I ask inspired by experiences with Google. Google/YouTube, for as long as I can remember, always had a strange habit of assuming absolutely anyone even near to you is you. Back when I had my first YouTube account (which was also back when I was in a completely different part of the world), for the last few years of having it, it had my sister’s channel listed under “alternate accounts” and it wouldn’t even ask me for the password to log into her account, I could simply click over to it like it was nothing (led to a lot of sister rivalry moments). Of note, on a less severe scale, something akin to this mindset is also credited to leading me to witnessing a documented and verifiable triple banning of cherished accounts, how lovely.

So yeah, my first curious hypothetical question I have of the year. How common/normal would this stance be on the net, with something like 2FA where it could mean the difference between data and makeshift DNA (secondary question, does it actually work as well as touted years ago)?

  • rdyoung@lemmy.world
    link
    fedilink
    arrow-up
    13
    ·
    10 months ago

    If it doesn’t ask you to verify the number by entering a code that it texts you, it’s not true 2fa.

    As for your sister’s account. Are you sure it was her account and not you just viewing her channel? If you were actually logged in to her account it stuck around because sites store credentials via cookies it’s not unheard of to be able to access previously logged in accounts for a very very long time even after moving across the globe.

    And what the fuck do mean by “makeshift DNA”? Unless you meant makeshift 2fa which is still confusing as a term.

    • Call me Lenny/Leni@lemm.eeOP
      link
      fedilink
      English
      arrow-up
      3
      arrow-down
      1
      ·
      10 months ago

      That’s what I mean, we had a family computer way back then and YouTube assumed once and remembered its assumption forever. By “makeshift DNA” I mean a set-in-place identifier. I never said it was true two factor authentication if it didn’t text someone, I was asking if, when you choose to be texted, if it’s normal to assume the number chosen to be texted on is property of the person setting it up, versus, for example, a family member lending a number to use. I for one don’t even have a phone number right now.

      • Mamertine@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        10 months ago

        It uses whatever phone number you gave it when you created the account. They do not guess what phone number you might have.

      • rdyoung@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        10 months ago

        Numbers can belong to anyone and yes, they do “assume” that the number you enter is at the least accessible by you. It would make no sense for you to make up a number or give them a relative or friends number especially for 2fa.

        Why don’t you have a phone number? You can get a cheap prepaid phone and if you don’t want to pay for cell service you can import that number to Google Voice or other services like textnow, you could even go straight to textnow and get a free number from them. I have one that I pay like $5/year for them to hold on to just in case I feel like I need it.

        • Call me Lenny/Leni@lemm.eeOP
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          10 months ago

          You mean a burner phone, right? Those are good for verification but not if you regularly need something to log in with.

          • rdyoung@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            10 months ago

            Which is why I said you could port that number elsewhere. Google Voice, textnow, etc.

            I personally have at least 5 numbers.

            1. GV that was ported from tmo a good 15+ years ago

            2. My direct personal line

            3. My direct business line

            4)My GV business line

            1. My textnow number that I am just sitting on.

            2. I’m going to set up a family number attached to our family email.

  • Bitrot@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    9
    ·
    edit-2
    10 months ago

    If it was a family computer it sounds more like she had signed in too. YouTube and Google support multiple accounts being signed in at once and have for years, with an account picker (Instagram does too, on the mobile app). Assuming it was you only due to location or IP would be a huge and highly publicized security lapse, think of college, workplace, coffee shop. The deviantart thing is because they had the same IP address, that has long been a way of checking for ban evasion or banning people in the first place. Spillover to other people in the household is expected and accepted when designing it that way.

    If you were using a phone number, which is generally the worst form of 2FA, they could potentially correlate that the accounts are at least related. Most sites wouldn’t, but places like Google or Facebook might. Other forms like TOTP or passkeys should not.

    • LemmyKnowsBest@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      10 months ago

      Why do you say telephone 2FA is the worst method? Seems pretty secure to me if each person has their own phone that no one else has access to.

      Except for OP who doesn’t have a phone, But that’s another mystery and I honestly don’t understand how or even IF YouTube thinks that she and her sister are the same person 🤷🏻‍♀️🤔

  • sylver_dragon@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    10 months ago

    Wow, ok hopefully I am unpacking this question correctly. But let’s start with the question from the title.
    Does Google et al. assume it’s your number or just a number you have access to? It’s the former. Google assumes you are entering your number. If you put in a communal number, that’s on you for screwing up the base assumption underpinning SMS as a second factor for authentication. When working with a factor which is supposed to be “something you have” it needs to be something that you control. Think of it like the keys to your home. If you aren’t the only person with a copy of that key, then that lock does not provide security for your home against others with the key.

    As for the “DNA” question. I’m going to guess this is about websites “remembering” you for login purposes. The way this usually works is that, after the first login, the website sets a cookie in your browser. This cookie contains a cryptographic value which is also stored on the web server. When you go back to the site, your browser uses this value with your request for the site. The server then compares it to the stored value. If it matches, you are logged in, without needing to reauthenticate. It’s more complex than just sending the value, but that’s not worth getting into.

    If you have multiple logins “remembered” this way, it may be possible to move to different accounts without the need to reauthenticate. Also, many modern browsers can save passwords for you. This lets the browser auto-fill your credentials for you. It’s universally a bad idea to save your passwords this way, but it could allow you to switch accounts without knowing the passwords.