[HN Gopher] Gmail 2FA causes the homeless to permanently lose ac...
___________________________________________________________________
Gmail 2FA causes the homeless to permanently lose access 3 times a year
Author : horseAMcharlie
Score  : 707 points
Date   : 2022-10-07 12:51 UTC (10 hours ago)
(HTM) web link (twitter.com)
(TXT) w3m dump (twitter.com)
| matthewcford wrote:
| N26 I see (as my phone died and needed to set up a new one) uses facial recognition to determine identity; you take a selfie video when signing up.
|
| IMO this approach would be a good way to confirm identity over an SMS.
| sb057 wrote:
| FWIW I have pretty much given up on trying to use any sort of online banking or other financial website because I do not have cell service at my home, and practically every financial institute requires SMS 2FA these days.
| jochakovsky wrote:
| Some carriers have apps to allow you to receive an SMS over data (e.g. Message+ on Verizon).
| A4ET8a8uTh0 wrote:
| I will offer an unpopular take. Maybe we should not be focusing on ensuring the homeless have access to email. Maybe we should be focusing on ensuring basic services do not require email and/or a cell phone.
| sholladay wrote:
| I wonder how WebAuthn Passkeys will fare here, as they can replace both passwords and existing 2FA systems.
|
| With Passkeys, your credentials will automatically sync between devices. So as long as you have some way to log in to your main account (Apple/Google/Microsoft, etc.), then you should be able to maintain access to all other accounts, even if you're always moving between devices.
|
| And there is a solution to the single point of failure problem as well, because there is a built-in flow where you can copy the credentials to other platforms, in case you lose access to your main account.
| shadowgovt wrote:
| Yep. Recent changes to Gmail security make Gmail a bad fit for the homeless.
|
| What are the best available alternatives?
| crooked-v wrote:
| Personally, I find it particularly infuriating that more and more companies are demanding to use phone-based 2FA _even when I already have 2FA authentication set up_. This applies to Google, too, which has forced me to add a phone number and get an SMS 2FA code for accounts that already had non-SMS 2FA configured.
|
| The whole reason I use an authenticator app is so that my accounts _aren't_ dependent on having the same phone number forever!
| Liquix wrote:
| Being strongarmed into giving up your phone number is as much "for your security" as manifest v3 is "for your privacy". They could care less that you have 2FA enabled, they want that phone number. Many people never change their numbers and enter them into hundreds of sites, creating a wealth of data which can then be profitably correlated with your email content, google account activity, searches, location, etc.
| beauHD wrote:
| SMS as a second factor should be deprecated. I got locked out once because my phone was stolen that had the SIM inside, and I couldn't get back into my Google account. Now I just use a Yubikey and am _never_ asked for OTP codes that are sent to my phone.
| ineedasername wrote:
| Just one more way in which being on a lower rung of the socioeconomic ladder is a self-reinforcing situation.
|
| In this case it's not even a criticism of Google. I don't see an easy solution here that couldn't introduce a more gameable system for hackers.
| Slow_Hand wrote:
| Perhaps an opt-out version for homeless users?
| [deleted]
| danpalmer wrote:
| I agree there should be more explicit support here, but can this not be "solved" with backup codes? One or more could be given to a trusted person - a family member, a friend, or even a trusted librarian - or a backup code could be remembered.
|
| The tough issue here is that these access edge cases look a lot like malicious use.
| They aren't, but authenticating someone who has no device or ID or really much else to authenticate themselves is a Hard Problem. Passwords also aren't the solution here; the industry is moving away from them precisely because they provide poor authentication, particularly for vulnerable people.
| smelendez wrote:
| This is potentially a solution for some but it's not perfect. If they had a trusted friend or family member who could store backup codes and deliver them as needed, they could probably also just stay logged in on that person's phone or even have emails sent to that person. Keep in mind that they have limited transportation and likely lose their contacts when they lose their phones, and many will have strained relationships with the housed people in their lives.
|
| A library solution may not scale. Sure, a librarian might develop a personal relationship and do this as a favor for someone. But the author mentions talking to about 30 people with this problem in his neighborhood, which suggests that if word got out a librarian was doing this and they tried to institutionalize it, a library might have to store codes for dozens or hundreds of people it has no way to authenticate.
| jamesrr39 wrote:
| I think there are possible solutions here for a library; off the top of my head, taking a picture of your face when dropping off the codes, so that when you come back and ask for your codes, the librarian can ID you against the picture they have. Basically what is done when verifying your ID card/passport when you travel/go to the bank etc...
|
| It wouldn't be a librarian doing someone a favour, but rather a service that libraries provide.
|
| This could be a great evolution for libraries. They are already a distributed, public system that people in general trust, but their role in society has changed with the rise of the internet and online services, and this could be a really useful role they could fill.
| danpalmer wrote:
| Yes, this is sort of what I was envisioning. Not as much one trusted librarian doing a favour, but a librarian team having a filing cabinet full of backup codes and an ID process that they trust and that is appropriate for their community.
|
| This is the sort of thing that I think Google could support explicitly with more access control around it, but I don't think that's entirely necessary to get the benefits.
| bombcar wrote:
| Backup codes could work - but if they have the support of a trusted person they likely can be assisted in other ways, too.
|
| Defining a state-sponsored email account that can only be logged in from specific government machines (imagine a kiosk at the DMV, say) where there are trained clerks who can identify the homeless in some way could work.
| danpalmer wrote:
| An interesting idea, but I suspect it just pushes the issue back one more step. How do you authenticate for login to that email account? Specific machines limits but doesn't fundamentally change the attack surface.
|
| If the person has ID, then many options work, but if they don't, what can a DMV and trained clerks do that others can't in some way?
|
| Lastly, I'm not from the US but even I've heard that the DMV is a hellish place with queues hours long. Putting more barriers in front of those who are already in a tough spot (and may need to spend that time working, queueing for shelters, etc.) is a big ask.
| bombcar wrote:
| Yeah, you have to keep falling back - my idea was that, assuming the homeless don't move very rapidly from one location to another, you'd have people at the DMV or shelter or wherever you put this who actually recognize the person and can "vouch" for them.
|
| It's not an easy problem to solve with "one quick trick" by any means. Part of the reason the DMV can be hellish (in the US at least) is they have to deal with _everyone_ who has an ID, not just the "good customers".
| etchalon wrote:
| This could be remedied with "Custodian" 2FA, couldn't it?
|
| Allowing for a case-worker, for instance, to act as a secondary 2FA method, and making it easy for the custodian to update the user's information.
|
| Wouldn't be all that different than corporate ownership policies or family accounts.
| krzyk wrote:
| I'm a bit surprised, homeless people have phones and email addresses?
|
| Sorry for the question, but it is a bit mind blowing for me; in my country homeless people are rare and the ones I see don't worry about anything besides something to eat and alcohol. So having a mobile for them would be like having cash to buy the mentioned things.
| guywithahat wrote:
| I was walking to a convenience store two nights ago and I saw a girl venmo'ing a homeless man money. Realistically it's hard to exist without a phone and bank account, and there are a lot of financial aid/benefit programs for homeless people to pay for these sorts of things.
| adgjlsfhk1 wrote:
| Most homeless people aren't permanently homeless. Of the homeless population at any given time (very) roughly 50% will only be homeless for a few days, 20% will be homeless for a few weeks, and 30% will be homeless for months or longer.
| Comevius wrote:
| They are homeless, not Amish. People can have jobs too while being homeless, since you often can't afford rent in many parts of the world with just a single income. You have to choose between a roof over your head, or eating and having a car to be able to go to work. Or you can get a second income, either another job or a relationship, but that's not always an option, hence why so many people live in their cars. Around 200,000 people live in their cars in the United States alone, but that number is climbing rapidly and will reach a million in a few years, because housing is a luxury now.
|
| And just to compare, the cheapest completely useful (4G, 3GB RAM, 3000mAh battery, Android 11) smartphone is $30; the average monthly rent of a two-bedroom apartment in the United States is $1300.
| WithinReason wrote:
| Just turn off 2FA
| Maursault wrote:
| Finally. Everyone seems to assume that 2FA is a great idea, but it is, in fact, a problem in itself, and a much larger problem than unauthorized access ever was. Unauthorized access was never a ubiquitous problem like 2FA definitely is. Unauthorized access was an exception. The only UA I had heard of prior to 2FA being rolled out was with users of Yahoo Mail. I can understand that some institutions may have experienced it more because they had so many users, but 2FA punishes _everyone_. Just consider the sheer amount of time it has wasted since being rolled out everywhere, 30 seconds at a time. It's centuries of wasted time by now to solve an issue affecting as little as 1% of users.
|
| And 2FA can be defeated through social engineering, and it is defeated constantly in this way. I would far prefer password requirements with 80 bits of entropy to everywhere I log into requiring I collect a 6 digit number from an email, app, SMS message, etc.
|
| But nearly everyone here seems to think this extra little bit of work at every login is a good thing, assuming they would ever have an account compromised. Seriously, how many here were ever compromised prior to 2FA? I've been online since 1983, and I had never come across it personally until after 2FA was rolled out.
|
| Ignoring the personal inconvenience, 2FA's inconvenience increases exponentially for every 10 users being supported. Supporting 2FA among 10K users globally, just 2FA in itself, becomes a full time job for more than one administrator, when previously, those 10K users were commonly supported by a single tech.
|
| Frankly, I'd far, far rather take the risk of unauthorized access than being strong-armed into using 2FA. The amount of time 2FA wastes is far more than the time wasted by unauthorized access. The solution is far worse than the problem ever was.
| jakub_g wrote:
| In one of the later posts, the OP writes that the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
|
| Also, fully acknowledging Google and other bigtechs' 2FA is far from ideal:
|
| The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts; and at the same time accessible to homeless people who can't keep any physical thing. It's kinda difficult to meet those conflicting requirements well at the same time.
|
| Maybe the solution should be to have some basic free state-paid email provider for those people. They are not forced to use Gmail specifically (albeit the number of non-sucking and free email providers is probably close to zero).
| nirimda wrote:
| > In one of the later posts, the OP writes that the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
|
| This is not a technical problem and should not be automated away.
|
| Rely on trustworthy third parties. Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement. In some countries, the police might certify the identity of the individual, and then Google could trust that certification. In another place, it might be some combination of the Red Cross and a public hospital.
| Obviously some identifications will be easier and others harder - if a person in New York claims they are the owner of an account based in Spain, the employee should be suspicious and require a higher burden of proof (and the reactivation might be logistically more difficult).
|
| > The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts;
|
| I'm not really convinced high profile dissidents, journalists and senators (why senators?) should be trusting Gmail to protect them from state sponsored adversaries. Google generally wants to do business in territories controlled by states, which means they have to follow laws and will sometimes be subject to intimidation; but they have no intrinsic motivation to be unhackable.
| kweingar wrote:
| > Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement.
|
| Sorry but this just isn't happening, and if there is regulation to make something like this happen, companies will just turn off their services. Plus this would essentially seal off competition: want to run an email hosting startup? Guess you have to manage real estate all over the world and work with every government.
|
| This whole conversation seems backwards to me. Yes, it should be easier for people to recover their accounts, but should governments be totally reliant on private email providers for communicating with people who need services?
|
| The story, as I understand it, goes something like this: a case worker emails a homeless person, the homeless person can't access their email, and then the case worker denies them access to programs because they never got a response.
| That is not solely an email problem---it's also a huge problem with these programs and services! Why don't _they_ provide identity services and retail outlets to help people get the resources they need? Why are governments shoving this responsibility into the private sector?
| SpicyLemonZest wrote:
| I don't think there's any universe where a company runs an international chain of retail outlets in order to support a free email service. If that were the standard, free email providers just wouldn't exist outside of bundles with other services.
| snotrockets wrote:
| We treat email almost as we used to treat postal mail: we expect it to be available to all ("digital transition" replacing human-fronted public services with digital ones).
|
| If we treat it as a utility, it's fine to regulate it as such. If <big corp> wants to make money, directly or indirectly, by offering email service, they should have some standard of service. If they can't, we can just make it a public service, which wouldn't let <big corp> make money out of it, but would also guarantee it's available to all.
|
| Either way, eating the cake and leaving it whole, like it is now, shouldn't be an option.
| IncRnd wrote:
| > So what kind of 2FA would be homeless-proof? I don't see a solution.
|
| There are three factor categories: what you know, what you are, and what you have. A password is what you know. A phone is what you have. Biometrics are what you are - facial recognition, thumbprints, etc.
|
| 2FA in one manner or another is used by various services, because the security recommendation is to pillar identification by at least two of the three factors.
|
| For your question, there are any two from the three factor categories that could be used.
|
| However, there are also limited versions of a single category that are often used as a backup when 2FA is not available. In this case, Google uses backup codes when "what you have" is not available.
| Backup codes are functionally equivalent to passwords, except that they are limited to single-time use. Limiting use is often a method of using a single factor category when another factor is not available.
|
| Another method is to rely upon another authority, such as using a physical ID card that can be validated in order to let a person back in.
|
| And so forth.
| skybrian wrote:
| One possibility would be to solve the "can't keep anything on them" problem with a bracelet or something like that, like they do in hospitals. Something more durable and less valuable than a cell phone.
|
| If they truly can't keep anything on them, someone who recognizes them needs to represent them. (A locker won't do - they'll lose the key.)
|
| And if they have no friends they can trust (which is likely) then it probably needs to be a government worker of some sort, who has their photo on the computer.
|
| I mean, unless you want to have retina scans to log into library computers or something. Or really reliable face recognition.
| 1970-01-01 wrote:
| > So what kind of 2FA would be homeless-proof?
|
| Drop the password requirement. Use fingerprints + face. Very hard to lose these, but not impossible. Note, this solution is 1.5FA, but would solve the issue at hand. (pun alert)
| patmcc wrote:
| This assumes they have a device that can read fingerprints/face. I'm going to guess homeless folks are also more likely to be on library computers, old phones, etc. and not have access to biometric sensors.
| radford-neal wrote:
| > ... the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
|
| How about the homeless person remembers a good password, and that's all that's needed for authentication? You know, just like it used to be. What exactly is wrong with that?
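The backup-code fallback IncRnd describes above (a "what you know" substitute that is limited to single use, standing in when "what you have" is gone) as an added example written for this page; it is not Google's implementation, and the 8-digit format, the ten-code set, the per-user HMAC key and the in-memory store are all assumptions made here:

```python
"""One-time backup codes as a fallback second factor (added example).

Only keyed hashes of unspent codes are stored, so a leaked store does not
reveal usable codes, and a code is deleted the moment it is accepted. That
deletion is what makes it 'functionally equivalent to a password, but single
use'.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8      # assumption: 8-digit codes, as mentioned in the thread
CODES_PER_SET = 10   # assumption: ten codes issued at a time


class BackupCodeStore:
    """Per-user store of unspent backup codes, kept only as keyed hashes."""

    def __init__(self) -> None:
        # Per-user key: identical codes for different users hash differently.
        self._key = secrets.token_bytes(32)
        self._digests: list[bytes] = []

    @staticmethod
    def _normalize(code: str) -> str:
        # Accept "1234 5678" or "1234-5678" as typed from a printed sheet.
        return "".join(ch for ch in code if ch.isdigit())

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, count: int = CODES_PER_SET) -> list[str]:
        """Generate a fresh set, replacing any unspent codes from the old set."""
        codes: list[str] = []
        while len(codes) < count:
            code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
            if code not in codes:           # no duplicates within a set
                codes.append(code)
        self._digests = [self._digest(c) for c in codes]
        return codes                        # shown to the user exactly once

    def redeem(self, typed: str) -> bool:
        """Accept a code at most once; returns True only on its first use."""
        candidate = self._digest(self._normalize(typed))
        for i, stored in enumerate(self._digests):
            # Constant-time comparison of the keyed hashes.
            if hmac.compare_digest(candidate, stored):
                del self._digests[i]        # spend it
                return True
        return False

    def remaining(self) -> int:
        return len(self._digests)


def login(password_ok: bool, store: BackupCodeStore, backup_code: str) -> bool:
    """Password ('what you know') plus a backup code standing in for the
    missing 'what you have' factor. The code is only consumed once the
    password check has passed, so a wrong password cannot burn codes."""
    if not password_ok:
        return False
    return store.redeem(backup_code)


if __name__ == "__main__":
    store = BackupCodeStore()
    sheet = store.issue()
    print("print and keep these:", " ".join(sheet))
    print("first use:", login(True, store, sheet[0]))    # True
    print("replay:", login(True, store, sheet[0]))       # False
    print("unspent codes left:", store.remaining())      # 9
```

The ordering in `login` matters: checking the password before touching the code store means an attacker who knows neither cannot exhaust a user's codes by guessing, and a replayed code is refused because its hash is gone, not because of any timestamp the user would have to keep.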
| hn_throwaway_99 wrote:
| > How about the homeless person remembers a good password, and that's all that's needed for authentication?
|
| Gosh, I don't know, how about literally _all of the problems_ that 2FA solves in the first place? Passwords alone are a bad solution (often forgotten, easily re-used insecurely) for people _without_ all of the challenges and frequent mental issues that accompany homelessness; why would you think they'd be a good solution for people who, as the OP says, aren't capable of keeping track of a physical device for more than N weeks?
|
| I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, _but_ I'm also not willing to ignore the huge problems the 2FA _solves_, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
| clint wrote:
| Many of the reasons 2FA is added by product managers and engineers is because they are too lazy to actually solve the problem in a way that is empathetic to actual, breathing humans and instead bulldoze through the problem in the least usable method possible, call the problem "solved" and move on to shinier problems.
|
| Just because 2FA "solves" the extremely narrowly defined problem doesn't mean it is the best solution or even something that people can and will actually use. Upon those metrics alone, 2FA is usually one of the worst "solutions" to the problem.
| krick wrote:
| If you forget your password -- it's YOUR fault. If you reuse your password and it gets leaked -- it's YOUR fault. If for some reason you cannot fix yourself, and have to rely on Google 2FA for that -- good. Somebody who can manage their own passwords alright shouldn't suffer because of you.
| How about him just using his password, and losing his accounts because he fucked up, not because Google (or anybody else) suddenly thinks (incorrectly) that it's not him anymore who uses that login and password.
| upofadown wrote:
| > ...often forgotten...
|
| The great thing about something like an email service is that password guessing can be extremely rate limited. You miss three guesses and you can't log in for several hours. So an easily remembered password is perfectly fine unless it is blindingly obvious. As a homeless person losing access to a phone on a regular basis, I am going to be comfortable with the risk that the Gmail password hashes might get leaked. I think others would be quite comfortable with that risk as well...
| LightHugger wrote:
| 2FA is a good option, but there are many situations where a plain password is just superior. If you ignore this reality, that passwords are legitimately more secure and better for a lot of people, then you're undermining an existing working security system and will just cause chaos and loss for people.
| ethbr0 wrote:
| And to generalize, I'd say that...
|
| _"There is an imperfect existing solution, with a problem, therefore we will ban the existing solution and move to a new, better one"_
|
| ... should require extraordinary certainty in the completeness of one's new solution before banning the previous.
|
| There are very few times when the legacy method should be deprecated, and Google is the poster child of someone who shouldn't be trusted to recognize them.
|
| (Looks pointedly at Chrome mv2/3 hubris and implementation clusterfuck)
| AdamJacobMuller wrote:
| > Chrome mv2/3 hubris and implementation clusterfuck
|
| I'm not sure why you think MV3 is a clusterfuck; it seems like it's doing exactly what Google wants. If you're confused by that, remember, you're the product, not the customer.
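The rate limiting upofadown relies on above, together with the 80-bit-entropy figure Maursault raised earlier in the thread, as an added example written for this page rather than anything Google runs: the three-strikes threshold comes from the comment, while the four-hour lockout, the 2048-word list and the injectable clock are assumptions. It implements the lockout and then works out how many online guesses such a policy leaves an attacker per year against a single account.

```python
"""Login throttling and the online-guessing budget it leaves (added example)."""
import math
import time

MAX_FAILURES = 3               # "miss three guesses" (from the thread)
LOCKOUT_SECONDS = 4 * 3600     # "can't log in for several hours" (4 h assumed)


class LoginThrottle:
    """Per-account failure counter with a hard lockout window.

    `now` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, now=time.time) -> None:
        self._now = now
        # account -> (consecutive failures, locked_until timestamp)
        self._state: dict[str, tuple[int, float]] = {}

    def attempt(self, account: str, password_ok: bool) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked'."""
        now = self._now()
        fails, locked_until = self._state.get(account, (0, 0.0))
        if now < locked_until:
            # While locked, even the right password is refused, so the
            # lockout response never leaks whether a guess was correct.
            return "locked"
        if password_ok:
            self._state[account] = (0, 0.0)
            return "ok"
        fails += 1
        if fails >= MAX_FAILURES:
            self._state[account] = (0, now + LOCKOUT_SECONDS)
            return "locked"
        self._state[account] = (fails, 0.0)
        return "denied"


def guesses_per_year(max_failures: int = MAX_FAILURES,
                     lockout_seconds: int = LOCKOUT_SECONDS) -> int:
    """Upper bound on online guesses against ONE account in a year:
    each lockout window allows at most `max_failures` wrong tries."""
    windows = 365 * 24 * 3600 / lockout_seconds
    return int(windows * max_failures)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols drawn
    from `alphabet_size` choices (words from a list, or characters)."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, per_year: int) -> float:
    """Expected time to hit a uniformly chosen secret of `bits` bits at
    `per_year` online guesses (half the keyspace on average)."""
    return (2 ** bits / 2) / per_year


if __name__ == "__main__":
    budget = guesses_per_year()
    print("online guesses per year, per account:", budget)   # 6570
    for label, bits in [("4 words from a 2048-word list", entropy_bits(2048, 4)),
                        ("80-bit password", 80.0)]:
        years = expected_years_to_guess(bits, budget)
        print(f"{label}: {bits:.0f} bits, ~{years:.2e} years of online guessing")
    # Caveat: this bound is per account. It does nothing against credential
    # stuffing spread across many accounts, and nothing against offline
    # cracking if the password hashes leak, which is the separate risk the
    # comment above says its author would accept.
```

At three tries per four-hour window an attacker gets 6570 online guesses a year, so even a 44-bit four-word passphrase is far out of reach online; the figures only hold while the guessing is forced through the login endpoint, which is why the hash-leak and credential-stuffing cases are called out separately in the comments.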
| ethbr0 wrote:
| Assume I'm talking about something deeper than generic HN cliches. ;)
|
| Pushing an implementation cutover by +6 months, and changing it from a hard to a soft date, because it has so many unresolved issues, incomplete APIs, and angry developers seems a fair definition of "clusterfuck."
| timmytokyo wrote:
| > why would you think they'd be a good solution for people who aren't capable of keeping track of a physical device for more than N weeks
|
| Homeless people have no physically secure place to store their possessions. The reason so many of them lose cell phones is because they get stolen or destroyed. It's not because they're incapable of "keeping track" of them.
| mplewis wrote:
| OK, so what solution are you proposing for someone who doesn't have permanent, safe storage for their property?
| xani_ wrote:
| > Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place?
|
| Well, it isn't solving this one. An option to opt out would be nice.
|
| > aren't capable of keeping track of a physical device for more than N weeks?
|
| Bit ignorant of you. They could be just plainly stolen by someone else. A piece of rag working as a tent doesn't exactly have the best physical security...
|
| > I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems the 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems access their accounts.
|
| It's not either/or.
| bennyp101 wrote:
| How do you remember a complex password? By practice? On what device? I'm sure those involved have bigger things to worry about/remember than a complex password to email.
|
| I don't think that is the solution. I also don't know what is.
|
| Public services that somehow provide safe access to email etc.?
| franga2000 wrote:
| Complex doesn't mean hard to remember. XKCD936-style passwords (four words with no special chars) are nearly uncrackable and quite easy to remember. Something even simpler like [mother's name][father's name][year of birth] is also very strong when you aren't being targeted specifically (you almost certainly aren't, especially if you're homeless). The remaining issue is password reuse, but that's mostly solved by having two passwords - one for your email and one for everything else.
| ImPostingOnHN wrote:
| The same way I remember everything else: I think about it enough. There are plenty of good memorable password mnemonics out there, too. So that seems a non-issue.
|
| In any case, I'm sure those involved would prefer the option of remembering a password to not having that option and getting locked out forever. Seems like a good solution. There may be better ones you can implement once this one is; always room for improvement, you know.
| laptop-man wrote:
| I always recommend an easy to remember sentence as a password.
|
| With spaces, punctuation, some sort of capitalization scheme (cap every last letter, or every other, etc.) and throw a number in there.
|
| A lot easier to remember than 32 random bits.
|
| Purposely misspelling something, adding spaces, and your own cap scheme make it a secure password.
| pflenker wrote:
| What works great for me is using _songs_, ideally a sentence not directly from the chorus of a lesser-known song, complete with punctuation and some obvious replacement rules (such as `and` -> `&`). The reason why this works so great is that many people have some obscure song "in them" that they know by heart but which is not super widely known.
|
| I only had to change one of my passwords once when my coworkers discovered I was reliably whistling "Stayin' alive" after logging in.
| renewiltord wrote:
| Quite simply there are multiple factors at play here.
| Do you force 2FA on almost everyone and reduce hostile account takeovers to negligible? Do you allow for no 2FA and permit the homeless use case?
|
| I think Google faced a trolley problem and made the right decision. You need a different tool, "homeless mail", for them.
|
| It's Gmail. You don't have to use it. There's a lot of mail providers out there.
|
| Whatever, if this guy won't set it up I will. I'll stick a 20 msg / hr, 100 / day limit on it and call it a nice anti-spam day.
| lazyasciiart wrote:
| Many people exist and use email _before_ becoming homeless. When that email is gmail - they actually do have to use it when they become homeless!
| SkyBelow wrote:
| The average person cannot remember a good password without some help, be it using it everywhere, writing it down, or using a password manager. Homeless individuals, on average, have many more stressors in life, much higher rates of traumatic brain injury, and a number of other factors that make their ability to remember good passwords much worse than the average person's. Given this solution doesn't work for the average person, it will have even less success applied to the homeless.
| makeitdouble wrote:
| How many passwords does a homeless person need to remember?
|
| I'm with you that an average person is probably using at least dozens of services that need credentials, but these people are probably not logging in on Amazon or checking their 401k online, for instance, and can probably get by with a very limited set of stuff to remember.
| jabroni_salad wrote:
| Over on /r/sysadmin there was a discussion this morning about email systems for dementia patients. How do you provide for someone that is forgetting that they are forgetting?
|
| Pretty much EVERYONE will have cognitive decline in their twilight years. It would be nice if we could have communication systems that are compatible with basic human biology.
| kweingar wrote:
| > It would be nice if we could have communication systems that are compatible with basic human biology.
|
| At some point, this becomes a problem better suited to the government.
|
| Imagine you have a loved one who has dementia or is homeless and incapable of administering their digital accounts with traditional authentication methods. You want to take over their accounts.
|
| You will need to present evidence that:
|
| - they are indeed incapacitated
|
| - they are who they say they are, aside from you vouching for them
|
| - you are who you say you are
|
| - you legitimately represent this person
|
| - there isn't somebody else who has a better claim at representing that person
|
| I personally don't want _any_ tech company in the position to sort through all of that on a case-by-case basis and decide which accounts to unlock or transfer ownership to. Let the government or the courts figure that out.
| googlryas wrote:
| That's literally how it was before 2FA. You can just look up the reasons for 2FA to answer your question.
| IncRnd wrote:
| If a person can remember a password that is a minimum of 8 digits, they can remember an 8-digit backup code that is already provided by Google. They are functionally equivalent, but a backup code is one-time use.
| tmnvix wrote:
| Using a password multiple times helps you remember it.
| [deleted]
| Double_a_92 wrote:
| People can't remember many good passwords. So they start reusing them. If one site has a leak, everything is lost without 2FA.
| sph wrote:
| So the choice is for them to permanently lose access to their email?
|
| Homeless people aren't stupid and strong passwords don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
|
| There is literally nothing more important than your email.
| Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.
| bombcar wrote:
| I would rank a home as more important than email; I'd certainly rather lose access to my email than my home.
|
| But by definition, the homeless have already lost a home (assuming they weren't born homeless) - and I've forgotten passwords before. So "the stupid homeless just need to memorize their password" isn't a solution.
| Wowfunhappy wrote:
| It's not a solution, but it's a heck of a lot better than locking them out of their accounts _even if they still know their password!_
| everforward wrote:
| > I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
|
| This is functionally the outcome of getting hacked, if you want any kind of decent security measures.
|
| Any way that Google can give you access back on a password-only account is going to be rife with bad actors using social engineering to gain control of accounts. As long as that form/page exists, it is a threat vector.
|
| What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.
|
| Banks have more options for account recovery because we're willing to give them a lot more info. They can force me to come in to a branch and compare my ID to my face, or ask for my SSN, or any number of things we're not comfortable handing over to Google (especially over the web).
| judge2020 wrote:
| Who's to say that your email account getting hacked is less dire than losing access to it? Attackers can easily search your inbox for 'verify your email', visit any website of value, and use their access to change the account away from your email to an address that they own, effectively removing your access to your third-party website accounts entirely.
| Wowfunhappy wrote: | I don't know that it is less dire, but I do think it's | less likely. Are homeless people's email accounts getting | hacked three times per year? | | Also... maybe getting hacked is worse, or maybe losing | access is worse, but the user should have the right to | make that decision! Google can set the default, but the | user knows his or her own life. | yellowapple wrote: | > Are homeless people's email accounts getting hacked | three times per year? | | The aversion to 2FA makes them seem like easy targets if | I'm looking for addresses to use for spam. | | > maybe getting hacked is worse, or maybe losing access | is worse, but the user should have the right to make that | decision | | Getting hacked makes losing access considerably more | likely. This ain't one or the other. | Wowfunhappy wrote: | > The aversion to 2FA makes them seem like easy targets | if I'm looking for addresses to use for spam. | | If you want to spam people, why not just sign up for your | own gmail account? | sph wrote: | Because you can still use an account everybody knows the | password of. | | It's a terrible place to be in, but isn't anywhere near as bad | as being a homeless person with no access to HN and | Twitter, having Google delete your account and nowhere to | complain about. Because that is even worse. | yellowapple wrote: | > So the choice is for them to permanently lose access to | their email? | | If an attacker breaks in and changes your password, you | already do very likely permanently lose access to your | email. Account recovery from that point is a hairy | process even for people who have a place to safely store | important documents, let alone those who don't. | | > Even stuff like your bank account has secondary means | of recovery | | Those rely on forms of identification that the unhoused | disproportionately lack (for the same reasons that they | are more prone to lose access to phone numbers).
This is | also among the reasons why being unhoused tends to | correlate with being unbanked. | syrrim wrote: | > I'd rather get my accounts hacked because of password | reuse than lose access to my email, forever. | | step 1: get your account hacked | | step 2: hacker changes password | | step 3: lose access to your email, forever | | What you've presented is not in fact a dichotomy, for any | practical purposes. | UncleMeat wrote: | > I'd rather get my accounts hacked because of password | reuse than lose access to my email, forever. | | When your account is stolen the attacker changes your | password. You lose access to your email forever _and_ | lose access to all of the services that use your email as | a recovery platform. | n8cpdx wrote: | Is it though? Just because a password leaked doesn't mean | it will actually be abused. A homeless person without a | credit card in their Google account is naturally limited in | the amount of damage that can be done. | | Security questions are probably enough, at least for people | who can't handle 2FA. | yellowapple wrote: | > How about the homeless person remembers a good password, | | Which would go one of two ways: | | 1. One uses the same password one uses everywhere else, and | now one is much more vulnerable to credential stuffing | | 2. One is reliant on a book of passwords or a password | management app on one's phone, resulting in the same exact | problem we're trying to solve | LightHugger wrote: | being homeless doesn't mean you don't have the ability to | remember a good password. good means not duplicated. | yellowapple wrote: | Even people _not_ dealing with the stress and trauma of | being unhoused have trouble remembering passwords - even | when they're shared across accounts, let alone when | they're unique. This ain't a "homeless people are dumb" | argument; it's a "humans gonna human" argument. | radford-neal wrote: | No.
One can just remember a good password for gmail, and | either use other passwords elsewhere (maybe bad, re-used, | ones, or maybe good ones, not relevant if we're talking | about gmail), or just always authenticate elsewhere using | your gmail account. | | Remembering one good password is not too onerous. Easier, | it seems, than keeping any physical object in your | possession if you're homeless. (I would assume that most | losses are not due to cognitive failure, but instead are | things like thefts when one is asleep.) | rbone80 wrote: | A good password is one that is difficult to crack which | potentially means it will be difficult to remember. Long | phrase passwords are recommended to be the most secure, but | ironically the more convoluted the password, the harder it is | to remember. In the case that a service requires a new | password every x months, remembering a secure password is out | the window. This type of practice encourages unsafe and | easily guessable passwords such as "password1", "password2", | etc... | out-of-ideas wrote: | I've often wondered why, with a valid ID, the gov does not | give us an email nowadays. Especially one that does not require | this asinine phone-validity garbage. I'd even suggest that | _maybe_ not use email-addresses as a login-name along with | plenty of aliases for inbound and outbound that do not expose | your "main" or account.
| | And google is not alone here; many other major "free" email | providers require a phone as well (dagger eyes at you, MS, | yahoo, etc); and the icing on the cake is that some websites even | require a particular set of domains to register with them to | prevent multi-accounts/bots/spammers/etc => just a big ol | download-spiral of decisions that feed into each other, just to | put a physical ID on anybody to tag-em-to-sell-em | | The biggest gripe is that it is mandatory; it is not an option | and nothing we can do about it other than "vote with our | wallets" - and google does not even allow TOTP use as an | alternative to phones, lol | | The beatings will continue until morale improves; always has | been, always will | [deleted] | esperent wrote: | So if there are certain vulnerable categories of people who | cannot use any form of 2FA, where does that leave 2FA? | | Seems to me it should mean that it has to be optional, at least | until we solve that problem. | pydry wrote: | >The other thing is, we want at the same time Gmail to be | unhackable against best hackers and state sponsored adversaries | for the billions of users, including high profile dissidents, | journalists, and senators who will inevitably have accounts; | and at the same time to homeless people who can't keep any | physical thing. It's kinda difficult to meet those conflicting | requirements well at the same time. | | It's only hard if you adopt a one size fits all approach to | security. | | Google's proclivity towards treating its users as an | undifferentiated commodity isn't proof that its users couldn't be | treated differently. | zoredache wrote: | > So what kind of 2FA would be homeless-proof? | | This is almost certainly a bad idea. But the first thing that seems | like it could work would be an implantable NFC yubikey. Then | making more devices support NFC.
| | I know I would be pretty tempted to get an implantable 2FA | device if one was available and seemed like it would have both | broad and long term support. | xani_ wrote: | xvector wrote: | How could you possibly come to the conclusion that a homeless | person could afford a surgically implanted 2FA token? | indrora wrote: | Ah, yes | | I can read the headline now | | "GOVERNMENT PROGRAM TO CHIP HOMELESS PEOPLE LIKE DOGS TO | PROVE IDENTITY" | | I implore you to read The Scarlet Letter and perhaps read up | on [similar such things](https://en.wikipedia.org/wiki/Identi | fication_of_inmates_in_G...). | Cerium wrote: | Maybe we don't need to meet all those requirements | simultaneously. The onboarding process could try to | determine if 2FA would actually benefit you or not. | macspoofing wrote: | >The onboarding process could try to determine if 2FA | would actually benefit you or not. | | How? | adgjlsfhk1 wrote: | By asking you? | macspoofing wrote: | Well .. yeah. And I think that's what OP (of the twitter | thread) is advocating (without explicitly stating it). | Namely, that 2FA doesn't work for the homeless. | MonkeyMalarky wrote: | Ask. Default to yes but allow to opt out. | scyzoryk_xyz wrote: | "Maybe the solution should be to have some basic free state- | paid email provider for those people." | gmm1990 wrote: | Probably a DNA solution, not that you'd want google to have | that info directly. | cdot2 wrote: | The problem with biometrics like that is that if the data is | stolen or otherwise accessed then it can't be reset. If an | attacker has your fingerprint and you use that for 2FA you | can't reset that to prevent them from having access. | xani_ wrote: | Or just let people disable 2FA. That's the simplest and easiest | solution. Slap a red warning label if you need to. | macspoofing wrote: | >Maybe the solution should be to have some basic free state- | paid email provider for those people.
They are not forced to | use Gmail specifically (albeit the number of non-sucking and | free email providers is probably close to zero). | | You don't need to use Gmail. There are a lot of good free mail | providers. | xani_ wrote: | Yea till they add 2FA too... | fknorangesite wrote: | And what happens if I've already been using that gmail | address and _then_ become homeless? | | I guess too bad! Should have thought of my future | homelessness when I was signing up for an email service a | decade ago! | macspoofing wrote: | OK ... who are you arguing with? | | OP stated "Maybe the solution should be to have some basic | free state-paid email provider for those people." | | I replied that there are a lot of good free email providers | already. | lazyasciiart wrote: | You, when you said "they don't have to use Gmail". | WithinReason wrote: | Then you change your password to a strong one and turn off | 2FA | newaccount2021 wrote: | ravel-bar-foo wrote: | Gmail allows users to generate 10 one-time use 2FA codes at | a time. Even if you are not going to become homeless, you | should generate these and write them down somewhere secure. | You never know if your phone battery will suddenly die. | joshka wrote: | Replace something you know, something you have with something | you know, someone you know or something similar. | kylehotchkiss wrote: | They should try other free email services. It'd be nice if Google | voice was still free and somebody could help set that up as their | persistent number. That said, Google 2FA is mission critical for | many people's online identity and is protecting them from a world | of online evils, this is not a reason to step back from a | security posture that Google has rightly decided protects its | users. | bArray wrote: | Again, this idea of "secure by default" should at least have an | option to opt-out. A few misunderstandings about phones: | | 1. Somebody has a phone | | 2. Somebody has a smart phone | | 3. 
They are in contact with the phone 24/7 | | 4. They are the unique user of that phone | | 5. The SIM card and/or number cannot be taken from the phone | (virtually or physically) | | I currently have to use this for work, with the only positive | being that if I get locked out, I can go tell the admin team to | let me back in. With someone like Google, it's not even possible | to get them on the phone to explain, let alone have them believe | it is really you. | ChoGGi wrote: | Last time I checked Google will issue backup codes, the | individuals and this person can both hang on to them when the | phones go missing. | bongoman37 wrote: | arbuge wrote: | You lose your entire Google account if you lose your 2FA device | or number (assuming it's a phone number), for any reason. Even if | your Google account is set up with a non-Google email address | which you still have access to, and you still know the correct | password. And there's nobody you can reach at Google about it, no | appeals process, nothing. | | https://news.ycombinator.com/item?id=33098261 | edgecasestdio wrote: | I verify that this is true at the time of posting. In previous | volunteer work at a non-profit run by university students, the | organization assigned a free Gmail account to each executive. | Each year, we ran into a problem where the executives would | change, and we needed to transfer the Gmail account to the new | person. | | Problems would happen when the new person tried to log in to | the account. Since the login was from an unrecognized device | and an unrecognized IP address, security was tightened. Even | after inputting the correct password and entering the right | backup email, it was mandatory to enter an SMS message from the | phone number tied to the account, even after various | troubleshooting and attempted workarounds. That meant getting | ahold of the previous executive, who may be busy or changed | their number. 
| | You could argue that Gmails weren't meant to be used this way, | which is fair; the goal of this comment is just to provide | additional evidence that the description provided by the parent | comment is true. (In the end, we went for a low-cost, reliable | email service to fix the issue in the long-term. We also found | that registered non-profits are eligible for free Google | Workspace or Microsoft Outlook email plans subject to certain | eligibility conditions, though we did not have a need of | becoming an officially registered non-profit at the time.) | pfooti wrote: | FWIW, if you're the administrator of the organization, you | can disable 2FA from the admin console for that user's next | login. I've done this a few times for similar reasons. | edgecasestdio wrote: | Thanks for the tip, though this just works for a paid | Google Workspace email plan (or a free Google Workspace for | Nonprofits plan) [1]. We couldn't do this because we were | using free personal Gmail accounts at the time (by | transferring the credentials from retired executives to new | executives) as we lacked budget and formal non-profit | registration (to be eligible for the Nonprofits plan) since | the group was fairly small and undergraduate student-run. | | The difficulties were to be expected as personal Gmails | weren't meant to be used like this (the goal was just to | share an anecdote about the difficulties of phone numbers | used for two-factor authentication with the free service | even once a year). The long-term solution we used was to | pay for a reliable but low-cost (in comparison to Outlook | and Google) email host initially recommended on HN and a | few sysadmin forums, to gain access to organization-wide | admin features. | | [1] https://support.google.com/a/answer/2537800?hl=en#zippy | =%2Cc... | mihaaly wrote: | I took three steps against this happening: 1) | Not providing phone number for 2FA. Never. 2) Using | multiple (3 pcs.) 
physical keys for 2FA (like Yubikey and | similar). Authentication app is an alternative for one choice | of 2FA (but not the sole one!) 3) Only using a limited | set of Google functionality. Use for secondary purposes mostly. | | Well, the last one is mainly to mitigate the consequences if | it happens anyway, for other reasons too (like with that poor guy | who took a picture of his own naked baby for remote diagnostics | with his doctor and Google locked him out for months - and | still counting at the time of the article - for child | pornography) | aliqot wrote: | I took one step: 1) Don't use anything | Google. | ugjka wrote: | I get funny looks when people ask for my email. I have | @protonmail.com email | mihaaly wrote: | I have that too! : ) That is dedicated for the important | things. | aliqot wrote: | My sympathies go out to you, I get similar looks for not | having a phone. | indrora wrote: | You took a step that requires a _lot_ of skill, wealth, and | privilege. | alpentmil wrote: | Please tell this to all homeless people. | [deleted] | arubania2 wrote: | This is what one-time backup codes are for. | | Alternatively you can purchase a hardware key and store it in a | trusted place, but admittedly they are expensive, so OTBC is | the usual route. | anotherman554 wrote: | That link involves someone with no backup email address | connected to their google account for recovery purposes, for | what it's worth. | arbuge wrote: | You can set a backup email address for Google accounts if | they're using Google email addresses, but you can't do this | if they're using non-Google email addresses as the primary | address, such as the one in that link. | | I'm logged in to such an account right now and there's no way | to do this. The account primary email is also set as the | recovery email address and there's no way to add another.
| | It's actually deceptive to the user to even call it a | recovery email address in this case, since Google will never | offer to alternatively send a verification code there if the | 2FA device is unavailable. | whoooooo123 wrote: | One of the many reasons why I switched from GMail to Fastmail. | arbuge wrote: | Google accounts are required for many other Google services | besides Gmail. Replacing Gmail is the easy part. | GraphenePants wrote: | Agreed. It's irresponsible that the homeless don't have $50 a | year for Fastmail. It's worth going hungry to be the customer | and not the product. | ineedasername wrote: | It's this sort of thing that has prevented me from activating | 2FA on my gmail account. I pay for Google Drive (as a tertiary | backup) and would be willing to pay more for service that | include _actual customer service_. At this point though I feel | locked in. I could switch (any suggestions on paid email with | *real* support available?) but it's a pretty big burden to go | through every site & service that uses my email as either a | login or password reset vector and change things over. | | Heck, here's an idea for a startup: a digital "moving" service. | IRL I could pay a company to take everything I own, pack it up, | ship it somewhere else, and even unpack it too. I'd like to see | a digital equivalent. | aaaaaaaaaaab wrote: | Wtf is "unhoused". | golemotron wrote: | It is the next step on the euphemism treadmill. Apparently, | "homeless" is tainted or declasse now. | himinlomax wrote: | I wonder what the next step will be. Probably an acronym, | PWFA (Person Without Fixed Abode). | RichardCNormos wrote: | My city government here in California calls them "people who | live outside". | sicp-enjoyer wrote: | I wonder how much time is used for 2fa in the entire economy each | day. 
| yellowapple wrote: | An elegant solution here might be to allow users to designate a | list of other users who can "vouch" for them; if multiple people | who you previously designated as trustworthy say "hey, this is my | friend's new phone number, use it instead of the old one for | account recovery", then that should satisfy the "who you are" | authentication factor (and set the new "what you have" factor). | | Similar idea behind web-of-trust or multisig cryptocurrency | wallets, except without the cryptographic mumbo-jumbo. | rch wrote: | It seems to me that the government service responsible for | providing the phone should be expanded to provide a permanent | digital identity, including email, and a lasting phone number. A | permanent address (open and scan, with selective forwarding) for | physical mail would also be worth investigating. | hammock wrote: | Is homeless a temporary or permanent state? | | How many homeless have been so for longer than four months? | charcircuit wrote: | It is temporary because they can just buy / rent a home | tiku wrote: | Just stop being poor or mentally ill, easy. | l72 wrote: | Every single American should be able to get a free, permanent | email account through our Postal Service! | | We shouldn't have to rely on Gmail for what may be the only way | to get information/apply for basic government services! | alpentmil wrote: | This. The provider/USPS will then realise how challenging it is | to verify identity. | mcshicks wrote: | There was a bill to improve digital identity in the US | Congress but I don't think it went anywhere. I do think govt | issued digital ID, while in some ways problematic, would be a | step in the right direction | | https://www.congress.gov/bill/117th-congress/house-bill/4258 | tobyhinloopen wrote: | "Unhoused people"? | virtualritz wrote: | Won't using e.g. Authy with Gmail for 2FA alleviate the need for | a phone number after the initial setup (i.e.
requiring a number | only once, to initially enable 2FA)? | | https://authy.com/guides/googleandgmail/ | jffry wrote: | The issue is described further in the Tweet chain: Physical | property retention is more or less impossible; these people | typically end up getting their phones stolen every month to 4 | months. The same would be true of IDs or other paperwork that | could be used to prove their identity. | | They get phones from a government program. Each new phone has a | new number, and due to the above challenges, it'd be | challenging to port numbers and keep a consistent number. | | Authy accounts are keyed to your phone number, and to set one | up on a new phone you have to receive a verification call/text. | [deleted] | Taek wrote: | Yes, but that's a highly technical solution. I've been trying | to get my girlfriend to use Authy for 6 months now, and the | solution we landed on is that my Authy app has all of her 2FA | codes, and she just calls me if she needs one. | | To you and me 2FA doesn't seem that complicated. But to less | technical people it's just overwhelming and they don't want to | bother with the learning curve. | kioleanu wrote: | What learning curve? Setting up the account in the first | place? Sure, that's a tad complicated, but I really don't | understand why your girlfriend finds it easier to call you | when she just has to open the app and the code is simply | there. | macspoofing wrote: | There are various approaches to 2FA, from backup codes, to SMS, | to external physical keys - none of them workable for the | specific use-case OP defined: person is homeless and loses | their stuff every few weeks. | | For that situation no 2FA solution is going to work. | valenterry wrote: | Of course there is. For instance a printed paper TAN list. | Yes, this is not as safe as a proper 2FA device.
But it's easy | to access, cheap (just go to a copyshop and 10 cents to print | it, then put in a plastic bag) and it's so small that it's | easy to put it somewhere where you don't lose it and is hard | to get stolen. | macspoofing wrote: | You're not arguing with me, you're arguing with the author | of the twitter thread. | | "Any solution requiring long-term retention of a physical | 2FA key or high-entropy secret will not work." | valenterry wrote: | No, I'm certainly arguing with you. :) | | Maybe, on top of that, I'm also arguing with the author. | But I assume he implicitly talked about Google (which | doesn't provide that option). | macspoofing wrote: | >But I assume he implicitly talked about Google (which | doesn't provide that option). | | Google provides backup codes. You can print them on any | kind of paper you want. | | Regardless, OP argued that printed backup codes don't | work because everything is lost every few weeks. | valenterry wrote: | Oh really? I didn't see that option. Maybe it's new? If | so, that's good! | mmcgaha wrote: | Or maybe they don't exist any more because I still have | mine on an index card from ten or so years ago. | abraham wrote: | How do you use Authy if you lose all of your possessions every | few months? | [deleted] | saghm wrote: | From what I remember when I used Authy briefly (Google | Authenticator finally added the ability to mass import/export | codes shortly after I ended up trying Authy), you create a | login and set a master password, and then you have access to | your codes on any device when you log into the app. Of | course, this means that you have to trust Authy with your | codes being stored externally, but this might be one of the | sets of circumstances where that's preferable. | faller_slive wrote: | Authy recovery requires you to have access to the same | phone number when you want to restore to a new device. | saghm wrote: | Oh, interesting, I didn't even realize that when I used | it! 
I guess that goes to show how easy it is to take | something like that for granted | faller_slive wrote: | I did some more research. It looks like there is a way to | recover if you don't have the phone number or the old | device. They have an online form you fill out with your | old phone number and new phone number. Then they have | some process to verify ownership of the phone numbers | which they say will take several days for security | purposes. | | https://support.authy.com/hc/en- | us/articles/115001953247-Pho... | dexterdog wrote: | Authy doesn't store your codes. They store encrypted | copies. They are encrypted on your device and only | decrypted with your password which does not leave your | device. As long as their encryption is not broken your | codes are secure. | courgette wrote: | It's a valid point that I don't expect Alphabet to address. | Honest question: what about those security codes? I'm not | homeless but I expect my phone to die anytime. It's from 2015. I | want to bring it to 2025 but it might not make it. | | As a result I planned for that phone stopping working and my | understanding is that I will be able to emergency 2FA with those | codes once it breaks. Am I wrong? | nyuszika7h wrote: | How do you expect homeless people who can't hold on to their | phones to hold on to the backup codes? | spoonjim wrote: | Probably a genuinely useful application of biometric | authentication. | ZeroGravitas wrote: | It feels like having a way for them to transfer the Obamaphone | numbers would solve this, and probably some related issues. | | Since I've been able to keep the same number through various | phones and SIMs, this seems technically possible. | [deleted] | exabrial wrote: | 2FA that delegates to SMS needs to be illegal and addressed by | congress at this point.
What's "actually" happening is you're | delegating authentication to another company that performed | either a hard credit check on the person (the vast majority of us) | or has a prepaid (likely the situation above). In both cases, | it's a delegation of IDV and needs to be outlawed. | aaron695 wrote: | errorik wrote: | How about building a solution (or a possible solution)? | | I think it is fair to guess that many people reading this have | achieved some level of success building solutions to technology | problems. Much like solving for malicious use for the average | user with 2FA - or privacy with things like protonmail - why | shouldn't some of us attempt to solve this rather than | expect/complain that Google hasn't? | | Mail hosting isn't particularly expensive - companies like | mxroute are sub $1 per GB per year with deliverability, etc taken | care of - or at least well enough to make it better than | constantly changing addresses. | | I know that I personally would be willing to invest time and non-trivial amounts of money to offer a solution and gauge adoption | and feedback. | | Some opinions (open to feedback!) on where to start: | | 1. Use existing mail provider from the start - mxroute looks like | a possibility | | 2. Overprovision storage by some reasonable factor - say 1GB | accounts with 10x overprovisioning - interested to hear from | those who know more than me about this but I wonder if more | unhoused/homeless people generally use email for mostly | transactional purposes not 20 MB JPEGs, etc. | | 3. Ensure the webmail interface (possibly build it) is ultra | simple and super accessible - screen readers, text to speech, and | of course mobile first. Again I (perhaps naively) imagine that | features like tagging, rich content composing, and filtering are | super low priority here. | | 4.
Have a sign up flow that is mildly fraud resistant - mobile | number verification (VoIP not accepted) with a cool off before it | can be used for another account (how often do Obamaphone numbers | rotate/deactivate once stolen?) and an (accessible) captcha type | system to avoid mass sign ups. This could then in V2 be expanded | to include more corner cases - possibly invites in lieu of phone | numbers, etc. If fraud/spam became an issue it should be easy to | detect given these will generally be low volume users. | | 5. Require only a modestly secure password for login. Use | malicious use detection to trigger recovery/verification mode | (see next). | | 6. Have a recovery/verification mode that fits the user group - | need ideas here - but 5 questions that you have to answer 4 of | and have some verification that the answers are not just simple | words at setup? Combine that with verify with a real (but | possibly different) mobile (non-VoIP) number that hasn't been | used in X days to verify another account? Trusted friend recovery | address? Seems like lots of possible solutions to explore here, | and no doubt lots of people smarter than me who could provide | ideas. | | Is there interest in doing this? Am I the only one that feels | frustrated when we (including myself) debate what google should | do, or why people are unhoused (or what to call people who are) | when many of us are capable and financially able to at least try | to offer a solution? | | With 500k-1M homeless/unhoused in the US (no reason it couldn't | be international, just starting somewhere) - let's say it was | crazy successful and had a 10% adoption rate of actual active | usage. Maybe that's 7.5 TB of storage. I'm sure a reputable | provider would be willing to partner to provide that at | $1/GB/year or less (plus hosting webmail, etc) - I'd be willing | to pay that bill personally for that kind of adoption/benefit. | Would others? Would others dedicate their time?
| | Homelessness is multifaceted - that seems to be the one thing | everyone agrees on - so offering possible solutions to any given | facet - from fragmented communications to safe shelter - is at | least a start and possibly a small part of making a difficult | life situation a little easier to overcome/deal with. | bgro wrote: | Does anyone else notice old accounts that were working fine in | the past randomly get demanded to enter your phone number for | verification. "We detected unusual activity" is such an obvious | lie. | | When setting up thunderbird, I've had multiple Google accounts | lie about suspicious activity and demand I go through about 10 | captcha checks and enter my old password and answer my security | questions and verify my phone number. After passing all of that | without error, they STILL won't let me log in with a blanket | statement about security. | | Why oh why would they ask users to jump through extreme hoops | just looking for any possible questionable failure to point to as | an excuse, but still reject you after passing everything? If | you're not going to let people use their account, farming free AI | detection and personal information out of them doesn't seem like | a legitimate tactic one should be doing. | | They discriminate against some phone numbers too. They have to be | in whatever they think the correct country is, they often can't | be VOIP or VOIP related, and there's unknown blacklists of some | famous numbers sometimes. | | What happens when we run out of phone numbers? I won't be | surprised when accounts start getting banned for "sharing" or | "ban evading" phone numbers (aka getting a new phone number for | any reason) because it screws up their ad tracking of you... Or | they'll force you to first log into an account in order to delete | it even though it belongs to somebody else. 
Or your new phone | number you bought specifically for authenticating a separate | account is banned (just like voip number) because a previous user | was banned using it. | ynbl_ wrote: | [deleted] | P5fRxh5kUvp2th wrote: | I don't think access to email is the biggest concern the homeless | have. | | It sucks, but there are alternatives besides gmail and if google | is going to spend time on this, I'd rather they not and instead | spend time on getting homeless into homes. | adgjlsfhk1 wrote: | What about when you want to apply to a job or an apartment | which requires email? | P5fRxh5kUvp2th wrote: | I would expect it to require a phone number and physical | address before an email. | | I also wonder if this person on twitter would be willing to | let his friends use his email or phone. | | The homeless have challenges, no doubt, but that does not | imply google worrying about 2FA for the homeless is the best | way to solve those challenges. It wouldn't even BE an issue | if they weren't homeless in the first place, for example. | lxgr wrote: | Did you even read the linked thread, of a person apparently | actually working with homeless people? It explicitly | mentions that email is the preferred method of | communication for many of them, for reasons also mentioned | in the thread. | | > The homeless have challenges, no doubt, but that does not | imply google worrying about 2FA for the homeless is the | best way to solve those challenges. | | You seem to be under the impression that improvements to | the condition of people's lives are only ethically | acceptable if they happen ordered strictly by descending | impact. In my experience, that's not realistic. | P5fRxh5kUvp2th wrote: | And you seem to think doing the easiest thing is actually | useful. | lxgr wrote: | Yes, I do think that doing something useful is useful, | even if it is easy. 
| P5fRxh5kUvp2th wrote: | and thus does the problem continue because those who | could help are too busy making themselves feel better | with as little effort as possible. | | It's 2FA ... for homeless people. | adgjlsfhk1 wrote: | Partial solutions that take minimum effort are great. | It's like replacing a single incandescent light with an | LED. Sure it doesn't solve climate change, but it | definitely helps, and doing easy helpful things is way | better than not doing them and complaining that the | problem is big. | P5fRxh5kUvp2th wrote: | pretty much every ineffective strategy has been | rationalized at some point. | | email implies internet, 2FA implies realtime internet. | The lack implies very poor at the very least up to and | including homelessness. | | "this one company uses 2FA, we should bitch at them until | they remove that need" doesn't actually help anything. | | This person who posted the tweet could offer their | personal phone, email, and internet for these homeless | friends they have. Why don't they? I bet they'll say it's | because it doesn't solve the "real" problem. | | Yeah, neither does asking google to spend money on | removing 2FA for the homeless. | lxgr wrote: | Who do you think would be spending time on this at Google? I | highly doubt that their software engineers and product managers | in charge of 2FA would, when idle between pull requests, go out | and help the homeless. | | Why not lobby those engineers and product managers to improve | something that they actually have agency and arguably a | mandate to improve, helping users homeless and otherwise? | P5fRxh5kUvp2th wrote: | I don't understand the question, google cannot attempt to | solve this without assigning someone to spend their time on | it. | | If they do so, I would rather they put that money into | actually helping the homeless. | lxgr wrote: | I think you vastly overestimate the fungibility of | engineering resources in large corporations. 
| | Also, which one do you think the involved stakeholders at | Google would have an easier time getting signed-off: | Decreasing reliance on stable phone numbers as an | authentication factor, or firing a couple of people and | donating their salaries to an organization helping the | homeless? | | Sometimes, depending on the probability of success, the | pragmatic choice is also the ethical one. | P5fRxh5kUvp2th wrote: | oh stop it, tech people always think the world works in | binary. | | Apparently this multi-billion dollar company can't see | fit to help humanity because it's literally hard (or | impossible?). That somehow I, as an individual, have more | of an effect because charities only ever accept money | from individuals and not billion dollar corporations? | | seriously, just stop. | tzury wrote: | The title "Gmail 2FA causes" is misleading. Every phone-based MFA | will lock out users once the phone is lost and no proper backup was | in place. | tiku wrote: | You could tattoo your recovery code somewhere on your body | perhaps? And then re-enter it in your 2fa app. Not ideal but | unloseable. | dexterdog wrote: | Tattoos are not cheap and recovery codes are 1-time use. | kazinator wrote: | Separately from the Gmail 2FA cluster fuck, maybe that Obamaphone | program should fix its number nonportability problem? | pmarreck wrote: | Doesn't Authy persist Google Authenticator codes through devices? | jqpabc123 wrote: | An authenticator app is a much better 2FA solution that I opt for | at every opportunity. | | Google's authenticator app is brain dead because they want to | encourage 2FA over SMS. Why? Because it has the wonderful side | effect of destroying your privacy. With your phone number, Google | can easily identify you personally. Ain't that special --- | privacy invasion wrapped up in security clothing! Much too | tempting for Google to resist. | | Google didn't invent OTP so there are other apps that are | perfectly compatible. 
| | Word to the wise, it should be obvious by now that all things | "Google" are synonymous with "privacy invasion". | sp332 wrote: | How are you going to sign in to your OTP app on a new device? | jqpabc123 wrote: | Reinstall the app and restore private keys from off device | backup. | | The lack of key backup and restore is one big reason not to | use Google's authenticator app. Other compatible apps are not | so brain dead. I backup every time I add a new sign in. | | If you don't have the ability to sign in from multiple | devices and the ability to install access onto any new | device, then you're doing it wrong. | | Phones are highly portable devices subject to being stolen, | damaged or just dying for no obvious reason --- so always be | prepared. This is simply not possible with 2FA over SMS. | Kalium wrote: | The problem here boils down to this: how does this help | people who don't have secure, reliable storage for off | device backup? | jqpabc123 wrote: | pcloud.com | joshuamorton wrote: | Replace sms with yubikey and the first part of this post is | correct. But it invalidates the second part. | lxgr wrote: | SMS 2FA needs to disappear (or be relegated to a strictly | optional, discouraged method) yesterday, and so does using a | phone number as the primary user identifier. | nordsieck wrote: | > SMS 2FA needs to disappear (or be relegated to a strictly | optional, discouraged method) yesterday, and so does using a | phone number as the primary user identifier. | | A lot of the downsides are mitigated by using Google Voice as | the SMS number, since attackers can't migrate your number away | from Google. | | But in general, I totally agree with you from a security | perspective. I just think that it's a difficult thing to get | people to use authenticator apps. Apple has resorted to baking | the functionality into their OS. 
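| [editor's note] The exchange above (jqpabc123 on restoring OTP keys from an off-device backup, and "Google didn't invent OTP so there are other apps that are perfectly compatible") rests on one fact: an RFC 6238 TOTP code is a pure function of the shared secret and the clock, so the only thing that has to survive a lost phone is the secret itself, usually carried in the otpauth:// URI a compatible app exports. The following is an added example written for this page, not code from any commenter or from Google; it implements HOTP/TOTP from the standard library, checks it against the RFC 6238 test vectors, and round-trips a secret through an otpauth:// URI to show that any app reading that URI produces identical codes. The label and issuer strings are assumptions chosen for illustration.

```python
"""Added example (not from the thread): RFC 4226 HOTP / RFC 6238 TOTP from the
standard library, plus the otpauth:// URI that is the portable backup artifact.
Any compliant authenticator app given the same URI yields the same codes."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter derived from Unix time // step."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, digits: int = 6,
                algo: str = "sha1", window: int = 1) -> bool:
    """Accept codes from +/- `window` time steps to tolerate clock skew on the
    client; compare in constant time so timing does not leak the valid code."""
    counter = at // step
    for c in range(max(0, counter - window), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algo), code):
            return True
    return False


def otpauth_uri(label: str, secret_b32: str, issuer: str, digits: int = 6,
                period: int = 30, algorithm: str = "SHA1") -> str:
    """The de-facto Key URI format authenticator apps import and export.
    Backing up this string (or the base32 secret inside it) is the whole backup."""
    return (f"otpauth://totp/{quote(label)}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm={algorithm}&digits={digits}&period={period}")


def parse_otpauth(uri: str) -> dict:
    """Parse a TOTP Key URI back into the parameters needed to compute codes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # apps commonly strip base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", [""])[0],
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    uri = otpauth_uri("Example:alice@example.com", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", "Example")
    p = parse_otpauth(uri)
    now = int(time.time())
    print(uri)
    print("current code:", totp(p["secret"], now, p["period"], p["digits"], p["algorithm"]))
```

The `verify_totp` window is the server-side knob: a window of 1 step (30 s either way) covers ordinary phone clock drift without widening the guessing space much, and the constant-time compare matters because the code is short. Note what the example does not solve, which is the point Kalium raises above: exporting the URI only helps if there is somewhere safe to keep it.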
| lxgr wrote: | That's what I'm doing, and it works fairly well - until I get | to one of the many corporations regarding VoIP numbers as | inherently insecure, and they don't let you use it for 2FA | purposes... (Nevermind Google supporting robust 2FA for | logins, and my phone operator not even offering 2FA for eSIM | swaps.) | | And that's disregarding the elephant in the room, i.e. Google | inevitably pulling the plug on Voice at some point. | Pxtl wrote: | Fundamentally this is a hard problem - how do you have "something | you have plus something you know" which is security best- | practice, for somebody who will regularly lose all their | possessions? | | I mean I've always fantasized about getting NFC into everything | so that NFC-based tags could provide convenient "something you | have" taps. Like, give me a simple ring on my finger to tap-in to | a scanner on my keyboard rather than having to meander through an | app on my phone. | | The other problem is that with every org running their own auth | systems, if you're trying to help a person with this problem you | have to set them up on a dozen services. I really wish something | like Mozilla Persona had taken off. | kuwoze wrote: | sorry but why are they losing their phones ? stolen ? sell it for | drugs? | kotaKat wrote: | Shit gets stolen nonstop, and not just by fellow unhoused. When | the police come and tear down camps, there's no expectation of | recovering anything left behind. 9 times out of 10 they're | followed by a public works crew throwing everything into | dumpsters. Good luck getting your phone (or any of your other | possessions) back. | Workaccount2 wrote: | When you are on the street your stuff gets stolen a lot. | webdoodle wrote: | I went cellphone-less 2 years ago, and have experienced this | first hand. I've been locked out of my Gmail, Ebay, LinkedIn, and | other services multiple times. 
I was unable to apply for | government services either, until I finally found a decent soul | that used their own phone to register me. But they shouldn't have | needed to do that, and we shouldn't be required to have a spy | phone just to be part of society. | | These spy phones and the apps they peddle have become a plague | upon humanity. They use addiction and coercion (denied services) | to keep you under their spell. The worst part is that they are | being forced upon our children, way worse than the tobacco | industry ever tried. | from wrote: | I want the ability to opt out of this 2FA nonsense. I'm not a | journalist in a war zone, I'm just a guy who wants to read his | email (with a 64 character password containing random ASCII | characters). 2FA is just an excuse to make the abuse departments | life easier by raising the cost of botting accounts. | [deleted] | hatware wrote: | "Unhoused people" | | The newspeak is strong with this one. There was never anything | wrong with the word homeless. | | Have progressives gone too far? | theandrewbailey wrote: | Maybe. Look up George Carlin's soft language skit. It's | happening to "homeless" now. | ajhurliman wrote: | Back in Seattle the lingo was "persons experiencing | homelessness". I feel like the more syllables you can get in | there, the more PC it gets. | BulaVinaka wrote: | ifqwz wrote: | I hate services that forcibly enable 2fa on you. Even if you have | it disabled, if they detect that you have changed browsers, IP | addresses, etc. they make you go through 2fa whether you want it | or not. Or just lock you out, or even suspend your account. Fuck | that. | 867-5309 wrote: | maybe just.. don't use gmail? if it happens twice then that | should tell them something | angry_octet wrote: | This problem, and the not-my-problem responses, really highlight | the self centered mindset we have encouraged. What if that | homeless person was your substance-abusing sibling? 
A friend from | school with mental health issues? We need to collectively take | more responsibility for those in the worst situations. | | If you've ever tried to teach an old person how to use 2FA you | know it's an uphill battle. Using a fingerprint reader isn't even | doable for some. And we're all going to be old one day. | | Practically, we need ideas like 2FA to gain traction as widely | as possible, while realising that isn't _everywhere_. And some | people will never use 2FA, need higher thresholds for triggering | lockouts, and need alternative methods for re-establishing | identity to their ID provider (google in this case). For some | people that might be their local librarians or community shelter, | legal aid groups, and banks. | UncleMeat wrote: | "Not-my-problem" is a bad response, but the actual response is | that without 2FA _even more people_ lose access to their | accounts. Anything that makes it harder for adversaries to take | over an account almost necessarily adds friction for the users | themselves. This isn't a "fuck the people who don't have | regular access to a phone, they don't matter" situation. It is | a "there is an aggravating balancing act in this situation and | no solution will avoid harming everybody." | dmix wrote: | Yep, reducing standards for everyone in an attempt to help a | small minority is _also_ a growing trend in the west. Schools | dumbing down so everyone gets A's type of top level decision | making. | | Sometimes you have to make hard choices where some people get | burned because the alternatives are worse. That doesn't mean | you don't care. | paganel wrote: | > to help a small minority | | In this case the people asking for 2FA are the "small | minority", and the rest of us have to suffer through 2FA- | authentication hell because of them. 
| judge2020 wrote: | > In this case the people asking for 2FA are the "small | minority", and the rest of us have to suffer through 2FA- | authentication hell because of them. | | How many people don't like 2fa because they don't know | about all the times it's saved them from total account | takeover? | arubania2 wrote: | AKA https://en.m.wikipedia.org/wiki/Preparedness_paradox | valenterry wrote: | > but the actual response is that without 2FA even more | people lose access to their accounts | | This is not black and white. It is possible to encourage 2FA | but allow to opt out. The same for phone numbers. | | And that's why companies enforce 2FA: they want your juicy | phone-number or other data. And yeah, maybe they also want to | reduce support costs and avoid bad publicity. Still, it's not | in your interest, it's in theirs. | | If they at least would allow for a sufficient number of | options. Like paper-tan (even self printed), yubikey or | similar, second email address, an authenticator, ... but even | big companies often only require a phone number. | | EDIT: Yes, Google offers more than a phone number when | creating a gmail account. I didn't say they don't. However: | they don't make it easy and I would even go as far as saying | that they are evil here. If you don't believe me, try to | create a gmail account right now and don't google/search how | to do it without phone number. | UncleMeat wrote: | > And that's why companies enforce 2FA: they want your | juicy phone-number or other data. | | It is possible. And, as far as I understand it, the teams at | Google in charge of this have evaluated this option and | found that it leads to more lost accounts. | | The people responsible for user authentication at Google | are in a _completely_ different part of the company as | advertising and, in my experience, are especially stubborn | about their focus on security. "This is about phone | numbers" doesn't make sense to me given my personal | experience. 
| | > If they at least would allow for a sufficient number of | options. Like paper-tan (even self printed), yubikey or | similar, second email address, an authenticator, ... but | even big companies often only require a phone number. | | We are talking about Google specifically here, which offers | all of these options. | hdjsksjd wrote: | cmeacham98 wrote: | > It is possible to encourage 2FA but allow to opt out. | | You might be surprised to learn that this is how it works | for Google accounts: it is default-on but you can turn it | off. | | > If they at least would allow for a sufficient number of | options. Like paper-tan (even self printed), yubikey or | similar, second email address, an authenticator, ... but | even big companies often only require a phone number. | | You might be even more surprised to discover that all of | these options are supported for Google accounts. | valenterry wrote: | Not only have I not said that Google doesn't offer 2FA - | yes they do. | | However, Google tries _very hard_ to prevent people from | e.g. creating a gmail account without a phone number. Try | it if you don't believe me. | judge2020 wrote: | I definitely vividly remember needing it a few years ago, | but right now I can try to sign up and it says "Mobile | Number (optional)" (Maybe that's based on some security | heuristics). | valenterry wrote: | Yeah and it also only works on your phone (or if you know | how to make Google think you are on your phone) and in | certain countries. All to my knowledge and based on my | tests. | nahkoots wrote: | I just did it from Firefox on Linux in a private tab near | Washington, D.C.. Fake name, no phone, no backup email. I | was able to log out, sign back in, and send an email | without any trouble. 
| | No doubt they're letting me through because some security | heuristic says I'm a real human, and I'm sure they'd | eventually make me provide a number if I continued using | the account (this happened to me with my university G | Suite account a couple years ago and I needed to contact | my IT department to manually disable the phone | challenge), but so far I can't see any evidence that | they're doing anything unreasonable. | | Perhaps they're requiring you to use a number because | you've tested it a lot. | a_JIT_pie wrote: | I thought the same but I just tried on firefox desktop | (Windows) and spun up a new google account with email, | password, fake first+last name and fake bday. Really, I | was expecting to be stopped at "Phone Number required" | but it is indeed optional. | ranger_danger wrote: | Google only allows non-U2F 2FA methods (like TOTP) to be | enabled AFTER enabling a hardware U2F device. And signing | up without a working mobile number is impossible. Anyone | who says that's not true hasn't actually tried in the | last several years. | nyuszika7h wrote: | I definitely had TOTP before I had U2F. I think you mean | after enabling _SMS_ 2FA, not U2F. | exodust wrote: | Can't turn it off for Google Ads account any more. Won't | let you in. This is a real pain for shared google account | in a small team like ours. Sick of Google removing user | choice. | | We all knew password, no problems at all. Now it mandates | 2FA. And because they mandate it for Google Ads, now it's | on for everything like Google Drive etc. | awinder wrote: | Gmail offers all of these (except for the second email | address): paper backup codes, hardware authenticators, non- | Google/gmail authenticator apps. The problem is that | homeless people can/do routinely lose the "thing you have" | part of 2fa. | ranger_danger wrote: | Huh? Gmail most certainly supports paper codes, hardware | authenticators, and non-google auth apps. 
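| [editor's note] Two points in the thread, dexterdog's "recovery codes are 1-time use" and awinder's "paper backup codes", describe the same mechanism: a small batch of codes printed once, each accepted exactly once, intended to survive the loss of every device. The following is an added example written for this page, not code from any commenter, from Google or from any registrar; it shows how a service side might issue and redeem such codes. Two details matter for this thread: the alphabet avoids characters that are ambiguous when read off paper, and the stored form is a salted slow hash, because a 10-character code from a 31-character alphabet carries only about 49 bits of entropy and a leaked table of fast hashes would be brute-forced. The class and function names are assumptions chosen for illustration.

```python
"""Added example (not from the thread): single-use backup codes as an
authenticator of last resort. Codes are shown to the user once, stored only as
salted PBKDF2 hashes, normalised on entry (case, spaces, dashes) so a code
copied from paper still works, and marked used on first successful redemption."""
import hashlib
import hmac
import secrets

# Unambiguous on paper: no 0/o, 1/l/i. 31 symbols, 10 of them ~ 49.5 bits.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS, GROUP_LEN = 2, 5
PBKDF2_ITERATIONS = 50_000  # slow on purpose; codes are short


def generate_code() -> str:
    """Format: xxxxx-xxxxx, drawn from the CSPRNG."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN)) for _ in range(GROUPS)
    )


def normalize(code: str) -> str:
    """Tolerate what people actually type from a printout."""
    return "".join(ch for ch in code.lower() if ch in ALPHABET)


def hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ITERATIONS)


class BackupCodeStore:
    """Per-account store; in a real service `_entries` lives in the user record."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def issue(self, n: int = 10) -> list[str]:
        """Replace any existing batch and return the plaintext codes exactly once.
        The caller shows them to the user; nothing plaintext is retained."""
        codes = [generate_code() for _ in range(n)]
        self._entries = []
        for code in codes:
            salt = secrets.token_bytes(16)
            self._entries.append({"salt": salt, "hash": hash_code(code, salt), "used": False})
        return codes

    def redeem(self, code: str) -> bool:
        """Accept a code at most once. Scans every unused entry with its own salt,
        so cost per attempt is n PBKDF2 calls; the caller should rate-limit too."""
        if len(normalize(code)) != GROUPS * GROUP_LEN:
            return False
        for entry in self._entries:
            if entry["used"]:
                continue
            if hmac.compare_digest(hash_code(code, entry["salt"]), entry["hash"]):
                entry["used"] = True
                return True
        return False

    def remaining(self) -> int:
        """Surface this in the UI so the user regenerates before running out."""
        return sum(1 for e in self._entries if not e["used"])


if __name__ == "__main__":
    store = BackupCodeStore()
    printed = store.issue()
    print("give these to the user once:", *printed, sep="\n  ")
    print("first use :", store.redeem(printed[0].upper()))
    print("second use:", store.redeem(printed[0]))
    print("remaining :", store.remaining())
```

Redeeming a backup code should also count as a second factor only for the session that presented it, and the service should notify every other channel it has when one is consumed, since a code spent by someone other than the owner is the clearest signal of compromise this mechanism can give.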
| awinder wrote: | Ugh yeah that was punctuation hell, updated | james_pm wrote: | For our product, 2FA is pretty important as a security | feature (domain registrar). That said, if you don't want to | use it, that's on you as the user. We help out in a | different way for those users - we make it impossible to | disable account sign in email notifications if you don't | use 2FA and those email notifications include a "nuke all | active sessions and lock my account" button that can (and | has) saved users if their account is compromised due to | things like leaks of credentials that they've reused on | multiple sites. | | 2FA is a major hassle for support when users get locked out | because they smash their phone or change phone numbers or | somehow lose access to the 2FA method. But, the benefits of | 2FA largely outweigh those downsides for the majority of | users. Offering the choice though, is something we think is | important. | valenterry wrote: | > For our product, 2FA is pretty important as a security | feature (domain registrar). That said, if you don't want | to use it, that's on you as the user. | | That's all I'm asking for as a user - thank you for being | on the good side. Optimally you allow for multiple MFA | options, so that I can e.g. use an authenticator app and | a yubikey, as well as a recovery code in my bank. | lotsofpulp wrote: | > Still, it's not in your interest, it's in theirs. | | Which is okay, because it is a business. | | If society wants homeless people to have reliable access to | email without having SMS 2FA or whatever requirements a | business requires, then society should elect a government | to provide it as a utility. | | There is no reason to expect or want businesses to pick up | the slack for the government not providing adequate safety | nets. Let businesses be businesses, and let governments | handle redistributing wealth. | md_ wrote: | I think this is a better answer than it first appears. 
| | Initiatives at for profit corporations will always exist | within some business constraints, shareholder | obligations, and so forth. | | It would be very reasonable for governments to provide | tax-supported digital services. I could easily imagine | that spending a few dollars per year to provide the | homeless with basic digital services would pay off simply | in easing administrative overhead. | | But we don't do it, because, in America, our sense of | what government can or should provide is atrophied, and | we, mistakenly, look to private actors to provide basic | public services. | s1artibartfast wrote: | >But we don't do it, because, in America, our sense of | what government can or should provide is atrophied, and | we, mistakenly, look to private actors to provide basic | public services. | | I don't think this matches reality. The US government is | doing more today than any time point in the past. | Spending and taxation as a percent of GDP is at an all | time high. | | There's also a sense that nobody should have to do | anything themselves. There's nothing stopping anyone from | talking to a homeless person and helping them set up an | email account without 2fa. | md_ wrote: | That's fair that I shouldn't make such an unqualified | statement. | | While public spending as a % of GDP has indeed increased, | that's primarily driven by two things: increased defence | (and related) spending, and increased spending on health | costs. | | In the US, the growth in social assistance spending over | the last 3 decades is driven almost entirely by the | latter: https://ourworldindata.org/grapher/social- | expenditure-as-per.... | | At the same time, we continue to believe in privatizing | basic government services: outsourcing social assistance | to charities (including religious charities), outsourcing | military and intelligence functions to mercenaries, or, | on point for this thread, outsourcing ID verification to | VC-funded private startups. 
| s1artibartfast wrote: | Looking at your numbers or just social spending, it has | increased 50% since 1990 as a portion of GDP. Real GDP | adjusted for inflation itself has increased more than 3x | since 1990. This means that US social spending in terms | of inflation adjusted purchases has gone up more than | 450% from 1990 levels. | | This excludes military spending and is adjusted for the | purchasing power of those dollars. | | I don't know about you, but I don't feel like we are | getting 450% more value out of the government services. | The numbers are pretty clear that the government is | collecting more and more inflation adjusted dollars from | people's income than ever before. | | I suspect we would probably agree that the government is | not being a responsible steward of this money that it is | collecting. | | My primary point was that I don't think that the belief | that a decrease in government spending and revenue is | reflected in the numbers. Further, I think it is | important to push back on the idea that the systemic | issues we see can simply be solved by throwing more money | into an increasingly inefficient system. | md_ wrote: | Sure. My point was indeed to suggest we rethink what | government _can_ do. | | Can governments (not necessarily the federal government) | run a public service internet system? Sure, and probably | more easily than we can, as another poster suggested, | regulate tech companies into providing the right | tradeoffs for housed and unhoused users. | valenterry wrote: | > Which is okay, because it is a business. | | It might be legal and maybe even legitimate, but OP said: | | > This isn't a "fuck the people who don't have regular | access to a phone, they don't matter" situation. | | So yeah, those people don't matter (enough) in the sense | that it's not worth to offer more methods of 2FA. Let's | not pretend otherwise. | lotsofpulp wrote: | Am I pretending otherwise? 
Obviously businesses value | certain people more than others. It is a business. | valenterry wrote: | Not you, but the OP certainly gives this vibe. | ImPostingOnHN wrote: | I find your worldview overly constrains the range of | possibilities and eliminates reasonable ones, like | expecting companies to not disproportionately harm those | in our society who are least able to recover from or | avoid the harm | lotsofpulp wrote: | Businesses are not harming anyone by not providing | charity. | | I struggle to see a reasonable possibility to the | government either directly or legislating others to | provide identification and communications services. One | of the greatest utilities in the US is USPS, a monumental | accomplishment to be able to provide communications to | all people in the US. | | Tacking on email (and identity verification services - | which USPS already does via passports) should be a no | brainer. | yamtaddle wrote: | IMO it became plainly a good idea to have the US Post | Office provide email service no later than a decade ago. | md_ wrote: | > If they at least would allow for a sufficient number of | options. Like paper-tan (even self printed), yubikey or | similar, second email address, an authenticator, ... but | even big companies often only require a phone number. | | Google seems to support all of those? | valenterry wrote: | Did you recently try to create a gmail account? If not, I | suggest you try it right now. Maybe you will be | surprised. | | Hint: it is still possible to create a gmail account | without phone number, but it has become quite tricky to | do so. | md_ wrote: | Oddly, I suspect if Google provided no free accounts at | all--if you had to give a credit card and pay $5 to sign | up--nobody would be complaining about this. 
| | Which leads me back to the point made elsewhere in this | thread: we have too high an expectation for what private | companies can or should do, because they have taken the | place in our minds of government. | | And our expectations for what government can or should do | are too limited, because we've convinced ourselves | government is ineffective and unaccountable. | Eisenstein wrote: | > Oddly, I suspect if Google provided no free accounts at | all--if you had to give a credit card and pay $5 to sign | up--nobody would be complaining about this. | | That is like saying 'if the DMV didn't offer IDs to | people, no one would complain about not being able to get | an ID'. | | The fact of the matter is that email is 'de facto' online | ID, and gmail has positioned itself into this role. They | are now a societal need, not a luxury. They need to be | regulated. | vel0city wrote: | _Email_ may be a societal need, but Gmail === Email. They're | _one_ email provider in a sea of providers. There are | dozens to hundreds of free email provider choices out | there. | | One doesn't _need_ Gmail to have a functioning email | address. | md_ wrote: | My point was that this is a dumb argument. | | If email is a societal requirement--and maybe it is, or | should be--public utilities should provide it. | | It's easy to build an email provider. Why shouldn't your | state or local government provide one? | valenterry wrote: | I can assure you that this suspicion is wrong, at least | about me. | | I've personally bought/subscribed to various companies | both personally and professionally. Just recently (a | couple of weeks ago) I evaluated a couple of | mailproviders. I discarded all of those that enforced 2FA | with a phone-number. | | For instance mailgun. At least the support helped me: | | > Hello XXX, > > Thanks for bringing this to our | attention. > > At this time, I have successfully | activated your account so that it is now fully | operational and you are all set! 
You may need to log out, | then back in, to reflect this change. Also, your users | can indeed utilize Google Auth without using a phone | number. > > Please reach back out if any other questions | arise. > > Regards, > XXX | Mailgun by Sinch | | Others weren't as flexible. E.g. Sendgrind: | | > Hello, > > Thanks for reaching out to Twilio SendGrid | Support and for your interest in our products. My name is | XXX and I'll be more than happy to assist you in this | matter. > > I am sorry for the inconvenience caused by | the 2 Factor Authentication process, but this is | mandatory for all accounts, as a security feature. > The | only options available are to setup 2FA through Authy: to | receive an SMS code or use the Authy app, which you can | download here. > > I apologise for the inconvenience | caused by the fact that we do not have any other options | available at the time. > > Please do let me know if you | have any additional questions in regards to this matter | and I will be more than happy to further assist. > > Kind | Regards, > > XXX | Technical Support Engineer Twilio- | Sendgrid | | Forcing me to use your own homegrown authenticator or a | phone number? No thank you. | | In the end I decided for a provider that offers 2FA but | offers multiple options and doesn't enforce it. | | Doesn't matter if I pay or not, really. | ranger_danger wrote: | > it is still possible to create a gmail account without | phone number | | Nope. Not possible. | | Oh how I would love to be proven wrong though. | valenterry wrote: | It's possible. Try to do it from your phone with your | browser in incognito mode. | jakelazaroff wrote: | That's also a bad response. The tech industry literally | exists to invent things. That's its entire purpose. Why | should we satisfied with a status quo that neglects the most | vulnerable among us? What is the point of technology if not | to solve these problems? | UncleMeat wrote: | Is there a solution? 
| | The claim in the link is that homeless people lose every | single one of their possessions after a period of time. | They also have minimal access to support structures that | could be used as a recovery system. We've had decades of | work on authentication and pretty much every solution | either involves using a password manager to create unique | passwords or having possession of a physical thing. | nyuszika7h wrote: | Password managers are absolutely not required. While | they're a good idea for most of us who don't have to | worry about having somewhere to sleep, homeless people | can still most likely memorize a password and remember it | after a few tries. They can't do that if 2FA is forced on | them. | UncleMeat wrote: | Everybody sucks at memorizing unique passwords. I'd be | _stunned_ if homeless people are consistently not reusing | passwords. Credential stuffing is the #1 form of account | takeover and 2FA is the solution. | jakelazaroff wrote: | Consider that the decades of work has probably been done | with the exact same blind spots we're discussing now. | UncleMeat wrote: | I'm really curious. What would you propose? | | The best I can think of is trusted backup accounts, which | already exist. A homeless person with regular attachment | to a family member or a social worker could set up that | person's account as a backup. But this already exists and | is likely to fail for a large number of homeless people, | who tend to struggle at maintaining long term | relationships with family members or social workers who'd | be able to help them. | nyuszika7h wrote: | > I'm really curious. What would you propose? | | The solution is very simple. Don't force 2FA. I'm sure | most homeless people would rather risk the unlikely case | of their accounts being hacked if they didn't choose a | strong enough password to memorize than risk getting | locked out of their accounts permanently. 
| | You can encourage 2FA but forcibly enabling it for | everyone does more harm than good, especially to homeless | people but also non-tech-savvy parents and such (though | the latter would be more likely to have a working | recovery method). | UncleMeat wrote: | > The solution is very simple. Don't force 2FA. | | And then in alternative-universe HN people are | complaining about the rate of account takeovers via | credential stuffing and calling Google irresponsible for | making it easy to disable a powerful security measure. | | > You can encourage 2FA but forcibly enabling it for | everyone does more harm than good | | I'd wager that pretty much the only people on the planet | who can definitively say this are the people who handle | account takeovers and lockouts of large email services. | My understanding is that the folks at Google responsible | for this have concluded that making it behave the way it | currently does is the setup that causes the fewest people | to lose access to their accounts. | jakelazaroff wrote: | I don't have one. I'm not a security expert or researcher | or anything like that. But the tech industry has invented | thousands of things that to most people would have been | inconceivable beforehand. That doesn't mean there's a way | to improve on the tradeoffs we have now -- but the fact | that no one's invented it yet doesn't mean it can't | exist. | | The tech industry self-styles as the smartest people in | the world, who try to solve the hardest problems. All I'm | saying is that we shouldn't throw our hands up when we | can't immediately come up with a solution to something we | only learned about five minutes ago. | Arainach wrote: | This isn't something we learned about five minutes ago. | It's been known that people lose their phones for a very | long time. The tradeoffs were considered when designing | the system. | | Treating the tech industry as a magical black box that | can "solve anything" is disingenuous and dangerous. 
This | is the exact same attitude that leads to things such as | legislation that says "find a way for any communication | to be decrypted upon subpoena. You're tech people, figure | it out" | b3morales wrote: | > The tech industry self-styles as the smartest people in | the world, who try to solve the hardest problems. | | I think this is a good point, but the catch is that | there's an implicit footnote that needs to be attached to | "the hardest problems*": "*Which generate sufficient | monetary returns". This particular problem isn't one that | has much revenue potential. | GraphenePants wrote: | The 3-2-1 backup strategy requires an offsite backup. | It's unclear what advantage was foreseen by the homeless | when the decision was made to forgo this guidance. | bombcar wrote: | Surgically implanting yubikeys. | | That won't at all bother anyone homeless, because there's | never been a homeless person who was a conspiracy | theorist. | | (Obvious sarcasm detected) | yellowapple wrote: | An only-slightly-less-sarcastic solution would be to get | a tattoo of the recovery codes. | DoingIsLearning wrote: | I wonder how many people suffer identity theft versus how | many have a working recovery email but are denied use of it | because some algo finds it suspicious that you moved country | or logged in from a linux machine? | | The key takeaway is not about how we should promote 2FA or | how we should promote long ass passwords, the main issue at | hand is google's neglectful lack of customer support. | | I was once caught in this nonsense many moons ago. But I | learned my lesson, I absolutely do not rely on any google | products for anything that has any potential to impact me | personally (with the unfortunate exception of the Android OS | on my phone). | | Google as a brand is absolutely dead in the water for anyone | that has woken up from the 'Don't be evil' kool-aid of the | early days.
| judge2020 wrote: | > the main issue at hand is google's neglectful lack of | customer support. | | Customer support is the main entrypoint into 99% of sim | swapping attacks and would be similarly for any targeted | account takeovers. What sort of information do you possibly | think would be enough to prove someone actually owns a | Google account over the phone? | UncleMeat wrote: | I've heard of some system for reviewing identification | like drivers licenses in extreme cases, but homeless | people are largely not going to have access to this | either. | ImPostingOnHN wrote: | that is a phenomenal question that deserves to be | answered by the highly paid engineers at Google | | they're smart, I'm sure they can find a way, even if it | contains such horrible, detestable ideas like "more | support staff" and "more training for support staff" | joshuamorton wrote: | Companies with highly trained support staff regularly | fall for these attacks. | | The answer has been figured out by the highly trained | engineers. It's "don't provide account recovery options | that bypass 2fa". Yeah that sucks for a segment of | people, but it sucks less than regularly getting your | account stolen due to a social engineering attack. There | really, truly, doesn't exist a panacea. You don't have | and can't create an oracle that knows when an account | recovery attempt is legitimate or not. | Eisenstein wrote: | Why don't we expand physical IDs into the network space? | We need some way to verify ourselves online that doesn't | rely on a private company and a TOS. | UncleMeat wrote: | > the main issue at hand is google's neglectful lack of | customer support | | Imagine Google had a full service customer support system | for account recovery that everybody could access rapidly. | How would a homeless person use it? They lose all their | possessions regularly so they don't have a reliable form of | identification.
They'd need to enroll their driver's license | (which they probably don't have) in the system and then | still have that license when they need to recover their | account. Or they could be vouched for by a pre-enrolled | trusted party account that does have strong authentication | systems. But... homeless people are often transient and | don't have access to regular support networks like a family | member or social worker who could be enrolled as a backup | account. In fact, you can _already_ enroll a backup | account if you want to. | | > Google as a brand is absolutely dead in the water for | anyone that has woken up from the 'Don't be evil' kool-aid | of the early days. | | Google has a pretty bad reputation at this point on tech | blogs and forums. But, believe it or not, it actually shows | up near the very top of trusted brands when 3rd party | analysts do surveys on the wider population. Maybe this | data is wrong, I don't know. But it is interesting. | everdrive wrote: | Right now, technology has reached a point where it's expected | to be ubiquitous, however it is not as accessible as other | ubiquitous and necessary services. This has been brought up | before, but can someone in their 70s keep up with the changing | UIs and websites and security requirements these days? This is | all fine for something like Netflix or Spotify. But for | government services, access to jobs, and fundamental | communications this poses a problem. | bombcar wrote: | We're crippling along depending on family, libraries, | charities, and other NGO support services. | | The DMV works with people like this all the time; perhaps | something could be done there where you have a government | issued email address that you can't lose or be locked out of | (worst case you take your ID to the DMV and the nice clerk | helps you reset your password/sign in).
| paganel wrote: | > someone in their 70s keep | | I'm in my early 40s, computer programmer, and I've | temporarily lost access to my WhatsApp account because I | don't have a recent enough mobile phone, and the phone that I | do have doesn't have a relatively recent OS installed. | | It's a 4-year old (I think I've had it for 4 years) iPhone | SE, on which I never updated the OS because I hadn't felt the | need to do it. When I started getting pop-ups that "hey, our | app will stop functioning on your phone unless you upgrade | the OS" it was already too late for that, I was afraid that | upgrading the phone to the latest OS would cripple it | permanently in terms of performance (the battery is already | on its way out by this point). | | So, assuming I get to 70, in no way will I be up to date by | then in terms of having the latest OS installed and all that | crazy stuff, who has the time and the nerves for that? | (especially the nerves). | flerchin wrote: | If your face hurts, maybe you should stop punching yourself | in the face. Update your software. | paganel wrote: | Equating lack of software updates to punching oneself in | the face is part of the whole problem. | flerchin wrote: | It's not though. No one writes perfect software on first | release. Even perfect software adapts to the changing | realities of our world. Staying up to date is not | optional. | arubania2 wrote: | What's your speciality in programming? | | Keeping all your software, and that includes the OS, up to | date, is one of the most important aspects of personal | security. | paganel wrote: | I also don't have a WiFi password at home, if it matters. | Of course, I don't have Internet banking nor do I do much | (if at all) money-related things with my phone, something | tells me that makes me more secure than people who trust | Apple and Google with their money (at least the local | banks have to answer to the authorities).
| | What's your employment specialty that makes you trust | Apple and Google? | flerchin wrote: | That something would be wrong. I can steal all your money | with the information on the front of one of your checks. | Kalium wrote: | OK. Let's play a game. | | Let's say I care. Let's say I care _a lot_. I care so much that | I'm willing to make it my personal problem to address the very | real, very pressing needs of a critically vulnerable and | marginalized part of my community from inside Google. | | What am I going to do? Is anyone going to be happier if I stand | up and proclaim loudly how much I care? Probably not. | | Could I say "Gee, what if we just let everyone put themselves | in the group of people who don't do 2FA"? Yes, if I wanted to | be responsible for a lot of people not securing their accounts. | Could I outsource identity verification to a wide assortment of | groups (libraries, non-profits, etc.)? Absolutely, so long as | I'm alright with this being used to gain improper access to a | LOT of accounts outside the target segment. Could I offer more | password chances and friendlier lockout times? Sure, so long as | I'm OK with the negative consequences of this for a lot of | people. | | OK. Let's end the game now. We don't really have any major | steps towards real solutions here. Empathy is very useful for | showing where a problem is. Demanding what amounts to lowering | the global bar for account security is perhaps not the ideal | approach here. | | Sometimes problems are just _hard_. Taking ownership and | feeling empathy and sincerely wanting to solve the problem does | not render them easy. | themitigating wrote: | Empathy is the motivation and starting point. Even if you | don't go beyond that step you can vote for those that will. | | "Sometimes problems are just hard. Taking ownership and | feeling empathy and sincerely wanting to solve the problem | does not render them easy."
| | No one said it did and it's better than not caring at all. | Kalium wrote: | While I agree that empathy is the motivation and starting | point, I do want to note that a lot of people in this | discussion do seem to sincerely believe that this problem | would be easy for Google to solve if they just cared | enough. The framing of "Google's product designers should | talk to my unhoused friends" in the tweet linked seems | invested in this idea. | | What if the most empathetic answer here is "This isn't | really the right service for you"? | gsatic wrote: | What do you think the moral of Jurassic Park was? | | If you don't know how to control what happens in the park you | build, then the park will be shut down. | | In the case of Google it's not hard to speed up the process of | shutdown. I just encourage them to keep working on more and | more mindless ivory tower trash like Pixel phones, watches | etc and inject more Ads into everything. They don't have the | imagination for anything else but want a pat on the head for | whatever they build. Give it to them. | Kalium wrote: | It seems to me that Google is in full control of what | they've built here. They've chosen not to put in the effort | to find a way to meet the needs of this portion of their | user community. | | On the one hand, this can be quite reasonably derided as a | lack of imagination. Surely there must be a way to do it! | | On the other hand, well, we as a society accept that | businesses are generally allowed to decide they just don't | want to be in a market segment or produce some features. | Bridgestone is not compelled by law to have a store in | every neighborhood. Montblanc is not forced to produce | disposable ballpoint pens. | | Perhaps we should treat this as Google admitting the limits | of what they're willing and able to build. There is no | shame in knowing your limits.
| x0x0 wrote: | It seems likely that enabling insecure account usage | would be a net negative to huge swaths of their user | base. | | Gmail is functionally the root of trust / skeleton key to | millions of people's online lives. The only real | competitor is Facebook and, for some, Apple. I think | Gmail is far better (more secure, more privacy | respecting, less capricious) than Facebook. | | With the admission by Chad that the homeless he | advocates for can't retain mobile numbers, or ID cards, | or 2fa keys, I have no idea how he thinks any secure | access could possibly work. | Kalium wrote: | I have the nagging sense that what we're seeing amounts | to throwing one's hands in the air and exclaiming "There | must be a way!" | | As others have pointed out, turning off 2FA is available. | Apparently that doesn't work either because the people in | question forget their passwords. So I guess we should add | passwords and biometrics (not available on all hardware) | to the list of things that aren't going to work. | | Like you, I'm left wondering what there is to anchor any | level of security. | hairofadog wrote: | I guess I don't see a lot of difference between the practical | results of loudly proclaiming empathy vs. loudly proclaiming | cynicism. | [deleted] | [deleted] | tdehnel wrote: | Someone with a drug addiction or mental health issues needs | treatment _now_. Access to email is a lower priority. | stevesearer wrote: | My dad helps people navigate the system to find housing. | | Recent story was a 65yo + veteran living in a shelter. They | hadn't started collecting social security due to some debts and | was worried it would ALL be garnished. | | After explaining that veterans get expedited in line for | housing and that they would still get almost all of their SS, | they have applied for it and should be housed soon. | | It doesn't surprise me at all that 2FA causes problems after | hearing many stories similar to this one.
| the_only_law wrote: | > They hadn't started collecting social security due to some | debts and was worried it would ALL be garnished. | | Is this common? I knew a guy who had the same mindset. I | ended up paying him in cash for some work, he was convinced | that if he made any money in a traditional role it would be | instantly garnished. | canuckintime wrote: | > They hadn't started collecting social security due to | some debts and was worried it would ALL be garnished. | | Your contractor's actions make some twisted sense to me | as he's still receiving 'undisclosed' cash. The homeless | veteran doesn't make any sense to me as he was not | receiving the social security funds at all. | bombcar wrote: | If I told you that you had a bunch of forms to fill out, | and after doing all the work you'd get no money (and it | would all go to your hated ex-wife or something), you | might not bother doing it. | anotherman554 wrote: | The above example was someone who FEARED all of their | money would be garnished. Not someone who was TOLD all of | the money would be garnished. | | That isn't the same thing. | acdha wrote: | First, anyone skipping out on their responsibilities | shouldn't be getting a sympathetic reaction (and, yeah, I | know they always have stories about how it's justified in | their case - my dad spent a lot of time hanging out with | other deadbeats but every time details came out, | surprise, surprise, they were leaving out a lot). | | Paying people under the table has a lot of potential | liability for you and it almost always catches up with | them. Especially now it's just not viable to live off the | grid (e.g. hoping you don't get sick isn't effective) and | all this does is ensure that the amount they owe the IRS | is unaffordable when the bill finally arrives, usually | when their earning potential has gone down.
| bombcar wrote: | Sure - all of those are true; just explaining why someone | might not sign up for social security, even if the | reasons don't actually pan out. | bombcar wrote: | It is unfortunately common. We're not perfectly rational | robots, and so for a decent subset of the population, they | go off what has happened to them. | | And being paid $1k and assuming they'd have $1k and then | discovering they only had $500 because of garnishment tells | them "don't accept checks, cash is the only safe method". | | And then it's not a step much further to be "it's not worth | setting up social security because it'll all be taken". | | People forget that there is a population group where fines | are MORE HARMFUL than jail time. At least with jail, you | can serve your time and be done. | 8note wrote: | Don't you still leave jail with new debts because they | charge you for your stay? | sidewndr46 wrote: | You do realize jail isn't some magical unifying force of | social justice right? | | A while back a guy destroyed a vehicle of mine and drove | off. Per criminal law in my jurisdiction, he should have | served at least 45 days for that offense. But it isn't | like that would ever give me my property back. It's also | unlikely to deter that particular crime in the | population. | bombcar wrote: | Sure, jail isn't a solution in many cases, but fines | aren't either. | stevesearer wrote: | In many cases I think it has more to do with having to jump | through a bunch of hoops with no assurance of what the | outcome will be. | | Another person needed an ID. In order to apply for the ID | they needed a birth certificate. In order to apply for it | they had to fill out the application, mail it with money, | and then have a permanent place to have the birth | certificate mailed an unknown amount of time later. At | which point they then needed to apply for the ID and go | through that process. 
| deelowe wrote: | It's no different than people not investing in their 401k | and getting the free match because they're worried about | paying "penalties" when they take it back out. My employer | has a 50% match and the early withdrawal penalty is only 10% | and yet, people still refuse to do it. | yamtaddle wrote: | Real, actual people exist who turn down raises because | they're convinced it'd cause them to lose money, because | they don't understand how marginal tax rates work. I don't | mean low-income earners who may in fact lose out or not | gain from a raise due to benefits cliffs, I mean people | earning low-six-figures who think if their pay goes any | higher "my tax rate will go up and I'll lose money" and are | weirdly resistant to being convinced otherwise. | kodah wrote: | It sounds like they're used to being nickel-and-dimed or | having money taken away from them. | [deleted] | Bakary wrote: | This is missing the forest for the trees. Of course we'd be | more emotionally involved if it was someone we knew, that's not | hypocritical. Most people aren't against fixing societal | problems, either. As it stands, homelessness is definitely | something that affects a ton of people so it definitely is our | problem as long as we are city dwellers. | | The problem here is that misapplied empathy can lead to | terrible decisions. Having Google change their 2FA system for | this group would be one such decision. It's similar to the | 'think of the kids + terrorism' attacks on encryption. It's | socially difficult to argue against these ideas because you are | then labeled as a terrible and non-empathetic person, but the | solutions themselves make one other thing worse without really | being helpful other than for garnering retweets and likes. | | In this case, we actually aren't being ambitious enough. Why | are we having a system where we give out phones every 12 weeks | to each homeless person?
We'd probably save money for the | program by developing some sort of dedicated device designed to | be harder to steal or lose. Maybe a high-autonomy low-powered | KaiOS smartphone that can be attached as a strap? It's not like | the current devices are working. | | Why is it such a hassle to keep the same number after a theft? | We could investigate there too. Improving this would be better | than decreasing the effectiveness of gmail's measures. | | Heck, if we want to focus on Gmail, why not focus on why it's | the default choice for the homeless to begin with, as opposed | to removing features? | | We could try to solve the problem structurally but we prefer | the caseworker approach, because it's more easily packaged | 'empathy' than actually fixing the homelessness issue. It's | like people who travel to developing countries to 'help', when | the locals need investments and training facilities, not extra | warm bodies. Actually giving homes to the homeless would | probably be cheaper than whatever we are doing now, even taking | into account the mental illness and drug-abuse problems that | factor into this. | upsidesinclude wrote: | I would argue yours is a poor point of comparison and you | have missed the forest. | | google isn't requiring specific 2FA data, like address, | because they are stalwart guardians of data. They are | _harvesting data_ because that is their business. | | The homeless don't have enough data to be of value to an | entity like google. | Bakary wrote: | If Google were to shrivel up and dissolve, I would not mind | at all. But what's currently happening is that a metric ton | of people are using their free email service and won't stop | doing so any time soon, and so they had an incentive to | hand-hold and force along 2FA that coincides with some form | of public utility: fewer security breaches and financial ruin | for massive globs of vulnerable, tech-illiterate people.
| blfr wrote: | Google demands 2FA because popped accounts are used to | abuse their services. | | Homeless people don't have enough of anything to be an | attractive target for advertisers. | [deleted] | pessimizer wrote: | > The problem here is that misapplied empathy can lead to | terrible decisions. | | That's not the problem, that's a vague wave at a generic | class of innuendo that could be used just as easily to | rationalize not allowing your child to eat ice cream or | Japanese internment. You have to make the case _why_ Google | changing their 2FA system is so much more important than the | homeless having phone service, you can't just say | "sometimes, empathy can be bad." | | I'm not getting that from the rest of the comment, which | seems like a gish gallop around a bunch of other things that | we're also not going to do for the homeless, and about which | you or somebody else can say "it's only human to be worried | about other people going through these issues, but empathy | can be bad. The answer isn't that HUD should change the | second line of the third section of Form B, it's that we | should fix the homeless problem completely." | | edit: We can't use as an excuse for not making small changes | that we should be making larger changes. The excuses that one | makes to avoid making small changes will apply more so to | larger changes. | Bakary wrote: | I can make a very specific case for it. Out of 1.5+ billion | users, millions of which are barely tech-literate and | vulnerable, with gmail a constant target for malicious | entities. That means intuitively at least hundreds of | thousands of vulnerable people getting cleaned out of their | life savings. Changing things for billions in exchange for | a marginal benefit to thousands is bizarre. | | It's not a 'gish gallop' but a framework for looking at the | issue. I'm not saying that empathy is sometimes bad, I'm | saying that it can't be the starting point for our | reasoning.
It can be the impetus that makes us act, but the | actual solution should come first. Sure, maybe none of the | things I'm proposing will be implemented. Maybe they're all | godawful ideas, but I can't fix the problem in the five | minutes it took to write the post or even five decades of | intense research on my own. But it's clear that keeping to | that pseudo-empathy performative martyrdom mindset is an | active roadblock against the more ambitious solutions. And | it leads to truly awful ideas such as getting rid of | encryption, rights, and so on. | rini17 wrote: | So you don't want Google to do anything or what is the | purpose of all this verbiage? Which moreover, unjustly | dismisses whole issue as "marginal benefit to thousands". | Being able to keep/recover email address is so much more | than a marginal benefit, and there are many more than | thousands of homeless in the US alone. | peatmoss wrote: | > Actually giving homes to the homeless would probably be | cheaper than whatever we are doing now, even taking into | account the mental illness and drug-abuse problems that | factor into this. | | This point is worth reiterating. Homelessness can be solved | by providing housing. Yes, homelessness is a complex multi- | faceted problem, but the first order solution to the problem | is to provide housing. | | Homelessness is a problem with huge externalities to society. | Put another way, homelessness is an enormously expensive | solution to the problem of providing space for humans to | live. | cscurmudgeon wrote: | Or by removing barriers for new housing. A lot of these are | govt created barriers. | | https://www.nytimes.com/2021/11/09/opinion/democrats-blue- | st... | | But yeah let us blame Google. | daniel-cussen wrote: | warent wrote: | Unfortunately it's more complicated than this. There have | been nonprofit organizations and government initiatives to | give homeless people space in unoccupied hotels for | example. 
| | What ends up happening is they generally just destroy the | living space in a variety of ways. | | It's because the majority of homelessness is an issue of | mental health. In the USA, there are pretty much zero | mental health resources for people in poverty. | acdha wrote: | What sometimes ends up happening. It's true that we have | huge gaps for mental health and substance abuse but there | are examples (famously, Salt Lake City) of such programs | working. The mixed history says we need to take the | problem seriously, not give up. | faitswulff wrote: | There's a positive feedback loop between mental health | and housing, so it takes more than tilting either end of | the equation to fix it. | clint wrote: | What you describe is not "giving the homeless a home", it's | giving them a temporary, poor substitute for a home that | they have no personal interest in. | | Also your sweeping statement about the destruction of | their living space smells to high heaven of prejudiced | thinking based on myth or hearsay rather than actual | data. | Entinel wrote: | > It's because the majority of homelessness is an issue | of mental health. | | This isn't true or at least it doesn't start that way. | What people don't understand is that there isn't a single | homeless population. You have people who are temporarily | homeless and people who are chronically homeless. The | temporarily homeless are people who lost jobs, fell on | hard times, etc etc. The simplest solution for them is | yes to give them housing. The chronically homeless is | where things get more complicated and those are the | people who typically need mental health and abuse | services. The simplest and most efficient thing we can do | is help the temporarily homeless and prevent them from | becoming chronically homeless. | vorpalhex wrote: | We're pretty good at getting the temporarily homeless | into housing.
Obviously any improvements are good, but | fundamentally the issue is with the chronically homeless | who often have other factors going on. | michaelt wrote: | _> We're pretty good at getting the temporarily homeless | into housing._ | | I'll take tautological statements for $200 please Alex | vorpalhex wrote: | This is the industry term for people between housing | (they can't make rent, they got kicked out, etc). It | differentiates from the chronically homeless who cannot | be rehoused simply by giving them a place to live. | rolph wrote: | Yes, there are different castes of homeless, some do quite | well, and are not problematic. Others are of disorganized | psyche, and cause much of their own problems, resulting | in no one wanting them around. | carapace wrote: | That's a good argument for giving them some other housing | arrangement. It's not an argument for leaving them on the | street. | peatmoss wrote: | > What ends up happening is they generally just destroy | the living space in a variety of ways. | | Citation very much needed here. This certainly does | happen. But, I don't believe this is the _general_ (i.e. | typical) outcome. From what I understand talking to | acquaintances who work in this area, wrecking the place | is not the typical outcome. And property damage is | generally cheaper to address than the constant provision | of emergency services. | | I agree that mental health (and substance use) are major | factors in homelessness, but those issues are more or | less impossible to address when people are living on the | street with no permanent address and no place to keep | e.g. a cell phone without it being stolen. | vorpalhex wrote: | At least a data point here - my city of Austin is buying | a hotel to convert into housing for the homeless. | | This has gone badly. The property sees intense vandalism | and destruction, the neighbors are afraid for their | safety, and the whole thing is an amazingly expensive | boondoggle.
| | [0]: https://www.foxnews.com/us/austin-hotel-purchased- | homeless-s... | | [1]: | https://www.statesman.com/story/news/2022/05/16/austin- | homel... | Vvector wrote: | That's a bad example. The unoccupied hotel was vandalized | before the homeless were moved in. Yes, it a boondoggle, | but nothing to do with homeless. | vorpalhex wrote: | I don't think it was the local homeowners stealing live | copper from the walls. | threatofrain wrote: | Sounds like it could be a ring of criminals who are | connected to those who can buy copper. | HWR_14 wrote: | But it also wasn't homeless people being legally housed | there. If your point is "people who live there take | better care of the space", then that's what Austin is | trying to do. Convert squatters stealing copper to the | kind of people who live there. | Ardon wrote: | We also don't know it was the homeless, that kind of | thing is often actual gang activity | heavyset_go wrote: | Where do you suspect that homeless are storing their | caches of copper? Do you think they're carrying them | around with them at all times? | zuminator wrote: | Seems like a bad situation. But follow the timetable: | | 1) Austin buys the property | | 2) Begins renovations on vacant premises | | 3) Vandalism takes place | | --------------- | | 4) The conversion is complete | | 5) Property officially offered to homeless residents | | Steps 4 and 5 haven't happened yet. So homeless people | who "generally just destroy the living space" isn't a | good fit for what's going on. This is simply a situation | of an unsecured construction site that has attracted | squatters and vandals. | jakelazaroff wrote: | The problem is multifaceted. And homeless people are not | a monolith. There are large cohorts for whom simply | receiving a home _would_ make life significantly easier. 
| newaccount2021 wrote: | themitigating wrote: | Source on both mental health being the majority and that | generally the homeless will destroy the space they are | given? | foobarian wrote: | > Homelessness can be solved by providing housing. | | They used to be called asylums, and the problem is what to | do if the homeless person refuses to go. I wonder why you | don't hear about homelessness in totalitarian states... | Hitton wrote: | > I wonder why you don't hear about homelessness in | totalitarian states... | | Because vagrancy is punishable by prison time there. | jotm wrote: | Heh, well homeless people are voluntold to gtfo the | streets and go to a homeless shelter or get a fine or | jail time in Europe... | themitigating wrote: | Asylum is one type of housing for people. | etchalon wrote: | Because totalitarian states don't talk about them? | zdragnar wrote: | Some homeless people don't want to deal with the | maintenance of a home. | | Some homeless people aren't capable of the maintenance of a | home due to mental or physical issues. | | Some homeless people refuse to accept help for mental | issues for fear of being trapped in a psych ward. | | Simply put, you need to split homelessness into temporary | and chronic populations. For the temporary group, | homelessness is the problem. For the chronic group, it is a | symptom. Treating the symptom will not have a long-term | impact on much of the population. | | Source: conversations with a social worker friend who spent | years working with the homeless population in our metro | area. | mindslight wrote: | > _Some homeless people don't want to deal with the | maintenance of a home._ | | You've got a good point. These leaves are really starting | to pile up, and the snow will be upon us soon. I think | I'll just say fuck it and sleep under a bridge, and leave | the grounds keeping to the parks department. | | You did set up a straw man solely to get knocked down, | right?
In actuality, the idea of giving "housing to | everyone" doesn't mean an idyllic single family stick- | and-drywall dwelling with a yard, but rather something | communal - like a less-populous more-dignified shelter | with a modicum of persistent personal space. The | maintenance would be institutional, and come out of the | same operating budget as administration, utilities, etc. | | I feel like most of the "some homeless just want to be | homeless" argument revolves around baking in assumptions | that public housing should come with a bunch of strings | attached, to make the residents' lives "better". In your | comment, this is the responsibility for maintenance or | mental health treatment. Such conditions are what turn | people off, not some intrinsic love for sleeping rough. | ryukafalz wrote: | How many of those chronic homeless would have only been | temporarily homeless if they had the security of housing | early on before their situation went even further | downhill? | | Sometimes mental issues are purely genetic but often they | can also arise from or be exacerbated by trauma. And | homelessness sure is traumatic. | ch71r22 wrote: | Yes, some of them -- but not most of them. | | Most homeless people do not have a severe mental illness | (around 70%) [1]. For most homeless people, it's | primarily an issue of housing affordability. The solution | is to reduce the cost of housing. | | For the people who need more support -- due to mental | illness or otherwise -- the affordable, effective | solution is permanent supportive housing [2]. | | [1] https://www.treatmentadvocacycenter.org/evidence-and- | researc... | | [2] https://www.coalitionforthehomeless.org/proven- | solutions/ | bsder wrote: | Wait, what? That's precisely the opposite of what your source | [1] says: | | "70% were receiving mental health treatment or had in the | past."
"An April 2016 survey of New York City's homeless | population reported that unsheltered homeless individuals | were most likely to be severely mentally ill single | males." Something like 1 in 5 of the homeless in San | Francisco have a _traumatic brain injury_. | | None of these people are going to be fixed with mere | "housing". | | Even worse, putting these people who desperately need | medical treatment in "mere housing" is very likely to | cause the "mere housing" program to _fail_ when it could | have succeeded. The homeless who need "mere housing" | don't want to be near the homeless who need "significant | medical treatment" any more than anybody else does. | | Homelessness has an "Amdahl's Law" nature to it. You have | to separate out the different types of homelessness and | apply the correct solution. And you will only gain the | improvement for the group you "solved". | | Consequently, you can solve 20% of the homeless problem | and people will still say you "failed" because 80% of the | homeless are still in their vision. | [deleted] | highwaylights wrote: | To be fair, some of us have been calling attention to this | problem for a long-ass time, and nothing is being done about | it. | | E-mail needs to be a regulated utility, given that getting | locked out of one's email happens all the time with | catastrophic consequences. | themitigating wrote: | Why does email need to be a regulated utility when there are | other methods of communication? | highwaylights wrote: | Great question! | | The long version (if it's patronising please skim | forward, I'm writing as an explainer for anyone else that | comes along): | | E-mail was originally a means to communicate informally | between two participants over the Internet. | | In this early version of the system the message would | leave your machine, go to your mail server, then the | recipient's mail server, then their inbox. This would | complete the transmission and a copy would exist at both | ends.
| | Companies providing ostensibly free online e-mail inboxes | have slick sign-up funnels that on the surface seem to be | offering a very similar system as the one above, with | very little in the way of regulation around either the | sign-up funnel or the mailbox (and which do not explain | the catastrophic life consequences that can occur as a | result of losing access to your mailbox). | | These new mailboxes work differently from those of the | early Internet, though: | | 1) Your mail is sent to your mail server. A copy may or | may not be retained locally. | | 2) Your mail server transmits the message to the | recipient's mail server as before. | | 3) The recipient receives a notification of the e-mail | and may or may not retain a copy locally. | | This infrastructure is ubiquitous and now, not quite 30 | years after the early Internet, we have an issue where | you'll be required to have an e-mail address for almost | all public services and common accounts that have little | to no online component. Your entire life, more or less, | may pass through that inbox. | | If one day you lose access to the account (in that you | insert your password and the provider says no), you will | lose access to your entire e-mail history. | | You may attempt to reset some passwords for essential | services, but you can't, because they're sending e-mails | to verify your identity - which you'll never be able to | receive. | | You move on, create a new account, and attempt to start | over. However, e-mails - potentially important e-mails | containing personal information - continue to be | delivered to a mailbox that you can't access ever again. | Maybe you miss some important alerts. | | Perhaps it was a gmail account that had your entire photo | and video history in google photos. That's now gone too. | With your passwords, if you're using chrome passwords.
| | You rebuild, and a couple of years pass, and perhaps | someone else gets access to your account (either through | a hack, or a rogue employee with access rights, or | someone who guessed a badly thought out password). | | You never find out that the account was accessed, so have | no-one to complain to, and maybe you end up with savings | or 401K/pensions getting emptied. Which in a lot of cases | wouldn't be discovered until they're due to be collected. | | Some of the above might sound far-fetched, but you'd be | surprised how much having access to an email inbox is | accepted proof-of-identity in 2022. | | Hence the need for regulation. | twobitshifter wrote: | In the really original e-mail, the mail server was your computer | (mainframe) where your account was. It's Greg@ because | that's Greg's username when he logs in. Greg doesn't need | outlook because his mail is just a folder of text files. | There's a mail agent but it's running on Greg's computer. | pas wrote: | Don't single out email. The problem is much larger than | that. Any big megacorp nowadays has figured out that the best | way to do whatever they are doing is to provide the service | to the median consumer, and just cut the rest out as | perfectly as they can. It started with the idiotic get a | number to wait in line at the branch offices, IVR audio | labyrinths on the phone, completely useless self-service | portals, and now there are no branch offices anymore, and | in many cases the "helpdesk" is just a dumb caricature of a | robot in a fucking submenu of a tragedy of a hacked | together mobile app. | | Sure, it's great that gmail is cheap, after all "it's | free". But Google (and MSFT, fuck outlook.com in particular | for their completely anti-competitive spam "protection" | that only accepts email from other big providers) cross- | finances gmail from their ad business, completely | distorting every kind of service and product markets.
| | --- | | For email in particular what's needed is a LetsEncrypt-like | community-driven solution for reputation management and | acceptance of emails from reputable sources by the big | inbox providers. | Wowfunhappy wrote: | Look, I'd love to fix homelessness in America! Really, I | would! But Google's policies are causing people to get locked | out of their accounts _now_ , today. | | Google could put a toggle in Google Account settings titled | something like "Allow anyone who knows my password to log in | to my Google account (less secure)." It could sit above a | description of the risks involved. It would need to be | disabled by default, and it wouldn't help users who don't | know about it. It certainly would not fix homelessness in | society. But it would do a lot of good for a lot of people! | | Would this option lead to some increased number of hacked | accounts? Probably, but these would be accounts that | explicitly opted in to that risk! I think it's excessively | paternalistic to not provide the option. Every life situation | is unique, and people know their own lives better than Google | does. | tick_tock_tick wrote: | That wouldn't help at all unless it was the default. | Wowfunhappy wrote: | Why? The homeless aren't stupid, and we have libraries | and other institutions that can provide education. | mattmcknight wrote: | The case workers could have an email account to use as the | recovery email account. This already exists. | Wowfunhappy wrote: | While I don't think that's a bad idea in some situations, | it means trusting the case worker with access to the | entire account (as they could use the recovery email to | reset the password). It's also an extra burden to put on | the case worker, and the individual who has to coordinate | with the case worker. | notabee wrote: | Additionally, this only exists in some magical, | fantastical world where the unhoused only have one case | worker. 
In reality the unhoused bounce between a | patchwork of government and non-profit services, and | because of the soul-crushing workload and emotional labor | of those jobs the individuals in each role are also | subject to frequent turnover. So the only way this would | work is an account that's shared between everyone who | might work with that unhoused client at each organization | (there are often multiple handling different aspects such | as housing, mental health, money for groceries, etc.), | and as clients move geographically or do other things | that make them eligible or ineligible for each | organization's services, that recovery account would also | need to change or transition to some new org. Even a | single recovery email address is just a totally | unworkable solution for the reality they face. | puglr wrote: | While your proposal is perfectly reasonable, I couldn't | help but notice that your opening was an example of the | "'think of the kids + terrorism'" mentioned by GP. | | > Look, I'd love to stop CP distribution in America! | Really, I would! But Google's encryption policies are | preventing law enforcement from intercepting pedophile | communications _now_ , today. | | It's the same "think of [vulnerable group]" type of | statement. | Wowfunhappy wrote: | The purpose of that sentence was to bring us back to the | issue at hand. GP was essentially saying (as I | interpreted it) that we should focus on the root causes | of homelessness instead of worrying about day-to-day | concerns like how the homeless access email. I think we | should do both, especially when the latter would be | relatively simple. | | But also, yes, there are in fact many times when it's | important to consider the needs of different groups of | people! That isn't to say that the ends always justify | the means--it depends on what the means are--but | reasonable accommodations should be made where possible. 
| bobsmith432 wrote: | How about just don't use Google services, Tutanota is free | and is just as good. | everforward wrote: | The problems are downstream of that. | | Not having 2FA is going to allow some portion of users to | get hacked. When those users do get hacked they will need a | way to regain control of the account. Methods of regaining | access to an account are notorious for bad actors social | engineering their way to gaining control of accounts. | | 2FA relieves some of that, because even if you do get | hacked you can provide a token from the authenticator that | was attached to the account, proving that you do in fact | own that account. | | > I think it's excessively paternalistic to not provide | that option. | | I don't find it paternalistic. The goal is to cut down on | support costs by reducing the number of users who get | hacked and need assistance regaining access to their | accounts, and to force users to have a method of | demonstrating they own the account even if they can't log | in. That it confers some additional security to users is | nice, but not really the end goal. | Wowfunhappy wrote: | > Not having 2FA is going to allow some portion of users | to get hacked. When those users do get hacked they will | need a way to regain control of the account. | | I don't think they do! This would be part of the | tradeoff. | | Currently, people who cannot use or rely on 2FA are | getting locked out of their accounts even if they _weren't_ | hacked _and_ knew their password! Isn't that worse? | chaostheory wrote: | Doesn't Google offer the option of disabling 2FA? | jotm wrote: | What, how? | | I got "hacked", I mean yeah it was a hack using an | Android phone and Google's automated recovery system. | | If not for the latter, my incredibru strong password | would've saved me. | | They also removed the phone and backup email from that | account because I recovered the account _once_.
| | I sure hope 2FA cannot be removed once someone gains | access (not without a call to the 2FA number/whatever) | lol. | | Either way, I'm not using it because it's a pain in the | ass. I already hate that they lock me out if I try to log | in from another country. | | Gee, yeah I travel between EU countries, that's very | unusual for most people. | MichaelCollins wrote: | > _Currently, people who cannot use or rely on 2FA are | getting locked out of their accounts even if they weren't | hacked and knew their password! Isn't that worse?_ | | Not if it's happening to fewer people than the | alternative. | everforward wrote: | > Currently, people who cannot use or rely on 2FA are | getting locked out of their accounts even if they weren't | hacked and knew their password! Isn't that worse? | | I don't think so. You seem to presume the end state of | both is that the user is locked out, which is only half | true. | | With a lost 2FA device, the user and everyone else is | locked out of the account. | | With a compromised account, the user may be locked out | but the hacker is not. The hacker is free to impersonate | the user to social services, hospitals, potential | employers, etc. If there's no mechanism for the user to | regain control of the account, the hacker will have that | access until the user can contact all of those people and | give them a new email address. That could take a while, | especially if we're considering that the user has a high | chance of not having a phone at the moment. | elcomet wrote: | But the locked account is much more likely than the | compromised password in the real world. | tsimionescu wrote: | > I don't find it paternalistic. The goal is to cut down | on support costs by reducing the number of users who get | hacked and need assistance regaining access to their | accounts, and to force users to have a method of | demonstrating they own the account even if they can't log | in.
That it confers some additional security to users is | nice, but not really the end goal. | | So we should be mindful of Google's profit margins, | instead of homeless people's access to vital services? | asdfasgasdgasdg wrote: | If the service is truly vital it should be provided by | the government, not Google. The government would also be | free to set security policies and provide support at the | level and cost demanded by the public. It is not and | should not be the role of a private enterprise to act as | a backstop for the fabric of society when it is not in | their interests or their customers' overall interests. | tsimionescu wrote: | The vital services are provided by the government, but | require an email address. Some people have trusted Google | to be their email provider, and Google is failing some of | those people by denying them access unnecessarily. | 8note wrote: | If vital services rely on email, email is a vital service | paintman252 wrote: | umm you DO know that Gmail isn't the only free email, right? | Like, just use another one which doesn't force 2FA. Why | has this become an issue? I don't get it | asdfasgasdgasdg wrote: | I'm saying that if the public/government doesn't feel | like Google's security policies are compatible with the | homeless, the simplest solution is to set up a | government-run email host. | parineum wrote: | We should probably not force private companies to spend | (or lose, no difference) money to solve societal problems | that they are in no way responsible for. | | That's like forcing pepboys to change the tires of senior | citizens for free because social security isn't paying | enough. | | Maybe we should put our efforts towards fixing problems | instead of asking private companies to put a bandaid on | it at their expense. | lancesells wrote: | Is Google a vital service or is email a vital service? | tsimionescu wrote: | Neither.
Gmail is an email provider which has provided | access to an account that these people have registered | with providers of vital services. | paintman252 wrote: | And? Not every service is homeless-friendly. That's fine. | There are literally hundreds of free email services. | themitigating wrote: | It's security vs homeless access to vital services. I | think it's a difficult line to draw | Wowfunhappy wrote: | I don't think it's difficult! | | * The people who want security get to keep all the | security they get today. | | * The people who don't think about security and leave | default settings intact keep all the security they get | today. | | * The people who explicitly ask for less security get | less security. | | * Some of the homeless will get increased access to vital | services. | | It's a win-win--unless you believe, for some reason, that | people should have security _forced_ on them even if they | explicitly ask to not have it. I fundamentally don't | understand this mindset. People should have the right to | do dangerous things if they are warned of the risks | involved. | Karunamon wrote: | > _The people who explicitly ask for less security get | less security._ | | The problem with that is less security is almost always | more usable than more security, which leads to the | greater amount of people being in that state, which is | not just a danger to the user making the choice, it is a | danger to others. | 1MachineElf wrote: | Not sure why this is being downvoted. You could argue | that forcing security upon users is why everyone knows | about password-based logon today. Same could be said | about the initiative for HTTPS everywhere. | slavik81 wrote: | Keeping wrong people out is only half of what is required | for security. You also have to let the right people in. | sdenton4 wrote: | This seems like something the homeless services are best | positioned to fix by providing email hosting to their | clients.
They know their clients are actual humans, not | hackers, so can provide the continuity that the giant | providers can't. | [deleted] | jonas21 wrote: | That's almost exactly what Google has done. Here's how you | turn off 2FA on your account: | | 1. Go to myaccount.google.com | | 2. Press "Security" | | 3. Press "2 step verification" | | 4. Enter your password | | 5. Press "Turn off" | | 6. Confirm the dialog that says "Turning off 2-Step | Verification will remove the extra security on your | account, and you'll only use your password to sign in." | aetch wrote: | Those steps don't actually turn off 2FA for Google | accounts. | | If you log in from a new computer or unrecognized IP, | Google forces you to use the YouTube app on your phone to | enter a "code" to log in. It sometimes doesn't even let | you get a text code. God forbid I lose my phone or delete | the YouTube app and log in from a new IP. I don't know how | I would even get into my account. | | I don't know how this isn't a more widespread issue | affecting more people but I guess Google developers live | in a perfect world where the YouTube app auth can never | fail and you never lose your phone. | astura wrote: | That's weird, I've never had to do that. I can just log in | to Google with my username/password. If it doesn't | recognize the device it just pushes a notification of the | sign in to my phone | hirsin wrote: | That's exactly what they are describing - the push | notification to the phone _that the user has lost_. | astura wrote: | It's just a _notification_, it can be ignored (for me). | I don't usually even notice it's there until hours later. | You don't have to acknowledge it in any way. | | It also has nothing to do with the YouTube app, and there | is no code I have to enter anywhere. | | I've never had any form of 2FA on my Google account. | Wowfunhappy wrote: | You may have never experienced it, but it does happen. | Not just a notification.
| chaostheory wrote: | Then don't use Google for email. There are plenty of | other free email providers that do not employ that much | security. Problem solved | [deleted] | [deleted] | tyingq wrote: | I recall that the problem was broader than 2FA. They also | re-verify accounts that have been idle, or that are being | accessed from a new location. Or issues if you've | forgotten the password and don't have a phone. | Wowfunhappy wrote: | This is exactly it. And if you don't have a verification | method on file, Google will just lock the account if it | thinks something about your browser or IP address is | unusual. Even if you know your password. | mrec wrote: | Speaking as a long-time Gmail user who doesn't have a | mobile, this is kind of terrifying. Sounds like I need to | look into moving to Fastmail or somesuch pronto. | professorTuring wrote: | I can understand your statement, but by doing that you will | find that A LOT of people will check the insecure options | because "that's not going to happen to me". | | Remember you have the "rescue keys" from google to avoid | these kinds of problems. | | The bigger problem is how you teach those people how to use | the services in their situation. | TacticalCoder wrote: | > Google could put a toggle in Google Account settings | titled something like "Allow anyone who knows my password | to log in to my Google account (less secure)." | | Google allows someone of your choosing, who must also have | a GMail account, to take over one's account after x months | of inactivity. It's not great but it's better than nothing | and it has the benefit of being an option that exists | today. | thereddaikon wrote: | This is a result of taking a product made by someone else | for a certain purpose and then using it for one it isn't | intended for. It's not Google's fault gmail is a bad fit here. | They didn't design it with this use case in mind. | | The solution is to use one that is.
Why are case workers | directing the homeless to set up gmail accounts? Because | they haven't been provided with a better solution by the | system they work within. | | So it's the government's problem to fix. They are the ones | handing out phones and setting the expectation to | communicate through email. So they can either design an | email service themselves that fits their needs, or they can | work with an industry partner, such as Google or someone | else, to provide the service. | | Normal gmail is a one size fits all commodity solution. It | works well enough for most people, most of the time. | Specialized problems call for specialized solutions. | Complaining that google didn't think of you is misplaced. | Ar-Curunir wrote: | If Google is going to position itself as the face of the | internet, then it has to live up to that responsibility; | it can't go, hm yes, use our browser and our email | service and our phones, but only if you fit into this | category of prescribed users. | dublin wrote: | Of course they can. It's the only thing they've ever | done. I honestly can't think of a company that thinks | less of its users than Google does - that's because in | their view, they have no users - they only have eyeballs, | that are worth anywhere from fractional cents to hundreds | of dollars every time they can grab them. | | Using "support" and "Google" in the same sentence is | laughable. They barely support the ad clients that pay | their freight. Google's entire business model is built | around NEVER providing support for the users of their | technologies, and killing off any products that don't | monetize. | michaelmrose wrote: | Gmail is a perfect fit in theory. Google provides a | product, workspace, where you can hand out gmail | addresses and reset them at need.
Given that the cost of | providing such accounts is actually less because the | support burden falls on the city it might be possible to | convince Google to provide them at less than the standard | cost. | xg15 wrote: | > _They didn't design it with this use case in mind._ | | Where on the gmail page does it say "not for homeless | people, sorry"? | | Adding (and forcing) 2FA was a recent decision from | Google, which came a _long_ time after Gmail the product | was already introduced. There are millions of accounts | which were created long before anyone had an idea what a | smartphone was, let alone phone-based 2FA. | Wowfunhappy wrote: | Should users with poor vision also have to use a special | blind-person email provider? Because, I'd expect | supporting screen readers to take significantly more | effort than adding the setting I outlined. | | Also, if I was homeless, I wouldn't want my email address | to indicate I was homeless. | | I broadly agree that it isn't Google's job to cater to | _everyone_, but in this instance, the ask seems | overwhelmingly reasonable--and less than what we expect | in other circumstances. | Kalium wrote: | What is the ask that is overwhelmingly reasonable? As has | been pointed out to me and others, Google already offers | a way to turn off 2FA - | https://support.google.com/accounts/answer/1064203 | Naively this seems like it should solve the 2FA problem | for the unhoused community members in question. | | With this in mind, what else should Google do? | Wowfunhappy wrote: | Even when 2FA is disabled, Google will insist on | additional verification (phone, recovery email, etc) if | it thinks something about your browser or IP address is | unusual, even if you know your password. If you don't | have a verification method (or cannot access it), Google | will literally just lock you out. I have personally | experienced this. | | It should be possible to turn this off! | Kalium wrote: | OK.
That raises all sorts of follow-up questions, as | turning off security measures can be expected to have | consequences. | | What should Google do in the scenario that this | purposely-low-security-for-the-unhoused account is | breached? What about abuse? Are we OK with Google just | shutting off accounts in that scenario? Are we prepared | to accept that the members of our community experiencing | being unhoused will find themselves constantly creating | new accounts as their old ones are shut off or rendered | unusable from the consequences of purposely-low-security- | for-the-vulnerable? | | Remember, things like gmail accounts are under constant | attack. Security measures, the very ones we're talking | about disabling, help keep those attacks at bay. Each of | those things that triggers verification actually lines up | with real attack patterns. | | So while this may be a small-ish thing to ask for, I'm a | little concerned about the consequences. We're literally | asking to offer the most vulnerable and marginalized | members of society shittier security and ignoring the | effects of this. | Wowfunhappy wrote: | > Are we OK with Google just shutting off accounts in | that scenario? Are we prepared to accept that the members | of our community experiencing being unhoused will find | themselves constantly creating new accounts as their old | ones are shut off or rendered unusable from the | consequences of purposely-low-security-for-the- | vulnerable? | | I am, yes, if the alternative is that they lose access | to their account every few months! | | Also, at least this way people have the _ability_ to keep | their accounts truly safe _if_ they choose a strong, | unique password. If Google just locks them out no matter | what, there's no recourse. | maxerickson wrote: | The state could run an email service. | ranger_danger wrote: | Bakary wrote: | Is that really your only takeaway here? Feels like a parody | of HN comments.
It could be any other equivalent, I don't | know. Even if it's KaiOS the homeless probably have other | things on their mind than the CCP or whatever. | tut-urut-utut wrote: | > You do realize that KaiOS is Chinese, right? | | What's the point of this comment? | | Google is American, so what? And people all over the world | still use it regardless. | yardstick wrote: | And Linus is Finnish! | j_k_eter wrote: | jakelazaroff wrote: | I like your comment because it gradually stumbles upon the | actual solution. We aren't being ambitious enough, but | developing a device designed to be harder to steal or lose is | timidly incremental. By the last paragraph, we're talking | about ending homelessness entirely. _That_ is an ambitious -- | but achievable! -- goal, and one that actually addresses the | root of the problem. | Bakary wrote: | If you mean a stumble in the sense that I'm not truly aware | of the implications of what I'm proposing, that's not | really the case. I personally believe we could be yet more | ambitious than what I am describing here, but I realize | that most people aren't going to be on board. So the next | best thing is to propose a different framework of looking | at the problem and a different methodology for looking for | solutions. A dedicated device would be incremental, yes, | but what matters is that if we unlock the capacity to think | towards this sort of innovation the big changes will follow | naturally. | jakelazaroff wrote: | Just to clarify, I meant "stumble" as in it seemed to be | somewhat stream of consciousness; just happening to end | up at "give everyone a home" rather than planning a route | there from the opening sentence. | tbagman wrote: | Homelessness in the US is a complex problem. 
I found the Soft | White Underbelly interview series by Mark Laita insightful | when learning more about it: | https://www.softwhiteunderbelly.com | | Mark spent considerable time earning the trust of LA's skid | row population - a large roadside tent community - and has a | series of 1:1 interviews with a slice of the population, | exploring their histories, challenges, preferences, and | culture. | | Mark doesn't believe that many (most?) of the skid row | population would benefit from being provided with housing, | and that issues of trauma, mental health, and childhood | family environment are what he believes would have the | highest leverage on the problem. | | This is of course just one perspective on the problem, but | Mark's perspective taught me quite a bit. | tayo42 wrote: | I have a feeling that the issue isn't homelessness really, | but the kinds of people that end up homeless cause problems | anyway. Someone won't stop being violent or committing | crime because they got moved from a tent to a studio. | | I don't think the temporarily homeless, like someone down on | their luck, makes up the issues people have with the homeless. | You see some crazy person, then you see that person is | homeless, your answer to that is "oh give them a studio | apartment!" and not let's help them with their issue. Police | should be policing violent people, for some reason instead | of that we want to build homes in the middle of nowhere and | drop them off there. They're still going to cause issues. | MichaelCollins wrote: | I think people would be a lot more compassionate towards | homeless people generally if the violent and destructive | subset of homeless people were put in prison where they | belong. With the awful ones out of the way, the peaceful | sympathetic homeless people would become the public face | of homelessness and the general public would be much more | willing to address their problems constructively (e.g. | provide housing to them.)
| | But instead the justice system is set up to give | effective impunity to the worst sort of homeless people; | they're back on the street days after being arrested (if | they are even arrested in the first place.) They cause | incredible damage and commotion, so they hog all the | public attention and give all homeless people a very bad | name through association. | spinlock wrote: | Yup. Why break 2FA when we could have the Obamaphone program | work with the case workers so that they don't lose track of | people in the first place? | | Also, homelessness isn't the problem we think it is. It's | millions of problems. Any solution will never help more than | a subset of the homeless population. We need to iterate on | small solutions to make progress. | tdehnel wrote: | Utter nonsense. Mandated treatment for drug addiction and | severe mental illness would tackle half the problem. | | Then provide contingent housing based on staying sober, | sticking to your treatment plan, and getting a job. You can | graduate when you're able to pay your own way. | | For non-addict/mentally ill homeless, it's housing | contingent on employment, graduate when you can pay your | own way. | | This would solve 90% of the problem. | bArray wrote: | > Having Google change their 2FA system for this group would | be one such decision. | | It could be opt-out. | | > It's similar to the 'think of the kids + terrorism' attacks | on encryption. | | No, it's not. Nobody choosing whether _they_ enable 2FA | affects your decision to use it or not. It's more like | forcing drugs down somebody's throat because you believe it | benefits them and everybody else is doing it anyway. | | > Why is it such a hassle to keep the same number after a | theft? We could investigate there too. | | SIM-jacking. Somebody could claim to have lost it and just | take your number. This has happened before.
The problem of | authentication is fundamental in security and Google are just | passing the buck onto phone service providers. | | > Heck, if we want to focus on Gmail, why not focus on why | it's the default choice for the homeless to begin with, as | opposed to removing features. | | Because it's free and the emails don't bounce. Most big tech | has 2FA now. | xg15 wrote: | > _Maybe a high-autonomy low-powered KaiOS smartphone that | can be attached as a strap?_ | | May I introduce you to the concept of scissors? | reaperducer wrote: | _homelessness is definitely something that affects a ton of | people so it definitely is our problem as long as we are city | dwellers._ | | We have to break out of the stereotype that homelessness is a | city problem. It isn't. Far from it. | | Homelessness is more obvious in cities because there are | fewer places for homeless people to be. But there are plenty | of homeless people camped out in rural and suburban towns, if | you know what to look for. | | I recently lived in a snooty city suburb where most of the | homes cost from $600,000 to $10 million, and guess what -- | the drainage tunnels beneath the Home Depot, the maintenance | underpasses in the parks, the undeveloped wooded lots were | all full of homeless people. | | Promulgating the notion that homelessness is a city problem | is what allows suburban and rural politicians to cut funding | for homeless services because "it doesn't affect _my_ | constituents." | Bakary wrote: | What I mean is that it's almost impossible not to be | affected if you are a city-dweller, it's a lot harder to | ignore. Most will ignore it, but still acknowledge it as a | problem for them. Even in a cynical and dehumanizing way. | throwawaysleep wrote: | If you can't notice it is what makes it not a problem for | most people. | reaperducer wrote: | It's absolutely noticeable, even obvious, but people | choose to not see it.
| scythe wrote: | >In this case, we actually aren't being ambitious enough. Why | are we having a system where we give out phones every 12 | weeks to each homeless person? We'd probably save money for | the program by developing some sort of dedicated device | designed to be harder to steal or lose. Maybe a high-autonomy | low-powered KaiOS smartphone that can be attached as a strap? | It's not like the current devices are working. | | You're putting the cart before the horse. The _far_ simpler | solution is for the government to provide the homeless with | email. Now the auth can work however you want. | Bakary wrote: | I agree that it would be a good start. What I'm saying is | that the system of having to replace phones every 12 weeks | is dysfunctional on its own and probably should be looked | at. | reaperducer wrote: | _What if that homeless person was your substance-abusing | sibling? A friend from school with mental health issues?_ | | I think we also have to realize that not everyone who is | homeless has problems that can explain it away. | | It's easy to look at someone who is homeless and tell yourself, | "Oh, he's a dope addict. He did this to himself." It's only | very rarely true, and you're only making excuses for not | helping another human being. | | Just last year there were newspaper articles about how a | shocking number of perfectly normal public school teachers in | California live out of their cars, just because they cannot | afford a place to live on what they're paid. | | Most people, especially in the SV bubble, would be shocked to | learn how many of the baristas, maids, security guards, | convenience store clerks, and other people they encounter every | single day are homeless, living in their cars, or sleeping on | other people's couches through no fault of their own. | angry_octet wrote: | Just trying to motivate some empathy, "there but for the | grace of God go I." 
You are correct that many homeless people | are not carless, or they suffer from housing uncertainty | (couch surfing, itinerant sleepers rolling through difficult | family situations and severe housing shortages). Probably | they can manage 2FA though. | bombcar wrote: | The "quiet homeless" who can hold down a job are also likely | to be able to keep track of a phone or other two factor | device. | | If we can "solve" the problem for the dopest of dope addicts, | the problem will also be solved for the homeless barista. | | That still doesn't solve the problem for homelessness, of | course. | judge2020 wrote: | > The "quiet homeless" who can hold down a job are also | likely to be able to keep track of a phone or other two | factor device. | | While I agree that there's a lot of generalization here, a | lot of the point of supporting the homeless in the first | place is that big tech should support everyone, even if | they are indeed someone who "can't keep the same cell phone | number for more than 4 months at a time" (via the source | twitter thread) as if they're a government that must cater | to its citizens. | robertlagrant wrote: | > For some people that might be their local librarians or | community shelter, legal aid groups, and banks. | | What's stopping any of those groups becoming a homeless | person's 2FA? | tpoacher wrote: | > we need ideas like to 2FA to gain traction as widely as | possible | | No, 2FA needs to die in a fire. Easily circumvented in most | social attacks that actually matter, false sense of security, | massive timewaster/usability-hell/pain in the butt, acts as a | novel social/corporate/accessibility barrier to technology for | a large number of previously unaffected groups, and poses a | threat to software freedoms. | | There are many ways to strengthen security and this has got to | be the shittiest one. | Eisenstein wrote: | What are the other ways?
| Aunche wrote: | More people ought to read this: https://blog.jaibot.com/the-copenhagen-interpretation-of-eth.... | | Google is already providing a free service to homeless people. | It's not empathy to tell someone else to solve a problem that | you care about. That's virtue signaling. If he cares, he should | take matters into his own hands. | | Is it too much to ask a single person to build a free email | service for all homeless people? Perhaps, but the good news is | that he doesn't have to. Google already allows you to disable | 2FA [1]. He could have started a campaign to disable 2FA on | homeless people's phones, but instead he uses this as an | opportunity to shame Google to boost his own Twitter follower | count. | | I think that empathy is highly overrated. I doubt anyone | notorious for flashing their big Johnson is particularly | empathetic, yet LBJ expanded social services more than any | other President. The problem isn't that people have too little | empathy these days. It's that people are too easily impressed | by broadcasting their intentions rather than actually trying to | solve a problem. | | [1] https://support.google.com/accounts/answer/1064203 | replygirl wrote: | looks like loder is talking about problems their own friends | face, and the post is not directed at anyone in particular. | venting is not virtue signaling | Aunche wrote: | Loder has 130k Twitter followers without any claim to fame | besides Twitter, so he knows exactly what he's doing. If he | had vented about his friends cutting themselves with a | knife that's too sharp, he would have been ridiculed, but | in this case he can hide behind the Google hate bandwagon. | danso wrote: | But many people consider LBJ to have been an empathetic | president? I don't see how it's supposed to be self-evident | that, because Johnson liked bragging about his johnson, that | his focus on the Great Society must have been driven by hard-headed pragmatism. U.S.
presidents have a wide array of | problems to solve. LBJ didn't have to pick causes that are | commonly associated with empathy for the downtrodden. | Aunche wrote: | He didn't just brag about his dick. He went out of the way | to show it off to his colleagues. I mean it's possible that | his fetish outweighed his empathy, but it's more likely | that he simply didn't care about making people feel | uncomfortable. | | He did progressive things, but to me it sounds like he was | influenced by philosophical ideals rather than empathy. | They based Frank Underwood from House of Cards on an | exaggerated version of LBJ. | ynbl_ wrote: | > Practically, we need ideas like to 2FA to gain traction as | widely as possible, while realising that isn't everywhere. | | that's just one opinion on security. you see this world where | google is an identity provider, and you prove your identity to | it via a librarian or bank. i don't. an internet service should | absolutely never require any form of government id nor separate | network like cell. | president wrote: | If we all spent our collective efforts to make sure everything | in this world is accessible to every single human being, we | would have zero progress as a society. We are not even | guaranteed the right to live in this world and yet you are | advocating for the right to email service? It is shocking that | someone could even have a thought process like this and receive | so many upvotes. | mplewis wrote: | This is entirely untrue. We can build an accessible society | for everyone. We clearly have the resources for it. | Spooky23 wrote: | Hopefully we will be able to get digital credentials from state | and local entities that will help with this sort of issue. | | It's a problem all around - the elderly are most vulnerable to | the types of account takeovers that MFA will prevent. | ouid wrote: | >Practically, we need ideas like to 2FA to gain traction as | widely as possible | | Why, to sell more fucking cellphones?
| lotsofpulp wrote: | 2FA is not only SMS 2FA. | sicp-enjoyer wrote: | In practice SMS or mobile specific applications seem to be | the only usable option. Some sites do allow email. | jaclaz wrote: | Yes, but what else? | | A hardware token can be lost as well, and "in app" push | notification (or whatever the app does) you still need the | telephone or at least the SIM/same telephone number, don't | you? | angry_octet wrote: | No, the device auth prompts are completely independent of | mobile number, you don't even need a SIM card. | | Giving homeless people a secure and convenient place to | stash documents would be a great outcome. Birth | certificate, military discharge papers, licences, 2FA | codes. Many homeless people live in cars and have all | this stashed somewhere in the car, but then the car gets | stolen/towed (e.g. because they haven't paid car | registration) and then they're sleeping rough, without | docs. | jaclaz wrote: | >No, the device auth prompts are completely independent of | mobile number, you don't even need a SIM card. | | Sorry, I don't understand, I believed that the | independence from the SIM for an app was for an app | already installed and authenticated on the specific | device. | | If you lose the smartphone (with the app), and the SIM, | how can you install the app and be authenticated on | another device? | | I mean short of a SMS or a code via e-mail (both not | receivable/accessible). | | >Giving homeless people a secure and convenient place to | stash documents would be a great outcome. Birth | certificate, military discharge papers, licences, 2FA | codes. Many homeless people live in cars and have all | this stashed somewhere in the car, but then the car gets | stolen/towed (e.g. because they haven't paid car | registration) and then they're sleeping rough, without | docs. | | A sort of luggage deposit, you mean?
| remote_phone wrote: | No, people like you really highlight the "If they don't help | everyone then they are being immoral" mentality. Which is | wrong. | | Downgrading security for the benefit of a tiny minority with | an especially ridiculous use case is not the greater good. If | the homeless people think they are at risk of losing their | phone then they should pick another free email vendor. | d4mi3n wrote: | This is a simplification of the problem. Both: | | 1. Vulnerable populations need more assistance accessing | essential services required to participate in society | | 2. Service providers need to maintain a reasonable level of | security for their customers | | Can both be true. Saying that maximum (or minimum) levels of | security are required at all times completely misses the point | of security--which is to _mitigate_ risk. How much risk is | appropriate varies a lot by context. | | Beyond the context of risk, there is reasonable debate to be | had on how to best provide access to essential services to | vulnerable populations. It's pretty important to have an | email nowadays and if you're not tech savvy or an | individual/community has little to no money to spend it's not | unreasonable to have the reality of the matter be that there | may simply not be many good alternatives (or awareness of | alternatives) to GMail. | | I'm not sure what a correct answer here looks like, but I | don't think ignoring the need is an approach that gets us to | a better society or enables vulnerable populations to better | care for themselves. | lotsofpulp wrote: | > there is reasonable debate to be had on how to best | provide access to essential services to vulnerable | populations. | | What is the debate? The government can collect taxes and | provide services, like they do for a multitude of other | needs.
| | > I'm not sure what a correct answer here looks like, but I | don't think ignoring the need is an approach that gets us | to a better society or enables vulnerable populations to | better care for themselves. | | The correct answer is not depending on the largesse of | businesses. It is using government resources to provide | methods for identity verification, communications, and | various other bare minimum needs for living. | judge2020 wrote: | > The correct answer is not depending on the largesse of | businesses. It is using government resources to provide | methods for identity verification, communications, and | various other bare minimum needs for living. | | To be fair I don't see how any government system can do | better regarding identity on the internet. Login.gov is | one of the best services I've used for access to | usajobs/SSA/etc but it follows some of the same security | best practices people are complaining about here with no | real way to re-gain access to your login.gov account | should you lose your 2fa methods (afaik). | lotsofpulp wrote: | The US government uses the USPS to do identity | verification for passports. If it can handle identity | verification for passports, why would it not be able to | handle identity verification for other purposes, such as | replacing or reauthorizing one's MFA device? | | Hell, it should be trivial to offer federal government | provided emails with ID verification with customer | service in the event of loss of device/loss of | ID/death/etc. | angry_octet wrote: | The USPS and banks would be ideal identity validators. | Having run a few mail servers I don't think the Govt is | best placed to do that, but they could outsource it to | google, with a few tweaks to allow identity attestation. | | Many other countries have a central government portal | with secure messaging, with federated identity. Heavily | reliant on 2FA of course.
| judge2020 wrote: | Passports require the most paperwork out of anything - | your in particular, a birth certificate, a second form of | ID including a driver's license, a photo, and $130+$35. | The USPS isn't just looking at a face and issuing a | passport. | | The issue here is that homeless don't hold onto anything | physical for 4 months; identity verification breaks down | in-person immediately as shelters/libraries can't be | expected to run a facial recognition operation, and | specific shelter employees/volunteers aren't guaranteed | to be there anytime a homeless person might walk in and | need those backup codes, but it breaks down even further | online since 2fa is inherently 'what you know' + ('what | you have'/'who you are'). | lotsofpulp wrote: | > Passports require the most paperwork out of anything - | your in particular, a birth certificate, a second form of | ID including a driver's license, a photo, and $130+$35. | The USPS isn't just looking at a face and issuing a | passport. | | The point is the hardest part of the problem is already | solved - which is the physical infrastructure and labor. | As for not holding onto physical items, USPS also has | little boxes that people can keep their belongings in. | dahart wrote: | > what is the debate? | | The debate parent mentioned is what to do with the money, | not where to get money. You can see that there are lots | of possible options, right? But you say use taxes like | it's 'duh, easy' or something. Now we're in the realm of | the debates actually happening every day in the US, | _whether_ to provide social services at all, before we | even discuss how much money they need, what to do with | it, and where to get it. A huge portion of people in this | country seem to believe that they don't benefit from | taxes and would prefer safety nets for other people not | come out of their pockets. | | > The correct answer is [...]
using government resources | to provide methods for identity verification, | communications, and various other bare minimum needs for | living. | | This also sounds like you think it's easy, without | considering the implications. (If govt resources is the | solution, why do we still have a problem?) We don't have | municipal or federal Gmail or Facebook, and there are | reasons to believe programs like that would take a long | time and cost a lot of money. The 'bare minimum needs' | have changed dramatically in 20 years, and will probably | keep changing just as fast for a while, with the homeless | population growing in the meantime because the tax-funded social safety net we have isn't doing the job. | lotsofpulp wrote: | > A huge portion of people in this country seem to believe | that they don't benefit from taxes and would prefer | safety nets for other people not come out of their | pockets. | | Exactly, and they love it when people waste time and | energy blaming businesses for not providing charity. This | whole tweet storm should not be directed at Google, but | directed at the US federal government. | | > This also sounds like you think it's easy, without | considering the implications. (If govt resources is the | solution, why do we still have a problem?) | | Because it is purely political. Stalling progress on | providing essentials for life helps keep people from | getting help, and hence keeps taxes lower. If the US | government can do identity verification for passports at | USPS offices, it can do the same for other purposes. | | >We don't have municipal or federal Gmail or Facebook, | and there are reasons to believe programs like that would | take a long time and cost a lot of money. | | If the world's leading country cannot set up email | infrastructure, then we have huge problems. Presumably, | it already does for the how many million federal | employees?
| gubernation wrote: | scrollaway wrote: | Counterpoint, I taught several older relatives in my family how | to use 1Password. | | UX for good security can exist, but it does need a little bit | of education. | | We will all be old one day but I have trouble believing we will | just forget how to use computers. On the other hand, we do need | to carefully consider the role google plays in our lives... | especially for us Europeans, who are just at the mercy of a US | company's whims. | soneil wrote: | I have a sibling who's "no fixed abode". Teaching him how to | use 2fa isn't the problem. It's that all property is transient, | so the 2nd-factor can't be tied to property. It doesn't matter | if that's his phone or his socks. "Something you know and | something you have" does not account for those who have | nothing. | mihaaly wrote: | Not only Google. | | A much less critical or important thing but underlines the bad | attitudes: I just tried to renew my cancelled Netflix membership | yesterday. I am not allowed to do that without providing a phone | number (I used Netflix for ca. 8 years without it). I do not | provide that because I do not want to. I do not tie every aspect | of my life to my phone number. In fact I do not want to tie any | aspect of it to my phone exclusively. Phone number based | authentication is not safe and reliable anyway (it can be lost, | stolen, damaged, then I'll have a cascading effect of problems | instantly). | | I talked at length to the helpdesk lady and the conclusion is that I | am not allowed to renew my Netflix account without providing a | phone number. End of story. | | I permanently remain a non-Netflix user this way. Their loss | actually. | | (A secondary trouble with them is that they are trying to | misinform me, giving false reasons! The support lady reasoned | that they need the phone number for validating bank transaction.
| Since they - Netflix - want to use this to send a code in text | that I am required to type into their - Netflix - system it has | nothing to do with my bank and with authenticating the | transaction! (my bank would never use phone for authenticating a | transaction btw, I am not even sure if I updated my phone number | with them, they reach me other electronic ways). She was just | bullsh%ting! Also the renewal pages stated differently, saying | that authenticating my account is where the phone number is | required. Not to mention that a friend of mine registered | recently and for him the reason to register a phone number was to | retrieve password recovery messages. Three sources, three | different reasons, one of them is complete bullsh%t. A very | repellent kind of practice, I am actually glad staying away.) | | (A third smaller aspect was that the helpdesk lady tried to | interview me about my phone usage strategy and my reasons instead | of answering my question about alternatives. It is not her | business how I use phone and trying to pressure me into some | rigid lifestyle strategy they determine. There are many | alternative ways to carry out the same task, they should provide | more and better choices.) | logicchains wrote: | >A much less critical or important thing but underlines the bad | attitudes: I just tried to renew my cancelled Netflix | membership yesterday. I am not allowed to do that without | providing a phone number (I used Netflix for ca. 8 years | without it). | | If you've got some spare time, have you considered taking them | to small-claims court for refusing to cancel your membership | and still charging you? It'll cost them a huge amount if they | show up, and if they don't then you get a judgement against | them by default. Or if you signed some contract agreeing to | only use some Netflix-specified legal intermediator, | use that.
| | If everybody who was screwed over by tech companies took legal | action against them, it'd cost the companies a huge amount of | money and they'd have to improve the way they treated people. | judge2020 wrote: | > (my bank would never use phone for authenticating a | transaction btw, I am not even sure if I updated my phone | number with them, they reach me other electronic ways). | | Phone numbers are often included in billing address inputs, so | I imagine it's at least logged in the bank's system and perhaps | used as a heuristic signal for fraud. | s0rce wrote: | Very confusing title, I thought there was some weird schedule | that needed address verification. It's when a phone is lost which | is on average every 12 weeks according to the twitter post. | craniumslows wrote: | Why not educate the people in need about the tons of other free | email services that exist? Outlook, tutanota, protonmail, yahoo, | gmx, fastmail, zoho, there's plenty more but you get the idea. | | The only way to win is to not play the game. | spoonjim wrote: | I don't think changing Gmail to meet the needs of the homeless, | at the risk of everyone else's security, makes any sense. Instead | there should be a different email service that the homeless use, | perhaps government provided if there's no business model in it. | ENOTTY wrote: | This might not be a problem that matters to the Google bean | counters, but it would be a problem that a responsible, moral, | and just company would solve. | chimprich wrote: | Google's 2FA is dreadful. 2FA is a good idea when it's added with | consent, but Google adds it behind your back in ways that are | both infuriating and brain-dead. | | I've been caught out recently twice: once I was away on work and | had to access my email. Google demanded that I verify it using my | phone that I'd previously accessed my work email with.
However, | this phone was just a phone I use for development, had never had | a sim card inserted, and was on my desk at home. I hadn't agreed | that it should be used for 2FA. It was tremendously inconvenient | because I needed to find where my hotel was. | | Another time recently I managed to destroy my phone in an | accident and got the phone replaced. Despite taking the sim card | from the old phone and putting it in the new one, doing a factory | reset on the old one, and it not being active for a week, Google | still demanded I 2FA authenticate on the old one. | | I feel these problems could have easily been avoided, but it's | typical latter-day Google experience: a tin ear for the customer | experience and a general attitude of automation knows better than | users. | icehawk wrote: | Yeah I had a similar issue. I had TOTP 2FA set up on my google | account, and connected an android phone to it purely to | download something from the app store. | | Google then decided that it was going to ignore TOTP set up and | prefer the "Trusted mobile device." | | In a way it actually made my account less secure, since that | was a testing device and had no passcode on it. | gigglesupstairs wrote: | Apple does it too. I have three iPhones, one much older than | the other two. Recently, in one of my new iPhones, Apple | decided to ask me about my passcode I used in my | "giggleupstairs's iPhone" for some special verification | scenario. Now, what? I have THREE iPhones, how will I remember | which iPhone is this generic looking iPhone name referring to? | I kept entering what I thought was the correct passcode for at | least three times before realising what was happening. I | shudder to think I could have ended up locking up my account | like this. | kyle-rb wrote: | Disclaimer: I work at Google. | | I've never seen this issue. I don't have 2FA enabled for any | personal Google account. 
There are some dark patterns to try | and get you to enable 2FA that I don't agree with, e.g. a big | "add a phone number to your account" page after you log in, | with a small "skip for now" button at the bottom. | chimprich wrote: | This doesn't involve a phone number, and I haven't enabled | 2FA either. This is a security check that's activated under | some combination of unfamiliar location, WiFi network, or | device. It requires you to confirm your identity by using the | app. | | If you delve through GMail's settings, under "Sign-in and | recovery": Trusted mobile devices | Google can verify that it's you by sending sign-in | notifications to a private phone or tablet. You can | remove it in your recently used devices. | | There's no way to turn it off as far as I can see. You can | remove a device from the authorised list, but that's not very | helpful if you don't realise that it's been added. | | It's idiotic. It's essentially: "confirm that you're allowed | to access your email by confirming that you already have | access to your email". | WaitWaitWha wrote: | Goog did it to me too. I was using a burner phone, and logged | into the Goog account. Next thing I know, after I chucked the | burner, Goog is demanding I authN using the burner phone. | | If you are wondering how I authenticated in the first place onto | the burner, I used TOTP, but she would not let me use it | again; she wanted my burner. | susanasj wrote: | I think the answer here is not that Google makes bad product | design decisions it's that we shouldn't live in a society of | incredible wealth but some people still don't have homes and have | to sleep in places where they are constantly the victims of | property crime. | deeblering4 wrote: | I had never considered this, thanks for sharing it. Yes the | typical "something you know and something you have" 2FA | authentication approach doesn't work when unable to reliably | "have" something.
| | Even backup otp keys would be a challenge in this scenario. | | What solutions would help with this? I would think even having | two passwords on the account (as in you need both to log in) | would be an improvement over plain password auth. | ifqwz wrote: | >Unhoused people tend to get their phones through the | "Obamaphone" program, which means that replacing a lost or stolen | phone results in a completely new phone number. | | Maybe that's part of the issue. Why recycle numbers so | aggressively? Give the user a few months to recover their old | number if they can prove they are the same person. | est wrote: | Reminds me of an anti-CAPTCHA argument, there are many people in | this world who have never seen a fire-hydrant in their life. | xxs wrote: | or American buses, or anything culture centric. The US version | of hydrant is just not present around here. | jupp0r wrote: | GMail requiring a password makes my grandparents lose their | access what feels like every time I visit them. I can imagine | that homeless people are facing that problem on top of the ones | described in the thread as well. | | GMail offers backup codes to somewhat solve the phone number | problem by the way. | xen0 wrote: | There is a huge disconnect between two types of companies. | | The majority of companies seem to view email addresses and phone | numbers as largely permanent identifiers. | | Then there are the companies that actually provide you those | things. To them, what they provide you is definitely not | permanent. | [deleted] | themagician wrote: | Solution: Don't use Gmail. | | There are many other (free) email providers. Not all require 2FA | via SMS. | codegeek wrote: | Maybe we can build some sort of a "reverse proxy" solution where | you can get a number from Twilio etc and just forward to an | actual phone number from your carrier. Bonus, you can add some | "firewall" rules and boom. If you lose your phone from your | carrier, your twilio number is the same.
Just change the rule in | Twilio? | | Isn't there a service like this already? If not, there is your | billion dollar startup idea. | dexterdog wrote: | And how do you authenticate to Twilio? | jqpabc123 wrote: | Won't work. VOIP numbers can be easily identified and Google | and most other providers refuse to accept them. | 99112000 wrote: | Cyph0n wrote: | Did you even click on the link? | benhurmarcel wrote: | I understand they get stolen | permo-w wrote: | I know this will sound "let them eat cake"-ey but just don't use | gmail then? | concordDance wrote: | I don't understand why governments don't provide everyone with an | email address. | | E.g. John.doe1234@people.gov | dexterdog wrote: | Because google funds campaigns | tiku wrote: | Estonia does this for their eResidents. | RichardCNormos wrote: | The government doesn't need copies of my communications living | on their servers. | googlryas wrote: | Here's the solution: Since OP is regularly in contact with 30+ | homeless people, he can offer to be their backup email account. | He can then confirm the identity of people if they lose access to | their account and help them get it back. | | Or, he can safely store their 2FA backup codes in his house. | | The homeless make up like 0.1% of society. And not every homeless | person has this issue. It would be insane to make _any_ feature | for like 0.02% of the population. Especially a feature which | diminished security. Because yes, those 0.02% of people might | have an easier time accessing their accounts, but probably 100x | that amount of people are going to end up getting tricked into | de-securing their account, or do it by accident, and end up | getting compromised. | IncRnd wrote: | > Here's the solution: Since OP is regularly in contact with | 30+ homeless people, he can offer to be their backup email | account. He can then confirm the identity of people if they | lose access to their account and help them get it back.
| | > Or, he can safely store their 2FA backup codes in his house. | | Why even have security? Your solution practically screams for | those 30+ people to be taken advantage of. | | Just use a different email provider whose procedures align with | how you regularly change your phone number. | googlryas wrote: | Why would Chad Loder take advantage of them? Yes, it gives | him the _ability_ to, but that doesn't mean he will. | | Why have security? So some random, untrusted person can't | compromise the account. If Chad holds the codes, then only he | can compromise the account, and maybe their relationships are | good enough that they would trust him. | | Using a different email provider also works, but I assumed | there would be some reason that doesn't work - android | effectively has a built in gmail client, non-tech people | might just autocomplete "@gmail.com" and mess up someone's | address if it is a non-expected domain, etc. | karaterobot wrote: | I'll accept the downvotes, but I don't feel like optimizing for | the subset of homeless people who regularly lose their phones and | their recovery codes is a good use of resources. I'd change my | mind if someone could cite reliable sources that say this is | actually a large community that Google as a corporation should | really be paying more attention to, but just this one guy on | Twitter is not enough for me. | IncRnd wrote: | This is a non-issue. When signing up for 2FA google provides a | set of backup codes and instructions on how to use them when | access to your phone number is lost. | | I don't work for google, and recognize they have many other | issues, but this person on twitter is incorrect. There are other | methods in addition to backup codes. There are voice | authentication and id upload. I've even had Google call me back, | and I spoke to a person who manually authenticated me. | | This particular system isn't broken. | | Of course, there are many other email providers.
Why would | someone keep choosing the same provider, when it doesn't act in | the way they expect? | googlryas wrote: | The article mentions that "maintaining possession of anything | physical is difficult" for the homeless. Let's say they print | out the backup codes...but then their backpack gets stolen. Or | it just rains and ruins the paper. | [deleted] | topherPedersen wrote: | Yeah I don't like that feature either. You can't get into your | gmail unless your phone is working. If you don't have access to | your phone # you are kind of screwed. | | EDIT: It looks like you can turn off 2FA, I think I'm going to do | that now so I don't get locked out of my Gmail. | miki123211 wrote: | This is yet another example of the "accessibility, privacy, | fraud-protection, choose any two" problem. | | You can force people to use 2FA, but then you discriminate | against people who can't. You can build an account recovery flow | that requires government-issued proof of ID, but then you | sacrifice privacy. You can do neither, but then you make accounts | easier to compromise and harder to recover. There's no good | solution here, it's all tradeoffs. | | Captchas are another situation where this problem arises. You can | implement easy audio and text captchas, available in all the | languages your signup form supports, but then you get a lot more | fraudulent signups. You can eliminate captchas altogether, | relying on invasive user fingerprinting instead, but then you | sacrifice privacy. You can do neither, but then you discriminate | against visually impaired users. Once again, no good solution, | just tradeoffs. | civilized wrote: | Maybe each individual should be allowed to "choose the two" | that work best for them. | | Most of us have at least one email account that's already under | our real name, where we have no big interest in hiding our real | identity, but we do have a big interest in not being randomly | shut down by Google. 
We hear about such shutdowns every few | weeks on HN, if not more. | | Google has unfathomable financial and technical resources, much | of which goes to projects of speculative value at best. I can't | help but feel that they could provide a slightly more | customized login experience to help diverse people with diverse | needs. | Balgair wrote: | There are a lot of email providers out right now that fit one | of the three possibilities OP set out. | | But most people aren't aware of any of this, choose the one | they know of or see first, and get angry when 'it doesn't | work right'. | | Like OP said, all cover is temporary. | civilized wrote: | Appreciate the principle, but not all of us have time to | change everything we don't like the moment we don't like it | a little bit. | ridgered4 wrote: | The only email provider I'm aware of that still doesn't | require a phone number during sign up is protonmail. Maybe | tutanota but IIRC they wouldn't let you sign up over a VPN. | labanimalster wrote: | You mean 4 times a year...every 12 wks | hitpointdrew wrote: | I think you really mean once. How do you "permanently lose" | anything more than once? If it is permanent then you can only | lose it once. | sneak wrote: | Your phone number is also your permanent cross-app tracking | advertising identifier. | | This is why every app and vendor asks you for it. | | I change mine every 90 days. | ajhurliman wrote: | Do you just go into the carrier's store and ask them to change | it, or do you have some streamlined way of changing it? Every | time I go into one of those stores it seems to take hours to | get even the simplest thing done. | sneak wrote: | I just buy new $90 mint prepaid sims for cash. They work for | three months. I have never talked to a CSR. 
| modeless wrote: | Why is this guy mad at Google for implementing security (which I | guarantee has saved a lot of homeless from account takeovers), | when he could be mad at the government program for failing to | provide people with a stable phone number? Constantly changing | your phone number has a lot of other bad consequences which have | nothing to do with Google. | | And maybe the government should consider providing an email | account too. The cost would be negligible compared to buying | people new phones every 12 weeks... | bbarnett wrote: | Google has a lot of issues, but the gist of these twitter posts, | is that homeless people lose their phones multiple times a year, | and their phone number, and this makes 2fa hard. | | But, I mean, why are they not railing on the phone companies, to | make it easy for the homeless to keep the same phone number?! | | Why is this Google's fault? | dgan wrote: | but nobody ever advertised phone numbers to be assigned "for | life". | | People lose their phones all the time, I personally lost | countless phones, and I am very far from being homeless. | | The problem is forcing 2FA on everyone | ZiiS wrote: | If you have a permanent address there are lots of ways to | ensure you keep your phone number when you lose your phone. | This is a very different problem. | [deleted] | lxgr wrote: | It really is every company's fault that jumps on this absurd | trend of seeing SMS-2FA as the be-all and end-all of user | identification and verification. | | Google is actually doing much better than the competition here | in many aspects (e.g. it is possible to operate a Google | account completely without a phone number for 2FA or account | recovery), but as far as I understand, one is still required to | initially create an account. | pilgrimfff wrote: | > it is possible to operate a Google account completely | without a phone number | | This is only true for a limited time.
I've tried to use a | couple Google accounts this way and inevitably I log in from | a new IP and Google's 2FA system kicks in - forcing me to | either furnish a phone number or lose access to the account. | | It's similar to how Twitter forces phone numbers out of | people - just not as immediate. | lxgr wrote: | Do they really ask for a phone number, or would a Yubikey | work as well? | bbarnett wrote: | A yubikey would be as useless in this article's specific | case, as the problem is losing valuable things (eg, | phones). A yubikey is no different. | | It too would be lost. | lxgr wrote: | That's definitely a problem, and a tricky one to solve in | the context of 2FA: One of these factors is usually | knowledge (your password); the other then has to be | possession or inherence, and the latter has problems as | well. | | Essentially, if you rule out possession, your choice is | between server-side validated biometrics (if offered at | all), or "double knowledge" (e.g. a password and email | 2FA, with the email account also only protected by a | password), which is pretty phishable. | Semaphor wrote: | This is not just the homeless, there was a post on HN from a | librarian talking about the same issues for the elderly and | socially disadvantaged. The issue is that Google forces 2FA on | them, even if they otherwise don't have a phone. | bertman wrote: | Yep, that's what I thought of as well. Discussion from two | months ago: | | https://news.ycombinator.com/item?id=32304320 | Semaphor wrote: | Wow, my sense of time is horrible. I thought it was about | 1-2 years ago :D | UncleMeat wrote: | This post was also very misleading. The concerns the | librarian raised _were actually addressed_. The doc was old | and made public by somebody other than the librarian, who | edited it after it blew up to make it clear that the content | was out of date. | | ====== | | Addition, 08/02/2022, 3:03pm: I don't know how this got | shared to HackerNews.
I appreciate all of the positive | responses we have gotten. However, this was not an open | letter. It was meant to be shared internally to Google. It | went directly to the security team and we had a conversation | about it about a year ago. Things have improved significantly | since then and this is no longer a daily problem. Please stop | calling the branch or emailing me about it. It's interfering | with my work. Press inquiries can be made through | https://libwww.freelibrary.org/contact/ and the public | relations department will be in touch with you. | | If you want to learn more about patron privacy and support | librarians advocating for patron privacy and against big tech | please check out https://libraryfreedom.org/ which is a | wonderful organization I am a part of that does work like | this. I still firmly believe in and stand by everything that | I wrote. But this particular action was not meant to be a | public letter. | | Also! If you're in Philadelphia you should check out this big | program we're doing on August 12th called Empathy Versus | Misinformation where a panel of experts will address | questions and misconceptions about transgender youth!! Boy am | I relieved that this was a Google Doc and I can just put | whatever I want onto the front page of HackerNews now :) | Semaphor wrote: | There was a followup comment on HN: | | > Doesn't sound like it was completely resolved. In fact, | it sounds like Google may have treated it as a "squeaky | wheel," and only that library is getting better help. | | -- https://news.ycombinator.com/item?id=32309190 | UncleMeat wrote: | So on one hand we've got the actual author of the | original document saying one thing and on the other hand | we've got an uninvolved internet poster saying something | else. | Semaphor wrote: | The original author is not _saying_ anything to disclaim | what the HN comment said. | borissk wrote: | What makes you think Google cares about homeless? 
| notThrowingAway wrote: | What makes you think Google cares about anyone? | borissk wrote: | Stupid question. | peanut_worm wrote: | Don't they have backup codes? | benpxu wrote: | Sidenote from something I noticed from the rest of these | comments: SMS is not the only form of 2FA. It is the most common | type, but also one of the most insecure versions of it. You | should not be using SMS for 2FA. | remote_phone wrote: | The biggest fallacy we have right now is that all use cases need | to be treated equally and if they don't then somehow they are | being immoral. | | Google is not being immoral. | | The homeless people can use a different service. | | Dealing with the use case of someone losing their phone every few | weeks when you have billions of others to worry about is | unreasonable. I think handling that situation should be | considered out of scope. | bombcar wrote: | Perhaps not immoral but kafkaesque or something - if a | government support service requires an email address to be | used, and the government doesn't provide the email address, | there is a dependency on the market to provide such. | | And if they don't give a list of "workable free email | providers" then the government has failed. | | Imagine the howling if you had to have an email address to | vote. | olalonde wrote: | You can disable 2FA[0]. | | [0] https://support.google.com/accounts/answer/1064203 | rkagerer wrote: | I feel for these folks. I'm housed and never wanted my email (and | a host of other services) to become dependent on my phone number. | I've gone so far as telling service providers "I don't have a | phone, deal with it" (which is getting harder and harder). | Bakary wrote: | I can definitely understand not realizing that you could lose | access to your account if you lose your phone number. But once it | happens the first time, could you not pick any free email that | does not require 2FA, and warn fellow homeless to avoid gmail?
| | I disagree with the idea that because a very, very niche audience | is in dire straits that the design decisions should be based on | their needs. The forced 2FA system has probably prevented | identity theft and financial loss for a very large number of | people. I'm saying this as someone who thinks Google is a shady | and dangerous entity in general. | | It's similar to the idea that hard cases make bad law. | ridgered4 wrote: | > I can definitely understand not realizing that you could lose | access to your account if you lose your phone number. But once | it happens the first time, could you not pick any free email | that does not require 2FA, and warn fellow homeless to avoid | gmail? | | Almost every free email service I've tried now requires a phone | number to set up. Even protonmail required it for a brief while, | although they now are back to captcha and a stern warning. I | actually can't think of another free service besides protonmail | that this isn't now true for. | | An annoying trick some of them use is to allow you to set up the | account and then lock it some time later. I've seen it on | immediate login (irritating waste of time) or after you've used | it for awhile (what you used the account for is now held | hostage unless you cough up a phone number). | tomxor wrote: | > because a very, very niche audience is in dire straits | | Not very niche. | sp332 wrote: | There are over half a million homeless people in the USA right | now. And only a quarter are "chronically homeless", meaning for | over a year or more than once. There are many, many people who | will be homeless for a few months at some point during their | lives. | Bakary wrote: | There are 1.5+ billion gmail users. I don't have stats, but | that intuitively means millions of vulnerable people who | could be scammed or phished or whatnot because they would | never think of using 2FA at all.
| | Among those half a million homeless, how many use gmail and | are unable to change for whatever reason? Among those, how | many have issues with 2FA? Thus we advocate for increasing | the vulnerability of millions to do something that would not | even help the homeless that much. The whole problem of having | to replace their phones every 12 weeks sounds like a far more | pressing issue to investigate and find solutions for. | lazyasciiart wrote: | And what, find every system that has your existing email | address and change it? | IIAOPSW wrote: | The phone number decision is stupid. I up and jump countries | every few years. Each time, I'm switching to a new number. I'm | the opposite of homeless, I'm that jet set elite. The idea that | you want, need, should or will tie your identity to a phone | number where people can always reach you is long outdated. | xani_ wrote: | > The idea that you want, need, should or will tie your | identity to a phone number where people can always reach you | is long outdated. | | Yeah I have no idea why phones still use numbers. It would be | so much easier if the same address for e-mail worked for voice, | just add some DNS records that point at my phone provider to the | domain and done. | | Then again, spam calls would probably be so much worse... | uup wrote: | So use one of the other 2FA options. | esperent wrote: | Not always a possibility. Many banks require phone number | based 2FA, for example. And you're required to use it any | time you want to make a transaction that exceeds some | threshold. | netheril96 wrote: | We are talking about Google here, right? | jbay808 wrote: | (FWIW, my bank does not provide any other 2FA options.) | wavelen wrote: | afair you need to set up a phone number before you can | choose to add another 2FA option (which is stupid imho) | UncleMeat wrote: | Even if this is the case, this isn't a problem for the | poster. They have _a_ phone number, it just changes | frequently.
They can sign up, enroll in a TOTP or U2F | system, and then they are set. | yellowapple wrote: | Except if you're using e.g. Google Authenticator and you | lose that phone, you've now lost your TOTPs. The most | unhoused-friendly solution _there_ would be to use | something like Authy instead (which is another password | to remember, but at least it makes it easy to recover | your TOTP keys on a new device without needing the old | one); next best would be to use something like andOTP | which supports backups (but then you'd need someplace to | store those backups, which introduces the same problems | as safely keeping a phone on your person). | UncleMeat wrote: | The context for this post is a person who moves between | countries frequently and therefore gets new phone | numbers. This person has consistent access to the same | phone. | borissk wrote: | It's not stupid - Google wants to track everyone | everywhere and a phone number is a good way to link an | account to a real world person. | RupertEisenhart wrote: | Sticking my German sim card into my phone for fifteen minutes | in all sorts of random countries and continents and waiting | for a number to come through always feels absurd. | | I pray for the rise of esims! I feel like it's on the cards. | xani_ wrote: | Eh, I greatly prefer the ability to move the very reliable | thing from one phone to another, just use another phone | instead of going into paperwork to move it if my phone gets | damaged or something | Timpy wrote: | I thought I got everything moved over to an authenticator | app before leaving home but I forgot one, I got a "check | your phone for verification SMS" earlier today. My American | SIM could get the text but my foreign sim was giving my | laptop internet access. Big pain in the ass.
| lxgr wrote: | I've been using eSIMs for the past couple of years for this | specific use case, and while they certainly help, it's | really just a stop-gap measure: | | You still need your phone and cell signal to receive them | (at least many European carriers don't support SMS over | VoWIFI); the eSIM is "stuck" in your phone if it physically | breaks (and on many carriers, you can't re-use an eSIM QR | activation code in any case); in many countries, SIMs | expire after a couple of months or even weeks of | inactivity, losing your number permanently, to name just a | few. | | I've found Google Voice to work quite well as a workaround | for almost all of these problems, but unfortunately, many | US companies insist on not allowing VoIP numbers for 2FA or | even plain account creation purposes. I usually try to | avoid these companies. | mwint wrote: | > the eSIM is "stuck" in your phone if it physically | breaks | | Wait, does this happen? | heavenlyblue wrote: | That's overly dramatic, of course you can re-create it on | the other phone. But what's true is that you can't | physically transfer it. | lxgr wrote: | I wasn't trying to be dramatic here: Without deleting an | eSIM profile from a device, all implementations I know | indeed disallow reinstalling the profile on another | device. (The eSIM standard effectively enforces the | singleton nature of an instantiated eSIM profile.) But of | course most providers can re-issue eSIMs if required, | just like they can mail a physical SIM replacement. | | But in many cases, they either charge for it, require | more or less involved bureaucratic acrobatics (including | sending the QR code via physical mail as proof-of- | address, because they've been burned badly by eSIM | swapping), or both. 
| | So the assumption that an eSIM activation (QR) code is | more or less like a bearer token that you can keep in | your password safe and use whenever required often does | not hold true, especially when needed most (traveling | internationally etc). | | Fortunately, my provider is pretty good about it (I can | instantly self-serve reissue an eSIM in their portal free | of charge), but that seems to be the exception, and I | also don't know how I feel about that, security-wise. | (They don't offer 2FA, as far as I know.) | jaclaz wrote: | More common case. | | Your phone breaks (broken screen, swollen battery, | whatever). | | With a physical SIM you can physically extract the SIM | and insert it in another (spare) phone (and you can even | borrow one for a few minutes). | | To transfer an e-SIM you need to authorize the transfer | on the old phone (the one that doesn't work): | | https://news.ycombinator.com/item?id=32138466 | benhurmarcel wrote: | I've lived in different countries along the years, it's | simple and best to just keep a permanent phone number in the | country you consider the most like "home". Get a cheap phone- | only plan, stick the SIM into a dumbphone or your second SIM | slot. Done. | oceanplexian wrote: | What's painful is that I've ported my phone number out to a | VoIP provider similar to Google Voice for exactly this | purpose, but something like 25% of providers now block using | SMS for 2FA unless it's tied to an approved mobile phone | operator. | | Turns out 2FA is also being used as a low-effort form of a | captcha in addition to being a tool for data harvesting and | "device identification". I wouldn't be surprised if | legitimate users simply never receive a 2FA SMS because | someone used a prepaid phone or something. | throwawaysleep wrote: | It is more that generating thousands of phone numbers is | extremely expensive. It is cheap for real users, but | scammers and spammers have to pay a lot. 
| tehwebguy wrote: | Was just reading about how Overwatch 2 won't let people | register with a prepaid phone number. | | I'm sure there is some good reason to want to avoid people | spinning up free or ultra low cost phone numbers to make | extra accounts but some users were like, "I've been using | TracPhone for a decade" or something like that. Also pretty | surprised that it's this easy to detect the carrier. | Guessing we'll see this more and more! | danuker wrote: | The problem will solve itself. People unwilling to sign | up for a mobile plan for playing a game will | automatically boycott the likes of Overwatch 2, which | will result in revenue lost (perhaps to competing games | that allow prepaid cards). | | I have only ever used prepaid cards. I would rather be | cut off from communication (or buy a local prepaid card) | than get a surprise bill of hundreds of euros for | visiting a country outside the EU. | | I guess a lot of people have the same thought process as | me around Europe, because there are lots of smartphones | available with dual SIM cards. | judge2020 wrote: | Using mobile phone numbers as a makeshift captcha is the #1 | tool any security team has to prevent fraudulent signups. | Because they're expensive to get, it puts any attack at a | baseline cost $x, so many would-be attackers that only | stand to gain $y just don't carry out the attack when $y < | $x. | kthejoker2 wrote: | Wtf Calling homelessness a "niche" .. peak apres moi le deluge | Bakary wrote: | This is the sort of performative response that is the | problem. Let's say we force Google to switch off 2FA. Now we | have exposed millions of people who don't know any better to | phishing attempts and financial loss. And the group we are | trying to help isn't really better off. There are so many | other questions we could be asking. Why are they directed | towards picking Gmail by default? 
Why is the system to give a | replacement phone every 12 weeks instead of investing in a | dedicated device that's much harder to damage or lose? Why is | keeping the same number a hassle? Why are we tackling the | problem with caseworkers instead of something more ambitious, | that would ironically be less costly in the long run? There | are so many angles we could go for, but instead we are stuck | on this performative nonsense that gets retweets. It's | pseudo-empathy at best, because it's not oriented towards a | real solution. | xani_ wrote: | > This is the sort of performative response that is the | problem. Let's say we force Google to switch off 2FA. Now | we have exposed millions of people who don't know any | better to phishing attempts and financial loss. | | Could be just an option hidden somewhere in the settings. | Don't need to turn it off for all. | | > And the group we are trying to help isn't really better | off. | | That's just your assumption. | Edman274 wrote: | > Why is the system to give a replacement phone every 12 | weeks instead of investing in a dedicated device that's | much harder to damage or lose? Why is keeping the same | number a hassle? | | If you're homeless, you're getting robbed. It doesn't | matter that a yubikey would be worthless to a person | mugging you, they'll take everything including the | worthless stuff. Or you're being picked up by an ambulance | and taken to a behavioral health center after a mental | health crisis and when they do that they take your clothes | off and stuff goes missing, even if it's worthless. | | Keeping the same number usually requires paying into an | account which requires being able to make consistent | payments, which is not easy to do. Or a credit card or bank | account is required. You are maybe unbanked in this | scenario. | | > Why are we tackling the problem with caseworkers instead | of something more ambitious, that would ironically be less | costly in the long run?
| | Caseworkers make practically nothing. Does your solution | get rid of human beings to act as agents for people who | sometimes lose touch with reality? Will there be an AI | assistant to guide someone through a schizophrenic break | and get them to a hospital and help get them reoriented | after they regain contact with reality? That's what's | necessary and you're treating actually understanding what | they're going through as if it's virtue signalling. | esperent wrote: | Exactly. The word people should be looking for is | "vulnerable". They are not a niche category, they are a | vulnerable category, and need protection, not dismissal. | Kalium wrote: | You're absolutely right. | | Now let's talk about how much effort and what level of | resources it's reasonable to expect a commercial entity to | invest in extending protections to vulnerable people in | need who happen to not be customers. | | Perhaps we're asking the wrong entity to address this | problem? This seems more like a public service | infrastructure problem. | nyuszika7h wrote: | Google is a multi-billion dollar company, they barely | have to lift a finger. They simply have to provide an | option to opt out of 2FA. Add a bunch of warnings if you | must. Even if Google was a small startup it would be | trivial for them to do this. | Kalium wrote: | To be clear, your answer to vulnerable people needing | protections is to lower the minimum level of security for | everyone using Gmail. Do I understand correctly? | WithinReason wrote: | No, please reread. | Kalium wrote: | Ah! Then the problem is solved, I suppose. | WithinReason wrote: | There is already an option to opt out of 2FA: | | https://support.google.com/accounts/answer/1064203 | everforward wrote: | In the US, they are a niche at 0.2% of the population. Vegans | are an order of magnitude larger at 2%. | | They are a vulnerable niche, but a niche nonetheless. | ruph123 wrote: | Gmail != Email. 
| | There are many other usable (and free) email providers out there. | It doesn't have to be Google. | AngeloAnolin wrote: | Every solution/alternative would always impose challenges that | can be considered an edge case initially until it becomes | permanent. | | For example, if Google wants people (who have a tendency to lose | their 2FA devices more often) to always use this feature, and in | case they lose access to their device, they could use a trusted | designate who can verify on their behalf that they are the ones | signing into the service. But then again, this alternative will | impose some new challenges such as: | | - What if the designate is not available? | - Designate is | available but also lost their access to verify the other person? | | As with this case being raised here, it will always be a process | wherein Google (or any other organization) will have to explore | and find meaningful solutions that are both inclusive and | considerate of specific conditions. | | The variability alone of such a premise is so huge that I am quite | sure when the next edge case comes up, there are other edge cases | boiling down that will become the next set of issues. | ClassyJacket wrote: | I have lost access to Tinder and Transferwise because I moved | between the UK and Australia and thus changed my phone number. | Whatsapp also silently fails to send me private messages now, | even after I went through their official inbuilt 'I changed my | number' process - only my group chats work now. The messages | appear to send to the sender, they don't even know I didn't | receive them. | | One of the worst examples I've heard is that Overwatch 2 not only | requires a phone number, but they actually check with your | carrier if it's a prepaid number, and if it is, you're banned. | Sorry poor people, Blizzard doesn't want scum like you playing | their game.
|
| Assuming someone's phone number never changes, or that they'll have access to their old and new numbers at the same time, is simply wrong and does not work.
|
| I haven't been locked out of Google yet, somehow, but maybe it's just a matter of time.
| dtx1 wrote:
| If you rely on a free Google service for _anything_ in _any_ situation, you are one random AI decision away from being completely fucked anyway. If losing 2FA access often is a problem for you, choose a different provider or, if you have to use Google for some reason, use their Google authentication app and save the authentication credentials somewhere safe. If you cannot keep a strip of paper with a few recovery codes safe, don't use the internet, it's not for you.
| RenThraysk wrote:
| More evidence of how different groups in society have no idea how the other groups live.
| 0xbadcafebee wrote:
| Google doesn't even care about their paying customers. You think they care about the homeless?
|
| Just stop using Gmail. Here is a very small number of other providers: https://www.ionos.co.uk/digitalguide/e-mail/technical-matter...
| [deleted]
| pyuser583 wrote:
| Homeless, people facing criminal charges, incarcerated, etc.
|
| None of these folks are desirable advertising targets.
| krick wrote:
| I don't even know what this has to do with the homeless. I don't want ANY of my internet accounts to depend on my phone (which I can lose, and I just don't want it to be a big deal) or, worst of all, on "my" _phone number_, which IS NOT, never was and never will be controlled by me -- but by my cellphone operator. Who isn't my friend. Both problems seem to be so obvious that I don't see how pointing out (also a rather obvious thing) -- that life out there on the streets is a bit different than in your [home-sized] cubicles -- can help.
|
| And since it's always more productive to assume malice, not stupidity -- obviously, this is the point.
| Somebody _wants_ you to depend on your phone number, something you don't really control and cannot easily change. This isn't about comfort and security, it never was. What else is new.
|
| But, I mean, if I have to pretend that it's not about me, but about homeless people for something to be changed -- I guess I'm homeless' rights supporter #1 from now on.
| admax88qqq wrote:
| Amazing that we let Telecoms become the arbiters of identity online.
| kweingar wrote:
| The USPS should operate a free public email service and provide support at every post office.
|
| The government has the resources to navigate complex situations that digital safeguards can't.
|
| If someone has no paperwork, lost the device they made their account with, and cannot remember a password they made--no tech company has the resources or expertise to handle this at scale as well as local institutions can. If someone needs to take over an account of a loved one that they have legal guardianship of, you don't want a support agent at a call center to make these decisions.
| throwaway290 wrote:
| Just the other day had an experience where someone in need, freshly moved to a new country, asked to use my phone to email a relative asking for money to buy a phone. When I realized they would need to log in to their Gmail, I felt sorry knowing it almost certainly won't work. It didn't. Thankfully Facebook worked.
| topherPedersen wrote:
| Today I learned you can turn this feature off. Just disabled 2FA for my Gmail so I don't get locked out if something happens to my phone/phone number.
| calibas wrote:
| Potential solution: the Obamaphone program keeps using the same phone number for an individual instead of totally new ones every time they lose a phone.
| MAGZine wrote:
| This feels like a workaround.
|
| We should not be treating phone numbers as SSN round two, where everyone relies on it for your identity, and it should never be changed because of how much shit was needlessly tied to it.
|
| I rue the day I need to change my phone number and my digital identity becomes a huge headache, especially for far-flung services that decided they wanted my phone number, but I wouldn't have considered going explicitly to them to update it.
| yamtaddle wrote:
| The correct solution to this _and a shitload of other problems_ is a real, national ID program. But there's enough resistance to it in _both_ US political parties that it can't happen. The lack of it causes a ton of stress, over the population, and is a drag on the economy, but we're just never gonna fix it. Instead we'll de-facto have one (or more) anyway, including 99% of the risks that a real one would carry with it that everyone's so hand-wringy about, but without the benefits of the real thing.
| mcshicks wrote:
| There was a bill to improve digital identity in the US Congress but I don't think it went anywhere. I wrote my congressman about it more than once.
|
| https://www.congress.gov/bill/117th-congress/house-bill/4258
|
| edit: Actually there is a similar bill being sponsored in the Senate now this year. So something is happening.
|
| https://www.congress.gov/bill/117th-congress/senate-bill/452...
| yamtaddle wrote:
| Yeah, it's brought up from time to time but the right _hates_ national ID programs and enough on the left don't like it (including elected officials, not just voters--the distinction's worth mentioning) that it'd take an implausibly-huge supermajority of Democrats to ever pass such a thing.
|
| Never mind that all the things they're worried about would _barely even be easier_ with an official national ID versus what exists now. Let alone hard/impossible without one.
|
| But no, we just suffer through tons of wasted time for all bureaucratic processes and all kinds of hassle keeping our documents in order and tons of fraud and abuse instead. For no benefit. So we can pretend the government can't already "make a database" about dissidents or gun owners or Christians or whoever _very nearly_ as easily and effectively as if we had an official national ID, if they wanted to. Sigh.
| crooked-v wrote:
| I think it's worth noting here that the passive resistance to the idea of a national ID among Democrats has a lot to do with Republicans regularly hijacking voter ID bills to specifically make things harder for the poor and minorities, and the expectation that they would absolutely do the same for any national ID program that actually got Republican support.
| xani_ wrote:
| Uh, no, that's an even worse thing to give to the for-profit companies as an identifier.
|
| Now they have a country-unique ID of a person that will never change, so it can be linked to a person regardless of where that person logs in.
| syrrim wrote:
| It already is that, which is precisely why Google is using it here. Google is an American private company. Phone numbers have government-mandated systems around the world that allow an individual to keep using them even when they lose their phone. Google uses it because it lets governments solve the identity problem in the fashion and to the degree they deem acceptable, and leaves Google in the tech business. Some countries have issued ID cards which support encrypting and signing documents. If that becomes more widely practiced, then Google could switch to that instead, but until then I imagine they'll keep using phone numbers.
| calibas wrote:
| It's not ideal, but phone numbers already are how we verify identity online and sometimes offline. There have been other methods proposed, but they've generally been rejected because of concerns over privacy.
|
| I'm not proposing a solution for the real issue, simply a way of making things easier for people who have a hard enough time already.
___________________________________________________________________
(page generated 2022-10-07 23:01 UTC)