Are email providers giving you the code instead of asking for tel #?
February 19, 2023 1:56 PM   Subscribe

I couldn't fit all the words in the title. Are the main email providers nowadays giving you the code phrase/words (in case you forget your password) instead of asking you for your phone number or alternate email? If so, which ones are they? I'm thinking Gmail, Outlook, Yahoo, etc. It looks like it is better than email or phone number, since what happens if you don't have access to the alternate email, etc.?
posted by amfgf to Computers & Internet (7 answers total)
 
Best answer: My Microsoft 365 account has the option to provide me with a GUID that identifies my account. (The GUID is unique and requesting a new one invalidates the old one.) Code phrases, like "What is your mother's maiden name?" have been around for a while, but are unreliable validators. (Sarah Palin's account was famously hacked by someone who just looked up the answers online.) I'd be wary of any e-mail that provides a "code number" for you to use along with a "link" to your provider. This is more than likely a phishing scam.
posted by SPrintF at 2:33 PM on February 19, 2023


Best answer: Gmail, memory says, will offer you the opportunity to print a page of one time codes to use in case of emergencies. You need access to the codes, but you don't need a functioning device, for instance if you've lost your phone. It's more a recovery mechanism of last resort than one suited to every day use, mind.

As a general best practice, most sites avoid using only a password or passphrase (or answers to personal questions, whatever) that (a) you made up and (b) is sent over the network from you to them while being reusable. Weak passwords are obviously a problem, and they're common if you leave the choice up to the user, but even strong passwords are a problem if they can be reused, because they might be phished or intercepted. A one time password sheet is a low tech way to make solidly random, non-reusable credentials.

A site that does let you use a passphrase, on the other hand, is not implementing good security and you should ask yourself how you might hack someone's account if that's what they do (think gamil.com, for example).
posted by How much is that froggie in the window at 2:57 PM on February 19, 2023
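The answer above contrasts a reusable password with a sheet of random, single-use codes. The following is an added example (not code from the thread or from any provider) of how a service can issue such a sheet and consume each code exactly once; the alphabet, code length and storage format are assumptions.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (no 0/o, 1/l/i), since the user
# types these codes by hand from a printed sheet. Assumed, not from the thread.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_codes(count=10, length=8):
    """Return `count` random single-use codes for the user to print and keep."""
    return ["".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
            for _ in range(count)]


def _digest(code, salt):
    # Store only a keyed hash, so a leaked store does not reveal usable codes.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


class RecoveryCodeStore:
    """Server-side record of which codes are still unused."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self._unused = [_digest(c, self.salt) for c in codes]

    def redeem(self, candidate):
        """Accept a code once; a second presentation of the same code fails."""
        wanted = _digest(candidate.strip().lower(), self.salt)
        for i, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, wanted):
                del self._unused[i]   # consumed: this is what makes it non-reusable
                return True
        return False

    def remaining(self):
        return len(self._unused)


if __name__ == "__main__":
    sheet = generate_codes()
    print("print and keep these:", sheet)
    store = RecoveryCodeStore(sheet)
    print(store.redeem(sheet[0]), store.redeem(sheet[0]), store.remaining())
```

A reusable password would return True on both calls; here the second presentation of the same code is rejected, which is the property the answer is describing.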


Best answer: Regardless most repeatable services are going to allow multiple versions of a recovery mechanism. You should definitely use more than one scheme.
posted by mmascolino at 4:48 PM on February 19, 2023


Best answer: I have noticed a change with lost password protocols. The old way was that, once prompted, the site sent an email containing a link to a new page where a new password could be entered. The new way is to send an email or text containing a code number that has to be taken back to the original page.
posted by SemiSalt at 6:21 PM on February 19, 2023


Response by poster: Thank you all.
I'm all rereading the answers.
1) How do you make an account independent of other accounts or tel number? What if the alternate email gets hacked?
2) What do "repeatable" or "reusable" mean?
posted by amfgf at 5:52 PM on February 21, 2023


I believe mmascolino meant 'reputable'.

When I said 'reusable' about passwords I meant that the same password will work again, even if it's in the hands of someone else.

I think you understand that there are two categories of login or recovery mechanism, one which relies on another service (a text message to your phone account, an email) to log in, and ones which don't. If it's dependent on another service it's pretty much compromised if the other service is compromised. Ultimately, then, it comes down to whether that service is secure, so somewhere you need a service that is independent of any other service.

The non-dependent mechanisms I've seen ultimately still require you to secure something else, but it's more likely to be a physical thing.

The ones that come to mind are

- time based one time password generators ('TOTP'); this runs on a device so make sure that device is secure, but note that that device doesn't have to talk to the internet to do its job

- yubikeys - it has information on it that you can use to login but that can't be extracted; don't lose it. In a similar vein, the little keypads that banks used to give you where you typed in a challenge and it made up a response code

- one time password sheets - don't lose them or let anyone else see them.

And you can't always make one account independent of others. Not every service supports a method for that. I would start by setting up your email with strong security so that it doesn't get hacked, and then you can worry less about using that email account for password recovery of other accounts where there is no alternative.
posted by How much is that froggie in the window at 8:56 AM on February 23, 2023


Response by poster: Ok. Very interesting. A lot to absorb. Thank you all again.

.
posted by amfgf at 6:00 PM on February 24, 2023

