The average person doesn't have any idea what a hardware token is.
Google is not catering to HN readers, they're catering to your grandma, your parents, your little brother/sister, your tech-illiterate neighbor.
They couldn't care less about the habits of a nerd on Arch Linux with uBlock, NoScript, Firefox, a VPN, hardware tokens and 2FA everywhere with recovery codes split across 7 different locations.
This is a straw man. The problem is not that Google is designing their services to cater to the average tech-illiterate user, it's that they're preventing the tech-literate users from opting out of phone recovery and/or using something more sane, like what's been listed above.
That's clearly malice. Like, there's no good reason that Google would require you to hand over a phone number.
> That's clearly malice. Like, there's no good reason that Google would require you to hand over a phone number.
Let me give you a reasonable non-malicious reason:
Googler A: "We have this new attack. People are creating accounts from compromised IPs, and then creating app passwords to send huge amounts of gmail spam through SMTP directly, thus avoiding our browser-based spam mechanisms"
Googler B: "Can we ban them?"
A: "We can't ban them because we have no info on them, just sign-up IP, and the botnet has practically unlimited IPs"
B: "What about forcing them to have a phone number so we can do anti-spam on that, and perma-ban compromised phone numbers from making new accounts?"
A: "Good idea, that'll stop such a huge quantity of phishing emails and spam. That'll be good for the internet as a whole"
Only after you give them a phone number. In fact, they allow you to remove the phone number afterwards, so clearly they're happy with non-SMS 2FA being the only 2FA method on the account, as long as they first get the opportunity to stalk you beforehand.
There's no universal definition of a burner phone number, but they do ban certain number ranges commonly associated with VoIP providers. Your best bet is to get a prepaid SIM as those typically draw from the main number pool of the carrier so scum like Google can't ban those without also banning a third of their target market.