Google sign in changing Nov 9th

[Rich Engelhardt]

I got an email from Google earlier this morning & I've checked it out.
As far as I can tell, it's 100% legit -but - I wouldn't click on any of the links in it if you get this email - just to be extra careful.

On Nov 9th, Google is going to put in a two step sign in. The normal sign in - followed by a phone verification.

If anyone is at all like me - I have had three cell phones and two landline numbers over the last 20 years & sometimes forget which one I may have used years ago to first sign up - you might want to go to your Google settings and make sure everything is current.

[Lee DeRaud]

On Nov 9th, Google is going to put in a two step sign in. The normal sign in - followed by a phone verification.

I'm trying (and failing miserably) to figure out how that works (and what problem it solves) if I'm signing into Google from my phone, e.g. to get an app from Google Play.

I suspect that procedure may only apply when Google detects a sign-in attempt from a device that's not already on your account's list...currently it just sends an after-the-fact "Was that really you?" notification. The whole thing may also depend on your account privacy settings: they may just have bumped the default setting up a notch or eliminated a "loose" sign-in option.

[Myk Rian]

I suspect that procedure may only apply when Google detects a sign-in attempt from a device that's not already on your account's list...

That's what it is. A good security measure.

[Bill Dufour]

They already changed mine. I went to my linked sign in page and got to a generic google is great page, I should join up and get a free email addresss. No where to sign in. I had to google the web and find it that way!
Bill D

[Jim Becker]

It's not arduous...and you only have to verify via two factor periodically if you are using your regular device(s) and indicate they are personal and private. It's no different than most financial institutions. Microsoft and other similar entities also adopted this for account verification some time ago. Two-factor basically makes sure that it's "you" when certain things happen, such as requests for certain account changes. But you also do need to make sure that your wireless phone number is secured...be sure that you have a PIN set with your carrier to significantly reduce the risk of having your number taken over and also don't fall for the "Google Voice" scam where someone you're trying to do business with says they are sending you a code to your phone/computer to verify it's really you. That scam can compromise your phone number...

[Jim Koepke]

On Nov 9th, Google is going to put in a two step sign in. The normal sign in - followed by a phone verification.

What happens if you live in an area without cell service?

Then there are those of us who do not have a cell phone…

jtk

[Wade Lippman]

You can instead get a list of 8 digit numbers that will get you logged in.

[Jim Becker]

What happens if you live in an area without cell service?

Then there are those of us who do not have a cell phone…

jtk

There are alternative methods.

That said, SSA requires two factor for online access to one's SS account and initially for awhile, it only worked with texting to a cell phone. That was fun for some folks like you describe.

[Doug Garson]

What happens if you live in an area without cell service?

Then there are those of us who do not have a cell phone…

jtk

Maybe this is just a ploy to sell cell phones to the 3% of Americans who don't have a cell phone.

[Edwin Santos]

I'm a big fan of 2FA after it saved my bacon when someone hacked my Ebay account but 2FA blocked them from being able to check out with a whole lot of stuff in the shopping cart. It looks like Google is compelling it, but for any of your accounts that make 2FA optional, I turning it on.

BTW, most of my accounts will allow an email address as the destination for the generated code, if a cell phone is not practical for you.
Even SMS messages are not as secure as people think. If you are security conscious, it's very easy to use an authenticator app. Google and Microsoft both offer them and there are a dozen others in the app stores. Just google Authenticator apps and you'll find articles that explain how to use them and how they add security and convenience to the 2FA process.

[Derek Meyer]

I had an incident last week where someone tried to hack my Office 365 account. The attack triggered my 2FA through the Microsoft Authenticator app, so I was able to log in and change the password to prevent any more attempts. I'm glad that I had 2FA turned on for this account, as it has auto billing for my Office 365 subscription, so an attacker could gain access to a credit card if they were successful.

[Lee DeRaud]

BTW, most of my accounts will allow an email address as the destination for the generated code, if a cell phone is not practical for you.

I've got a couple that also will do it by 'voice': calls your phone (landline or cell) and reads off the code when you answer.

[Lee DeRaud]

... I'm glad that I had 2FA turned on for this account, as it has auto billing for my Office 365 subscription, so an attacker could gain access to a credit card if they were successful.

Eh? How does that work? I don't think any of the sites that store my CC info will display the whole number, even after they verify that I'm really me.

[Steve Demuth]

I think Google is doing the right thing here. Multi-factor authentication is the norm for any account that is potentially valuable or sensitive. It is based on the principle that authenticating that a person claiming to be you is you, should require two things - generally something you know (your password), something separate you have (your cell phone), or possibly something you are (a biometric identifier, such as facial or fingerprint recognition). For most people with smart phones these days, you really have all three, since your account is protected by your password, by your possession of the phone, and by the fact that you authenticate to the phone with a facial or fingerprint scan.

We required multifactor authentication on almost everything that was externally accessible at the hospital/clinic where I worked. This did not please the physicians, many of whom considered it a serious imposition, but greatly raised the security posture of the organization, protecting patient, employee and corporate information. For a small minority of people, their Google account may not have anything justifying the additional security, but for the vast majority, it does. Google makes it so easy, and convenient to remember passwords to multiple other services, to store sensitive or valuable information, and at bottom, most Google accounts are pretty good gateways for identity theft or other mischief, if compromised. Google's implementation of multi-factor is very good, and has flexible options for establishing the second factor. As a retired information technology and security professional, I applaud their move.

For those who dislike the cell phone approach, or who don't have one, Google sells Titan hardware second factor keys. If the only log on device you use is a computer, these are a good substitute for the smart phone approach.

[Ronald Blue]

MFA isn't new and it's a good thing. If the Colonial pipeline and Smithfield meat packing had used such technology the hack likely wouldn't have happened. We've been using it for 6 years at my work and it works well. Like Steve said if logging in from a non-network location verification is required. Usually if it pops up and asks that you verify it's you all but a couple digits in the phone number are blanked out. You have to tell it what number to send it to. The system is well proven and worthwhile. My laptop uses my fingerprint to log on and for making purchases. Ebay makes me use my finger print to log in. More security is a good thing.