228 comments

[ 4.5 ms ] story [ 249 ms ] thread
This is dangerous. I specifically don't want 2FA on one of my Google accounts because I only have one phone number tied to one device, and this decision by Google to enforce 2FA is going to lock out millions of accounts since some people like to have two Google accounts for compartmentalization reasons (one account for work and another one for play is a common thing to see). So now I need a second phone to get 2FA prompts on the account where I don't want 2FA turned on.
Dangerous? For the users maybe. What are they going to do?

For Google? They get to clean up (only keep "real" users) and reduce datacenter costs.

And maybe slow down account creation used for online harassment?
A phone number is already needed to create a Google account, completely independently of 2FA and a backup phone number
Last week I created a gmail account. No phone number was required. I fully expected it to require one, but it didn’t.
It looks like if you create it through the Gmail app that is a workaround to not needing a phone number
SMS is not the only – or preferred – 2FA mechanism for Google accounts. You can use any TOTP authenticator application, Google mobile applications like Gmail, physical security keys, or backup codes. Having a single phone number is not a problem for dealing with multiple 2FA-enabled Google accounts.
> or preferred

I just made a new Google account a couple hours ago, and it definitely looks like the preferred mechanism.

- There's one stage in the signup flow you can't bypass without SMS (granted, it doesn't automatically save that number to the account if you opt out, so that's nice).

- When setting up 2FA you're given giant messaging encouraging you to use a phone number. There's tiny text for other 2FA options.

- Those other 2FA options don't actually include TOTP. To enable TOTP you have to enable a "primary" 2FA solution (SMS, hardware key, or push notification), then enable a "secondary" 2FA solution (which can include TOTP), and if you're concerned about the shitty security SMS provides you then need to remove that as a 2FA option.

Edit: Mind you, it's probably reasonable given the state of the rest of their ecosystem to not have TOTP as the 2FA for your Google account (like if you have a chicken and egg problem trying to get into an android device with a TOTP app), but TOTP doesn't seem to be anywhere near as preferred as SMS.

That, and they do support hardware tokens out of the box (even if the UI doesn't make that super clear), so that's a step in the right direction.

Even though TOTP is provably safer than SMS, it looks like the reason why they want SMS/push as a "primary" is so that they can suck in more phone numbers, since hardware keys have an additional cost that most people won't have. Phone numbers will let them do better ad targeting.
That is Silicon Valley's reason for 2FA in a nutshell. Phone numbers can only be obtained with identification in many countries. It is a privacy nightmare.
It may be safer but it is way less user friendly. If you lose your phone with Google Authenticator (or any competitor), you will lose access to your accounts. You'll need to find your backup codes or go through the process to reset your accounts, which can be very cumbersome. Once someone has to go through this process they won't want to use 2FA anymore, I've seen it happen to many people.

But if you break or lose your cell phone you can just get a new one, and you have access to your 2FA token again immediately. It's much easier for people to work with. Yes it's less secure technically, but that sacrifice is worth it for a lot of people.

There are authenticators out there that can run on multiple devices and have multiple backup and restore options (with SIM Swap prevention) like saas pass.
You can backup your 2FA TOTP qrcodes to physical cold storage, and you can keep backups. Most non-technical people understand the process of "keep this print out safe + secure"

However you can lose control of your SMS phone number any number of ways that are beyond your control.

It's frustrating that so many providers push SMS as the only 2FA, when there are so many problems with it, and TOTP is provably better, privacy preserving, and much easier to work with.

I don't know if you ever worked with tech-illiterate people, but there is no way that they would print out or write down a list of codes or keep something in cold storage. Hell, even if they know how to. It's too much effort for something like email, and yet they wouldn't realize the importance until it's too late. I personally had to deal with an aging woman who had her online banking password set to her name followed by the year she was born in, and was unwilling to use the USB security key that the bank started providing. There was more than a million in her account. She couldn't be fucked to secure that kind of money with a free-of-charge easy to use key. It was not a case of an elderly woman struggling to remember her password or not understanding how to use it. In her mind she deserved the access to her account just on the merit of it being "hers", and she saw the security as an unnecessary ritual that the bank used as a barrier between her and her money and nothing could convince her otherwise.
That is a fair assessment in some cases, but I have also assisted tech-illiterate elderly folks with bank accounts in non-US banks. Keeping a printed list of codes (one time passwords) was in-scope for accessing the bank online, as well as other silly tricks as an on-screen keypad with rearranged numbers.

I think there is too much emphasis on catering to the lowest denominator to the point of sacrificing privacy and autonomy , rather than raising awareness and education.

> Even though TOTP is provably safer than SMS

This seems like it would depend heavily on your threat model, especially keeping in mind that we're talking about second factors here.

For example, one threat is that bad guys gain access to the authentication data of the Relying Party. For example, maybe they find the daily backups are in backups.tgz on the web server for convenient downloading. Or maybe you never changed the password on the MySQL server. This is of course one way bad guys might have everybody's passwords, the first factor...

For TOTP the stored credentials include a "seed" value used to generate those six digit codes, and so by the relying party to confirm your code is correct. So for that credential access threat, the bad guys also have your TOTP codes and you're no better off with TOTP.

Whereas for SMS the stored credentials just include a phone number to send the one use codes to, bad guys having that isn't great news necessarily, but it doesn't actually give them the codes. Even if the one-use codes are stored in the same place as permanent credentials (which they may not be) and thus accessible to bad guys, the bad guys can't necessarily arrange to see them before you use them, and in any case can't arrange for you not to wonder why you're getting all these one-use SMS codes suddenly.

In contrast notably Security Keys don't end up with the Relying Party having any secrets at all, and so bad guys do not learn how to impersonate your users even if they somehow have access to the same means you use to authenticate those users.

(comment deleted)
It's because people lose access to their phone number rarely. It would be pretty much expected for somebody to not realize their Google Authenticator codes aren't backed up before losing/selling their phone or losing their Yubikey before backing up the private key off it. As somebody who doesn't use SMS 2FA, I still think it's a great middle ground for the average user.
Untrue. Particularly in emerging economies where prepaid is much more common, it’s quite normal for people whose phone becomes unavailable to just buy a new one with an entirely new number and just tell everyone their number has changed.
emerging economies don't have number porting?
They do, but a lot of people don’t bother and just get a new number along with the new phone.
(comment deleted)
(comment deleted)
Then they wouldn't use their temporary number for 2FA. But for a lot of people they have their number for decades and are not going to suddenly lose it as easily as you can drop your phone into the ocean.
They finally updated Google Authenticator to enable backups and transfers between devices in December last year.[1] Also, there are other 2FA apps like Authy that are more user friendly and have been transferrable for years now.

However, I think you do have a point. The attacks that rely on intercepting SMS messages are cumbersome and are really feasible only for high value targets.

[1] https://www.androidpolice.com/2020/05/07/google-authenticato...

> There's one stage in the signup flow you can't bypass without SMS

Which impedes the ability to sign up if one does not own a smartphone. I’m sure many people who are unhoused and rely on dumb phones need access to email to apply for jobs. Granted, I’m selecting a niche of a niche, but it’s a prime example of how badly the system is stacked against people trying to claw their way out of poverty.

Feature phones are perfectly capable of sms.
I didn't test this very much with the current Google flow. I know FB and whatnot require a post-paid cell plan (i.e., with your name attached) at that portion of their sign-up flow, and that precludes a lot of the cheaper phone options.
1) Type of plan as no baring on feature vs smart phone.

2) Maybe pre-paid plans are contract based.

> There's one stage in the signup flow you can't bypass without SMS

You used to be able to make gmail accounts without a phone by using an Android TV device. I wonder if that still works.

Except that you might need to first setup phone/sms 2FA to then be able to setup any other 2FA auth, without being able to fully disable phone/sms based 2FA auth.

I'm not sure if it's still that way, but when I setup 2FA I could not directly setup non phone/sms 2FA (e.g. Yubikey, non google authenticator apps).

Worse even through I then explicitly disabled phone/sms based 2FA google at some point just switched it back one.

Worse there had been multiple times where having the 2nd factor but not the first (password) was enough to combine it with social engineering to completely take over an account. Some security researcher go hacked by this. Again I'm not sure it's still that way, but I don't trust Google anymore to not accidentally but a 2FA related vulnerability which makes the account less secure into their authentication flow. They either don't care (likely) or don't have the competency to handle this (unlikely). Well it's one of the reasons I'm slowly moving away from Google.

>a single phone number is not a problem for dealing with multiple 2FA-enabled Google accounts.

It increases the risk that a ban on an account will bring all of them down since you link them with same phone number identity.

Google makes using a different TOTP authenticator very difficult.

First, I need to register a phone number as 2FA. Only then can I choose an alternate method, get codes, and have to select Google Authenticator to use my Open Source authenticator, Aegis.

Does not say Google Auth or any TOTP; specifically only says Google Auth. I was worried Aegis would not work until I tried it.

Why not show choices on the sign up screen? Why do I need to register a phone number first? It is very insecure in the USA. Data collection? Hold out from when a phone number was the only real 2FA and a TOTP was under additional options? If the latter, that needs to change if 2FA is going to be mandatory.

This is doubly silly because the Google Authenticator team created the otpauth:// URI scheme which every authenticator application supports. I integrated it in pass-otp, for example.
>Why do I need to register a phone number first?

It's an anti spam/anti abuse feature. Getting access to new phone numbers that aren't recognized as virtual is pretty hard.

Then use a TOTP authenticator, which isn't tied to a phone number.

As an aside, this is the second comment, now, that is confusing general 2FA with SMS-based 2FA specifically. Given the audience of HN this is honestly surprising to me and makes me wonder how common this confusion is.

That alone makes me glad Google is doing this as maybe it'll drive more folks to be educated about 2FA.

Last time I checked and tried to have good 2fa on a Google account with only that,

TOTP is only allowed as an "additional" means of 2fa and to enable it you already need to have the Google Android promt authentication/phone? 2fa configured (Maybe not exactly like that, but basically you cant just add TOTP without having something worse already added).

(comment deleted)
(comment deleted)
I do not have SMS 2fa on my google account, but I do have TOTP and now U2F. At one point I definitely had only TOTP. At one point, I also had only U2F.

What I don't remember is whether or not I had SMS 2fa before and removed it, or never had it at all.

They allowed TOTP as primary method for 2FA before they put the Google app prompt in there as an option. So it was possible to set it up that way before 2016-2017-ish, I guess.
okay that would make sense, since I've had 2fa set up for it basically since they allowed it as an option

sucks to hear that you can't set it up that way initially anymore, if that's the case.

This is not accurate.

I just checked because I thought I was crazy: my account has SMS-based 2FA specifically disabled. The only enabled options are the Android prompt, Google Authenticator, and a set of backup codes.

Your comment is not accurate in the sense that it is currently not possible to enable 2FA on an account without it without a phone with either SMS verification or with a Google app prompt. If you have set it up in the past, before this, it will look different to you. If you set it up right now, you can remove the phone number later but somewhere in the bowels of Google the number will probably still remain to tie it to your dossier.
(comment deleted)
I think you're jumping to conclusions. It's unclear what "provided their accounts are appropriately configured" means, but a Google account that's not associated with any phone number or device probably isn't "appropriately configured" and I would guess that nothing will change.

But the original blog post was so opaque that I completely misunderstood what they were going to do until pointed out in this article. It's bizarre how badly written some Google blog posts are these days.

Why would you need a second phone? This is one of the more ridiculous things I've read on HN.
It is very common to arrange your life so that you are able to 'hand in' all work devices and walk away. Its a seperation of work and home life that is very healthy, and a reasonable self-protective measure.
Such assumptions are the root of all evil.
I don't understand what you're saying here. What's wrong with wanting to keep work stuff out of my personal machines?
No, that's perfectly fine. But where it goes wrong is in the assumption that it is 'common'. It isn't common at all to see the opposite either (not everybody wants to carry two phones around, not all phones are dual SIM).

The whole work/personal line is blurring more and more and our devices and thought patterns have not kept up with this. You could probably write one of those 'Things programmers assume about online identity' articles by now.

Oh yes work/personal commingling is definitely common in my circles unfortunately.
This doesn't explain the comment.

If you have a Google account for work you also have a work issued computer at minimum, so install a TOTP authenticator there.

If you also have a work issued phone it's a total non-issue as you can use that for 2FA.

If you access your work Google account from a personal device in circumstances where you don't have access to work equipment, then install an authenticator there.

> If you have a Google account for work you also have a work issued computer at minimum

I have a Google account for work. I don't have a work issued computer.

I think you're assuming too much about how other people might work.

I agree there are enough options that it shouldn't really be a big problem, but it's not surprising that not everyone are aware of the options.

> I have a Google account for work. I don't have a work issued computer.

Which must mean you're using personal equipment and you're not doing what the previous person was talking about, which was:

> It is very common to arrange your life so that you are able to 'hand in' all work devices and walk away.

Context matters. I was arguing a specific point based on a scenario the previous individual was posing. That scenario apparently doesn't apply to you, in which case, go argue with that person, because it wasn't my claim.

Now, if we want to talk about your specific circumstance, if you're using personal equipment to access a work account, stick a TOTP authenticator on your personal device.

I honestly don't understand what's confusing about this.

Doing work on my personal laptop does not mean I can't just hand in the work devices and walk away. My credentials would be disabled. The work data remains on work machines.

> I honestly don't understand what's confusing about this.

I didn't argue it was confusing. I argued against your assumption. And there's no need to use that tone - it comes across as aggressive and condescending. EDIT: I note this is not your only comment in this thread that comes across this way. Looking at your comment history suggests you're just direct, so I'll assume you don't mean anything by it, but it rarely goes over well here.

At a previous position I regularly used a variety of company issued hardware (alongside my standard workstation). The only company device I had consistently was the phone.

In my current position I can be called up for an emergency at any time. I'm not going to cart my desktop or laptop around on my day off, but carrying a phone for use with any reasonably secure machine I can find is a good solution.

People with responsibility for operations systems will find themselves in this kind of situation somewhat regularly. These are also the people most likely to seperate work and personal devices due to usage policies or risk profiles.

Here is a possible suggestion, let me know if there are problems with it. Install Authy on your phone and backup the 2FA secret key in the same password manager that you have the work password stored. That will allow you to effectively share the account (2FA included) and fully relinquish control if you leave. Would that work?
I'm not the person who said they had a problem with it.
Just install Authy on your computer with a master password for the personal account. No second phone needed. Or install Authy on your phone, but I can't tell if you are saying you only have a work phone and no personal phone? Or is it visa versa? I'm having trouble picturing your setup

Edit: If you already have two phones due to your work life separation, then 2FA isn't really causing you to get a second phone is it?

You are replacing one privacy nightmare with another:

https://www.twilio.com/legal/privacy/authy

The only privacy friendly method is no 2FA, just long secure passwords. Which is why 2FA is pushed so hard ...

> The only privacy friendly method is no 2FA, just long secure passwords. Which is why 2FA is pushed so hard ...

This is absolutely ridiculous and so clearly false I can't help but wonder if it's intentional misinformation.

There are numerous open source TOTP authenticators for both the desktop and mobile that require absolutely no data to be stored in the cloud or shared with third parties.

I myself use KeepassXC and Keepass2Android.

Not to mention, like, fido/u2f based systems which don't have any privacy concerns I can think of, even theoretically.
So you store the password and the TOTP in KeePass? Seems that you have 1FA, hacking your KeePass is enough to own you.
No, that would be silly. They're stored in separate databases with different passwords.

If I was really paranoid I'd keep the TOTP database on a separate device but, frankly, I don't anticipate being the target of a motivated attacker so that's more than I feel is necessary given the threat models I'm concerned about, those being untargeted hacks (service breaches, driveby attacks, etc) and social engineering.

I use Authy specifically because of their backup options. That obviously requires collecting my phone number and email address. I have no problem with that because if I'm traveling and somebody steals my laptop, phone, and backup Yubikey I won't be completely shit out of luck.

If you don't want to use Authy then use something else that doesn't backup the 2FA codes for you. But don't say 2FA is inherently a privacy concern. It isn't.

(comment deleted)
(comment deleted)
(comment deleted)
You can use the same phone number for more than one account.
It's possible to set up a Yubikey (or compatible) as the primary 2FA and Google Authenticator (I use Authy but it works the same) as a backup.

Once you've done that, you can remove SMS as 2FA. At least you could several years ago when I did it this.

I could not remove SMS first, I had to have 3 methods and then I was able to remove it.

This is intentional. They only want you to have one account.
AFAIK, you can use one phone or key for multiple accounts.
I don't enable it because of the social engineering attacks against mobile carriers, tricking them to hand out SIM cards to crooks.
I recommend andOTP downloaded from F-Droid: https://f-droid.org/en/packages/org.shadowice.flocke.andotp/
Also for the desktop I just use KeepassXC with my TOTP creds in their own database.
Isn’t switching between two databases a hassle?
No, KeepassXC provides a "Recently used databases" listing, so the effort required is 2-3 clicks and a password prompt.
Which is irrelevant given Google uses a combination of TOTP, and for connected Android phones or iOS devices running certain Google apps, a confirmation prompt on the phone.
Enabling SMS 2FA doesn't make your account less secure. At worst, if somebody targets you with SIMjacking, it simply doesn't make you more secure.

If you don’t have 2FA enabled for your account, you are in the least secure position compared with enabling any 2FA method.

Either way, there’s no need to use SMS for 2FA with Google, they support many other forms of 2FA.

I think Google actually allowed you to just use your phone number to recover your account, so it was effective 1FA. In that case it would be less secure. They might have changed it now though.
Often enabling SMS 2FA also enables SMS as a password reset option, which does make you less secure, since SIMjacking is easier than guessing a reasonable not-reused password.
With Google you can disable SMS-based account recovery independent of your 2FA options.
If that is the case though, you are not really enabling SMS 2FA. It is just SMS (1F) authentication.

Real 2FA would (theoretically) never make your account less secure than 1FA, because even if the second factor has 0 security, it shouldn't decrease the security of the first factor.

However, it is true that this may not always be the case for imperfect implementations, like your example. I can aldo imagine that social engineering might have a higher succes ratio if the intruder can say "it really is me! I have the correct second factor, I just lost my first factor...".

SMS based 2SV is just one option, there are many better methods you can enable for a google account.
In my country I've been required to go with my ID to a carrier shop to get a new SIM. How does that work elsewhere?
In some countries you can buy a SIM card, or even a dozen SIM cards, with no more hassle than buying a loaf of bread.
Even if your carrier actually enforces such a policy, the actual implementation is trusted to that part-timer on minimum wage you showed the ID to. They push "OK" on the ID check step, and it's done.

What do you suppose happens when the hot guy in the club who bought them and all their friends a round of drinks says they can make a month's salary in ten minutes if they allow a few of his mates to skip that "annoying" ID check?

And I'm sure that afterwards, once the carrier figures out who was responsible, they'll get fired. But meanwhile your accounts were taken over and leveraged for some scam or (if you own "cool" things like a short Twitter handle or that rare drop in a video game) sold to the highest bidder.

you do realize that the same can be done for a bank-account, right?

at the end of the day someone is sitting at a computer and given an id-card from a stranger and clicking the "yes, i verified their id card".

The bank account is the responsibility of the bank, the employer of these "strangers" you're talking about.

Whereas, of course, the reason we're discussing SIM attacks isn't that some bad guys might use your monthly download credits, or make a phone call that you pay for (the phone company would of course undo these charges once it was apparent that their employee caused the problem) but instead that this can be leveraged to gain access to all sorts of accounts your phone company has no responsibility for whatsoever.

The security was totally appropriate for the scope in which it was intended to be used, but that doesn't make it magically appropriate for all possible scopes.

I really like how the TOTP Yubi Authenticator app works. Just saves my secret to the Yubikey and I can save that secret to multiple keys. Then put a printed copy of the QR-Code in the vault in case I get hit by a bus.

This covers destruction of phone, destruction of office, destruction of Yubikey, destruction of me.

I would like to use U2F, but some companies (looking at you AWS team) only allow 1 MFA method period. And that just doesn't work.

> I would like to use U2F, but some companies (looking at you AWS team) only allow 1 MFA method period. And that just doesn't work.

That doesn't seem like an objection to U2F (or its successor WebAuthn) but more a reason not to use it for AWS or perhaps, if you have an alternative that does offer decent authentication, not to use AWS at all.

In this particular topic for example, the failures of AWS are no reason to avoid using the Yubikey's safer FIDO/ FIDO2 mode for your Google account.

That's fine, I'll disable it.

If they won't let me, then I'll stop using Google services which require me to auth.

That's how it works.

I lost one of my accounts last month to something similar to this. I used to have a secondary email as 2FA and then it got changed to "use one of my active devices", honestly I don't remember if there was some popup asking me to confirm the change, but one day I changed my iOS devices and the account was lost for good as I could not "tap confirm".

I tried to contact them from the email that used to be the 2FA, but no one could help me. It was a sad and eye-opening experience as I could have lost google domains and more.

Something similar happened to me last year. Luckily I had a vm with an android emulator with my Google account on it and managed to recover it

After that I activated the 2FA using authenticator... But using Authy, and has worked like a charm

Last time I worked to replace gAuthenticator with Authy for gmail, it failed. Toggling 2FA off and starting fresh didn’t work either. Have any tips?
I was able to contact Google, provide government issued identification and they removed the 2FA on the account.

Took about 3-5 days once I sent in the documents.

How did you do this?

Is the process repeatable?

Depends on a few factors in my experience, but when I had been locked out of an old email for 5 years because I knew the password but didn't own the associated phone number anymore, I had to know when my account was created (month and year), answer the security questions correctly, and know the full phone number associated with the account - and it still required a human review after a few days before I was able to reset the password (and I still had trouble changing the old phone number to my current one but I somehow managed).
The only account for which I could definitely provide this information would be my work email. It’s kinda of ridiculous to make this part of the criteria for resolving potentially huge disruption to a person’s life.
Same thing here, my 'your other device' was a VM that i had deleted. Telegram did this to me as well and won't send the text message..
I use Microsoft Authenticator because it backs up my 2FA accounts to my iCloud and I believe to Microsoft's servers on Android. If you lose those you're in trouble. I'm sure there are other options that support that now. When I moved everything that I could over, the open source options didn't support this. If I wasn't happy with the best open source solution, I wanted to use something from a large vendor that would be well supported. Any vendor not named Google at least, I have the least amount of trust in them among the 500 pound gorillas.

If you want to get ahead of this and save your accounts I've been using MS Authenticator for years now and am very happy with it.

Similarly I've been using Authy. I've started a Bitwarden account to store my passwords and I'm wondering if I should just move my 2FA codes to Bitwarden which partially defeats the purpose but convenience is always great.
That's all fine and good but reliability of delivery of 2FA data is not exactly fantastic (especially SMS, which lots of people use for 2FA), besides that it gives google your phone number, which not everybody may want to do.
> That's all fine and good but reliability of delivery of 2FA data is not exactly fantastic

So don't use SMS.

TOTP authenticators don't require any data to be transmitted at the time of authentication. They're set up with an initial shared secret (typically transmitted via QR code) at which point the codes are generated independently on the two devices.

This means the TOTP device doesn't even need to be connected to the internet. As long as you can get the TOTP seed onto the device (worst case: type it in), you can use that device for 2FA.

It is not possible to use TOTP with Google without also giving them your phone number.
Nope. My work Google account didn't have my phone number but did have TOTP setup.

I could set up TOTP on my personal account today, again without linking it to a phone number, but I don't because TOTP is less safe than my Security Keys which are already enrolled.

That seems to have changed recently. I tried it a few months ago and wouldn't let me set it up without providing a phone number. Thanks for the heads up, I'll try again.
To sign up for most google accounts you must be able to pass a phone number / SMS screen I think. Or have they gotten rid of that?
This kind of behavior is a good reminder of how little agency you have over accounts in your name. I turned off 2FA on my Google account (these days used only for Hangouts) because that account has little value, and the flurry of notifications that it produced was not worth the protection. I'm glad to be mostly de-Googled.
A lot of people commenting on using 2FA options other than SMS, but to the best of my knowledge it will only work after you’ve already associated a phone number to the account.

Wanted to check if I’m just dumb, and all recent answer point to the same issue: https://www.quora.com/Is-it-possible-to-use-Google-2-step-ve...

My Google account is configured right now to only support the Android prompt, TOTP, and Backup Codes. SMS is specifically not enabled, both for 2FA and account recovery.

Either that answer is out of date or it's lacking nuance. I haven't done it in a while, but it may be that you need SMS 2FA initially, and then once you've added TOTP you can then remove SMS.

But SMS is absolutely not required and anyone who thinks it is and is avoiding 2FA for that reason needs to go take a second look at their security settings.

I can also remove SMS as 2FA on my account, but I’ve had to give a phone number on all my accounts at different points in time, and they got confirmed by SMS.

What I was pointing at is not that SMS is the only option but that the phone number + confirmation seems mandatory at least once.

(comment deleted)
IMO, the bottom line is that Google wants your phone number, I'm guessing so they can somehow further target ads. They bugged the hell out of me a while back trying to get a phone number, even though I had a backup email address configured. They haven't bugged me for a while now, but that's likely because now they're going to try to force me to give them a phone number.
Thing is you can delete it immediately after you've set up your account with alternate 2FA eg TOTP/authenticator.
Do you believe they actually delete it? I don't.

I deleted my account with Digital Ocean years ago, because I use NoScript and every time I went to a new page at DO, it required me to enable more 3rd-party domains. I switched to Vultr.com because they only use their domain for their web pages.

Recently I received an email from DO that my acct information may have been accessed by some hack. I replied to that email, requesting that they delete everything on their systems relating to me. They said I had to sign in and purge my account. I already did this, when I switched to Vultr.com. But I tried anyway. It wouldn't let me sign in (Duh! I already deleted the account), so won't let me purge my info. When I explained that DO would have to delete it, they never replied. They obviously still have my info or they couldn't have emailed me.

My level of trust that a company has actually deleted everything they say they are deleting is about zero. If it's to their advantage to keep it, they will.

> They haven't bugged me for a while now, but that's likely because now they're going to try to force me to give them a phone number.

This and your other reply in this part of the conversation are purely paranoid speculation.

Frankly, if you're this concerned about Google's nefarious intent, you should get off their platform. They probably already know a lot more about you than just some random phone number.

My parents are using GMail and I have no idea how to explain and set up 2FA for them. Google probably won't do a good explanation either. And 2FA probably won't work on their landline telephone...
The blog post is vague, stating that only accounts that are "appropriately configured" will be automatically enrolled.

This article speculates a bit that:

> On Android, Google Prompt is a full-screen pop-up built into every device as part of Google Play Services, so that's easy. On iOS, Google Prompt requests for your account can be received by the Google Search app, the Gmail app, or the dedicated Google Smart Lock app. It sounds like everyone meeting these requirements will soon be enrolled in 2FA.

So assuming this is correct, if your parents don't have an Android phone attached to the account, and don't have an iPhone with those apps installed, then this won't affect them.

Of course, it'd be nice if Google was a little more clear on what they're doing, here...

I don’t know if it is required. I think it is just going from opt in to opt out.
You probably need to do it for them. Seriously.

I bought my mother a Yubikey a while ago and walked her through printing out backup codes (stored in a location I will remember even if she doesn’t) and registering it with her Chromebook. It’s on her keychain, but she won’t need to use it until she gets a new computer when the Chromebook dies.

The advantage of this is that her account can’t be broken into remotely, which would be catastrophic.

(Contrast with another relative that I think is on her third Google account.)

I am assuming that this is because they urgently need to collect your cell phone number to make more money from ads?
A cell phone number is not required for 2FA.
A cell phone number is required to sign up for google now though.
And thus is separate from this 'auto 2fa' blog post announcement.
(comment deleted)
out in the real world, there are a lot of people out there who hate 2FA. I have it on almost everything. You can't please everybody.
yeah, I hate 2FA. Disable it on everything since I do not want to carry a phone so as to login to any single service.
2FA is better than the alternatives. The app I work on has said no to clients requesting we add a feature to enforce password rotation. We state that 2FA must be used instead if security is required and that password rotations offer no security.
Dear Google: please sell me a wallet-sized laminated scratch-card with my single-use backup codes on it.
My bank did that ~10 yrs ago, it was really neat, but unfortunately it does not scale well.
Tried to log into an old gmail account recently.

Did not have access to associated phone number.

* gave correct password * gave correct secret question response * have access to backup email address

“Thank you for verifying that you have access to the backup email address.

We have been unable to verify your ownership of this account”

Are you serious?? Google must seriously want to tie everything to real world IDs.

This exact thing happened to me today as well. After waiting a few hours I've regained access to the account but can't change the recovery phone number because to get into that settings panel it requires me to verify it... with the old phone number.
I lost my Skype account the same way. I had been using it normally when suddenly one day it automatically logged me out, then when I logged in with the correct password it insisted on sending a code to a phone number that I have long lost.
Google is the biggest security risk for a lot of people since a lot of people throw their whole lives on Google - Google has to defend against literally the most dedicated attackers trying to hack political officials and fortune 500 executives alike. It's obvious that, at their scale, they're going to have a lot of false negatives and false positives. Even a 99.99% success rate of detecting fraud would mean millions of false positives or negatives locking people out of their account or allowing illegitimate actors into accounts. It's also the reason why they don't have general account support besides an account recovery process that only sends requests to humans under very specific circumstances: humans are bound to have an even worse success rate than the machines at preventing illegitimate access.

I think it's obvious that Google is too big, but it's not like they can help it. Capitalism in the internet age requires constant growth if you want to maintain your company's value, which is a large part of why they can't turn people away from their service. The best they can do is require a phone number to sign up and limit the number of accounts a phone number can be associated with (which they already do).

> Capitalism in the internet age requires constant growth if you want to maintain your company's value

Craigslist is doing fine with a small number of employees and no need to grow.

They don't have shareholders or a private equity firm requesting growth, so they don't have to grow. If they did, you'd see a renewed interface, ads more vaguely differentiated from regular results, and an ebay-like payment system. It's the difference between optimizing for maximum profit vs. optimizing for longevity.
Isn't this why they have their advanced threat protection thing? So people who aren't political officials or fortune 500 execs don't get that treatment?
Is this secret question like "whats your favourite movie" etc or a question they generate that they expect you to know about your account?

I checked my account and I don't see any secret questions options.

It asked me for a secret question and answer when I signed up years ago. Didn’t make any difference though.
That's the message I got the last time I tried to log into my google account. I'm so glad I had separate self-hosted email and didn't rely on anything from them.
I had just the opposite problem - I've had the same phone number linked forever, but I left my backup email set to my work address at a previous job. I wasn't able to reset my password without access to the latter.

After about 5 years of occasionally flunking the questionnaire to prove I was me, Google relented and allowed me to update my password via a code sent to my phone and another sent to the gmail account itself.

Which is to say that I was saved by a device that had access to my original gmail for five years without ever asking for the password. Which doesn't seem like an example of sterling security.

I had this happen recently but it had been previously tied to a phone number and I responded with it. And it appears to be locked permanently. Granted it is a pretty random side account and not that big of a deal, but that was an eye opener. I literally answered every challenge they gave me correctly and yet it is now gone forever.
I never agreed to this insane 4 factor authentication. I feel like google has locked me out just to reduce costs on its end.
The most annoying thing was that this was due to me changing my home router, which triggered an IP switcharoo from my ISP. Because it was a rarely used account Google freaked out. The more I tried to prove it was me the more it started sending me angry notices that it detected malfeasence and then boom.
This was the biggest eye opener for me, I used to think having a recovery email address would be enough to rescue my account. It turns out Google goes full on "spy vs spy" and can assume your recovery account is also compromised if it's secret algorithm decrees it so. It was such a relief to start the de Google journey and gain (some) control back.
This prompted me to make a plan to start deleting my gmail accounts today and shift to a new service. It felt pretty cathartic. For whatever reason, I could never unsubscribe myself from quora no matter how many times I tried.
I've started this process and it's surprising to see the number of services that won't let you change your email address without signing up for a brand new account.

You probably know this already but if you're making the effort to do this you absolutely must purchase a domain name that you own, it's the only way to make sure you'll never have go through this process ever again.

> Google's preferred 2FA method is the "Google Prompt," a notification Google pushes to your phone

Oh please no, no, no, no a million times. I shoudn't have to run Google services on my phone, I shoudn't need to have a phone, and my big heavy immobile desktop should BE a 2FA device of its own because it's much harder to steal. Don't make the use of a desktop require a phone.

The quote isn't true. This isn't in fact Google's "preferred 2FA method". If I need another factor (for example if I were to log into my Google account from some random device) I can just use any of my Security Keys or other means to do U2F/WebAuthn, which is - in fact - Google's preferred 2FA method.

Also, as the article already says, as does Google's announcement, this won't do anything at all if you don't have any suitable additional factors.

What about homeless people who don't have cell phones and use Gmail accounts? Maybe they don't have a backup email?
I've met a lot of homeless people with cell phones
A friend of mine in the mid-90s was experiencing homelessness and had a "virtual home" via website, including some VRML code. Considering in that era few people were "on the internet", it's not a far leap to find someone experiencing homelessness in the modern era who own a cell phone
>Utilizing data from a study of 421 homeless adults moving into PSH, this paper presents descriptive technology findings, and compares results to age-matched general population data. The vast majority (94%) currently owned a cell phone. /.../ Most (85%) used a cell phone daily, 76% used text messaging, and 51% accessed the Internet on their cell phone. One-third reported no past 3-month Internet use.

https://www.researchgate.net/publication/315541163_No_Digita...

There are free online SMS services
I've never had one of those work for that kind of stuff. I assumed they were all blacklisted by default.
I lost a gmail account like that too. The telephone number is gone and I have access to the backup email address but the email address isn't enough, and it's gone.
Isn’t it great how they will let you sign up for an account with just a password then demand a phone number later on when you’re already using it.
I recently had the same experience. They say, "try again later", but i kept returning a few weeks, nothing happened. Had to abandon accounts on some services as the result.

Then, three months later, I visited, and suddenly they've let me in. This is extremely annoying.

Oh, and I was visiting using the same IP address!

Pretend you had this problem after you'd had everything stolen from you, including your apartment key, during your first day in Colombia lol.

This experience is what pushed me off Gmail.

whenever i reinstall a computer i have the same problem for like two weeks unless i just copy over the .mozilla directory from a previous install. and that's on an IP that is already accessing the same account on another computer. if you keep trying it may eventually work, but maybe not
I also tried to log into an old gmail account. After I successfully verified my identity, gmail's final screen asked for a new phone number. My account never had a phone number; it wanted a new one. It wouldn't let me access my emails if I didn't acquire a phone and give them its number. I was glad that I didn't care about the emails in that account, or I would have no choice but to accept.

It really opened my eyes that google was willing to hold my emails hostage. Google's roadblock was unrelated to security, because an attacker could provide a new phone number too.

I wished that companies would just let me tick a box that says "I explicitly don't want 2FA and I accept that my account might get taken over / lost and I will not be able to do anything about it"
Sadly that's not going to fly, since the damage a bad actor can do with your account will generally hurt the service's bottom line.

Consider a game, as an example. A stolen account can be used to play with cheats or to commit credit fraud / chargebacks, and the typical punishment of banning the account is no longer a deterrent. If there's an in-game player market or gifting system, items can even be transferred to otherwise legitimate accounts.

> A stolen account can be used to play with cheats or to commit credit fraud / chargebacks, and the typical punishment of banning the account is no longer a deterrent. If there's an in-game player market or gifting system, items can even be transferred to otherwise legitimate accounts.

How is that hurting the company? It would mostly hurt me as the original account holder. Except for the cheating, but that can just be done with a newly created account as well, so the only thing the fraudster would gain is not having to create an account.

The general public has trouble discerning responsibility among multiple corporate citizens working together. Remember the "iCloud hack" from last decade was not actually a hack at all, just stealing passwords and downloading videos/images from cloud storage. Incidentally, that prompted Apple to turn on 2FA for all accounts.
...when in reality, all that was probably necessary was some password strength requirements including a check for previously leaked passwords.
Password strength requirements are an anti-pattern: they force users to pick passwords from a pre-determined list the algorithm comes up with, rather than passwords they can remember.

Even with the most secure password, it is still useful to have an additional gate to get past before being able to perform any actions on your account, You are in control; you could deny the 2FA for an attacker just by doing nothing, whereas kicking an attacker out after they've logged in with your password is a lot more difficult and requires active action on your part. I remember being paranoid checking the list of recent sessions (and clicking the "end all other sessions" button multiple times a day) in the old Gmail design, and also giving up as keeping an eye on that list 24/7 was futile and a waste of time. With 2FA, I don't have to.

2FA is great when you want it on an account. If it’s being forced on you however, it’s insanely irritating, often for no reason. The user should have the power to decide if that information is worth the extra protection.

To your point, what is an anti pattern is requiring certain special characters or a certain mixture of character sets while ignoring other valid safety approaches such as password length IMO. Regardless, if a user is constantly resetting their password due to forgotten password, that amounts to 2FA because of the emailed reset tokens anyway. Modern users have adequate access to password managers that it should be simple to put them back in control.

Rules like "At least one special character" are silly. But I like estimator (e.g. zxcvbn) based strength requirements. Plus checks against blacklist like hibp.
Dear Google: I enabled 2FA using an authenticator application (TOTP). Please _stop_ trying to use Gmail-based 2FA. I don’t want to verify authentication with one of your apps.
The issue with this is that push notification based 2fa is more secure than totp (and similar to u2f) since it prevents dinner of the dangers of phishing attacks.
Don’t care. It’s not what I configured, it’s not what I want.
Funny how "2FA" almost always equates to "phone number".

Beware if they claim they don't store your phone number. It's highly likely they store a hash of it for tracking purposes, and proceed to use child-like logic to claim they didn't break any law in doing so.

Furthermore, data brokers use the same hashing algorithm [1] to connect disparate/separate entities, such as your bank, insurance company, fast food chain, etc, basically, any entity you've shared your phone number/email with, in order to gather data on you behind the scenes. How did that happen, you ask? "Out of sight, out of mind."

Google could restrict non-2FA accounts. That way, users could still access their private collection of playlists, but maybe they're no longer able to make comments.

Google and others should offer a standard palette of 2FA options, where the risk factors are left to the users. Let them choose between verified email, some or other TOTP, but try to avoid scavenging private phone numbers, you know, the highest value, globally unique identifier, ooooh.

[1] https://twitter.com/WolfieChristl/status/1288229191759081472

They need to store the phone number in order to send an SMS to it.
It says in the article that they're using "Google Prompt" which sends a push notification to your phone instead of SMS or TOTP. Regardless I would be surprised if Google's own 2FA didn't support TOTP since....you know...they own probably the most popular mobile TOTP app: Google Authenticator.
In this case if it's not phone number based. It's based on an app prompt on your phone.
I like this better, because if you lose your phone/number, it’s a pain to redo all of your phone based 2FA accounts.
Google has:

* Prompts. (Show a notification on a device)

* Phone Txt or voice

* Backup codes

* Authenticator App (ie TOTP)

* Security Key: Yubikey and the like. (You can use some Android phones as a Bluetooth security key)

I'd say google has more options than anyone else right now.

Iirc none of the alternate methods is available until you have given them a phone number.

A few months back I finally enabled 2FA on one of my accounts, I wanted to use totp and that option was completely unavailable until I enabled SMS 2FA.

You can remove the phone number and the other options stay enabled. I removed the phone years ago, because I did not want all of my security for more or less all of my online accounts (password recovery via email) to hinge on the unhelpfulness of a customer service agent of my cell phone provider who is heavily incentivized to be as helpful as possible to any criminal impersonating me
And you of course can trust Google that they actually remove your phone number. /s
(comment deleted)
Look, this is silly. Not removing the users number on request is asking for a huge scandal if it ever was leaked or compromised. Pulling this crap isn’t worth it. The value of collecting a few phone numbers from people who don’t want to give it out is nothing.
You might not consider it worth it, but some marketroid? Was anyone actually surprised when facebook sent spam texts to 2FA numbers back in 2018? They just floated that balloon and went "whoop sorry bug in the system" and that was that.
To be fair, it was almost certainly a bug in their system.

You can argue that they shouldn't have made that mistake, and I'd agree, but stupidity is always more likely than malice.

> stupidity is always more likely than malice.

It's interesting how the supposedly smartest companies of the world are so regularly so stupid in such consistent ways.

They're never stupid in a "oh no we deleted all your personal information from our system and now can't track you anymore" way, weirdly.

that probably happens, but it doesn't tend to get publicity.

More generally, remember that you could be one of those megacorp employees one day, and you might build a 2fa system which logged to a particular place.

Later (remember the company is growing for 50% for many years) some new person sees the phone numbers and doesn't realise their provenance (very likely culturally at a place like FB, where things are default open) someone else finds the phone numbers and uses them to send marketing messages.

Like, that's what happened (most likely) but it amazes me that people will always want understanding for their own mistakes, but regularly disclaim that others shouldn't have done it, or made a mistake maliciously.

To be clear, I have no special insight here, but I think that assuming everything is malice and pre-planned is a less fruitful headspace to inhabit than realising that everyone is human, all companies make mistakes and that's a good prior.

To be even clearer, FB should have made this bug impossible (and I'm sure they have now), but given the amount of mistakes I've made I hesitate to cast the first (or indeed one of the last I suppose) stone.

> Pulling this crap isn’t worth it.

And what happens if it's revealed? How large are fines, how long the prison time?

For data of EU citizens, up to 2% of global revenue for small violations, 4% for severe ones
There indeed was a big scandal when FB did something like this with 2fa SMS numbers
Simply bury something in the TOS along the line of "oh well actually we reserve the right to do whatever with your 2F phone number" and be done with it.

Or just keep a hash of the number as GP described.

To address the app and phone number concern I have; I doubt it's possible to remain a user of Google services without being forced to give them my phone number at least once, and even if they don't keep it, they'll keep a hash of it to bypass the spirit of the law, and track me across data brokers using a derivative of my phone number instead.

My guess is, if they aren't nagging you about verification by phone number, you've likely provided them with your number at least once in the past.

On a related note, there's been a push for supporting the Payment Services Directive (PSD2), which requires strong customer authentication (SCA) in most cases, which implies 2FA.

Forget 2FA: you can't get a Google Account without giving a phone number during signup.
You could as recently as a few months ago (haven’t tried since winter), but you have to be careful from the create account page. If you get asked for a phone number, start over in a new Firefox container. Or, you could do it through YouTube.
It has to be the IP address of something they know the location of with some certainty, near impossible to privately sign up for one.

Try it with a VPN or anything from a datacenter IP or any other public place and it's a no go.

I have tried this dozens of times in the last year, with an empty cookie jar. Every time it demands I verify a phone number.
Why do they need your phone number?

They already have Google Authenticator. (Although authenticator plus is better imo) and they use your email address for that.

Maybe they want to have a backup? People setup 2FA using authenticator, loose phone, no proper backups, backup codes lost.

Using access to specific phonenumber as second factor is not too good security wise, but there’s no perfect options. I’d say managing 2FA properly is hard even for IT pros, let alone regular people. Like how many store the backup codes offsite, regularly test backup Ubikeys etc.

Get ready for a lot of people loosing their accounts, crippling online services and become distrustful of google/2FA
As a Google of many years and a long-term gmail user, I have refused to give my phone number to Google. Their hunger for data has absolutely no bounds, and the security blather is just a convenient way to demand everyone's phone number. It makes sense though - they make more money the more they know about your account. I am in the final stages of terminating my use of anything that requires a google account. I fully expect that you will not be able to do a search on Google without being logged in. It's only a matter of time.
>they make more money the more they know about your account

to Google's credit you can at least opt out of that part. (don't know if this is a global thing)

myaccount.google.com/privacycheckup

I hate this. I have 2 accounts with adsense, no recovery email because google banned all adsense account associated to my old emails (in 2012), which was not my fault. So I know the password, I know the email, still can't login because that phone number expired.
to login to my Outlook need get code from old email account then again get another from different email account then get code from phone that is is pay as you go and mostly turned off and have to charge battery. so login to my email is like 30 minutes of dealing with codes and different shit.

Ebay is the best need know usernames of other users who live in my old flat 10 years ago.

Try to login to PayPal,ebay, outlook gmail from mexico or Vietnam captcha every 10 minutes everywhere how this people can live like this

every other time i try to log into paypal it insists on verifying my identity by calling me, started a couple months ago. it certainly has somewhat dampened my online spending, so I'm not entirely against it
That's great as long as they let me opt out somewhere in the settings.
so annoying. it's like being required to have an ankle monitor.
I never used to use 2FA because it was annoying to have a single point of failure that locked me out of all my accounts.

Ever since I realized that the 1Password desktop/mobile app can save and sync your 2FA code generators onto all of your devices, as well as automatically fill them, I have been a happy 1Password user with possibly hundreds of active 2FA setups.

Even if I lose all of my devices, there is at least a clear way forward with my 1Password recovery kit. I don't need to save millions of emergency recovery codes. Still, the biggest point of convenience for me is being able to access the same 2FA codes from my laptop, phone or tablet despite only entering them once on desktop.

I feel like I'm advertising for 1Password right now, but honestly this is perhaps the most exciting thing that has happened in over a decade for my personal cyber security situation. I have been able to completely decouple my phone number from my 2FA in most instances.

Bitwarden can do it too.
So just to clarify, this kinda isn't 2FA if the password and the seed are stored in the same place.

I get that if your password manager is compromised, you've got bigger problems, but some account seeds for H/TOTP should stay out of it and on a paper or dedicated piece of hardware.

Well the seed is protected by the PK (the 1P salt certificate) and the master vault password, so even if the account password is leaked or realistically keylogged, you still get nearly all of the protection from 2FA in that case since only your devices have the 1P salt required to decrypt the 2FA seed. I don’t think that the ‘common password’ attack that 2FA would typically protect from even applies if you are using a password manager where each account is a random password. In this case you’re only protecting yourself from keyloggers or such.

My 2c.

"Non-tech-savvy users always use the defaults, and the default will soon be 2FA. "

And not just non-tech savvy users neither.

Google just wants to make everyone download their mail app so they can push their other apps as well and keep tracking iPhone users.