Summary- Google has added a “match the numbers in the app” style 2FA to YouTube. Makes sense- their video monopoly means that for many iOS users like myself it’s the only Google app they’ve got. Except…
1) It’s the default, and there’s no apparent way to change it, or even turn it off. This is annoying- I prefer TOTP since it’s more secure. There’s a Google Prompts section in the 2FA settings, but it says that I don’t have any supported devices. This actually makes sense, because
2) It doesn’t f*king work! Ever since they changed it from “press yes” to “match number”, the screen opens in the YouTube app and then loads forever. Which means I’ve got a spurious notification on my phone, a screen to dismiss next time I open the YouTube app (or several, because for some reason they can stack), and two extra clicks every time I log into Google on a new device.
Actually, I lied earlier- there is one way to disable it, and it’s to DISABLE ALL 2FA, as you can see people doing in that support thread. I honestly don’t blame them, but clearly less 2FA was not the plan of whoever’s idea this was. Speaking of support forums- I don’t think anyone at Google reads them, but they do read HN :))))
Wow, that link is such a great example of Google's "support."
"This channel is for troubleshooting Google devices. It is best to report this with YouTube support for better assistance. [...] I'll be locking this thread after 24 hours."
...just because the initial report contained the keyword 'YouTube', presumably. The reporter clarified the situation, and a different "support" team member comes in and regurgitates the same canned response! On Google's side, why even bother replying at all if that's all you're going to do?
Just an FYI here: Google's community support forums aren't well named as their intended purpose is for users to answer other users' questions. For the community to support each other.
For actual support you need a paid account to reach out to.
You could argue that it's badly named and should just be called Google's community forum instead, which is what it really is.
Have you seen answers.Microsoft.com, the most useless support community on the internet full of „independent advisors“ aka Microsoft simps just sending links to irrelevant documentation?
While we're at it, have you seen the Apple ones? 3 year old threads with 100 messages of people saying 'I have this same issue' and zero response from Apple.
Some examples of the subjects of these threads:
- SD Card readers in original M1 Macbook Pro not working
- Bluetooth headphones balance getting messed up randomly (so old someone created an application to automatically center balance)
- Specific Intel Macbooks crashing after using a Thunderbolt dock exactly twice.
All of them with no response from Apple at all and no fixes in sight.
Very fair replies. I didn't mean to call out Google + fans of Google in particular, but rather "Bigco"s and fans thereof in general.
Out of all of them I guess I'm more disappointed in Apple because they have cultivated this aura of superior UX (so that emphasis on UX should extend to when people have problems).. but then again it's largely just an aura.
Even better is this comment by another support team member:
> I'm chiming in to ensure you've got the answer you're looking for. Feel free to let us know if you have more questions about this.
Totally void of any helpful information or even a remote understanding of the issue. Of course at the time the comment was posted, no useful answer had been given by any support team member.
But to be fair though, the support team did follow up a few months later:
> Thanks all for your patience on this post, and sorry for the confusion. I originally pinned a response by @knewland397 as a helpful workaround for some folks on the thread, but I understand that it didn’t answer the whole question. Happy to shed some light on the situation here!
> Prompts like this are intended to be easier than entering a verification code to log in, and you can receive them from not only the Youtube app, but the Gmail app, Google Photos app, and more. To learn more about prompts and how they help keep your account safe, stop by our Help Center [1].
> To answer your question of why your Nest Community account is impacted, our community uses the same Google Account authentication as the rest of Google services.
> For future reference, our friends over at the Google Account Help Community are best equipped to help you with these types of questions. This forum is meant to host discussion about apps and accounts as they relate to Google Home and Nest.
The help center [1] indeed documents the apps (under the "iPhone and iPad" tab):
> Gmail App, YouTube App YouTube, Google App, Fotos App Fotos, AdWords App or Smart Lock App.
I don’t know if it’s just me, but it seems like for the last couple years the products from the FAANG companies have been rotting on the vine. It seems like all the people that made these have moved on and have a b-team barely making them work.
Google's TOTP is not as good as it could be being HMAC-SHA1 of a symmetric secret and Unix epoch. WebAuthn with a hardware device is less prone to losing and compromising secrets.
I use all 2FAs allowed.
Tangent on passwords. What the world needs is a path to automated, interoperable secret management in 3-4 RFCs:
User-operable, standardized password change REST API that:
0. Sends a session token/nonce
1. Describe the password policy declaratively and precisely, to be validated client-side with boilerplate client code
2. Offer a list of supported PBKDFs and their required and allowed parameter values
3. Includes both client- and server-side PBKDF hashing with minimum values for a given risk type AND adjusted with the "inflationary" Moore's Law costs of tech resources (CPU, GPU, RAM, ASIC, FPGA, QC) over time
---> This would then permit a password manager app to automatically change every password perhaps every day. I'm thinking the future should be like this but use user certificates as a primary AA mechanism and passwords as a break-glass-backup.
GitHub has a similar problem, where the GitHub mobile app can’t be disabled as a 2FA factor. They implemented an option to make other factors as the “default” without the ability to completely disable mobile, and then falsely closed the discussion [1].
If such an insecure factor can’t be disabled, what’s the point in setting up TOTP and / or hardware keys?
The YouTube mobile website is intentionally crippled. For example, the video refuses to play in a video popout, even though the same browser feature works for me on other mobile websites and on desktop YouTube. Personally I just avoid browsing it on mobile as a result, but I could see someone being convinced to install the app.
On iOS, installing vinegar sorts this. You get video pop outs and no ads to boot. It’s much better than the app and seems to give longer battery life (hardware acceleration?)
It breaks integration with the YouTube app, and it's a bit of a maintenance keeping up with the latest version, whether to use youtube-dl or yt-dlp or another fork, etc.
I paid $1.99 for Vinegar and on my iPad (and Mac) I get ad blocking, videos playing in the background, etc. It can be a little clunky because autoplay of the next video doesn't seem to work and there are times I'd like to use a music playlist. It's probably my fault but a quick glance at settings didn't resolve it.
I use the web one exclusively. Other than the video pop out feature missing and once in a while scrolling bugs on shorts, it actually works perfectly fine.
I refuse to use the YouTube app because they disabled playing in the background or with the screen locked. They want your eyeballs on the screen for the ads. It's so blatant.
The issue described here started happening to me recently: https://www.googlenestcommunity.com/t5/Apps-Account/Why-is-G...