Google now lets you set up 2-Step Verification without adding a phone number
Google has announced that it is streamlining the process of setting up 2-Step Verification (2SV) for user accounts. Users can now enable 2SV without adding a phone number.
Prior to this change, Google required users to provide their phone number, before they could set up a 2SV method. Now, when you go to your account settings and enroll into the verification method, you can skip the phone number if you want to use one of the other methods.
While the article published by Google highlights the fact that this change will help admins enforce 2SV policies in their organizations, it is a welcome move for all users. That's because relying on a phone number is not a secure option, since SMS-based one-time passcodes (OTPs) can be obtained by hackers, or exposed if your device is stolen.
Google no longer requires users to add a phone number before setting up 2-Step Verification
Google lets you choose between three options for setting up 2-Step Verification. You may opt to use an authenticator app like Google Authenticator or Microsoft Authenticator. I would suggest looking into open source alternatives such as Aegis Authenticator (Android), 2FAS (Android, iOS), or Ente Auth (Android, iOS).
Optionally, you can use a hardware security key such as a YubiKey to protect your Google account. Google says that such keys will be registered as a FIDO1 credential even if the key is FIDO2 capable. Alternatively, you can create a passkey for your Google account, which registers it as a FIDO2 credential. A passkey will require users to enter their key's PIN for local verification.
On a side note, Microsoft recently added support for passkeys for all user accounts. WhatsApp Messenger also introduced passkeys to let users log back into their accounts securely. Bitwarden Password Manager now supports passkeys on Android and iOS. It is clear that passkeys are quickly rising in popularity. As a matter of fact, Google recently revealed that its users have used passkeys for authentication over 1 billion times across over 400 million accounts in less than a year. Interested in setting it up? Follow our tutorial to create a passkey for your Google account using your fingerprint reader, Face ID, or your device's screen lock code.
The Mountain View company also says that when a user who has 2SV enabled for their account disables the setting, other enrolled second steps, such as backup codes, Google Authenticator, or a second-factor phone, will no longer be removed automatically from their account. This will likely help prevent users from being locked out of their accounts, especially when switching to a new device.
The best part is that the new 2-Step Verification process is not exclusive to Google Workspace customers; it is available to all users, including personal accounts. The announcement mentions that the change is being rolled out over the next two days. If you have not done so already, you can enable 2-Step Verification for your Google Account from your account's security page. Enabling 2SV will protect your account from being hacked, even if your password is leaked.
Which 2SV method do you use, an authenticator app or a hardware security key?
Step Verification has been hacked again and again so clear danger danger danger
Now after forcing the entire user base to enable 2FA with phone number, what is the point? Just new spam accounts can be created with more ease I guess…
Google needs to be shut down because if they're spying on the people in the USA, lock them up.
Good! I will never give my personal phone number to any company like Google, Facebook, X, etc., knowing they could sell it to some advertisers who would suddenly send SMS/calls/voice mails/etc.
This is great news for those that had to set up a Google account and use 2FA. Just did this on a few of my accounts.
Does that mean I can remove my phone number now from my Google account and still use 2FA?
Yes. I just did this on a few of my secondary Google accounts.
Man, it's about time Google got on board with this and dropped the SMS requirement. SMS is so hackable these days. As for TOTP 2FA apps, for those that didn't know: Bitwarden now offers a separate app for TOTP codes.
The two-step verification phone method is mostly a completely insecure way to protect nothing. Double password to recover the account, or even to confirm opening a session, should be turned back as soon as possible, just to avoid very important security risks like the fake user (probably the best explanation of a man-in-the-middle attack). Double password should always be a primary option instead of the 2-step phone method.
Just understand > the phone is not the solution, it’s the problem itself.
Just an easy example of what I mean…
1) someone takes your smartphone while unlocked.
2) you have an email account with two step verification.
3) this person clicks on “I forgot my password” button.
4) a code is sent to your smartphone in your absence.
5) if you have read point 4) you are now very well fu*****.
A friend of mine demonstrated it to me in person during a trip to the south of France, and even told me that thieves there usually steal cell phones while they are unlocked for this and other reasons. Yes, they prefer to steal unlocked phones to get inside as soon as possible.
Just prevent robberies, please be smart, everything is very bad out there!
Thanks for the article! :]
Is Authy still secure to use?
I would suggest a different authenticator app, Aegis for instance or the recently released Bitwarden Authenticator.
https://www.ghacks.net/2023/02/27/best-authenticator-apps-for-android-and-ios/
https://www.ghacks.net/2024/05/02/bitwarden-launches-standalone-bitwarden-authenticator-app/
@ASHWIN, thanks for the article. But why is there no option for desktop computers as well? I don't want all of this to necessarily go through a phone. I want the possibility of such two-factor authentication through a desktop computer, but there is no such article here on the site?
Yes finally…already set it up. No phone # needed.