My school is requiring students to instal specifically Microsoft 2fa (uses microsoft’s proprietary algorithm). So I’m sure that people can figure how to download an app and scan a qr code.
If this is for a M365 account you don’t have to use the Microsoft authenticator. It’ll nag every login but it’ll let you use a different authenticator. I set up my college email last year with Duo as the 2FA because I already needed Duo for work, and it was fine
I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.
An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.
The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:
Confirmation message sent by email (and let people add multiple address not just one).
SMS to phone number (again, let them add multiple numbers).
TOTP code generated with authenticator app.
One-time-use secret codes written down somewhere.
Secret question/answer pairs.
Codes generated by USB key fobs.
Confirmation on a phone that’s still logged in to that Google account (this doesn’t require the phone number).
Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.
I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.
I’m not familiar enough with TOTP codes, but they don’t seem feasible for your average user as a reliable way to recover your account
My school is requiring students to instal specifically Microsoft 2fa (uses microsoft’s proprietary algorithm). So I’m sure that people can figure how to download an app and scan a qr code.
If this is for a M365 account you don’t have to use the Microsoft authenticator. It’ll nag every login but it’ll let you use a different authenticator. I set up my college email last year with Duo as the 2FA because I already needed Duo for work, and it was fine
I attempted to use Aegis and there was an error popping up that said Microsoft’s 2fa is proprietary and isn’t supported.
What you do is when you’re setting up the 2FA token in M365 select the type of 2FA since it supports a wide variety of 2FA types, including SMS
It was only the proprietary 2fa and sms. I’d rather do the totp.
Huh I had not realized that. Like I said, I used Duo just because I already needed it for work
I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.
An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.
The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:
Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.
I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.