Tell HN: Google requiring phone number to log into Chromebook

327 points by pisky ↗ HN
Long story short: bought a couple of Chromebooks over the years (as they're nice multi user machines), created Google accounts on each but never gave a phone number. Now after years of use, Google pops up an "unrecognized device" roadblock AFTER I enter the password to log in, with the message "enter a phone number to get a text message with a verification code".

There is no mention of suspicious activity. The only trigger I can think of is a recent modem reset that changed my Public IP, and my new IP doesn't appear to resolve to my old physical location in Google's geoip db.

Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers? I don't even understand how giving them my phone number proves anything as I definitely did not ever give them one previously.

Unfortunately burner phones are not available in my country, so that's not an option.

201 comments

[ 2.9 ms ] story [ 253 ms ] thread
Google voice numbers work, BTW. So since you ha E a Google account, make a burner G voice number and get the text that way.
You cannot create a Google Voice number without providing an existing, working, real number.
Huh, I didn't remember that. The last gv number I created was many years ago.
mailinator has an SMS service
Using disposable SMS service for what will be used to verify account owner in the future sounds unreasonable.
if you know about it, everyone does

and such services are usually blacklisted

They've essentially bricked your machine and are demanding your phone number to un-brick it? Sounds like a case for a legal battle.
Sonos just did the same. They want you to create an account (and therefore give them an email) and otherwise are effectively bricking the device in the latest update.

Was time to get rid of this pos.

Doesn't Apple do that too?

One of the reasons I use Linux on my MacBook.

No. Why would you spread lies like that?
It's a question. The user saying that may be wrong in that assumption, but to counter assume intent of spreading a lie is a bit of stretch.
Isn't it true that questions are very handy in rhetorics? No, you do not get a pass just because you claim you were not sure. If you don't know, then don't suggest it. It just muddies the water.
Arguably the sequence of question and affirmation makes it sound very much like the question was purely rhetorical.
Where/when did you encounter that? I used a Mac machine for awhile without even logging into iCloud/Apple ID; I don't recall being asked for any personal info beyond what's required to set-up the machine.

Off-topic, out of curiosity: what distro are you running on the MacBook, and how's that going?

You can set up a Mac or iOS device without ever logging into an Apple account. The only place it is "required" (well, not strictly required , but I guess an iOS device is not that useful otherwise) is for the App Store to get apps (someone correct me on this but I'm not sure you can download free apps without an Apple account, and there's a way, although convoluted IIRC, to create one without entering credit card details)
Last I heard, you can't download any apps without signing in with an Apple ID. Since sideloading is impractical on iOS, this would make the phone not very useful as you can't install any software.
You're being downvote but an appleTV is completely useless without an appleId...
Well, when there is only one App Store and it requires you to log in, it in effect means you have to have an Apple ID -- which is a far cry from being forced to give up your phone number to use your own personal computer.
On the other hand they could allow access to the app store only for free apps
I just use homebrew.
No. You can give your email and it enables some additional functionality such as iCloud if you want to opt in to that but it’s not required.

When it asks if you have an Apple ID (which can be any email address) there is a skip button in very plain language on a very uncluttered screen where it is very easy to read.

And no, it never asks for a phone number. You are free to add one later though if you choose. But the OS doesn’t want it or use it...

The only place I can think of where you can put in your phone number is the Messages app, which is not even part of the OS.

You would do this on your own initiative by the way, not requested by the app or by the OS. Putting your number into that allows SMS messages to appear on your computer.

No, I've been using Macs for years and have never created an apple account. They really encourage it, but you can in fact skip all the prompts.
An email is waaay different than a phone number. You can easily just use a burner email- but using a burner phone is too much work and costly.
Twilio SMS is an option at $1 / month
I've had problems using Twilio numbers to create Google accounts. I think voice activation does work, but you need to forward the number to your own number.
It should be assumed they check the phone number provider and block twilio as a spam prevention technique.
How can they detect Twilio numbers but still let scammers robocall my phone on a daily basis via bandwidth.com's API?
Even where this doesn't happen, Twilio block messages of the form "Your Google verification code is 123456" so you can't receive them anyway.
I removed SMS from my google account for security purposes and use push notifications on the google app. Perhaps you could try that.
Your solution is to give them your phone number first?
It’s an app and I don’t know if you need to supply a number first. Either way they need it one time so use a throwaway only to activate the app.
I have a similar problem with yandex. It's not hardware, just an email account, but I'm locked out of one I used for stuff because they are now asking me for my phone number because of "suspicious activity". I don't want to give them one.
Yup. And Yandex is one of the only free email services left that doesn't require a phone number to register yet they stuck me with a lockout on the account weeks later (still haven't bothered to re-activate the account yet).

Not to mention that I created both a custom question and answer with randomly generated strings that couldn't possibly have been known by anyone else, which they confirmed as correct during the lockout and still are demanding a phone number to 'verify'. I mean, really now, how on earth would giving any random phone number further verify I'm the account holder when I already know the correct randomly generated password, secret question and secret answer.

Gmail has similarly locked out various accounts with this despite no actual suspicious activity and having a completely unique password. It's a transparent effort by all these companies to gather more user details.

https://cock.li/ doesn't require phone number (you can also choose other domain name)
It's a one man show and can disappear any moment. Following is pure speculation, but it raises concerns as well. Owner of cock.li leaked that he had a job in Romania. What could possibly an US citizen do in Romania? Well, Romania has an US military base, so he could be an IT contractor connected to that, which makes cock.li just a honeypot.
ProtonMail doesn't require a phone number either for registration.
This is not entirely correct. Sometimes protonmail requires a phone number to send an auth code when you sign up. It randomly happens when you use Tor/VPN. Sometimes it's another email address. In very rare cases is just a google captcha, which itself is still tor unfriendly. Please don't spread false information.
> Yandex is one of the only free email services left that doesn't require a phone number to register

It is a trap. Register a new account and it will be locked in a few days. It started at the beginning of this year before Putin's "election". Pretty much all Russian websites that bend over to Kremlin are requiring a phone number and real name now.

I have the same when logging in to my Google account provided by my employer. I don't have 2FA set up, so they have no prior knowledge of my phone number.

I'd also like to understand how this is possibly useful?

In my case I was travelling, so had no option but to enter the number of the nearest available random person willing to lend me a phone for the purpose, with no idea what it would be used for.

It is cynical to suggest it's to boost their network of connected phone numbers, but I can't think of a better explanation?

What you're describing is a "cost proof" - namely that the user has something we can verify that costs some amount of money and is unique. So when the service I work on asks for a phone number verification, it's not always to determine your ID - it's to cut down on spam from users unwilling/unable to set up tens or hundreds of phone numbers, which I imagine is the majority of spammers.

Adding it to existing accounts, though, makes less sense to me. Retroactively checking that an active account can cost proof seems like the most intrusive way of doing this, particularly as part of OS login - at this point you have so many signals that you should already be able to detect the user is a spammer or not.

Then it also seems especially odd to do this on a paid-for G Suite account.
it's to cut down on spam from users unwilling/unable to set up tens or hundreds of phone numbers, which I imagine is the majority of spammers.

If anything I think it's the opposite --- dedicated spammers have shown they can farm resources like accounts of various types, so phone numbers aren't out of their reach. It's the casual users who don't want to give away their phone numbers or setup a throwaway one which will be turned away.

Cost proof doesn't cut in for those users - it's typically only put in on the Nth new signup within X hours from an IP address.
When logging in on hardware that they provided, the cost proof should be solved (if you are only using one or a few accounts). Chromebook could come with a private key and sign a message for google, they control both hardware and software.
This is the reason for the verification, and I'm surprised nobody mentioned it yet. When you sign up for a new account they also require a phone number. It provides a basic measure of accountability and a bot prevention mechanism.

They're doing it on Chromebooks because you're using Google's services. A Chromebook is just a Google Cloud Computer; users aren't expected to use one without using Google's services too.

Stop buying computers that require you to provide your identity to ad companies in order to use them.
While this is a good idea in principle, in this case it's a recent development. You can't really go back in time and unbuy it just because Google suddenly decides to be a(n even bigger) dick.
You could install GNU/Linux on the ones that were already purchased.
> Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers?

Nope you are not crazy at all, that's exactly what they are doing. It's the same pattern in practice of online banks that are demanding you give them an SMS capable phone, it's so that they can in the backchannel identify you through AT&T, which is really teh corporate face of the NSA (don't argue with me, 33 thomas st. nyc), and the implications there is that they have many things tied together in fusion centers so they can use something like palantir to instantly profile you when you put in that number and it draws in via their backchannel apis your bank accounts into a single view along with your other information, like medical, civic, etc that's literally what fusion centers do. It's all hooked up for THEIR convenience, and its all keyed off now on google's gaia_id. They tether your phone number(s) to gaia_id and voila all these data sources get drawn in....it's all about the convenience to the five eyes/nato people to force you to use their free sandwich stuff and get everyone tied into the central hub of services that is google

So I agree with others: don't use a chromebook. I have an older friend who needed a laptop for work and I made the mistake of getting a chromebook. The f*cking thing didn't do TKIP correctly in WPA2 so it didn't work with my wifi without making major changes to security in a tactical frustration that made ME look like I didn't know what I was doing

It was a G d nightmare, but needless to say I will NEVER use a chromebook again, esp after hearing your issue with the phone

Just get a refurb lenovo from tigertits or newegg and put linux mint debian edition with xfce on it. The end

You've only been a member for less than 12 hours, but I've already specifically enjoyed your comments in two separate threads. I hope to see more of you in comment threads! You add a lot of value.

Whats your "stack"? are you running linux and avoiding google services entirely - or using and mitigating their tracking?

This conspiracy theory makes no sense. Why on earth would your bank need identify you by phone number when you already have to give them your social security number to open the account?
> conspiracy theory

Its a fact and works exactly as he described.

Also the term conspiracy theory was created and popularized by the CIA as a function to install into the general population as a protection mechanism against their own true and active operations, which as stated, are treasonous to America and American citizens.

A useful tool for you might be to become self aware of your use of the term “conspiracy theory” and whenever you find yourself reaching for it as a knife, to instead reflect on the issue and to genuinely and independently compile a response to the topic at hand using basic logic, reason, and available known prior actions of the organizations that would profit from discrediting the topic.

Good luck.

> Also the term conspiracy theory was created and popularized by the CIA as a function to install into the general population as a protection mechanism against their own true and active operations, which as stated, are treasonous to America and American citizens.

This is not true. The term is older, dating back to at least 1870, and was used then much in the way it is now [1]. The idea that it was coined by the CIA is an urban legend.

[1] https://www.csicop.org/specialarticles/show/nope_it_was_alwa...

Duly noted and interesting, thanks.
About your WiFi issue: you shouldnt use WPA2 TKIP, because it is insecure.
Go create a google voice account and put in that number.
I can't offer any advice that can help you quickly or is guaranteed to work. Write a longer and better composed post on some platform, with details of what you've tried, whom you tried to contact at Google, responses (or the lack thereof), etc. Share it on HN, Twitter and elsewhere to get some traction. If you can get it to someone at a senior level, that may help. Sadly, that seems to be the only way to get some companies to pay attention.

I'm not sure if your Google account is tied to a Gmail address (it doesn't necessarily have to be), but I would advise anyone who uses (or must use) Google's services to use an email address from another provider so that if you lose access to the Google account, your email also doesn't disappear with it. Further, disentangling oneself from such providers and going with those whose business depends on your monetary support may be a better choice (where feasible). I also get that these suggestions may sound absolutely ridiculous.

How do you even find someone to contact at Google? When I tried in the past, the only support was for people that had some sort of recurring SaaS contract or for AdWords
You force them to hand over their phone number.
Some of them read Hacker News.. if your problem makes it to the frontpage you might be in luck. But again, this is really not the way this should work.
Can you install Linux in these machines?
Yes. There’s a Chromebook-optimised distro called GalliumOS. I use it on my HP Chromebook G5 (weighs the same as a MacBook, costs £200) and it works great.
ChromeOS utilises the Linux kernel itself but without arguing semantics you can install a chroot Linux distribution with Crouton [1]. Whether that supports this specific machine (whatever it may be) I do not know.

[1] https://github.com/dnschneid/crouton

You'd need to get past the login screen to install a chroot, so not appropriate for OPs usecase. Some machines support modifying the bios, but it requires taking off the panels to unscrew the write protect screw.
You can install something like GalliumOS depending on compatibility [1], but it's not for someone who's afraid of modification as to make the boot process seamless you need to modify the BIOS. I have an Acer C720 running it, and it works well - it's a light, cheap linux machine that I can take with me wherever and not be too bothered about (because of the replacement cost), but TBH I think installing Linux because of the OP's issue is sledgehammer/nut! Lots of people like ChromeOS (my Mum has a Chromebase, and since she's had it I've needed to provide precisely zero tech support which wasn't the case for either her Mac or the PC she had to replace it), so replacing it with a niche version of Linux may not be the route to go for many.

[1] - https://wiki.galliumos.org/Hardware_Compatibility

For the older ones I've read that you can reflash it to a "normal" PC BIOS and then it becomes a pretty ordinary laptop that will run Linux or Windows or whatever else.
Evil.

Imagine those teens at school, that bought Chromebooks because they were more affordable, and now getting pried on like this.. :-( It is this generation that is going to lose the idea of privacy and suffer from these piece of shit corporations.

It's almost like watching a movie.

If you're a school you're on GSuite for Education so can create as many accounts as you want for free, without phone numbers, and for under 13s
Parentpost is talking about a different market group. You are talking about chromebooks provided by schools to students. Parent is talking about chromebooks _bought_ by students (because they're cheap and functional).
Fair enough. I'd just pick up a random sim card at any supermarket, comes with a free phone number.
FYI being able to just buy a random SIM a any supermarket is not common outsid the UK.
FYI, it's possible in Ireland.
It is common at least in most of Central and Eastern Europe.
And in most of South America, and many Asian countries
I don't want to spend money. Not even a few quid, because a scummy company suddenly doesn't let me access my device, which I "own" for years without surrendering even more personal information.

That's apart from what other posters explained. That in a lot of countries you can't just get a sim from a kiosk, or a vending machine without proper identification.

Use TextNow app- it gives you free phone numbers.
Many services that require phone numbers can tell if a number is a free VOIP number and will not accept it for verification.
This is an anti-spam and anti-abuse requirement, not because they need you to tell them your phone number.

They’re on most of the phones in the world, and have access to all the billing records associated with your phone number, as they’re a cell phone service provider. They’re asking folks who they think might be abusing the service for this information, so they identify themselves in a way that Google can report to law enforcement.

The idea they’d need you to tell them this information so they could use it is kind of laughable.

Given that this is a very new account I smell trolling, or astroturfing. Just in case it's not, I bite:

This is an anti-spam and anti-abuse requirement, not because they need you to tell them your phone number.

Any means of backing up that statment? Specifically, why are anti-spam measures needed to access a device?

They’re on most of the phones in the world

So what? A lot of people, myself included, will never, ever use an Android device. Especially since they don't trust Google one yota not to completely violate their privacy. In terms of the discussion this is a red herring.

and have access to all the billing records associated with your phone number, as they’re a cell phone service provider.

It's here, where your comment gets outright ludicrous. From [1]

When the mobile device is turned on or is transferred via a handover to the network, this new "visited" network sees the device, notices that it is not registered with its own system, and attempts to identify its home network. If there is no roaming agreement between the two networks, maintenance of service is impossible, and service is denied by the visited network.

The visited network contacts the home network and requests service information (including whether or not the mobile should be allowed to roam) about the roaming device using the IMSI number.

If successful, the visited network begins to maintain a temporary subscriber record for the device. Likewise, the home network updates its information to indicate that the cell phone is on the host network so that any information sent to that device can be correctly routed.

There is NO, whatsoever exchange of subscriber information, safe for service information required for billing. Pretending that "Google can associate billing records with your number" doesn't pass the smell test.

The idea they’d need you to tell them this information so they could use it is kind of laughable.

The idea that the ilks of Google, Facbook and all those dodgy add tech brothers and sisters would not abuse any means possible to violate your privacy is laughable.

[1] https://en.wikipedia.org/wiki/Roaming

You don’t think there is a system for network providers to identify customers to each other?

How about to law enforcement?

I find teens rather cautious about giving out phone numbers, older generation - much less so.
Anyone over the age of 40 (and many younger) will have had a landline, almost all in the phone book. Name, address, and phone all neatly collected, very few were bothered.
Very good point. I had completely forgotten about that practice. Name, address, phone number. Seems surreal.
There's no problem with it in general when it's printed on a dead tree.

When it's available electronically, everything changes

True but that loophole was closed when phone books started to collect mobile phone numbers. Nobody was happy with that so it was changed so that people had to actively opt into being listed. Phone books are now dead and good riddance.
Except that with the advent of mobile billing, and the like, any phone service provider can pull your info from pretty much anywhere in the world.

Which is why Google is asking for a phone number here, they think the account is likely abusing a service, and they want to identify who is using it.

>"...and now getting pried on like this."

Those students are being tracked regardless of whether they provided their mobile phone number. ChromeOS is an entire operating system that tracks you from the moment you sign-in with your Google account.

Sure, you can use a guest account, but you won't be able to save anything because the entire OS is "cloud-based".

People rush to Google's defence and say that Google doesn't build ad or marketing profiles from student data. But even if the online activity from students is aggregated or detached from individual accounts, that still means Google holds the personal online behaviour of millions of students. They can now poke and interrogate that data in ways that even they probably haven't fully grasped. And as we've seen from Netflix and Spotify, aggregated data still lets you pull out precise details and behaviour from "anonymised" data (a meaningless term).

Tracking is so pervasive and so normalised that no-one even bothers to ask: why should students be tracked in the first place? Tracking online behaviour is in Google's DNA and no-one does it at such industrial scale.

The hypocrisy of the tech community who have nothing to say on the privacy implications of ChromeOS in schools is hard to understand.

Most of the tracking in your google account is to give you the answers you’re looking for, not because it’s of any benefit other than providing a better service.

Like when I search for a three letter acronym, google knows that I’m an engineer, and I see links for results about computer hardware, and not about a Jewish Torah studies group with the same TLA.

Google makes those models for individual accounts, which is why google can tailor results so well to what you’re looking for right now.

Are u worried about your country's security services or Google? Not sure of the question. If it is (1) then stop using anything from big 5 tech. It is likely changing ips and locations possibly makes google feel suspicious that your login is being compromised. For my very paranoid friend, I bought 2 X 'U2F' key completely open source at https://u2fzero.com/ (unlike some of Yubico keys) . All problems went away.

Also remember any form of 2-factor is better than none. Yes, GSM can be hacked and yadayada.. but even one extra factor always slows down. See even a senior Mozilla dev got hacked without 2FA: https://www.theregister.co.uk/2017/08/02/chrome_web_develope...

Can't you just set up an alternative two factor authentication method? How about a Yubikey? I think that maybe if 2FA is not explicitly enabled on the account, Google try and enforce this 2FA 'light' method using SMS
+1 ... they pestered me for a phone number until I set up 2FA then they shut up.
>Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers?

Yes it does. The normal Gmail interface I get now has a forgot password link which is by default activated after I enter the username. I have to explicitly jump over that to continue entering the actual password and thus to my mail box.

My decade+ old Hotmail account, plus two more newer ones, began prompting me for a # "for security" back around 2014. After a couple weeks of "not right now" all three of them locked me out simultaneously. Yahoo still asks for a # to this day(AFAIK... stopped using it after Oauth prompts appeared). Security IS one benefit, but it does not seem to be the most heavily weighted reason. Most don't change phone #s often, if ever. Seems like a super data tracking metric.
(comment deleted)
I’ve had chrome books as a possible purchase.

That’s finished now.

I want my machine to be my machine.

Google can F off.

If you wanted that why would you ever consider a Chromebook in the first place?
I am/was considering a Chromebook because of the lower price and the opportunity to run Linux on it
If you were running Linux on it wouldn't this be a non-issue?
If that's what you're looking for, buy an off-lease/refurb/used business class notebook that's a few years old. On the ThinkPad side, a T450 or T450s, maybe a T440s if you're going to disable the touch pad, maybe a T430s if you're willing to go back 6-7 years but then you're really going to be looking at likely battery issues and higher weight.
(comment deleted)
I've had this issue with one email account that I use solely for a very busy email group. Occasionally there is no way at all to log in, as I have no tied phone numbers/email accounts. I think one question was, when did you create this account? Which of course, I have no idea.

Anyway that has put me totally off using gmail. I rarely have a phone too, so using a phone number for secondary authentication is a PITA.

Funny enough the much maligned evil Win10 allows for the use of a local account.

(I am hesitant to give American companies my personal information because they are not beholden to my country's consumer laws).

It could be that your account was hacked and the hacker has enabled 2FA on your account using their phone number.
Hi, op here. They're asking me for any phone number, not for one tied to the account (there is none). I've confirmed this by comparing with the message a friend sees with two factor authentication turned on.

Some people are posting here saying they got in using a stranger's number so I still don't understand how providing a number proves who I am.

I've had this happen with gmail accounts randomly. Most of the time with computers I've been using for years on the same network.

The worst occasion I've ever had was the one time I was traveling. I was getting by with only wifi and, naturally, didn't have a phone number to confirm my account with. I didn't have a number bound to my account, either, making the whole process pointless.

How did I get into my account? I asked a random guy who walked by if I could login to my email on his phone (since at that point I'd left my wifi area and couldn't login with my own device). It was essential that I check an email at that point, so I didn't have a choice. It was anti-security--I literally gave full access to my email account to some man I never met before in a different country.

Google needs to stop pretending it's some security measure. It's not. It's data harvesting, plain and simple. I just wish they'd admit it.

Even if you removed that number from you account immediately after logging in, something tells me google will not forget that association.

He might not had an account then, but could create one in the future. So now if either of you messes up or does anything even remotely suspicious (in google's eyes) - say goodbye to your account.

I had a Gmail account for a secondary email address that I used at times. One day I logged in with my email and password, and Google said I needed to further verify my identity. Well, my security question was a bogus one because I was confident with my password manager and backups it would not be needed. But, I guess I was wrong, because I didn't anticipate that knowing the password wouldn't be enough for Google. I never got access to the account again.
Precisely the same thing happened to me. I removed Google from my life entirely, and I'm really happy about it.
Next time, add your security questions to your password manager.
Yes. I answer something like "favorite color" with "blue green red" or "blue was the color of my first bike" if I can. I end up with something like this:

pet: answer school: answer friend: answer

Security Q/A are de facto passwords. Treat accordingly.

Further, they're often a sign that a human employee providing support can override and manually authenticate a user. Whether or not that is really the correct user. Treat your entire account with them accordingly.

Stupid "security" questions, I've started answering them like "what's your favourite colour?" - "colour" or "what was your first pet's name" - "pet".

There are a few things that make me wonder if I can trust a company. Security questions, stupid password restrictions, sending me a password in plain text via email.

I tell the students that you really need to lie and put in some words that you remember that go with the question. Think of it as a challenge/ response, not an answer.
I recently was forced to do this by my home ISP. I used my password manager to generate 32 character length passwords, and then stored that info in the manager. However, when I attempted to save this info, the website responded with something along the lines of, 'we're sorry, please come back and try this again at another time.' This was preventing me from paying my bill online as it would not let me access my account with this info. I did this for 3 days straight. On the 4th day, I changed my answers to very simple responses similar to yours and the entire thing worked. It's not that it was fixed, because I tried the complex values first on day 4. Their system couldn't support such a value, and failed at letting me know that.
So, effectively, three security questions, like this:

  Favorite color? red

  Favorite band? yes

  First vehicle? car
In reality, they actually reduce complexity, defeating a 12 character password requirement with numbers, uppercase, lowercase and punctuation characters, because the total space of complexity can be possibly less than 9 case-insensitive letters.
I used to give my real birthday. Then I kept reading about how knowing that plus your address (usually easy to find on the internet - whitepages.com, etc.) got someone a long ways toward imitating you.

So I started making up birthdays but would have problems because I didn't remember them. So now I just use the epoch, which I think somebody here suggested.

I put January 1, 1970 as my birthday, and sometimes I can tell sites convert to timestamp and then it rejects my entry because it evaluates to zero which is falsely.
The issue then is that some services will require a copy of your ID to recover/unlock your account, and if the birth dates don't match they won't do it.
I use my sister's birthday. Other than the year, it's close to mine, and I don't forget it.
I always use plausible typos.
I use the registration date of my car (which is 4 years older than me) since at least I can look it up.
What on earth are those of us supposed to do that don't have a phone?
ProtonMail.
I second this; ProtonMail is great.
Switch to a paid service that doesn't depend on your data or on ads for revenue and survival.

I would mainly recommend posteo.de because of what the company stands for and its cheap pricing. Other options are runbox.com and mailbox.org. All these providers support IMAP too. So you can use any email client on any platform, or the web interface, to access email.

Protonmail, recommended by some others here, doesn't support IMAP for free accounts (so you can't take your mail out easily if you want to move elsewhere). For paid accounts, it has a "bridge" software that needs to be installed and running. This is available only on Windows and Mac. For Linux, the FAQ [1] still says at multiple places that it'll be available in "early 2018", while we're already nearing the fourth calendar quarter of 2018.

[1]: https://protonmail.com/bridge/faq#c8

Or simply buy Apple and use iCloud for emails and data
Except they silently filter email messages based on certain keywords
Emm, they do what? Please clarify.
Fastmail. They even have a real customer service.
I think the correct term is security by obscurity. Every time I need to "ID" myself I just borrow someone else's phone.
Did Google ask again for a phone number when you tried to log in from the strangers phone?
It’s a security measure FOR THEIR SECURITY, not for yours.

It’s an anti-spam, and anti-abuse measure. So they’re not giving away free resources that get used to harass their users.

Why would Google need you to give them your phone number to associate that with you? They’re on many of the phones in the world, someone you know has already done that for them, or you used your own phone to do the same.

If Google hired reasonable smart engineers, they'd know that a 10 year old account with a stable history of regular emails isn't a spam account.

Unfortunately, Google doesn't seem to have the best staff. Or even good staff.

10 year old accounts get hijacked all the time.
Yeah, maybe.

But it's Google. I could name at least 12 datapoints to check wether it's still the same user it was for 10 years on top of my head. Starting with "still using the same device" going to probably things like "typing style", given how sophisticated their AI is.

There is really no excuse for Google's ADD and implementing half-assed features and stopping to support them 2 months later...

This isn’t a feature to authenticate the account. This is to identify the person using the account. They’re tying the person using the account to a phone number that person apparently controls, and thus a billing contact.

This usually means Google suspects you of doing something that might be abusive.

In this case: re-activating a dormant account that was in a data dump would be a safe bet.

Get a Google Voice number https://google.com/voice and link it to Google Hangouts or Google Messenger so you can send and receive texts via your phone or Wifi Web apps.
I cannot reproduce this on any of my chromebooks.
I can reproduce this on my secondary and tertiary gmails. They require a phone number or security "questions" that I have no idea about.

I have effectively lost access to them because of google.

It proves you are not a bot? The account recovery procedure is usually via a secondary email account or saved backup codes.

I know this because I have a friend who's prone to getting himself locked out and I have become his personal tech support guy (not willingly).

I understand the measures they have to go to to stop bots, but Google have more than enough data to know these accounts are not bots (they have years' of browsing history and whatever other hooks they use on Chromeos). Unfortunately these accounts were created years ago and I assumed 'recovery options' would only be required if I forgot my password (which I never would). Beginner's mistake.