by fiblye 2847 days ago
I've had this happen with gmail accounts randomly. Most of the time with computers I've been using for years on the same network.

The worst occasion I've ever had was the one time I was traveling. I was getting by with only wifi and, naturally, didn't have a phone number to confirm my account with. I didn't have a number bound to my account, either, making the whole process pointless.

How did I get into my account? I asked a random guy who walked by if I could login to my email on his phone (since at that point I'd left my wifi area and couldn't login with my own device). It was essential that I check an email at that point, so I didn't have a choice. It was anti-security--I literally gave full access to my email account to some man I never met before in a different country.

Google needs to stop pretending it's some security measure. It's not. It's data harvesting, plain and simple. I just wish they'd admit it.

7 comments

Even if you removed that number from your account immediately after logging in, something tells me Google will not forget that association.

He might not have had an account then, but could create one in the future. So now if either of you messes up or does anything even remotely suspicious (in Google's eyes) - say goodbye to your account.

I had a Gmail account for a secondary email address that I used at times. One day I logged in with my email and password, and Google said I needed to further verify my identity. Well, my security question was a bogus one because I was confident with my password manager and backups it would not be needed. But, I guess I was wrong, because I didn't anticipate that knowing the password wouldn't be enough for Google. I never got access to the account again.
Stupid "security" questions, I've started answering them like "what's your favourite colour?" - "colour" or "what was your first pet's name" - "pet".

There are a few things that make me wonder if I can trust a company. Security questions, stupid password restrictions, sending me a password in plain text via email.

I recently was forced to do this by my home ISP. I used my password manager to generate 32 character length passwords, and then stored that info in the manager. However, when I attempted to save this info, the website responded with something along the lines of, 'we're sorry, please come back and try this again at another time.' This was preventing me from paying my bill online as it would not let me access my account with this info. I did this for 3 days straight. On the 4th day, I changed my answers to very simple responses similar to yours and the entire thing worked. It's not that it was fixed, because I tried the complex values first on day 4. Their system couldn't support such a value, and failed at letting me know that.
So, effectively, three security questions, like this:

  Favorite color? red
  Favorite band? yes
  First vehicle? car

In reality, they actually reduce complexity, defeating a 12 character password requirement with numbers, uppercase, lowercase and punctuation characters, because the total space of complexity can possibly be less than 9 case-insensitive letters.
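The entropy comparison this comment makes can be carried through in a few lines. The following is an added example, not code from the thread: it assumes a 94-character printable ASCII alphabet for the password policy and uses constructed, illustrative pool sizes for how many plausible answers each security question has (30 colours, 5000 bands, 500 vehicles). The point it shows is that the recovery path, not the password policy, sets the account's real strength.

```python
import math

# Constructed estimates of how many plausible answers each question has.
# These are illustrative pool sizes chosen for the example, not measured data.
ANSWER_POOLS = {
    "Favorite color?": 30,     # common colour names
    "Favorite band?": 5000,    # a generous list of well-known bands
    "First vehicle?": 500,     # makes/models someone might name
}


def charset_size(lower=True, upper=True, digits=True, punctuation=True):
    """Alphabet size for a password policy that requires these character classes."""
    size = 0
    if lower:
        size += 26
    if upper:
        size += 26
    if digits:
        size += 10
    if punctuation:
        size += 32  # printable ASCII punctuation
    return size


def password_policy_bits(length, alphabet):
    """Upper bound on entropy (bits) of a uniformly random password of this length."""
    return length * math.log2(alphabet)


def security_answer_bits(pools):
    """Bits needed to guess every answer, assuming each is drawn uniformly from its pool.

    Real answers are far from uniform (most people pick a handful of colours),
    so this is itself an upper bound for the recovery path.
    """
    return sum(math.log2(n) for n in pools.values())


def equivalent_letters(bits):
    """How many uniformly random case-insensitive letters carry the same entropy."""
    return bits / math.log2(26)


def weakest_link(length, pools):
    """Compare the password policy with the recovery questions that bypass it."""
    pw_bits = password_policy_bits(length, charset_size())
    qa_bits = security_answer_bits(pools)
    return {
        "password_bits": round(pw_bits, 1),
        "answer_bits": round(qa_bits, 1),
        "answers_as_letters": round(equivalent_letters(qa_bits), 1),
        "recovery_is_weaker": qa_bits < pw_bits,
    }


if __name__ == "__main__":
    for key, value in weakest_link(12, ANSWER_POOLS).items():
        print(f"{key}: {value}")
```

With these assumptions a 12-character password from the full printable alphabet is worth about 78.7 bits, while the three answers together are worth about 26 bits, roughly the same as 5 to 6 random lowercase letters. Since the questions let a caller reset the password, the stronger factor is simply bypassed; generating random strings for the answers and storing them in the password manager brings the recovery path back up to the policy's strength.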
I used to give my real birthday. Then I kept reading about how knowing that plus your address (usually easy to find on the internet - whitepages.com, etc.) got someone a long ways toward imitating you.

So I started making up birthdays but would have problems because I didn't remember them. So now I just use the epoch, which I think somebody here suggested.

I put January 1, 1970 as my birthday, and sometimes I can tell sites convert to a timestamp and then reject my entry because it evaluates to zero, which is falsy.
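The rejection described in this comment is a classic "falsy zero" bug: a date of birth of 1970-01-01 UTC converts to Unix timestamp 0, and a presence check written as `if not value` cannot tell that apart from a missing field. The following is an added example, not code from the thread; the validator names and the 1900 lower bound are constructed for illustration. It shows the buggy check next to one that tests for `None` explicitly and then range-checks the value.

```python
from datetime import datetime, timezone

# 1900-01-01T00:00:00Z, an arbitrary "no one is older than this" floor for the example.
EARLIEST_PLAUSIBLE_BIRTH = -2208988800


def birthdate_to_timestamp(year, month, day):
    """Convert a date of birth to whole seconds since the Unix epoch (UTC)."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def validate_birthdate_naive(ts):
    """Buggy version: treats every falsy value as 'field missing'.

    0 is falsy in Python (and in JavaScript, PHP and others), so a user born
    on 1970-01-01 is rejected as if they had left the field blank.
    """
    if not ts:
        return False, "birth date is required"
    return True, "ok"


def validate_birthdate_fixed(ts, earliest=EARLIEST_PLAUSIBLE_BIRTH):
    """Fixed version: 'absent' is None, and 0 is just another valid timestamp."""
    if ts is None:
        return False, "birth date is required"
    if isinstance(ts, bool) or not isinstance(ts, int):
        return False, "birth date must be an integer timestamp"
    now = int(datetime.now(tz=timezone.utc).timestamp())
    if ts < earliest or ts > now:
        return False, "birth date out of range"
    return True, "ok"


if __name__ == "__main__":
    epoch = birthdate_to_timestamp(1970, 1, 1)  # == 0
    print("naive:", validate_birthdate_naive(epoch))
    print("fixed:", validate_birthdate_fixed(epoch))
    print("fixed, missing:", validate_birthdate_fixed(None))
```

The same pattern applies to any numeric field where 0 is legitimate (a port, an offset, a count): check for absence with an identity comparison against the sentinel, then validate the range, rather than relying on truthiness.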
The issue then is that some services will require a copy of your ID to recover/unlock your account, and if the birth dates don't match they won't do it.
I always use plausible typos.
I use my sister's birthday. Other than the year, it's close to mine, and I don't forget it.
I use the registration date of my car (which is 4 years older than me) since at least I can look it up.
I tell the students that you really need to lie and put in some words that you remember that go with the question. Think of it as a challenge/ response, not an answer.
Next time, add your security questions to your password manager.
Security Q/A are de facto passwords. Treat accordingly.

Further, they're often a sign that a human employee providing support can override and manually authenticate a user. Whether or not that is really the correct user. Treat your entire account with them accordingly.

Yes. I answer something like "favorite color" with "blue green red" or "blue was the color of my first bike" if I can. I end up with something like this:

  pet: answer
  school: answer
  friend: answer

Precisely the same thing happened to me. I removed Google from my life entirely, and I'm really happy about it.
What on earth are those of us supposed to do that don't have a phone?
Switch to a paid service that doesn't depend on your data or on ads for revenue and survival.

I would mainly recommend posteo.de because of what the company stands for and its cheap pricing. Other options are runbox.com and mailbox.org. All these providers support IMAP too. So you can use any email client on any platform, or the web interface, to access email.

Protonmail, recommended by some others here, doesn't support IMAP for free accounts (so you can't take your mail out easily if you want to move elsewhere). For paid accounts, it has a "bridge" software that needs to be installed and running. This is available only on Windows and Mac. For Linux, the FAQ [1] still says at multiple places that it'll be available in "early 2018", while we're already nearing the fourth calendar quarter of 2018.

[1]: https://protonmail.com/bridge/faq#c8

Or simply buy Apple and use iCloud for emails and data
Except they silently filter email messages based on certain keywords
Emm, they do what? Please clarify.
Fastmail. They even have a real customer service.
ProtonMail.
I second this; ProtonMail is great.
I think the correct term is security by obscurity. Every time I need to "ID" myself I just borrow someone else's phone.
Get a Google Voice number https://google.com/voice and link it to Google Hangouts or Google Messenger so you can send and receive texts via your phone or Wifi Web apps.
It’s a security measure FOR THEIR SECURITY, not for yours.

It’s an anti-spam and anti-abuse measure, so they’re not giving away free resources that get used to harass their users.

Why would Google need you to give them your phone number to associate that with you? They’re on many of the phones in the world, someone you know has already done that for them, or you used your own phone to do the same.

If Google hired reasonably smart engineers, they'd know that a 10 year old account with a stable history of regular emails isn't a spam account.

Unfortunately, Google doesn't seem to have the best staff. Or even good staff.

10 year old accounts get hijacked all the time.
Yeah, maybe.

But it's Google. I could name at least 12 datapoints to check whether it's still the same user it was for 10 years off the top of my head. Starting with "still using the same device" going to probably things like "typing style", given how sophisticated their AI is.

There is really no excuse for Google's ADD, implementing half-assed features and then dropping support for them 2 months later...

This isn’t a feature to authenticate the account. This is to identify the person using the account. They’re tying the person using the account to a phone number that person apparently controls, and thus a billing contact.

This usually means Google suspects you of doing something that might be abusive.

In this case: re-activating a dormant account that was in a data dump would be a safe bet.

Did Google ask again for a phone number when you tried to log in from the stranger's phone?