306 comments

[ 2.6 ms ] story [ 271 ms ] thread
This hit me the other day. I dropped my phone and smashed both the screen and display making it essentially unusable. I needed to get into my email. I had no WiFi but I had access to an older phone with data. Tried to sign in on the other phone. It said I needed to confirm the login on my device, I obviously could not, it gave me an option saying 'can't access phone' so I clicked it, it took me to a page saying too bad sorry no signing in for you and that was it, I was locked out of email until I bought a new phone and set it up.
1. Add OTP to your account ("Google Authenticator", Lastpass, etc). 2. Remove phone number from account. 3. Enjoy not needing a phone ever again to login. 4. Might take a couple of days for (3) to stick, train the algorith by logging in a couple of times using OTP.
How does one add OTP to her/his Google account? Is there a guide/instruction that you could share? Thanks in advance!
Your solution for not needing a phone to log in is to use Google Authenticator which is a phone app that would've been on the smashed phone?

I recently went through this exact scenario: Old phone broke. Bought a new one, restored backup. Guess which app doesn't restore its data from the old phone? Google Authenticator. Lost access to all my TOTP logins.

I've been bit by this before also. It's important to take the one time passcodes that Google provides seriously and keep a couple of them in your wallet.
This means I cannot login just using my password?
That's already the case. If their algorithms decide that your activity is "unusual", they can disable your ability to login with literally no option to bypass it.

https://i.imgur.com/4YrElkJ.png

Keep that in mind when you e.g. go traveling.

If you have OTP 2FA set up they let you login from anywhere.
(comment deleted)
I've been getting this for years. This announcement doesn't seem like a major change to their overall policy, just a ramping up of the roadblocks for CGNAT and the like.

Rather than giving users options, Big Tech has decided to paternalistically kill passwords in favor of less convenient and less secure methods (my email is much less secure than my password store). Even from residential IPs, it's become the norm for banking websites to harass you with snake oil "2FA" every time you login. The only solution is to split up your online activities so you can conform to their demands with one VM/browser config, account for the extra annoyances as the price of using their services, and move as much activity as possible to freedom-respecting technologies.

Which of course is why those tech companies spent effort writing and advancing FIDO specs, and why I am able to login to my Goog/Facebook/MS accounts just perfectly damn fine using offline tools (pass, pass-otp).

Can we please stop spreading FUD because people here really getting their jimmies rustled at any extra steps (even though this forum is often rife with people falling for phishing attempts, repeatedly using GoDaddy, on and on, proving that they can't protect themeselves.)*

But maybe you could name a few tech companies besides Twitter who have implement 2FA you way you imply.

This is an old article. When it first was posted I strongly considered finally ditching Google forever. Of all the Google services, I only use gmail and then only for catching junk, spam, for Craigslist posts, and for bullshit account creations. I have two active junk gmail accounts.

I log in all the time, this morning included, and do it every time with a simple password. I have never been prompted for 2FA and there is no identifying info in my account or in the emails that it catches. The account names are even fake.

If I do end up prompted to set up 2FA I will simply delete the whole shitteroo and start over somewhere else with another fake name.

It seems you didn't read the article.

"The company plans to automatically enable two-step verification for accounts that have been configured correctly."

I'd like to make a humble appeal to you, dear Reader, that you consider if you are able to exist without Google services and the tradeoffs they entail.
I'm having the opposite reaction.

2FA is a strict improvement and everyone should be using it. I applaud Google for mandating a best practice.

It's far preferable to the alternative of having your account compromised because your password is guessed or stolen.

This is not my opinion against 2FA, it is me using this moment of friction to ask a question most people are often too happy to ignore when things are going fine. Are you able to live without your captors or not?
I also don't see them as my "captors."

I'm able to live without electricity but I'm not about to call the power company and have them cut my feed. There are folks who consider it some kind of incarceration to be beholden to the electricity provided by a power company; I respect them but I don't share their philosophy.

Depending on the situation it can be easy to cut yourself from the power company, but no one can create his own phone carrier regardless of the situation.
> Depending on the situation it can be easy to cut yourself from the power company

Unless the situation is "There is another power company right next door," I'll have to disagree.

If the claim is one can self-generate power, the analogy holds but not in the way, I think, the author means. Self-generation off-grid is a pain... Buy or build and maintain your own generators, your own storage, deal with impedance, deal with the risks of operating on high voltage, equipment breakdowns are yours and yours alone to repair, etc.

Similarly, I can self-host my own email, video, web servers, and possibly even build my own voice-activated assistants tuned perfectly to my specifications, sharing my data with nobody... But that's a lot of work when Google has provided all of that for me.

Yes, it’s immensely frustrating when a service doesn’t support proper 2FA or forces weak SMS as a backup to proper 2FA, undermining much of its value.

So while I support asking people to reconsider if they need a Google account, I would never recommend alternatives that lack 2FA and where possible, I refuse to use services that lack 2FA myself. Unfortunately there are still some categories like banking where TOTP, FIDO, etc is practically unheard of.

I'm continuously surprised how authoritarian some people are.

You consider something superior just because it works for you and therefore everyone should be forced to do as you, but you ignore what doesn't work for others (such as being tied to a phone).

Nobody is forcing you to use Google's products. If having a phone is that onerous for you, you're allowed to not do that.
GOOGLE is literally forcing people to use their products. Their entire business strategy is based around it, gobbling up or destroying every competitor, advertising and promoting their own services on search above others, illegally collaborating with other giant tech companies, and on and on. That's how monopolies work. That's the whole point.
The announcement doesn't even require a phone... it just requires SOME second device to confirm your identity. There are several alternatives.

And as others have said, you can use another product.

What are the tradeoffs?
They really want our phone numbers. I have a few throwaway accounts for subbing to sites that require log-in that I don't want connected to a phone. IF they brick my accounts, I'm just going to stop using Gmail and turn to Proton or something else.
Aren't there non-phone-number 2FA options?
Yes, OTP.
Possible, and a real burden to set up:

https://webapps.stackexchange.com/questions/127464/enabling-...

Perhaps this changed now, but I had to set up a different 2FA method first (I used a U2F security key), then add OTP, and then it was possible to remove the U2F method.

After logging in with OTP once (I just keep the private key on my laptop in pass) you never seem to get asked to provide it again, but 2FA is nominally enabled.

"Then, a code will be sent to your phone via text, voice call, or our mobile app. Or, if you have a Security Key, you can insert it into your computer’s USB port."

https://www.google.com/intl/en/landing/2step/#tab=how-it-wor...

I'm not sure why TOTP isn't an option. Google Authenticator still seems to be a supported app.

It is. Look under Features

> The Google Authenticator app for Android, iPhone, or BlackBerry can generate verification codes. It even works when your device has no phone or data connectivity.

You can also use third party apps, I use Authy

(comment deleted)
Google Authenticator is TOTP and you can use any other app.
Yes, that was what I meant. The quoted passage didn't seem to include any TOTP app, including GA. Apparently they are supported, the info is just on another page.
Yeah, they don't really want you to do it. That kinda makes sense when you think about it; TOTP has a lot of friction compared to "just press the button on the device 99% of you already have linked to your account".
That makes sense for most. For me, I can have my TOTP app running on my laptop all the time. Looking around for my phone is higher friction.
There's only 3 options (I'm on the panel), Google Prompt (requires a phone), security key, or text message/voice call (requires a phone). 2 out of 3 require you to attach a phone number and the last one requires a security key to be inserted every time you want to make throw away accounts via Gmail.
I'm using a TOTP authentication, are they taking that away? Because TOTP doesn't require a phone.
Google has supported WebAuthn security keys for a while now. Don't give your phone number if you don't want to.
Yeah, true, all they really want is our phone no's so they can sell the numbers to spammers and completely render our phones useless, even for texting . . . fuck GOOGLE
Pathetic. GMail authentication was already quite broken as it is - eg for me it just won't let me in over cellular connection.
Having 2FA set up usually gets around those pesky risk-scoring algorithms.
At the cost of introducing other, even worse problems.
What are some of these worse problems that MFA introduces?
Not being able to get to your account when you lose the phone; having to run extra software.

But also, frankly, I just don't trust Google to implement this correctly, given their track record. Google sure employs a lot of smart people, but the quality of their products and services is generally crap.

> Not being able to get to your account when you lose the phone

Really? There are scratch codes for that. Or you can use an app that backs up your TOTP key for you, like Authy. Or you can store your TOTP key manually. Or you can have multiple devices. Or...

> having to run extra software

Oh, come on. Are you really complaining about having to compute an HMAC?

> I just don't trust Google to implement this correctly, given their track record.

Huh? You do know "The day Google forgot to check passwords" was fictional?

So yeah, the additional problems this introduces do have workarounds. Still, the point remains: this adds new problems for no gain (for me).

As for the track record: we are talking about a company that can't properly implement basic password authentication, see my first comment. And no, I'm not interested for possible reasons/excuses why is it so; what matters is that it doesn't work _for me_.

> this adds new problems

It doesn't, though. Go actually read the article this time, not just the headline.

> for no gain (for me).

Sure. There's no way your system could ever be compromised. It's not like you actually click any of the links on HN, right?

> we are talking about a company that can't properly implement basic password authentication

[citation needed]

Seems like a great opportunity for folk to reevaluate whether they need a Google account at all. I finally escaped in September, after first trying all the way back in 2011. Dragged my feet for so long until eventually just saying "fuck it" after a few glasses of wine, and even recorded a screen cap of the final GAFYD deletion.

For anyone attempting escape, rclone seems to be the only tool that supports exporting all Google Docs ever shared to the account. Google Takeout (or the equivalent GAFYD tool) worked for everything else

> Seems like a great opportunity for folk to reevaluate whether they need a Google account at all.

Yeah, but still pretty inconvenient. I migrated all my main stuff way from Google years ago, but I have a bunch of accounts I use as throwaways that will be a much bigger PITA to use.

Probably a little easier for me, I stopped adopting anything new from Google for personal use after the Reader episode. I still have access to some business accounts mostly for GCloud.
Why would 2FA of all things be the critical issue? Tech savvy people should understand and use hardware security keys at this point to be securing their cloud accounts in general.
Tech savvy people often discard browser cookies at every opportunity. Adding a 2FA step to every interaction with Google is a change in routine, and forced routine changes are a great time to break any harmful habit
Firefox Containers. Sandbox Google from the rest of the internet, while still appearing logged-in to Google products.
This is the "killer feature" of Firefox, IMO. No other browser does what Firefox does w.r.t. containers.
As a tech savvy person, I used 2fa for all the corporate stuff I could and for some personal stuff too.

Now that I only have one phone, I've turned off 2FA as much as possible, because only one phone means when it breaks, I can't access my accounts, because I can't get to the 2FA tokens. No thanks.

You can add the 2FA authenticator codes to multiple authenticator programs. I usually add them on to 2 different devices at the same time.
I use Keepass with Strongbox and save the database file in iCloud. That way I have TOTP codes backed up, and I can share with others such as my spouse.
You didn't read any of those screens warning about you needing the backup codes? I do realize some services don't provide backup codes (which is insane), but when they don't I have found that they provide the codes you can manually type in to authenticator apps. With that, you can add the code in multiple places, like on your phone and also another computer with any totp app like authy or TOFU or whatever to have a 'backup'.

I keep my backup codes in a plain text files in a folder on my home NAS which is encrypted on disk, and backs up through rclone (with encryption) to backblaze every night. I'm about to configure up a second NAS for redundancy because 3 2 1.

> You didn't read any of those screens warning about you needing the backup codes?

I read them, and said, no thanks; I'd rather be able to recover my accounts easily.

(comment deleted)
Because my email account is that's linked to every other account and I can't afford to lose everything just because I've lost my phone (which has happened twice in the last two years, but recovered it both times).
You have many options including notifications in google apps, authenticator apps, text messages, hardware tokens, written backup codes. Not all of these rely on your phone so set them all up
So in other words dramatically increase the attack surface on my account.

Enabling SMS authentication for an account is a huge DOWNGRADE in security, not an increase. Cellular providers are infamously easy to socially engineer.

Especially some banks that still use SMS as your 2FA.
No… Well I guess if you were adding SMS as a 2fa option to your real 2fa would increase surface but that wouldn’t solve what the parent comment was saying. So yea don’t do that (but it’s better than just a password).

1)Password alone is weak. 2)Password and SMS 2fa better. 3)Password and real 2fa best. 4)Password, real 2fa, backup codes, basically just as good as best.

Google is only eliminating #1, and only requires 2fa when logging into a new device. I’m surprised HN folks are having a tough time grasping this one, in general it’s pushing people (I’d guess 90% of people would never opt into anything more than a regular password, including the parent) into #2 above.

Parent should do #4, but #2 is fine

Oh c'mon, even tech savvy people are just using email for email.

For me, I have to consider 2FA, or in the case of my son, who doesn't want a phone, a Yubikey or similar. I don't want to live with the additional management and potential disaster of 2FA blocking his access to his email account, which is currently his gateway to university.

At work I have 2FA, but there's a whole IT/IS team to manage and unblock things (which happens, co-workers get blocked out of their email accounts regularly).

Personally, I'm hoping to convince my domain cohorts (family) to move to Protonmail or similar.

> For me, I have to consider 2FA, or in the case of my son, who doesn't want a phone, a Yubikey or similar. I don't want to live with the additional management and potential disaster of 2FA blocking his access to his email account, which is currently his gateway to university.

This is a good point: For many people, passwords are already too much of a hassle. 2FA is going to be just more hassle. I manage all the passwords for everyone in my family, because they just can't manage to remember theirs (even simple ones like hunter2), and they don't want to use a password manager themselves. I'm sure ours is not the only family in the world who does this. So, the burden falls on me to keep their passwords stored and secure, and tell it to them when they need it. Now add 2FA onto that pile and it's just going to be more of a hassle for me.

> Why would 2FA of all things be the critical issue? Tech savvy people should understand and use hardware security keys at this point to be securing their cloud accounts in general.

Yeah, sure, should be.

Meanwhile I've yet to actually see one in the wild, in a 20 year career, aside from one that's used on a server I know of.

Coworkers at small tech companies? Nope. Serious-business clients coming into the office? Don't see them busting out the USB stick and plugging it in to their laptops. Medium-sized tech companies? Nope.

Hell, I'd hate it even worse than phone 2fa. I lose my actual keys all the damn time. 80% of all remote controls in our house are, at any given time, vanished to some other dimension, because I have kids. The last thing I need is another tiny, super-important physical thing to lose. The only reason a cell phone is a useful object to me, and not another annoying thing I can never find, is because of "Find My".

And move to what?

Your choices are:

- Run it yourself: And get eaten alive by third party anti-spam products. Maintaining a mail server is a full time job.

- Move to another large corporation (e.g. Apple, Microsoft, et al). What have you solved exactly?

- Move to a small mail provider and hope they don't go under (and you lose your x year old email address associated with tons of stuff) or have security issues because they didn't/couldn't afford the expertise.

The "least bad" option right now just seems to be to spread yourself around, so you're not too invested in any one vendor (in particular in case they ban you randomly for reasons they won't disclose or discuss).

i find migadu great, using my own domain names
D) go with any vendor but use your own domain. That way if you get randomly banned or they go under you still have the address, and it mostly solves issues with deliverability/being spam filtered.
That only shifts the issue from having to trust Google to having to trust the domain registrar. It does not solve the underlying problem.
you can register domain on your own name.
HN’s darling fastmail has been around for 22 years, I somewhat doubt they’d randomly go under.

On the other hand they are small enough to certainly be hurt by concentrated DDoS attacks as it’s been happening the last week.

> Move to a small mail provider and hope they don't go under (and you lose your x year old email address associated with tons of stuff) or have security issues because they didn't/couldn't afford the expertise.

You can also just use an email client that downloads the emails you get, and then point your MX-records to another provider if and when your provider goes belly up.

Domain name with Namecheap, Gandi, $your_favorite_registrar.

Mail provider with any small provider.

Use Thunderbird, it's honestly better that it has been in maintenance-only mode for a decade and isn't being "innovated".

I use my own domain + small mail provider. If they go under, I just need to change DNS records.
(comment deleted)
> The "least bad" option right now just seems to be to spread yourself around

Sounds about right. For e-mail I'm using SES for outbound on my domain, and.. of all things.. Yandex Mail for inbound. SES doesn't seem to have any problem with spam filters, Yandex OTOH, it's definitely a temporary solution, I'm only using it for POP3, but their webmail is also fairly cute. Yandex outbound is treated as spam by basically everything except Yandex

Chiming in with what everyone is saying:

1. Have your own domain name.

2. Use a small-ish mail provider that supports IMAP, etc.

3. Store all your emails/folders on a device (laptop, whatever). This way if the provider locks you out or goes under, it's easy to switch to another.

Has worked since what, the 80's? Personally been doing this since before Gmail existed. Ironically I chose this route precisely because the major providers (Yahoo, etc) were too unreliable for me - I had lost accounts multiple times because some of the (then) top mail providers decided to get out of the mail business and/or regressed their featureset so much that it hurt.

Of all the Internet services, this is the easiest one for someone to own.

I will never again create an email that matters for a domain I don't control. I learned that lesson with my nerdshack account.
This article is from May.
It is still generating useful discussion though. Sometimes news gets lost, I certainly haven't seen this discussed on HN before today.
Been using google prompt 2-step since they first started offering it a while back. Gotta say its the most painless 2-factor authentication of any account I actively use. Although its a bit clunky to have to open gmail on an iphone to get the prompt when I'm not dailying an android phone for testing reasons.
How annoying, in particular that service providers expect me to have a mobile phone and that the phone represents me (can not be lost, etc)
You don't need a mobile phone for TOTP -- you can do it from a shell script and openssl. Many security keys support storing TOTP built in, and Google also supports the various security key protocols (FIDO2 I think is the current version?)
(comment deleted)
I should point out that FIDO2 allows sites to require that visitors use a device from a specific whitelist of devices.[0] Google has already tightened the requirements by mandating 2FA, so don't be surprised when they start blocking "insecure" factors like shell scripts.

It probably wouldn't go down well if Google required an Android device to provide the second factor, but I could definitely see them requiring a device which does biometric verification of the user. That's a pretty good way of connecting online activity to a specific human (assuming the attacker can gain physical access to your authentication device, and has a model of your fingerprint/face, which governments increasingly do have).

[0] https://developers.yubico.com/WebAuthn/WebAuthn_Developer_Gu...

Google doesn't, they still allow you to use TOTP 2FA.
You don't have to use a mobile phone/SMS for Google 2FA. You can use:

- Hardware key (fido u2f).

- TOTP or HOTP generator (on any platform, PC, Mac, iOS, Android, whatever).

- Trusted Device.

(comment deleted)
(comment deleted)
In all those cases the user needs a device for auth
You also need a device for logging into a Google Account at all. These can be the same device.
With password I can login from any device (guest session on a friend's laptop, etc). So I am independent of a specific device.

The second factor ties me to a specific device.

TOTP does not. Plus Google supports multiple concurrent 2FA tokens anyway.
Multiple still tie user to specific devices. It will not work on a friends machine (unless user memorises the shared secret used for hashes).

TOTP is essentially a glorified password (which is the shared secret), only so long that the user presumably does not remember it, so it is taken as a representation of a trusted device access. TOTP / HOTP are close to manual CHAP.

I don't feel two passwords (the real password and TOTP shared secret) are better than one.

How do I set up TOTP with Google? As far as I can tell, you first have to give them a mobile phone number and configure 2FA with that. Once it is configured, you can then change it to TOTP and remove your phone number. But I don't want to give Google my phone number in the first place.
In my account I either see the option with "push notifications on your phone", usb dongle or SMS (security nightmare).

I'm not against RFC'd TOTP , but is it possible with google?

While I agree with your general point about the pressure to link accounts to phone numbers...

The post specifically states that there are other forms of 2FA, including token based.

They don't think the phone represents you. But the combination of proving you know the password and that you have physical access to a trusted device increases the confidence that it's you by a lot.

Depending on the form of second factor you use, it can stop phishing attacks (and don't say you'll never fall for one, anyone can make a mistake). The "send a notification" option for 2FA gives you information about where the login request is coming from, which is a chance to check that someone isn't sitting in the middle of login process. And something like WebAuthn makes phishing impossible outside of a browser exploit since the domains won't match.

You can lose the phone, just use your backup codes. Bitwarden supports otp and you can use that from any browser.
I'm a technical person and I have no idea what your post means... and I also need to figure this out and explain it to the rest of my (extended) family.

Google Accounts are the new printers, familial-y speaking.

One common 2FA method is TOTP (time-based, one time password). Bitwarden [0] is a password/secrets manager that you can host yourself. It supports TOTP so you can just use that instead of a separate app like Google Authenticator or Authy. I would not recommend this personally as if you expose your master password for bitwarden, you've also made it possible for the attacker to sign in via 2FA... which normally would require access to your phone or backup keys. But it is more convenient.

Basically, people should be using password managers by this point. I recommend bitwarden because you can host it yourself, it's good for storing other secrets, and it has browser plugins/apps.

[0]: https://bitwarden.com/

Thanks for the explanation.

Follow-up question: I downloaded Authy on my phone and my desktop, and the first thing it wants is a phone number. I'm trying to solve for not having a phone -- can Bitwarden's TOTP be used without a phone number being provided?

Thanks in advance.

Bitwarden does not require a phone, but it sadly TOTP support is only in the paid version. What I do is keep TOTP in an app called Aegis, which supports backing up the seeds. This way, I can always use the seed file to setup Aegis on a new device.
This is only rolling out to people who already have devices attached to Google services.
I feel I'm the only one who absolutely hates the zoo of MFA I'm subjected to as part of the latest and greatest in security for the masses. I hope something comes along to replace all of it soon.
Don't worry. Many companies are already replacing it with a simple webcam image of your mug (Hopefully directly stored on a server somewhere so it can be used for identity theft purposes).
Assuming you mean face and not a coffee mug, can you give an example? Most companies using facial recognition are using 3D maps of facial features using IR or other sensors, not a camera image. Windows Hello and Face ID come to mind, hence why they work in the dark.
I am fully aware that these algorithms use reference points on your face. I'm still not pleased with that data getting passed around.

As for the part of my comment in parentheses; I'm graciously awaiting the facial equivalent of "passwords in plaintext on the server". It's rather uncommon these days but I can almost guarantee it'll happen at least once.

My point is that generalizing it as a "webcam image on a server" is not only disingenuous, it's incorrect. It's not from the webcam, it's not an image, and it's not on any server except your own local device. Unless you have an example of a company doing this, which I did ask for. As far as I know companies are not storing that data in the cloud, at least the major ones I'm aware of.
Sure, but doesn't that lead to XKCD Standards?

https://xkcd.com/927/

Literally everything you can make to solve a problem leads to XKCD standards. If we go by XKCD logic we wouldn't have Netflix because it would just be another "standard" alongside all of the other film distribution methods.
Apple is working on this using WebAuthn, they call it Passkeys:

https://sixcolors.com/post/2021/06/wwdc-2021-apple-takes-the...

This seems pretty worrisome if you have ANY non-Apple device. So if I create an account using PassKeys, but at some later date, I need to log in using a browser on a Windows or Linux box, what do I do? I don't have a password, since one was never created. And all my credentials are in iCloud.
This is already an issue Apple has with their own Apple ID 2-factor authentication; in order to authenticate, you must either accept the prompt and receive the code on a current Apple device, or (secondarily) recieve a code via SMS.

Frustratingly, there is no option to add a TOTP code (like most other services, including Google, offer) or to disable SMS 2FA as a backup (despite its known security issues).

I say this mostly because I assume Apple would use your Apple ID credentials as a way to log in to these services on a Windows or Linux machine, as they do currently with the "Sign in with Apple" flow.

Currently yes, they're obviously working on a solution to that (it's the only non-green part of the chart)
Would you be interested in an emulated Android phone hosted somewhere that just auto-clicks "approve" on 2FA, maybe as a low-fee subscription service?

Could even set up rules for like "only during business hours in my country"

Hah! I actually did exactly that! (ran Android in a VM just for 2FA) until I realized I could do it from the command line easily with `oathtool`.
Yes.

I feel like my PC is should be the source of truth for my identity, not my phone. Phones get lost, stolen, and destroyed at times and there's no guarantee that I'll have access to my phone number for the rest of my life. I'm already completely screwed if my phone number changes, because not every service offers one-time-use codes to bypass 2FA.

It is absolutely baffling that there's no desktop 2FA program that's widely used. I guess tech savvy people are using android emulators on their PC to run google authenticator, but that's such a pain.

Has anyone had luck with yubikeys for personal accounts?

> I guess tech savvy people are using android emulators on their PC to run google authenticator

I simply use Authy instead of Google Authenticator. It has a desktop app that syncs to the Authy app on my phone.

With Windows 11, you'll soon be able to run Android apps without needing to install an Android emulator, but that's not here and now, though...

I use Yubikeys for everything that allows them. Haven't had any problems.
> Supports Google Authenticator and other authentication apps that can generate one-time security codes.

How do you do this? I'm looking at my personal account settings and the 2-step options are "app on my iOS devices", "security key", or "text message/voice call".

Was the same for me until I enrolled one of the above. I used a security key to get past that stage, then I was allowed add an Authenticator app. Very frustrating UX.
Most people don't have a hardware key so Google gets your verified phone number for free.
Am I understanding this correctly: you can't sign up with Authy for Google Accounts if you don't have a mobile device to authenticate with first..?
There's an option to use a hardware key. I don't have one so I couldn't try. I did the text message option and that worked.
I'm looking at a family member who has Google Mail and Google Voice because they don't have a cellphone.

I guess there's some needles here to be threaded, whether we stay or leave Google.

This guarantees 100% that you will get locked out of your account permanently at some point in your life.
How so? If you have a variety of second factors enabled (security key, TOTP, recovery codes) it seems like you can be confident enough in not getting locked out.
People who are in the top 1% of technical skill will do that. Not "the rest of us".

Most of those tools suck. For instance I got a yubikey which has numerous flaws (not quite a regulation USB device), but the one that "EOLed" it was that the hole to attach it to a keychain wore away. A 0.25-cent nylon washer would have fixed it. Fortunately I was able to recover the yubikey rather than lose it, but it isn't on my keychain anymore.

Banks and other high-margin organizations can afford heavy reset and recovery processes. Companies like Google where customer service is "talk to the hand" can't and won't.

> People who are in the top 1% of technical skill will do that. Not "the rest of us".

Nobody is obligated to help you learn.

Is this the standard answer now every time someone complains of beating treated like shit? "I was walking down the street in broad daylight and someone beat me and threw me in the gutter!"

"Nobody is obligated to teach you self-defense."

"I tried to stop while driving but my breaks failed and I crashed into a house!"

"Nobody is obligated to teach you proper car maintenance."

"My wife's surgeon lied about his qualifications and now she's dead!"

"Nobody is obligated to teach you how to spot a quack."

IT'S NOT OUR OBLIGATION EITHER. It's Google's, to make products that don't abuse and exploit their users. Stop this bizarre gaslighting tactic. 2FA is a shitty scam system that increases complexity and failure rates, radically decreases privacy, and DOESN'T increase security because the vast majority of users will just use SMS, which is easily hacked.

SMS excludes people who live in places where cell phone carriers choose not to cover. I've had to drive 2 miles from my house to receive an SMS, and I live just 20 minutes from a major research university.
> People who are in the top 1% of technical skill will do that. Not "the rest of us".

That means it's not 100% guaranteed one will be locked out, _provided that_ one has the tech chops. Even with such condition, is enough to totally invalidate your statement of "100% guaranteed you'll be locked out".

You probably should change your statement to say "99% of people (i.e., those withiout tech chops) will very likely -- or almost certain -- to be locked out sometime in the future". Now that new statement will be true.

Got a 2FA prompt for my Google account which said something like: 'Tap the confirm button on your phone to verify it's you'. Just dawned on me I switched to a dumbphone about 5 years ago for privacy reasons and binned my smartphone. So no more Google account for me.

It makes me wonder how many people are going to be locked out of their accounts because of these changes. So many people looking for a human. Sadly Google support is famously terrible, and 99% of queries are just Google replying back saying: 'RTFM' or 'Please refer to the FAQ for support'.

Then you click "Try another way..." and send a code to SMS, or you use U2F.
Google locking me out of my account, despite me providing valid credentials, was the catalyst in de-googlifying my life.

The inherent tradeoff with information security is convenience. For a personal account, the user should decide where they want to exist on that curve. Google's assumptions that I have perpetual access to a cellular device, or a consistent ISP, are user hostile.

I think most users lack understanding to make an informed decision about where they want to be on that curve.
Absolutely. Additionally, when The Verge runs an article about how “Google doesn’t do anything to protect your account even though it’s the center of your digital existence”, with the story of a user who failed to enable 2FA and had their entire life upended, the retort that “users should be able to decide for themselves where they want to be on the convenience / security curve doesn’t play.
This isn't about articles by a site 95% of the population has never heard of and it sure isn't about security if SMS is considered acceptable for the second factor.

Cellular providers have laughable security when it comes to account access and changes. The easiest way to get to someone's money and digital life is to figure out their cell phone company, and then convince them to send you a new SIM card for their account. Presto, instant to their bank account and now their google account.

This is about google wanting to tie more identifying information to a google account, and (by way of making all but "install our app" incredibly annoying) force iOS users to have a Google app on their phone so they know what IP address to associate with you at all times.

I was in the process of stripping Google out of my life and this looks like excellent motivation to speed that along.

What's why we need Big Government, too.
I also have an old account that despite knowing the correct password AND having access to the recovery email for that account, Google refuses to let me log in and there's no recourse. It's frustrating to say the least.
How did you regain access in the end? That's the only worry I have with relying on Google services so much...
I never regained access to it. It's just an old account that I only used for a brief period of time so I don't think there's anything valuable in there, but it still sucks nonetheless.
I've been through the process of recovering an old account and I can share some tips, feel free to email me if you'd like (address in my profile)
Please consider doing a write up on how you resolved this? There must be thousands of people impacted by this.

I've also had this situation when relocating countries. I had to abandon a 15 year old account (for which I also had a valid working recovery email) with a lot of issues recovering online banking etc. (Had to physically travel to another country to restore multiple services associated with the account).

I'm with fastmail now. I will never again depend on a mail service that I am not paying for.

You need to own the domain in your email adress, then the email provider does not matter that much.
This spells the end of privacy on the Internet. Your phone 100% identifies you. Plus, if you lose it, you may lose your account as well. I just got an email from Twitter support, saying that I could “restore” my lost access by creating new account. I thought this email was some kind of a joke, but no.
That is why I use a TOTP app that lets me export an encrypted copy of the TOTP secrets. I also have a printed-out copy of the secrets stored in a secure location, which I update monthly for new accounts I add in. Prior to that when I was just using Google Authenticator I would record the TOTP secret prior to importing it into the app.
What TOTP app do you use, and what format do you print the secrets in?

I currently use "OTP Auth" for iOS, which supports backup and encrypted cloud sync, but I'm not sure if that supports something like "export to a text file".

On Android, andOTP is good.

It is open source, maintained, easy to use, can do backups and re-present the QR code so you can easily scan it with another device.

https://github.com/andOTP/andOTP

I stumbled across Aegis for Android (they don't have an iOS version though). The export format is json, you can export in cleartext or aes encrypted.
What app is it?
Uh, doesn't this accept U2F?

I'm a Googler, but haven't really looked into this yet.

>This spells the end of privacy on the pop(ular) internet.

FTFY. Though, I'd argue privacy has been dead there for years already.

AFAIK you should be able to remove your phone number from your account after adding some other type of MFA (authenticator app or key fob). Did this change recently?
"This spells the end of privacy on the Internet. Your phone 100% identifies you."

My "2FA Mule" has no identifying information of any kind on it and doesn't follow my location(s).

It's a stock android phone with no google account and no apps installed except for "SMS Forwarder"[1].

It is configured to forward all SMS to an email address via encrypted SMTP. This means that I can receive these 2FA codes anywhere I have Internet access - such as an airplane or newly arrived in a foreign country where my SIM card does not work.

The "2FA Mule" itself is plugged in at my office in a corner.

I'm not employing this for anything sensitive but it's interesting to consider that I can use SMS based 2FA while divorcing it from my day to day SIM identity ...

[1] https://play.google.com/store/apps/details?id=com.frzinapps....

What happens if that phone is destroyed through some sort of accident, possibly involving your office? No matter how unlikely, if that's not a contingency you've planned for, the plan needs some work.
At some point you've got to sign off on 'acceptable risk'.
"What happens if that phone is destroyed through some sort of accident ..."

I don't think that's an issue at all ...

I don't care about the phone - all I care about is the SIM card. If the SIM card is destroyed, your provider can issue a new one.

I guess if the 2FA mule was destroyed while I was traveling that would be a real pain but ...

That's a great idea, and worth remembering for me in the future, but it's also worth noting not everyone can afford a 2FA mule phone.

(yes even as relatively "cheap" phones are these days. there was a time that $20 was a no-go for me.)

> This spells the end of privacy on the Internet. Your phone 100% identifies you.

But I don't think Google mandates you to use a phone for 2FA? You can use any TOTP app or a U2F dongle like the Yubikey (or the Ledger Nano S, which has an U2F app).

I see your point but unlike climate change, privacy is not a one-way loss. It can be restored so long as some other technology prevails. Wishful thinking perhaps, but it's well within the realm of possibilty.
Google's 2FA is very frustrating to say the least. The forced use of a mobile device with a Google app installed as my primary 2FA device is nothing if not annoying-- I already have 1Password set up in the browser to autofill 2FA codes. Google doesn't seem to like this because after sign in I always have to wait for the prompt saying "open the google app on your phone", then scroll down and click "try a different way" and THEN click a selection to enter a 2FA code. Very very frustrating.
That sounds like design decisions for optimising the 2FA experience for the vast majority of users, who don't want to mess with Google Authenticator or their password manager _is_ Google (Chrome).
I use a password manager myself (as IMHO everyone should). It's not ideal because if your master password gets compromised it's potentially catastrophic in away that any individual getting compromised isn't.

The problem with 1Password 2FA is, I believe, that the 2FA itself is still gated behind your master password, in that if that gets compromised so does your supposed 2FA.

The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.

Again, I don't use this feature of 1Paswword so this might not be exactly how it works.

But if so, I'm sympathetic to Google not treating it as 2FA because, well, it isn't.

I know 2FA is often described in this way but it's not the way I really use it or how your average person wants to use it IMHO. It's just a second piece of data that is needed to login, which does add significant security. Maybe I just don't oversee anything important enough but I don't actually want my digital security to be dependent on a single piece of hardware ever. Yes, I know about backup codes but where are you going to store those if not 1Password/alternative-manager? So for me I'm perfectly happy to keep my 2FA alongside my password in 1Password.

As for "If that 1Password master password is the only thing needed to gain access then you don't really have 2FA." it's not, unless they get access to a device you have logged into 1Password on in the past (and thus entered your secret key [0]). For me this stays true enough to "something I have". If someone has my phone/computer AND can guess my 1Password master password then things are already pretty bleak and they already have access to whatever other 2FA app I was using (Authy/GA).

Lastly 2FA falls apart if you share an account with a significant other (or a team). In 1Password I can just move that login to a shared vault or share that login individually and everyone can log in and use 2FA. I'm not sure what the alternative would be. Sure, if a product supports multiple accounts or even multiple 2FA's (I don't think I've ever seen the latter, at least in non-enterprise settings) there is a way to do this but most apps/SaaS/etc there isn't an alternative (other than disabling 2FA).

[0] https://support.1password.com/secret-key/

> backup codes but where are you going to store those

On a flash drive/SD card, or even printed out, and then stashed somewhere safe/secure (i.e. not in an unlocked drawer next to your desk)

Yes. I write them in a book. The book lives in a locked desk drawer.

My threat model does not include "Nation state adversary breaks into my home and... reads the contents of the book". If I annoy the Russians enough, presumably they would just try to outright murder me.

In contrast, "Person I annoyed online plans elaborate Internet revenge" is definitely a potential threat I want to cope with, as are "Scam email claiming to be from company I have account with", "Facebook lose everybody's passwords", and so on.

What about the “my house burns down along with all my devices” threat model?
In the event I die, most documents and other material are encrypted and so are now intentionally useless. My accounts are not intended to be "memorialized" or whatever. My net worth cashes out for a handful of people to split up as they choose, or if they can't/won't evenly between them.

If you meant somehow the building burns down and destroys all my possessions but leaves me miraculously alive, I lose access to a bunch of stuff. Nothing to be done about it.

But one of the Security Keys lives in my jeans pocket, so if I survive the fire in the regular way, by fleeing a burning building, I still have that Security Key. If I am wearing trousers. Not so many people actually flee naked, if the fire is going to kill you in the time it takes to pull jeans on you're probably just not making it out at all.

> It's not ideal because if your master password gets compromised it's potentially catastrophic in away that any individual getting compromised isn't.

If you care about this, consider security through compartmentalization provided by Qubes OS. I store my passwords in plain text in an offline VM (with hardware virtualization).

The way I see my password manager, is that its password store in itself is "something I have", while the password to it, is "something I know".
The problem is that “something I have” is generally supposed to imply that it’s a physical object whose functionality cannot be feasibly copied to another object. Some data, especially data stored in the cloud, isn’t really a good candidate, even if it’s protected by a password that only you know.
I disagree. The "have" factor can be soft or hard. It just needs to not be memorable (because then it's guessable, which is a primary weakness of a "know" factor).

For example: if you have an application protected by password+yubikey with "remember device" enabled, after prompting for your password it may decide not to also prompt you for the yubikey, and that can be because a cookie (perhaps ANDed with some other heuristics) is taking its place. A cookie which can be trivially copied to another device, but can't be trivially memorized nor guessed, and is for that reason not a "knowable" thing. If it was considered a "know" factor, then the "remember device" feature would effectively be a "conditionally disable 2FA" feature (two "knows" are 1FA), but it's really not that, outside of describing the interim UX.

I think that a "remember device" feature is a totally orthogonal concept. That's really just another word for a session, and it's quite common for authentication to apply to an entire session rather than to each and every message in a session.

It's true, of course, that once you have created an authenticated session on a device, anyone who has compromised that device (with physical access or a software hack) can likely gain access to that session. But the authentication method still prevents unwanted initiation of sessions, which is the whole point.

Any service provider obviously needs to choose their session policies to match the sensitivity of their service, their own threat models, and the threat models of their clients. So e.g. an online bank probably shouldn't issue cookies that last for a year and are portable across IP addresses. For some services, it could be a good idea for the session to only grant less sensitive access (e.g. only read access), and still require fresh authentication for sensitive actions (e.g. transferring money).

Totally agree, it’s crazy to have your 2FA and password manager be the same application. You can actually disable 1Password’s 2FA and tie a different 2FA. I’m not sure if it’s just a business/teams feature, but we are able to require everyone at the company install and use Duo as their primary 2FA as part of their 1Password activation.
The only use case I've identified for 1Password 2FA is an account that _must_ be a shared login. There are a few business services we use that don't support multiple users on an account.

Our choice is either:

* No 2FA

* Virtual, 1Password 2FA

It's better. But it's not great.

Is there any reason why you couldn't set up the same TOTP authentication on multiple devices?
It's a pain and would require setting it up on nearly every employee's device.
A password manager itself should be protected with 2FA already. Especially in terms of 1Password since you mentioned it, you need to have both master password and private key to decrypt a vault. It is a pretty strong 2FA as long as you know how to protect the private key.

Granted that if you put your TOTP seed somewhere else outside the password manager, you technically achieved "3FA"(1Password master password + 1Password private key + TOTP token) and it is more secure. But I don't think putting TOTP seed and password together in the same password manager weakens 2FA?

To login to a website:

- Without a password manager, your 2 factors are account password + account TOTP.

- With 1Password, your 2 factors are 1Password master password + 1Password private key.

I avoided using my password manager's 2fa for quite some time for the same argumentation...

But when I realised the 'something you have' is the password manager (actually, the data store) itself, and the 'thing I know' is my master password (and not the individual site's password) I've started using it for 2fa. I can still see how the subscription version of 1password stretches that definition though (because you don't actively have unique ownership of the data itself), which is why I use keepass now.

Just like a dongle, your pc is not immune to evil maid if left unattended. My threat model isn't inclusive of that (my threats come from the internet - I live rurally).

Requiring your phone for 2fa (google auth or sms 2fa or other) isn't a panacea either, especially if that's the device you're logging in with.

I wish Google would allow setting 2fa without a phone number...

> the 'something you have' is the password manager

The problem is, assuming your master password is unique (I hope so!), all of the likely vectors for exposing it also expose the database, even if it's only kept locally. Having the database only stored in one place is also quite inconvenient, of course, and any sync mechanism adds even more opportunities for it to be exposed.

My computer could very easily have a zero-day vulnerability get exploited. So could my phone. Either one would expose anything I do on it (for example: access my password database using my master password).

(My solution to this is to use a security key for as much as I can. If you're not concerned about this risk, great, but it definitely is a threat.)

Your example is correct, but your 1Password account can be protected by MFA that's separate from 1Password itself. They also support U2F.

I personally have all my MFA codes in 1Password, but 1Password is protected with my Yubikey. In the unlikely event that a bad actor did acquire my master password, they wouldn't get far unless they also physically had my hardware security key.

1. 1Password requires a secret key[1] in addition to the master password to gain access on a new device - specifically to protect against weak/reused/leaked master passwords

2. You can add 2FA (well, technically 3FA if you need the secret key, master password, AND a rotating token) to your 1Password signin as well (I auth Authy for that purpose)

[1] https://support.1password.com/secret-key/

By implementing #1 and #2 seems like you would still have a layer of protection even if your master password get key-logged.
The second factor for login to 1Password (or other password managers) protects you from people logging into your account officially, but not from vulnerabilities or inside action of the vendor.

1Password also seems able to bypass the secret key ("If you still can’t find your Secret Key, contact 1Password Support.") which means social engineering, phishing, and/or credential stuffing attacks are viable.

somthing you have and something you know. a password can be hacked remotely. something you have is more involved. these are layees if security. some are better than others and there are gimicks like some forms of recovery.
> The central idea of 2FA is it's something you know and something you have. If that 1Password master password is the only thing needed to gain access then you don't really have 2FA.

Well, this is not exactly true. You need to know the master password, and you need to have the device that has the 1Password database on it. Even with the knowledge of the master password, you can't login into your $random_website account from my laptop. So even without the additional one-time 2FA codes, using a password manager that has a master password and doesn't synchronize its database, de-facto, _is_ a form of 2FA. Yes I understand that this view is controversial and that auditors will disagree.

My parents are low tech and don’t have cellphones. I guess they’re going to have to get a call on their landline now every time they have to 2fa?
I am curious about this as well parents in the same position. What happens now?
My Dad is in the same boat. What about a Titan/yubikey? They are fairly easy to use - although you might have to help your parents with enrollement.
Others have mentioned a desktop app, but how often do your parents have to 2fa? It's not every time they log in (unless they're buying a new burner laptop every time they log in. If they are, there may be other issues to discuss first.)
I've found Google asks for 2fa at pretty random times. I do travel a lot but still it happens at least once a month.
low tech, but with google account?
Yeah they can barely manage email. I've taught them how to forward email a dozen times but that's a bridge too far for them.
Google discontinued the "read you a number over a landline" feature a little while back and only supports texting now.
Because your parents do not have cellphones, Google will conclude that it doesn't know a better way to authenticate them and they get to keep their existing (poor) security. As the article eventually explains.

If you would like your parents to have better security for these accounts, I commend Security Keys. Unless your parents aren't together any more, or are just really fervently independent, it's probably fine to buy them one each, but with the suggestion that they both enroll both keys. This way when Parent #1 loses the Yubikey you bought them, Parent #2 can use their Yubikey to save the day until a new one is purchased.

Yubico's USB A format factor "Security Key 2" is robust, but relatively expensive for what you need.

Searches for "Security Key" on Amazon or your preferred site will give you a pile of products and review feedback across price brackets, the only thing your parents are likely to care about are the connector (USB A is no use for a USB C MacBook for example) and maybe other form factor concerns like can it hang from a keychain, or would it fit in a wallet? For their purpose these things don't fill up, and shouldn't (modulo physically smashing it) wear out.

Something like this is really going to be a challenge for them. Might be time to move them to fastmail.
> USB A is no use for a USB C MacBook for example

You can always buy a USB-A-to-USB-C adapter/converter. They are available everywhere, inexpensive, and if you're afraid it will be misplaced, there's always the option to glue the USB A key to the adapter...

FWIW I've been using Authy for all my 2FA for years, including Google's, without any issues
And authy has a desktop app too, which makes it much more convenient.
The whole point of 2FA is that 2 devices need to be compromised - your phone AND your computer. With desktop Authy only one device - your computer - needs to be compromised.
This is correct but, in the vast majority of cases, attacks are carried out remotely. I would agree that where third parties have access to your machine, it would be not be a good solution.
If someone controls your computer remotely, it's the same as if she controlled it physically, no difference from pownership point of view.
Authy desktop app doesn't show some entries for me though. Dunno why
You can always use SMS 2FA
SMS 2fa is still multiple times more secure than no 2fa at all though.
That's not really on the table though. We are not talking about your local tech illiterate bank here. We are talking about securing your Google account which is likely used to SSO authenticate with many other accounts.
I sort of disagree. With social engineering, it could be easier to reset someone's password with a SIM swap than traditional means. For many years, PayPal refused to do true 2FA and I cringed at having to choose between no 2FA or SMS-based. Phone numbers are much easier to source through public records than many people realize. As someone who has had the same primary cell phone number since I was a teenager, I’m honestly shocked it isn’t in more places (I’ve taken great pains to limit it getting out, but I’m still shocked). That scares me enough to almost get a second number, but that’s such a pain in the ass and not a great solution.
There are services that have safeguards in place against sim swapping, coincidentally one of them is Fi: https://support.google.com/fi/answer/9834243?hl=en
Apparently the safeguards consist of using a non-SMS method of 2FA. Maybe just do that in the other case too.
While I'm sure that Fi and Google Voice are better than almost any other carrier based SMS security, this does nothing to convince me to ever use SMS 2FA.

"Your Fi number is tied to your Google Account." -- I'm sure you've seen cases of people's google accounts being randomly locked for no reason. Now you lose access to make a call too!

The last thing I'd ever trust security to is SMS. Lots of good technical details here:

https://lucky225.medium.com/its-time-to-stop-using-sms-for-a...

No matter what cellular service you use, you run a risk of being flagged as a false positive for fraud locks (irrespective of SIM swaps).

If a SIM swap scam is happening and your account is locked, it is incredibly unlikely they'll be able to swap it out.

Huh. My google account shows Security Keys as the default 2fa option. When I login it goes straight to the security key prompt.
> I already have 1Password set up in the browser to autofill 2FA codes

The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.

> The whole point of 2FA is to have "2" independent pieces of data to verify logins. Gating 2FA behind a single password defeats the point.

Indeed.

It's also why I think U2F should be mandatory in way more places/sites/companies (it is in some, thankfully): you then need to physically have a Yubikey or similar and it's not possible anymore to trade security for convenience. It doesn't solve all security issues, but it's already a great step forward.

When you let people the choice, they'll pick the lazy, insecure, way.

My password manager requires a hardware token to log in. So now the second factor is "has a device I've logged into my password manager with, or the hardware token for the password manager".
Which isn't something you have. It's something you know, gated behind something you have.
Two passwords - a master password, and a secret key. That secret key comprises the phone or laptop with 1password configured being the "something you have" for MFA because it's basically the same as the TOTP seed value/QR code - that secret key is only used by the user when setting up a new device - similar to when a new TOTP MFA is set up.
That's not how MFA works.

Chaining just increases vulnerability.

Security often comes at the cost of convenience.
False dichotomy, these issues would be gone if google provided any meaningful customer service for edge cases.

You can fill forms and feedback but I have never heard of free users ever getting as much as a reply back.

If you are working in facility where you can't have a mobile phone nearby, it is incredibly frustrating. Sure, just print out a long list of codes every week.
I've used a U2F dongle for my 2FA with Google for a few years. I've been enrolled in the Google Advanced Protection program for a while. I don't have any issues around Google logins, just plug in my U2F dongle and press the button or hold the dongle near my phone for NFC to do its magic.

Another benefit is that I'm much less likely to lose my U2F dongle as it's on my physical keychain (and has been, for years, without damage) than I am to need to replace or wipe my phone (although a password manager with 2FA codes in it also avoids this).

For anyone who says, "But what if $WORKPLACE doesn't allow you to plug in USB dongles or use NFC!?!" my counter is then maybe you shouldn't be logging into your personal Google account on that PC. And you probably have an IT department who already have a solution for 2FA that you're required to use.
Also, just because you aren't allowed to plug in "USB dongles" such as flash drives, does not mean FIDO authenticators [the things needed to make WebAuthn or its predecessor U2F work] won't work.

A FIDO authenticator is actually a USB HID class device, like a keyboard‡. So, if your $WORKPLACE doesn't allow you to plug in keyboards then, OK, I guess maybe a FIDO dongle isn't worth trying, but few people are in that situation.

If your employer has a policy of specifically issuing and authorising only particular devices (e.g. you can pick from a list of 3 Dell branded keyboards and 2 Logitech keyboards and anything else needs HR director override) then seems like it's time for them to authorise and issue a nice high quality FIDO authenticator. Yubico make some eye-wateringly expensive models, maybe they should pick those.

‡ "Like" a keyboard but it isn't a keyboard. The FIDO protocols don't involve keypresses, the device is just HID class because well, it's a Human Interface Device, seems legit. It sets protocol to 0xFF custom, and needs dedicated software to use that, which is fine.

Some work machines have all external ports glued shut and the mouse/keyboard are non-removable to prevent data exfiltration. Though you shouldn't be logging into personal accounts on those machines anyway.
This is quite a flippant response. These requirements are being put in place against (some) users' will. Simple changing email providers isn't exactly easy and maybe they need to access that account. Maybe Google should allow users to turn this off?
I've had the same experience. Signed up for Advanced Protection Program not long after it was announced and I've been very happy with my MFA experience with Google for years now.
If you use a Google Titan Key with Apple devices, have you been able to pair and successfully authenticate using either (1) bluetooth only, or (2) NFC only, on any Apple device?

I have not, and it's frustrating that Google offers no support beyond their help pages for their own branded hardware.

I use a few Yubikeys and a Bluetooth Feitian key with my iPhone 8. My wife uses a Google Titan USB key and Bluetooth key for her Apple devices. Our iPads are too old to have NFC, but the Bluetooth paired fine with Google's Smart Lock app and we've used that.

For our iPhones, the NFC has worked fine even without the Smart Lock app. I believe Google phased Smart Lock out some time ago but I've not tried using it in a while, I don't use an iPad very often.

Yes, the bluetooth titan key definitely worked for me and my wife on our iPhones. I think NFC did too but I haven't had to reauthenticate my iPhone in ages so I don't remember for sure.
What's your plan for when your dongle is lost/stolen/destroyed? Many U2F devices cannot be backed up and they recommend that you register with 2 separate devices. But while that is possible, it certainly doesn't scale and really is useless advice for the general case.
Can you elaborate on it not scaling? Keeping a spare is a pretty common pattern; see tires, house keys, emergency supplies.
I have 3 U2F devices. My wife has 2. For any U2F logins we have, we have enrolled all of our dongles in each login.

At least one of each of our devices is always stored at home in a safe place, where we store other valuable documents. If either of us lose one device, we will buy a new U2F dongle, enroll the new dongle, and unenroll the old lost/missing/stolen dongle from each of the services we use.

You can't backup a U2F dongle but so far everywhere I've enrolled to use one it always recommends you enroll at least 2 and keep one in a safe place.

Mind sharing which U2F dongle and phone you use?

I haven't been able to get any Google Titan Key to work with any Apple device via NFC.

I have a Yubikey 5, Yubikey 4, and a Feitian Bluetooth key, the Feitian is basically the unbranded Google Titan Bluetooth key. Both work fine, although I haven't used the Bluetooth one in a while. I use my Yubikey 5 on a regular basis.

I use an iPhone 8.

FWIW, you could use a different app, other than Google's. For example, you could use an app called Authy or the Microsoft authenticator app. Then AT LEAST, the app is outside the Google network.
One alternative (though it's absurd it has to be this way) is to use two separate google accounts - one for your phone, one for everything else. It actually solves a few invasive/dark patterns Google employs.
1Password isn't really multi factor authentication though.

Google doing it properly should not upset you this much.

Google's 2FA doesn't make sense. The 2FA bugs sometimes tried to log in to a brand new laptop, and it automatically logged me in without any asking for verification.
Great now if I lose my phone, or if it breaks, I'm in grave danger of losing my google account.
That’s the beauty of 2 factor. If you lose your phone and a bad actor picks it up, they now have one of your factors (what you have) but not “what you know.”

Your example is a great reason for 2FA to exist.

Consider 3 situations:

1. Google does not require 2FA.

2. Google DOES require 2FA on an account, but only requires the second auth if "suspicious activity" crops up.

3. Google requires 2 auths on each and every login.

On 1, if a bad actor picks up your phone and tries to log in, they will fail if you haven't saved your login, or succeed if you've been lazy and saved it. In the latter case, that's really on you (and you might still be able to get your account back even then, if they didn't fully and quickly reset password and other details!)

On 2 however, they will try to log in, fail, and trigger a lock-down that can only be lifted with both auths. One of which you don't have anymore. Congrads, you've just lost your account!

3 is the same as 2, just for different reasons. As soon as that phone disappears, you don't have the second auth, and you're screwed.

And don't even bother with anything that isn't a phone. We both know nobody in the general public is using anything other than text for this. And some older folks don't even have that! Add on to this that SMS can be easily hacked, and it's pretty clear this whole system is a joke.

You just put in your back up codes to restore access. That’s why the backup codes/words exist. If I lose my crypto wallet or it gets stolen, I go to my bank, get the words from my safe deposit box, and use those words to seed my new wallet. Doesn’t have to be a bank — a home safe or filing cabinet will work, but when my phone broke I had zero problem restoring my 2FA on my new phone using the backup words.
You can use your backup codes. In fact your point is a good reason to HAVE MFA given that in the past, if you lost your phone all your data would be compromised.
> In fact your point is a good reason to HAVE MFA given that in the past, if you lost your phone all your data would be compromised.

In the past, wouldn't all your data still be behind a password? Am I missing something?

Is this really "mandatory" or rather just "opt-out?" My understanding is that it can still be disabled...
This was already required to generate what's called an "App Password", in order to keep using IMAP in a sane way without constantly getting emails about suspicious logins when my K9-Mail app on my phone connects to public hotspots.

The irony of the matter is that I keep my OTP key in the same password manager as my google password, in order to not require a phone to access it, and this "App Password" is significantly weaker than my generated passwords...

Oh and I should add that it was already rather compulsory in order to be able to log in to your account on "public" computers (think printing services, schools, ...), as google would straight up block the login unless you got an existing device to confirm your login (i.e. a phone with google apps and services, which I don't have). With the 2FA enabled this no longer is a problem as long as I have a device nearby on which my OTP key is stored...
it is for your own protection. time to switch to outlook.com
I'm OK with MFA, but it doesn't allow a swedish phone number as backup solution. That's annoying ...
(comment deleted)
Seems like a great backdoor method to fool everyone into giving Google their phone numbers.
can't you use an authenticator app or hardware key?
You could, but the vast majority of people probably won't.
This article links to a Google blog post which notes explicitly: "NOTE: The automatic 2SV enrollment will not impact organizations on Google Workspace. Organizations on Google Workspace will continue to have the choice of enrolling their users in 2SV via the admin console."