| 1 |
On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote: |
| 2 |
|
| 3 |
> How did you even enable the oauth thing ? only had security device or |
| 4 |
> push to an authenticated device available. Then lied and forced enabling |
| 5 |
> sms as a 'recovery' option. |
| 6 |
|
| 7 |
When I enabled OAuth2 it was early days and Google did not ask for 2FA as a |
| 8 |
prerequisite back then. All you had to provide, for account recovery, was |
| 9 |
another email address. So I set up a second Google email address for this |
| 10 |
purpose and cross referenced the two accounts. Some months thereafter Google |
| 11 |
started asking for 2FA via SMS, before you could access the page to set up app |
| 12 |
access. More recently they also started asking for DOB, "... for legal |
| 13 |
purposes". Soon they will be asking for digital ID and a DNA test, or |
| 14 |
whatever. :p |
| 15 |
|
| 16 |
I noticed whenever I tried to login from a remote location Google would block |
| 17 |
the mail client and also block webmail login if I tried to use a browser. |
| 18 |
Evidently, geolocation/IP address was being used as a security check. To |
| 19 |
acknowledge this was not an attempt by some remote and nefarious actor to |
| 20 |
compromise my account, I had to connect to Google by tunneling via a VPN |
| 21 |
connection to my home and from there to the Google webmail. After that I was |
| 22 |
able to login remotely. |
| 23 |
|
| 24 |
The question about privacy is a moot point. Privacy is often conflated with |
| 25 |
identity and consequently with security. All a mail service provider *need* |
| 26 |
to know is if the person trying to login is the same person who set up/owns |
| 27 |
the account. A single or multiple challenge-response mechanism over an |
| 28 |
encrypted network connection is enough to identify the owner of the account |
| 29 |
via the credentials exchanged between client and server. No sharing of any |
| 30 |
other private and personally identifiable information needs to be part of it. |
Archives