Hacker News
by unknownBits 4294 days ago
With two-factor authentication you are happily providing gmail with your phone number. They say they need this to send you a verification code when you log into your gmail account. Then they say:

"During sign-in, you can tell us not to ask for a code again on that particular computer."

Well, if that's the trick, they don't need your phone number at all, they can do an IP and OS check anyway.

6 comments

If you're worried about giving Google your phone number, you should perhaps also be worried about them having access to all of your email messages.
You should be worried about both of these anyway.

I have a couple of old legacy gmail accounts I don't use any more but still keep active, so I have 2FA on them, but anything important goes to my own mail server.

Is this enough, though? Probably to prevent an attacker from stealing your account, but not to stop them from reading your emails.

Do you encrypt your emails? Do you regularly send emails to other people (who probably have Gmail accounts)?

>Probably to prevent an attacker from stealing your account, but not to stop them from reading your emails.

Since nothing important goes to them any more and I mainly keep them active to stop them getting squatted for some highly intermittent email (3+yrs) I might have forgotten, it doesn't matter much there. As it is, the main attacker where gmail is concerned is google itself, followed by the NSA.

As for other people with gmail accounts, yes, but I'm aware of when that happens and wouldn't email anything sensitive to any gmail(hotmail,yahoo,etc.) account.

The problem is that, as a security solution, having your own mail server and being careful about who you send emails to doesn't scale and it's not feasible in the general case. If you're worried about Google/NSA/spies as the main attackers, I'm not sure hosting your email is the best solution. Yes, it works if you never send email to anyone with Gmail, Yahoo, Hotmail, etc. But that will prevent most normal uses of email. And if you do send email to regular people, then someone, somewhere, will read your emails; that's what they are for after all. And then the privacy of your email is as good as the security measures your recipient has in place.

Same with 2FA: it's a security measure to make it difficult for an attacker to gain access to your account, and one all of us should use, but it's not there to prevent them from reading your emails.

Maybe the overall solution is "don't use email -- self-hosted or otherwise -- for anything sensitive, ever." This will probably work, but is not feasible for most of us.

I'm not sure exactly what point you're trying to make, but you seem confused about how 2FA works.

The goal of 2FA/MFA is to make you demonstrate that you're in possession of two independent secrets (authentication factors). Once you've shown that, it's considered safe enough to replace the second secret (OTP sent to your phone or generated by your TOTP app like Google Authenticator) with a cookie (the check is not IP-based). Typically the cookie only lasts for 30 or 60 days.

If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

> If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

I'm under the impression that you need to provide Google your phone number before being allowed to enable TOTP.

The TOTP algorithm is open and has an RFC. Check the Google Authenticator Wikipedia page for OSS clients.

I guess the phone number is needed for the secure reset. In case you lose the device, this would otherwise render your account inaccessible.

I do have an OSS client, but the very first step to enable Gmail's 2FA is to give your phone number.

I agree that there are good reasons for asking that, but the comment above apparently raises a good point, namely, that you apparently cannot enable 2FA without giving Google your phone number.

IP or cookie, I still don't see the need for giving your phone number. In case of a crack, the cracker knows your private phone number too, for what?

My gmail (and aws and dropbox and digital ocean and github and zoho and ...) TFA uses a TOTP app, not my phone number. (And it works just fine on my iPad, which doesn't really have a phone number, at least not one I know or worry about...)

Also, according to the three biggest telcos where I live:

"SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication," ( http://www.itnews.com.au/News/322194,telcos-declare-sms-unsa... )

> Well, if that's the trick, they don't need your phone number at all, they can do an IP and OS check anyway.

Although that wouldn't be 2FA, it's worth noting that Facebook, Hotmail and Flickr will ask for some extra verification if you connect from a different country than usual. So that's probably not a bad idea.

Google do as well - they block logins that they determine to be suspicious, and a separate country seems to be a big factor in that decision.

> With two-factor authentication you are happily providing gmail with your phone number.

Which I also provide to Google because all of my phone numbers are forwarding numbers for my GVoice account, so that's not a big deal.

> They say they need this to send you a verification code when you log into your gmail account.

Sure.

> Well, if that's the trick, they don't need your phone number at all, they can do an IP and OS check anyway.

How can they determine it's valid without the second factor the first time you log on from a particular device? That's a key feature of 2FA (plus, if you ever use a shared computer, you don't want to choose the option to never ask for a code again on that computer!)

This is much better: https://play.google.com/store/apps/details?id=org.fedorahost...

Open source fork of the (now closed source) Google Authenticator.

Nice! Thanks for sharing!