mikiem2
Moderator
Watch for an email from Google with the Subject: "Your sign-in is changing..."
It'll give you a week to make sure everything's set up. From then on every time you want/need to sign in, you'll have to perform a 2nd step, usually verification using your cell phone.
Whiterabbit-uk
Games Guru
Thanks for the info Mikiem; that's great news (sarcasm) as I don't own a mobile phone. I only ever used one when I was working as a motorcycle courier to pay for my masters degree.
It looks like I'm going to be forced to buy one eventually as I've read that British Telecom are intending to scrap land line phones by the end of this decade. Plus there are lots of other issues I've faced that would have been easier if I had a mobile phone.
mikiem2
Moderator
The world nowadays expects you to have a cell phone, & if you don't, discriminates against you horribly, as most don't offer Any alternative. In the US -- I know the UK is different -- you can pick up a pay as you go phone pretty cheap. There's also a pretty big market, I think world-wide, selling used phones -- AFAIK most of the people paying $1000 or so for a new phone trade in their old one to reduce the price.
That said, I don't have a cell phone either -- ticked me off I didn't get the email from Google a day earlier, when I had a one day offer from PayPal to save money on eBay, where I bought a Yubikey 5 NFC for just under $30. Google, Microsoft, Amazon etc. will let you use -- I think prefer actually -- a FIDO2 key rather than a phone or tablet for authentication. An alternative is to use a WiFi tablet with the Microsoft or Google authenticator app installed & set up. I've done that in the past, but found it a PITA since I usually don't have my tablet on & ready -- I used it so rarely I gave my wife my 8" Samsung tablet to use alongside her Kindles.
mikiem2
Moderator
Well, got my security key, a Yubikey 5 NFC, setting it up with Google, Microsoft, PayPal, & Amazon so far. It seems like there's a Big lack of plain-spoken info available on how to use these keys -- I spent several hours off & on trying to get a bit of a handle on how to do it, afraid I'd wind up locking myself out of all our accounts.
The 1st thing I found out, is that I shouldn't have paid Any attention to the hype I've been seeing for years regarding these security keys. Some sites, banks etc. have abandoned support, while some, like one of our banks, will only use SMS text messages for 2FA [2 Factor Authentication], which is the least secure method out there [sigh]. Amazon & PayPal will work with the key for 2FA, but ONLY if you use an authentication app with the key. Google & Microsoft are pretty good about it, though Microsoft, despite saying repeatedly that they want to rid the world of passwords, only supports a security key for sign in to Windows for corporate IT.
Yubico, the company that makes the key I bought, has 2 apps -- one to manage the key & an authenticator. Turns out that's a big deal, since if I had bought a cheaper FIDO2 key from Amazon -- they start at a little over $10 -- I could use it for Google, but little else. I Googled on FIDO2 key authentication app, and got zero relevant results.
Setting the key up with Google was easy peasy straight forward -- just followed the prompts. Microsoft had Windows 10 setup the key again -- Windows set it up as soon as I plugged it in -- then asked for the key's PIN... you add a PIN to the Yubikey using their management app -- the minimum is 6 characters. For Amazon & PayPal I used the Yubico authenticator app... they show a QR code, & the app's menu includes "Scan QR code" -- click that & it identifies & adds the site to your account list. Then you double-click the account, & the app prompts you to touch the key -- there's a gold colored disk you touch, with a flashing green LED whenever you need to touch it. That causes the app to generate a 6 number code, which you copy/paste into the box on the sign-on screen or window.
Yeah, it's a bit of a pain to go through the extra steps, but the experts say it's worth it, and who knows, I may wind up saving quite a bit of money -- if it's that much hassle to sign in, I'll do it less often, which means I'll buy less. ;) Besides, sooner or later Microsoft will probably follow in Google's footsteps and make 2FA mandatory.
mikiem2
Moderator
This whole thing has turned out to be a major disappointment.
For the last several years I've been seeing all these statements, warnings really, that you really, REALLY should enable 2 factor authentication on all of your accounts. The companies running those accounts however have a Very different idea -- screw it, we've got insurance, and it's not our bank accounts or identities at risk. So far Amazon [using the Yubico Authenticator app], Google, and Microsoft are the only 3 accounts I've got set up to use with my new Yubikey.
PayPal works [with the Yubico Autheniticator] to log into their site, but when it comes to buying something, *for me* it's unworkable. I don't run my browsers full screen, so after entering my email & password into the pop-up during checkout, I don't see the dialog to select another option, rather than my wife's cell phone. And once I figured that out, and entered the code from the authenticator, it still sent a code via SMS to my wife's phone. That not only drives her nuts, but really weakens the security of 2FA... cybercriminals have long ago figured out how to get around 2FA using SMS texts.
I was dubious of Amazon's log-in with 2FA, since it has a checkbox to disable 2FA right below the text box where you enter the code from the authenticator, but checking that box just leads to another screen where you have to use the authenticator to verify you don't want to use it. Poor design to say the least, but it doesn't make setting up 2FA entirely useless.
With the rest of my accounts [so far], Googling on the account & 2FA I find all sorts of customer requests to enable it, but none of the companies have done so. There was one exception, where they would if you requested it send you an email to verify your identity, but IMHO that's pretty much useless... if a cybercriminal already has your sign-in info, they could easily change the email address on record, if they don't own your email account already. My guess is that none of these companies wants to risk losing even one sale or user, fearing that someone couldn't figure out how to use 2FA, and besides, like I wrote earlier, they're not the ones at risk.
You must log in to post.