[mself]

Unlike what the OP stated, the key is NOT to list you phone number as an SMS 2FA recovery option. Only use the non-SMS options (e.g. app-based recovery, Google Authenticator, recovery codes). Adding SMS as an option makes your account less secure, not more.

Unfortunately, most sites do not allow you to turn off SMS recovery even if they offer other 2FA options.

Security is only as strong as the weakest link, and SMS is very weak.

[azinman2]

The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d. I also doubt many use/print recovery codes, and if they do, good luck finding them 7 years later.

Overall the situation isn’t great.

[wccrawford]

I just went through this situation with a couple non-Google companies when I upgraded my phone, not realizing that their authentication info wouldn't transfer when Google transferred my data to the new phone. I thought I had double-checked that I had everything, but this got missed.

It was a pain for all of them, but it was worst for the ones that I had no other auth systems set up. (Or the ones that had my old phone number for SMS still, even though I thought I'd changed it everywhere.)

In the end, there's still no good system for real security. You're either stuck with a device you might lose (or someone might steal), or stuck with an account that you might cancel (or someone might steal). Or use biometrics which are just not ready for prime time.

[retromario]

I encountered the similar problem the last time I upgraded. There are alternatives to Google Authenticator that offer backups and cloud syncs while maintaining security. andOTP on Android and OTP Auth on iOS. https://play.google.com/store/apps/details?id=org.shadowice.... https://apps.apple.com/us/app/otp-auth/id659877384

[Shank]

> The problem lies in that Google Authenticator is tied to a device, so if you upgrade it or lose it, you’re f’d.

You can save the QR code that was used during setup to repeat the onboarding at any time. You can also use Authy, 1Password, or another service that lets you store the one-time password somewhere else. Or use U2F devices when possible.

[hv42]

I would recommend saving the recovery codes in a password manager app (that is not your browser)

[Tepix]

No, Google Authenticator is not tied to a device. It's a standard (TOTP, RFC 6238) and you just need to use an app (perhaps not Google Authenticator, I use a different app myself) that will let you see the numerical code that you need to save somewhere.

[azinman2]

It’s tied to the device as in it won’t be part of your backup to a new phone.. you have to manually transfer it yourself which according to you is using another app!

So the likelihood of moving to a new phone without those codes transferred is very high. Not exactly an easy experience.

[nomadluap]

I still have my Google Account recovery codes in my wallet that I first generated in 2011.

[azinman2]

Better not lose your wallet!

When you’re at Google scale, all of these methods have real world flaws.