Re: Google will no longer send SMSs with six digit codes for verification

On 2025-03-04 19:18, VanguardLH wrote:

Dave Royal <dave@dave123royal.com> wrote:
 

A *bit* more info about verifying phone numbers here
<https://www.androidauthority.com/google-ditch-sms-codes-authentication-details-3529425/>

 So, you either have to wait for an SMS message to arrive from them, or
for them to get the one you send them.

No, they also say:
«Google spokesperson Ross Richendrfer reiterated that SMS is mainly used as a security and anti-abuse check, but there are plenty of security challenges, like phishing and traffic pumping. Consequently, Google plans to reimagine how it verifies phone numbers over the next few months. Instead of entering their phone numbers and receiving a six-digit code over SMS, users will see a QR code they need to scan with their phone camera.»
So, take a photo of the qr code.

SMS is not instantaneous.  You
wait.  SMS is not guaranteed delivery.  Some get lost, so retry, and
wait some more.  The security theater gets more in your way, and stalls
the login, all of which (this and 2FA/2FV) was to overcome boobs that
reuse the same weak login at every domain they visit (that requires a
login).  Use technology to overcome the weak point in security: users.
 Wonder if I'll need to graft my smartphone to my hand to login to Gmail
at my desktop PC using an OAUTH2 e-mail client.  My phone is not sitting
next to my desktop.  It's on a desk near the house door where I also
toss postal mail, and have a laptop since the UI (small virtual keyboard
and touchscreen) on a phone sucks compared to a desktop, laptop, nor
netbook.  I don't much use that laptop.  It's mostly for something
related to newly arrived postal mail.  Most of my desktop computing is
in a basement room.  I'm not running upstairs to grab my phone because
some boob wants me to jump over hurdles for nuisancing security theater
mostly to reduce their manpower for tech support.  Plus, I dislike that
some site wants my phone number for a totally unrelated service, like
e-mail.  Oh yes, reduce privacy to profess increased security.  The
phone for account recovery is okay, but then so are security questions
you preset for recovery, or recording your account ID (if you're ever
given one).  I'd rather have to answer a preset security question
immediately on a login failure than wait for an SMS message that I have
to manually transcribe or manually scan into the waiting login page.  Of
course, don't secure the communication venues (e-mail and SMS) used to
supposedly secure the logins.

«But will fallback authentication methods be available if the user cannot access a mobile phone? Google answers no.»

 Thanks for that article.  It gives some more info, but looks like we
have to wait, and suffer, with however Google decides to implement their
new security theater.  Could be months, or years, and then there's the
initial pains as they work out the kinks.  Perhaps Google should
reassess how much they increase pushing users away from Google services.
Security and convenience are the anti-thesis of each other: to get more
of one means less of the other.  Too much security becomes intolerable.

--
Cheers, Carlos.