gmail security is a joke
akumar at anilkumar.com
Wed May 27 03:43:47 UTC 2015
> On May 27, 2015, at 8:09 AM, Harald Koch <chk at pobox.com> wrote:
> On 26 May 2015 at 11:32, Alex Brooks <askoorb+nanog at gmail.com> wrote:
>> Can you not set account recory options which change the way password
>> reset requests are handled.
>> https://support.google.com/accounts/answer/183723 Gives some guidance?
> Unfortunately, setting these options does not disable the separate "account
> recovery form" listed at the bottom of the page, and it is this form that
> allows you to login with any previous password and to bypass 2-factor auth.
> I must admit I was surprised by this when I tried it just now. I guess it's
> time to rethink using Google as a primary account...
According to this page, the 2-factor authentication does kick in when you
finally try to reset the password.
“… I was presented with an emailed link to a reset page. When I clicked
that link, since I have two-step verification set up, I was presented
with a demand for a number provided by the Google Authenticator
app on my phone. I provided that number and only then was I allowed
to reset the password.”
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3575 bytes
Desc: not available
More information about the NANOG