[180190] in North American Network Operators' Group


Re: gmail security is a joke

daemon@ATHENA.MIT.EDU (Harald Koch)
Wed May 27 16:52:23 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <70986901-348F-415A-92B9-40997F4F8E26@anilkumar.com>
Date: Wed, 27 May 2015 16:52:19 -0400
From: Harald Koch <chk@pobox.com>
To: Anil Kumar <akumar@anilkumar.com>
Cc: nanog <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On 26 May 2015 at 23:43, Anil Kumar <akumar@anilkumar.com> wrote:

>
> According to this page, the 2-factor authentication does kick in when you
> finally try to reset the password.
>
>
> http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature
>
> “… I was presented with an emailed link to a reset page. When I clicked
> that link, since I have two-step verification set up, I was presented
> with a demand for a number provided by the Google Authenticator
> app on my phone. I provided that number and only then was I allowed
> to reset the password.”
>

Y'all are way too trusting ;)

If I recall from a brief experiment yesterday, three of the four options on
that page are variations on "I'd like to bypass 2-factor authentication".
There is really no point in any of Google's fancy account security if I can
bypass all of it using Google's Identity Verification process, especially
if that process is based on PII that isn't terribly difficult to obtain.

This is just a variation on Apple's "give us the last four digits of your
credit card to reset your password" gigantic security failure, and frankly
I expected better from Google. Silly me.

-- 
Harald (who once upon a time worked in the IAM space ;)
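The design point the thread circles around is that a second factor only helps if every account recovery path is gated by it; a PII-based identity check that can complete a reset on its own is a bypass. The following is an added example (not code from the thread, Google or Apple) of a password reset flow that enforces that rule: an emailed reset link is never sufficient on its own when two-step verification is enabled, and a knowledge-only path (last four digits of a card) cannot complete at all. The account record, the `PasswordResetFlow` class and its method names are assumptions for illustration; the TOTP secret is the RFC 6238 test-vector secret, and `now` is injectable so the flow can be run deterministically.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time


def make_account():
    # Constructed sample account; the secret is the RFC 6238 test-vector secret.
    return {
        "email": "alice@example.invalid",
        "totp_secret": b"12345678901234567890",
        "two_factor_enabled": True,
        "last4_card": "4242",
        "password_hash": None,
    }


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class PasswordResetFlow:
    """Hypothetical reset flow: every path is gated by the second factor when enabled."""

    def __init__(self, account, now=None):
        self.account = account
        self.now = now or (lambda: int(time.time()))
        self.pending = {}  # reset token -> expiry time

    def request_reset_link(self) -> str:
        """Issue a single-use, time-limited token (in practice sent to the account email)."""
        token = secrets.token_urlsafe(32)
        self.pending[token] = self.now() + 600
        return token

    def reset_via_link(self, token: str, totp_code: str, new_password: str) -> str:
        """Emailed link plus, when 2FA is on, a valid TOTP code; the link alone never suffices."""
        expiry = self.pending.get(token)
        if expiry is None or self.now() > expiry:
            return "rejected: invalid or expired link"
        if self.account["two_factor_enabled"]:
            expected = totp(self.account["totp_secret"], self.now())
            if not hmac.compare_digest(expected, totp_code):
                return "rejected: second factor required"
        del self.pending[token]  # token is single use
        self._set_password(new_password)
        return "ok"

    def reset_via_identity_questions(self, last4_card: str, new_password: str) -> str:
        """PII is a knowledge factor only; it must not complete a reset when 2FA is enabled."""
        if self.account["two_factor_enabled"]:
            return "rejected: PII-only recovery cannot bypass 2FA"
        if not hmac.compare_digest(self.account["last4_card"], last4_card):
            return "rejected: identity check failed"
        self._set_password(new_password)
        return "ok"

    def _set_password(self, new_password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.account["password_hash"] = salt.hex() + ":" + digest.hex()


if __name__ == "__main__":
    flow = PasswordResetFlow(make_account(), now=lambda: 59)
    tok = flow.request_reset_link()
    print(flow.reset_via_link(tok, totp(flow.account["totp_secret"], 59), "new-pass"))
    print(flow.reset_via_identity_questions("4242", "new-pass"))
```

With the clock pinned to Unix time 59 the RFC 6238 vector gives the six-digit code 287082, so the link-plus-TOTP path succeeds, the link with a wrong code is refused, and the card-digits path is refused outright while two-step verification is enabled.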
