I ask inspired by experiences with Google. Google/YouTube, for as long as I can remember, always had a strange habit of assuming absolutely anyone even near to you is you. Back when I had my first YouTube account (which was also back when I was in a completely different part of the world), for the last few years of having it, it had my sister’s channel listed under “alternate accounts” and it wouldn’t even ask me for the password to log into her account, I could simply click over to it like it was nothing (led to a lot of sister rivalry moments). Of note, on a less severe scale, something akin to this mindset is also credited to leading me to witnessing a documented and verifiable triple banning of cherished accounts, how lovely.
So yeah, my first curious hypothetical question I have of the year. How common/normal would this stance be on the net, with something like 2FA where it could mean the difference between data and makeshift DNA (secondary question, does it actually work as well as touted years ago)?
If it doesn’t ask you to verify the number by entering a code that it texts you, it’s not true 2fa.
As for your sister’s account. Are you sure it was her account and not you just viewing her channel? If you were actually logged in to her account, it stuck around because sites store credentials via cookies; it’s not unheard of to be able to access previously logged in accounts for a very very long time even after moving across the globe.
And what the fuck do you mean by “makeshift DNA”? Unless you meant makeshift 2fa, which is still confusing as a term.
That’s what I mean, we had a family computer way back then and YouTube assumed once and remembered its assumption forever. By “makeshift DNA” I mean a set-in-place identifier. I never said it was true two factor authentication if it didn’t text someone, I was asking, when you choose to be texted, if it’s normal to assume the number chosen to be texted on is property of the person setting it up, versus, for example, a family member lending a number to use. I for one don’t even have a phone number right now.
It uses whatever phone number you gave it when you created the account. They do not guess what phone number you might have.
Numbers can belong to anyone and yes, they do “assume” that the number you enter is at the least accessible by you. It would make no sense for you to make up a number or give them a relative or friend’s number especially for 2fa.
Why don’t you have a phone number? You can get a cheap prepaid phone and if you don’t want to pay for cell service you can import that number to Google Voice or other services like textnow, you could even go straight to textnow and get a free number from them. I have one that I pay like $5/year for them to hold on to just in case I feel like I need it.
You mean a burner phone, right? Those are good for verification but not if you regularly need something to log in with.
Which is why I said you could port that number elsewhere. Google Voice, textnow, etc.
I personally have at least 5 numbers.
1) GV that was ported from tmo a good 15+ years ago
2) My direct personal line
3) My direct business line
4) My GV business line
5) My textnow number that I am just sitting on.
6) I’m going to set up a family number attached to our family email.
If it was a family computer it sounds more like she had signed in too. YouTube and Google support multiple accounts being signed in at once and have for years, with an account picker (Instagram does too, on the mobile app). Assuming it was you only due to location or IP would be a huge and highly publicized security lapse, think of college, workplace, coffee shop. The deviantart thing is because they had the same IP address, that has long been a way of checking for ban evasion or banning people in the first place. Spillover to other people in the household is expected and accepted when designing it that way.
If you were using a phone number, which is generally the worst form of 2FA, they could potentially correlate that the accounts are at least related. Most sites wouldn’t, but places like Google or Facebook might. Other forms like TOTP or passkeys should not.
Why do you say telephone 2FA is the worst method? Seems pretty secure to me if each person has their own phone that no one else has access to.
Except for OP, who doesn’t have a phone. But that’s another mystery and I honestly don’t understand how or even IF YouTube thinks that she and her sister are the same person 🤷🏻‍♀️🤔
Wow, ok hopefully I am unpacking this question correctly. But let’s start with the question from the title.
Does Google et al. assume it’s your number or just a number you have access to? It’s the former. Google assumes you are entering your number. If you put in a communal number, that’s on you for screwing up the base assumption underpinning SMS as a second factor for authentication. When working with a factor which is supposed to be “something you have” it needs to be something that you control. Think of it like the keys to your home. If you aren’t the only person with a copy of that key, then that lock does not provide security for your home against others with the key.
As for the “DNA” question. I’m going to guess this is about websites “remembering” you for login purposes. The way this usually works is that, after the first login, the website sets a cookie in your browser. This cookie contains a cryptographic value which is also stored on the web server. When you go back to the site, your browser uses this value with your request for the site. The server then compares it to the stored value. If it matches, you are logged in, without needing to reauthenticate. It’s more complex than just sending the value, but that’s not worth getting into.
If you have multiple logins “remembered” this way, it may be possible to move to different accounts without the need to reauthenticate. Also, many modern browsers can save passwords for you. This lets the browser auto-fill your credentials for you. It’s universally a bad idea to save your passwords this way, but it could allow you to switch accounts without knowing the passwords.
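The remembered-login mechanism described in the post above, as an added example that is not part of the original thread and not any site's real code: a shared browser keeps one token per signed-in account, and the server accepts whichever token is presented until it is revoked. All names here (`SESSIONS`, `Browser`, `sibling_a`, `sibling_b`) are hypothetical, and storing only a hash of the token is this example's design choice.

```python
import hashlib
import hmac
import secrets

# Server-side table (constructed for this example): sha256(token) -> account.
# Only the hash is stored, so a leaked table cannot be replayed as cookies.
SESSIONS = {}

def login(account, password_ok):
    """After a successful password check, mint a random token for the cookie."""
    if not password_ok:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = account
    return token

def account_for(token):
    """Return the account a presented cookie value maps to, or None."""
    presented = hashlib.sha256(token.encode()).hexdigest()
    for stored, account in SESSIONS.items():
        if hmac.compare_digest(stored, presented):  # constant-time comparison
            return account
    return None

def logout(token):
    """Revoke the server-side record so the cookie stops working."""
    SESSIONS.pop(hashlib.sha256(token.encode()).hexdigest(), None)

class Browser:
    """One shared browser profile: a cookie jar with one token per account."""
    def __init__(self):
        self.jar = {}

    def sign_in(self, account):
        self.jar[account] = login(account, password_ok=True)

    def switch_to(self, account):
        # No password prompt: the stored token alone is the proof of login.
        token = self.jar.get(account)
        return account_for(token) if token else None

def demo():
    family_pc = Browser()
    family_pc.sign_in("sibling_a")
    family_pc.sign_in("sibling_b")
    switched = family_pc.switch_to("sibling_b")   # succeeds without a password
    logout(family_pc.jar["sibling_b"])            # sibling_b signs out
    after = family_pc.switch_to("sibling_b")      # revoked token is rejected
    other_pc = Browser().switch_to("sibling_b")   # a different browser has no cookie
    return switched, after, other_pc
```

Switching works only from the browser that holds the token and only until the server-side record is revoked, which is why signing out on a shared computer matters more than changing location.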
Some sites and apps tie your account to a phone number (messengers are especially annoying in this regard, you still can’t use Signal without a phone number). Many others accept a bunch of accounts with the same phone number, but there’s usually a limit to make it harder for spam farms to enter a platform.
I don’t believe getting phone banned is common, except for phone oriented platforms like messengers.
As for your Google thing: that’s not the result of your phone number matching, that’s an account thing. Your sister’s YouTube channel is attached to your Google account (probably as a “branded account”). This could’ve happened back during the Google+ days when YouTube did all kinds of weird shit. It’s highly likely that your account and your sister’s YouTube account will get banned together if you can access hers without logging out and entering her password instead. If this is the case, you can transfer a YouTube account to your sister’s Google account, though. Watch out to follow official Google guides on this if you decide to start the process because scammers are known to steal accounts through this transfer process.
Google is particularly nasty when it comes to certain bans. If your account is used to commit sufficient (Google Play) fraud, it becomes infectious. Your personal account will be banned, your professional account will be banned, your employer’s accounts will be flagged, and if you get a new job and don’t create new Google accounts, your new company Google account and employers’ accounts will be flagged as well. This type of ban is normally reserved for ad fraudsters and click farms, it doesn’t happen accidentally, but if it happens to you, you MUST use separate devices, accounts, and preferably internet connections, or the company you work for may run into problems. This approach works well in preventing fraudsters from starting “new” companies when they’re caught, but it’s aggressive as hell.
not even the only time it’s happened - this is such a stupid situation!