💾 Archived View for asquare.srht.site › gemlog › locked_out.gmi captured on 2024-12-17 at 10:34:20. Gemini links have been rewritten to link to archived content
In the beginning, there were passwords. To log into your various online accounts you had to demonstrate that you remembered their corresponding passwords. If you forgot the password, you got locked out. This was a tractable problem that you could solve unilaterally: keep multiple redundant copies of your "password manager" database, so that you're unlikely to lose all of them at the same time.
For reasons that I won't get into, eventually the gatekeepers who set the terms of how the login process works decided that passwords aren't good enough anymore, and started demanding in addition that on every login you type in a one-time code sent to your email address. This means that whichever evil megacorporation manages your email gets to interpose itself between you and every single one of your online accounts, giving it the power to unilaterally cut you off even from services that it ostensibly doesn't own.
"Don't get banned from GMail" is an intractable problem. The bots that wield the banhammer are notoriously fickle, inscrutable by design, and too obstinate to ever reverse a decision to ban.
https://pluralistic.net/2024/07/22/degoogled/#kafka-as-a-service
https://pluralistic.net/2022/08/22/allopathic-risk/#snitches-get-stitches
https://www.eff.org/deeplinks/2021/08/utilities-governed-empires
But recently, the "2-Factor Authentication" situation has started to improve. More and more online services now give you the option to use TOTP instead of email as your "2nd factor". And just like traditional passwords, you can save TOTP tokens to an "authenticator" database ("authenticator" is gen-Z lingo for "password manager") and make multiple redundant offline backups. TOTP lets you log in to things without exposing yourself to a megacorporation-in-the-middle (MitM) attack.
A word of warning: do not use Google's authenticator app. Instead of saving your stored credentials to an offline database gated by access to a physical device, it'll save them to an online database gated behind a Google account login, thereby nullifying the main advantage of TOTP over email. To add insult to injury, Google's authenticator does not allow you to export the credential database to a file in order to make backups.
... You'd think that "assume that tools provided by the enemy are compromised and don't rely on them to protect you from that same enemy" is so obvious that you don't need to mention it, but no. To my great shame, I actually told a normie friend of mine to install Google authenticator, because I was too lazy to walk her through the process of installing F-Droid and FreeOTP. A few months later, two TOTP tokens were lost due to a Google hiccup. I wrote this post partly to atone for my sin.