by vort3 1512 days ago
It's not even about not being willing to spend $1 for a random phone number.

Here's a list of things that are wrong with what Google does:

- If you want to read your email, you have to use an app-specific password. I'm ok with that.

- You can't generate app-specific passwords if you don't have 2FA enabled. That's some artificial limitation made to force you into adding a phone number to your account.

- You can't use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is a primary method, while an authenticator app, which can be set up by scanning a QR code from the screen without sending any information at all, is «secondary» and can only be used after you give your phone number.

- You can use a «notification» to confirm it's you, but you can only do that on the phone. I'm currently logged in on my browser; certainly I could confirm any login attempt from that same browser, wouldn't that be a second factor?

- Nowhere in announcements, help pages or the Google Account interface do they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing and you wouldn't even know it should be there unless you search on the internet.

- Nowhere do they tell you that the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.

All of this is just bizarre and ugly. I have no idea why other people are not complaining, probably most of them just accepted that and added phone numbers.

6 comments

> You can't use authenticator app to enable 2FA

Are you sure about that? I don't think this is true. I definitely don't have a phone number linked to my Google Account and I have TOTP enabled as well. They even have the Advanced Protection mode which doesn't allow SMS or the authenticator app.

Really though, you should do the last thing. Buy some security keys and enable Advanced Protection.

Google used to give more options before. Today if you want to set up 2FA you must either give them a phone number or use a phone.

Only then can you add other authentication methods (e.g. a hardware key) and remove your phone as an option.

Source: went through this nonsense a couple years ago and then again a couple months ago with a different account.

You can start with a hardware key: https://i.imgur.com/FIjNyIh.png

Man, this thread is such a shining example of why "trust, but verify" is a phrase.

There is ABSOLUTELY an option to enable 2FA on a Google account now that does not require giving them a phone number. There's a clear "Advanced Options" link that lets you choose a security key, which is what folks should be using anyway.

True, I just didn't write that because physical security key is not an option where I live.

Other than security key, it's only phone number or adding account to the phone.

I'm sorry I didn't mention that in my post, I wasn't trying to lie, I just can't obtain physical key and I don't think I have to have physical key to read my emails.

Don't feel bad. I recently went through the process of enabling app passwords and what not for Google accounts. I did that because I lost control of one account and decided to implement every recovery option possible on the others - like TOTPs and backup codes. If there is a way to do it without purchasing stuff like tokens or entering phone numbers, I could not see it.

If there is a way of doing it, I suspect it's deliberately well hidden. I also suspect what they enforce varies by country.

Where is that? Judging by your comment history, maybe Kazakhstan? I can easily find physical security keys for sale in Kazakhstan. For example miningshop.kz in Almaty has Ledger Nano S in stock.

Besides, you don't need an actual physical key for U2F.

Almost nobody in the world has a physical key, and they shouldn't need to buy one when 2FA apps are sufficient for most people.
TOTP doesn’t protect against phishing, U2F keys do. Sadly very few companies have them as an option, which goes to show how 2FA is mostly security theater at all but a handful of companies.
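The contrast drawn above between TOTP and U2F, as an added example that is not from the thread or from Google. The TOTP half implements RFC 6238 (HOTP from RFC 4226 driven by a time counter) and shows that a code typed into a look-alike site is still valid at the real site inside its 30-second window, so a phishing proxy can simply forward it. The U2F/FIDO half is a simplified model: a real authenticator signs the server's challenge together with the origin the browser reports, using a per-credential private key; here an HMAC keyed with a per-credential secret stands in for that signature so the script needs only the standard library. The hostnames and function names are assumptions.

```python
"""TOTP can be relayed by a phishing site; an origin-bound FIDO assertion cannot.

TOTP is RFC 6238 / RFC 4226 exactly.  The FIDO part is a simplified model
(HMAC stands in for the ECDSA signature).  Hostnames are illustrative.
"""
import hashlib
import hmac
import secrets
import struct


# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP) -------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def totp_valid(secret: bytes, code: str, at: int, step: int = 30,
               digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current step and `skew` steps either side."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step, digits), code)
               for d in range(-skew, skew + 1))


def phish_relay_totp(secret: bytes, user_clock: int, server_clock: int) -> bool:
    """The victim types the current code into the attacker's look-alike page;
    the attacker forwards it to the real site a few seconds later.  Nothing in
    the code ties it to where it was typed, so the real server accepts it."""
    code_typed_into_phishing_site = totp(secret, user_clock)
    return totp_valid(secret, code_typed_into_phishing_site, server_clock)


# ---- FIDO/U2F-style origin binding (simplified model) -----------------------

def authenticator_sign(cred_key: bytes, origin: str, challenge: bytes) -> bytes:
    """The browser (not the user) supplies `origin`; the authenticator signs it
    together with the challenge.  Assumption: HMAC stands in for the real
    per-credential ECDSA signature."""
    return hmac.new(cred_key, origin.encode() + b"\0" + challenge,
                    hashlib.sha256).digest()


def rp_verify(cred_key: bytes, rp_origin: str, challenge: bytes, sig: bytes) -> bool:
    """The relying party verifies against its OWN origin, never a client-supplied one."""
    expected = authenticator_sign(cred_key, rp_origin, challenge)
    return hmac.compare_digest(expected, sig)


def phish_relay_fido(cred_key: bytes, real_origin: str, phishing_origin: str) -> bool:
    """Attacker relays the real RP's challenge to the victim, who is on the phishing
    page.  The victim's browser binds the phishing origin into the assertion, so
    verification at the real origin fails even though the key is genuine."""
    challenge = secrets.token_bytes(32)           # issued by the real RP, relayed
    relayed_sig = authenticator_sign(cred_key, phishing_origin, challenge)
    return rp_verify(cred_key, real_origin, challenge, relayed_sig)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"             # RFC 6238 test-vector seed
    print("TOTP relay accepted by real site:", phish_relay_totp(SECRET, 1111111109, 1111111119))
    KEY = b"per-credential-secret (assumed)"
    print("FIDO relay accepted by real site:", phish_relay_fido(
        KEY, "https://accounts.example", "https://accounts-example.evil"))
```

`totp` reproduces the RFC 6238 Appendix B vectors (seed `12345678901234567890`, 8 digits: 94287082 at T=59, 07081804 at T=1111111109), so the TOTP side is the real algorithm. The design point is in `rp_verify`: the server never asks the client which origin it was on; it verifies against its own, and that is what makes the relayed assertion useless to the phisher.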

Does that actually work? I assume Google verifies the authenticity keypair (I forgot the specific term) that cannot be extracted from authentic devices.

This may vary regionally. I went through this with an account recently and did not have this option, despite looking for it (as I do have a hardware key).

This is correct. A phone number is NOT required to enable 2FA, at least in my experience within the last few months.

I set up 2FA to use Yubikey hardware keys for a Google account, and was then allowed to generate app passwords. No phone number has ever been attached to the account.

I do agree that not allowing app-passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy oriented) alternatives (as may be evidenced at least in the case of OP).

You are right that I can bypass adding phone number if I have Yubikey, but unfortunately I don't have one and can't get it.

This may be a recent change, a few years ago when I tried this, I was definitely unable to add Yubikeys to a Google account until I added phone-based 2FA first.

If now it's just 'not recommended' then this is an improvement.

I've seen different authentication methods for different countries etc. For example, there are some countries where, if you put in your age as > 70 when signing up, the combination of being old and in a poorer country means Google never asks you for a phone number, because it's likely you don't have a cellphone.

So the rules can vary by region

It is true, I have recently looked everywhere. You can't choose TOTP with only a desktop web browser.

I'm really glad that I've never used a gmail address for email before, I'd hate to be stuck with using anything run by Google.

Yeah I am sure too. My last company used Google Apps and I didn't want to use my personal number for Google, but they forced me to insert a number in order to use 2FA, so I had to ask for a work SIM just so that Google would STFU. It was said to be a backup method for Google Authenticator, f*uck google

Companies using Google Apps, keep in mind: you pay money for a service, but if there's Google involved, you're still a product. Just avoid it.

Microsoft plays the same games with their authenticator app.

No they don't. I run an M365/Azure shop and not a single user out of hundreds has given their mobile number to Microsoft.

My personal consumer MSFT/Xbox account also has no mobile number attached.

Yes they do when your M365 using employer insists that you have to use the authenticator app on your personal phone and won't provide an alternative option.

At no point during setup does the Microsoft Authenticator app collect your mobile number. That is in fact the whole point of the app: SMS is insecure for 2FA so collecting a mobile number makes no sense.

Most of our people including myself choose to enroll a personal phone rather than carry two devices, and somehow none of these hundreds of people ever provided their mobile numbers to Microsoft. I think you are mis-remembering the setup experience, or your employer chose to enable some non-default options that use SMS as a backup option to the app.

So far all the services that required MS authenticator for me turned out to be perfectly fine standard TOTP.

Let's avoid Microsoft too?

I've tried that a few days ago.

You always need to add a phone as your first MFA method.

A simple hack though: you can add other methods, then remove the phone.

Your account was likely created before phone MFA was mandatory (as the first method).

> A simple hack though:you can add other methods, then remove phone.

Sure. That's like when I deleted my DigitalOcean account. They still send me notices about their service. Just because something is deleted for you doesn't mean it's deleted for them.

well said!

> I definitely don't have a phone number linked to my Google Account ...

If you use an Android phone, you most definitely do have a phone number associated with your Google Account. Android sends your IMEI and SIM card info to Google servers.

Unfortunately, because their Google Authenticator app refuses to back up half of the codes, they have to make sure there is an escape hatch if you lose your phone.

True for a few years now

> That's some artificial limitation made to force you into adding phone number to your account.

Agreed

> You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.

The amount of people getting locked out of their account because they lost the phone with the auth app would be unacceptably large, is my guess. Like people lose their phones all the time. Simjackings are rare.

Not only a lost phone, but a damaged phone is enough, as you can easily swap the SIM card but the authenticator needs to be set up again. BUT there are also one-time recovery codes; they could add an option to use those to recover after clicking through a few screens of warnings to make sure that you know what consequences it has.

That's one reason I definitely prefer SMS auth to any other method at the moment.

What if your phone is damaged while traveling and you are away from where you stored your recovery keys?

Whenever I add a new 2FA token, I always add it to my phone and a TOTP app (Authy) on my computers. Same thing for recovery keys.
You can always bring a paper recovery code or FIDO authenticator (both of which are safe against SIM swapping attacks).

We've been told for decades to "not write passwords on post-its" and we're really back to square one...
It's not a password, it is a secondary, single-use recovery second factor.

Carrying that around in a wallet doesn't make you any more vulnerable to physical attackers than carrying your Yubikey on a keyring, and it's much more secure against remote attacks than SMS-2FA (where you can fall victim to SIM swapping, number porting attacks etc).

ideally the paper would be in a safety deposit box / safe and not stuck to your monitor.
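The single-use recovery codes the reply above describes, as an added example that is not Google's implementation or anything from the thread. It shows the server-side half that makes a paper code safe to carry: the server keeps only a keyed hash of each code, each code is accepted exactly once, input is normalised so a hand-copied code with spaces or capitals still works, and comparisons are constant-time. The class, method names, alphabet and storage layout are all assumptions.

```python
"""Single-use recovery codes as a backup second factor (added example).

Server stores keyed digests only; a code is burned the moment it is redeemed.
"""
import hashlib
import hmac
import secrets

# Unambiguous alphabet (no 0/o, 1/l/i) so a code copied from paper survives bad handwriting.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LEN = 12                     # 31**12 is about 2**59: ample for a rate-limited, one-shot secret


def normalize(typed: str) -> str:
    """Drop dashes, spaces and case so 'ABCD-EFGH JKMN' and 'abcdefghjkmn' match."""
    return "".join(ch for ch in typed.lower() if ch in ALPHABET)


def format_code(raw: str) -> str:
    """Group into blocks of four for the printout the user puts in a safe."""
    return "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))


class RecoveryCodeStore:
    """Assumed server-side store.  `pepper` is a server secret kept out of the
    database, so a dumped table of digests cannot be brute-forced offline."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._codes: dict[str, set[bytes]] = {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user: str, count: int = 10) -> list[str]:
        """Generate a fresh batch; any previous batch for the user is invalidated."""
        raws = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                for _ in range(count)]
        self._codes[user] = {self._digest(r) for r in raws}
        return [format_code(r) for r in raws]       # shown to the user exactly once

    def redeem(self, user: str, typed: str) -> bool:
        """Accept a code once.  Constant-time compare against every stored digest."""
        candidate = self._digest(normalize(typed))
        for stored in self._codes.get(user, set()):
            if hmac.compare_digest(stored, candidate):
                self._codes[user].discard(stored)   # burn it: single use
                return True
        return False

    def remaining(self, user: str) -> int:
        return len(self._codes.get(user, ()))


if __name__ == "__main__":
    store = RecoveryCodeStore(pepper=secrets.token_bytes(32))
    codes = store.issue("alice")
    print("issued:", codes)
    print("first use:", store.redeem("alice", codes[0]))    # True
    print("replay:", store.redeem("alice", codes[0]))       # False
    print("left:", store.remaining("alice"))                 # 9
```

Because a code is single-use and the store is rate-limited on the login path, a fast keyed hash is enough here; the same design with an unkeyed hash and no per-use burn would make a stolen database, or a shoulder-surfed code, reusable.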

I never thought of the whole idea of wanting to hide my number from them, and I suspect most other users haven't either, but it does seem like an issue once you think about it.

It might have something to do with not wanting to have tons of spam accounts out there? Do they have code to keep a closer eye on unverified accounts?

Or preventing broken devices from locking people out, in a "We must protect users from themselves" kind of way?

Google is a mass market company, clearly not a privacy company, anyone who really wants to not be constantly tracked should probably stay away for many more reasons than this.

It does make sense from one perspective I've seen. Scammers are using 2FA to lock people out of their own accounts and demand a ransom for the tokens. Happened to a friend of mine a couple months ago.

> It's not even about not willing to spend 1$ for a random phone number.

Some sites (e.g. Scaleway.com) won't accept VOIP numbers: they require numbers from actual mobile networks. That is a pain for me since my main phone# is a VOIP number that forwards to my mobile. I do that so I can change my mobile number and just update the forwarding target, or can forward to a landline if I'm someplace with a lousy mobile signal, etc. All of this sucks.

It's also not unheard of to enter a valid phone number and get a message that the number has been used too many times and is no longer valid for 2FA.

Get an ultra cheap prepaid line, then cancel.

some (like visible) allow you to sign up without providing any of your own PII

That defeats the purpose, which is to give them a number that works in case they have to contact me. I have a stable VOIP number that forwards to one of various ephemeral numbers at any given time. The VOIP number really is the right one to give them and for them to use. But they are too smart for their own good.

The worst part about this 2FA story is that if you don't have any 2FA methods, Google will effectively lock you out of your account if you're trying to log in from an "unusual" device, i.e. any public (school, library) computer or wireless access point. If you don't have a phone with the proprietary Google apps installed and logged into your account, you literally can't log in in such situations. Make sure you always have a computer/OS combination that's recognized by Google when you travel.

I used to constantly get emails about suspicious logins detected simply from moving around hotspots with my phone trying to log into IMAP. This was until I enabled the app password thing, which generated a password that's both shorter and uses fewer distinct characters than my old IMAP password.