29 May 2022
is fake news. He talked about IMEIs, device fingerprints and SMS 2FA.
My first gripe with this man is that it took him almost 20 minutes (the video is 25 minutes long!) before talking about TOTP! Despite this, he says Google forces him to use his mobile phone as a hardware key that reads his IMEI to log him in and that it detected this using his degoogled phone's user agent.
What confuses me is that someone who claims to be the Internet Privacy Guy fails to use a browser that spoofs a user-agent so that Google doesn't know his phone model or manufacturer because he said it knew he was using a Pixel! That's the whole reason Bromite exists!
He compares phones with authenticators to "the Gestapo asking for your papers" because his view is that 2FA will lead to phones being used for other purposes like proof of vaccination or proof of identity. The fact of the matter is that it doesn't matter even if you try your hardest to hide; you need to know your threat model.
His threat model seems to be the FBI, Big Tech and the NSA, which is completely defeated by the fact that he runs a YouTube channel linked to his Google account with a name on it and that he says his YouTube channel makes him money.
If you make money off of your YouTube channel, it has to be linked to a PayPal or a bank account, which is tied to your real identity. It's incredibly hard to open a bank account in the name of a phony person unless he has developed a fake identity with fake government documents and fake proof of identity.
Oh yeah, and he was also sponsored by Startpage.com, a "privacy" search engine that isn't open source. You'd think someone advocating privacy would also advocate open source software that can be reputably recognised as private, as its code is examinable by anyone? Google Authenticator is a TOTP app but it's closed source. Even if it uses TOTP, which is secure, you don't know what Google is doing. Meanwhile, my password manager KeePassXC has TOTP, it's open source, and I know what it's doing, so I trust it.
However, I do get his gripes with SMS 2FA. It is an incredibly insecure and non-private 2FA method. He mentions an attack that requires access to the carrier network to pull off; however, I know of an attack that spoofs a cell tower and intercepts the messages that way: the police use it, and it's called a Stingray.