Update Google, extra notes about requirement of having Phone *or hardware token* #7026

maltfield opened this issue Oct 31, 2022 · 3 comments
Labels
update site Issue/PR updates information about a site in the repo.

maltfield commented Oct 31, 2022

Site name

Google (appears in multiple instances: Google Drive, Google Cloud Platform, Hangouts, Google Domains, Gmail, Google Play, Google Fit, Google Pay, Google Fi, Google Fiber)

Site URL

https://drive.google.com/, https://cloud.google.com/, https://hangouts.google.com/, https://domains.google.com/, https://mail.google.com/, https://play.google.com/, https://fit.google.com/, https://pay.google.com/, https://fi.google.com/, https://fiber.google.com/

Update reason

Other (please describe below).

Additional information

Preamble

First, I'm being forced to create a new ticket rather than just update an existing ticket because the existing ticket is locked.

Mods, please don't lock tickets. It just makes collaboration more difficult, scatters our work across multiple new tickets, and makes it harder for folks to find information about a given issue.

The Issue

While I appreciate the additional information added by the note in this PR, it's just incorrect.

"notes": "To activate two factor authentication, you must provide a mobile phone number"

You do not need to enter a mobile phone number. But you do need to add a backup 2FA method. Instead of adding a phone number, you can add a hardware security key.

I recently worked for an organization that switched to Google Workspace. We bought everyone in the company hardware security keys specifically to prevent us from having to link our users' phone numbers into their Google Accounts (and risk Google using it as an insecure fallback).

The solution

Please change this

"notes": "To activate two factor authentication, you must provide a mobile phone number"

to this

"notes": "To activate two factor authentication, you must provide at least two distinct 2FA providers, such as TOTP, mobile phone number, or hardware security token"

Issue Eligibility

  • The issue I'm creating is not a duplicate of an existing issue.
  • The issue I'm creating is not a duplicate of an existing pull request.

maltfield added the "update site" label Oct 31, 2022

maltfield commented Oct 31, 2022

Besides my experiences, the proof is in the screenshot of the original issue

The user can literally just click either "Security Key" or "Google Prompt" and they won't have to provide a phone number to Google to set up 2FA.

  1. Security Key is a hardware security key
  2. afaik Google Prompt requires the user to have installed Google on an Android device. 2FA here is them clicking "I approve" or something in some popup in the app.

There may be other options as well under "Show more options" that I'm not aware of.

@Carlgo11
Member

Thanks for the information @maltfield.
To answer your feedback:

First, I'm being forced to create a new ticket rather than just update an existing ticket because the existing ticket is locked.
#4849
Mods, please don't lock tickets. It just makes collaboration more difficult, scatters our work across multiple new tickets, and makes it harder for folks to find information about a given issue.

The issue #4849 had to be locked as it received a lot of spam messages. We try to keep issues open as much as possible but sometimes GitHub's lacking spam detection forces us to lock an issue as deleting each new comment becomes unfeasible.

While I appreciate the additional information added by the note in this PR, it's just incorrect.
#4849
"notes": "To activate two factor authentication, you must provide a mobile phone number"
You do not need to enter a mobile phone number. But you do need to add a backup 2FA method. Instead of adding a phone number, you can add a hardware security key.

If you find factual issues in a PR, the best action is to discuss those issues/remarks in the actual PR in the form of a comment or review. That way we're able to better take all the information into account when reviewing the PR.
In this case a review with your note suggestion would be ideal for both the PR author and us maintainers.

ghost commented Nov 10, 2022

When using 2FA with a Google account, the following options are available:

  • SMS only
  • U2F only
  • Proprietary applications only
  • Combination of any of the three above and TOTP
