Gordon Ponders a Silent Concern Over a Single Point of Failure

By BitcoinGordon | BitcoinGordon | 2 Mar 2022


If you live long enough, you learn some valuable lessons, or you don't and you become everybody else's cautionary tale- lol.

Be the first guy, not the latter.

This grand opening to say that you learn from life, that most often it's the thing you don't ever think too much about, that you rely heavily upon, that ends up being the major issue. In this case, a critical point of failure, and that is...

drum roll please...

Google Auth!

I was visiting with my cool crypto-centric family last week, and was scrolling through the impressive laundry list of Google Auth entries I use for my accounts... a LOT of accounts... TOO many accounts. It's about time to take a peek at Google Auth.

Yeah, hopefully this non-news-piece fades off into the abyss with all of the other potential "what ifs" that could keep a person up at night.

I don't know about you, but when I place importance next to trust, Google is not one of my top competing champs. Reliable as a search engine? Yes.

Reliable for freebies like Google sheets, Google docs, Google Gmail? Yes.

Do most of us give enough thought to relying far too heavily on all of the above? I'd say not even close.

I do a lot of freelance work, and this isn't a post about the challenges of getting good work, because that is an entirely different tale.

This is 'that' post where I focus on how we tend to piece together systems that are ironic, often moronic, when you consider just how much we rely on things that perhaps aren't entirely inside the bounds of our ethics.

We care about safety, security, and privacy in the crypto world.

We don't want people getting inside our accounts.

We don't want 'official' entities tracking us, trying to pin us down, trying to dictate our behavior by controlling points of data. We want solid 24/7 access to trading, private wallets, or both. Almost every CEX uses Google Auth for 2FA. Don't know what that is? This may be your first time learning about crypto, then. Two-factor authentication is a means of guaranteeing you are who you say you are when signing in to your account; in this case, on centralized crypto exchanges.

We give thought to whether we use a VPN for trading, whether to store funds in private wallets, custody or on exchanges through periods of heavy trading. But, we sure do a lot of logging in using Google Auth. I'm sure this goes without saying, but an exchange will often use a tiered system, where they allow you to have daily access to more of your funds, aka daily withdrawal limits, based on how much you protect your account, how much data you share with them, and that means how much you are willing to prove that you are you.

This thought piece can equally be categorized as "the things you do that may hurt you" as a friendly sci-fi-style warning, that in order to protect you from you, how much of you do you give them? Yes, that sentence was intentional.

Imagine what a single one-hour blip with Google Auth could do to the financial sector? If you can't get in, you can't do diddly. A single program used for pretty much every financial interaction online for stocks and crypto, and some of us use it every single day. Sure, you can reset it, but you won't be allowed back in for at least 24 hours. Lose your phone? Set up a new Google Auth.

We use a password for email, ironically Google allows the lowest password difficulty of any online service: you can create simpleton 1993-grade email passwords, but you can't get in your financial account without the right number generated once every 60 seconds from Google Auth.

So, what happens if Google has a glitch, losing their connection to the secret key linked to the QR code for all accounts, and millions of people cannot gain access to their funds?

Maybe it wouldn't be as bad as I have it built up in my brain, but I've been thinking about this for a (lot more than a) few months, and just now getting around to writing a piece on it.

Because we lump together freely available tools to make online security easier on ourselves, we accept that "they" have come up with something that increases our safety, but what if they don't have their very best guard up?

One thing that occurs to me, is that if a person's smart phone is stolen, a thief can easily learn a lot about what that person takes part in, I mean really easily, by checking out their Google Auth app. In many, if not most, cases, it names the exchange, or other companies, that the code is for. In many ways, if someone has Google Auth loaded on their phone, it's a first place for a bad guy to check to see where they should sign in. Sure, you may not be able to get in without a password as well, but most likely they're using Gmail, and that's probably already loaded and signed in on their phone as well, right? So, they can easily "forgot password" and have it sent to your email, which is on your phone... where's the safety in that?

Even better, let's say you're across town when you realize you lost your phone. You get on a friend's laptop desperately to log in to your email and other accounts to change your passwords before anything bad can happen, and even if you beat the thief to the address, Google and others will want to protect you from that "strange device detected"... you know, YOU, and your friend's laptop. How would you like to proceed? Have Google send you an sms? Nope, the thief has the phone. Call you with a code to enter? NOPE, the THIEF has the PHONE! Prove that it's you another way? Sure, Okay, what is your connected email account so we can send that account a link to click, on your phone...

I am a BIG researcher of things "they" want to implement, that I am certain are much more of a danger to us than what they are designed to protect us from. We are going to hear more and more about the digitalID and how necessary it is for our security. It is one more layer of freedom they'll be taking from us. Once lost, it is very hard to win it back. Eventually, we will face things much like the people under the CCP and the world of Orwell's 1984, with the thought police and public tracking facial recognition as a regular part of our lives. I'm not a huge fan, how 'bout you? The move will eventually steer us away from smart phones to just... us.

We will be the ID.

But, it is usually those well-plotted single points of failure that help make the case for the next measure to come along. And, the next one after that.

All I'm sayin' is, we have this idea that two layers of protection are better than one. But, we are using quite the parade of inferior security measures to protect an asset that has resolved some of the most complex security measures. We don't really utilize the SHA-256 encryption or Scrypt or whatever else is used for double-direction encryption, to protect the assets that DO have that level of protection.

Our connection is secure, but you use it to type in your password that's probably still your favorite cat's name and your mom's birthday, lol. If Google Auth fails, it could time a serious market correction, or it could jumble our ability to access our accounts, and in the end that recovery process relies on our email, which simply relies on our password. If it's all on the same device, and if that device isn't activated by your face or finger-swipe, a stranger is now running your online world.

But, biometrics can be bad news for all of the same reasons. Sure, it can protect us from someone else gaining access to our stuff, but it is also feeding the data to the very technology that is watching and collecting data all the time. Our geo-location, our communications running through the NSA, text, voice. The more one thinks about it, the more we really should have better independent shells of protection from companies that are solely built around security. Obviously, not John McAfee, but you get the idea, lol.

If we were to have a system, much like 256-bit encryption, that is a security layer built around our online data, that was not human-specific, but security-centric, and came solely from a security-based private entity, responsible for that one aspect of online use, it might be a better scenario than trusting the very group that is building its intelligence business around studying us, while we study the world.

Can you imagine the intricate data Google knows about a person at "X" IP address or VPN'd IP? Sure, the smart ones of the bunch will say they are using the onion network and DuckDuckGo for searches, and I commend you. But, it is becoming industry practice to keep a whitelist and blacklist of VPN addresses used by the popular VPN services, so the only way to use a CEX is to provide the same IP as they expect your computer to have logged.

It's all an interesting combination of things meant to protect us, that can very easily end up being the very thing that compromises our efforts in data security.

Food for thought. Maybe this went somewhere... maybe not. But, like I said. It's been rolling around in my head actually a lot longer than a few months, but that time in particular, it's been pushed to the surface for me. Figured I'd share a little anxiety with the rest of you so you can sleep a little less at night as well! lol

And on that friendly note, Crypto Gordon Freeman, for now... out.
