Your Google accounts will soon default to 'two-step verification'


Why? They make passwords much harder to remember.
And? Practice makes perfect. Continuous use of complex passwords increases the skill and ability to use them. It's not different than practicing math. The more you do it, the better you get.

So are you promoting mental laziness?


All app-based 2FA I've used required a phone number at least for the initial setup and creation of an account. And they might ask again for phone confirmation whenever they think there was any unusual activity from the account - which can mean anything, even just normally logging in, on the same device you've always used, but from a different browser than what you normally use.

If none of that is required, then I haven't heard of it. Anyways, for the kind of 2FA you describe, the service must support it. Personally I still wouldn't use it because, like I have said, for me the inconvenience of 2FA far outweighs the risks of not using it except for the most critical services. So I hope it remains an optional thing.

Strong passwords really are everything you need. Fact is, people who have bad opsec will always find a way to screw things up and end up having their accounts hacked or invaded, no matter how many hurdles services put in the process. There comes a point where anything they add to "enhance security" only ends up inconveniencing users. Ideas like phasing out passwords are just so they can have more control over their users and better spy on them; adding security is just an excuse.
The best security is not having anything worth stealing. If you do, then use end-to-end encrypted email (get a Proton account). Giving data to a company based purely on data mining (and with all of those shareholders to satisfy) and expecting them not to mine?