I ask inspired by experiences with Google. Google/YouTube, for as long as I can remember, always had a strange habit of assuming absolutely anyone even near to you is you. Back when I had my first YouTube account (which was also back when I was in a completely different part of the world), for the last few years of having it, it had my sister’s channel listed under “alternate accounts” and it wouldn’t even ask me for the password to log into her account, I could simply click over to it like it was nothing (led to a lot of sister rivalry moments). Of note, on a less severe scale, something akin to this mindset is also credited to leading me to witnessing a documented and verifiable triple banning of cherished accounts, how lovely.

So yeah, my first curious hypothetical question I have of the year. How common/normal would this stance be on the net, with something like 2FA where it could mean the difference between data and makeshift DNA (secondary question, does it actually work as well as touted years ago)?

  • sylver_dragon
    link
    English
    710 months ago

    Wow, ok hopefully I am unpacking this question correctly. But let’s start with the question from the title.
    Does Google et al. assume it’s your number or just a number you have access to? It’s the former. Google assumes you are entering your number. If you put in a communal number, that’s on you for screwing up the base assumption underpinning SMS as a second factor for authentication. When working with a factor which is supposed to be “something you have” it needs to be something that you control. Think of it like the keys to your home. If you aren’t the only person with a copy of that key, then that lock does not provide security for your home against others with the key.

    As for the “DNA” question. I’m going to guess this is about websites “remembering” you for login purposes. The way this usually works is that, after the first login, the website sets a cookie in your browser. This cookie contains a cryptographic value which is also stored on the web server. When you go back to the site, your browser uses this value with your request for the site. The server then compares it to the stored value. If it matches, you are logged in, without needing to reauthenticate. It’s more complex than just sending the value, but that’s not worth getting into.

    If you have multiple logins “remembered” this way, it may be possible to move to different accounts without the need to reauthenticate. Also, many modern browsers can save passwords for you. This lets the browser auto-fill your credentials for you. It’s universally a bad idea to save your passwords this way, but it could allow you to switch accounts without knowing the passwords.