On Friday, 3 June 2022 12:15:53 BST spareproject776 wrote:

> How did you even enable the oauth thing? Only had security device or
> push to an authenticated device available. Then lied and forced enabling
> sms as a 'recovery' option.

When I enabled OAuth2 it was early days and Google did not ask for 2FA as a
prerequisite back then. All you had to provide, for account recovery, was
another email address. So I set up a second Google email address for this
purpose and cross-referenced the two accounts. Some months thereafter Google
started asking for 2FA via SMS, before you could access the page to set up app
access. More recently they also started asking for DOB, "... for legal
purposes". Soon they will be asking for digital ID and a DNA test, or
whatever. :p

I noticed whenever I tried to log in from a remote location Google would block
the mail client and also block webmail login if I tried to use a browser.
Evidently, geolocation/IP address was being used as a security check. To
acknowledge this was not an attempt by some remote and nefarious actor to
compromise my account, I had to connect to Google by tunneling via a VPN
connection to my home and from there to the Google webmail. After that I was
able to log in remotely.

The question about privacy is a moot point. Privacy is often conflated with
identity and consequently with security. All a mail service provider *needs*
to know is if the person trying to log in is the same person who set up/owns
the account. A single or multiple challenge-response mechanism over an
encrypted network connection is enough to identify the owner of the account
via the credentials exchanged between client and server. No sharing of any
other private and personally identifiable information needs to be part of it.
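The challenge-response idea in the last paragraph, shown as a working sketch. This is an added example written for this thread, not code from the poster or from Google: the "server" stores only a salted, password-derived verifier per account, issues a random single-use nonce, and accepts a login when the client returns an HMAC of that nonce under the same verifier. Nothing but the nonce and the MAC cross the wire, which is the point being made above: possession of the credential is proven without sending the password or any other personal data. The account name, password, iteration count and nonce lifetime are constructed values; transport encryption (TLS) is assumed and not modelled.

```python
"""Minimal HMAC challenge-response login (illustrative, constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption: tunable password-hashing work factor
NONCE_TTL_SECONDS = 60       # assumption: a challenge must be answered promptly


def derive_verifier(password: str, salt: bytes) -> bytes:
    """Derive the shared secret both sides compute from the password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Server:
    """Holds verifiers and outstanding challenges; never sees the password at login."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, verifier)
        self._pending: dict[bytes, tuple[str, float]] = {}    # nonce -> (user, issued_at)

    def enrol(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[user] = (salt, derive_verifier(password, salt))

    def challenge(self, user: str) -> tuple[bytes, bytes] | None:
        """Issue a fresh random nonce; returns (salt, nonce), or None for an unknown user."""
        if user not in self._accounts:
            return None
        nonce = os.urandom(32)
        self._pending[nonce] = (user, time.monotonic())
        return self._accounts[user][0], nonce

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        """Accept a nonce once, only for the user it was issued to, and only while fresh."""
        pending = self._pending.pop(nonce, None)  # single use: a replayed response fails
        if pending is None:
            return False
        issued_to, issued_at = pending
        if issued_to != user or time.monotonic() - issued_at > NONCE_TTL_SECONDS:
            return False
        expected = hmac.new(self._accounts[user][1], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time comparison


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: recompute the verifier locally and MAC the server's challenge."""
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()


def login(server: Server, user: str, password: str) -> bool:
    """Run one complete exchange; only the salt, nonce and MAC are exchanged."""
    issued = server.challenge(user)
    if issued is None:
        return False
    salt, nonce = issued
    return server.verify(user, nonce, client_response(password, salt, nonce))


def demo() -> dict[str, bool]:
    """Exercise the accept and reject paths with constructed credentials."""
    srv = Server()
    srv.enrol("alice", "correct horse battery staple")
    salt, nonce = srv.challenge("alice")
    good = client_response("correct horse battery staple", salt, nonce)
    return {
        "correct_password": srv.verify("alice", nonce, good),
        "replayed_response": srv.verify("alice", nonce, good),  # same nonce again
        "wrong_password": login(srv, "alice", "wrong password"),
        "unknown_user": login(srv, "bob", "anything"),
        "fresh_login": login(srv, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The replay and wrong-password cases are the ones worth noting: because the nonce is popped on first use and the comparison is over a MAC rather than the password itself, a captured response is useless afterwards, and the server-side record (salt plus PBKDF2 output) does not contain the password either.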