
Part of the issue here that I don't see people addressing is that SMS as an only-factor recovery tool is often not optional. I hit a case like this just the other day: the service would not allow me to log in at all without adding an SMS number. This is becoming increasingly common.

The irony is that my security is now worse. At least my password was randomly generated.

I'm not sure what there is to do about this, other than educating as broadly as we can and hoping that engineers advocate in their own organizations to change this.




I really hope that I am not the only one requesting businesses to not do this when I encounter it. It may be the only way to get it to stop.

Open a case with customer service and represent it for what it is: a security hole that prevents you from using the service.


That is because Google and other companies derive more $ from your number than protecting your privacy/security.


Google doesn't require SMS. They often ask me when I log in, but I can always hit 'skip', which I do because I'm scared of this exact case.


This is not universally true. If Google decides that your account looks suspicious, either at creation or a later date, you are unable to access it until you provide a phone number.

You also used to be unable to set up a U2F/FIDO 2FA without first setting up SMS 2FA (but you could delete the phone number from the account later). Not sure if that's still the case.



