Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
PSA: Google Authenticator's Cloud-Synced 2FA Codes Aren't End-to-End Encrypted
- Thread starter MacRumors
- Start date
- Sort by reaction score
Bitwarden lets you link your password wallet to an associated 2-factor secret - it works great. Syncs across your devices, works in any browser, it's open source, and the paid version is only $10/year.
It was a slog, but I moved all my passwords out of Keychain and over to Bitwarden a few years ago - and I'm very happy I did.
It was a slog, but I moved all my passwords out of Keychain and over to Bitwarden a few years ago - and I'm very happy I did.
2FA is a massive fail in itself. How many applications do we have that you can log into via your phone.... and have to then enter a 2FA code that is sent to your..... phone! Pure genius. Who is the moron who thought up 2FA without realising that ~97% of all internet connections are now via mobile devices.
That's not how two-factor works. Codes aren't "sent" to you, they are calculated based on a one-time shared secret (generated when you first initiate two-factor auth for a specific account) combined with the current time. It is quite secure.
While this story talking about Google Authenticator, the algorithm is open - you can choose from any number of applications that do exactly this. I used to use the OTP app on my phone; now I use the built-in support in Bitwarden's password manager.
What you're thinking of is "two step" authentication, which indeed is pretty weak security (but still better than nothing). Unfortunately some web sites and companies muddy the waters by incorrectly referring to two-step auth as "two factor".
Google and Privacy?! ...nah, I used to rip on them for that all the time!
But lately I've stopped.
Google isn't in bed with China like Apple.
So for that, I admire them. I'd much rather they spy on my personal boring life and consumer interests than oppress the biggest segment of the human race in every way imaginable...
But lately I've stopped.
Google isn't in bed with China like Apple.
So for that, I admire them. I'd much rather they spy on my personal boring life and consumer interests than oppress the biggest segment of the human race in every way imaginable...
I don't trust any of them with data on the internet, Apple's no better than the others. I figure if it's on the internet, it's pretty much public. On data I don't want public, never sees the internet.
As does Microsoft with their authenticator. Big deal, that's what happens on a pubic internet with governments being afraid to make better laws, and truth be told, most of the data being collected on the internet really doesn't matter to the users at all. Now the bad guy that steal identities by having data scrapers in apps that get approved for the Apple Store and Google Play, those guys are the one's to worry about. I couldn't care any less about Google, or Microsoft, or whoever knows I looked for a new SSD last night, or whatever I looked for last night.
You are of course entitled to your opinion on the matter but I find your viewpoint extremely unfortunate. Google, Amazon, Facebook, Microsoft, etc are REALLY good at data collection and they most likely have significant collections identifiable to individuals. Now, what happens when your entire collective of information, location tracking, search history, purchase history, etc. is sold to someone like insurance providers? In the case of a health insurance provider your eating habits are now known, your every ailment is known because they have your search history, etc. If it is auto insurance your location tracking could be very valuable, etc. Could be a perspective employer, they already scour the web for your social media presence, how about if an employer knows every single web search you make or the fact that your car is frequently parked outside a cannabis dispensary? A perspective employer could have access to the answers to questions they are not allowed to ask during an interview. Perhaps your financial institution leverages your health data against you in a loan/mortgage situation? There are already a ton of "background check" websites that collect and arrange data, can you imagine what big tech could do if they chose to?
Is the cat out of the bag already... yes.
Can we do anything about it... I don't know, but I choose to try and limit my exposure as much as I can and wish others would at least try as well.
YMMV
Nothing. Most of that data isn't personally identifiable, and that that is like Medical insurance -- they already have much more detailed information, from my doctors, than my eating habits. Car insurance, they have any tickets I've ever had purchased from towns and cities, and any accidents, from DOT. Home, they know the value of the home and any crimes in the area. So again, nothing of importance, even if it were all personally identifiable, it just doesn't hurt me whichever way.
They could indeed, not sure I'd want to work for them though that would delve so low into their employees lives, but saying I needed a job, if that info doesn't have anything in it that's bad, it could actually help my cause, who knows.
Like I said, they already could be getting info from other sources I can't control, including the bankers, real estate agents, doctors, ... I do have a house and a mortgage btw, and I was actually a little surprised I was approved. I have the money, job/job history, and the credit history, to swing it, but I was older than most home buyers and disabled. (Not mobility, hands and arm capability). No problem, got a great rate. If some financial institution tried to use leverage, I'd go somewhere else, or pay off the loan and forget about it.
You don't think they already do? I worked for a bank holding company years ago...
Yes, and there's no way to stuff it back in, that's just what a connect society is.
Like I said, if there is something I want to keep private, I do. The only difference between me and you is what level of information we want to keep private, and you seem to trust some megacorps over others and I don't. They'll do anything legal to make more money, it's what they do, and some of it illegal. If you want to change things, working on what's legal and illegal and punishments for such is the only way.
They’ll just cheat or use morally reprehensible loopholes that go unchecked
Take the FAA for example, they are not allowed to access your medical information, so they got ahold of a insurance database that was intended to prevent insurance fraud, it doesn’t say your medical history…but it has all the insurance billing codes, because somehow that’s different 🙄
Alphabet I wager is even worse than the FAA, so yeah I’d highly wager they are snooping your data
And before someone says Apple isn’t much better
And I still have advanced data protection enabled lol
The other one is when people say do you have anything to hide? YESSSS! Frankly what color my socks are IMHO is need to know, anything I don’t openly share is secret
It funny how’s the government/corps market this line of if you don’t want your stuff public you must be hiding something and thus be a “bad guy” when at the same time
Operations security - Wikipedia
There is a fundamental difference between advertising companies like Facebook/Google and companies that collect data for sale/buy data from data brokers. Since Facebook/Google’s business is ads (using the data they collect of course), selling personal data is against their interests. Their whole business models are built around being the middlemen between advertisers and consumers and using proprietary user data to increase advertising efficiency. I’m not saying this kind of tracking is better or less invasive, but it’s not very likely that data collected by them will proliferate elsewhere unless there was a data breach.
If you’re worried about Apple spying on you, turning off iCloud services doesn’t really do anything especially if you have advanced data protection enabled. You should instead make sure the analytics toggles under privacy are off.
Yeah, same here. We use both AWS and GCP. I lean towards GCP. Both are not perfect. But, AWS seems to care less when we report issues. Google seems to react. But, maybe because Google is behind and is more eager to please customers.
That's not been my experience. AWS support is really pretty decent. GCP support is non-existent. GCP is also much, much, much less mature. I don't care for it much at all. I spend far too much time creating custom GCP solutions to problems that are just handled by AWS.
Interesting. So, not sure what level of GCP support you have. We have some sort of Enterprise support that we get as part of our deal. But, we have a guarantee spend with them yearly in the millions of dollars. I agree, feature-wise, GCP is well less mature. Good point and fully correct. AWS is king of functionality and features.
But, because GCP is hungry, I can get some one a call and help instantly. And, even got a patch same day for some issues. AWS could care less. And, I get it. They are the big dog and we are not one of their big customers. Although we spend millions with them as well. My issue with AWS lately is that things can change multiple times during the day as push code. I'll open a case and it can be resolved later that day. Which is cool. But, I burned time trying to get help. That said, it's pretty solid.
There is also the cost. GCP is trying to get the business and we get better deals with them. But, someone could argue, you get what you pay for as well.
Again, on the security front, AWS is not the beacon. Amazon is not really about that in my opinion. Not that is insecure. Far from that. But, not their first priority. Again, just my 2 cents.