Gmail as a threat to data access: forced 2-factor login, random lock-outs
24 points by reactspa on Jan 4, 2022 | 14 comments
If you have a bunch of Gmail accounts (as I have), please be warned about a couple of troubling issues I've experienced recently, that may be coming your way.

--------------

Issue 1:

On my main account, Google recently forced me to accept 2-factor login via my Android phone. I did not volunteer to do this.

I now cannot log into my email without having my phone present.

I forgot my phone at home one day. I couldn't log into my Gmail in my office that day.

Fortunately I didn't have any important presentation or someone dropping into my office whom I had to show something in my Gmail, etc. Or I'd have been in a soup.

Let's say I'm traveling somewhere, and I lose my phone. And I have access to someone's PC. If I want to log in to use "Find my Android" to find my phone, I cannot do this without my phone. In what universe does this make sense? (Not to mention if I want to log in to check urgent messages, or to send urgent messages.) As useful as it is, the smartphone does not deserve such over-weighting.

--------------

Issue 2:

On some of my secondary Gmail accounts, on my primary device (a Windows PC), Gmail will randomly refuse to log me in (usually in an incognito Chrome window) even after correctly guessing my "recovery email address", AND using a code emailed to my "recovery email address", AND using a code texted to my phone.

After refusing to log me in, it will send a self-congratulatory email to my "recovery email address" letting me know that it just stopped a serious security threat by refusing to allow a suspicious log-in attempt.

The main reason for this behavior seems to be that "the device isn't recognized".

In this email they send to my "recovery email address" there's no way for me to indicate that this was a genuine attempt.

The oddest part of this saga is that there seems to be no way for me to train Gmail to recognize a new device. Because a device being "an unrecognized device" is grounds for not allowing me to log in.

Update: just want to clarify that my secondary Gmail accounts don't have 2FA (yet).

--------------

Is this the best that such a large software company can do? Is this a hint at the future when flawed AI will get to decide whether you can log in or not?

I hope this is an indicator of the beginning of the end for Google.



This is the reason I never gave Google my phone number, even when they were bugging me about it.

A while ago someone replied to one of my posts and said "Your phone number is not a secret". I know that. My issue is that if I give it to these big companies, they feel like they can do whatever they want with it. So as much as possible, I don't give it to them, at least not willingly.

You should try Fastmail. I switched and love it.


This happened to a family member who primarily used Gmail on their LG Sunrise candybar phone and never had 2FA enabled on the Google account.

After an iPhone upgrade and SIM swap, they couldn't log in to Gmail on an unrecognized device because the only option for verification was to “open the Gmail app on your LG sunrise”.

No 2FA enrollment ever took place, therefore no SMS fallback, recovery codes, or recovery email were offered as backup methods.

By sheer luck we found an old laptop where Gmail was used recently enough to recognize the browser.

At that point, only after removing the LG phone from “Account > My Devices” was it possible to enable 2FA and enroll a new iPhone as usual.

This “silent opt-in” (without 2FA) of the phone’s Android Gmail app as the only way to confirm unusual logins is likely limited to a subset of low-tech users / low-end devices who missed the Google account security checkup prompts.


2FA is OK, but:

1. You need to have several code generators that are initialized with the same secret. I actually have one on all of my computers, it's just a couple of Python lines. Well, a smart human attacker could probably find my generator on the computer reducing it to 1FA. But the risk of a smart human attacker spending hours to analyze the contents of my computer (using full disk encryption) is smaller than me forgetting, losing, breaking my phone.

2. Google does not allow you to set up 2FA without a phone. That's part of their "the customer is the product" thinking. It eliminates privacy and is a risk to your data when your phone number changes.


KeePassXC supports TOTP so you could have it on your desktop in an encrypted database.


I also ran into this. I created a Google account when traveling in the EU with no 2FA. The account was tied to an EU number I was using at the time (I believe Google wasn't letting me register a new account without a mobile number). I for sure NEVER turned on 2FA on the account.

When I came back to the US, I could not log into the account anymore. First of all, it would force me to receive a text or call with my EU number even though I never turned ON 2FA. Then, when trying to recover it further, I can answer all the questions correctly and then Google says "Google couldn’t verify this account belongs to you."

By now, the EU number has probably already been recycled and the contents of the account are completely inaccessible to anyone (even though I _know_ all of the credentials/recovery details).


This is hilarious. Someone was trying to take over your account and you're pissed at Google. Turning on MFA and attaching it to the threat actor's device is the first step in ransoming your account.

Get a clue and use MFA for everything. It's 2021 and you're on a tech site for crying out loud...


> This is hilarious

Glad to hear you find it funny.

> Someone was trying to take over your account

Nope. If you read the original post again, you'll find out that "I" was trying to log into it.

> use MFA for everything

I would love to use MFA for this particular secondary email account. If only Gmail would let me log into it so I could enable it.


2FA includes fallback methods, at a minimum a small set of one-time codes. There are paths out of the problem, at costs such as carrying the codes, or having somebody guard them for you (yes, obvious risks).

It is possible to train another device to be Google Authenticator, it's a QR exchange. So, selection of which second factor is material here: it can be the device you own, or it can be the TOTP. It's not either/or, it can be both, you pick which.

(not a googler btw. Just a happy 2FA adopter since S/Key)
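The "couple of Python lines" code generator mentioned a few comments up, and the QR exchange described here, both come down to the same thing: an otpauth:// URI carrying a base32 secret, from which any number of devices compute identical RFC 6238 codes. The following is an added example, not code posted by anyone in this thread or by Google; it assumes the Google Authenticator otpauth://totp/... URI layout and the HOTP/TOTP algorithms from RFC 4226 and RFC 6238. The sample URI is constructed from the RFCs' published test secret, not a real account.

```python
"""
Added example (not from the thread): a minimal TOTP generator/verifier that
reads the same otpauth:// URI a provisioning QR code carries, so that several
generators seeded from one secret produce identical codes.

Assumptions: RFC 4226 (HOTP) and RFC 6238 (TOTP); Google Authenticator's
otpauth://totp/<label>?secret=<base32>&issuer=... URI layout.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890"
# in base32, wrapped in the URI layout a provisioning QR code would carry.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth_uri(uri):
    """Extract the secret and parameters from an otpauth://totp/... URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    # Secrets as issued may be lowercase, spaced, or unpadded; normalise.
    b32 = params["secret"][0].replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, candidate, at_time=None, window=1,
                period=30, digits=6, algorithm="SHA1"):
    """Accept the current step and +/- `window` neighbouring steps so a
    generator whose clock drifts slightly is still accepted. Every step is
    evaluated with a constant-time comparison; no early return."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // period
    ok = False
    for step in range(-window, window + 1):
        c = counter + step
        if c < 0:          # steps before the epoch have no valid counter
            continue
        ok |= hmac.compare_digest(hotp(secret, c, digits, algorithm), candidate)
    return ok


def codes_from_two_generators(uri, at_time):
    """Model two separate devices provisioned from the same QR payload:
    each parses the URI independently and the codes must agree."""
    dev_a = parse_otpauth_uri(uri)
    dev_b = parse_otpauth_uri(uri)
    return (totp(dev_a["secret"], at_time, dev_a["period"], dev_a["digits"], dev_a["algorithm"]),
            totp(dev_b["secret"], at_time, dev_b["period"], dev_b["digits"], dev_b["algorithm"]))


if __name__ == "__main__":
    now = time.time()
    a, b = codes_from_two_generators(SAMPLE_URI, now)
    print("device A:", a, "device B:", b, "agree:", a == b)
    secret = parse_otpauth_uri(SAMPLE_URI)["secret"]
    print("verifies:", verify_totp(secret, a, now))
```

Whatever holds the parsed secret is the second factor, which is the trade-off the earlier comment makes explicit: a copy of the seed on a desktop is only as strong as the disk encryption or password database (KeePassXC, as suggested above) protecting it.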


I don't have 2FA for my secondary Gmail accounts. So Google doesn't offer a Google Authenticator app option to use QR exchange to recognize the new device.


I don't understand this sentence. The account you DO have 2FA on should offer more than one 2FA mechanism, and the printout of the backup security codes.

I also don't understand why you don't have 2FA on your secondary Gmail accounts, but that isn't material to the point: Any Google account which does have 2FA should (as I understand it) support multiple modalities of 2nd factor simultaneously so you don't get cut off simply by losing a phone, if you enable the alternates. I mentioned two, there is the third, the YubiKey-type option which I think is now in general release, but comes at a $cost.

Maybe I misunderstand something in the points you're raising. Maybe it's a nuance of the loss of the primary device and the use of backup recovery accounts, but the way I read it, the backup account recovery path is AFTER you explore alternate 2FA paths to account recovery.

I have my TOTP on two devices because I kept the QR code to bootstrap and also used the migration tool in Google Authenticator. I also have them in Bitwarden. And I have the security one-time codes printed out. At this point, loss of a single device in the two I have to authenticate with is an irritation. This kind of feels like a 3-2-1 story: three forms of authentication, two online, one offline.


> any google account which does have 2FA should (as I understand it)

Are you talking from experience (with Gmail) or just talking "best practices"?


From personal experience. I have two @gmail accounts and one hosted by Google, and all of them show me both device and TOTP enabled. AFAIK it came for free. Admittedly I turned 2FA on as soon as it was GA years ago and did not have it automatically applied, so maybe the backup codes and TOTP thing is different.


I've noticed 2FA being turned on on family accounts without them noticing. Very crappy indeed. And it was the only 2FA method ...


From my recent similar experience I concluded that it was a shadow 2FA enrollment of the Android device’s Gmail/Google app only, without prompting the user to choose backup and recovery methods like SMS — even though it was an Android phone.




