Google Tricking Me to Get a Phone Number (2FA)! Why This is Not About Security

SUBTITLES:

Subtitles generated by robot
00:00
Recently I got notified by YouTube that I had to do two-factor authentication by giving them a phone number or I would lose access to my YouTube account, or in fact my entire Google account. Being a major channel here on YouTube, of course that concerned me. But as a privacy evangelist here on YouTube, the last thing I want to do is to associate a phone number with my YouTube account. I discussed a little bit of this in my last live stream, but this video will go a little deeper into understanding their
00:30
motive. There are so many alternatives that can validate my login with two-factor authentication, but not forcing me, just like Facebook, to confirm my identity and address. And I really wondered why they never offered any other reasonable option if they were truly concerned about my security. The fact is, this move has little to do with security but more with eliminating my privacy. Let's talk in detail about why Google, by YouTube, is doing this and
01:03
what it means for them. I'll explain what the effect is of this little rule. It goes beyond the phone number used for two-factor. I'll tell you the game I had to play to comply with the rules and why they will not win. You can learn from what I've done, and you will understand what threat I'm trying to defend against. So stay right there. When you need better search results like those from Google but don't want the Google tracking, check out privacy search engine startpage.com.
01:37
It does not collect or share any of your personal data, so you can search anonymously. My company offers a VPN service, BytzVPN, de-Googled phones, VPN routers. Now we offer email services. These products are made to protect you from big tech and their tricks to profile us. If you're interested in them, they are on my app Brax.Me. The link is in the description. So the question is: is YouTube forcing me to do two-factor authentication with a phone number
02:09
really about providing security to my account? I thought about this, and the conclusion has to be a no, as I will explain here. I think this is not simply about security but about extracting a permanent identity. As I've discussed in many videos, the real big tech secret weapon to tracking each one of us is not really about just watching what we see or do on the internet. I've explained this over and over: until your data is attached to a fixed identity, they can never be certain about
02:40
what you're doing. But we'll get back to this in a big way. First, let's examine the choices for two-factor authentication. What is the purpose of two-factor authentication, at least for security? The purpose is to prevent someone who has stolen your username and password from controlling your account. In the Google case, our username is the Gmail account we used. So in theory, if someone gets a hold of your password, then they can get into your Gmail account, and as a result they can change the password to a new one and lock the
03:12
original owner out. So that's a common scenario it is made to protect against. The reason it is called two-factor authentication is to provide some other means to validate the user identity beyond just the username and password. And the logic here is that two-factor authentication should use a different method other than email, since an attacker would possibly have access to other emails, particularly if a computer was broken into. Most big tech platforms like a Facebook
03:44
rely on the phone number. So to validate a login, a security code is sent via text typically, and then you enter the code and you're acknowledged to be the true user, since you have both the phone and the email under your control. The problem is that platforms like Facebook went hog wild with the phone number. The phone number is a critical identifier to matching your accounts between WhatsApp, Facebook and Instagram, for example. And sadly, the phone number is a piece of data imported by your friends into the
04:15
big tech platforms of Google, Facebook, Microsoft and Apple via the contact list, which shows not just your phone number but your real name, email address and sometimes a home address, depending on how your info was entered into the contact list by your friends. One of the ways I've controlled my appearance in these contact lists is by using an email that I've never given to anyone I know personally, and I never give a phone number if I can help it. At the most, I've used a Google Voice number, which is where I receive
04:46
two-factor authentication codes for platforms like Twitter. My Google Voice was originally set up with a phone number. They required that, so I did. I use a Ting SIM card. I set up a phone number for around nine dollars and then stopped the service, so the phone number is no longer mine and it was a one-time cost. You could then remove the connected phone number on Google Voice. Now, as expected, Google will not use Google Voice as a second factor for authentication, which makes sense since Google Voice is
05:17
attached to the original account email, and thus a hacker with access to the same email will also have access to Google Voice. But it works fine for many other platforms that are not connected to Google. As you know, once you get a real phone number, your identity has to be recorded somehow. It's part of the KYC (know your customer) laws of most countries. Either they know you paid by credit card or they attach the purchase to some other phone number.
05:47
I'm fine with that, since that data is accessible only by government typically. It's not going to be available to some big tech AI. What is available to the AI is the humongous population of uploaded contact lists that have our most common phone numbers on there, and without much effort any platform can easily find your name and email. It's like they're custom phone directories, one per platform. For this reason I hate the idea of
06:17
two-factor authentication with a phone number, and there are alternatives. Let me give you some. You could use an authenticator app like Google Authenticator or a clone called Authy. These apps are time-based one-time passwords. You store a challenge key given by a platform, typically given as a QR code, and then when asked for a code you go to the app to supply one of the computed passwords, which are based on a timestamp. Since the platform and your device know the time and the original key is known to both, then your secure
06:50
identity is guaranteed by code that both parties can compute to be the same. And all you need is any device that can run the authenticator app. As far as I know, this runs on any kind of phone, including the de-Googled phones, which we'll talk about later. The Google Authenticator app itself doesn't have anything on it, just like Authy, but the algorithm to compute the correct code. Now, Google was one of the first to use time-based one-time password authentication with the Google
07:20
Authenticator app, yet they stopped using this. Their own platforms don't allow TOTP as a second factor. Isn't that strange? The next possible method of authentication would be a hardware key. There's a TOTP-based hardware that's based on a standard set by the FIDO Alliance. Companies that use these hardware keys include YubiKey. The logic here is that if you have the physical security hardware with your login and password, then your login can be validated.
07:51
But you will notice that even Google doesn't support these hardware keys directly. I'll get back to that. Instead, they want you to rely primarily on one identifier, and this is your phone. Google actually states this on their security checkup screen: "Your phone's built-in security key is one of the strongest forms of two-step verification. Set it up now to keep your account protected." And that's when I realized that the
08:22
phone number is just a cover. What they really want all of us to do is to rely on our phone, because our phone has a key identifier that will identify everything we do based on that device ID. In fact, Google will accept two-factor authentication via notifications if you have a Google Android, without any hardware security keys, and this is acceptable to them because the device ID is built into Google Android and you cannot alter this. It is a physical
08:53
identifier. A hardware security key would be redundant on a Google Android. Let me explain the implications of this so it's clear. If you're using Google accounts with multiple emails, they will know that all of the accounts are connected because they can read the device ID. If you're logged into different platforms owned by Google with different accounts, they know your exact identity because of the device ID, so you can't cheat with fake names. If you use
09:24
different phone numbers by putting in different SIM cards, or use a dual-SIM phone, they will know the phone numbers anyway because the Google OS can detect the phone numbers, the IMSI, the IMEI, and match it to the device ID. If you went to Twitter and Facebook, they will know you did that, again because it knew what app you launched and your device ID. This, my friends, has been my longtime fear. This is the active use of the device fingerprint. This is the exact problem on a browser. If you're using Chrome on a
09:55
computer, using a browser fingerprint, apps can determine you're the same user without using the same user ID, email or even IP address. It can be derived from the browser identity. So it is clear here that Google is establishing a line in the sand, so to speak. Yes, they will let you use a VPN to hide your IP address. Yes, they will let you use different email addresses and different usernames. Yes, they will let you switch phone numbers. But they will match it all using
10:26
the device fingerprint. Now let me tell you an interesting little story. Since Android 10, apps can no longer get direct access to the device identifiers such as the MAC address, IMSI, IMEI and whatever security chip is hidden in there. In other words, standard apps will not have access to a device fingerprint. This prevents apps like Facebook from stealing that data and using it just like Google. Google, of course, retains access to all
10:57
that even today, because of course the operating system is theirs. But there's a way out to prevent Google from seeing this device fingerprint. The answer is in the use of a de-Googled phone. For those that have watched my de-Googled phone videos, this is clear, but I will repeat it for the newer viewers. The original operating system called Android is open source. It's called the Android Open Source Project, or AOSP. To actually create a commercial Google Android phone, many of the open source
11:29
apps are replaced by Google versions, and these Google versions insert the spyware into the Google Android. If you install just AOSP before it gets Google code, there is no spyware on there. How do we know this to be true? Because it's open source. You can go to source.android.com and actually check out the source code and see if there's any spyware there. It isn't there. Things like geolocation and telemetry with Firebase and device
12:00
fingerprinting are not in AOSP. So a de-Googled phone is a phone reflashed back to its AOSP roots with the Google code non-existent, and thus an AOSP Android cannot have a device fingerprint. That code isn't there, and external apps are not allowed access. Currently this is the safest kind of phone out there that's commercially viable. Now, what does this have to do with two-factor authentication? The most common way to do authentication on Android, phone number aside, is to use
12:32
the Google app on an Android. That Google app can check your device fingerprint. That app cannot be installed on a de-Googled phone. And how fitting that they accept hardware authentication with devices like YubiKey only if you have a Google app for hardware keys, so hardware keys will not work on the de-Googled phones. How convenient, since the Google hardware authenticator goes beyond just getting a one-time password.
13:03
The Google hardware authenticator gets the device fingerprint. Folks, I use a de-Googled phone, so there was no way to install a Google app of any sort, including a Google notification or a Google hardware authenticator. Apparently what they really want is the device fingerprint. The only way I could do this and not use the phone number as a primary identifier was to get a Googled Android. Now just imagine what happens if I switch my daily driver to a Google Android like many of you use.
13:34
Then any activity I do on the phone is recognized as belonging to the same person. Every website I visit, every app I run, every location I go to, every text I receive, every email, everything is visible to Google and matched to the device fingerprint regardless of the name I used. So you know my answer is suck that. I will teach you my very simple strategy that I actually taught you with browser isolation. I'll repeat the lesson here so you remember. On the
14:05
computer I always run three to four browsers simultaneously. On everything related to Google, which includes YouTube, I use Chrome. I'm logged into my Google account, which is my YouTube account, on Chrome. I do everything Google that is logged in on Chrome. Google is watching me, just like the movie Congo where the either watching we are watching you. Well, Google's watching, and this is fine. Because Google is watching, I only use Chrome to do things
14:37
I want Google to see. I have two other browsers. I run Brave to do YouTube, where I've never logged into Google, never. This is isolated and I don't do anything else on Brave. Finally, I have Firefox where I do everything else: Amazon, Twitter, news, whatever else I search for on the internet, it's done on Firefox. Obviously, it goes without saying that I do not use Google search on anything. I use Startpage and DuckDuckGo. Now, because of this isolation, data doesn't cross over from platform to
15:08
platform. Google only knows what I wanted to see on Chrome. That's my primary identity. I never log into Google on any other browser. Because of this, they are not able to watch what is called a browser fingerprint, which connects your activity on one browser. So this technique is called browser isolation. Now I'll teach you my technique to deal with the Google and YouTube overreach on device fingerprinting. I'm implementing a similar concept and I call it device
15:40
isolation. So, similar concept to browser isolation: I have a dedicated Google Android phone with a different SIM card and phone number. This phone is only for things I would do on Chrome, meaning it is intended pretty much just for YouTube two-factor authentication for now. I will never, never, never do anything else on this phone that has nothing to do with YouTube. I will not make calls. I will not have emails other than my normal YouTube email. So Google will not know more
16:10
information than before. All my other activity will be on my de-Googled phone. The de-Googled phone has no device fingerprint, no login to Google, no contact tracing or such code, no geolocation secret code, and it has a different phone number. It has no Google Voice. It is completely isolated. Now, at the moment my Google Android is turned off 99% of the time. It is also not connected to my home Wi-Fi. But maybe I want Google to see me sometimes, and this is like a direct
16:42
disinformation channel, just like my Chrome browser. I control what I want them to see. I control them; they don't control me. I hope you pick something up here for what I'm doing, but importantly I wanted you to understand the why in the techniques I'm using. My Google Android is no big expense, by the way. I'm using ting.com, so it cost like six dollars to maintain a phone number that is hardly used. It's only for texting. I could have used any old Android. I happen to have a nicer Samsung that I couldn't de-Google, but
17:13
it doesn't matter. You could use any old phone that has LTE with voice over LTE so you get phone service. The key takeaway, though, is this: stop the device fingerprint. I'm with the platform odysee.com. I'm now one of the top creators on there, in the top 10 right now. Just in case I get deplatformed, please follow me there using the link in the description. I want to announce that starting in October 2021 my company will be offering email services so you can finally keep your
17:45
email from being read by big tech. This offering will be in two flavors. One is a standard email service on our servers with privacy features; for example, it won't share your IP address when you send an email. And second, we will have a service where we set up your own hardened Linux mail server, which you own, so you have sole access to your inbox. You will find these and can discuss this on my platform Brax.Me. If you enjoyed the video, please click on that subscribe button and hit that
18:16
notification bell. Special thanks to my Patreon supporters. Thank you for watching.