by zorked 1509 days ago
That's a mistake I will never make again. Your phone number is insecure - but even if wasn't, you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason.

Literally, you are giving your account to the phone company.

I'm more convinced by the printed security codes. I have encrypted copies in several storage providers, and that includes publicly-accessible copies. I have a copy in my safe, I have some in my family's safe in a different country. No phone company involved.

3 comments

I recently discovered the printed codes aren't particularly reliable and google will still ask for another authentication method. I managed to get into my account by driving to a wifi google recognized as "home" and being connected to that after the codes weren't enough. I too assumed they were some sort of master key but they're just an extra method and google's security blackbox can decide it's not enough.
This is the frustrating thing about Google's security. You record the printed codes and expect to be able to use them and then you're let down when it comes to the crunch because there are bonus extra steps.

It's a similar story with the "recovery email address" they let you add to your account. You'd expect that if you have access to that recovery email you'd be able to gain access but no, there are cases where Google refuses to send any recovery email because "we can't verify this account belongs to you at this time" so no recovery email for you.

This would all be fine if they didn't enforce we have to have 2FA enabled and then refuse to provide support even when you're a paid up member. [1]

[1]: https://news.ycombinator.com/item?id=31073302

Not just Google, anytime I have had to rely on a printed back-up code it hasn't worked. Anyone who thinks they are safe because they have back-up codes for any account, think again.
Same is true of the phone method too. They ignored the fact that I had my second factor. I have no idea what google were thinking.

Now I use paid email services.

Use a 2fa app with backups, or one that syncs to different devices (e.g. authy). It's distributed TFA. The phone number is not very secure, so I don't think it should be a part of TFA. I therefore agree that it is unwise to allow Google to use it for this. I also have a fake dob on my phone account to make SIM porting harder, but you can't trust that you have control over your phone number.
1Password also has a distributed TOTP system.
Bitwarden Family / Pro / Enterprise also has the ability to Setup TOTP based MFA which is then synced to other devices

I use both Authy and Bitwarden

> you are setting yourself up for losing your account forever if you ever forget to transfer all your 2FA numbers, or if the phone company decides they want to cancel your contract, or potentially if you lose your SIM card, or even if whatever SMS gateway doesn't like your number for whatever reason

It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down? Where I live my mobile number is very secure and will not change until I fuck up very hard. And in this case I have multiple other backups (printed codes, rescue number).

> It's the same with your address, what if your landlord randomly decides to kick you out or your house burns down?

Not the same at all, you can just go to the post office and file a forwarding address and all is well.

Phone numbers are very ephemeral. I have many phone numbers associated with many older accounts, like one from an office phone from a company that doesn't even exist anymore. Learning from those lessons, I go out of my way to never associate a phone number with anything anymore, it's just asking for future pain.

Then I can go to the post office and talk to a human who will happily confirm who I am (maybe they even know me personally) and can forward my mail anywhere I want.