Re: [tor-talk] TorBirdy doesn't work with Gmail?
> Your phone messages presumably have a fixed format and can be logged by the network; drawing attention to Tor usage is not the goal and I can see that being a serious problem.
I think you can also opt to receive a phone call that says something like "Your verification code is 12345". It doesn't mention Google and certainly doesn't mention Tor. But it's been a while since I went through this myself so I don't remember exactly.
I should note that this is the worst case scenario. For most users you do NOT have to receive a verification code. We were considering requiring that for all anonymizing proxy users in the past, but did not do so. It's an option we reserve for the future though. For now, answering a security quiz is good enough.
Note that you can add a fake phone number to your account (we don't presently verify them) and this acts as a second password, more or less, so as long as it's a number you can remember you can get through ID verification without receiving any phone codes.
> I see a cookie called GAPS under accounts.google.com - is this the only one which needs to persist for authentication to work?
Yes, we know that saying "don't clear cookies" rather goes against the advice and design of tools like the browser bundle. Potentially TBB could have some specific hack for Google.
The GAPS cookie is the only one that's needed for a login to be recognized as good. It's part of how we propagate goodness around between second factors.
Simple example: you log in from an IP address that is nearby to one you previously used (in physical or internet space), and don't have a GAPS cookie. We issued you a new one when you visited the login page. The act of logging in from a good IP whitelists that GAPS cookie. Now you travel and log in from a new country. The IP is unknown but the GAPS cookie you have was seen before. We let you in without hassle because we know that device is legit. Your new IP geo is now whitelisted too.
> I believe it would be very much appreciated if your team could provide a support page with a walk-through for Tor users explaining how to gain access by the second method
I agree. There was actually some work done on this around the time we were considering requiring phone verification for all logins, but I can't find it on our support site now. I think I need to chase that up again.
_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
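The trust propagation described in the message above, as an added toy model; it is not part of the original post and is not Google's code. All names are hypothetical, the IP-to-region table is constructed, and "nearby" is assumed to mean "same coarse region".

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    good_cookies: set = field(default_factory=set)  # device cookies seen on a good login
    good_regions: set = field(default_factory=set)  # coarse IP locations seen on a good login

def login(account, ip, cookie, geo, quiz_passed=False):
    """Return 'allow' or 'challenge'.

    A login is recognized as good if EITHER factor (device cookie or IP
    region) was already trusted, or if the user passed the fallback
    challenge. A good login then whitelists BOTH factors.
    """
    region = geo.get(ip, "unknown")
    known = cookie in account.good_cookies or region in account.good_regions
    if not (known or quiz_passed):
        return "challenge"
    account.good_cookies.add(cookie)
    if region != "unknown":
        account.good_regions.add(region)
    return "allow"

def demo():
    # Constructed sample data (documentation address ranges, made-up regions).
    geo = {"198.51.100.99": "CH", "203.0.113.5": "JP", "192.0.2.44": "BR"}
    acct = Account(good_regions={"CH"})  # user has logged in from CH before
    return [
        # Fresh cookie, nearby IP: allowed, and the cookie becomes trusted.
        login(acct, "198.51.100.99", "gaps-A", geo),
        # New country, same cookie: allowed, and the new region becomes trusted.
        login(acct, "203.0.113.5", "gaps-A", geo),
        # Cookies cleared AND unfamiliar exit location: nothing links to the account.
        login(acct, "192.0.2.44", "gaps-B", geo),
        # Same attempt after answering the security quiz: both factors whitelisted.
        login(acct, "192.0.2.44", "gaps-B", geo, quiz_passed=True),
        # Cookie kept, exit in an unmapped location: the cookie alone carries trust.
        login(acct, "192.0.2.200", "gaps-B", geo),
    ]

if __name__ == "__main__":
    print(demo())
```

The third call is the cookie-clearing case discussed in the thread: with neither a previously seen cookie nor a previously seen location, the model falls back to a challenge.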
participants (1)
- Mike Hearn