gmail security is a joke

[akumar at anilkumar.com (Anil Kumar)]

> On May 27, 2015, at 8:09 AM, Harald Koch <chk at pobox.com> wrote:
> 
> On 26 May 2015 at 11:32, Alex Brooks <askoorb+nanog at gmail.com> wrote:
> 
>> 
>> Can you not set account recory options which change the way password
>> reset requests are handled.
>> https://support.google.com/accounts/answer/183723 Gives some guidance?
>> 
>> Alex
>> 
> 
> Unfortunately, setting these options does not disable the separate "account
> recovery form" listed at the bottom of the page, and it is this form that
> allows you to login with any previous password and to bypass 2-factor auth.
> 
> I must admit I was surprised by this when I tried it just now. I guess it's
> time to rethink using Google as a primary account...



According to this page, the 2-factor authentication does kick in when you 
finally try to reset the password.

http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature <http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature>

?? I was presented with an emailed link to a reset page. When I clicked 
that link, since I have two-step verification set up, I was presented 
with a demand for a number provided by the Google Authenticator 
app on my phone. I provided that number and only then was I allowed 
to reset the password.?

AK
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3575 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20150527/b871e0ef/attachment.bin>