1. 46

  2. 31

    Oh, I have been wanting to write about this nonsense for a while now. The working title of my blog post is “So what if I am a robot?”

    Adding to the described problems are the confusing messages that tend to accompany this type of extra authentication step. For instance, every once in a while eBay decides that my password is not enough for that day and I must prove that I am really me. And then I get a captcha where I need to select a bunch of chimneys or bridges. Really eBay? Am I the only person in the universe that can tell chimneys apart from traffic lights? Are you sure you are not actually testing something else?

    I have set my browser to erase cookies after each session. I tend to run into this a lot. Several companies must think by now I am a very rich person with a very big house, because each time I log in I get an email congratulating me on using the service with a new device. Good way to make me ignore the “security emails” you send.

    I almost could not work for a day because I visited a relative's house and used the same laptop I always use, except on a different WiFi network. Google decided that surely is the behavior of a criminal. I again needed to prove I really was me. So I click the buttons and the first thing Google asks is my phone number. I have never given my phone number to Google, how on earth is that going to prove I am me? Also, what are you planning to use that number for?

    Just when I was ready to throw the laptop out of the window I tried to log in with Chrome instead of with Firefox. Miraculously it just worked. Which proves the bullshit of their tests, because for me using Chrome is very atypical.

    1. 18

      I have set my browser to erase cookies after each session. I tend to run into this a lot. Several companies must think by now I am a very rich person with a very big house, because each time I log in I get an email congratulating me on using the service with a new device. Good way to make me ignore the “security emails” you send.

      A thousand times this! I’m extremely tired of services that think they have some magical ability to “remember this device”. No you don’t, enormous amounts of effort are put into the web platform to try and prevent any kind of fingerprinting like this. The web deliberately has no feature to identify a “device”. So I have to go through this every time because, like you, I cap cookies at the session (actually, it’s even stricter, when the last tab from an origin is closed).

      If companies aren’t willing to trust users to set competent passwords anymore perhaps they should just bite the bullet and implement the “lost password” (i.e. login by email) flow as their only login flow, as that’s basically what this seems to be degenerating into.

      1. 15

        Am I the only person in the universe that can tell chimneys apart from traffic lights? Are you sure you are not actually testing something else?

        100%. All the choose-picture captcha stuff is so obviously just forcibly outsourcing ML model training to everyone else on the internet, for free, at a time when it’s usually inconvenient. Not OK.

        1. 12

          Really eBay? Am I the only person in the universe that can tell chimneys apart from traffic lights? Are you sure you are not actually testing something else?

          The ‘am I a robot’ thing, aside from the outsourcing labelling ML data sets aspect, is really just there for rate limiting. It isn’t about checking that you’re you, it’s about ensuring that each botnet member can submit password guesses at a rate of only about one every minute. This means that your credentials can be a bit easier to guess than if attackers could mount line-rate attacks.

          The risk-based thing that Google and Facebook do is quite different. They profile you across a load of different sites to try to build a picture of how you behave. A browser that matches this profile is treated as having a higher probability of being you and requires less authentication (Facebook even lets you skip authentication completely if they’re sufficiently confident here). There are two big problems with this approach:

          • Legitimate users change their behaviour. They may then find that they’re triggered as high-risk by the system, which may prevent them from accessing the system.
          • None of these have been actively attacked yet and it’s completely unclear whether an attacker can exfiltrate sufficient information via various side channels (e.g. public posts) to be able to simulate your behaviour and bypass various authentication steps.

          There’s also a problem related to the first, which is common to a lot of ML systems: it’s not clear what the biases are and whether a particular subset of the population (e.g. poor people, people of a given gender or ethnicity, users of a particular browser) are going to be targeted more. This may open up legal liability. If users of Chrome are more likely to be trusted, that may be anticompetitive. If people of a particular protected class are less likely to be trusted, that comes under discrimination legislation. If privacy-conscious people are more likely to be targeted, that’s probably legal but deeply unethical.
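
A toy version of the scoring described in this comment, added here as an illustration and not any vendor's logic: the signal names, weights and threshold are constructed, and the "new device" email rule and the enrolled-TOTP shortcut reproduce the cookie-erasing and 2FA observations made elsewhere in the thread.

```python
# Toy risk-based login gate (constructed example; not Google's or Facebook's code).
# Signals are scored from a login attempt against a stored profile; an enrolled
# deterministic second factor replaces the score entirely.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    device_cookies: set = field(default_factory=set)  # "remembered" devices
    networks: set = field(default_factory=set)        # networks seen before
    usual_browser: str = "firefox"
    totp_enrolled: bool = False

@dataclass
class Attempt:
    password_ok: bool
    device_cookie: Optional[str]  # None when the browser wiped session cookies
    network: str
    browser: str

# Constructed weights; a score at or above THRESHOLD triggers a step-up challenge.
WEIGHTS = {"new_device": 40, "unknown_network": 30, "atypical_browser": 20}
THRESHOLD = 50

def risk_signals(profile: Profile, a: Attempt) -> list:
    signals = []
    if a.device_cookie not in profile.device_cookies:
        signals.append("new_device")
    if a.network not in profile.networks:
        signals.append("unknown_network")
    if a.browser != profile.usual_browser:
        signals.append("atypical_browser")
    return signals

def decide(profile: Profile, a: Attempt) -> tuple:
    """Returns (decision, signals); decision is deny, totp, step_up or allow."""
    if not a.password_ok:
        return "deny", []
    signals = risk_signals(profile, a)
    if profile.totp_enrolled:
        # Deterministic second factor: profiling is skipped for this account.
        return "totp", signals
    score = sum(WEIGHTS[s] for s in signals)
    return ("step_up" if score >= THRESHOLD else "allow"), signals

def new_device_email(signals: list) -> bool:
    # Fires whenever the cookie is missing, so a user who erases cookies every
    # session gets this mail on every login, even when the attempt is allowed.
    return "new_device" in signals
```

With these weights a wiped cookie alone is allowed through (but still mails), while the same laptop on an unfamiliar network crosses the threshold; the numbers are illustrative, which is exactly the inscrutability the comment complains about.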

          1. 4

            I can also imagine some people are simply unable to complete many of the CAPTCHAs. I know I’ve struggled with some of them at times, and a few times they have been painfully US-centric, to the extent that I thought “OK I don’t think I’d have got that if I hadn’t spent a few months in the US.” You can usually skip a specific challenge to get a different, hopefully easier one, but I assume that probably also acts as a negative indicator to the system.

          2. 3

            asks is my phone number. I have never given my phone number to Google

            Migrating my 3 Mojang Minecraft accounts to Microsoft accounts after the acquisition required me to create 3 Microsoft accounts. I gave them email + Password + TOTP. Then I wanted to log in to one from another PC in my own home network, 5 minutes afterwards. Microsoft asked for a phone number to “prove” myself. On all three accounts.

            So if anyone asks: Buying Minecraft for your child requires a phone number.

          3. 6

            I know one fellow whose password was stolen and used to buy a $700 phone on the Google Store using his saved credit card. He did a chargeback of course, and his entire Google account was locked as a consequence - including his email, important documents, and cloud projects. With no recourse or appeal.

            1. 3

              I can only hope this gets better with WebAuthn/passkeys, as they are much stronger than typical passwords and unphishable.

              1. 2

                Plus, I’ve now heard often enough that it’s basically impossible to get in contact with a human person at Google if you don’t fit into their standardized processes. So good luck if you’re locked out of your account, even if you could prove that you’re the owner of the business (which at least in my jurisdiction is quite easy, because you have a business registration document, for some business types you’re also listed in a public registry).

                1. 1

                  How much is this a problem in practice for enterprise accounts with 2FA enabled? Most of the complaints I saw were from consumers without 2FA turned on, but I also didn’t look too hard.

                  1. 3

                    If you mean for Google Workspaces, it seems like it’s less of a problem because you can supposedly disable risk-based authentication in it. I’m not sure this entirely mitigates the other issues like the browser discrimination, and the inscrutability of the system remains frustrating.

                    Moreover it does seem like enabling 2FA acts as a kind of undocumented cheat code for disabling risk-based authentication in many systems. I actually often enable 2FA on some accounts I don’t care about the security of (and pointlessly store the TOTP secret in a password safe same as the password).

                    Why? Because it seems to be treated by a lot of services as a flag to a) disable non-deterministic authentication, and b) as a flag to disable password recovery (or at least make it moot if you can’t also recover the TOTP secret). I consider the former actively desirable in all circumstances, and I consider the latter desirable because I have enough confidence in my own credential storage practices that I’m more than happy to accept the risk and responsibility of being locked out if I lose that token.

                    1. 3

                      Okta calls this “Adaptive MFA” and it’s an endless source of confusion for our customers.