Google 2FA required from Nov9- is this a thing?

Forums › Desktop computing › Google 2FA required from Nov9- is this a thing?

1 | 2 | 3

2780 posts

Uber Geek

#2809175 8-Nov-2021 09:08

I must admit I'm pretty surprised that a major data organisation requiring 2FA is such a controversial topic on a tech forum. Google's implementation of 2FA is, imo, one of the most user friendly I've ever seen, with multiple options around how you implement and manage it, and a very low frequency of requesting it under most usage patterns.

jaymz

1133 posts

Uber Geek

#2809229 8-Nov-2021 11:24

richms:

I am wondering how this will work for accounts with no device logged into it that are just used thru the web. Will the start to insist that I give them a phone number to SMS to inorder to login? That is totally unacceptable as some of the accounts I access are shared among several people, and used thru the web only because of the mess that is android and logging into gmail on the app.

MSP's have had this battle for a while now, for securing Tenant admin accounts for Google Workspace, Microsoft 365, Apple Business/School Manager, etc.

One solution that I have implemented is to use a dedicated phone/number that has a script that will forward the incoming 2FA SMS onto an email that is tied with a Teams team. That way when a code comes in, it can be picked up by any member of the technical staff team.

2FA is not going away, and even Microsoft have implemented an ability to remove the password entirely from your Microsoft Account (https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/#:~:text=Go%20passwordless%20today%20with%20a%20few%20quick%20clicks&text=Next%2C%20visit%20your%20Microsoft%20account,notification%20from%20your%20Authenticator%20app.)

freitasm

BDFL - Memuneh
79308 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2809230 8-Nov-2021 11:34

jaymz:

2FA is not going away, and even Microsoft have implemented an ability to remove the password entirely from your Microsoft Account

I am using passwordless login on my personal Microsoft accounts and on my Geekzone Office 365 accounts. One less password to remember. I have the Microsoft Authenticator app as main notification but also have a Yubikey and Authy codes available.

Having 2FA doesn't mean losing complete access if you lose a phone. There are other ways for example I keep the Yubikey with me on my keychain but there's another key in our filling cabinet at home. To use it you need to know the PIN so it's safe enough.

openmedia

3332 posts

Uber Geek

Trusted

#2809280 8-Nov-2021 13:30

Anyone found a way to have multiple 2fa authenticator devices configured?

For work we use 2fa and I have the Android App on my phone and tablet, plus on a 3rd phone I carry when travelling. I'd like a similar level of redundancy with GMail login.

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.

freitasm

BDFL - Memuneh
79308 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2809282 8-Nov-2021 13:32

openmedia:

Anyone found a way to have multiple 2fa authenticator devices configured?

For work we use 2fa and I have the Android App on my phone and tablet, plus on a 3rd phone I carry when travelling. I'd like a similar level of redundancy with GMail login.

On a Google account? I have Authy, two Yubikeys, my phone and the option to tap Yes on the phone.

timmmay

20589 posts

Uber Geek

Trusted

Lifetime subscriber

#2809286 8-Nov-2021 13:45

openmedia:

Anyone found a way to have multiple 2fa authenticator devices configured?

For work we use 2fa and I have the Android App on my phone and tablet, plus on a 3rd phone I carry when travelling. I'd like a similar level of redundancy with GMail login.

Authy lets you have as many devices as you like with the same MFA codes. If you want multiple people to have the MFA code just set up MFA when those people are there, all of you take a photo of the QR phone and add it to your auth app.

openmedia

3332 posts

Uber Geek

Trusted

#2809398 8-Nov-2021 15:07

timmmay:

openmedia:

Anyone found a way to have multiple 2fa authenticator devices configured?

For work we use 2fa and I have the Android App on my phone and tablet, plus on a 3rd phone I carry when travelling. I'd like a similar level of redundancy with GMail login.

Authy lets you have as many devices as you like with the same MFA codes. If you want multiple people to have the MFA code just set up MFA when those people are there, all of you take a photo of the QR phone and add it to your auth app.

Interesting. I use FreeOTP so I'll try that out

Generally known online as OpenMedia, now working for Red Hat APAC as a Technology Evangelist and Portfolio Architect. Still playing with MythTV and digital media on the side.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

cyclops69

2 posts

Wannabe Geek

#2823586 3-Dec-2021 09:30

Just got the note Google pushing me to 2FA for continued account access. Problem is I do long term stints for work overseas so won't maintain my current mobile number when I go, and don't know what number I'll have there until I arrive and set up a plan. Any informed thoughts on best option?

I see reference to Google Authenticator but if I set up and start using will it still work when my sim is removed / switched to a new sim?

I see reference to Backup Codes but looks like you get 10, for use one a day, which won't even get me through quarantine in new country let alone source and set up new phone plan and get number linked to 2FA. Is there a way to get a refresh batch of codes without access to the phone number I linked to the account?

mrdrifter

579 posts

Ultimate Geek

ID Verified

Trusted

#2823592 3-Dec-2021 09:34

cyclops69:

Just got the note Google pushing me to 2FA for continued account access. Problem is I do long term stints for work overseas so won't maintain my current mobile number when I go, and don't know what number I'll have there until I arrive and set up a plan. Any informed thoughts on best option?

I see reference to Google Authenticator but if I set up and start using will it still work when my sim is removed / switched to a new sim?

I see reference to Backup Codes but looks like you get 10, for use one a day, which won't even get me through quarantine in new country let alone source and set up new phone plan and get number linked to 2FA. Is there a way to get a refresh batch of codes without access to the phone number I linked to the account?

That's where you should look at Authy as above. It can be synced across multiple devices and isn't tied to a sim card.

freitasm

BDFL - Memuneh
79308 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2823594 3-Dec-2021 09:36

@cyclops69:

Just got the note Google pushing me to 2FA for continued account access. Problem is I do long term stints for work overseas so won't maintain my current mobile number when I go, and don't know what number I'll have there until I arrive and set up a plan. Any informed thoughts on best option?

I see reference to Google Authenticator but if I set up and start using will it still work when my sim is removed / switched to a new sim?

I see reference to Backup Codes but looks like you get 10, for use one a day, which won't even get me through quarantine in new country let alone source and set up new phone plan and get number linked to 2FA. Is there a way to get a refresh batch of codes without access to the phone number I linked to the account?

One of the options is to tap [YES IT'S ME] on your Android phone. The other option is to use Google Authenticator. Yes, it will work if you switch SIMs but have in mind you should have an alternate email in your account to reset in case you lose the authenticator. I'd recommend using Authy instead (same process as Google Authenticator) as you can sync between your phone and desktop clients.

You can have multiple 2FA setup - I have [YES IT'S ME], a Yubikey, phone and Authy setup as I really don't want to lose access to my account.

allio

885 posts

Ultimate Geek

#2823652 3-Dec-2021 11:28

To make it even clearer: Do not use Google Authenticator. It's tied to your device and difficult/impossible to backup or transfer to a new device. If you lose your phone (or do a factory reset), you're screwed. There's nothing special about Google Authenticator - it uses the same TOTP system as a number of alternative apps, and whenever you see a site ask you to use Google Authenticator (including Gmail and other Google sites) you can instead use the app of your choice.

Authy is great. I personally use and highly recommend Aegis and Bitwarden. Aegis automatically syncs a backup of all of my to my Nextcloud, and Bitwarden is hosted on my own server with a full nightly backup of the entire database. I use Bitwarden for most 2FA (it has autofill via the browser extension, which is really handy) with all of the most important keys also stored in Aegis.

lxsw20

3555 posts

Uber Geek

Subscriber

#2823744 3-Dec-2021 12:52

Google Authenticator can be transferred to a new device now days. You're right it's no good if you break your screen/lose the phone.

Also a good idea to actually store the backup codes, rather than just look at them and think, naaah i'll never need that.

jim69

42 posts

Geek

Lifetime subscriber

#2823946 3-Dec-2021 18:04

lxsw20: Also a good idea to actually store the backup codes, rather than just look at them and think, naaah i'll never need that.

Thanks to this thread I now have Authy on my phone and my laptop, auto backups on, multi-devices on, and soon I'll have it on my spare phone and my tablet too, meaning not only will I not have to get up to get the phone but I'll have the app & registration tokens on 4 devices plus the Authy server. My Twitter has never felt so secure.

I think I have normal backup well covered, I think "naaah i'll never need that". What am I missing? Am I unable to recover Authy if I somehow lose all 4 devices in the same fire? I havent got to that point in my journey yet, might stop at Twitter until I have that answer.

old3eyes

9120 posts

Uber Geek

Subscriber

#2824171 4-Dec-2021 12:48

jim69:

lxsw20: Also a good idea to actually store the backup codes, rather than just look at them and think, naaah i'll never need that.

Thanks to this thread I now have Authy on my phone and my laptop, auto backups on, multi-devices on, and soon I'll have it on my spare phone and my tablet too, meaning not only will I not have to get up to get the phone but I'll have the app & registration tokens on 4 devices plus the Authy server. My Twitter has never felt so secure.

I think I have normal backup well covered, I think "naaah i'll never need that". What am I missing? Am I unable to recover Authy if I somehow lose all 4 devices in the same fire? I havent got to that point in my journey yet, might stop at Twitter until I have that answer.

If you were to lose all your devices then when you buy a new one you just login to your Authy account and gets restored in theory.

Regards,

Old3eyes

ripjack

65 posts

Master Geek

#2824721 5-Dec-2021 18:09

mrdrifter:
cyclops69:

Just got the note Google pushing me to 2FA for continued account access. Problem is I do long term stints for work overseas so won't maintain my current mobile number when I go, and don't know what number I'll have there until I arrive and set up a plan. Any informed thoughts on best option?

I see reference to Google Authenticator but if I set up and start using will it still work when my sim is removed / switched to a new sim?

I see reference to Backup Codes but looks like you get 10, for use one a day, which won't even get me through quarantine in new country let alone source and set up new phone plan and get number linked to 2FA. Is there a way to get a refresh batch of codes without access to the phone number I linked to the account?

That's where you should look at Authy as above. It can be synced across multiple devices and isn't tied to a sim card.

I don't think this is 100% true. Authy uses your phone number as your login.

1 | 2 | 3