On Wed, 24 Jul 2013, Theodore Ts'o wrote:

> Date: Wed, 24 Jul 2013 10:49:20 -0400
> From: Theodore Ts'o <tytso@xxxxxxx>
> To: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
> Cc: Lukáš Czerner <lczerner@xxxxxxxxxx>, linux-fsdevel@xxxxxxxxxxxxxxx
> Subject: Re: [Lsf] [Lsf-pc] hello
>
> On Wed, Jul 24, 2013 at 07:23:23AM -0700, James Bottomley wrote:
> >
> > Yes, just to emphasise, the phone number thing is completely unviable
> > for me as well. They want to send you a code every time you log on.
> > It's founded on the assumption you have a single number that can reach
> > everywhere, which obviously doesn't work when you're travelling.
> >
> > I thought they had something which used the google authenticator app?
> > Which can generate the codes without needing an active cell connection.
>
> There is a google authenticator app. Having the codes sent via SMS is
> an option, but it's certainly not the only way to use 2 factor
> authentication.
>
> It's been a while since I've done the 2FA signup flow, but I believe
> they had streamlined it a bit to make it easier to use. It may have
> been that one of the ways the 2FA signup flow was streamlined was to
> assume that everyone would have a cell phone which was SMS-capable,
> but not everyone would have an Android phone. But after you enable
> 2FA, it is definitely possible to set it up to use the android
> application.

Problem I've got is that in order to enable 2FA I need to go through a
series of steps, the first one of which is to send me a Google
Authenticator application, even though I already have this installed on
my phone. And apparently they want to send a link to me via SMS. I do
not see any way around that unfortunately. So to me this really looks
like a cheap way to get my phone number (which is not the first attempt
from Google I have to say).

Enabling this from the GA application does not seem to be possible as
it tells me to look at the accounts.google.com/security which takes me
back to what I've described earlier.

It is quite annoying :)

-Lukas

>
> Also, you don't need to enter the code every single time you log in,
> at least not for consumer accounts. You can specify that this is a
> trusted machine; if you do this, then after you enter the code, a 2FA
> authentication cookie which is good for 30 days is set on your
> browser, and you don't need to enter the code again subsequently. On
> the other hand, if you're one of the people who are
> carefree^H^H^H^Hless to be willing to log in on kiosk machines, or in
> general on any machine which you don't personally control, you can
> simply leave the check box unchecked, and the 6-digit code will only
> be good for that particular login session.
>
> You may have noticed Google employees needing to enter a code much
> more frequently, and it may be that if you are using an enterprise
> Google account, your enterprise I/T manager can set different policies
> for enterprise account. But what I've described above is the case for
> all consumer accounts --- you do have the option of using a Google
> Authenticator application, which is available for Android and IOS
> devices, which generates an RFC-6238 compliant time-based TOTP code;
> and you have the option of designating the browser and the computer
> which is running on as trusted, in which case you only need to do the
> 2FA authentication procedure every 30 days.
>
> Cheers,
>
> - Ted
>