From 7b1d21bac75fa2d820d32e52c4af1c734420aebb43745d8106c6b0ef72af87a8 Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Thu, 10 Aug 2023 00:00:00 +0000 Subject: New entry: re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud --- ...d-authentication-or-why-i-wouldnt-trust-google-cloud.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md (limited to 'content/entry') diff --git a/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md b/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md new file mode 100644 index 0000000..e85ba9e --- /dev/null +++ b/content/entry/re-against-risk-based-authentication-or-why-i-wouldnt-trust-google-cloud.md 
@@ -0,0 +1,14 @@ +--- +title: "Re: Against risk-based authentication (or, why I wouldn't trust Google Cloud)" +date: 2023-08-10T00:00:01 +draft: false +--- +I found another [article](https://www.devever.net/~hl/logindenial "Against risk-based authentication (or, why I wouldn't trust Google Cloud)") written by Hugo Landau which discusses the unavailability of risk-based authentication (non-deterministic login). The article also points out how the login systems of many online services seem very poorly thought-out. For those who don't want to read the entire article, here's a short quote which captures the essence of Hugo's critique: + +> "The problem is precisely this: The credentials you require to access a Google account are essentially indeterminate. Supposedly, for a simple Google account without 2FA enabled, knowledge of the account email and password should be sufficient to access an account; except sometimes, they aren't. Sometimes, Google might randomly decide your login attempt is suspicious, and demand you complete some additional verification step. +> +> This sounds potentially innocuous until you then realise that there's no guarantee you can actually complete this additional verification step. There are to my recollection numerous stories of people being locked out of accounts which they have the passwords for because Google has decided that things are suspicious and having the password is not enough." + +Apart from the availability issue that Hugo brought up, my problem with risk-based authentication is that it usually relies on collecting and indefinitely storing sensitive data about the user for later comparison, which violates their privacy and creates needless risk of sensitive data exposure. + +Hopefully risk-based authentication will fade away and online services will switch to better alternatives. -- cgit v1.2.3
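Review bot: In the first paragraph of the new entry, "discusses the unavailability of risk-based authentication (non-deterministic login)" reads as though risk-based authentication itself is unavailable, whereas the quoted passage and the later phrase "the availability issue that Hugo brought up" are about users being locked out by it; consider "discusses the availability problems caused by risk-based authentication". The closing line points to "better alternatives" without naming any, and the statement that such systems rely on "collecting and indefinitely storing sensitive data" carries no source; naming at least one alternative and linking a reference would make both points checkable. In the front matter, `date: 2023-08-10T00:00:01` has no UTC offset while the commit date is given as +0000, so adding the offset would make the timestamp unambiguous.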