by loosescrews 1512 days ago
> You can't use authenticator app to enable 2FA

Are you sure about that? I don't think this is true. I definitely don't have a phone number linked to my Google Account and I have TOTP enabled as well. They even have the Advanced Protection mode which doesn't allow SMS or the authenticator app.

Really though, you should do the last thing. Buy some security keys and enable Advanced Protection.

Google used to give more options before. Today if you want to set up 2FA you must either give them a phone number or use a phone.

Only then can you add other authentication methods (like a hardware key) and remove your phone as an option.

Source: went through this nonsense a couple years ago and then again a couple months ago with a different account.

You can start with a hardware key: https://i.imgur.com/FIjNyIh.png

Man, this thread is such a shining example of why "trust, but verify" is a phrase.

There is ABSOLUTELY an option to enable 2FA on a Google account now that does not require giving them a phone number. There's a clear "Advanced Options" link that lets you choose a security key, which is what folks should be using anyway.

True, I just didn't write that because a physical security key is not an option where I live.

Other than security key, it's only phone number or adding account to the phone.

I'm sorry I didn't mention that in my post, I wasn't trying to lie, I just can't obtain a physical key and I don't think I have to have a physical key to read my emails.

Don't feel bad. I recently went through the process of enabling app passwords and whatnot for google accounts. I did that because I lost control of one account and decided to implement every recovery option possible on the others - like TOTPs and backup codes. If there is a way to do it without purchasing stuff like tokens or entering phone numbers, I could not see it.

If there is a way of doing it, I suspect it's deliberately well hidden. I also suspect what they enforce varies by country.

Where is that? Judging by your comment history, maybe Kazakhstan? I can easily find physical security keys for sale in Kazakhstan. For example miningshop.kz in Almaty has Ledger Nano S in stock.

Besides, you don't need an actual physical key for U2F.

Almost nobody in the world has a physical key and they shouldn't need to buy one when 2fa apps are sufficient for most people.

TOTP doesn’t protect against phishing, U2F keys do. Sadly very few companies have them as an option, which goes to show how 2FA is mostly security theater at all but a handful of companies.
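The phishing difference the comment above points to, shown as an added example (not code from this thread): a TOTP code carries no information about which site it was typed into, whereas a U2F/WebAuthn assertion is signed over a hash of the relying-party ID the browser actually saw, so the legitimate site rejects an assertion produced for any other origin. The TOTP part follows RFC 6238; the WebAuthn part is a simplified model in which an HMAC with a per-device key stands in for the real asymmetric signature, and the hostnames, secrets and challenge are constructed for the demo.

```python
import hashlib
import hmac
import struct

# RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then dynamic truncation.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, unix_time: int) -> bool:
    # The server only checks secret + time window. Nothing in the digits records
    # which origin the user typed them into, so the code is valid wherever it was
    # entered; that is why TOTP gives no protection against a relaying phishing page.
    return hmac.compare_digest(totp(secret, unix_time), code)

# Simplified U2F/WebAuthn model: the authenticator signs authenticatorData, whose
# first 32 bytes are SHA-256 of the RP ID the *browser* saw, followed by a hash of
# the server's challenge. An HMAC with a per-device key stands in for the real
# asymmetric signature (constructed for this demo, not the actual protocol).
def authenticator_assert(device_key: bytes, rp_id_seen_by_browser: str, challenge: bytes):
    rp_id_hash = hashlib.sha256(rp_id_seen_by_browser.encode()).digest()
    signed_data = rp_id_hash + hashlib.sha256(challenge).digest()
    return signed_data, hmac.new(device_key, signed_data, hashlib.sha256).digest()

def rp_verify(device_key: bytes, expected_rp_id: str, challenge: bytes,
              signed_data: bytes, signature: bytes) -> bool:
    # The relying party checks the RP ID hash itself, so an assertion the browser
    # produced for some other origin fails here regardless of the signature.
    if signed_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False
    if signed_data[32:] != hashlib.sha256(challenge).digest():
        return False
    expected = hmac.new(device_key, signed_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    secret, key, t = b"constructed-totp-secret", b"constructed-device-key", 1_600_000_000
    code = totp(secret, t)  # the same six digits are produced regardless of origin
    print("TOTP code accepted:", totp_server_accepts(secret, code, t))
    ch = b"constructed-server-challenge"
    data, sig = authenticator_assert(key, "login.bank.example", ch)  # genuine origin
    print("assertion from genuine origin:", rp_verify(key, "login.bank.example", ch, data, sig))
    data, sig = authenticator_assert(key, "bank-login.example", ch)  # any other origin
    print("assertion from other origin:", rp_verify(key, "login.bank.example", ch, data, sig))
```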

Does that actually work? I assume google verifies the authenticity keypair (I forgot the specific term) that cannot be extracted from authentic devices.

This may vary regionally. I went through this with an account recently and did not have this option, despite looking for it (as I do have a hardware key).

This is correct. A phone number is NOT required to enable 2FA, at least in my experience within the last few months.

I set up 2FA to use Yubikey hardware keys for a google account, and was then allowed to generate app passwords. No phone number has ever been attached to the account.

I do agree that not allowing app passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy-oriented) alternatives (as may be evidenced at least in the case of OP).

You are right that I can bypass adding a phone number if I have a Yubikey, but unfortunately I don't have one and can't get it.

This may be a recent change; a few years ago when I tried this, I was definitely unable to add Yubikeys to a Google account until I added phone-based 2FA first.

If now it's just 'not recommended' then this is an improvement.

I've seen different authentication methods for different countries etc, for example there are some countries that if you put in your age as > 70 when signing up, the combination of being old and in a poorer country means google never asks you for a phone number, because it's likely you don't have a cellphone.

So the rules can vary by region.

It is true, I have recently looked everywhere. You can't choose TOTP with only a desktop web browser.

I'm really glad that I've never used a gmail address for email before, I'd hate to be stuck with using anything run by Google.

Yeah, I am sure too. My last company used google apps and I didn't want to use my personal number for google, but they forced me to insert a number in order to use 2FA, so I had to ask for a work SIM just so that google would STFU. It was said to be a backup method for google authenticator. f*uck google

Companies using google apps, keep in mind: you pay money for a service, but if there's google involved, you're still a product. Just avoid it.

Microsoft plays the same games with their authenticator app.

No they don’t. I run an M365/Azure shop and not a single user out of hundreds has given their mobile number to Microsoft.

My personal consumer MSFT/Xbox account also has no mobile number attached.

Yes they do when your M365-using employer insists that you have to use the authenticator app on your personal phone and won't provide an alternative option.

At no point during setup does Microsoft Authenticator app collect your mobile number. That is in fact the whole point of the app: SMS is insecure for 2FA so collecting a mobile number makes no sense.

Most of our people including myself choose to enroll a personal phone rather than carry two devices, and somehow none of these hundreds of people ever provided their mobile numbers to Microsoft. I think you are misremembering the setup experience, or your employer chose to enable some non-default options that use SMS as a backup option to the app.

Prior to Android 11 no permission was required to retrieve a phone number via the API.

So far all the services that required MS authenticator for me turned out to be perfectly fine standard TOTP.

Let’s avoid Microsoft too?

I tried that a few days ago.

You always need to add a phone as your first MFA method.

A simple hack though: you can add other methods, then remove phone.

Your account was likely created before phone MFA was mandatory (as the first method).

> A simple hack though: you can add other methods, then remove phone.

Sure. That's like when I deleted my DigitalOcean account. They still send me notices about their service. Just because something is deleted for you doesn't mean it's deleted for them.

well said!

> I definitely don't have a phone number linked to my Google Account ...

If you use an Android phone, you most definitely do have a phone number associated with your Google Account. Android sends your IMEI and SIM card info to Google servers.

Unfortunately because their Google Authenticator app refuses to back up half of the codes they have to make sure there is an escape hatch if you lose your phone.

True for a few years now