Google will soon enforce the use of two-step verification for Google accounts

Two-factor authentication, or, as Google calls it, two-step verification, is a popular security feature that adds another layer of security to the authentication process. Users who have configured two-factor authentication use a secondary authentication option, such as a code that is sent via SMS to a linked mobile device, or an authentication app, to sign in to their account.
Google customers may configure two-step verification to protect their accounts with that second security layer. Many of you have probably configured the feature already for your accounts.
Google announced this week that it will soon enforce the use of two-step verification for Google accounts. The company wants to enroll its customers automatically, provided that the account is configured properly.
“Today we ask people who have enrolled in two-step verification (2SV) to confirm it’s really them with a simple tap via a Google prompt on their phone whenever they sign in. Soon we’ll start automatically enrolling users in 2SV if their accounts are appropriately configured.”
Google's Security Checkup online tool allows users to check whether two-factor authentication can be enabled for the account and to find out which information is missing to enable the feature.
The following options are available when it comes to protecting Google accounts with two-step verification:
- Google Prompts: on Android, if signed in with the same Google Account; on iPhones, with Google's Smart Lock app, Gmail or the Google app, if signed in to the same account.
- Security keys: physical security keys, e.g. a Yubikey.
- Authenticator app: use of Google Authenticator or another authentication app that generates one-time security codes on demand.
- Text message or call: if a mobile phone number has been added to the account.
- Backup codes: created during setup.
Google does not mention specifically which of its customers it is going to push into using two-step verification. Any customer who has added a mobile phone number to the account, or is using the same Google account on an Android device or certain Google apps on iOS, could theoretically be targeted for enrollment.
Update: Google clarified that its customers will get an opt-out option.
Now You: do you use two-factor authentication?


I know that no one cares – least of all Google, but requiring a security code to access my own computer (for instance) is a real problem for me. I’m autistic, and not the high functioning kind. I find that most autistic folks are either tech geniuses or completely ignorant of all tech and the “so easy a child could do it” instructions are kind of how I feel about quantum physics – but not this. Honestly, every time they make a security change and explain it in neuro-typical, it usually only takes me 30-40 hours of trying to figure it out before I become suicidal. Thanks Google.
2FA has everything to do with data harvesting, if you want to steal someone’s emails you use MITM ATTACK, SESSION HIJACKING, MALWARE and other forms of cyber-security attacks that do not RELY ON PASSWORDS OR 2FA AUTH CODES. (And these are countless, and not new!)
Only fools think that 2fa authentication will make your email more secure.
I have a masters degree in cybersecurity and am still amazed at how many people still blindly just repeat what the media (or these google articles) are suggesting.
It’s just so odd because even before MFA, I rarely heard about attacks that relied on stealing the victim’s password ( what is this the 90s? ). Meanwhile some people just blindly trust the statistics that are published by Google (the same company that tries to push MFA) ?
The same old tricks for MFA from 8 years ago are still valid today: https://link.springer.com/chapter/10.1007/978-3-662-45472-5_24
Even the attacks used before MFA work just the same now, whether MFA is used or not it makes no difference for these attacks. It seems that Google (/certain big techs) has made some people develop a FALSE SENSE OF SECURITY.
Why do you think people stopped doing cryptanalysis and started focusing on malware, it didn’t just have to do with difficulty but also with the fact that reading someone’s emails without them knowing it seems to be much more beneficial. (Reminds me of these pointless “logged in from an unknown device” emails.)
There HAVE BEEN COUNTLESS data breaches that EASILYYYYY bypass 2FA (almost EXACT SAME way you would when using ONLY A PASSWORD)
https://www.techrepublic.com/article/why-2-factor-authentication-isnt-foolproof/
https://techcrunch.com/2022/01/20/2fa-compromise-led-to-34m-crypto-com-hack/?guccounter=1
HAVE PEOPLE BEEN LIVING WITH THEIR EYES SHUT THE PAST 30 YEARS? PASSWORDS WERE NEEEVEERRR THE ISSUE. SAME OLD TRICKS DIFFERENT DAY.
Why not give people a choice instead of trying to make the decision for them?
2FA has nothing to do with data harvesting other than to PREVENT malicious third-parties from doing it by stealing your identity.
I have 2FA with Google. I use a Solokey. You don’t HAVE to give Google your phone number, dingbats. The funniest thing is you don’t even HAVE to use Gmail. There are so many email providers. Quit crying about better security. I found out the hard way that a password-only solution is vulnerable: I lost my backup Google account that didn’t have 2FA.
Anyway, if Google wanted more information about you, having your phone number is negligible. Your phone number doesn’t divulge much except where you got your phone… if even that. There are far better ways of tailoring ads to you than knowing a 10-digit friend code you give out to friends, family, coworkers, potential clients, potential employers, potential dates, etc.
Let me say it again: YOU DON’T NEED A PHONE FOR 2FA!!!
read the comments google then do the right thing and disband your company. you are evil and you will be destroyed, better off to end your self.
I don’t even HAVE a phone since I can do literally EVERYTHING through my PC as is, even phone calls (through Google calls, Skype calls or one of the other million of options, on top of my normal landline at home), companies need to stop forcing this shit, it’s bad enough other things like Steam punish you for not using 2fa (Steam makes you wait 2 weeks to sell/trade stuff for example), now Google is joining the bandwagon? I have VERY strong passwords (30+ characters for most sites/services), I’m very careful with them, only accessing through my desktop computer at home and never from public places (or if on laptop I never leave it unattended in public) and have worked as security expert for years in companies like AVG and whatnot so I can say I’m preeeety sure I can protect myself from phishing attempts, but now I literally am forced to buy a phone, however cheap it might end up being, just to access my fucking email I’ve had since 2007 that was never “hacked” even during the two dataleaks all those years ago?
Fuck Google calls it two-step verification .not many people to know set 2step code fuck bitch google scammer bicth
As of November 2021 Google is making this mandatory if you want to log into your YouTube channel. It’s like they’re saying to me “hey Chris, we see you’ve spent 6 years building up a nice YouTube channel, now you’re gonna have to give us your phone number so we can track your movements on an hourly basis if you ever want to log in again”. This in addition to already being forced to hand over my tax information due to some stupid US laws even though I’m not living in the US.
Apparently the reason for the 2FA is ‘to keep my account secure’ and ‘keep the bad guys out’. Apart from the insulting attitude and treating me like a toddler, what does this say about security of my account so far? Has it not been secure and keeping the ‘bad guys’ out all this time already??
Two step security is a process that frequently (most of the time) does not work and I find it impossible to use in a simple thing like activating a new phone. Asks for SC which I supply from my home pc (logged into my account) and then the code is rejected (multiple times). If only there was an alternative.
2FA has problems too. Google forgot about that. I agree, they just want more info on users. I’m in the process of switching all my emails over to Vivaldi webmail and proton now. I’ve used non-google browsers for years. I now have little use of Goggle other than YT. Now there are options on the way for that. Big companies always shoot themselves in the foot sooner or later. Just stick to what works. Sometimes smaller companies aren’t bad.
Really they just want everyone’s most up to date mobile number to remove anonymity and gather all information about you.
61 I use banking and other security intense computing. Two factor is being used to offset the general lack of intelligence of the modern human.
The inability to keep and secure passwords.
What I detest is getting the mandated code on the device I use to confirm the code, utter ignorance
no shit. it’s also about the imminent digital / vaccines passports – they want to starve those that don’t get their booster shot every six months, or whenever they get a government message telling them to do so.
That’s Sucks BigTime, I just Got A New Motorola® Cellular Phone, It’s Won’t Let Me into My G•Mail Address. It’s Too Hard Enough As is!!!!!!! I’ve Been Trying For, What SEEMS Like A Few Days Now. By The Way, I WasTold That I Could Pick Any Available Number I Wanted. So I Want, 760 623 7752. Please Help Me.
Reading some comments here made me roll my eyes. I will be adopting Harmony OS once it crosses over to laptops/PCs (the phone version launching this June). Screw Google/Apple. China can has all my private info. Won’t b able to do jack to me coz I live in North America!!
I relented and bowed to the great G in the sky. Reason? I wanted to buy an iPhone and be done with Google, but guess what? Apple doesn’t have a user manual you can download prior to purchasing the phone. That’s a big No-No for me.
I like to acquaint myself with a product before putting my hard earned cash on the table and the user manual which practically every major manufacturer makes available online is the best way of doing that I find. But it is not to be in this particular case.
By the way Martin, the link to Companies —> Apple on your site doesn’t work. The message which appears is “The page isn’t redirecting properly”. I tried it in Firefox as well as Waterfox but the same message appears on both.
@ Martin,
I just used the link you provided to login to Google, but didn’t see any option to opt out of 2FA so I guess they’ve changed their minds.
The only addition was a prompt to add my phone number which I declined and then I removed my phone from the “signed in devices” and subsequently signed out of all accounts.
However, I’ll probably have to review that decision since the chat app I use (LINE) is only available via the Play Store I regret to say.
I rarely use my “Google” account so this change doesn’t mean much to me, but I NEVER use 2FA for anything. Security risks have always existed and will do so even with 2FA.
There are two reasons why I don’t want to use 2FA:
1. laziness – I don’t want to set this up and I don’t want to use other devices or services for something that I could always do with just a password. And no, I don’t want to use some paid or “”free”” service, tool or whatnot to “”securely”” save my passwords and connect stuff for me. Just let me login normally with my password. If I (or them) get hacked and my password or whatever is stolen so be it. After my Xbox account got compromised once just for going online and linking PayPal I default to thinking it doesn’t matter what you do and hacks will always happen.
2. account linking – I hate this and want to do it as little as possible. Every darn site or app wants to link/merge accounts and most of the time at the center of it all is the precious Google account/mail. One gets hacked, all get hacked. You lose your gmail account for some arbitrary reason you’re f***ed. No thanks!
(3. I’m a proud dumbphone user so no fancy apps for me and I’m not giving out my PRIVATE phone number to a scummy company like Google)
I’m really tired of all the coddling nowadays to make things simpler and “safer” by removing options/customization while forcing dumb crap on me so they get more data on their “customer.”
Big F U to the big Gman
Sorry I’m kind of late for the conversation but I just want to add two things:
1) 2FA won’t help anything, if they are really after you. Moreover, if you go the SMS route you will lose your line too via a sim-swap. In other words, phones are not for 2FA, security keys are.
2) Why do companies blame it on passwords instead of people? The problem is people picking stupid passwords. If you pick a long random one with numbers mix capped letters and even a few symbols, guessing that is laughable. Most brute force attacks go for dictionary-based and already-known passwords (like 1234).
Wow!
Where did the trolls and socks come from?
Ex E Lawn Fanpersons?
Hah!
They have always been here. They just stopped taking their meds.
Two-Factor is NOT secure, in fact it is the complete opposite. For example install/setup new Windows 10, use a “Mobile” number to use/make account, you have now logged into emails and accounts of who ever had used that mobile number on windows before.. (Numbers are NOT unique to you or anyone, they have been owned and used numerous times.) And you will not have said mobile number forever. Now you and others are sending each other mobile login verifications..
“you have now logged into emails and accounts of who ever had used that mobile number on windows before”
Nope, I call B.S. on this. If it was so simple to gain access to others’ mails and accounts don’t you think there would’ve been a huge hue and cry over this? In short, provide proof or stop talking nonsense.
As correctly stated above, alternatives are needed:
I just want to remind you that tutanota.com does not require a mobile phone, is located in Europe (Germany – where privacy laws are stricter than in the U.S.) and has built-in encryption (between service accounts).
–
And also a reminder that technically “two-factor authentication” from Google is a lie:
“Factor” must meet at least one of the characteristics:
-Knowledge (e.g., password)
-Possession (e.g. a key)
-Inherent (e.g. fingerprint)
However, Google deceives users by saying that “cell phone ownership” is a factor of Possession, because in fact, in this scheme of theirs, the factor is not the phone itself, but the SMS to that phone number (in fact, the phone number itself). But this “factor” is completely controlled by your mobile operator, not by you. It is they who own your number, who can block it and, over time, pass it on to someone else. You do not own your mobile number, so you do not really have this “second factor”.
@ Lemegeton,
I’ve registered my tutanota a/c as my 2FA and in the past it’s worked without question when logging in to my Youtube a/c.
But things have changed since then and when I tried to login this morning I was presented with the message that Google couldn’t verify that it was me and wanted verification via a 2FA code sent to my phone. I tried the option “Try another way”, but it kept returning to the phone method. I didn’t login and now I’m being plagued by SMS to my number stating “Somebody has your password”.
So the choice now is either never login to yt again, or relent and admit defeat (which is not in my nature).
I should add here that I never gave Google my phone number and it’s not registered in my Google account. So how did they get hold of it you may well ask.
Well, I use an app called LINE for chats and they have a large collection of animated stickers which users can purchase. I didn’t want to use my credit card or use Google for payment and opted to use a service my ISP offers by having online purchases charged to my account with them. I thought I was being clever at the time by avoiding Google Pay, but to my horror that’s exactly the route payment took. So now Google has my phone number. :(
A very good point indeed. Next to impossible to convince the lemmings though.
With all due respect to other folks here and yes I hate Google too because years ago I had to create an account for my smartphone to download apps. But forcing 2FA in long term is good for users. I use Aegis Authenticator(F-Droid) and the key is stored in my password manager, so no chances of me getting locked out of my account. And I do the same for my Firefox account and several other services which offer 2FA option. As several users pointed out phone numbers are not ideal for anything besides making calls. Twitter’s CEO case is well known as hackers hacked his account by SIM flaw, so better stay away from OTP based 2FA authentication, unfortunately the method used by most banks.
However I do hate Google Prompts and even the most Google loyalists can’t defend that option as Google account required it sometimes even though I used Authenticator codes in the past. And it would be the default option no matter what.
This is absolute fucking bullshit, ‘do no evil’ is most definitely removed. Watch https://www.thesocialdilemma.com/ to understand why they want to bind your phone with your google account. All your life are belong to us
And yet you can see people defending such bullshit here and elsewhere. The ones standing to profit of course I can understand, but the remaining sheep? Pathetic.
I am confused by this. We (wife and I) do not have 2FA set up at all anywhere and we do not do any online banking.
We have a home landline but often we are away from home – so we cannot use the landline phone number for 2FA. We do not share a common email account.
We each have a cell phone and of course the 2 cell phones have different phone numbers.
Say we are away from home with our cell phones – but not together – but we share the same Google account, if I set 2FA to send the msg to my cell phone number, my wife’s phone would never get the messages from Google – so my wife could not login. Is there a way to address this problem?
They collect (steal) massive amounts of data, yet what they do not have is a verification of people’s identity unless they are allowed to get their hands on such data for example from a telecom company which verified the identity to get a mobile phone number contract.
Right on target, but someone explain it to poor ol’ “Google Defender” Jim in the comments here. Don’t know how long ago he retired from his bank job, but there seems to be a major disconnect when it comes to understanding to what lengths Google will (and does) go to gather and exploit data on people. Can’t be a bigger boon to the company really than to have such enthusiastic users like him. Wonder if he’s equally gung-ho about FB as well?
Update: “According to Risher, Google will start ‘automatically enrolling users in 2SV [what Google calls 2FA] if their accounts are appropriately configured.’ However, Google said that users would be given an opportunity to opt out, too.”
“Correction: This story has been updated to note that Google’s Risher clarified Google’s position by noting that users would be given the option to opt out of the two-factor authentication.”
from PCW:
https://itsssl.com/9QNEG+
Nothing worse than articles that aren’t updated to reflect the latest news other than news that comes out long after its news:
https://itsssl.com/VDSJZ+
Can anyone help me to recover my gmail account? 2FA was on and I have forgotten the password of both the primary account and recovery gmail account. I am not able to reset my password because google asks for verification code sent to the recovery mail after putting the verification code sent on my registered mobile. Kindly help me otherwise I will have to lose all my digital life.
It’s Djibouti and there are plenty of Nigerian Princes eager to help you and give you lots of money, too!
Nobody’s gonna help you hack your ex’s or boss’ account, dude. ;)
Google is so annoying. Taking away user choice is such an evil thing to do.
If person A wants 2FA, let them use it.
If person B doesn’t want 2FA, don’t force it on them.
Forcing all the sheep into the same corral is just a manipulative and controlling thing to do.
No one asked for this. It’s Google exerting unwanted force and control over its users.
It’s also going to backfire on Google in such a big way. People are going to get locked out of their accounts and get pissed off at Google. Just watch as the needless & stressful drama unfolds.
I have a Gmail account that I use for unimportant correspondence. It’s apparently time to find a new email provider. There is nothing private in that account, and I don’t want to waste my time with 2FA every time I want to check my email. It’s going to be a PITA to move all the emails from that Gmail account to a new provider. Screw Google.
Then we need several alternatives! Suggest some really accurate, and very good search engines that don’t spy like google ?! But, giving examples, do it with the exact link!
DuckDuckGo. Don’t be lazy, figure out the link if you’re really interested.
How about people (like myself)
who are HEARING IMPAIRED
or even DEAF.
We don’t own or use cell phones…
makes sense?.
Many companies don’t think
about all the different types of Users / Clients…
Many have no cell phones.
Google!
Are you listening???
(no pun intended…).
@ joe
Once more from the article above:
Security keys !
Authenticator app !
Backup codes !
ALL WITHOUT PHONE !!!
Joe !
Are you reading ???
(At least now …).
Domain provider, credit card companies, health insurance, online tax, organ donor card, bitcoin exchange, banks and ISPs – they all “forced” me to use 2FA.
But, of course, if Google does the same, the haters start typing (see comments above).
As predictable as boring …
PS
Email, call and text message can be used with multiple addresses / numbers, and all options can be set up in parallel.
No other login in the world offers this variety !
My ISP does not support it AFAIK. My bank and my other bank (and thus my CC) does not AFAIK. Organ donor card? That’s a signature… no online interface.
Not done online: Taxes, health care (except consults with the doc and results, but no billing and what I have does not support 2FA). Don’t do bitcoin because of their own security issues and massive heists.
I’ll call out Google and any other company that enforces this. Moreso on short notice and moreso when it impacts less capable demographics (poor families who have a PC but no phone and can’t afford one, the elderly who have trouble with lock screens and anything else, kids without a cell phone, people who need email access by wired internet because they cannot have phones at work on or present, stolen phone/broken phone/misplaced phone/no power in phone, etc.). It also doesn’t account for locations where one might live, work, etc. where coverage is terrible or non-existent so you can’t pull out your phone. And if you have proper browser setup, EVERY new session is a new login effectively (as the browser clears everything on exit and if run in a VM, the VM resets).
7 days is BS. Forced OPT IN is BS. Google … well, you can see the pattern here.
What is your vested interest in pushing this, Jim? Pray tell us, are you a loyal Google employee and is all this part of your attempt to prove said loyalty to your masters to achieve further advancement up the corporate ladder?
@ Anonymous
RE: “What is your vested interest in pushing this”
2FA is always intended to secure user’s data.
Banks fight an additional threat:
Tracking John Smith for money laundering he could claim plausible deniability if his account was accessible using only the password (“qwer1234” notabene).
To avoid that scenario all banks are subject to respective regulations (even banks in Nigeria probably).
Latest development in the EU:
Each single credit card transaction has to be 2FA secured !
So it looks like somebody is (again) using BS to support baseless claims against their imagined enemy …
Riiiight, and I suppose the Fact with a capital F that scaring or forcing people to share their mobile nos. with intrusive spy Google also neatly serves to further their tracking agenda in the mobile/financial domains (they also keep trying to shove GPay down users’ throats here) had absolutely NO bearing at all on this decision? You can cry “conspiracy theory!” all you wish (FB fanboys flung this too back in the day at those who criticized it, not so much now), but if you honestly think Google’s doing this (or literally anything) for altruistic reasons and because it truly cares for its users, you seriously need help.
@ Anonymous
“Us” ?
One Google hater plus who ?
“Google employee”
Read the comment you reply to !!!
Bank employee.
(Former bank employee to be exact, retired now.)
Apparently you are mistaken. I use two banks, one is a credit union. Neither uses 2FA unless I choose to set it up.
@ Anonymous
Both banks outside EU and US, right ?
And just out of curiosity (having worked for an European bank’s IT for 30+ years): Can you please tell the names of the two, THANKS.
Not a single one of those that you mentioned forced 2FA on any of my accounts.
I won’t use Google regardless, because of Google’s spying and connections to the CIA.
@ Anonymous
PS
Please don’t tell me you are able to declare your taxes online w/o 2FA or I have to assume you are living in Nigeria ;->
Does this mean that you transfer money from / to your bank by carrying cash from / to their next branch ?
Because (at least in the western hemisphere) no bank offers online banking w/o 2FA.
I’ve already setup proton, just need to commit and make the permanent move. I’m tired of ‘Big Brother’ and its constant spying.
Why else did you link your phone to your account?
Who said all of us did?
I use Authy. And I despise SMS as a 2FA because it incentivizes black hats to attack the phone system. Argh!
Not that they don’t have the same motivation even without 2FA, to be fair. Authy at least (in a limited way) lets you save your 2FA tokens which is more than Google Authenticator does. You can have installs of Authy on multiple devices to ensure your tokens are replicated, but you can then turn off that feature for security. Enrolling 2 or 3 devices gives you access to 2FA tokens if one of the devices has issues (missing, broke, malfunctioning, hijacked, stolen, etc). And the Authy app is itself protected so if someone gets your phone (hijack or stolen), you have more protection even in that case.
NOTE: GET THE INSTRUCTIONS FOR MULTIPLE DEVICE SETUP AND FOLLOW CAREFULLY. I see people that have ended up with odd outcomes (possibly 2 accounts) if they weren’t exacting in following the workflow for multiple device setup.
I don’t have, have never had and will never have a damn mobile phone.
Everywhere you look is full of “phone junkies” allowing themselves to be chained to a contraption every day….feeling “obliged” to answer the contraption when it rings/bleeps/buzzes. Afraid to “miss out” on some funny/useless/unimportant piece of information/meme/photo etc.
And while they become phone zombies life in the real world passes them by.
Rant over…I feel better now!! lol
I still do have a mobile phone, but it simply does what its name suggests since it’s not the so-called ‘smart’ variety (bonus – battery lasts for days!). No more occasional digital detox required. My life is much more peaceful now, honestly, since no more mails and other crap to deal with during off work hours (was never a social media junkie anyway – too toxic and creepy data collection wise for my tastes). Not just that, at first my co-workers and friends all laughed at me, but now I see a whole bunch of them has followed suit. Ha, guess who’s having the last laugh!
Silly as always with Google lately. What if you don’t have a smartphone? Will they send you free smartphone with mobile plan or offline token generator?
@ Anonymous
You do not need a smartphone.
Generate tokens with browser extension or stand-alone app or password manager, or use FIDO or get codes via voice call to your landline.
All these options are nicely listed in the article above, maybe next time you read the subject of your comment first ?
Huh? Just reading that ‘simple’ convoluted techie workaround exhausted me
JIM, I LIVE IN A FOREIGN COUNTRY, THE REPUBLIC OF PANAMA, AND GOOGLE DOES NOT SEND ANYTHING TO MY LANDLINE PHONE. A COUNTRY CODE, AREA CODE AND PHONE NUMBER IS REQUIRED.
I AM 82 YEARS OLD AND HAVE VISION PROBLEMS (AMD-WET) SO A SMARTPHONE IS OUT OF THE QUESTION.
I HAVE NOTHING TO HIDE THAT NEED A SECURITY PASSWORD, WHY CAN’T IT BE MY CHOICE? NOT GOOGLES?
IT SEEMS TO ME THAT THIS IS ALL ABOUT CONTROL.
PLEASE EXCUSE THE UPPER CASE AS MY VISION IS VERY LIMITED.
I’m with you. My wife has AMD-Wet and I have retinopathy. In addition, I have very limited use of my dominant hand. We do have smart phones but our use is quite limited.
Every single Google exec should be blindfolded with just a slot in the blindfold, have their dominant hand tied behind their back, and forced to use 2-factor authentication to do anything.
I SUPPOSE TWO REASONS, PATRICK:
1) YOU DO NOT PAY FOR YOUR EMAIL. WHEN YOU ARE NOT PAYING (AND SOMETIMES WHEN YOU DO), YOU ARE THE PRODUCT AND NOT THE CUSTOMER.
2) GOOGLE IS GETTING MORE SCRUTINY FROM GOVERNMENTS AND SECURITY FOLKS WHO ALL LIKE THIS 2FA STUFF. GOVERNMENTS WOULD LOVE TO KNOW WHERE YOU WERE LOGGING IN FROM AT ALL TIMES AND TIE IT TIGHTLY TO THE USER.
ALTERNATIVE: LOOK INTO PROTON MAIL. IT HAS SECURITY OF A HIGH DEGREE, WORKS IN BROWSER, AND DATACENTER UNDER MOUNTAINS IN SWITZERLAND WITH A FAIRLY SIGNIFICANT SET OF PRIVACY LAWS THEY COMPLY WITH.
BUT WITH THEM, NEVER EVER LOSE YOUR PASSWORD. THEY CAN NEVER SEE YOUR EMAIL SO THEY CAN’T HELP YOU WITH A LOST PASSWORD.
@ PANAMA PATRICK
It is your choice:
Setup 2FA using (for example) the browser extension “Authenticator” ONCE and tick “Don’t ask me again on this device”.
From thereon you login with your password as usual.
Google does deliver codes to Panama:
Country code is +507.
Split the actual phone number randomly, enter for example a landline number with the first 2 digits as area code and the remaining 5 digits as phone number.
Brilliant reply to (probably yourself) someone who can’t read a phone or anything else you’ve posted.
Kewl.
It’s a step better than the totally useless email message they send “did you just sign in from {wherever}”.
Due to what I do with location settings, my {wherever} seems to be my ISP’s location. Get a new device or if my ISP connection changes, my phones and computers start triggering Google “did you just sign in from {some location I don’t know}”. I have my gmail account set to not alert on the phone (everything else too – the phone is a tool for your convenience, not vice versa). Sometimes it is many hours between logon and mail message. To me all those email messages are ‘the boy who cried Wolf’.
I’m not sure I “get” how this 2SV would factor into my environment…
The only time I signed-in to google on my Moto X4 phone and Samsung Tab A was the first time I set ’em up, both about three years ago. To me, I’ve been “signed-in” ever since, though I’ve had to enter my password now and then when changing some account settings.
On either device that might be in use or get my attention, I’m notified I got new mail and deal with it. If I’m spending time on my desktop PC and I want to check for new mail, Firefox fills the credentials and when I’m done, I sign out. And, of course, I use the devices’ apps or Firefox to send out email or re-read others. Neither the tablet or PC have my mobile phone number.
I’ve had my gmail account since its invite-only days as part of a test team in an enterprise I contracted to at the time. As such, it’s just a fun account (forums, news, past co-workers) and not for my personal affairs or online commerce/finances.
To add to the all this excitement, I’ve got another gmail account I set up for YouTube TV which I use on a Roku, the tablet and PC. I handle payments and customer service with my ISP email account.
But if I have to 2SV every time I have to use gmail, it has run its course in my life and time to toss it in the Recycle Bin. Which is what I’d like to do with all of google. But the only alternative are eliti$t Apple devices. Five of one, $even of the other…
Hah! Funny, me too. Not sure I still like the person who sent me the invite. Took a few years for Google to go bad and become a spam and ad monster.
Gmail? What’s that? Everyone was using email their ISP gave them.
I’m down to one Gmail account from 4, soon to be none. Subscription email is vastly better, cheap, too.
Yes, but the phone prompts stay as default. You can’t disable it. I just want to use the authentication app.
Reminds me “The Godfather” and its choice you can’t refuse.
You can, if you avoid Google accounts in the same way avoiding bad areas limits the risks. They’ll still be after you so wearing a bullet-proof jacket is advised, and such a protection here means limiting meetings with BigG to the strict minimum (in my case, maps, images, translation) together with an army of blockers, smartly put in line because BigG, contrarily to BigF, cannot be totally blocked without breaking a considerable percentage of Web sites. Some of us opt for and manage with a 100% blocking of BigG (for instance [https://decloudus.com/] and its ‘Alpha’ option). I may one day or another switch to that approach.
As ‘The Register’ states it [https://www.theregister.com/2021/05/07/google_password_purge/] :
“One day, all your base are belong to us”. That day will arise soon if a mass of users don’t react.
A lot of the mobile web (sites with mobile) have google frameworks behind them and you at the user end (getting data sent to your phone) don’t even know that, yet Google is *still* collecting info about you and your machine and your browser without you even seeing any signs of their presence (to block).
If you think you are fully protected, you still aren’t. That’s how pervasive and sly they are. They are at least as evil as Facebook in terms of how they treat users and even their paying customers.
I prefer using a second email for 2FA because that is the most convenient for me. I hate using SMS tied to my phone because what would happen if I lose / break my phone?! Then I’m doubly screwed because then I won’t have a phone AND I’m locked out of my account. Great.
It’s supposed to be “two factor” not “single point of failure”. Alternate emails and authenticator apps provide 2FA without being single points of failure i.e. can be accessed through multiple devices.
I’m going to use Microsoft Authenticator for my Google accounts, and Google Authenticator for my Microsoft accounts, just to keep these two in check lol.
This is the most critical point: Single point of failure and single point of gathering data (second factor should ideally never be sent to the same device! That’s right in the basic notion of 2FA!).
>I hate using SMS tied to my phone because what would happen if I lose / break my phone? Then I’m doubly screwed because I won’t have a phone AND I’m locked out of my account. Great.
Exactly!
They want to harvest the maximum amount of personal data, that’s all. Discerning individuals don’t want to have anything to do with Google, the notorious data thieves.
@ Gerard
Nearly four billion Google users are not discerning ?
Only stubborn haters don’t want to have anything to do with Google.
Right-o everyone, let’s all listen to Jim and pull our pants down for the G rod. He promises you will love it. After all, you don’t want to be called a “stubborn hater” for resisting their spying, do you? Thought not. Attaboy, now that’s a good sheep…
@ GScam
“He promises you will love it”
Any clue why you produce such a blatant lie ?
I guess “obvious fact” = “blatant lie” to you, Jim. How else to explain your repeated defence of Google’s underhanded tactics, pushing this change in multiple comments here, or the utterly shameless “Only stubborn haters don’t want to have anything to do with Google” comment?
“You will obey!”
We’re not ignorant, Jim. Do you need the facts shown to you for the thousandth time?
OWG disguised behind a fake corporate facade.
@ |\|\/\/0
Stupid conspiracy theory undisguised in a not subject-related comment.
no Jim Vanderbilt you are obviously a * [Editor: removed, please no attacks]. all governments / big corporations suddenly working together to implement a form of international control, i.e. vaccine passports, is an obvious sign of what’s going on. the “conspiracy theory” of a NWO / OWG is already here, if you haven’t been paying attention. Google 2FA BS is only about ensuring no one can go online without giving their real details to the powers that be, it’s all tied in with imminent digital passports which will be required world wide to access the internet, after their imminent false flag attack to shut down the internet. Also, FYI conspiracy theory just means spoiler warning these days. Now hurry up and take your never ending boosters, for your own good of course.
Well, now I’ve had my laugh for the day.
2FA is a response to the government and some consumers looking for better security.
And to others who don’t see why an email needs to have security of any level:
1. Passwords are quite frequently exposed nowadays
2. If you’ve ever talked to friends or family or anybody else (doctor, boss, etc), and someone compromises your email, they can misrepresent you and phish information from your contacts and possibly even let them hijack your phone (SIM Jacking and other means). So even if you don’t figure you’ve got anything to protect, you likely do.
I hate that this is being made mandatory. I hate even more that I had 7 days warning to try to understand how this affects a complex ecosystem at home here with an OSX Mac, Windows 7-10, Android (various versions on various phones), iPhones (likewise), and to figure it out in a way that lets different folks have access to their stuff but be able to survive scenarios like:
Phone off or out of power when you need email on your computer, Phone damaged irrecoverably, phone lost or stolen, elders that have troubles with lock screen having to deal with 2FA, the vagueness of exactly when an account might be considered high-risk and require more frequent 2FA challenges, how to handle cases where one wants to update a phone or has lost it and can’t use the old phone to help, kids who don’t have phone numbers but do have email, etc.
I have read about Prompts, SMS (both break good 2FA practice if they both go to the same device), I don’t have time to get Yubico keys here soon enough (and I’m never buying Chinese ones) plus the cost for 4 of them would be $250-300 here, and Google Auth won’t support backups of your tokens and Authy & GA don’t say clearly enough if I can have more than a handful of 1-time codes (what happens when I run out?).
And if I get anything wrong, lockout to an account could happen and that’s dire with online banking, groceries, Amazon, medical stuff, etc. etc.
And there are use cases that I don’t represent but others do:
Elders without someone tech savvy to help
People who live, work or attend school where landline data is available but not cell coverage
People who live or work in environments where they are allowed to check their own email but cannot have a phone in the facility or it must be turned off all the time
In a disaster, when cell networks go down sometimes before hard lines underground, can I not get to my gmail to notify friends of my situation?
Saying ‘you just have to have the phone to log on’ doesn’t get all the situations where that is a pain. I’m mobility challenged and if my phone is charging elsewhere, that’s a big deal. My wife is disabled as are both the seniors in our house.
And then proper browser use means a new browser instance with no cache or anything for any surfing and full deletion of any cookies or other information on exit (and possibly if run in a VM, wiping the entire VM image). So *every* time is a new login.
7 days is too short notice. AND saying Google said this months ago *on some blogs most readers don’t even know exist let alone read* is not sufficient. This should have had email warnings and more information distributed to the emails over the last 45 days. That would have allowed people to get hardware keys (Yubico) or to even migrate off gmail.
2FA isn’t as such the problem. Forced 2FA on a week’s notice is a problem. Google is a problem. They ceased being ‘we do no evil’ long ago.
Sure, just “stupid conspiracy theory”, even when it is a proven fact. Completely related.
Seems you’re very defensive about Google, judging by your multiple comments.
@Anonymous
Socks abound.
@ Anonymous
1: Proven fact
Surest thing.
All conspiracy theories are.
2: Being defensive
Let’s assume that tomorrow a Ghacks article about Firefox facing problems with a certain Coolermaster keyboard receives ten comments claiming Mozilla was secretly trying to rule the world. I will call their BS ten times.
That doesn’t mean I’m defensive about Mozilla nor Coolermaster.
Totally sick of companies assuming anyone with a mobile phone has it switched on all the time.
FORCING 2-FACTOR ON CELL PHONE IS VERY BAD. Glad someone else posted that they too, don’t do cell phones/mobile devices! I have a cheap, pay-as-you go phone for road emergencies that DOES NOT have a fancy graphical user interface. Every text message and phone call COSTS MONEY – or if you prepay, it debits the allowance. Why should I have to pay money every time I want to check email or respond to a message? Bad enough to get unwanted SPAM. BTW – banks do NOT require a cell phone for authentication. There are other means which I won’t go into here. I no longer use gmail because it wouldn’t let me access an account even after answering ‘challenge questions’ correctly. There is no customer service to resolve this. Google is completely unresponsive. What’s up with email accounts that require you to provide an email account from a different provider to get an account? It’s a circle in frustration.
Yes, I agree. Too invasive, plays with our email attempting to build artificial intelligence (infrequently sends my family emails and subscribed newsletters to me into Spam). I thought things might clear up a little once the original Pirate himself quit, but that apparently isn’t true.
Much more importantly SteveB, sick of them assuming that everyone is even stupid enough to provide companies like Google with their mobile numbers in the first place.
@SteveB
Good news! You no longer have to feel “totally sick”, as your assumption is wrong. You don’t need to have your mobile phone on all the time. You just turn it on when you sign-in.
Also, with Google, there are other options, such as opting out of all two-step verifications.
But if you still want to talk bunkum and feel sick, then that’s fine by me.
as of this week you can no longer opt out
Technically phones are on all of the time. Unless the battery goes flat it’s more like in a hibernation state. But if you can access a computer by remote shell, login without the pc even turning on. Fuckers can remote install flash images for Christ sake. That’s like game over before finding out you’re playing a game, then get spawn killed repeatedly with amnesia as a death streak reward.
@ SteveB
Some banks demand the mobile phone, still they are not sick.
Google, Amazon and many others offer for 2FA the option “Don’t ask me again on this device”.
Tick that checkbox and from there on log in using only your password.
@JV
Get a new bank, doing financial stuff on a phone is really dumb. No real bank requires a phone.
In the space below, add lengthy ready, fire, aim rebuttal:
:)
>implying that I save cookies
Doesn’t work with tracking protection.
I am sick and tiref of companies that think that if you use their software, they own your system and can do whatever they want, like M$ thinking they can crash my gamedev laptop to install updates. WRONG. They will wait until *I* say they can install their updates by restarting it on MY schedule.
oops sick and tireD :-)
TOTALLY SICK OF COMPANIES THINKING THAT EVERYONE HAS A MOBILE PHONE. I DON’T, I’M 82 YEARS OLD AND MY EYESIGHT PROHIBITS ME FROM READING ANYTHING ON THOSE PHONES. BESIDES, WHAT THE HELL DO I NEED SECURITY FOR? I DON’T HAVE ANY TOP SECRETS OR CONFIDENTIAL INFO IN MY COMPUTER. WHAT BULLSHIT!!! THIS SECURITY SHIT IS GETTING RIDICULOUS.
i freaking agree. i honestly don’t need my email that secure, there’s absolutely no information in my email account and if i don’t care to make it more secure then why the hell should they. it’s only going to complicate everything and there is zero chance that i won’t somehow get locked out of mine eventually. plus i have multiple email accounts and multiple devices, this is going to be a huge pain in the ass and it’s bullshit. honestly i’m not sure why everyone is ok with it
As far as mobile phones go I carry one for when there is an emergency situation. I pay $70 a year for that privilege, no data. If the government wants to trace me with all this covid crap they can pay for me to have data. I also carry an EPIRB, this is for when there is no mobile phone service and believe me there are more no service areas than good service areas. I have a landline line, you want to contact me you use that. All this security with google is crap. Companies won’t let me buy online with my computer because I will not give them a mobile number, Fine I will buy elsewhere. Store won’t let me in to do shopping fine there are plenty of other stores. Google wants me to do 2 step verification, forget it you don’t get my mobile number it is for my use only… not for google or all this advertisement crap. Be careful cause big brother is watching you.
Easy, my friend. I, too, don’t do cell phones/mobile devices (I’m 70). I find those little suckers are WAY overpriced for what they’re worth so I don’t bother. Even if I had one, it would be off most of the time. (It is for MY convenience.) The security shit is ridiculous ’cause it needs to be, mainly ’cause most folks are dumb enough to keep really private stuff on their devices. (You and I are the smart ones, here.)
Google forces you to use Google Prompts as the default 2fa even if you would rather have an authenticator app
In my case, I needed to use my phone to sign in. This is because I had my cellphone number linked to my personal gmail address, the original owner of my youtube channel before I monetized under hennyk.com
I solved this by making sure the 2-step was “on” for phone sign in on both gmails, then I returned again to make sure 2-step Verification also showed blue toggle “on”.
Ultimately, I had to make sure to link my personal cell phone number to both gmails to enable 2-step verification on both accounts, including the one linked to my youtube creator studio.
I also made a 1-minute how-to video for people who are still unable to setup 2 step verification. Endless loop going back to my google account page instead.
@Anonymous
Google makes it difficult to enable the authenticator app, but it is possible.
On the safety check page at the two step verification tab you will see this:
You can add backup options through your 2-step verification settings https://myaccount.google.com/signinoptions/two-step-verification
I want authenticator as default and google prompts as backup if something goes wrong, Google makes Prompts the default
google MUST die!
@ assurbani
That’s your answer to Martin’s question “Do you use two-factor authentication?” ???
Google is now self aware. You can’t kill Skynet…
Yes we can, Dustyn. Just ignore all the non-canon post-T2 crapfests. :D