On Mon, Nov 15, 2021 at 07:34:00PM +0100, Geert Uytterhoeven wrote:
> On a related subject, I am using Gmail for email (e.g. patch review),
> but not for actual patch submission (git send-email through my ISP's
> SMTP server). I do have app passwords set up for git send-email on
> my laptop (if I ever need to send patches while on the road, barely
> used so far) and for backing up email using getmail.
>
> Recently I received an email from Google that my account may be "at
> greater risk of targeted attack", and that they recommend enrolling
> into Google's strongest account security offering, the Advanced
> Protection Program. Apparently this makes use of a hardware token,
> the Titan Security Key.

Well, I'm sure they wouldn't mind if you paid them money for a "Titan
Security key", but it's really just a rebranded Chinese-made U2F token
and, as such, not any different from any other U2F security key. You can
get one from Nitrokey (nitrokey.com) or SoloKeys (solokeys.com).

I *do* recommend using a hardware token for your Google account, seeing
as it's increasingly tied to so much of our online identity.

> I have no idea what kind of criteria are
> used to reach out to people (might be people involved with important
> FLOSS projects, who knows? ;-), but the other family members haven't
> received this.

It's anyone's guess, but it's probably based on analyzing various
account dumps a-la haveibeenpwned.com or Mozilla's Firefox Monitor. It
doesn't necessarily mean that you have anything in particular to worry
about.

Best regards,
-K