This repository has been archived by the owner on Nov 25, 2020. It is now read-only.

Add check about disabling phone-based account recovery (NOT SMS-based 2FA) #397

Open
tyler-dot-earth opened this issue Dec 16, 2019 · 0 comments

tyler-dot-earth commented Dec 16, 2019

I was originally turned on to this issue via zooko on Twitter:
https://twitter.com/zooko/status/1138907707346264065

Basically, some services (namely Google) allow you to set up account recovery via phone number. This recovery option is NOT SMS-based 2FA. Enabling phone-based account recovery can circumvent the non-SMS-based 2FA that a user may have on their account.

EXPLICIT STEP TO ENSURE THAT GOOGLE USER DOESN'T HAVE SMS-BASED ACCOUNT RECOVERY:

  1. Make sure that no phone number is shown in the “Ways we can verify it's you” section here: https://myaccount.google.com/security

When disabled, the section should look something like this:

image

EDIT: this might be good near the "Set up a mobile carrier PIN" section.

@tyler-dot-earth changed the title from "Add check for phone-based account recovery (NOT SMS-based 2FA)" to "Add check about disabling phone-based account recovery (NOT SMS-based 2FA)" on Dec 16, 2019