author Nicholas Johnson <nick@nicholasjohnson.ch> 2023-08-10 00:00:00 +0000
committer Nicholas Johnson <nick@nicholasjohnson.ch> 2023-08-17 00:00:00 +0000
commit 7b1d21bac75fa2d820d32e52c4af1c734420aebb43745d8106c6b0ef72af87a8 (patch)
tree cb9ad82e9c0672fbb3955a76c8ae25e99a66d1de7efe1cacf5037a9ae7695476 /content
parent 4c4b247e339e92afc38927d482c5dbf2f92d01ccb2dda651bff2846813f38df7 (diff)
New entry: re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud
Diffstat (limited to 'content')
-rw-r--r-- content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md 14
1 files changed, 14 insertions, 0 deletions
diff --git a/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md b/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md
new file mode 100644
index 0000000..e85ba9e
--- /dev/null
+++ b/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md
@@ -0,0 +1,14 @@
+---
+title: "Re: Against risk-based authentication (or, why I wouldn't trust Google Cloud)"
+date: 2023-08-10T00:00:01
+draft: false
+---
+I found another [article](https://www.devever.net/~hl/logindenial "Against risk-based authentication (or, why I wouldn't trust Google Cloud)") written by Hugo Landau which discusses the unavailability of risk-based authentication (non-deterministic login). The article also points out how the login systems of many online services seem very poorly thought-out. For those who don't want to read the entire article, here's a short quote which captures the essence of Hugo's critique:
+
+> "The problem is precisely this: The credentials you require to access a Google account are essentially indeterminate. Supposedly, for a simple Google account without 2FA enabled, knowledge of the account email and password should be sufficient to access an account; except sometimes, they aren't. Sometimes, Google might randomly decide your login attempt is suspicious, and demand you complete some additional verification step.
+>
+> This sounds potentially innocuous until you then realise that there's no guarantee you can actually complete this additional verification step. There are to my recollection numerous stories of people being locked out of accounts which they have the passwords for because Google has decided that things are suspicious and having the password is not enough."
+
+Apart from the availability issue that Hugo brought up, my problem with risk-based authentication is that it usually relies on collecting and indefinitely storing sensitive data about the user for later comparison, which violates their privacy and creates needless risk of sensitive data exposure.
+
+Hopefully risk-based authentication will fade away and online services will switch to better alternatives.
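Review bot: In the opening paragraph of the new entry, "discusses the unavailability of risk-based authentication (non-deterministic login)" reads as if risk-based authentication itself were unavailable, while the quoted passage and the later "Apart from the availability issue that Hugo brought up" are about account holders being locked out despite having the password. Suggest rewording to something like "discusses the availability problems caused by risk-based authentication". Two smaller points in the last two paragraphs: the claim that it "usually relies on collecting and indefinitely storing sensitive data" carries no reference, and the closing line points to "better alternatives" without naming one, so a reader of this entry alone cannot tell what is being recommended; a link for the first and one named alternative for the second would close both gaps.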