by sigmoid10 1501 days ago
> Unfortunately I did not have a phone number associated with this account. My understanding is I would have been able to recover my account if I had one.

It boggles my mind how people can have their entire life tied to this service and not connect a phone number, especially since google regularly warns you during login that this can happen if you don't add your number. They even ask to confirm every now and then in case your number changed and you forgot to update it. If you're worried about giving them your number for data privacy reasons, you should not have used their service for your whole life's activities anyway.


That's a mistake I will never make again. Your phone number is insecure - but even if it wasn't, you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason.

Literally, you are giving your account to the phone company.

I'm more convinced by the printed security codes. I have encrypted copies in several storage providers, and that includes publicly-accessible copies. I have a copy in my safe, I have some in my family's safe in a different country. No phone company involved.

I recently discovered the printed codes aren't particularly reliable and google will still ask for another authentication method. I managed to get into my account by driving to a wifi google recognized as "home" and being connected to that after the codes weren't enough. I too assumed they were some sort of master key but they're just an extra method and google's security blackbox can decide it's not enough.
This is the frustrating thing about Google's security. You record the printed codes and expect to be able to use them and then you're let down when it comes to the crunch because there are bonus extra steps.

It's a similar story with the "recovery email address" they let you add to your account. You'd expect that if you have access to that recovery email you'd be able to gain access but no, there are cases where Google refuses to send any recovery email because "we can't verify this account belongs to you at this time" so no recovery email for you.

This would all be fine if they didn't enforce we have to have 2FA enabled and then refuse to provide support even when you're a paid up member. [1]

[1]: https://news.ycombinator.com/item?id=31073302

Not just Google, anytime I have had to rely on a printed back-up code it hasn't worked. Anyone who thinks they are safe because they have back-up codes for any account, think again.
Same is true of the phone method too. They ignored the fact that I had my second factor. I have no idea what google were thinking.

Now I use paid email services.

Use a 2FA app with backups, or one that syncs to different devices (e.g. Authy). It's distributed TFA. The phone number is not very secure, so I don't think it should be a part of TFA. I therefore agree that it is unwise to allow Google to use it for this. I also have a fake DOB on my phone account to make SIM porting harder, but you can't trust that you have control over your phone number.
1Password also has a distributed TOTP system.
Bitwarden Family / Pro / Enterprise also has the ability to set up TOTP-based MFA, which is then synced to other devices.

I use both Authy and Bitwarden

> you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason

It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down? Where I live my mobile number is very secure and will not change until I fuck up very hard. And in this case I have multiple other backups (printed codes, rescue number).

> It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down?

Not the same at all, you can just go to the post office and file a forwarding address and all is well.

Phone numbers are very ephemeral. I have many phone numbers associated with many older accounts, like one from an office phone from a company that doesn't even exist anymore. Learning from those lessons, I go out of my way to never associate a phone number with anything anymore, it's just asking for future pain.

Then I can go to the post office and talk to a human who will happily confirm who I am (maybe they even know me personally) and can forward my mail anywhere I want.
This is victim blaming. If you have the correct credentials to an account, Google should never say "we're not letting you log in anyway, and there's literally nothing you can do about it".
Phone numbers are not a magic cure-all-ills pill, either. My phone plan became outdated and my number wound up being cancelled, which means my old work email now no longer can be accessed.

If Google actually gave options to its users instead of babying them and pressuring them to give up all their personal info (like EVERY OTHER EMAIL PROVIDER), this would not have been a problem. Google clearly cannot be trusted with anything of value.

I totally agree with you. That was a mistake on my part. I had my number on the account a few months back. But my thinking was similar to what @orblivion posted below:

"Because I've been warned by security conscious people never to use phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link.". I happened to read so many articles in the recent past of SIM Swapping, that I was afraid to use my cellphone number as 2FA and removed it from my gmail account. What with Google being evil and all

> Because I've been warned by security conscious people never to use phone number

Sadly you read only one part of the warning from security conscious people. The main part is to get U2F/FIDO key or use QR-code/authenticator. The same security conscious people use Fdroid/AndOTP where you can export all your 2FA codes.

There's NO reason to say "if I shatter my phone". Yes, you can also print recovery codes and keep them at home.

We're not talking about 2FA, we're talking about account recovery. I do have my authenticator app set up. Can I use it to prove myself if Google thinks somebody stole my account?
Yes, I just tested it with one my accounts that has NO recovery email address/phone. ONLY U2F key.

Select forgot password; then it asks "Insert U2F Key". Then recovered. Yes, it may be that if one loses the U2F key in the Metro it is dangerous, but some risk is always there. (i.e.) how many times have you lost your key in your life? If more than one per year then keep one U2F at work and one at home.

Cool I'll look into it, thank you.
Because I've been warned by security conscious people never to use phone number as a 2FA because it's so insecure, and using it as a recovery option seems to create an even weaker link. If that's somehow not true, I haven't gotten around to figuring out why that is because I only have so much time for this shit.
Security conscious? Or security expert?

SIM-swaps are easy but do not scale. This means that they don't actually affect a lot of people. The improvement in security posture from SMS 2FA to TOTP is actually fairly small, because both lose to phishing and phishing is orders of magnitude more common than SIM-swaps or malware that steals SMS codes.

As a solo recovery option, it is indeed a more meaningful risk. But we also observe that people just lose their accounts all the time if they don't have a phone-based recovery option so I do understand why the option is offered.

Google allows for various kinds of 2FA, not just SMS. You can use a hardware key or even Google apps installed on other trusted devices.
Great, can I use a hardware key (or authenticator app, in my case) if I get locked out of my account like the person who posted this question? That's my point.

To be clear, 2FA != account recovery.

Not for all accounts. After several years, they started strongly recommending an SMS verification, then finally locked my account when I couldn't provide them one. [I have SMS turned off by my cellular provider] Every year or so I'll see if I can get back in. Sometimes I'm presented with a non-SMS option, but once I work through that, they go right back to insisting on SMS.

I only used that account for communicating with one friend, [our mail hosts were blocking each other in some kind of spam war tit-for-tat] now deceased, so it was no great loss to lose the account, but rather annoying that they pretend harvesting phone numbers is some type of "authentication."

But if you don’t remove your phone number then the insecure option is still present.
"especially since google regularly warns you during login that this can happen if you don't add your number"

All of this is so that they can mine phone numbers for older accounts. Now they require a phone number by default.

It makes sense to add a way to recover access to your account if you fear that you may forget your password. It makes no sense to give google your phone number just in case they may out of nowhere decide that you look suspicious (for using firefox? moving to another country? something else?) and reject authenticating you despite being able to enter your password correctly.

"you should not have used their service for your whole life's activities anyway"

You should not do that in general as Google is extremely unreliable. I had given them my phone number for my account but this did not help. I posted about it at https://news.ycombinator.com/item?id=30544030 a few months ago.

> It makes sense to add a way to recover access to your account if you fear that you may forget your password. It makes no sense to give google your phone number just in case they may out of nowhere decide that you look suspicious (for using firefox? moving to another country? something else?) and reject authenticating you despite being able to enter your password correctly.

Why should the reason you need to recover the account matter?

If the account is important to you, wouldn't losing it be equally bad regardless of whether you lost it because you forgot your password or you lost it because Google did something annoying?

I meant in terms of what google may need to prove that it is you.
I was NEVER prompted for a phone number or given a warning that I will not be able to access my account if I didn't have one. (Maybe because I already had one on the account and removed it? Not sure.) However, off and on, google would prompt me for my recovery email and I had no problem accessing my account using that.
It boggles my mind how people can have their digital life under third party computers ONLY. I was a GMail user, since when it was beta/invite only, but I always have had local copy of anything in usable formats...

It might sound rude, but people have to learn a thing: only things you really own are yours; the rest might be there or not, might be good or bad, but it remains something ephemeral, not to be trusted for anything. And that's why we MUST stop letting connected devices fill our lives, from cars to home doors: we do not really own them and we should.

At the end of the day, they won't trust that the phone number you provided actually is you anyway.
yep. If google's artificial idiot has decided "guuuh even with your password, your token, and access to your recovery mail I cannot be 140% sure it's you, better to lock anyone out of your account forever", your account is toast.
> It boggles my mind how people can have their entire life tied to this service and not connect a phone number

This is blaming the victim instead of the ham-fisted limitations imposed by google.

There is no justifiable reason for google (or any of the cloud companies) to be imposing their arbitrary account locks on users.

I should be able to configure my gmail account with a setting that says never ever require anything other than my password to access it, because I know my password is strong and well protected. I don't want any of these misbehaving AI detections locking up my account for reasons that I don't want.

If someone else wants to configure their account with these trip hazards, more power to them, but it's not ok for these cloud companies to impose it.

Another reason why I mostly self-host everything, but for less technical people who are not able to do so it's a huge problem. Let's not blame the victim.

I've tried to reset my password previously. Having a number associated didn't really help me.
Some people can't afford a smartphone, and rely just on a landline, sometimes one phone for an entire home.

We need a federal law that two factor authentication needs to work on landlines.

The technology is there. It's not expensive either.

Why not a law that prohibits companies making people jump through any of these arbitrary hoops in the name of "security" to begin with? Authentication requirements should be straightforwardly understandable, future-predictable, and fully changeable by the user. Not opaque, always changing, and top-down set by the company for their version of "security". This goes doubly when there is no customer service to sort things out with.

PS stop validating their top-down model by referring to SMS nags as "2FA". It's snake oil for the corporate motive of demanding identifying information.