When people setup two factor authentication on an account on sites that allow it and insert a phone number, does that site assume by default that it's their own number or do they see it as "a" number?

Submitted ⁨⁨9⁩ ⁨months⁩ ago⁩ by ⁨shinigamiookamiryuu@lemm.ee⁩ to ⁨[deleted]⁩

I ask inspired by experiences with Google. Google/YouTube, for as long as I can remember, always had a strange habit of assuming absolutely anyone even near to you is you. Back when I had my first YouTube account (which was also back when I was in a completely different part of the world), for the last few years of having it, it had my sister’s channel listed under “alternate accounts” and it wouldn’t even ask me for the password to log into her account, I could simply click over to it like it was nothing (led to a lot of sister rivalry moments). Of note, on a less severe scale, something akin to this mindset is also credited to leading me to witnessing a documented and verifiable triple banning of cherished accounts, how lovely.

So yeah, my first curious hypothetical question I have of the year. How common/normal would this stance be on the net, with something like 2FA where it could mean the difference between data and makeshift DNA (secondary question, does it actually work as well as touted years ago)?

source

Comments

Sort:hotnew top

rdyoung@lemmy.world ⁨9⁩ ⁨months⁩ ago
If it doesn’t ask you to verify the number by entering a code that it texts you, it’s not true 2fa.

As for your sister’s account. Are you sure it was her account and not you just viewing her channel? If you were actually logged in to her account it stuck around because sites store credentials via cookies it’s not unheard of to be able to access previously logged in accounts for a very very long time even after moving across the globe.

And what the fuck do mean by “makeshift DNA”? Unless you meant makeshift 2fa which is still confusing as a term.

source
- shinigamiookamiryuu@lemm.ee ⁨9⁩ ⁨months⁩ ago
  That’s what I mean, we had a family computer way back then and YouTube assumed once and remembered its assumption forever. By “makeshift DNA” I mean a set-in-place identifier. I never said it was true two factor authentication if it didn’t text someone, I was asking if, when you choose to be texted, if it’s normal to assume the number chosen to be texted on is property of the person setting it up, versus, for example, a family member lending a number to use. I for one don’t even have a phone number right now.
  
  source
  - rdyoung@lemmy.world ⁨9⁩ ⁨months⁩ ago
    Numbers can belong to anyone and yes, they do “assume” that the number you enter is at the least accessible by you. It would make no sense for you to make up a number or give them a relative or friends number especially for 2fa.
    
    Why don’t you have a phone number? You can get a cheap prepaid phone and if you don’t want to pay for cell service you can import that number to Google Voice or other services like textnow, you could even go straight to textnow and get a free number from them. I have one that I pay like $5/year for them to hold on to just in case I feel like I need it.
    
    source
    -> View More Comments
Bitrot@lemmy.sdf.org ⁨9⁩ ⁨months⁩ ago
If it was a family computer it sounds more like she had signed in too. YouTube and Google support multiple accounts being signed in at once and have for years, with an account picker (Instagram does too, on the mobile app). The Deciantart thin is because they had the same IP address, that has long been a way of checking for ban evasion.

If you were using a phone number, which is generally the worst form of 2FA, they could potentially correlate that the accounts are at least related. Most sites wouldn’t, but places like Google or Facebook might. Other forms like TOTP or passkeys should not.

source
sylver_dragon@lemmy.world ⁨9⁩ ⁨months⁩ ago
Wow, ok hopefully I am unpacking this question correctly. But let’s start with the question from the title.
Does Google et al. assume it’s your number or just a number you have access to? It’s the former. Google assumes you are entering your number. If you put in a communal number, that’s on you for screwing up the base assumption underpinning SMS as a second factor for authentication. When working with a factor which is supposed to be “something you have” it needs to be something that you control. Think of it like the keys to your home. If you aren’t the only person with a copy of that key, then that lock does not provide security for your home against others with the key.

As for the “DNA” question. I’m going to guess this is about websites “remembering” you for login purposes. The way this usually works is that, after the first login, the website sets a cookie in your browser. This cookie contains a cryptographic value which is also stored on the web server. When you go back to the site, your browser uses this value with your request for the site. The server then compares it to the stored value. If it matches, you are logged in, without needing to reauthenticate. It’s more complex than just sending the value, but that’s not worth getting into.

If you have multiple logins “remembered” this way, it may be possible to move to different accounts without the need to reauthenticate. Also, many modern browsers can save passwords for you. This lets the browser auto-fill your credentials for you. It’s universally a bad idea to save your passwords this way, but it could allow you to switch accounts without knowing the passwords.

source
snowe@programming.dev ⁨9⁩ ⁨months⁩ ago
eff.org/…/fixed-ftc-orders-facebook-stop-using-yo…

source
- perviouslyiner@lemmy.world ⁨9⁩ ⁨months⁩ ago
  not even the first time - this is such a stupid situation!
  
  eff.org/…/twitter-uninentionally-uses-your-2fa-nu…
  
  source