[bradfa]

For anyone who says, "But what if $WORKPLACE doesn't allow you to plug in USB dongles or use NFC!?!" my counter is then maybe you shouldn't be logging into your personal Google account on that PC. And you probably have an IT department who already have a solution for 2FA that you're required to use.

[tialaramex]

Also, just because you aren't allowed to plug in "USB dongles" such as flash drives, does not mean FIDO authenticators [the things needed to make WebAuthn or its predecessor U2F work] won't work.

A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.

If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.

‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.

[rot13xor]

Some work machines have all external ports glued shut and the mouse/keyboard are non-removable to prevent data exfiltration. Though you shouldn't be logging into personal accounts on those machines anyway.

[CogitoCogito]

This is quite a flippant response. These requirements are being put in place against (some) users' will. Simple changing email providers isn't exactly easy and maybe they need to access that account. Maybe Google should allow users to turn this off?