Hacker News new | past | comments | ask | show | jobs | submit login
Google's most ridiculous trick to force users into adding phone number
414 points by vort3 on May 3, 2022 | hide | past | favorite | 237 comments
"To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password."

What does it have to do with phone numbers, you might think? Well, it's not that obvious.

I have beed using FairEmail app to read emails on my phone for many years. Recently, Google made this change, so I thought I need to take some actions to make sure I can continue using my favourite email app. After reading a bit, everything looked pretty simple:

- I could add my email account to my phone and login using google's native authentication methods, or

- «you can use an app password, please see below.»

Sure I don't want to add google's account to my phone just to be able to receive emails via IMAP, so I'll just generate separate app password for my email app, right?

Well, for some reason it's not possible to generate app passwords unless you have 2FA enabled. The option is just not there.

What can be simpler than adding 2FA to my account? I use password managers and my passwords are super strong, but I have no other choice, I'll have to use an authenticator app to continue reading emails on my phone, doesn't make much sense but anyway…

You can't just scan a QR with TOTP secret and enable 2FA for your account. Well, you can, after you enable 2FA by SMS using your phone number, or 2FA by notification on the phone, after you add google account to your phone. But using an authenticator is an «additional method» which is not available until «primary» 2FA method (SMS / phone number) is added. Oh, you can give away your phone number first, enable 2FA, after 2FA is already enabled you can remove 2FA by SMS and keep using authenticator app as your 2FA method, it's simple.

I guess I'll just have to stop using google. Thanks for making my life more difficult and caring about my security, Google.

TL:DR; You can't use «less secure» apps (apps other than official gmail app) to sync emails if you don't want to link your account to your phone number or add google account to your phone.




It's not even about not willing to spend 1$ for a random phone number.

Here's a list of things that are wrong with what Google does:

- If you want to read your email, you have to use app specific password. I'm ok with that.

- You can't generate app specific passwords if you don't have 2FA enabled. That's some artificial limitation made to force you into adding phone number to your account.

- You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.

- You can use «notification» to confirm it's you, but you can only do that on the phone. I'm currently logged in in my browser, certainly I could confirm any login attempt from that same browser, wouldn't that be a second factor?

- Nowhere in announcements or help pages or in the Google Account interface they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing and you wouldn't even know it should be there unless you search on the internet.

- Nowhere they tell you the only way to enable 2FA is to link your account to your phone number or to your android/iphone device, the options are just not there.

All of this is just bizarre and ugly. I have no idea why other people are not complaining, probably most of them just accepted that and added phone numbers.


> You can't use authenticator app to enable 2FA

Are you sure about that? I don't think this is true. I definitely don't have a phone number linked to my Google Account and I have TOTP enabled as well. They even have the Advanced Protection mode which doesn't allow SMS or the authenticator app.

Really though, you should do the last thing. Buy some security keys and enable Advanced Protection.


Google used to give more options before. Today if you want to set-up 2FA you must either give them a phone number or use a phone.

Only then you can add other authentication methods (this a hardware key) and remove your phone as an option.

Source: went through this nonsense a couple years ago and then again a couple months ago with a different account.


You can start with a hardware key: https://i.imgur.com/FIjNyIh.png


Man, this thread is such a shinning example of why "trust, but verify" is a phrase.

There is ABSOLUTELY an option to enable 2FA on a Google account now that does not require giving them a phone number. There's a clear "Advanced Options" link that lets you choose a security key, which is what folks should be using anyway.


True, I just didn't write that because physical security key is not an option where I live.

Other than security key, it's only phone number or adding account to the phone.

I'm sorry I didn't mention that in my post, I wasn't trying to lie, I just can't obtain physical key and I don't think I have to have physical key to read my emails.


Don't feel bad. I recently went through the process of enabling app passwords and what not for google accounts. I did that because I lost control of one account and decided to implement every recovery option possible on the others - like TOPT's and backup codes. If there is a way to do it without purchasing stuff like tokens or entering phone numbers, I could not see it.

If there is a way of doing it, I suspect it's deliberately well hidden. I also suspect what they enforce varies by country.


Where is that? Judging by your comment history, maybe Kazakhstan? I can easily find physical security keys for sale in Kazakhstan. For example miningshop.kz in Almaty has Ledger Nano S in stock.

Besides, you don't need an actual physical key for U2F.


Almost nobody in the world have physical key and they shouldn't need to buy one when 2fa apps are sufficient for most people.


TOTP doesn’t protect against phishing, U2F keys do. Sadly very few companies have them as an option, which goes to show how 2FA is mostly security theater at all but a handful of companies.


use virtual authenticator (https://developer.chrome.com/docs/devtools/webauthn/)


Does that actually work? I assume google verifies the authenticity keypair(I forgot the specific term) that cannot be extracted authentic devices.


This may vary regionally. I went through this with an account recently and did not have this option, despite looking for it (as I do have a hardware key).


This is correct. A phone number is NOT required to enable 2FA, at least in my experience within the last few months.

I set up 2FA to use Yubikey hardware keys for a google account, and was then allowed to generated app passwords. No phone number has ever been attached to the account.

I do agree that not allowing app-passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy oriented) alternatives (as may be evidenced at least in the case of OP).


You are right that I can bypass adding phone number if I have Yubikey, but unfortunately I don't have one and can't get it.


use virtual authenticator (https://developer.chrome.com/docs/devtools/webauthn/)


This may be a recent change, a few years ago when I tried this, I was definitely unable to add Yubikeys to a Google account until I added phone-based 2FA first.

If now it's just 'not recommended' then this is an improvement.


I've seen different authentication methods for different countries etc, for example there are some countries that if you put in your age as > 70 when signing up, the combination of being old and in a poorer country means google never asks you for a phone number, because it's likely you don't have a cellphone.

So the rules can vary by region


It is true, I have recently looked everywhere. You can't enable choose TOTP with only a desktop web browser.

I'm really glad that I've never used a gmail address for email before, I'd hate to be stuck with using anything run by Google.


Yeah I am sure too, my last company used google apps and I didn't want to use my personal number for google, but they forced me to insert a number in order to use 2FA, so I had to ask for a work SIM just so that google would STFU, it was said to be a backup method for google authenticator, f*uck google

Companies using google apps, keep in mind, you pay money for a service but if there's google involved, you're still a product, just avoid it


Microsoft plays the same games with their authenticator app.


No they don’t. I run an M365/Azure shop and not a single user out of hundreds has given their mobile number to Microsoft.

My personal consumer MSFT/Xbox account also has no mobile number attached.


Yes they do when your M365 using employer insists that you have to use the authenticator app on your personal phone and won't provide an alternative option.


At no point during setup does Microsoft Authenticator app collect your mobile number. That is in fact the whole point of the app: SMS is insecure for 2FA so collecting a mobile number makes no sense.

Most of our people including myself choose to enroll a personal phone rather than carry two devices, and somehow none of these hundreds of people ever provided their mobile numbers to Microsoft. I think you are mis-remembering the setup experience, or your employer chose to enable some non-default options that uses SMS as a backup option to the app.


Prior to Android 11 no permission was required to retrieve a phone number via the API.


Do you have evidence from the apk that phone numbers were being retrieved?


So far all the services that required MS authenticator for me turned out to be perfectly fine standard TOTP.


Let’s avoid Microsoft too?


I've tried that a few days ago.

You always need to add a phone as your first MFA method.

A simple hack though:you can add other methods, then remove phone.

Your account was likely created before phone MFA was mandatory (as the first method).


> A simple hack though:you can add other methods, then remove phone.

Sure. That's like when I deleted my DigitalOcean account. They still send me notices about their service. Just because something is deleted for you doesn't mean it's deleted for them.


well said!


I definitely don't have a phone number linked to my Google Account ...

If you use an Android phone, you most definitely do have a phone number associated with your Google Account. Android sends your IMEI and SIM card info to Google servers.


Unfortunately because their Google Authenticator app refuses to backup half of the codes they have to make sure there is an escape hatch if you lose your phone.


True for few years now


> That's some artificial limitation made to force you into adding phone number to your account.

Agreed

> You can't use authenticator app to enable 2FA. I have no idea why SMS which is the least secure way to send information is a primary method and authenticator app which can be set up by scanning QR from the screen without sending any information at all is «secondary» and can only be used after you give your phone number.

The amount of people getting locked out of their account because they lost the phone with the auth app would be unacceptably large, is my guess. Like people lose their phones all the time. Simjackings are rare.


not only lost phone, but damaged phone is enough, as you can easily swap sim card but authenticator need to be set up again. BUT there are also one time recovery codes, they could add you option to use those to recover after clicking through few screens of warnings to make sure that you know what consequences does it have


That's one reason I definitely prefer SMS auth to any other method at the moment.

What if your phone is damaged while traveling and you are away from where you stored your recovery keys?


Whenever I add a new 2FA token, I always add it to my phone and a TOTP app (Authy) on my computers. Same thing for recovery keys.


You can always bring a paper recovery code or FIDO authenticator (both of which are safe against SIM swapping attacks).


we've been told for decades to "not write passwords on postits" and we're really back to square one...


It's not a password, it is a secondary, single-use recovery second factor.

Carrying that around in a wallet doesn't make you any more vulnerable to physical attackers than carrying your Yubikey on a keyring, and it's much more secure against remote attacks than SMS-2FA (where you can fall victim to SIM swapping, number porting attacks etc).


ideally the paper would be in a safety deposit box / safe and not stuck to your monitor.


If it fits your need to have it a fixed location, then yes.

But he talked about traveling.

IDK about you but I don't travel with a safe in my backpack


Just put it in your wallet and/or luggage. Without your account name and password, it's useless to any potential thief.


Lots of people's luggage include enough info to work out their name and likely home location, which is commonly enough to work out their username for a lot of popular services.

That makes the whole "stolen luggage" thing even far riskier. :/


But hopefully your luggage does not contain your Google account password.

Again, the recovery code is one factor.


I never thought of the whole idea of wanting to hide my number from them, and I suspect most other users haven't either, but it does seem like an issue once you think about it.

It might have something to do with not wanting to have tons of spam accounts out there? Do they have code to keep a closer eye on unverified accounts?

Or preventing broken devices from locking people out, in a "We must protect users from themselves" kind of way?

Google is a mass market company, clearly not a privacy company, anyone who really wants to not be constantly tracked should probably stay away for many more reasons than this.


It does make sense from one perspective I've seen. Scammers are using 2FA to lock people out of their own accounts and demand a ransom for the tokens. Happened to a friend of mine a couple months ago.


> It's not even about not willing to spend 1$ for a random phone number.

Some sites (e.g. Scaleway.com) won't accept VOIP numbers: they require numbers from actual mobile networks. That is a pain for me since my main phone# is a VOIP number that forwards to my mobile. I do that so I can change my mobile number and just update the forwarding target, or can forward to a landline if I'm someplace with a lousy mobile signal, etc. All of this sucks.


It's also not unheard of to enter a valid phone number and get a message that the number has been used too many times and is no longer valid for 2FA.


get an ultra cheap prepaid line then cancel

some (like visible) allow you to sign up without providing any of your own PII


That defeats the purpose, which is to give them a number that works in case they have to contact me. I have a stable VOIP number that forwards to one of various ephemeral numbers at any given time. The VOIP number really is the right one to give them and for them to use. But they are too smart for their own good.


The worst part about this 2FA story is that if you don't have any 2FA methods, Google will effectively lock you out of your account if you're trying to log in from an "unusual" device, i.e. any public (school, library) computer or wireless access point. If you don't have a phone with the proprietary google apps installed and logged into your account, you literally can't login in such situations. Make sure you always have a computer/OS combination that's recognized by google when you travel.

I used to constantly get emails about suspicious logins detected simply from moving around hotspots with my phone trying to log into IMAP. This was until I enabled the app password thing, which generated a password that's both shorter and uses less different characters than my old IMAP password.


Every tech company is losing the war against credential stuffing. I have a friend working at a series B startup with <10k MAU, you wanna know how many login attempts there are each month? 25,000 login attempts. Per user. That's 250m login attempts each month using stolen credentials.

None of the service providers who claim to fix the issue are worth their weight in salt. Shape, Akamai, none of them have a grip on the problem because the attackers are constantly evolving. As you can see, even Google is capitulating despite all the fud that people on HN spread about the company being omniscient.

Anyone who thinks this is about advertising/collecting personal data is out of their minds.

The worst part is nobody can talk about it because anything you reveal about your problems can give the attackers a massive edge.


There are far better ways to stop credential stuffing than requiring a phone number that would be immediately obvious to the people at Google - Hashcash, for instance[1].

250M login attempts times a few seconds of CPU time is a lot of compute cost to inflict on an attacker who is carrying out the same attack against a bunch of other services at once, and virtually nothing to the few thousands of active users who should only be logging in once every few months each.

And yes, a few extra seconds of logon time is viable, because people are used to the login process taking a few seconds and they don't do it very frequently.

"Credential stuffing" is straight-up an invalid excuse for asking for someone's phone number.

[1] https://en.wikipedia.org/wiki/Hashcash


Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone. Attackers do not use their own hardware, and don't care about how much energy is used by their bot devices.

In a normal attack, there are maybe 2-3 requests per hour that come from each hacker-owned device. The only thing that hashcat would do is drastically increase power consumption at no cost to the attacker, and turn the application into a battery drainer on mobile devices.

So no, Hashcat is not an adequate solution.


> Attackers are using hacked IoT devices to do these attacks. These devices have roughly the same computing power as a mid level smartphone.

False for a very large variety of low-power IoT devices using chips like the ESP32, which are multiple decimal orders of magnitude slower than a modern computer (or high-end smartphone) and will absolutely take far longer to compute a Hashcash challenge than one of those devices. Your smart light bulb is absolutely not hosting a Qualcomm Snapdragon 450 to change its colors.

Additionally, adding this compute+power load causes the presence of malware to become far more visible on these devices, which increases risk of discovery, which is a significant upside.

Finally, because there's now a significant computational cost to performing a login attempt, the value of individual devices are further decreased to the attacker, which reduces their likelihood of compromising these devices, and for using them for these kinds of attacks against services that use this measure.

So, yes, Hashcash is absolutely an adequate solution, and yes, there is absolutely a cost to the attacker.


You have no idea what you're talking about. Botnets are almost entirely ISP router/modem combo devices.

Hashcat was proposed over 20 years ago. You really think out of all the tens of thousands of security engineers working on this problem, nobody has ever considered it? Get a grip.

I hate how this website incentivizes people to try to make posts that sound smart instead of posting stuff they're actually knowledgeable about.


> Botnets are almost entirely ISP router/modem combo devices.

Above you say they are IoT devices. I don't mean 'gotcha', but to learn: What does the population of botnet devices consist of?


This comment violates probably about a dozen different parts of the HN guidelines[1]. You should calm down with the ad-hominems and substance-less claims and give the guidelines a read, then come back and make an actual argument.

[1] https://news.ycombinator.com/newsguidelines.html


Yeah the majority of them aren't Wifi lightbulbs afaik it's mostly routers and other similar devices, so they really do have the power of a low-mid range smartphone.

Realistically though as long as it can send a request I think attackers would prefer lower power devices someone's computer may be able to send many more r/s but much harder to gain control of versus the $30 iot device.


This is ab irrelevant tangent on the mid level phone comment. We all know you don’t need any compute power at all to make “2-3 login attempts per hour” even on the slowest of IOT devices.


The problem with proof-of-work-for-login is:

Some of your attackers are going to run your proof-of-work algorithm on a 3090 Ti GPU and put loads of work into optimising their setup.

Some of your legitimate users are going to run it on a Raspberry Pi 1 with an ancient browser that only runs wasm through a javascript polyfill.

Tough to make up for a 1000x performance difference.


3090 Ti's are very hard to come by - an attacker will need to either have malware on gaming rigs (which are user-facing devices and so have higher odds of detection, especially if you're loading those GPUs), be paying for cloud compute (money out of their pockets), or own the GPU themselves (more money out of their pockets) - so that's a significant cost imposed on them - which is greatly amplified given the above figure of 25k login attempts per month per user per service.

Those legitimate users logging in on a Raspberry Pi 1 are going to be in the vast minority (probably about 0.001%, if not less, as evidenced by the relative marketshares of Windows vs Linux, and how rare Raspberry Pi's are for desktop use relative to normal x86 machines) of users of your service - it's OK for them to have 20s-30s logon times in exchange for (1) not requiring PII from users and (2) less credential stuffing.

Certainly, Raspberry Pi users are more rare than Internet Explorer users, which many developers simply refuse to support at all.

In particular, I am ok with having 30s logon times for services for my desktop computers (assuming that I only have to log on once every few months and not every few minutes like my brain-dead bank requires), so it's more than reasonable to expect those with an extremely niche and underpowered setup to have to wait that long for a very infrequent login process - again, for the sake of security and privacy.


Then give those users an option. It's not hard. Show a little progress bar for the PoW, and then offer the user other options including manually approving the new logon and using a yubikey or similar.


Mostly, there are so many IPs those attackers can use. When I look at the smtp/imap failed authentication attempt logs, the patterns are fairly obvious. Different IPs trying similar looking emails in a sequences. I think in most cases where banning the IP, even only for 24h, will do the trick (and /64 block for v6).

Also there is something to be said for generating the password yourself and sending it in clear to your users by email. The reality is that if the attacker has access to your client’s emails, it’s game over anyway because of password recovery. And this way you enforce that your clients will not reuse a password, and will have a strong non brute forceable password. And if you get hacked, at least you didn’t leak that precious password your users reused everywhere else. The only issue I can think of is that’s because smtp is the most neglected protocol of the internet, there is no way to ensure the email will be encrypted in transit.


Attacks coming from the same IP address are literally kids just running port scanners.

Blocking individual IP addresses has never been a valid mitigation against professional attackers. Attackers will just pivot to renting a different botnet from different geographies/ip ranges.

If your service has any level of scale, there can be double digit percentages of users who are sharing an IP address with a hacked device. Blocking attacker IP addresses will block users of your service.


Proof of work rewards those who own fast CPUs (or are using stolen CPU time). Those who are using an non-high end Android phone, a battery powered laptop, or an older PC are punished with a long loading times. Part of why Gmail takes so long to load is the anti-bot scripts.

Use rate limiting instead.


> Proof of work rewards those who own fast CPUs (or are using stolen CPU time).

Most technology rewards people who own fast CPUs or are using stolen CPU time, so this statement doesn't mean much.

What actually matters is "does this significantly negatively impact those with slower processors" (no) and "is it still effective at punishing attackers" (yes).

Impact: I'll set my Hashcash challenge so that it takes about 8 seconds on a 10-year-old middle-of-the-line Intel processor. There, login time is about doubled for people running that extremely old hardware, and that's the worst case - and this is entirely acceptable given that most people do not log in to their accounts very often - they do so once and then stay logged in for weeks or months.

Effectiveness: Even for attackers using stolen CPU time - Hashcash is still effective. If you have malware on a low-power device, that device is going to be far slower at login attempts. If you have a user-facing device, they're much more likely to notice their computer being slow, and do something that might lead to discovery. If you've stolen compute on some cloud, then the IT folks are more likely to notice, and so on.

Rate limiting is good, but is complementary to proof-of-work - if you have a large pool of IPs/devices to log in from, for instance, rate limiting isn't very effective.


> Anyone who thinks this is about advertising/collecting personal data is out of their minds.

Sorry, but that trust has been burned and I don't see a path to recovery. Support hardware tokens or get off my lawn.

https://www.eff.org/deeplinks/2019/10/twitter-uninentionally... https://techcrunch.com/2018/09/27/yes-facebook-is-using-your...


the average person don't have any idea what's a hardware token. google is not catering to HN readers, they're catering to your grandma, your parents, your little brother/sister, your tech illiterate neighbor.

They couldn't care less about the habits of a nerd on archlinux with ublock, noscript, firefork a vpn, hardware tokens and 2FA everywhere with recovery code split in 7 different location.


This is a straw-man. The problem is not that Google is designing their services to cater to the average tech-illiterate user, it's that they're preventing the tech-literate users from opting out of phone recovery and/or using something more sane, like what's been listed above.

That's clearly malice. Like, there's no good reason that Google would require you to hand over a phone number.


> That's clearly malice. Like, there's no good reason that Google would require you to hand over a phone number.

Let me give you a reasonable non-malicious reason:

Googler A: "We have this new attack. People are creating accounts from compromised IPs, and then creating app passwords to send huge amounts of gmail spam through SMTP directly, thus avoiding our browser-based spam mechanisms"

Googler B: "Can we ban them?"

A: "We can't ban them because we have no info on them, just sign-up IP, and the botnet has practically unlimited IPs"

B: "What about forcing them to have a phone number so we can do anti-spam on that, and perma-ban compromised phone numbers from making new accounts?"

A: "Good idea, that'll stop such a huge quantity of phishing emails and spam. That'll be good for the internet as a whole"

----

See, a non-malicious explanation.


Pretty sure they do support hardware tokens.


Only after you give them a phone number. In fact, they allow you to remove the phone number afterwards, so clearly they're happy with non-SMS 2FA being the only 2FA method on the account, as long as they first get the opportunity to stalk you beforehand.


Do they accept burner phone #s?


There's no universal definition of a burner phone number, but they do ban certain number ranges commonly associated with VoIP providers. Your best bet is to get a prepaid SIM as those typically draw from the main number pool of the carrier so scum like Google can't ban those without also banning a third of their target market.


> so scum like Google

You do know it isnt mandatory to be a customer.


+1..get a yubikey or similar device, problem solved.


> Every tech company is losing the war against credential stuffing. I have a friend working at a series B startup with <10k MAU, you wanna know how many login attempts there are each month? 25,000 login attempts. Per user. That's 250m login attempts each month using stolen credentials.

I ran into a similar situation (small, growing startup dealing with credential stuffing attacks). We have since implemented a few different solutions, but one of the most successful was rejecting reused passwords at signup using this service [0].

Some other effective solutions include captchas, emailing a verification code, etc. Aggressive rate limiting was not at all successful, as the botnets seem to have endless piles of residential ip addresses to send requests from.

[0] https://haveibeenpwned.com/Passwords


This. This reminds me of a couple of other hot threads on HN like Google not allowing you to log back in to old dormant accounts. It's abundantly clear to me that it's the same thing, same motivation.

The world desperately needs to move away from username + passwords. Google might seem really pushy right now, but it's simply a trailblazer. My prediction: in a few years every company that handles valuable personal information will behave like what Google is doing today.


at 25,000 login attempts per user if you're not doing common sense rate-limiting of attempts per username, and rate limiting per IP space origin (either discrete ipv4 /32 or attempts from within a whole ASN), you've got other problems.

the rate-limit and blockage time for attempts should increase ban time/lockout-timer on an exponential time scale the more that a single browser/useragent/browser fingerprint/IP makes incorrect attempts.

yes obviously there are people out there with fully automated systems who will try massive lists of commonly used plaintext passwords for authentication if you don't throttle/rate-limit it.


>yes obviously there are people out there with fully automated systems who will try massive lists of commonly used plaintext passwords for authentication if you don't throttle/rate-limit it.

and those people use single browser/single useragent/single browser fingerprint/single IP

the people competent enough to send millions of requests are usually also competent to send hard to detect requests

there are dozens of (free)tools/services offering those capabilities for LEGITIMATE purposes(like scraping)

there is an even bigger underworld market for paid tools for illegitimate purposes


if you're sending millions of requests you still have a finite number of proxies to use, it would be thousands to tens of thousands of requests per discrete /32 ipv4 proxy address, and not hard to detect as an abnormal volume of attempts per IP.

even if you see something like a single /32 address that is probably the public facing endpoint of a mobile phone carrier's cgnat and has MANY users behind it, trying different password attempts, you can still rate limit the number of attempts per unique username.

the actual amount of legit requests that a human who has forgot their password makes is 99.9% of the time under ten requests per account before they give up.


And that "finite number" is tens of millions, or even hundred of millions, spread across providers, spread across almost any location. From 4G proxy farms, to botnets of residential IPs, to grey area apps that rewards user for sharing their connection.

And ok, let's assume it came from the same block of ips(which rarely happens) what do you do when those IP blocks are from IDK, Verizon or AT&T in the middle of New York?You block half the city?

+if the attacker is trying it on all accounts, what are you gonna do? rate limit all accounts? and now anytime a user forgot his password he have to contact support because he can't even do it himself so your support is overwhelmed by 1000s of request every day?


> Anyone who thinks this is about advertising/collecting personal data is out of their minds.

For the end user it is absolutely about collecting additional personal data. My concerns as a user are not the concerns of Alphabet, the company, period.


> Anyone who thinks this is about advertising/collecting personal data is out of their minds.

Google is a public company, just look at their annual reports. Where do they make most revenue? Advertising.

Thus, everything they do is about promoting advertising. It would be naive to think otherwise.


And how do they avoid wasting money and therefore increase their profits? By putting in automated systems, that in this case are good enough for the majority of non tech savvy, non paranoid users.


Google is no saint, but there's absolutely no reason to ascribe ill intent to collecting phone numbers of 2FA setup. The reason is simple: Google has billions of users, and at any given time, a lot of them break their devices and lose access to 2FA credentials. Phone numbers, despite all their flaws, are still the most reliable long-term and mostly-immutable attributes which can service as a proxy for identity which can and does aid account recovery at scale. If you crack your phone screen, you can walk to a brick and mortar cell shop, present your ID and get a new phone that receives security codes without a second thought. If you're using Aegis and storing MFA seeds locally, you're on the hook for backups and no one wants that responsibility.

Think of it like using social security numbers to authenticate yourself to the bank. Yes, it's terrible, but it's kind of the only thing that works when done on a massive scale. Yes, you can do better at managing your 2FA credentials, but most users cannot - they struggle even having strong passwords. Phone numbers bridge that security-usability gap. To be clear, this isn't an endorsement of the system (I think the user should be allowed to choose), but rather trying to make sense from an engineering perspective.


This is an explanation for why Google might ask for phone numbers. This is not an explanation for why Google might require phone numbers.

The only valid reasons for the latter are (1) to collect your PII and/or (2) because they think that they know better than you and they're going to force you to do a thing because they think it's in your best interests - in other words, a tyrant ruling over a techno-feudalistic society.

If Google was really concerned only for the safety of their users, and not trying to obtain PII for their personal use, they would build an opt-out button, something that would allow users to print out a one-time-use password/encryption key, or register an alternate email address, in lieu of providing a phone number. They don't.

Your explanation doesn't hold water.


Why might Google require it?

It adds an external cost to creating an account. I imagine this is incredibly valuable in fighting spam across all of their services. No coincidence, the phone number requirement is the only reason I don't have several disposable twitter, Facebook, and Google accounts.


> a tyrant ruling over a techno-feudalistic society

It's an email app. There are many other options.


Google is, uh, not just email.

https://about.google/products/


The topic of the post was email. Even expanding to every other product, which ones are you forced to use? Just pick another one.

Calling this feudalism is a bit much.


Email was just an example. Topic is about account.


If I understood his post and overall point correctly, he doesn’t think that it’s that second possibility — that Google is a benevolent tyrant, essentially — but that that’s the only other explanation, which is bad.

(I agree that the language he used was a bit much, but I think he was using exaggeration as a legitimate literary device to make his point, not in an attempt to actually mischaracterize that scenario.)

He think it’s the first possibility — that Google is doing it for reasons other than the users’ best interests (i.e. “nefarious purposes”) — which is even worse.


There’s nothing that says they absolutely must do things at a scale that leads to ethical compromises. Oh, other than greed, that is.


Google asks for a phone number in this context even for accounts which are integrated with an external identity provider and for which Google does not need to (or rather: must not) provide a recovery option. Furthermore, in most countries, phone numbers (especially mobile phone numbers, as suggested by Google) are very susceptible to targeted attacks, so I hope that Google does not use them as a recovery option even for non-corporate accounts.

I think it's some sort of state machine glitch that this account feature only becomes available after adding a phone number. I couldn't come up with any other explanation. And I really hope that the static passwords stay indefinitely because the XOAUTH extension for IMAP is brittle, hostile to open-source software because of the API key requirement, and does not add security anyway. (I wouldn't mind manually rotating the passwords once per quarter, though.)


Then what happens when you change phone numbers and don't bother registering it with Google? There is a real risk of you becoming a non-person by linking things that shouldn't ever be linked.


> Phone numbers, despite all their flaws, are still the most reliable long-term

How so? The most realiable one is email, as it doesn't need to be tied to any third party so it can exist a lifetime.

I've had the same email since the mid 90s. I've had probably a dozen or more phone numbers in that timeframe. A handful of which are still tied to various company accounts even though I've long since haven't had any acces to those phone numbers.


I've had the same phone number since the mid 90s. I've had probably a dozen or more email addresses in that timeframe. A handful of which are still tied to various company accounts even though I've long since haven't had any acces to those email accounts.


I guess I'll just have to stop using google.

Welcome to the club. The fastest way to convince me *not* to use a product is to attach a "Google" label to it. Nothing Google has to offer justifies the drawbacks.

NOTE: I do use an Android phone --- but only after it has been thoroughly de-Googled --- starting from a stripped down, bare metal device that won't even power up.


> NOTE: I do use an Android phone --- but only after it has been thoroughly de-Googled --- starting from a stripped down, bare metal device that won't even power up.

You're going to have to explain to me. Particularly the "starting from a stripped down, bare metal device that won't even power up. Because this sounds excessive and a bit over the top.


It probably means something like, "buy a phone, unlock its bootloader, and wipe its data and system partition(s), after which you can flash a ROM of your choice onto the now mostly-blank machine". Depending on the device, you can probably even wipe the vendor partition. Any ways, the point is that in the middle there you have a device with no OS present (hence unable to boot) and probably no Google-ware, so if you flash a privacy-friendly ROM and don't re-add GApps it won't talk to Google.


Their device might have Google Smart Shellac on it, so this user chose to strip it off for the full De-Goog experience.


> Google Smart Shellac

No idea what this is and searching yields nail polish as the result.


Shellac is just a varnish/coating, so the implication is Google features are metaphorically painted on the phone hardware and software and you just need to scrape it off.


Unfortunately, what Google embeds into Android software is significantly more adverse than just "shellac".

A standard Android phone sends your IMEI and SIM card info to Google servers on boot up before you even have a chance to login.


My phone won't even connect to cellular data until I log on after boot.


What the UI shows you and what the phone OS actually does are not necessarily the same.


Citation for this?


https://www.scss.tcd.ie/doug.leith/apple_google.pdf


I was making a (funny) joke that they put magic google paint on the phone, in addition to their software in the phone.


I like how you had to specify that it was funny.


adb shell rm -rf


I bought Pixel phones for my wife and I because the price and ease of use to save my kids pictures was absolutely worth it.

I haven't found a service that functions as well as Google Photos. She takes pics and I take pics, and we have a shared account that backs it all up without any messing about. I have done precisely ZERO tech support for my wife since buying this service and phones and I will probably never leave.


My dad hates his pixel. His impressions are that they are taking away useful functionality and replacing it with Google assistant. He said he keeps trying to disable Google assistant but it turns on again the next morning.

I myself tried to power off the device. Holding the lock button actually didn't show a power off menu, it opened Google assistant. As far as I can tell the only way to turn off the phone was to say "Turn off" to the assistant.


I am not justifying the decision, the power off button in the notification shade between quick toggles and notifications.


If ever you get tired of Google - and for those who get tired of Apple or Amazon or whomever they have entrusted their digital photo archiving needs to...

Any of the personal cloud things - Nexcloud, Owncloud, Seafile, Syncthing and others - can be used to sync files - and with that photos and videos - from mobile devices to some server somewhere. This can be the server-under-the-stairs, your NAS at home, a wall-wart with a Raspberry Pi and a drive taped together, a VPS or a commercial entity offering these as SaaS. You can keep using your phones with or without Google, that is up to you. If you run the stuff yourself you'll need to install and configure the parts which make it work, if you use a commercial instance you just have to install the relevant app and tell it to sync your data. You can do this in parallel to using Google Photos, just to make sure you have a backup in case Google wants just that one extra piece of personal data to allow you to access your photos which makes you give up on them. Just one more piece... and one more please...


I have a system involving syncthing fork set up on my families phones and computers. I have to admit it was fiddly to set up but it has run very smoothly with no maintainence since then.


Why a fork? What's the fork do?


https://github.com/Catfriend1/syncthing-android/blob/main/RE...

When I set it all up, I think the fork had much better behaviour around folder permissions for non-root users, I'm not sure if that's true any more.


Have you thought about an Apple iCloud family accounts?


Mega.nz and OneDrive work well for me, albeit slightly less polished and (thankfully) a lot less opinionated than Google Photos.


How do you see eachothers photos though?


We're in a family plan and share all pics. My wife and I have total access to each others phones as well so it just made sense to share all pics to our "family plan".


Amazon Photos


I would not trust Amazon with tech related stuff lol


Used it before the pixel. It sucks and has this sheen of cobbled together and just good enough to launch but not a great experience.


HN needs a bot that posts an inb4 comment every time there's a post about Google or a Google product.

These predictable responses don't add any value whatsoever, and they're tiring to read.


You don't think your comment constantly gets posted as a reply?


Downvote and move on - adding a low-value comment of your own worsens the problem in some ways.


The predictable responses, to the predictable responses add even less value than the original comment did.

I wish HN would auto-remove these BS comments about BS comments. They're so tiring and boring...


Pot meet kettle....


Once you're in the pit of bad comments, you might as well try to discourage the original problem.


Good thing I switched to running my own mailserver in 2013. Now I'm completely independent of google and google accounts. If my @gmail.com email stops working with Thunderbird or other imap clients then that's that. I'm done using gmail.

Google hates open protocols. Don't let their claims of OAuth being open fool you. They don't use OAuth, they use OAuth 2 which is the mega-corp version shoved down the IETF's throat where every single corporate implementation is different and not-interchangable. You need a different OAuth2 plugin for every mega-corp.


I have a small free VPS and free domain name (whatever.duckdns.org). Do you think I can make a mail server that works, that could send emails that won't end up in spam folder of other people, and that I could use to create accounts?

I have thoughts of running my own mail server, but a lot of sites just won't let you create an account if you don't provide «trusted» email, and by «trusted» most of the time they mean gmail.


Well, the best time to start is now... but without a domain name I don't think you'll have much luck. If you want to learn how to set up and run a mail server I cannot recommend https://workaround.org/ispmail enough. These tutorials cover all the background and high-level concepts for why you're doing things in addition to the details needed to implement a proper mailserver.


Thanks for the link, latest version has some mistakes but in general it's good.

I got myself a domain and trying to set up my mail server, but my VPS hosting is blocking outbound port 25. So I can receive emails, but can't send anything. ispmail guide has no workarounds for that…


small fee VPS are likely to be in IP space that has a 'bad' reputation from other people who have historically done dumb things in the same /24 or /22, etc, even if it looks clean from RBL checking tools, you have no idea what its reputation is for actual delivery to google and office365.


Nothing you do excepting buying your email service from the same-self megacorps will protect you from the megacorps whim and mistakes (and even then not all the time). As you and others have mentioned, even relatively large companies get blocked.

We have to be the changes we want to see in the world. Maybe don't use the domain/mailserver for life or death services the first few years and just see how it goes.


Linode managed to get blacklisted by Microsoft for weeks. I don't think you should expect a single mailserver to be able to survive in the current email climate.

While email may be open it was designed in a pre-spam era and we've been fighting the oversights ever since.


I too was hit by this a few months ago, after having to create a Google account for work, and worked around it by running an android emulator where I installed their authenticator app. This was enough to get past the stupid "you have to have a phone" requirement, and gave me access to the TOTP secret, which I then promptly added to my favourite open source 2FA utility.

Screw you, Google, you're not getting my phone number.


What's your favorite open source 2FA utility?


https://www.nongnu.org/oath-toolkit/oathtool.1.html with some very light shell wrapper around it.


I might do this (install an emulator and use auth app there) if I can successfully login from it, I just need a lot of time to do that (internet here is really slow).

I asked one of my friends with faster internet to do that for me but google blocked an attempt to login with correct username and password.


You can just scan the QR code instead... The TOTP secret is contained in there, and can be copied into just about any password manager.


Please read the original post - the QR code (nor the TOTP secret in any other format) is simply not available until you enable either SMS authentication or the authentication app.

Afterwards, yes, you have the TOTP secret available for use in any tool you want - but I am repeating myself.


Google never offered a QR code like 99% of other MFAs.


Which android emulator do you use ?


I looked around for a least invasive solution, and went with https://www.android-x86.org/ in a small virtual machine.


From your perspective, you're looking at a change that impacted you.

From google's perspective, they're looking at a change which reduces phishing and scams by some small percent, and impacts a minuscule fraction of their users.

Abuse, scams, phishing, and forgotten passwords are all significant problems which phone numbers help with. I'd be willing to bet these changes end up having an on net positive impact for google's users.

How many phishers do you think will be stopped by removing an insecure login flow? How many people do you think want to use insecure apps, but don't have a phone number and refuse to login to their google account on their phone?


> How many phishers do you think will be stopped by removing an insecure login flow? How many people do you think want to use insecure apps, but don't have a phone number and refuse to login to their google account on their phone?

I actually don't know. Do you have any numbers?


Phone number is ultimate crossplatform and cross account identifier, only minority uses burner numbers for this. So I doubt that the phishing is the main driving motivation here, instead it is using phone numbers for easier tracking.


Phone numbers are also the primary thing people keep in contact lists and are very reliable to infer social graphs by stealing people's contacts and connecting the dots server-side.


The Fair Email FAQ [1] states that it supports Google's OAuth, so why don't you authenticate with that?

"OAuth for Gmail is supported via the quick setup wizard. The Android account manager will be used to fetch and refresh OAuth tokens for selected on-device accounts. OAuth for non on-device accounts is not supported because Google requires a yearly security audit ($15,000 to $75,000) for this. You can read more about this here [2]."

1. https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-co... 2. https://www.theregister.com/2019/02/11/google_gmail_develope...

So it maybe works, or maybe not, because they're not paying Google for the security audit.


Because I'm using a fork that is not signed by Google and it can't use OAuth, unfortunately.


So, at what point will there be a legitimate third option other than Google android phones (and associated ecosystem) and Apple iphones (and associatyed ecosystem)??? And, no, i don't mean rooting a phone, etc. to install Lineage or other alternative operating systems on it. I mean, i want to go out, buy a phone that is decent enough for the basics of what i need to do and is de-googled...not too crazy expensive like an iphone, and comes with legitimate support from a manufacturer. Its exhausting!


Here you go: https://puri.sm/products/librem-5 and https://pine64.org/pinephone.


Thanks! I am aware of both, but thought that they were still more for developers, and not ready for prime-time as daily drivers.


It depends on what "daily driver" means for you. Some people do use them as daily drivers, but many things don't work well yet.


Fair point. I define daily driver as having a device that does not crash for light duty operation, allows for sending/receiving of phone calls, text/sms mesaaging, using a small number of heavy apps like Element (for matrix), email client, light web browsing, light use of maps, taking photos, listening to (mostly offline but a tiny bit of online) music.


http://janvlug.org/blog/one-week-librem-5-field-trial-day-1/


nokia 3220


With any new employer be sure to show up with just a featurephone so you can shoot down any brain dead attempt to force you to link your personal property to corporate authentication.


This is a great idea! :-)


I guess i did walk into that one! :-)


the thing about 'adding a phone number' is that hijacking somebody's DID is fairly trivial these days for a good social engineer, you get the customer service department at somebody's cellular carrier to port out the number, or activate it on a new SIM card put into a burner.

the SS7/PSTN is horribly broken.

SMS based "2FA" is not actual 2FA


I think "trivial" is generous. For context, the current market rates for a SIM swap ranges from several thousand USD (T-Mobile) to well over fifty thousand USD (Verizon). It is not really something most people should lose sleep over, in my opinion.


I classify it as trivial compared to the effort in breaking some real 2FA or otherwise hijacking the start of authority for somebody's online identity/ability to reset their passwords and gain access to an account, like getting possession of a personal domain name to change the authoritative nameservers, set a new MX and receive incoming password-reset emails.

Working in the telecom industry I've seen the pressures that first tier phone service reps are under and how they can be socially engineered, if someone is in possession of enough pieces of a person's identity already, to issue a new SIM or port out a number.


That seems absurdly high for a SIM Swap. Source?


Source: Darknet Diaries, EP 112: Dirty Coms


The only solution I can see is buying a burner phone to avoid these situations. Yesterday tried to set up a new to me used iPhone 7 for my son. It too forces a phone number from you. I had to link my phone number to his phone which I didn’t really want to do.


Can you ever “burn” the number though? I’d be scared they will require you to receive a SMS token on it later, when they feel like it.


The problem with using a burner phone is that you could be assigned a phone number that has been blacklisted due to its abuse by a previous owner. Then Google terminates your account as soon as you use the banned number.


To be fair, this is a risk even with a "legitimate" number. How do you know whether the previous owner did anything nefarious with it before it was recycled and assigned to you?

Of course, the real solution is to remove the leverage Google has on you so that a ban is no longer a problem.


Can you recommend me any real working website where I could buy cheap one time virtual number that could be used to enable 2FA for my account?

And I hope they will never ever again ask me to confirm anything using that number.


I have used voip.ms for years. The basic plan costs approx 1 usd/m with no contracts, etc. and any messages received can be forwarded to and responded from email.


Nice try but this won't work with a lot of security providers.

Lookup APIs are available to identify line type and most will specifically reject voip numbers. The more obstinate providers I have encountered (some banks for example) will actually have a real human place a call to any number provided at sign up and reject it if they can't verbally talk to you.


It supports voice as well at this price - I use it with Linphone to receive and place calls plus I was also able to setup a forward rule where any calls to voip.ms numbers will be forwarded to my cellphone. Edit: you are right though that plenty of providers reject it as being a voip number.


Ah... I sense a very lucrative, low-ethics business model in providing "cheap one-time virtual [phone] numbers" to be used for security-sensitive purposes.


Unfortunately, others have already beat you to it.

For example, https://cheapglobalsms.com/

I went a slightly different route --- an old spare phone with Ultra Mobile PayGo prepaid SIM. For $3 per month you get 100 minutes of voice, 100 texts and 100 MB data per month.

The reason for this is that some security providers throw a little kink in the works by actually making a call to verify your number on sign-up.


> The only solution I can see is buying a burner phone to avoid these situation

Or, you know, stop fucking using google.


A "2FA Mule" is a special kind of burner phone that forwards the authentication to the endpoint of your choice - in my case, email:

https://news.ycombinator.com/item?id=29710908


How much do you pay monthly to keep the extra number? Is it worth that?


Depends on where you live. In my neck of the woods, burner phones are illegal. It's (nominally) impossible to get a phone number without getting ID verification. This applies to physical sims, but also to online services à la Twilio.


Providing ID verification to the carrier/government is one thing, providing it to Google is another. I'm personally much more comfortable with the government or carrier knowing my number than Google.


Sure, but that wasn't my point. My point was that it's very difficult to use a burner phone to bypass Google's data-guzzling.


Wait, you didn't want to add a phone number to a phone?


Twilio? Google voice?


I have a tangential story on how providing a phone number isn’t going to help either.

I have an important Gmail account where I recently had to change the password (because the only password set several years ago didn’t work). Since it was important, I didn’t want to risk the account becoming inaccessible and hence provided my phone number as the recovery number. After changing the password through a browser, the iOS Mail app complained that the password for this account is invalid and that I should enter it. So I go there and flow through the Google login pages (since this is setup as a Google account), and then it repeatedly tells me that it’s incorrect and that I should recover my account. Visiting the recover account page tells me that it cannot help me at this moment!

I’m furious at how stupid Gmail (and the people in Google writing this application) can be. I haven’t accessed that account over the last few days and am hoping I can get back in after the Google bots have cooled down. I have no idea what I can do if that account becomes permanently inaccessible because some “machine learning” algorithm messed things up. :(

I’ve decided to close my Gmail accounts (these were old ones) if I can manage to download the data from those.


One of the Google cofounders read the book “Nudge” and loved it so hard they invented a process I call “Shove”. You’ll do what we want or we’ll push you into traffic.

This is a prime example of using dark patterns to achieve a short term goal at the cost of creating a world none of us want.

We must all remain vigilant of this trap both as creators and as users.

I applaud you for calling it out. I wish there was something more we could do about it.


Couldn't you just install the Google Profile on any android tablet or spare phone or something, set it up, switch to authenticator (on your normal phone) and then remove the accounts and whatnot from the tablet? Never use SMS at all?

The real head scratcher for me here though is that you are fine with Google hosting all of your emails and whatnot but knowing the phone number is a huge problem? If you do not trust Google with your phone number it seems like going with another email service would probably already be a good decision.....


Every new feature from Google is a middle finger to their users, then you get some corporate double speak about how it's all well and good and how it makes the product better.

Get a Fastmail account, I got one after I got tired of google breaking my IMAP settings every other week. They're cheap, they have most everything you'd need from an email provider, and they don't require a special app like proton.


I think if I'm gonna pay for using email, I'll just try to get any cheap VPS/domain and try to run my own email. It'll be more expensive for sure, but at least it will be my own thing I'm paying for.


Just depends whether or not the effort it takes to find a VPS company whose IPs aren't blocked by major email providers, and then ensuring that your emails continuously make it through to their destinations, is worth the cost savings.

I share your sentiment, but I opted for Fastmail because the effort wasn't worth the savings. YMMV, obviously.


The problem with running your own email is getting past the spam filters.

The big email providers have basically built a walled garden around email by blocking anyone outside the garden as spam. They have no incentive to open the system to people who run their own email.


Fastmail service with a custom domain includes 10GB storage and zero hassles.


I tried fastmail and then there was no search on the drive aspect. had to move back to google


Fastmail is great at email. If you want a G Suite experience, then you'll need...well, Google.


I'm able to search for filenames in fastmail files. I guess you refer to searching file contents?


You can mount the files via WebDAV then grep away or point an indexing tool at that as desired.


My biggest complaint is that companies like Google won't make clear policies and instead their messaging is just corposhit nonsense.


Just one thing keeping me on Google for email/calendars: Search. I recently switched back to the Gmail app away from Spark for this. Don't have any examples off the top of my head, but I routinely encountered situations where I'd search for something in Spark or the Apple Mail client and couldn't find it out without using Gmail desktop/app.


I'm not too keen on mandatory 2fa via phone. we need something simpler, like, dunno, some sort of chip on our hands or foreheads perhaps? /s

on a serious note, it's annoying how fundamentalists eventually keep getting shit right because of idiots in power fulfilling their prophecies (daniel sloss had a nice comedy skit on this)


That makes me wonder, how big does the gap have to be between a supposed prophecy and the supposed fulfilment of that prophecy before we can't call it "self-fulfilling" any more?

I suppose that on a time scale of thousands of years, a lot of analytical methods break down (and certainly it would be hard to start any new experiments which take that long to complete), but I think that epistemological bonus points should go to anyone whose interpretation of a prophecy guessed the correct ~50 year period for its fulfilment roughly 1800 years in advance.

https://en.wikipedia.org/wiki/Millennialism#cite_ref-18


Thank you for posting this. I have had a second email account setup at the company I work for, and hit this exact problem. I thought I was going mad! Especially because I had enabled 2FA with TOTP with an existing company account just a few months ago.


I think the fact you can't generate an app password without a 2FA is because it never made sense. You would be better off just logging into your account directly. Now that you can't do that it makes sense. I'd file that as a FR.

One point is that app passwords can be a security issue in itself. If you have one the security page on Google alerts you with a big flashy yellow exclamation point and recommend you you to remove it. I did it, broke my email and took a few days to connect the dots, recreate a new app password and setup email again.

I think the problem they have is that mail clients don't do oAuth. So you always have that security weak link if you need IMAP/pop access.


A lot of 2FA is security theater and doesn't provide any actual protection.

If your phone gets taken by the police (or stolen), with an authenticator app or sms they can get into your account easily but you're locked out.

A hardware key is the way to go but even then there's no guarantee the police wouldn't take that as well, and most people think having an app on their phone is enough.

And 'email alerts' are even worse, if someone has taken your computer and has complete access to your accounts, an email saying "is this you?" is just gonna make them laugh.


To be fair the threat model for most people isn't the police or any other physical attack - instead it's remote attacks such as phishing, malware, etc.


For some time now it has been necessary to first setup a phone number as the 2FA solution on a Google account. Only after doing that does it become possible to setup alternative 2FA solutions.

So every account I setup, I have to temporarily provide my phone number to enable 2FA, then setup authy, and then delete my phone number. Obviously Google now knows who the real user is, but I haven't been creating additional accounts to be secret. That doesn't excuse the system, but it's not more than a small hassle for me.


Does using 2FA for GMail login actually add more security? Especially considered that to enable it, first you have to use dubiously secure SMS 2FA.


It's still an additional authentication factor, so in most circumstances, yes it would benefit security. However, you can (and should) use U2F for 2FA, which involves hardware making cryptographic assertions that cannot be phished or man-in-the-middle'd. It's possible to remove SMS as an option after turning this on in Google settings, but unfortunately not so with many other providers.


Here is how I solved the same problem a couple of weeks ago. If you still have an active session in a browser, you can add a recovery e-mail address to you account security settings. After that I was able to add a Yubikey as a second factor without adding a phone number. This should also work if you want to use TOTP as a 2F instead of a Yubikey.


I might try this, thanks.

Yes, I do have session in my browser and I would use it as a second factor to manually approve every login to my account from my browser if I had option to do that, but Google doesn't allow that. You can only confirm logins from android or apple device.


It worked for me and I did not have to give Google my phone number to "unlock" the other 2FA options and subsequently app passwords. I used the Yubikey, but I think it should work if you only use TOTP.


I added reserve email and in 2FA setup dialog there's still no authenticator option, just Yubikey, notification on Adnroid, or SMS by phone number.


> TL:DR; You can't use «less secure» apps (apps other than official gmail app) to sync emails if you don't want to link your account to your phone number or add google account to your phone.

Not true in multiple ways.

"Less secure apps" are ones that don't support OAuth. There are plenty of third party email apps that are not considered "less secure apps". E.g Thunderbird or Outlook, or iOS Mail work perfectly fine, as many others.

You can use u2f keys as second factors and don't need to add your phone number as a second factor nor as a recovery phone, as my Google account.


If all you need is IMAP/SMTP you can use this local proxy to continue using the “less secure” app without needing app passwords: https://github.com/simonrob/email-oauth2-proxy


That looks like a really great option for me, thanks a lot for the link.


I was able to get around SMS 2FA by adding a virtual security key then turning on TOTP (https://developer.chrome.com/docs/devtools/webauthn/)


I also really hate the use of Telegram by ostensibly open source projects for this reason.


They call me about my car’s extended warranty every day whether google has my number or not.

I also get a call, every day, precisely at 9:04am, from random numbers matching the first 6 digits of my phone number.

Protecting my phone number is a dead effort on my end.


There's a difference between random spam and having a world-scale stalker knowing your number. The first doesn't have any other details on you, the latter already has plenty and wants the phone number to infer your social graph.


It can't be helped I think. The chain of trust must start somewhere.

What if someone secretly have your password and enable 2FA? The addition of the 2nd factor of auth is a big deal and the process should be as secure as possible.


Note that this is why gmail is unreliable in terms of opsec now. Recovery SMS or phone number implies out of control of users.

One day the CEO gets SIM swapped over night...until that day nothing will change.


I just gone through this process myself. You can add another 2FA method later and THEN delete your phone number. That's what I did.


I've given Google my phone number ages ago and I still can't use their smtp to send email from apple's mail.app...


Is this to protect them from being a vector for span? Making it costly to create new usable Google accounts


Google can have my phone number when they give me Sundar's.


I don't see a problem giving Google my phone number.


Shame HN is 80% tropes now from paranoid introverts who don't want to go back to the office and who could write Dropbox in half an hour


It's painfully obvious that a non trivial number of users here maintain little contact to ordinary people who make up 99% of the user base.


Whats painfully obvious is how people and profit and interchanged so seemlessly by the vultures who pray on the "ordinary people" and how desensitised we have become as a collective to the notion.

What HN shows is that a non-trivial amount of peoples entire life is focused on exploiting others inadequacies and this exploitation is portrayed as "normal" by those who profit and abormal by those who now see how invasive ad companies become.

Letting your child sit through an ad is akin to child abuse in my head. Like taking them to a church.


Most of the user base are "sheeple" who subscribe to whichever corporate marketing program has the largest budget. Google itself is a major player in this game.

  "You laugh because I'm different.
   I laugh because you're *normal."
*normal - Average, ordinary, unremarkable, the same


Using "sheeple" unironically says more about you than it does about them. There's nothing remarkable about being too socially stunted to be able to acknowledge groups beyond your own.


I fully acknowledged groups beyond my own --- and the fact that corporations acknowledge and abuse these groups vulnerability to social pressure.

After all, this is what advertising (i.e. Google) is all about --- coercing people to act a certain way and buy certain things in order to fit into a particular social stereotype.

Which is worse --- being socially stunted or socially vulnerable?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: