Facebook apparently has a grudge against me XD

[Mæstro]

How were you forced to use Google’s verifier? I have always used oathtool, a Debian package, for my needs, and I am sure Italian electronics vendors have got separate devices for the purpose in their bargain bins, just like German ones.

[Lucio Chiappetti]

Rather irrelevant to this topic. My institution has a Gsuite contract, and before I retired I was one of the local admins, so they required 2FA, and 2FA requires a SMS OTP. This remained after I retired and associated. I need it only if I have to log in to G* itself, which in practice occurs only for google meet.
For e-mail I have other means (redirection and app passwords)

[Mæstro]

I think it is relevant inasmuch as the original topic, more generally, involves ordinary institutions presuming mainstream IT usage habits in their users. The local shop which reserves its opening hours for Facebook and the university that uses Google for email and conferences are both thrusting their choices upon others. In the same genre, I have sometimes seen posters for events or activities at my university (student-organised, not official) where the only contact information offered is a QR code. The most egregious example to come to mind now is how many US American schools assign Chromebooks to their pupils.

[moonbat]

they required 2FA, and 2FA requires a SMS OTP.

Couldn't they require an authenticator app instead? Using SMS is vulnerable to SIM cloning attacks. And just like RealityRipple's SecondFaqtor, there are other OTP generating apps available for desktop, at least on Linux - for those who don't want to use a smartphone.

[Moonchild]

I would expect Gsuite to offer authenticator app support; after all, Google provides its own Google Authenticator app for that exact purpose.

[Mæstro]

And just like RealityRipple's SecondFaqtor, there are other OTP generating apps available for desktop, at least on Linux - for those who don't want to use a smartphone.

In the Windows 7 days, I used Authy for this purpose. At the time, no telephone was required to use it.

[Lucio Chiappetti]

Not sure what you mean by "authenticator app" ... is something requiring a smartphone or a PC ? I do not want any smartphone.

I am not worried of SMS per se, I use them with my bank (which before used an OTP key, fine if the battery did nor discharge, and before scratch numbers), I used them with the regional health service, or the national SPID id system for public administration (but the post office SPID allowed only few SMS per month) but I prefer using a smartcard reader.
AFAIK Gsuite, if one wants to avoid smartphones, allows SMS, and also backup one-time text codes (I have requested some, never used them and almost forgotten where I put them). This is if you need to log in, I almost never need to login unless I have to use google-meet or some protected google drive. 2FA is just a little PITA ... username, password, select one's country, type in a phone number you want to use (in principle one can select a different one each time), wait for the SMS an type in the OTP. I suppose I could avoid it clicking on 'do not ask again on this device" if I'd keep permanent cookies, which I don't.
For e-mail there are "app passwords" if one does not want to use Oauth2 and/or 2FA.

I have no idea whether the phone number is stored permanently anywhere. That both for Google, and also for some other sites which require it (varying from sites of utilities, e-commerce, petitions). In principle I have no problem in giving the phone number (after all 50 years or so the telephone company published paper phone directories in alphabetic and street order) but for getting phone spam, which for me is close to zero. Anyhow I avoid giving phone numbers on e-commerce or petition sites, if it is optional, and avoid using them if it is not optional,

[Moonchild]

Not sure what you mean by "authenticator app" ... is something requiring a smartphone or a PC ? I do not want any smartphone.

TOTP applications. I initially (incorrectly!) thought as well it was smartphone specific but no it's a pretty straightforward protocol that also has desktop applications like RealityRipple's one mentioned above. I guess you overlooked @moonbat's post?

[UCyborg]

Sssh, before 2FA mafia comes with "but then it's not true 2-factor" argument.

[Moonchild]

TOTP fills a second factor, though, because it is device-linked. So it's something you know + something you have.

[Mæstro]

TOTP is not inherently device-linked. I can copy my seed number onto any Linux computer and run oathtool with it as argument, and I will get my one-time passwords as needed. ‘Something I have’ only holds literally for me if the thing is the number, but this rather blurs the line between having and knowing. My bank card at a cash machine with its PIN is the only certain example of having and knowing in my daily life. Meanwhile, I have heard of some banks which use security questions as their second factor after a password for logging into their site. Except my bank card and PIN, which I am using while outside my home, actually device-based second factors pose real accessibility problems for me, in ways which arose directly from my disability even when I still had a mobile phone.

[Moonchild]

TOTP is not inherently device-linked.

it is device-linked, just not device-locked. Subtle difference but still counts as a second factor in the normal sense of the word, since obtaining the seed is normally locked behind explicit actions to transfer to a new device. Although I guess 100% strictly speaking it's diminished by being extractable.

[Lucio Chiappetti]

My bank card at a cash machine with its PIN is the only certain example of having and knowing in my daily life. Meanwhile, I have heard of some banks which use security questions as their second factor after a password for logging into their site. Except my bank card and PIN, which I am using while outside my home, actually device-based second factors pose real accessibility problems for me, in ways which arose directly from my disability even when I still had a mobile phone.

Banking is the *only* case where 2FA makes fully sense. ATM card and PIN is one. Bank site (for me) has a numeric username they assigned, a PIN I changed and an OTP sent by SMS (there were or are other means, involving a separate device [as simple as sheet with codes to be scratched, or a key, now both gone ... or a smartphone, I sometimes assist a disabled friend who has sort-of been forced to use it, and requires dialing the PIN on the phone when instructed].
2FA is popular with public administration, and that is where a device-based arrangement is fine for me, in the form of a (NFC) smartcard reader connected to the PC and a card like the national identity card, or the health service card. I would like to be able to use it also with a bank card.
For any other use 2FA (even if in the simple form of OTP SMS) is just a nuisance. I've even seen a case with my friend above) of a telephone compamy which to access their site required an OTP set by e-mail ... may be they thought an SMS would not be independent enough being them a telephone compamy ? Confirmation clicking on an URL set by e-mail is a common way to verify complaints.

[Mæstro]

Bank site (for me) has a numeric username they assigned, a PIN I changed and an OTP sent by SMS (there were or are other means, involving a separate device [as simple as sheet with codes to be scratched, or a key, now both gone ... or a smartphone, I sometimes assist a disabled friend who has sort-of been forced to use it, and requires dialing the PIN on the phone when instructed].
2FA is popular with public administration, and that is where a device-based arrangement is fine for me, in the form of a (NFC) smartcard reader connected to the PC and a card like the national identity card, or the health service card. I would like to be able to use it also with a bank card.
For any other use 2FA (even if in the simple form of OTP SMS) is just a nuisance. I've even seen a case with my friend above) of a telephone compamy which to access their site required an OTP set by e-mail ... may be they thought an SMS would not be independent enough being them a telephone compamy ? Confirmation clicking on an URL set by e-mail is a common way to verify complaints.

Email agrees with my limitations far more than SMS. To explain this requires going into detail about my disability.

In the autistic community, one familiar practise is nesting: maintaining a small area, often one’s bedroom, which is guaranteed to be mild to the senses (which are easily overloaded) and unchanging (so one can always safely return to it when overwhelmed). My computer is part of my own such nest. To keep the nest free from anything which might irritate the senses, I must be thoroughly clean when I enter it; I always shower before going into bed, even if I have just stepped up to have a glass of water. Belongings which are not part of the nest, or go into the outside world of dirt and smells and soot and dogs, must be kept away from the nest. To bring a mobile phone which has been outside into one’s bed would be even more egregious than those Hollywood films where the Yankee teenager climbs into bed with his dirty shoes still on his feet. Over a year ago, when I still had a feature phone, this meant that SMS verification would involve the following steps:

1. Log in as much as I can at my computer until prompted for the OTP.
2. Leave my bedroom and go into the other room, where I kept the mobile.
3. Access the messages two submenus in and put the OTP to memory.
4. Wash my hands thoroughly so they are suitable again for the nest.
5. Return to my bedroom and log onto the computer again.
6. Hope that the OTP has not already expired by the time I enter it.

It was even worse for Duo, a second factor my old school in the States used, which would require me to rush to the other room to answer the telephone within half a minute.
At least, with that, I could take my time then to prepare myself to return to bed, for the verifying was already done.

A physical scanner, assuming it is compatible with my Linux system, would still require thorough washing before it enters the nest, and once ‘naturalised’, cannot be combined with foreign objects like a bank card. Despite requesting the physical scanner in December 2023(!) from my bank, it has been sitting in its box, unopened, for the work of cleaning it and trying to hold it over the dirty page (delivered by post) with the PhotoTAN paper such that nothing is contaminated struck me as far more headache than just going to the bank in person whenever I have got financial business. In contrast, I can access my email inbox instantly, within my nest, without any difficulty.

To compensate for all this, I had actually bought in 2024 a secondary computer, which I have mentioned before on this board, and which I deliberately keep away from the nest and allow to get dirty, so I have got it for when travelling. Hypothetically, I could use it to circumvent the shuttling between devices that device mandates otherwise impose, but I have never actually needed to do this after deciding I would just do my business in person instead. Its charger disappeared a few months ago.

[UCyborg]

^^ That sucks.