More on the Google Authenticator problem -- and the "Google Pattern"
(and Passkeys)

A few more words about the Authenticator vulnerability under
discussion. Back in April when I first discussed this, I noted that
the concept of backing up to the cloud was in theory a good one, but
that Google's current implementation (which is enabled by default)
posed risks. I said that the risk was likely quite small for most
people, but I still recommended everyone disable this feature in its
current form, for exactly the kinds of reasons noted earlier today
when a firm was heavily hacked via cloud-synced Authenticator.

Google has a pattern in security of saying in essence "well, this is
good for most users, so too bad if it hurts a fraction of them!" It
also tends to enable new features that may present risks to some users
without adequately explaining those features and asking for
affirmative permission to enable them.

Those fractions represent genuine human beings -- at Google scale,
almost certainly a lot of human beings in absolute numbers -- who can
suffer significantly when their accounts are subverted, and who rarely
can get effective help from Google in such circumstances.

I'll add that I have similar concerns regarding Google's current
"passkeys" implementation, but since I've written them up a number of
times before, I won't repeat them here and now.

Bottom line, Google still has a lot of work to do when it comes to
understanding the needs of their users, especially those users not in
the majority cohorts. -L

- - -
--Lauren--
Lauren Weinstein [email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Twitter: https://twitter.com/laurenweinstein
Mastodon: https://mastodon.laurenweinstein.org/@lauren
T2: https://t2.social/laurenweinstein
Founder: Network Neutrality Squad: https://www.nnsquad.org
        PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility
Tel: +1 (818) 225-2800
_______________________________________________
pfir mailing list
https://lists.pfir.org/mailman/listinfo/pfir