I've been surprised to learn that several of my non-technical friends forget their passwords and rely on cookies, and then reset the password using their phone number whenever the cookies are lost.
> I've been surprised to learn that several of my non-technical friends forget their passwords and rely on cookies
As a "technical" person, I despise passwords and tend to avoid using them. My preferred way to log in somewhere is either with ssh keys or with single-usage codes sent by mail.
This has nothing to do with "losing" passwords.
For example, I actually have a password for amazon written in a file, but I don't bother looking for it, I prefer to use the single-usage code anytime I want to use the site.
If you lose your phone number gmail asks you these:
- Last password you remember
- Last time when you logged in
- Your security questions
- Devices connected with your Google account
Just to tell you gmail is unable to recover your account. I am not sure but I think the more you try to recover it the worse it gets (which is understandable). So either you have the phone number and you magically get everything else in those questions right (what counts as right is the real question), or you enter a rabbit hole and get further from getting your account back the more you try. I'm not blaming this system entirely but apparently nothing matters except your phone number when it comes to recovering your account.
Not even getting everything else right works, you need ALL of it right, including the backup email address, when the account was created, last password, location, some captchas, and the backup phone number.
Once one of my Google Accounts was taken over by a hacker (I had reused the password on another site, which was hacked around that time), and even though Google warned me that someone was trying to take over my account, and told me someone was logging in from Russia (I always logged in from the exact same IP address from which I tried to recover it), and even though a friend at Google submitted an internal request to get me the account back, and even though I sent them a photo of my ID (with the Google account having that exact name in it), they refused to help me.
Google support did try to reach out to me, as I later figured out, but they had instead contacted me via the hacked email account, I only found the "thanks for your support chat" mail in the account after I regained access.
Which I was only able to do by talking to the person who now owned the phone number I had used a decade before for that account (the ISP had long recycled it).
Interested to know how it works if Google don't have your phone no.? Certainly every time they've nagged me for a phone no. I decline the gracious opportunity to give them another identifier. My gmail account long predates the mandatory phone no. step, and so far I think I've managed to dodge it.
Thinking of ditching the ~tracking device~ phone anyway... what then? Have we sleep-walked into a world where people without a mobile phone are the underclass who barely even exist?
> but apparently nothing matters except your phone number when it comes to recovering your account.
Kind of legit to be honest. Anything else would make it far too easy to recover accounts. Also Gmail is far too large to have a customer care that could also do things like passport verification or so.
Having said that, Protonmail has no phone number recovery. That's kind of bad. You can enter an old E-Mail address there though but it would be so much better to link this with a phone number. If you lose your sim card, you can always get a new one from the phone company with your passport.
> Kind of legit to be honest. Anything else would make it far too easy to recover accounts. Also Gmail is far too large to have a customer care that could also do things like passport verification or so.
Why is being able to recover accounts easily a bad thing when you, and only you have or should have access to, say, the password?
> Protonmail has no phone number recovery. That's kind of bad
I do not use it, so it is fine by me.
> If you lose your sim card, you can always get a new one from the phone company with your passport.
Not necessarily. It is more and more difficult to get a new one, and there are prerequisites that one may not meet, or they decide they do not want to do business with you, or your social credit is too low, etc.
The differences are: one is given to you by a third party, and the other one is made up by you.
I would like to be able to opt out of it, e.g. phone number should not be required.
> Protonmail has no phone number recovery. That's kind of bad. You can enter an old E-Mail address there though but it would be so much better to link this with a phone number. If you lose your sim card, you can always get a new one from the phone company with your passport.
Considering how many high-profile bitcoin thefts occurred using hijacked phone numbers, it's probably better not to have that as a reset method.
But this should be up to the user. I mean if your 1 million BTC account is protected through a phone number, someone might want to still do it that way.
Most users don't even have Bitcoin but normal bank accounts, which are oftentimes protected by different second factors. It would be nice if they would provide different options. For me it would suck if someone hacked my E-Mail but I could reclaim it quickly and the damage would be very limited.
Probably it is better to forget a strong password and reset it, than use a weak password that is easy to remember.
Last year I was working on a service that skipped passwords altogether. We used the phone number and a one time pin code by sms for registration, login and order confirmation all in one step.