How to enable two-step authentication on Google, Facebook, etc


I don’t trust Facebook - or any of them - with my phone number.

2 Likes

Unless you stick to single-use burner phones, your phone number is probably already attached to your profile in the great abyssal consumer data aggregate.

3 Likes

Is it perfect? No. But it's way better than just irrationally hoping nobody ever gets a hold of your password.

Not as good as rationally ensuring nobody ever gets hold of your password, though.

Facebook’s 2-factor Auth process is disingenuous to say the least - if you want to enable it, it forces you to add the number TO YOUR PROFILE and pulls it from there instead of (like google etc.) asking you to add it to one sandboxed place purely for verification.

Facebook: doing it wrong, all of it, since forever.

4 Likes

Be advised that many poorly maintained Google tools (i.e. the only ones you use or care about or do anything useful) will not function properly if you turn on 2-factor. I had to turn it back off to be able to use Picasa.

1 Like

Ok, that’s insane. You mean that anyone who has access to your profile on any level has access to the phone number?

Surely there is some tipping point of invasiveness that will pop the Facebook bubble. It’s hard to imagine what it will be though.

Fortunately many of them – including Facebook – have 2FA that doesn’t require your phone number, via TOTP (RFC 6238).

I enable 2FA when it’s implemented as RFC 6238. When it’s a crappy SMS message to a phone, I don’t, because (a) SMS delivery isn’t guaranteed, (b) phone numbers are easily spoofed, (c) I might not have cell coverage but still want to log on, and so on.

I’m also not interested in proprietary 2FA apps. I just want the one app to handle all my codes, and I don’t trust “roll your own” security protocols.

I really wish Apple would get their act together and implement proper 2FA.

You can get special passwords for those apps (I see that TFA mentions them in passing) – I’m pretty sure that is what I did for Picasa.
Sign in using App Passwords - Accounts Help

Why? Isn’t the responsibility of safety all on Google? Not my fault if something is stolen.

I prefer not to have my stuff stolen whether it’s my fault or not.

You can choose who your number is visible to. If you’d like it can be visible only to yourself.

They can’t ensure that you don’t use the same password everywhere.

Yup. Google doesn’t get my phone number, Google YouTube doesn’t get it, Google Android has it but gets email addresses only used for that device, Yahoo doesn’t get it, I only log in to Facebook every 3-6 months from a dedicated virtual machine. The reason I use Yahoo is to create disposable email accounts that aren’t linked to the real world, so of course they don’t get my phone number.

OTOH, I was travelling recently and YouTube said it was really suspicious that I was logging in to my YouTube account from a different location, and it wanted a phone number to connect to. Ummm, nope, absolutely not, especially since I hadn’t given them a phone number in the first place to compare it to, so if it had been a bad guy who’d guessed the wimpy password I use for YouTube, they could have given them their own phone number and stolen my account. (Which wouldn’t have been a big deal, because I’d just have to build another YouTube account.) When I got home, YouTube said “Oh, maybe it’s you after all, change your password.”

2FA can be useful, sometimes. If you use your phone to access Facebook or Google, though, and it gets stolen/cloned, then it’s not worth much.
