this post was submitted on 28 Jan 2024

32 points (97.1% liked)

No Stupid Questions

34964 readers

530 users here now

No such thing. Ask away!

!nostupidquestions is a community dedicated to being helpful and answering each others' questions on various topics.

The rules for posting and commenting, besides the rules defined here for lemmy.world, are as follows:

Rules (interactive)

Rule 1- All posts must be legitimate questions. All post titles must include a question.

All posts must be legitimate questions, and all post titles must include a question. Questions that are joke or trolling questions, memes, song lyrics as title, etc. are not allowed here. See Rule 6 for all exceptions.

Rule 2- Your question subject cannot be illegal or NSFW material.

Your question subject cannot be illegal or NSFW material. You will be warned first, banned second.

Rule 3- Do not seek mental, medical and professional help here.

Do not seek mental, medical and professional help here. Breaking this rule will not get you or your post removed, but it will put you at risk, and possibly in danger.

Rule 4- No self promotion or upvote-farming of any kind.

That's it.

Rule 5- No baiting or sealioning or promoting an agenda.

Questions which, instead of being of an innocuous nature, are specifically intended (based on reports and in the opinion of our crack moderation team) to bait users into ideological wars on charged political topics will be removed and the authors warned - or banned - depending on severity.

Rule 6- Regarding META posts and joke questions.

Provided it is about the community itself, you may post non-question posts using the [META] tag on your post title.

On fridays, you are allowed to post meme and troll questions, on the condition that it's in text format only, and conforms with our other rules. These posts MUST include the [NSQ Friday] tag in their title.

If you post a serious question on friday and are looking only for legitimate answers, then please include the [Serious] tag on your post. Irrelevant replies will then be removed by moderators.

Rule 7- You can't intentionally annoy, mock, or harass other members.

If you intentionally annoy, mock, harass, or discriminate against any individual member, you will be removed.

Likewise, if you are a member, sympathiser or a resemblant of a movement that is known to largely hate, mock, discriminate against, and/or want to take lives of a group of people, and you were provably vocal about your hate, then you will be banned on sight.

Rule 8- All comments should try to stay relevant to their parent content.

Rule 9- Reposts from other platforms are not allowed.

Let everyone have their own content.

Rule 10- Majority of bots aren't allowed to participate here.

Credits

Our breathtaking icon was bestowed upon us by @Cevilia!

The greatest banner of all time: by @TheOneWithTheHair!

founded 1 year ago

MODERATORS

[email protected]

When people setup two factor authentication on an account on sites that allow it and insert a phone number, does that site assume by default that it's their own number or do they see it as "a" number? (lemm.ee)

submitted 7 months ago by [email protected] to c/[email protected]

12 comments fedilink hide all child comments

I ask inspired by experiences with Google. Google/YouTube, for as long as I can remember, always had a strange habit of assuming absolutely anyone even near to you is you. Back when I had my first YouTube account (which was also back when I was in a completely different part of the world), for the last few years of having it, it had my sister's channel listed under "alternate accounts" and it wouldn't even ask me for the password to log into her account, I could simply click over to it like it was nothing (led to a lot of sister rivalry moments). Of note, on a less severe scale, something akin to this mindset is also credited to leading me to witnessing a documented and verifiable triple banning of cherished accounts, how lovely.

So yeah, my first curious hypothetical question I have of the year. How common/normal would this stance be on the net, with something like 2FA where it could mean the difference between data and makeshift DNA (secondary question, does it actually work as well as touted years ago)?

all 13 comments

sorted by: hot top controversial new old

[–] [email protected] 13 points 7 months ago (1 children)

If it doesn't ask you to verify the number by entering a code that it texts you, it's not true 2fa.

As for your sister's account. Are you sure it was her account and not you just viewing her channel? If you were actually logged in to her account it stuck around because sites store credentials via cookies it's not unheard of to be able to access previously logged in accounts for a very very long time even after moving across the globe.

And what the fuck do mean by "makeshift DNA"? Unless you meant makeshift 2fa which is still confusing as a term.

[–] [email protected] 2 points 7 months ago (2 children)

That's what I mean, we had a family computer way back then and YouTube assumed once and remembered its assumption forever. By "makeshift DNA" I mean a set-in-place identifier. I never said it was true two factor authentication if it didn't text someone, I was asking if, when you choose to be texted, if it's normal to assume the number chosen to be texted on is property of the person setting it up, versus, for example, a family member lending a number to use. I for one don't even have a phone number right now.

[–] [email protected] 6 points 7 months ago

It uses whatever phone number you gave it when you created the account. They do not guess what phone number you might have.

[–] [email protected] 4 points 7 months ago (1 children)

Numbers can belong to anyone and yes, they do "assume" that the number you enter is at the least accessible by you. It would make no sense for you to make up a number or give them a relative or friends number especially for 2fa.

Why don't you have a phone number? You can get a cheap prepaid phone and if you don't want to pay for cell service you can import that number to Google Voice or other services like textnow, you could even go straight to textnow and get a free number from them. I have one that I pay like $5/year for them to hold on to just in case I feel like I need it.

[–] [email protected] 0 points 7 months ago (1 children)

You mean a burner phone, right? Those are good for verification but not if you regularly need something to log in with.

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

Which is why I said you could port that number elsewhere. Google Voice, textnow, etc.

I personally have at least 5 numbers.

GV that was ported from tmo a good 15+ years ago
My direct personal line
My direct business line

4)My GV business line

My textnow number that I am just sitting on.
I'm going to set up a family number attached to our family email.

[–] [email protected] 9 points 7 months ago* (last edited 7 months ago) (1 children)

If it was a family computer it sounds more like she had signed in too. YouTube and Google support multiple accounts being signed in at once and have for years, with an account picker (Instagram does too, on the mobile app). Assuming it was you only due to location or IP would be a huge and highly publicized security lapse, think of college, workplace, coffee shop. The deviantart thing is because they had the same IP address, that has long been a way of checking for ban evasion or banning people in the first place. Spillover to other people in the household is expected and accepted when designing it that way.

If you were using a phone number, which is generally the worst form of 2FA, they could potentially correlate that the accounts are at least related. Most sites wouldn't, but places like Google or Facebook might. Other forms like TOTP or passkeys should not.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

Why do you say telephone 2FA is the worst method? Seems pretty secure to me if each person has their own phone that no one else has access to.

Except for OP who doesn't have a phone, But that's another mystery and I honestly don't understand how or even IF YouTube thinks that she and her sister are the same person 🤷🏻‍♀️🤔

[–] [email protected] 1 points 7 months ago

It isn't

[–] [email protected] 7 points 7 months ago

Wow, ok hopefully I am unpacking this question correctly. But let's start with the question from the title.
Does Google et al. assume it's your number or just a number you have access to? It's the former. Google assumes you are entering your number. If you put in a communal number, that's on you for screwing up the base assumption underpinning SMS as a second factor for authentication. When working with a factor which is supposed to be "something you have" it needs to be something that you control. Think of it like the keys to your home. If you aren't the only person with a copy of that key, then that lock does not provide security for your home against others with the key.

As for the "DNA" question. I'm going to guess this is about websites "remembering" you for login purposes. The way this usually works is that, after the first login, the website sets a cookie in your browser. This cookie contains a cryptographic value which is also stored on the web server. When you go back to the site, your browser uses this value with your request for the site. The server then compares it to the stored value. If it matches, you are logged in, without needing to reauthenticate. It's more complex than just sending the value, but that's not worth getting into.

If you have multiple logins "remembered" this way, it may be possible to move to different accounts without the need to reauthenticate. Also, many modern browsers can save passwords for you. This lets the browser auto-fill your credentials for you. It's universally a bad idea to save your passwords this way, but it could allow you to switch accounts without knowing the passwords.

[–] [email protected] 3 points 7 months ago (1 children)

https://www.eff.org/deeplinks/2019/07/fixed-ftc-orders-facebook-stop-using-your-2fa-number-ads

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago)

not even the only time it's happened - this is such a stupid situation!

https://www.eff.org/deeplinks/2019/10/twitter-uninentionally-uses-your-2fa-number-targeted-advertising