this post was submitted on 09 Jun 2025
515 points (99.2% liked)

Technology
[–] malloc@lemmy.world 21 points 1 day ago (2 children)

Google, Apple, and the rest of big tech are pregnable despite their access to vast amounts of capital and labor resources.

I used to be a big supporter of using their "social sign on" (or, more generally speaking, single sign on) as a federated authentication mechanism. They have access to brilliant engineers, thus I naively thought: "Well, these companies are well funded and security focused. What could go wrong having them handle a critical entry point for services?"

Well, as this position continues to age poorly, many fucking aspects can go wrong!

  1. These authentication services owned by big tech are much more attractive to attack. Finding that one vulnerability in their massive attack vector is difficult, but not impossible.
  2. If you use big tech to authenticate to services, you are now subject to the vague terms of service of big tech. Oh, you forgot to pay your Google store bill because the card on file expired? Now your Google account is locked out and you lose access to hundreds of services that have no direct relation to Google/Apple.
  3. Using third-party auth mechanisms like Google often complicates the relationship between service provider and consumer. Support costs increase because when an 80-year-old forgets their password or 2FA method for their Google account, they will go to the service provider instead of Google to fix it. Then you spend inordinate amounts of time/resources trying to fix the issue. These costs are eventually passed on to the customer in some form or another.

Which is why my new position is for federated authentication protocols, similar to how Lemmy and the fediverse work, but for authentication and authorization.

Having your own IdP won't fix the 3rd issue, but at least it will alleviate the 1st and 2nd concerns.

[–] Paradox@lemdro.id 4 points 20 hours ago

The sad thing is, we had federated auth before social sign on. OpenID was a thing before OAuth.

[–] propitiouspanda@lemmy.cafe 4 points 23 hours ago

They have access to brilliant engineers

Not really.