Where goes the future of personal data non-security?
I just read about Google’s new program to offer optional physical dongle based security to persons with Google accounts and g-suite accounts. This program also locks the account so that non-Google programs and apps cannot access the data on a Gmail account, Google drive, Google calendar, etc.
Many people currently just don’t want to deal with physical dongles, or fear losing the dongle and hence access.
I don’t know what the recovery procedure is if the dongle is lost. Supposedly, it’s not simple.
At the same time, the financial people who run the credit economy are talking about how the economy will be crippled if everyone locks down their financial data.
(Whose economy? Theirs?)
(Apologies. I read the story in the iOS news app this morning and now can’t find it.)
Whither the future of all this?
Prognostications?
https://techcrunch.com/2017/10/17/google-launches-strongest-security-opt-in-program-for-high-risk-users/
Google launches “strongest security” opt-in program for high risk users
I have been using 2 factor with Google for years now… as for the fear of losing the U2F dongle… they do give you a set of key codes to recover your account in case you lose the dongle. Print them out twice (on a non wifi printer) and store them in safe locations.
@thismyusername
I think this newly announced level of security doesn’t allow for use of the extra set of key codes as an access option.
Somehow or other you must have to prove - or “prove” - who you are.
I didn’t look up how the recovery verification is supposed to work.
I can see new inventions coming in the future.
People will use a keyboard-device that you can insert paper into. This device will be connected to nothing. After you have finished keying in, you would be able to just remove the paper from the keyboard-device.
This is where it gets tricky. I imagine there will be a way to send this piece of paper to others. As this is a complicated process, maybe there could be a tax or payment that could be paid to send the piece of paper to the other person.
I think we’re all screwed. Hackers can access shit faster than we can prevent them from accessing shit. I froze our credit (X 6 for 2 people) & I really doubt if that is foolproof. Too many places, including the ‘lesser credit report companies’ have everything a hacker needs.
sigh…
@daveinwarsh
Have you ever gone through one of those online ID verification things?
Yeah. Those mine the semi-public and public and paid-access-public databases for personal info so they can ask you questions.
They use the very same databases you and I can mine for info on anyone, if only we pay a small fee or take out an inexpensive subscription to the databases.
@f00l No, never have. I’m afraid what I’d see… lol
I won’t shed any tears for an industry that profits off of perpetual debt, though I don’t think the cash flowing to their coffers right now is likely to be redirected to anything that benefits the average person.
(Also this sounds like folks’ private information being exchanged between the companies that have access to them, which really needs to be approached with a different mindset as a privacy problem, rather than a security problem like the program at Google is trying to address, which is unauthorised logins to accounts.)
I coincidentally started carrying a physical dongle this month (like this little $10 thing that can attach to a keychain) to secure my online accounts, like Google and Facebook. Most of them also support code generators like Google Authenticator which will continue to be my primary way to verify logins, but several of them previously had SMS as a backup option.
Text messages have been recently demonstrated to be a poor choice for a “second factor” as they are easy to intercept and there isn’t much that can be done about it. For folks who are likely to be victims of targeted attacks due to financial or political reasons, SMS is completely out of the question.
The great thing is that more sites are adopting a common standard (called “U2F”, for Universal 2nd Factor) so you can use the same dongle for all of them, take it with you and plug it into any computer to confirm your login. Some of them also work with mobile devices using wireless NFC.
Many sites will let you register more than one physical token, so I’m thinking of getting a second, even cheaper dongle as a backup to keep safe somewhere, just in case I lose the one on my person.
Also I’m checking out Google’s new security campaign and it does require you to carry two dongles, one for phones & computers and another just for computers. (And as someone else mentioned, most sites support printable recovery codes for safekeeping).
It’s funny to see that Google decided directly to link to specific devices with “Buy from Amazon” buttons. This might be a placeholder until they offer branded ones in the future.
@trisk
Thx. Good stuff.
Privacy can be related to security, when the “I wish it were actually private” info that anyone can pay to access becomes the source of identity verification for access to one’s cloud “property”.
I believe Google is responding to incidents such as the election-related Podesta account hacking.
@f00l Google is just saving its back. One day ppl are going to limit the info they put online due to concerns in privacy. Since Google is in the info biz they need ppl to keep on giving them it.
@davechait
Yeah I kept thinking that too.
So far …