Paranoia about online security is rife. But when safeguards are put in place, it helps to scope out how people might use them first.
I was roaming today on a public network and, because I’m reasonably security-minded, was using a VPN on the laptop. I’d picked Germany as my host nation as it’s reasonably nearby. Thus, as far as any websites I visited were concerned, my encrypted traffic came from a server in that country.
And that’s where the trouble began.
I wanted to access my gmail account. So I spun it up and logged in, to be greeted with the dreaded Suspicious Activity splash page. Google, among others, have taken it upon themselves to add this so-called security feature that lets me know any time my account is accessed from a location I don’t “usually” log in from. The problem is that, at their discretion, they can lock me out of my account until I enter a verification code to prove it’s me.
There are a variety of ways to satisfy Googlesville, the primary ones of which are:
- A code sent to my phone. No thanks. I don’t want Google having my mobile number and two-factor authentication is NOT necessarily security.
- An email sent to my “alternate address” that I set up at account creation time.
Brilliant, option two it is. click. Now I just need to log in to my hotmail account to retrieve the code and unloc… uh-oh:
Help us protect your account: We’ve detected something unusual about this sign-in. For example, you might be signing in from a new location, device or app.
Screeeeeeech. So in order to retrieve my code I need to verify my identity in Hotmail too. Great. The same two options are available and I choose to have the code sent to my alternate email address. That’s one of my throw-away email forwarders. And no prizes for guessing where that mail address forwards to:
(Incidentally, and stupidly: I know I shouldn’t daisy-chain accounts, but at the time of this event that’s what I did. I have since changed that.)
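The loop described above can be checked for before it bites. The following is an added illustration, not code from the original post or from either provider: the account names and recovery channels are constructed, and it simply asks which accounts still have a way to receive a code once every provider is showing a suspicious-sign-in prompt.

```python
# Added example (not from the original post): model which accounts can still be
# recovered when every provider demands a verification code, and detect the
# daisy-chain loop described above. Account names and channels are constructed.

# Constructed sample: each account maps to the channels it can send a code to.
RECOVERY = {
    "gmail": ["hotmail"],        # alternate address chosen at account creation
    "hotmail": ["forwarder"],    # code sent to a throw-away forwarder
    "forwarder": ["gmail"],      # ...which delivers straight back to gmail
}

# Channels that do not require logging in to another challenged account.
INDEPENDENT = {"phone", "backup_codes", "security_key"}


def can_recover(account, recovery, independent, challenged, _visiting=None):
    """True if `account` can obtain a code while every account in `challenged`
    is showing a suspicious-activity prompt. Accounts not in `challenged` are
    assumed to be directly accessible (e.g. after switching the VPN off)."""
    if _visiting is None:
        _visiting = set()
    if account in _visiting:
        return False                      # back at an account we are already waiting on
    _visiting.add(account)
    try:
        for channel in recovery.get(account, []):
            if channel in independent:
                return True               # code arrives without another login
            if channel not in challenged:
                return True               # that mailbox opens without a challenge
            if can_recover(channel, recovery, independent, challenged, _visiting):
                return True
        return False
    finally:
        _visiting.discard(account)


def stranded_accounts(recovery, independent, challenged=None):
    """Accounts with no way out of the loop under the given challenge set."""
    if challenged is None:
        challenged = set(recovery)        # worst case: every provider is suspicious
    return sorted(a for a in recovery
                  if not can_recover(a, recovery, independent, challenged))


if __name__ == "__main__":
    print("VPN on, everything challenged:", stranded_accounts(RECOVERY, INDEPENDENT))
    fixed = dict(RECOVERY, forwarder=["phone"])   # break the chain with an independent channel
    print("After breaking the chain:", stranded_accounts(fixed, INDEPENDENT))
```

Any recovery chain that contains no independent channel (a phone, printed backup codes, a hardware key) will show up as stranded; adding one anywhere in the cycle frees every account in it.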
With the very real prospect of being caught in a recursive loop, I swore profusely at both companies’ approach to security and switched off the VPN, after which I was permitted to log into one of the services. But not the other, because it deemed my roamed location in the UK was “not normal”. Of course it’s not normal: I’m on the move! You know, mobile. Like everyone else.
Fortunately I was in a position to be able to break the cycle, but if I were in a foreign city for the first time, how would I access my account? Unless I can pre-approve the location or happen to have a VPN endpoint in my home city that I can use to fake where I am in the world, thus pretending I’m back home in my trusted location, I’m out of luck. It’s not like I would even be able to admit defeat and set up 2FA while on the move, because I can’t prove my identity to access the account. That kind of thing needs to be done from my “safe” house. Aaaargh!
This whole debacle can be avoided. Allow me to temporarily turn off the location-based detection service before I go and let me log in from wherever the hell I like, or let me nominate that I’ll be roaming in advance and say where so it doesn’t look “suspicious”. Google and Microsoft et al: please spend your countless millions on improving my experience and educating people in the art of using excellent, secure passwords instead of pandering to stupidity with half-baked solutions.