by patrickdavey 4248 days ago
I thought that would be an answer, but then if your phone is stolen and they get in, couldn't they simply invalidate your 2fa codes too?

Mind you, it's probably the best idea.

3 comments

Simply stealing your phone isn't enough. They also need to know your password to change 2-step settings.
So you also need to make sure that your phone's browser doesn't have your Google password stored, and/or your phone's storage is encrypted with a strong-enough key.
Google has made me re-enter my password when modifying 2fa settings.
Sure, but if it's saved in the browser then it can be extracted from the browser.
Last I checked, this was not the case, and a major cause for concern.
Every time I go to https://www.google.com/settings/security and click on 2-step verification, I'm required to enter my password if I haven't done so in the last 5 min or so.
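The behaviour described in the comments above (a logged-in session may only touch 2-step settings if the password was re-entered within the last few minutes, so a stolen phone with a live session cookie is not enough on its own) is a step-up or "sudo mode" check. Below is an added example of that pattern in Python; it is not Google's code or anything posted in the thread. The 300-second window, the `Account`/`change_two_step` names and the PBKDF2 verifier are assumptions for illustration.

```python
"""Sudo-mode gate for sensitive account settings (added example, not Google's code).

A logged-in session may change 2-step verification only if the account password
was re-entered, from that same session, within the last REAUTH_WINDOW seconds.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: modelled on the "last 5 min or so" mentioned in the thread.
REAUTH_WINDOW = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 verifier; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ReauthRequired(Exception):
    """Raised when a sensitive change is attempted without a recent password entry."""


@dataclass
class Account:
    salt: bytes
    verifier: bytes
    two_step_enabled: bool = True
    # session_id -> unix time of the last successful password entry for that session
    last_password_entry: Dict[str, float] = field(default_factory=dict)

    @classmethod
    def create(cls, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(salt=salt, verifier=_hash_password(password, salt))

    def reauthenticate(self, session_id: str, password: str, now: Optional[float] = None) -> bool:
        """Record a fresh password entry for this session. A wrong password records nothing."""
        candidate = _hash_password(password, self.salt)
        if not hmac.compare_digest(self.verifier, candidate):
            return False
        self.last_password_entry[session_id] = time.time() if now is None else now
        return True

    def recent_auth(self, session_id: str, now: Optional[float] = None) -> bool:
        """True if this particular session typed the password within REAUTH_WINDOW seconds."""
        now = time.time() if now is None else now
        stamp = self.last_password_entry.get(session_id)
        # A stamp in the future (clock skew, replay) is treated as not recent.
        return stamp is not None and 0 <= now - stamp <= REAUTH_WINDOW


def change_two_step(account: Account, session_id: str, enabled: bool, now: Optional[float] = None) -> bool:
    """Toggle 2-step verification, but only behind a recent password entry.

    A thief holding the phone's logged-in session still has to know the password
    before this call succeeds; the session cookie alone gets ReauthRequired.
    """
    if not account.recent_auth(session_id, now):
        raise ReauthRequired("enter your password to modify 2-step verification")
    account.two_step_enabled = enabled
    return account.two_step_enabled


if __name__ == "__main__":
    acct = Account.create("correct horse battery staple")
    try:
        change_two_step(acct, "phone-session", False, now=1000.0)
    except ReauthRequired as exc:
        print("blocked:", exc)
    acct.reauthenticate("phone-session", "correct horse battery staple", now=1000.0)
    print("2-step enabled:", change_two_step(acct, "phone-session", False, now=1200.0))
```

The check is keyed on the session, not just the account, so a password typed on a desktop does not unlock the settings page for a session running on a stolen phone. The remaining gap is the one the thread points at: if the browser on the phone has the password saved and autofills it, `reauthenticate` succeeds for the thief just as it would for the owner.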
With this scheme someone can't access your account by stealing your phone. You also can't access your account by getting your phone number to point to your new phone though.
Put a strong password on the phone. Not just a PIN. Touch ID makes that practical now.
If you have a targeted attacker then Touch ID is actually less secure.