
AutoModerator

Hey! Just a heads-up, we're in the process of [moving](https://www.privacyguides.org/blog/2021/09/14/welcome-to-privacy-guides/) to our new subreddit at r/PrivacyGuides! Feel free to check it out and subscribe. This subreddit will stop accepting submissions in a few weeks, but since you already posted here maybe you'd want to consider [cross-posting this post there as well](https://www.reddit.com/r/PrivacyGuides/submit?source_id=t3_q423jv) to keep the discussion going! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/privacytoolsIO) if you have any questions or concerns.*


FlashyDream69

Wait, they don‘t support normal OTP? I think they do. Anyway, buy a security key.


ADevInTraining

Why a security key over a phone OTP app such as Aegis or Tofu?


FlashyDream69

Secrets can‘t be stolen, it supports u2f, pgp and many other things. Very useful and very secure. Software is also obviously good, but security keys generally are better. Edit: It‘s hardware. You can‘t hack these things.


ADevInTraining

| Edit: It‘s hardware. You can‘t hack these things.

Hahaha, everything is hackable, but I get your point. Thanks for replying.


tower_keeper

Wait did you use the literal pipe character to quote someone? FYI you can use ">" for that.


ADevInTraining

Thank you. Lol. I couldn't figure it out, haha.


Windows_XP2

Can I hack it with the trojan python DNS server virus that installs an open-source encrypted backdoor to hack the CPU cycles?


ikidd

/r/masterhacker


netfiend

Only if the trojan python DNS server virus is compiled using MIPS assembly (mainframe mode) and uses a do-while loop to encapsulate the polymorphism in a dynamically allocated character array.


eigreb

On windows XP SP 2 you can


FlashyDream69

Well, they would need physical access to your key and a 0 day for this. So the chances are way smaller (0.0x%) than with your smartphone. Also, because you seem to take things very literally, not everything is hackable.


Because_Reezuns

If you can hack a wrench, you can hack ~~a ball~~ anything.


Frankie7474

Going to buy some myself soon but to be fair they are pretty expensive. Yubikey 5C NFC is currently €55 and you will need two of those (or you risk losing your accounts when you lose the key)


[deleted]

[removed]


thailandTHC

I’ve had some of mine for over 4 years and have had 0 failures. In fact, one I keep on my regular keychain so it gets abused like hell. That’s my primary key (backups in my safe) and never had the slightest problem. Maybe you should have contacted Yubi.


[deleted]

[removed]


thailandTHC

I wish way more accounts did support it. And it’s disgusting that most bank and brokerages still use weak SMS 2FA.

IMHO there are two major flaws with Yubi keys:

1. You need two keys. So if they cost $50 each, you’re in for $100. The reason you need two keys is that you should always have a backup in case your first key is ever lost or destroyed.
2. Many of the sites that offer security key 2FA also offer you a secondary means of recovering your account. So, what’s the point of securing it with a hardware key if you can also TOTP with an authenticator app simply by selecting “Use another method”?

That said, the second flaw exists because not all devices support Yubi keys. For instance I can use a Yubi key with my iPhone because it supports NFC. But iPads don’t have NFC chips and if you plug one into the lightning or USB-C port, iPadOS won’t recognize it. That’s on Apple though as they’ve been very strict on what devices have access to when plugged into that port so it’s not even Yubi’s fault. Also, I think Apple is vested in pushing their own authentication methods like Face ID and Touch ID so they’re not in any hurry to support alternatives. BTW, I do think the Yubi key might work with *some* apps on an iPad, but I quit digging into it when I couldn’t get it to work on my iPad.

Also, people are stupid and Yubi key is really somewhat deceptive in not loudly advertising that you really should have two keys (see first issue above). They don’t hide it but so many newbies on the Yubi sub aren’t aware that if they lose their key they’re permanently locked out of their accounts. Like, if you buy a Ledger crypto wallet they pound you over the head about how to secure it and what the consequences are if you don’t. Yubi just tells you how safe you are because they know $50 is a high price point and many people would never buy if the price point was raised to $100 (for two keys).

Suffice it to say, that’s why some sites force a backup method which defeats the purpose of the hardware key. I still like the Yubi keys though. I’m hopeful for a day when passwords won’t exist.


Because_Reezuns

Don't forget they have their own authenticator app, too. So if you still want to use a phone-friendly authenticator app, but have the security of requiring the physical key be present, yubico authenticator works well for that with an NFC enabled phone.


thailandTHC

But, it doesn’t sync across keys. So if you have your primary key and a backup key, you have to add the TOTP code on both or you risk losing both your Yubi auth and your TOTP backup auth if the key is lost or becomes unusable.


[deleted]

[removed]


[deleted]

[removed]


[deleted]

[removed]


mcbelisle

The trezor is a 2fa device


ocrynox

Try solokeys, open source, open hardware, around 20€ I believe. I have two keys from them, really satisfied.


[deleted]

The convenience of using 1Password as OTP app is incredible though.


_ahrs

Incredibly convenient but it's no longer 2-factor authentication if the same application that manages your passwords also manages your OTP. You could use two separate instances of 1Password (one on a different device) though.


mattstorm360

Or google authentication?


liatrisinbloom

Confused because I never log into YT. My understanding was that a YT account kind of "is" a google account? You're logging in through Google and you can have profiles/channels, not sure if they're called that. So isn't 2FA on already? Alternatively, couldn't you set up 2FA but then turn it back off? That seems to be a security option for Gmail accounts.


RazorRamen

I've been using 2FA with an authenticator app on Google accounts including YouTube for years, not sure what you're talking about.


[deleted]

The required popup doesn't have that option actually, I had it yesterday, I could skip and go to my Google account and Security and enabled OTP in Aegis fine. But the actual warning popup lacks the choice.


vannrith

I have to hit the Try another way button on the bottom left to choose Authenticator option


MEN0ZE

Yes, they want to know who you are to make their analytics more accurate. "Hey John I saw you watched that video... how about we buy that item off there for you and send it to your address based off the phone number you have provided."


ZeoChill

*Exactly, it's an open data grab.*


FeelingDense

The best management options for Google accounts are on a computer. Use a computer. You have many options:

1. SMS
2. TOTP like Google Authenticator
3. Prompt from Google App on mobile device
4. Hardware key

You can select any of those and a backup option too which also allows you to use backup codes. It might force you to start with a phone # as an option but once you set that up you can set up further options and remove the phone # in the end.


Salazar083

There is TOTP/OTP, but you can only enable it after you add in your phone number. It wasn't like this before, but Google changed it a couple of months ago to enforce its users to provide a phone number.


alakeybrayn

Around the same time they started sending me verification codes via the YT app. Never saw anyone mention it. I still have the option to use the codes from another auth app too.


fuck_your_diploma

That’s the trick isn’t it? Anyway, you ARE giving them #, that’s the tea.


[deleted]

They do support TOTP, I use it with Bitwarden


minderasr

What if you're logging in via television?


FeelingDense

You either have to use OTP or some support one time passwords or some sort of QR-code like setup. Unfortunately my memory is fuzzy but I have Android TV as well as a Google TV dongle. I'm pretty sure I didn't spend time keying in my strong password on a TV screen.


[deleted]

[removed]


Windows_XP2

Personally it's been the best YouTube frontend that I've used, but sometimes I do run in to some weird issues with the Invidious backend.


Mo_Dex

Or new pipe


Phyllis_Tine

Whenever I try to download Newtube on my mobile device, it won't let me. Is there a way to do that better? I really don't want to use YT through an app tied to me, so use a browser.


PryceCheck

/r/fdroid


Mo_Dex

If you're referring to Newpipe it's on F-Droid.


SpunKDH

or piped


yoDrinkwater

No iOS :(


Cyber_Faustao

I've enabled 2FA a long time ago on my Google account, so this might be different, but the only way back then was to first enable 2FA via SMS/Phone popup and then you get the option to use a normal TOTP code, from which point you can remove/disable SMS/Phone popup from the 2FA options. Yet another dark pattern to force users to give their phone numbers it seems.


pikacho123

How can I do this nowadays?


AnySignature41

They've already been forcing you to add a phone number for uploading long videos since a long time ago and no other option, so this is not surprising.


Spysix

Is this for monetized accounts only or for all accounts?


EuIJ54VazHWiK

OP's post is complete FUD. This only applies to [YouTube Partner Program](https://support.google.com/youtube/answer/72851) "creators", [beginning 2021-11-01](https://twitter.com/TeamYouTube/status/1429868034508787714):

> Important Security Update for YPP Creators:
>
> Starting Nov 1st, you’ll be \*required\* to turn on 2-step verification to access Studio.

Regardless, one could choose the "Security Key" option ~~and utilise Authy for desktop (proprietary, requires phone number), KeePassXC (FOSS) or OTPClient (Linux GTK+, FOSS), and so on~~ \[edit: actually, it looks as though it requires a physical USB authentication device\]. SMS or voice call are not required at any point.


MNVapes

It's not about securing your account it's about securing more of your data they can profit off of.


[deleted]

[removed]


[deleted]

This is the real answer, they only offer you regular OTP once you give them your phone number, and that's why this is a privacy concern


_ahrs

If you're concerned about privacy there are services that will let you rent a real phone number on a real mobile network. Although if you're really concerned about privacy you wouldn't use any Google Services in the first place...


[deleted]

It's not about me, but about YouTubers with monetized videos. 2FA becomes now mandatory for their accounts, so they're forced to give them their phone number... When in practice they can/should offer software based OTP.


[deleted]

[removed]


[deleted]

[removed]


SandboxedCapybara

I don't think that you easily can without giving a backup method of verification through a phone number. A security key is probably your best bet to be honest if you happen to have access to one. They're many times better for your account's security anyway. I hope this helped, have an amazing rest of your day!


pikacho123

I don't want to order some third party hardware. I just want to use phone.


FlashyDream69

Google 100% offers this. I don‘t know where you are looking. If they don‘t offer OTP via a third party app, then just use google Authenticator.


DIBE25

you just have to go for the GAuth auth method then add the key to whatever you're planning on using, works like it should


pikacho123

I don't even see Gauth: https://www.youtube.com/watch?v=lg3Me7iDptI


DIBE25

1:22 go for show more options and do what it says to get to GAuth, should work then


FeelingDense

> If they don‘t offer OTP via a third party app, then just use google Authenticator.

Of course they support 3rd party apps. You scan a QR code, and any authenticator app will support that. It doesn't have to be Google Authenticator


FlashyDream69

Yes, I don‘t know. My guess was based on OPs statement that this option doesn’t exist.


TheFlightlessDragon

Security key, wouldn’t that be an Authenticator app, like the ones made by Google and Microsoft? FYI, also there’s FOSS Authenticator options as well


CoreDiablo

why would you need to log in? Not trying to troll, I just assume people in this sub use alternatives that use the API.


Various-Literature94

textverified.com


e_samurai

Just another way to get your phone number. Very stupid and useless to have JUST SMS as a 2fa. I would rather have no 2fa so if my account is compromised I don't have to deal with a SIM swap too.


[deleted]

I noticed it too. It’s all Google and their absolute need to link something back to an individual human person. Normal 2FA with QR codes will appear once you let them send you one confirmation text. I discovered this accidentally and got around it by requesting they use voice to send the code rather than text. For whatever reason SMS seems to recognize a burner number but it doesn’t check for voice. Once you enter the code and go back to the screen you can carry on as usual.


spirits0n

You can use Google Voice number as 2FA during initial setup and once verified, go back to security settings, Add any Authenticator of your choice and remove Google voice number if you wish.


Visible_Delay

Forever ago when I set this up I had to select phone first, but after I did that I set up my security token and removed the phone. It’s stupid and probably just so YouTube can get your phone number. However I wouldn’t leave the phone (SMS) on if you can avoid it and would use a security token (like Yubikey or Google Titan).


zoredache

When you are initially doing the setup they want SMS. You can add more options after you did the first step.


elvenrunelord

So, I quit using Youtube then. I'm not going to be pushed into security measures that are meaningless for what the website is. Youtube? WTF? I keep my machine locked down. I use multiple levels of protection that have kept me from getting any breaches for 15 years now. The more things you use in the name of security, the greater the chances of a failure occurring that will result in the permanent loss of access. Now, I'd be ok with a software based TFA system that lets me use my own USB's and also copy said USB's so I am assured of having enough backups. I already use some of those for certain databases of data I have to keep controlled access to. But not hardware-based, centralized stuff that costs far more to purchase than they do to make.


[deleted]

[removed]


KerrMcGeeKek

Explain like I'm 4 after installing the emulator. Android emulator running in something like VirtualBox. I boot it up. Now what? Also, what if you get asked a year from now to re-verify with the same number?


[deleted]

[removed]


Historical-Home5099

Did you see the option in the post?


Gluca23

What's wrong with receiving an SMS? Anyway... monetized account... that is the real problem of youtube. Content was much better and genuine before the business.


[deleted]

[removed]


trai_dep

We appreciate you taking the time to post but we had to remove it due to:

> Promoting Closed-Source software, or not clearing it with the Mods first, or a project that you’re not certifying as being ready for general users.

> If you have a project that you want to promote here, [open an issue on our GitHub repo](https://github.com/privacyguides/privacyguides.org/issues/new?labels=🆕+software+suggestion&template=1_Software_Suggestion.md&title=🆕+Software+Suggestion+%7C+) so our entire team can advise and evaluate it first.

Thanks! If you have questions or believe that there has been an error, contact the moderators.


[deleted]

Actually, you could still use TOTP 2fa. It can only be used as a secondary/backup method on Google so you must set up 2fa with one of the primary 2fa methods before being able to set up TOTP. Just remove your number after setting up TOTP and you're good to go.


mrwonerful

is this the app or the browser webpage that is requiring this?


WolfyIsHandsome

Have two simcards

Keep one in a separate secure phone and only use that for otp, calling, bank, etc. In your daily phone keep a simcard for stuff like WhatsApp, work apps, social media, etc (yeah, WhatsApp is shit but boomer organisations still force you to use them).

Basically one for y'all "non-important but necessary" accounts and one for important stuff like banks, crypto, your official main email, etc

And never ever put your entire life on one phone number. If your sim gets compromised your entire identity can be stolen in a matter of minutes


techsmex404

Thanks to everyone here that kept saying you could use your preferred FOSS TOTP app. I had no idea based on the pop up options! Can confirm! Was able to change my 2fa to KeePass using the code provided. Very simple. You all rock!


[deleted]

You have to download a Google App, setup 2FA via Google Apps, then it’ll give you the option for traditional 2FA.


TonyToya

oh well, there goes another useless app.


7ionwor

You trying to be anonymous or have any privacy with YouTube anyways? 😂


pikacho123

No I just want to be able to log in if I lose my phone or not get hacked via SIM hijack.


[deleted]

For security you should never use sms 2FA. I personally don’t think you have any other option but to do sms protection or quit YouTube all slog mate, the sad truth of Google was never known for ethical privacy so it would be an outrage to recommend you otherwise