I would be pretty tempted to get an implantable 2FA device if one was available and seemed like it would have both broad and long term support.
I can read the headline now
“GOVERNMENT PROGRAM TO CHIP HOMELESS PEOPLE LIKE DOGS TO PROVE IDENTITY”
I implore you to read The Scarlet Letter and perhaps read up on [similar such things](https://en.wikipedia.org/wiki/Identification_of_inmates_in_G...).
Biometric? Amazon One's hand recognition would be a decent solution here, though I'll be damned if I've ever met someone willing to try it. And I ask, every time I go to Whole Foods.
What kind of 2FA would be human-proof?
Also, the tweet uses the word "permanent" but doesn't explain. How is it any more "permanent" than anyone else?
I disagree with the idea that because a very, very niche audience is in dire straits that the design decisions should be based on their needs. The forced 2FA system has probably prevented identify theft and financial loss for a very large number of people. I'm saying this as someone who thinks Google is a shady and dangerous entity in general.
It's similar to the idea that hard cases make bad law.
Turns out 2FA is also being used as a low-effort form of a captcha in addition to being a tool for data harvesting and “device identification”. I wouldn’t be surprised if legitimate users simply never receive a 2FA SMS because someone used a prepaid phone or something.
I pray for the rise of esims! I feel like it's on the cards.
You do need to be able to receive a texted code at a phone number to create a brand-new account. This is to deter spammers from creating lots of accounts. But once that's done, you can remove the phone number from the account.
I also don't use my phone much, and the only reason I even have one of those things is because it's "needed" for so many things.
Yeah, I have no idea why phones still use numbers. It would be so much easier if the same address as for e-mail worked for voice: just add some DNS records to the domain that point at my phone provider and done.
Then again, spam calls would probably be so much worse...
Almost every free email service I've tried now requires a phone number to setup. Even protonmail required it for a brief while, although they now are back to captcha and a stern warning. I actually can't think of another free service besides protonmail that this isn't now true for.
An annoying trick some of them use is to allow you to set up the account and then lock it some time later. I've seen it on immediate login (irritating waste of time) or after you've used it for a while (what you used the account for is now held hostage unless you cough up a phone number).
Among those half a million homeless, how many use gmail and are unable to change for whatever reason? Among those, how many have issues with 2FA? Thus we advocate for increasing the vulnerability of millions to do something that would not even help the homeless that much. The whole problem of having to replace their phones every 12 weeks sounds like a far more pressing issue to investigate and find solutions for.
The homeless are certainly not a niche audience. There might be between 13 and 26 million people in the US alone who have experienced homelessness at some point in their lives [0].
Besides, issues around permanent access to security devices are not exclusive to the homeless. The problem described in TFA impacts a far larger segment of society.
Critical services are increasingly only available online -- and online services are increasingly critical. The people governing access to critical services are willfully ignorant to the difficulties that vulnerable people face, and often make those difficulties worse.
Not very niche.
Besides the fact that this doesn't scale at all, not using gmail is arguably a bad decision. If you have an email address at shiftydomain.com, some services won't accept it because its low barriers to entry may have been exploited by spammers or similar.
They are a vulnerable niche, but a niche nonetheless.
Half of you in here have never met a non-technical user. These folks should not have 2FA on ever, because they can't even use the damn thing with it on.
Yes, those users run a higher risk and should be notified of that extremely clearly. But 2FA is a garbage solution to the problem and it should always be possible to disable it.
I'm going to continue using 2FA happily like most of those in here - but man the lack of empathy is outstanding in here. I feel bad for your users.
And fuck Discord for not allowing me to reset my account with my own damn email address when my phone broke that one time. Total morons, through and through. I'd never want to work with anyone so objectively ignorant and unwilling to admit their ass backwards position.
I find it disturbing to imagine that people are stuck with phone numbers as de facto ID.
Trump for example. Which is why his account was regularly hacked.
Problems would happen when the new person tried to log in to the account. Since the login was from an unrecognized device and an unrecognized IP address, security was tightened. Even after inputting the correct password and entering the right backup email, it was mandatory to enter an SMS message from the phone number tied to the account, even after various troubleshooting and attempted workarounds. That meant getting ahold of the previous executive, who may be busy or changed their number.
You could argue that Gmails weren't meant to be used this way, which is fair; the goal of this comment is just to provide additional evidence that the description provided by the parent comment is true. (In the end, we went for a low-cost, reliable email service to fix the issue in the long-term. We also found that registered non-profits are eligible for free Google Workspace or Microsoft Outlook email plans subject to certain eligibility conditions, though we did not have a need of becoming an officially registered non-profit at the time.)
1) Not providing phone number for 2FA. Never.
2) Using multiple (3 pcs.) physical keys for 2FA (like Yubikey and similar). Authentication app is an alternative for one choice of 2FA (but not the sole one!)
3) Only using a limited set of Google functionality. Use for secondary purposes mostly.
Well, the last one is mainly to mitigate the consequences if it happens anyway, for other reasons too (like with that poor guy who made a picture of his own naked baby for a remote diagnosis with his doctor and Google locked him out for months - and still counting at the time of the article - for child pornography).

Alternatively you can purchase a hardware key and store it in a trusted place, but admittedly they are expensive, so OTBC is the usual route.
I'm logged in to such an account right now and there's no way to do this. The account primary email is also set as the recovery email address and there's no way to add another.
It's actually deceptive to the user to even call it a recovery email address in this case, since Google will never offer to alternatively send a verification code there if the 2FA device is unavailable.
Heck, here’s an idea for a startup: a digital “moving” service. IRL I could pay a company to take everything I own, pack it up, ship it somewhere else, and even unpack it too. I’d like to see a digital equivalent.
A much less critical or important thing, but it underlines the bad attitudes: I just tried to renew my cancelled Netflix membership yesterday. I am not allowed to do that without providing a phone number (I used Netflix for ca. 8 years without it). I do not provide that because I do not want to. I do not tie every aspect of my life to my phone number. In fact I do not want to tie any aspect of it to my phone exclusively. Phone number based authentication is not safe and reliable anyway (it can be lost, stolen, damaged, and then I'll have a cascading effect of problems instantly).
I talked long to the helpdesk lady and the conclusion is that I am not allowed to renew my Netflix account without providing a phone number. End of story.
I permanently remain a non-Netflix user this way. Their loss actually.
(A secondary trouble with them is that they are trying to misinform me, giving false reasons! The support lady reasoned that they need the phone number for validating the bank transaction. Since they - Netflix - want to use this to send a code in a text that I am required to type into their - Netflix - system, it has nothing to do with my bank or with authenticating the transaction! (My bank would never use the phone for authenticating a transaction btw; I am not even sure if I updated my phone number with them, they reach me other electronic ways.) She was just bullsh%ting! Also the renewal pages stated differently, saying that authenticating my account is where the phone number is required. Not to mention that a friend of mine registered recently and for him the reason to register a phone number was to retrieve password recovery messages. Three sources, three different reasons, one of them complete bullsh%t. Very repelling kind of practice, I am actually glad staying away.)
(A third smaller aspect was that the helpdesk lady tried to interview me about my phone usage strategy and my reasons instead of answering my question about alternatives. It is not her business how I use phone and trying to pressure me into some rigid lifestyle strategy they determine. There are many alternative ways to carry out the same task, they should provide more and better choices.)
If you've got some spare time, have you considered taking them to small-claims court for refusing to cancel your membership and still charging you? It'll cost them a huge amount if they show up, and if they don't then you get a judgement against them by default. Or if you signed some contract agreeing to only use some Netflix-specified legal intermediator, use that.
If everybody who was screwed over by tech companies took legal action against them, it'd cost the companies a huge amount of money and they'd have to improve the way they treated people.
No ads, easy to use, free, and doesn't require a phone number or email.
Phone numbers are often included in billing address inputs, so I imagine it's at least logged in the bank's system and perhaps used as a heuristic signal for fraud.
I've been caught out recently twice: once I was away on work and had to access my email. Google demanded that I verify it using my phone that I'd previously accessed my work email with. However, this phone was just a phone I use for development, had never had a sim card inserted, and was on my desk at home. I hadn't agreed that it should be used for 2FA. It was tremendously inconvenient because I needed to find where my hotel was.
Another time recently I managed to destroy my phone in an accident and got the phone replaced. Despite taking the sim card from the old phone and putting it in the new one, doing a factory reset on the old one, and it not being active for a week, Google still demanded I 2FA authenticate on the old one.
I feel these problems could have easily been avoided, but it's typical latter-day Google experience: a tin ear for the customer experience and a general attitude of automation knows better than users.
I've never seen this issue. I don't have 2FA enabled for any personal Google account. There are some dark patterns to try and get you to enable 2FA that I don't agree with, e.g. a big "add a phone number to your account" page after you log in, with a small "skip for now" button at the bottom.
If you delve though GMail's settings, under "Sign-in and recovery":
Trusted mobile devices
Google can verify that it's you by sending sign-in notifications to a private
phone or tablet. You can remove it in your recently used devices.
There's no way to turn it off as far as I can see. You can remove a device from the authorised list, but that's not very helpful if you don't realise that it's been added.

It's idiotic. It's essentially: "confirm that you're allowed to access your email by confirming that you already have access to your email".
If you are wondering how I authenticated in the first place onto the burner, I used TOTP, but it would not let me use it again; it wanted my burner.
Google then decided that it was going to ignore TOTP set up and prefer the "Trusted mobile device."
In a way it actually made my account less secure, since that was a testing device and had no passcode on it.
And maybe the government should consider providing an email account too. The cost would be negligible compared to buying people new phones every 12 weeks...
You can force people to use 2FA, but then you discriminate against people who can't. You can build an account recovery flow that requires government-issued proof of ID, but then you sacrifice privacy. You can do neither, but then you make accounts easier to compromise and harder to recover. There's no good solution here, it's all tradeoffs.
Captchas are another situation where this problem arises. You can implement easy audio and text captchas, available in all the languages your signup form supports, but then you get a lot more fraudulent signups. You can eliminate captchas altogether, relying on invasive user fingerprinting instead, but then you sacrifice privacy. You can do neither, but then you discriminate against visually impaired users. Once again, no good solution, just tradeoffs.
Most of us have at least one email account that's already under our real name, where we have no big interest in hiding our real identity, but we do have a big interest in not being randomly shut down by Google. We hear about such shutdowns every few weeks on HN, if not more.
Google has unfathomable financial and technical resources, much of which goes to projects of speculative value at best. I can't help but feel that they could provide a slightly more customized login experience to help diverse people with diverse needs.
But most people aren't aware of any of this, choose the one they know of or see first, and get angry when 'it doesn't work right'.
Like OP said, all cover is temporary.
If you've ever tried to teach an old person how to use 2FA you know it's an uphill battle. Using a fingerprint reader isn't even doable for some. And we're all going to be old one day.
Practically, we need ideas like 2FA to gain traction as widely as possible, while realising that isn't everywhere. And some people will never use 2FA, need higher thresholds for triggering lockouts, and need alternative methods for re-establishing identity to their ID provider (Google in this case). For some people that might be their local librarians or community shelter, legal aid groups, and banks.
The problem here is that misapplied empathy can lead to terrible decisions. Having Google change their 2FA system for this group would be one such decision. It's similar to the 'think of the kids + terrorism' attacks on encryption. It's socially difficult to argue against these ideas because you are then labeled as a terrible and non-empathetic person, but the solutions themselves make one other thing worse without really being helpful other than for garnering retweets and likes.
In this case, we actually aren't being ambitious enough. Why are we having a system where we give out phones every 12 weeks to each homeless person? We'd probably save money for the program by developing some sort of dedicated device designed to be harder to steal or lose. Maybe a high-autonomy low-powered KaiOS smartphone that can be attached as a strap? It's not like the current devices are working.
Why is it such a hassle to keep the same number after a theft? We could investigate there too. Improving this would be better than decreasing the effectiveness of gmail's measures.
Heck, if we want to focus on Gmail, why not focus on why it's the default choice for the homeless to begin with, as opposed to removing features.
We could try to solve the problem structurally but we prefer the caseworker approach, because it's more easily packaged 'empathy' than actually fixing the homelessness issue. It's like people who travel to developing countries to 'help', when the locals need investments and training facilities, not extra warm bodies. Actually giving homes to the homeless would probably be cheaper than whatever we are doing now, even taking into account the mental illness and drug-abuse problems that factor into this.
Google could put a toggle in Google Account settings titled something like "Allow anyone who knows my password to log in to my Google account (less secure)." It could sit above a description of the risks involved. It would need to be disabled by default, and it wouldn't help users who don't know about it. It certainly would not fix homelessness in society. But it would do a lot of good for a lot of people!
Would this option lead to some increased number of hacked accounts? Probably, but these would be accounts that explicitly opted in to that risk! I think it's excessively paternalistic to not provide the option. Every life situation is unique, and people know their own lives better than Google does.
This point is worth reiterating. Homelessness can be solved by providing housing. Yes, homelessness is a complex multi-faceted problem, but the first order solution to the problem is to provide housing.
Homelessness is a problem with huge externalities to society. Put another way, homelessness is an enormously expensive solution to the problem of providing space for humans to live.
Mark spent considerable time earning the trust of LA's skid row population – a large roadside tent community – and has a series of 1:1 interviews with a slice of the population, exploring their histories, challenges, preferences, and culture.
Mark doesn't believe that many (most?) of the skid row population would benefit from being provided with housing, and that issues of trauma, mental health, and childhood family environment are what he believes would have the highest leverage on the problem.
This is of course just one perspective on the problem, but Mark's perspective taught me quite a bit.
It could be opt-out.
> It's similar to the 'think of the kids + terrorism' attacks on encryption.
No, it's not. Nobody choosing whether _they_ enable 2FA affects your decision to use it or not. It's more like forcing drugs down somebody's throat because you believe it benefits them and everybody else is doing it anyway.
> Why is it such a hassle to keep the same number after a theft? We could investigate there too.
Sim-jacking. Somebody could claim to have lost it and just take your number. This has happened before. The problem of authentication is fundamental in security and Google are just passing the buck onto phone service providers.
> Heck, if we want to focus on Gmail, why not focus on why it's the default choice for the homeless to begin with, as opposed to removing features.
Because it's free and the emails don't bounce. Most big tech has 2FA now.
We have to break out of the stereotype that homelessness is a city problem. It isn't. Far from it.
Homelessness is more obvious in cities because there are fewer places for homeless people to be. But there are plenty of homeless people camped out in rural and suburban towns, if you know what to look for.
I recently lived in a snooty city suburb where most of the homes cost from $600,000 to $10 million, and guess what — the drainage tunnels beneath the Home Depot, the maintenance underpasses in the parks, the undeveloped wooded lots were all full of homeless people.
Promulgating the notion that homelessness is a city problem is what allows suburban and rural politicians to cut funding for homeless services because "it doesn't affect my constituents."
Google isn't requiring specific 2FA data, like address, because they are stalwart guardians of data. They are harvesting data because that is their business.
The homeless don't have enough data to be of value to an entity like Google.
E-mail needs to be a regulated utility, given that getting locked out of one’s email happens all the time with catastrophic consequences.
That's not the problem, that's a vague wave at a generic class of innuendo that could be used just as easily to rationalize not allowing your child to eat ice cream or Japanese internment. You have to make the case why Google changing their 2FA system is so much more important than the homeless having phone service, you can't just say "sometimes, empathy can be bad."
I'm not getting that from the rest of the comment, which seems like a gish gallop around a bunch of other things that we're also not going to do for the homeless, and about which you or somebody else can say "it's only human to be worried about other people going through these issues, but empathy can be bad. The answer isn't that HUD should change the second line of the third section of Form B, it's that we should fix the homeless problem completely."
edit: We can't use as an excuse for not making small changes that we should be making larger changes. The excuses that one makes to avoid making small changes will apply more so to larger changes.
You're putting the cart before the horse. The far simpler solution is for the government to provide the homeless with email. Now the auth can work however you want.
Also, homelessness isn’t the problem we think it is. It’s millions of problems. Any solution will never help more than a subset of the homeless population. We need to iterate on small solutions to make progress.
May I introduce you to the concept of scissors?
Let's say I care. Let's say I care a lot. I care so much that I'm willing to make it my personal problem to address the very real, very pressing needs of a critically vulnerable and marginalized part of my community from inside Google.
What am I going to do? Is anyone going to be happier if I stand up and proclaim loudly how much I care? Probably not.
Could I say "Gee, what if we just let everyone put themselves in the group of people who don't do 2FA"? Yes, if I wanted to be responsible for a lot of people not securing their accounts. Could I outsource identity verification to a wide assortment of groups (libraries, non-profits, etc.)? Absolutely, so long as I'm alright with this being used to gain improper access to a LOT of accounts outside the target segment. Could I offer more password chances and friendlier lockout times? Sure, so long as I'm OK with the negative consequences of this for a lot of people.
OK. Let's end the game now. We don't really have any major steps towards real solutions here. Empathy is very useful for showing where a problem is. Demanding what amounts to lowering the global bar for account security is perhaps not the ideal approach here.
Sometimes problems are just hard. Taking ownership and feeling empathy and sincerely wanting to solve the problem does not render them easy.
If you don't know how to control what happens in the park you build, then the park will be shut down.
In the case of Google it's not hard to speed up the process of shutdown. I just encourage them to keep working on more and more mindless ivory tower trash like Pixel phones, watches etc and inject more Ads into everything. They don't have the imagination for anything else but want a pat on the head for whatever they build. Give it to them.
As I wrote, THIS WOULD NOT BE THE DEFAULT. It is quite possible to pre-nominate the specific groups that can allow unlocking of an individual account. And that's all it is, account unlock when they use a new device, or putting the account into PW-only mode for a period.
If the PW is forgotten you require a higher level of identity verification, like a bank/USPS/DMV process.
Facebook already has this enabled, you can have a friend/family member (or two of them!) validate your account.
If you're determined not to find solutions then you won't progress.
"Sometimes problems are just hard. Taking ownership and feeling empathy and sincerely wanting to solve the problem does not render them easy."
No one said it did and it's better than not caring at all.
Recent story was a 65yo+ veteran living in a shelter. They hadn’t started collecting social security due to some debts and were worried it would ALL be garnished.
After explaining that veterans get expedited in line for housing and that they would still get almost all of their SS, they have applied for it and should be housed soon.
It doesn’t surprise me at all that 2FA causes problems after hearing many stories similar to this one.
Is this common? I knew a guy who had the same mindset. I ended up paying him in cash for some work; he was convinced that if he made any money in a traditional role it would be instantly garnished.
This is not black and white. It is possible to encourage 2FA but allow to opt out. The same for phone numbers.
And that's why companies enforce 2FA: they want your juicy phone-number or other data. And yeah, maybe they also want to reduce support costs and avoid bad publicity. Still, it's not in your interest, it's in theirs.
If they would at least allow for a sufficient number of options. Like paper TANs (even self-printed), a YubiKey or similar, a second email address, an authenticator, ... but even big companies often only require a phone number.
EDIT: Yes, Google offers more than a phone number when creating a gmail account. I didn't say they don't. However: they don't make it easy and I would even go as far as saying that they are evil here. If you don't believe me, try to create a gmail account right now and don't google/search how to do it without phone number.
The key takeaway is not about how we should promote 2FA or how we should promote long-ass passwords, the main issue at hand is Google's neglectful lack of customer support.
I was once caught in this nonsense many moons ago. But I learned my lesson, I absolutely do not rely on any Google products for anything that has any potential to impact me personally (with the unfortunate exception of the Android OS on my phone).
Google as a brand is absolutely dead in the water for anyone that has woken up from the 'Don't be evil' kool-aid of the early days.
Sometimes you have to make hard choices where some people get burned because the alternatives are worse. That doesn’t mean you don’t care.
I'm in my early 40s, computer programmer, and I've temporarily lost access to my WhatsApp account because I don't have a recent enough mobile phone, and the phone that I do have doesn't have a relatively recent OS installed.
It's a 4-year-old (I think I've had it for 4 years) iPhone SE, on which I never updated the OS because I hadn't felt the need to do it. When I started getting pop-ups saying "hey, our app will stop functioning on your phone unless you upgrade the OS" it was already too late for that; I was afraid that upgrading the phone to the latest OS would cripple it permanently in terms of performance (the battery is already on its way out by this point).
So, assuming I get to 70, in no way will I be up to date by then in terms of having the latest OS installed and all that crazy stuff, who has the time and the nerves for that? (especially the nerves).
The DMV works with people like this all the time; perhaps something could be done there where you have a government issued email address that you can't lose or be locked out of (worst case you take your ID to the DMV and the nice clerk helps you reset your password/sign in).
Google is already providing a free service to homeless people. It's not empathy to tell someone else to solve a problem that you care about. That's virtue signaling. If he cares, he should take matters into his own hands.
Is it too much to ask a single person to build a free email service for all homeless people? Perhaps, but the good news is that he doesn't have to. Google already allows you to disable 2FA [1]. He could have started a campaign to disable 2FA on homeless people's phones, but instead he uses this as an opportunity to shame Google to boost his own Twitter follower count.
I think that empathy is highly overrated. I doubt anyone notorious for flashing their big Johnson is particularly empathetic, yet LBJ expanded social services more than any other President. The problem isn't that people have too little empathy these days. It's that people are too easily impressed by broadcasting their intentions rather than actually trying to solve a problem.
What's stopping any of those groups becoming a homeless person's 2FA?
It’s a problem all around - the elderly are most vulnerable to the types of account takeovers that MFA will prevent.
UX for good security can exist, but it does need a little bit of education.
We will all be old one day but I have trouble believing we will just forget how to use computers. On the other hand, we do need to carefully consider the role google plays in our lives… especially for us Europeans, who are just at the mercy of a US company’s whims.
I think we also have to realize that not everyone who is homeless has problems that can explain it away.
It's easy to look at someone who is homeless and tell yourself, "Oh, he's a dope addict. He did this to himself." It's only very rarely true, and you're only making excuses for not helping another human being.
Just last year there were newspaper articles about how a shocking number of perfectly normal public school teachers in California live out of their cars, just because they cannot afford a place to live on what they're paid.
Most people, especially in the SV bubble, would be shocked to learn how many of the baristas, maids, security guards, convenience store clerks, and other people they encounter every single day are homeless, living in their cars, or sleeping on other people's couches through no fault of their own.
If we can "solve" the problem for the dopest of dope addicts, the problem will also be solved for the homeless barista.
That still doesn't solve the problem for homelessness, of course.
That's just one opinion on security. You see this world where Google is an identity provider, and you prove your identity to it via a librarian or bank. I don't. An internet service should absolutely never require any form of government ID nor a separate network like cell.
But not for ALL people. Just for the people who need it.
You keep using TOTP and GPG email all you want, just don't get in the way of them getting basic services like social security.
No, 2FA needs to die in a fire. Easily circumvented in most social attacks that actually matter, false sense of security, massive timewaster/usability-hell/pain in the butt, acts as a novel social/corporate/accessibility barrier to technology for a large number of previously unaffected groups, and poses a threat to software freedoms.
There are many ways to strengthen security and this has got to be the shittiest one.
Downgrading security for the benefit of a tiny minority with an especially ridiculous use case is not the greater good. If the homeless people think they are at risk of losing their phone then they should pick another free email vendor.
1. Vulnerable populations need more assistance accessing essential services required to participate in society
2. Service providers need to maintain a reasonable level of security for their customers
Can both be true. Saying that maximum (or minimum) levels of security are required at all time completely misses the point of security--which is to mitigate risk. How much risk is appropriate varies a lot by context.
Beyond the context of risk, there is reasonable debate to be had on how to best provide access to essential services to vulnerable populations. It's pretty important to have an email nowadays and if you're not tech savvy or an individual/community has little to no money to spend it's not unreasonable to have the reality of the matter be that there may simply not be many good alternatives (or awareness of alternatives) to GMail.
I'm not sure what a correct answer here looks like, but I don't think ignoring the need is an approach that gets us to a better society or enables vulnerable populations to better care for themselves.
A lot of the downsides are mitigated by using Google Voice as the SMS number, since attackers can't migrate your number away from Google.
But in general, I totally agree with you from a security perspective. I just think that it's a difficult thing to get people to use authenticator apps. Apple has resorted to baking the functionality into their OS.
And that's disregarding the elephant in the room, i.e. Google inevitably pulling the plug on Voice at some point.
1. Somebody has a phone
2. Somebody has a smart phone
3. They are in contact with the phone 24/7
4. They are the unique user of that phone
5. The SIM card and/or number cannot be taken from the phone (virtually or physically)
I currently have to use this for work, with the only positive being that if I get locked out, I can go tell the admin team to let me back in. With someone like Google, it's not even possible to get them on the phone to explain, let alone have them believe it is really you.
The tough issue here is that these access edge cases look a lot like malicious use. They aren't, but authenticating someone who has no device or ID or really much else to authenticate themselves is a Hard Problem. Passwords also aren't the solution here, the industry is moving away from them precisely because they provide poor authentication, particularly for vulnerable people.
A library solution may not scale. Sure, a librarian might develop a personal relationship and do this as a favor for someone. But the author mentions talking to about 30 people with this problem in his neighborhood, which suggests that if word got out a librarian was doing this and they tried to institutionalize it, a library might have to store codes for dozens or hundreds of people it has no way to authenticate.
It wouldn't be a librarian doing someone a favour, but rather a service that libraries provide.
This could be a great evolution for libraries. They are already a distributed, public system, that people in general trust, but their role in society has changed with the rise of the internet and online services, and this could be a really useful role they could fill.
Defining a state-sponsored email account that can only be logged in from specific government machines (imagine a kiosk at the DMV, say) where there are trained clerks who can identify homeless in some way could work.
If the person has ID, then many options work, but if they don't what can a DMV and trained clerks do that others can't in some way?
Lastly, I'm not from the US but even I've heard that the DMV is a hellish place with queues hours long. Putting more barriers in front of those who are already in a tough spot (and may need to spend that time working, queueing for shelters, etc) is a big ask.
When setting up Thunderbird, I've had multiple Google accounts lie about suspicious activity and demand I go through about 10 captcha checks and enter my old password and answer my security questions and verify my phone number. After passing all of that without error, they STILL won't let me log in with a blanket statement about security.
Why oh why would they ask users to jump through extreme hoops just looking for any possible questionable failure to point to as an excuse, but still reject you after passing everything? If you're not going to let people use their account, farming free AI detection and personal information out of them doesn't seem like a legitimate tactic one should be doing.
They discriminate against some phone numbers too. They have to be in whatever they think the correct country is, they often can't be VOIP or VOIP-related, and there are unknown blacklists of some famous numbers sometimes.
What happens when we run out of phone numbers? I won't be surprised when accounts start getting banned for "sharing" or "ban evading" phone numbers (aka getting a new phone number for any reason) because it screws up their ad tracking of you... Or they'll force you to first log into an account in order to delete it even though it belongs to somebody else. Or your new phone number you bought specifically for authenticating a separate account is banned (just like voip number) because a previous user was banned using it.
We shouldn't have to rely on Gmail for what may be the only way to get information about/apply for basic government services!
https://www.congress.gov/bill/117th-congress/house-bill/4258
The majority of companies seem to view email addresses and phone numbers as largely permanent identifiers.
Then there are the companies that actually provide you those things. To them, what they provide you is definitely not permanent.
The whole reason I use an authenticator app is so that my accounts aren't dependent on having the same phone number forever!
We should not be treating phone numbers as SSN round two, where everyone relies on it for your identity, and it should never be changed because of how much shit was needlessly tied to it.
I rue the day I need to change my phone number and my digital identity becomes a huge headache, especially for far flung services that decided they wanted my phone number, but I wouldn't have considered going explicitly to them to update it.
I'm not proposing a solution for the real issue, simply a way of making things easier for people who have a hard enough time already.
Google's authenticator app is brain dead because they want to encourage 2FA over SMS. Why? Because it has the wonderful side effect of destroying your privacy. With your phone number, Google can easily identify you personally. Ain't that special --- privacy invasion wrapped up in security clothing! Much too tempting for Google to resist.
Google didn't invent OTP so there are other apps that are perfectly compatible.
Word to the wise, it should be obvious by now that all things "Google" are synonymous with "privacy invasion".
The lack of key backup and restore is one big reason not to use Google's authenticator app. Other compatible apps are not so brain dead. I back up every time I add a new sign-in.
If you don't have the ability to sign in from multiple devices and the ability to install access onto any new device, then you're doing it wrong.
Phones are highly portable devices subject to being stolen, damaged or just dying for no obvious reason --- so always be prepared. This is simply not possible with 2FA over SMS.
And since it's always more productive to assume malice, not stupidity — obviously, this is the point. Somebody wants you to depend on your phone number, something you don't really control and cannot easily change. This isn't about comfort and security, it never was. What else is new.
But, I mean, if I have to pretend that it's not about me, but about homeless people for something to be changed — I guess I'm homeless people's rights supporter #1 from now on.
One of the worst examples I've heard is that Overwatch 2 not only requires a phone number, but they actually check with your carrier if it's a prepaid number, and if it is, you're banned. Sorry poor people, Blizzard doesn't want scum like you playing their game.
Assuming someone's phone number never changes, or that they'll have access to their old and new numbers at the same time, is simply wrong and does not work.
I haven't been locked out of Google yet, somehow, but maybe it's just a matter of time.
Maybe my house will get burgled, maybe I will lose all my stuff in travel, or a fire, or ... I don't know. Email is kind of the key to everything, which makes 2FA important, but it can also be a huge pain in all sorts of exceptional situations, and losing access to your email often means losing access to lots of other stuff, too.
I feel account access is still an unsolved problem; 2FA is a meh stop-gap solution at best with lots of trade-offs. Ideally your account should be tied to your identity (e.g. passport or the like) in a privacy-secure manner.
Or, he can safely store their 2FA backup codes in his house.
The homeless make up like 0.1% of society. And not every homeless person has this issue. It would be insane to make any feature for like 0.02% of the population. Especially a feature which diminished security. Because yes, those 0.02% of people might have an easier time accessing their accounts, but probably 100x that amount of people are going to end up getting tricked into de-securing their account, or do it by accident, and end up getting compromised.
> Or, he can safely store their 2FA backup codes in his house.
Why even have security? Your solution practically screams for those 30+ people to be taken advantage of.
Just use a different email provider whose procedures align with how you regularly change your phone number.
Why have security? So some random, untrusted person can't compromise the account. If Chad holds the codes, then only he can compromise the account, and maybe their relationships are good enough that they would trust him.
Using a different email provider also works, but I assumed there would be some reason that doesn't work - Android effectively has a built-in Gmail client, non-tech people might just autocomplete "@gmail.com" and mess up someone's address if it is a non-expected domain, etc.
I don't work for Google, and recognize they have many other issues, but this person on Twitter is incorrect. There are other methods in addition to backup codes. There are voice authentication and ID upload. I've even had Google call me back, and I spoke to a person who manually authenticated me.
This particular system isn't broken.
Of course, there are many other email providers. Why would someone keep choosing the same provider, when it doesn't act in the way they expect?
But, I mean, why are they not railing on the phone companies, to make it easy for the homeless to keep the same phone number?!
Why is this Google's fault?
======
Addition, 08/02/2022, 3:03pm: I don’t know how this got shared to HackerNews. I appreciate all of the positive responses we have gotten. However, this was not an open letter. It was meant to be shared internally to Google. It went directly to the security team and we had a conversation about it about a year ago. Things have improved significantly since then and this is no longer a daily problem. Please stop calling the branch or emailing me about it. It’s interfering with my work. Press inquiries can be made through https://libwww.freelibrary.org/contact/ and the public relations department will be in touch with you.
If you want to learn more about patron privacy and support librarians advocating for patron privacy and against big tech please check out https://libraryfreedom.org/ which is a wonderful organization I am a part of that does work like this. I still firmly believe in and stand by everything that I wrote. But this particular action was not meant to be a public letter.
Also! If you’re in Philadelphia you should check out this big program we’re doing on August 12th called Empathy Versus Misinformation where a panel of experts will address questions and misconceptions about transgender youth!! Boy am I relieved that this was a Google Doc and I can just put whatever I want onto the front page of HackerNews now :)
People lose their phones all the time, I personally lost countless phones, and I am very far from being homeless.
The problem is forcing 2FA on everyone.
Google is actually doing much better than the competition here in many aspects (e.g. it is possible to operate a Google account completely without a phone number for 2FA or account recovery), but as far as I understand, one is still required to initially create an account.
This is only true for a limited time. I've tried to use a couple Google accounts this way and inevitably I log in from a new IP and Google's 2FA system kicks in - forcing me to either furnish a phone number or lose access to the account.
It's similar to how Twitter forces phone numbers out of people - just not as immediate.
These spy phones and the apps they peddle have become a plague upon humanity. They use addiction and coercion (denied services) to keep you under their spell. The worst part is that they are being forced upon our children, way worse than the tobacco industry ever tried.
For over a decade, I've been using my Google Voice number as my identity, with whatever number is on whatever SIM I happen to have at the time being an implementation detail. Ticketmaster doesn't accept that, so now I have to schlep myself over to the venue (which often includes a bridge toll) to buy tickets at the box office. It's infuriating.
I believe Credit Karma Tax also had this problem, which is moot now that Square owns it (since Square doesn't have this problem).
With Passkeys, your credentials will automatically sync between devices. So as long as you have some way to log in to your main account (Apple/Google/Microsoft, etc.), then you should be able to maintain access to all other accounts, even if you’re always moving between devices.
And there is a solution to the single point of failure problem as well, because there is a built-in flow where you can copy the credentials to other platforms, in case you lose access to your main account.
The newspeak is strong with this one. There was never anything wrong with the word homeless.
Have progressives gone too far?
For example, if Google wants people (who have a tendency to lose their 2FA devices more often) to always use this feature, and in case they lose access to their device, they could use a trusted designate who can verify on their behalf that they are the ones signing into the service. But then again, this alternative will impose some new challenges such as:
- What if the designate is not available?
- Designate is available but also lost their access to verify the other person?
As with this case being raised here, it will always be a process wherein Google (or any other organization) will have to explore and find meaningful solutions that are both inclusive and considerate of specific conditions.
The variability alone of such a premise is so huge that I am quite sure when the next edge case comes up, there are other edge cases boiling down that will become the next set of issues.
To you and me 2FA doesn't seem that complicated. But to less technical people it's just overwhelming and they don't want to bother with the learning curve.
For that situation no 2FA solution is going to work.
They get phones from a government program. Each new phone has a new number, and due to the above challenges, it'd be challenging to port numbers and keep a consistent number.
Authy accounts are keyed to your phone number, and to set one up on a new phone you have to receive a verification call/text.
EDIT: It looks like you can turn off 2FA, I think I'm going to do that now so I don't get locked out of my Gmail.
E.g. John.doe1234@people.gov
There are many other usable (and free) email providers out there. It doesn't have to be Google.
I mean I've always fantasized about getting NFC into everything so that NFC-based tags could provide convenient "something you have" taps. Like, give me a simple ring on my finger to tap-in to a scanner on my keyboard rather than having to meander through an app on my phone.
The other problem is that with every org running their own auth systems, if you're trying to help a person with this problem you have to set them up on a dozen services. I really wish something like Mozilla Persona had took off.
Since I've been able to keep the same number through various phones and SIMs, this seems technically possible.
The government has the resources to navigate complex situations that digital safeguards can’t.
If someone has no paperwork, lost the device they made their account with, and cannot remember a password they made—no tech company has the resources or expertise to handle this at scale as well as local institutions can. If someone needs to take over an account of a loved one that they have legal guardianship of, you don’t want a support agent at a call center to make these decisions.
Similar idea behind web-of-trust or multisig cryptocurrency wallets, except without the cryptographic mumbo-jumbo.
Isn't there a service like this already ? If not, there is your billion dollar startup idea.
Reminds me of a case in Moscow (iirc): a homeless guy bought a gym pass that came with a locker, and was storing his things in said locker. The gym administration decided to deny him this arrangement, but he sued them and the court said “since the locker is in the contract, it's his privilege now”.
Even backup OTP keys would be a challenge in this scenario.
What solutions would help with this? I would think even having two passwords on the account (as in you need both to log in) would be an improvement over plain password auth.
Just stop using Gmail. Here is a very small number of other providers: https://www.ionos.co.uk/digitalguide/e-mail/technical-matter...
Google is not being immoral.
The homeless people can use a different service.
Dealing with the use case of someone losing their phone every few weeks when you have billions of others to worry about is unreasonable. I think handling that situation should be considered out of scope.
And if they don't give a list of "workable free email providers" then the government has failed.
Imagine the howling if you had to have an email address to vote.
GMail offers backup codes to somewhat solve the phone number problem by the way.
Allowing for a case-worker, for instance, to act as a secondary 2FA method, and making it easy for the custodian to update the users information.
Wouldn't be all that different than corporate ownership policies or family accounts.
None of these folks are desirable advertising targets.
The reason this is not offered (IMHO) is that a lot the use (on the users side) of 2FA is from people that want better security, while a lot of the push (on the developer side) for 2FA is from people that would like to see the use of passwords almost disappear.
The only way to win is to not play the game.
IMO this approach would be a good way to confirm identity over a sms.
It's all so tiresome honestly. One of the absolute worst things about western culture is the apparent creeping obsession with political correctness that has been escalating for the past few decades.
If only more westerners were like the great George Carlin. Grateful for once to live in the third world.
This is why every app and vendor asks you for it.
I change mine every 90 days.
As a result I planned for that phone stopping working, and my understanding is that I will be able to emergency-2FA with those codes once it breaks. Am I wrong?
What are the best available alternatives?
There are many other (free) email providers. Not all require 2FA via SMS.
How many homeless have been so for longer than four months?
In this case it’s not even a criticism of Google. I don’t see an easy solution here that couldn’t introduce a more gameable system for hackers.
It sucks, but there are alternatives besides gmail and if google is going to spend time on this, I'd rather they not and instead spend time on getting homeless into homes.
Why not lobby those engineers and product managers to improve something that they actually have agency and arguably a mandate to improve, helping users homeless and otherwise?
If they do so, I would rather they put that money into actually helping the homeless.
I also wonder if this person on twitter would be willing to let his friends use his email or phone.
The homeless have challenges, no doubt, but that does not imply google worrying about 2FA for the homeless is the best way to solve those challenges. It wouldn't even BE an issue if they weren't homeless in the first place, for example.
My solution to this problem was simple: don't use Google. Use Yandex instead because they never require a phone for 2FA and they allow you to set your own custom security questions for account recovery as well as link a backup email account to reset your password. It would be trivial for Google to have these features too, but they won't because this is about spying and tracking and controlling users by forcing everyone to use a SIM card.
The Federal Govt doesn't "give" you a free phone. Cellular carriers give you the phone and the service when you sign up at one of their kiosks usually setup outside local Govt offices that provide services to the homeless. Like the food stamps office.
So you sign up with T-Mobile or Verizon or smaller carriers nobody has heard of and you get your cheapo off-brand phone with low specs like 1GB of RAM and 3GB of cellular data per month. Great, that is an amazing way to help the homeless since doing everything requires a cell phone now.
But when you sign up, the carriers require you to provide a currently valid food stamps EBT card and a govt ID like a driver's license with your mailing address on it. They mail a form to that address within 60 days that you must sign and mail back to them to prove you are who you claim to be. I guess this is for fraud detection.
But if you are homeless, then obviously you will never be able to receive that form in the mail to prove you are who you claim to be. Then after 90 days if you have not returned your form in the mail, your free phone service is terminated.
You can immediately go and get a new Obamaphone, but you will have a new number and a new account. There is no way to port your old number because each carrier has totally separate systems to store your account.
This whole Obamaphone program is extremely wasteful because it is intended to help the homeless, but it is implemented to force the homeless to constantly churn through getting new phones every 90 days. I went through several different Obamaphones because of this. Typical Big Govt inefficiency I guess.
It is too bad that Google is so obsessed with spying on people and blindly trusting SIM cards because you can still use Wifi on an Obamaphone that has been deactivated for cellular service. I don't know why Google refuses to base 2FA on something other than a SIM card. They already control the hardware through Android, so the phone hardware IMEI ID itself should be able to be used as a unique identifier.
Unmoored, trillion dollar megacorporations on autopilot like Google, which are managed by multimillionaire executives living in Silicon Valley and staffed by millionaire developers designing these systems of global information control, do not think of the use case needs of the poorest, disadvantaged users who fall through the cracks.
I think it is fair to guess that many people reading this have achieved some level of success building solutions to technology problems. Much like solving for malicious use for the average user with 2FA - or privacy with things like protonmail - why shouldn't some of us attempt to solve this rather than expect/complain that Google hasn't?
Mail hosting isn't particularly expensive - companies like mxroute are sub $1 per GB per year with deliverability, etc taken care of - or at least well enough to make it better than constantly changing addresses.
I know that I personally would be willing to invest time and non-trivial amounts of money to offer a solution and gauge adoption and feedback.
Some opinions (open to feedback!) on where to start:
1. Use existing mail provider from the start - mxroute looks like a possibility
2. Overprovision storage by some reasonable factor - say 1GB accounts with 10x overprovisioning - interested to hear from those who know more than me about this but I wonder if more unhoused/homeless people generally use email for mostly transactional purposes not 20mb JPEGs, etc.
3. Ensure the webmail interface (possibly build it) is Ultra simple and Super accessible - screen readers, text to speech, and of course mobile first. Again I (perhaps naively) imagine that features like tagging, rich content composing, and filtering are super low priority here.
4. Have a sign up flow that is mildly fraud resistant - mobile number verification (VoIP not accepted) with a cool off before it can be used for another account (how often do Obamaphone numbers rotate/deactivate once stolen?) and an (accessible) captcha type system to avoid mass sign ups. This could then in V2 be expanded to include more corner cases - possibly invites in lieu of phone numbers, etc. If fraud/spam became an issue it should be easy to detect given these will generally be low volume users.
5. Require only a modestly secure password for login. Use malicious use detection to trigger recovery/verification mode (see next).
6. Have a recovery/verification mode that fits the user group - need ideas here - but 5 questions that you have to answer 4 of and have some verification that the answers are not just simple words at setup? Combine that with verify with a real (but possibly different) mobile (non-VOIP) number that hasn't been used in X days to verify another account? Trusted friend recovery address? Seems like lots of possible solutions to explore here, and no doubt lots of people smarter than me who could provide ideas.
Is there interest in doing this? Am I the only one that feels frustrated when we (including myself) debate what google should do, or why people are unhoused (or what to call people who are) when many of us are capable and financially able to at least try to offer a solution?
With 500k-1M homeless/unhoused in the US (no reason it couldn't be international, just starting somewhere) - let's say it was crazy successful and had a 10% adoption rate of actual active usage. Maybe that's 7.5 TB of storage. I'm sure a reputable provider would be willing to partner to provide that at $1/gb/year or less (plus hosting webmail, etc) - I'd be willing to pay that bill personally for that kind of adoption/benefit. Would others? Would others dedicate their time?
Homelessness is multifaceted - that seems to be the one thing everyone agrees on - so offering possible solutions to any given facet - from fragmented communications to safe shelter - is at least a start and possibly a small part of making a difficult life situation a little easier to overcome/deal with.
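A sketch of items 4 and 6 of the proposal above (a cool-off on the verifying phone number plus a 4-of-5 recovery-question check) in working code. This is an added example, not code from the commenter or from any real provider; the 30-day cool-off, the stand-in VoIP prefix list, the weak-answer list, the US-only number normalization and the PBKDF2 parameters are all assumptions.

```python
import hashlib
import hmac
import re
import secrets
from datetime import datetime, timedelta

# Assumption: a verified number may back a new account only every 30 days.
COOL_OFF = timedelta(days=30)
# Assumption: stand-in denylist of VoIP prefixes (555 is a fictional block);
# a real deployment would use a carrier line-type lookup instead.
VOIP_PREFIXES = ("+1555",)
# Assumption: PBKDF2 work factor for the stored recovery answers.
ITERATIONS = 100_000
# Assumption: tiny sample of answers too common to accept at enrollment.
WEAK_ANSWERS = {"none", "password", "dog", "cat", "blue", "pizza", "1234"}


def normalize_phone(raw: str) -> str:
    """Reduce a user-typed US number to E.164 so '(415) 555-0123' and
    '415.555.0123' count as the same number for the cool-off check."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError("expected a 10- or 11-digit US number")
    return "+" + digits


class SignupGate:
    """Remembers when each verified number last opened an account."""

    def __init__(self) -> None:
        self._last_used: dict[str, datetime] = {}

    def check(self, raw_phone: str, now: datetime) -> tuple[bool, str]:
        phone = normalize_phone(raw_phone)
        if phone.startswith(VOIP_PREFIXES):
            return False, "voip"
        last = self._last_used.get(phone)
        if last is not None and now - last < COOL_OFF:
            return False, "cool-off"
        return True, "ok"

    def record(self, raw_phone: str, now: datetime) -> None:
        self._last_used[normalize_phone(raw_phone)] = now


def normalize_answer(answer: str) -> str:
    """Lower-case, drop punctuation and collapse spaces so 'Mrs. Abernathy'
    and 'mrs abernathy' compare equal at recovery time."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", answer.lower())
    return " ".join(cleaned.split())


def answer_is_strong(answer: str) -> bool:
    """Reject one-word or dictionary-style answers at setup."""
    norm = normalize_answer(answer)
    return len(norm) >= 4 and norm not in WEAK_ANSWERS


def enroll(answers: list[str]) -> list[tuple[bytes, bytes]]:
    """Store each of the five answers salted and stretched, never in the clear."""
    if len(answers) != 5:
        raise ValueError("exactly five answers required")
    weak = [a for a in answers if not answer_is_strong(a)]
    if weak:
        raise ValueError(f"too easy to guess: {weak}")
    stored = []
    for a in answers:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(a).encode(), salt, ITERATIONS)
        stored.append((salt, digest))
    return stored


def verify(stored: list[tuple[bytes, bytes]], attempts: list[str], required: int = 4) -> bool:
    """Accept recovery when at least `required` of the five answers match."""
    matched = 0
    for (salt, digest), attempt in zip(stored, attempts):
        candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(), salt, ITERATIONS)
        if hmac.compare_digest(candidate, digest):
            matched += 1
    return matched >= required


def demo() -> dict:
    """Run both checks on constructed sample input."""
    t0 = datetime(2023, 1, 1)
    gate = SignupGate()
    first = gate.check("(415) 555-0123", t0)
    gate.record("(415) 555-0123", t0)
    retry = gate.check("415.555.0123", t0 + timedelta(days=10))   # same number, too soon
    later = gate.check("415.555.0123", t0 + COOL_OFF)             # cool-off elapsed
    voip = gate.check("555-123-4567", t0)                          # denylisted prefix
    stored = enroll(["Mrs. Abernathy", "Pontiac Firebird", "Oak Street",
                     "Rusty the beagle", "Sacramento"])
    four_right = verify(stored, ["mrs abernathy", "pontiac firebird", "Elm Street",
                                 "rusty the beagle", "SACRAMENTO"])
    two_right = verify(stored, ["mrs abernathy", "pontiac firebird", "Elm Street",
                                "Fido", "Reno"])
    return {"first": first, "retry": retry, "later": later, "voip": voip,
            "four_right": four_right, "two_right": two_right}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The answers are normalized before hashing so a user who types "mrs abernathy" years after enrolling "Mrs. Abernathy" still recovers, and the 4-of-5 threshold tolerates one forgotten answer without letting a guesser through on two or three.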
Maybe that's part of the issue. Why recycle numbers so aggressively? Give the user a few months to recover their old number if they can prove they are the same person.
And 2FA can be defeated through social engineering, and it is defeated constantly in this way. I would far prefer password requirements with 80-bits of entropy than everywhere I log into requiring I collect a 6 digit number from an email, app, SMS message, etc.
But nearly everyone here seems to think this extra little bit of work at every login is a good thing, assuming they would ever have an account compromised. Seriously, how many here were ever compromised prior to 2FA? I've been online since 1983, and I had never come across it personally until after 2FA was rolled out.
Ignoring the personal inconvenience, 2FA's inconvenience increases exponentially for every 10 users being supported. Supporting 2FA among 10K users globally, just 2FA in itself, becomes a full time job for more than one administrator, when previously, those 10K users were commonly supported by a single tech.
Frankly, I'd far far rather take the risk of unauthorized access than being strong-armed into using 2FA. The amount of time 2FA wastes is far more than the time wasted by unauthorized access. The solution is far worse than the problem ever was.
Sorry for the question, but it is a bit mind blowing for me, in my country homeless people are rare and the ones I see don't worry about anything besides something to eat and alcohol. So having a mobile for them would be like having cash to buy the mentioned things.
And just to compare, the cheapest completely useful (4G, 3GB RAM, 3000mAh battery, Android 11) smartphone is $30, the average monthly rent of a two-bedroom apartment in the United States is $1300.