top | item 31252338


vort3 | 3 years ago

It's not even about not being willing to spend $1 for a random phone number.

Here's a list of things that are wrong with what Google does:

- If you want to read your email, you have to use an app-specific password. I'm OK with that.

- You can't generate app-specific passwords if you don't have 2FA enabled. That's some artificial limitation made to force you into adding a phone number to your account.

- You can't use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is a primary method, and an authenticator app, which can be set up by scanning a QR code from the screen without sending any information at all, is "secondary" and can only be used after you give your phone number.

- You can use a "notification" to confirm it's you, but you can only do that on the phone. I'm currently logged in in my browser; certainly I could confirm any login attempt from that same browser. Wouldn't that be a second factor?

- Nowhere in announcements or help pages or in the Google Account interface do they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing, and you wouldn't even know it should be there unless you search on the internet.

- Nowhere do they tell you that the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.

All of this is just bizarre and ugly. I have no idea why other people are not complaining; probably most of them just accepted it and added phone numbers.


loosescrews|3 years ago

> You can't use authenticator app to enable 2FA

Are you sure about that? I don't think this is true. I definitely don't have a phone number linked to my Google Account and I have TOTP enabled as well. They even have the Advanced Protection mode which doesn't allow SMS or the authenticator app.

Really though, you should do the last thing. Buy some security keys and enable Advanced Protection.

nagisa|3 years ago

Google used to give more options before. Today, if you want to set up 2FA, you must either give them a phone number or use a phone.

Only then can you add other authentication methods (e.g. a hardware key) and remove your phone as an option.

Source: went through this nonsense a couple years ago and then again a couple months ago with a different account.

bbbbbr|3 years ago

This is correct. A phone number is NOT required to enable 2FA, at least in my experience within the last few months.

I set up 2FA to use YubiKey hardware keys for a Google account, and was then allowed to generate app passwords. No phone number has ever been attached to the account.

I do agree that not allowing app-passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy oriented) alternatives (as may be evidenced at least in the case of OP).

malux85|3 years ago

I've seen different authentication methods for different countries, etc. For example, there are some countries where, if you put in your age as > 70 when signing up, the combination of being old and in a poorer country means Google never asks you for a phone number, because it's likely you don't have a cellphone.

So the rules can vary by region.

Canada|3 years ago

It is true; I have recently looked everywhere. You can't choose TOTP with only a desktop web browser.

I'm really glad that I've never used a gmail address for email before, I'd hate to be stuck with using anything run by Google.

lnxg33k1|3 years ago

Yeah, I am sure too. My last company used Google Apps and I didn't want to use my personal number for Google, but they forced me to insert a number in order to use 2FA, so I had to ask for a work SIM just so that Google would STFU. It was said to be a backup method for Google Authenticator. F*ck Google.

Companies using Google Apps, keep in mind: you pay money for a service, but if there's Google involved, you're still a product. Just avoid it.

pid-1|3 years ago

I've tried that a few days ago.

You always need to add a phone as your first MFA method.

A simple hack though: you can add other methods, then remove the phone.

Your account was likely created before phone MFA was mandatory (as the first method).

jqpabc123|3 years ago

> I definitely don't have a phone number linked to my Google Account ...

If you use an Android phone, you most definitely do have a phone number associated with your Google Account. Android sends your IMEI and SIM card info to Google servers.

tinus_hn|3 years ago

Unfortunately, because their Google Authenticator app refuses to back up half of the codes, they have to make sure there is an escape hatch if you lose your phone.

dzhiurgis|3 years ago

True for a few years now.

im3w1l|3 years ago

> That's some artificial limitation made to force you into adding phone number to your account.

Agreed

> You can't use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is a primary method, and an authenticator app, which can be set up by scanning a QR code from the screen without sending any information at all, is "secondary" and can only be used after you give your phone number.

The number of people getting locked out of their account because they lost the phone with the auth app would be unacceptably large, is my guess. People lose their phones all the time. SIM-jackings are rare.

Szpadel|3 years ago

Not only a lost phone: a damaged phone is enough, as you can easily swap a SIM card, but an authenticator needs to be set up again. BUT there are also one-time recovery codes; they could add an option to use those to recover after clicking through a few screens of warnings to make sure that you know what consequences it has.

eternityforest|3 years ago

I never thought of the whole idea of wanting to hide my number from them, and I suspect most other users haven't either, but it does seem like an issue once you think about it.

It might have something to do with not wanting to have tons of spam accounts out there? Do they have code to keep a closer eye on unverified accounts?

Or preventing broken devices from locking people out, in a "We must protect users from themselves" kind of way?

Google is a mass market company, clearly not a privacy company, anyone who really wants to not be constantly tracked should probably stay away for many more reasons than this.

glennpratt|3 years ago

It does make sense from one perspective I've seen. Scammers are using 2FA to lock people out of their own accounts and demand a ransom for the tokens. It happened to a friend of mine a couple of months ago.

throwaway81523|3 years ago

> It's not even about not being willing to spend $1 for a random phone number.

Some sites (e.g. Scaleway.com) won't accept VoIP numbers: they require numbers from actual mobile networks. That is a pain for me, since my main phone number is a VoIP number that forwards to my mobile. I do that so I can change my mobile number and just update the forwarding target, or forward to a landline if I'm someplace with a lousy mobile signal, etc. All of this sucks.

closetohome|3 years ago

It's also not unheard of to enter a valid phone number and get a message that the number has been used too many times and is no longer valid for 2FA.

nunez|3 years ago

Get an ultra-cheap prepaid line, then cancel.

Some (like Visible) allow you to sign up without providing any of your own PII.

mid-kid|3 years ago

The worst part about this 2FA story is that if you don't have any 2FA methods, Google will effectively lock you out of your account if you're trying to log in from an "unusual" device, i.e. any public (school, library) computer or wireless access point. If you don't have a phone with the proprietary Google apps installed and logged into your account, you literally can't log in in such situations. Make sure you always have a computer/OS combination that's recognized by Google when you travel.

I used to constantly get emails about suspicious logins detected simply from moving around hotspots with my phone trying to log into IMAP. This was until I enabled the app password thing, which generated a password that's both shorter and uses fewer distinct characters than my old IMAP password.