Introducing SMS verification for new Vivaldi Accounts
-
On a positive note - this should fix the problem where new users were sometimes unable to create a blog because it got caught in the spam filter.
-
This is a thread I opted to follow for seeing if I learn and understand some of the matter.
Regreted. Neither learning nor understanding.
Unique asking: my Viv webmail will remain guaranteed for me? Or menaced? I've just given it to Microsoft for alternative communications, when and if needed. Result: it stays under MS special quarentine (though for 30 days!), with some MS recommendations to undo.
-
@JoaBravo The SMS verification is aimed at new users. For the time being, you are not asked to provide a phone number to log in the webmail (as far as I understand, new users have to provide phone numbers for a one time verification). Is this what you wanted to know?
-
But at the sequence of the multiple posts, there are doubts if it will not extend for the
formerpreexistent users, if, as is very possible, I have not misunderstood., -
@JoaBravo That's why I wrote «for the time being». But some posts are just speculation. It is not said by Vivaldi that there is a plan to introduce, later, SMS verification for all users, as it's (currently) a measure against spammers (according to Vivaldi). That said, who knows? (that's not very helpful, I know). I hope not.
-
@Pathduck said in Introducing SMS verification for new Vivaldi Accounts:
@0001 said in Introducing SMS verification for new Vivaldi Accounts:
due to what the utter incompetence of allowing the implementation
That's kind of harsh, don't you think? Not everyone can be a cYb3r gÜrU you know
A company that offers a browser as their main product needs people who understand security issues (even better than I do). However, even if the people at Vivaldi had no technical skills whatsoever, anyone who has taken as much as a single undergraduate course in marketing should have vetoed this due to the obvious damage it will cause to the Vivaldi "brand" that has emphasized privacy as a feature (and core value of the company, no less). I stand by my statement simply because it seems apparent to me that no one considered the consequences of this policy, and I fear similar shortsightedness in the future.
my field is security research
Well, since you're obviously such an expert on the matter, what would you suggest as an alternative, to get rid of spam from email and on the blogs?
The problem has no easy answer, as every site with a significant number of users struggles with bad actors (Amazon has said that 80 percent of the login attempts on their sites come from people trying to break in). The exact measures I would recommend would require an analysis of data that I don't have access to, but (from reading this thread) it appears that the blogs previously allowed commenting without an account. Obviously, when anonymous comments become a problem, instituting a requirement for registration represents a solid first step (which I agree that Vivaldi needed to do).
-
@0001 So far, the new verification process has not slowed new downloads or new site subscriptions.
-
Many new users are also not interested in having, in addition to one of the best browsers and an access to the forum, also a blog and an email from Vivaldi, without which they can live perfectly, if they don't want to leave the phone number. To use Vivaldi, have sync and full access to the forum, to repeat it, confirmation by SMS is not necessary. But I still think that SMS protection is somewhat obsolete and an obvious privacy hole, especially if this method is provided by an external company and therefore I think it is urgent another anti-spam system for the use of mail and blog. It is therefore a call to the geeks of this community to contribute ideas. Brainstorming time, guys.
-
@iAN-CooG Please don't misrepresent my comments.
- All of the verification methods have their flaws and have been utilized in either data collection schemes, phishing attacks, breaches or malware delivery. Even the popular RSA Fob was breached a few years back
- All of the above are run/manged by "Third Parties" whom I am reluctant to trust if I have no knowledge of them.
- Vivaldi - I trust implicitly. It is those Third parties that are an issue with me. Should Vivaldi decide on one of these Third Party systems I know they have the expertise, have done their research and have made the best decision for their users.
-
Thanks everyone for sharing your input. We understand some of your anger and disappointment and as you know we do everything possible to avoid using 3rd-party services wherever possible. We’re proud to have built this community in-house from the ground up using open source solutions.
With the mail service, unfortunately, very malicious users have been abusing our free service. We hate to see these bad practices in action. Not to mention the resources and people-hours required to keep some sanity. More recently it became so bad that scammers were using our name so we had to put a stop to it. We really wish we didn’t have to do it, but there is good news. Since the implementation of SMS verification the number of spammers, scammers and phishers has decreased massively.
We also wish to host the SMS service ourselves, but at this stage we don’t have the resources to do it and we needed to act fast. Captcha is not enough to counter such users. Some feel that adding 2FA by default is creating a worse experience as users would have to do it every time they want to log in. However we do want to offer it down the road as an option.
We hope this helps you understand our side of the situation. We’ll keep working on improving the services and implementing as many useful features as possible for the community. Thank you again for trusting us and using our services.
-
Sorry, but I have been following this topic for several days and I noticed a few suspicious things:
- Almost everyone who defends SMS verification is affiliated with Vivaldi and has colored labels (green, blue, red). I'm sure you express your own opinion, but for some reasons it looks like an "official party line". Hmm...
- You choose the cons that you can explain and ignore others one. You explained why you use a third-party service, but you ignore users who don't want to share their phone numbers. You explained that new roles works for new users only, but you still ignore people who don't want to share their phone numbers. What if new user don't want to give you a phone number? Say "Goodbye" to your growth (I can not recommend Vivaldi anymore). Do you want a tip? Just add the ability to remove a phone number from the database after verification.
- You did not warn us about your plans. Again! And now you want to discuss this. Why? For what? What will change? Nothing. The time has gone. You should open this discussion before you added forced SMS verification for all new users. That's why even old users are worried: we are afraid that it will be worse, we are sure that SMS verification for all users is a matter of time, we are worried that SMS verification will be changed to 2FA very soon (for "suspicious" users of course) and we are afraid that you will force all of us to use 2FA by SMS (the worst 2FA method), because this is so "private and secure".
I remember the time when I could change my nickname and choose URL for my blog. You did not warn me that this will change soon. And it was because of WordPress-based blog platform and new WebMail too. Coincidence?
-
-
colored labels
I am not a fan of this change. I know why it's here & necessary, but I still don't like it. None of us (that I am aware of) have been told to stick to a given line on this issue.
-
What if new user don't want to give you a phone number
They don't have to. Only if they want to use the blogs or mail. The browser, forums & sync are still usable without passing over a phone number.
the ability to remove a phone number from the database
The service provider vivaldi has partnered with says in their privacy policy that data isn't kept longer than necessary. From this we know that the moment your account is verified, or not, the data will be removed automatically.
-
You did not warn us about your plans
I think this is a legitimate concern, but given that the recent change only affects new users I'm not sure what would be gained by having announced it in advance.
we are sure that SMS verification for all users is a matter of time
That won't happen. If you're already a member and a spammer, your account would have been locked by now. It wouldn't make sense to verify all the accounts again by SMS or any other means.
we are worried that SMS verification will be changed to 2FA very soon
I don't understand this concern. You can't verify that someone isn't a spammer by 2FA.
[...] because of WordPress-based blog platform and new WebMail
Free blogs and webmail are high value targets for spammers. They need to be more protected or it risks everyone else's account value too.
tl;dr if you already have an account, its not going to be any more locked down.
I hope this helps alleviate your concerns.
-
-
@Semenov-Sherin said in Introducing SMS verification for new Vivaldi Accounts:
Sorry, but I have been following this topic for several days and I noticed a few suspicious things:
- Almost everyone who defends SMS verification is affiliated with Vivaldi and has colored labels (green, blue, red). I'm sure you express your own opinion, but for some reasons it looks like an "official party line". Hmm...
- You choose the cons that you can explain and ignore others one. You explained why you use a third-party service, but you ignore users who don't want to share their phone numbers. You explained that new roles works for new users only, but you still ignore people who don't want to share their phone numbers. What if new user don't want to give you a phone number? Say "Goodbye" to your growth (I can not recommend Vivaldi anymore). Do you want a tip? Just add the ability to remove a phone number from the database after verification.
- You did not warn us about your plans. Again! And now you want to discuss this. Why? For what? What will change? Nothing. The time has gone. You should open this discussion before you added forced SMS verification for all new users. That's why even old users are worried: we are afraid that it will be worse, we are sure that SMS verification for all users is a matter of time, we are worried that SMS verification will be changed to 2FA very soon (for "suspicious" users of course) and we are afraid that you will force all of us to use 2FA by SMS (the worst 2FA method), because this is so "private and secure".
I remember the time when I could change my nickname and choose URL for my blog. You did not warn me that this will change soon. And it was because of WordPress-based blog platform and new WebMail too. Coincidence?
The confirmation by SMS does not make me any grace either for 2 main reasons, for being a rather outdated method and for having important privacy problems, especially if it depends on a external service.That is why I said before searching among all an alternative solution to avoid spam. Not because I have a color badge, I am satisfied with all the decisions of the Vivaldi team, and I am not the only one with badges who think so. But I like more suggestions instead of just criticism and anger.Vivaldi is a creation among all of us and I just like that it remains that way.
-
@Semenov-Sherin Blog and webmail are just extras we (older users) got by default. If you don't want something that is not connected with the browser in any other way than the company, you don't have to enter your phone number anywhere.
I'm also not very happy about this way of avoiding spam and would be very happy if we'd discuss more about alternative ways (how @Catweazle suggests) and one of them would become reality. But please don't forget it's only for registration to extra services.
Edit: @Catweazle you could maybe open a new thread for this to not have the ideas mixed with general discussion.
-
@Semenov-Sherin said in Introducing SMS verification for new Vivaldi Accounts:
New roles work for new users only. OK, but what if a new user has the same view on world like me? Are you sure you really can save my phone number? Are you sure we can trust your partners? 2FA via SMS must be optional!
It is not 2FA - it is only a one time verification and only if you want to use the blog and webmail services. If you only want to use sync or the forums, you only need a working e-mail address.
This is not about security, this is not about privacy, this is about spam. Hera are tons of smap and this is problem. So just add a CAPCHA.
CAPCHAs are no solution and especially Google CAPCHAs are no solution.
It was possible to take down "silk road", which was a hidden TOR service for drug dealers, because they used a CAPCHA.If verification by phone number is required, I can not recommend this browser to my friends anymore.
What has the browser to do with the website?
Maybe you cannot recommend the website, but I don't understand why you can't you recommend the browser ... -
@QuHno said in Introducing SMS verification for new Vivaldi Accounts:
What has the browser to do with the website?
These are the same people and they never warned about their plans. Yesterday you couldn’t know that they would do this. Now you cannot be sure that tomorrow they will not do something else.
-
@Semenov-Sherin said in Introducing SMS verification for new Vivaldi Accounts:
@QuHno said in Introducing SMS verification for new Vivaldi Accounts:
What has the browser to do with the website?
These are the same people and they never warned about their plans. Yesterday you couldn’t know that they would do this. Now you cannot be sure that tomorrow they will not do something else.
True, reaching this moment you can rethink the use. But in the meantime, the development of Vivaldi depends on the suggestions and needs of the user, according to the philosophy of this community., more than in any other browser.
-
@LonM said in Introducing SMS verification for new Vivaldi Accounts:
@Pesala I think most UK landlines can receive SMS messages which are stored in a mailbox, but it's been a long time since I've used that so I don't know how it works any more. You raise a good point.
Interesting. I would have thought that an internet browser company would have a global viewpoint, not parochial UK only mentality. Too bad. The inability of their personnel to even contemplate someone thinking or working differently than their narrow view destroyed Firefox. Looks like the same thing may be happening here. The announcement even conflates phone with mobile phone!
FYI, not all potential users of Vivaldi live in the UK nor does everyone need or have a mobile phone. Globally, very few landline phones support SMS. If you don't want users without mobile phones that is your choice but then you should say that up front.
-
@Catweazle said in Introducing SMS verification for new Vivaldi Accounts:
I believe that Vivaldi is a work in collaboration with the user and for this they are not necessary protests, but constructive suggestions.
If that was really true then a request for ideas and suggestions would be made before a (probable) non-reversible change or policy was implemented. Springing a major change upon users unannounced is the antithesis of colaboration or sensitivity to user needs.
-
@iAN-CooG said in Introducing SMS verification for new Vivaldi Accounts:
@Pesala the SMS will be sent via regular mail, give it 3-7 days for delivery.
Really? To what address? Since the only info requested was a phone number, does Vivaldi have an up to date global reverse phone directory? Even if Vivaldi did have a street address, are they really going to fund international postage rates for online accounts?
I don't think so.