by ak217 4301 days ago
I'm not sure exactly what point you're trying to make, but you seem confused about how 2FA works.

The goal of 2FA/MFA is to make you demonstrate that you're in possession of two independent secrets (authentication factors). Once you've shown that, it's considered safe enough to replace the second secret (OTP sent to your phone or generated by your TOTP app like Google Authenticator) with a cookie (the check is not IP-based). Typically the cookie only lasts for 30 or 60 days.

If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

2 comments

> If what you're concerned about is the idea that Google knows your phone number, you can use Google Authenticator or another TOTP app instead.

I'm under the impression that you need to provide Google your phone number before being allowed to enable TOTP.

The TOTP algorithm is open and has an RFC. Check the Google Authenticator Wikipedia page for OSS clients.

I guess a phone number is needed for the secure reset. In case you lose the device, this would otherwise render your account inaccessible.

I do have an OSS client, but the very first step to enable Gmail's 2FA is to give your phone number.

I agree that there are good reasons for asking that, but the comment above apparently raises a good point, namely, that you apparently cannot enable 2FA without giving Google your phone number.

IP or cookie, I still don't see the need for giving your phone number. In case of a crack, the cracker knows your private phone number too; for what?