Andy Burns <usenet@andyburns.uk> wrote:
> Frank Slootweg wrote:
>
> > Andy Burns wrote:
> > >> Frank Slootweg wrote:
> >>
> >>> you can still use Gmail without Oauth2. I'm doing so, in my 'stone age'
> >>> (60.9.0) Thunderbird
> >>
> >> There are those who resist giving google their phone number, in those
> >> cases I believe they can't create an app-specific password for IMAP/SMTP
> >> access (that's up to them, presumably the find an alternate provider).
> >
> > For 2-Step Verification (2SV) [1], you can still use 'Backup codes' in
> > the "Available seconds step' section.
>
> but "To use backup codes, 2-Step Verification must be on"

Where do you see that sentence? (I have Backup codes, so that's
perhaps why I do not see that sentence.)

That sentence is ambiguous, because in order to *use* backup codes, of
course "2-Step Verification must be on", otherwise there's no point to
have them. But it doesn't say that 2SV must already be on to *create*
(generate) backup codes.

> so that isn't an alternative for those not wanting to give google a
> phone number.
>
> > With 2SV turned on, you can still
> > create 'App passwords' [2].
>
> I've not looked into it since enabling oAuth2, but at that time, you had
> to give them a phone number in order to enable 2SV, in order to get the
> app-specific passwords ... and for some people, they didn't want to give
> google a phone number. Also if you disable 2SV it invalidates all app
> passwords you created while it was enabled.

Yes, the latter is true. That's why I'm not going to experiment to
check who of us is (more) correct.

> So I think it does come down to "no phone number, no access to gmail
> except via web browser"

Maybe yes, maybe no! :-) But seriously, I don't care much either way.
If people - i.e. the Arlen's of this world - are paranoid about giving a
phone number, to *use Google services* for crying out loud, I don't have
much sympathy.

BUT, there are other methods for 2SV, other than a phone number, like
'Google Prompts' (needs a phone, but not a phone *number*) and
'Authenticator app' (and, probably not so common, 'Security Key').

Frank Slootweg wrote:

> Andy Burns wrote:
>
>> but "To use backup codes, 2-Step Verification must be on"
>
> Where do you see that sentence? (I have Backup codes, so that's
> perhaps why I do not see that sentence.)

<https://support.google.com/accounts/answer/1187538?hl=en&co=GENIE.Platform%3DAndroid>

> That sentence is ambiguous, because in order to *use* backup codes, of
> course "2-Step Verification must be on", otherwise there's no point to
> have them. But it doesn't say that 2SV must already be on to *create*
> (generate) backup codes.

2SV is off for me, I can't get to the screen to create backup codes
without turning it [back] on.

2SV must also be on to create app passwords, I do have a recovery phone
number set, so could enable 2SV if I wanted.

It's the people who want to use IMAP, but who refuse to give a phone
number ... I don't think there's a way to do that.

>> so that isn't an alternative for those not wanting to give google a
>> phone number.
>>
>>> With 2SV turned on, you can still
>>> create 'App passwords' [2].
>>
>> I've not looked into it since enabling oAuth2, but at that time, you had
>> to give them a phone number in order to enable 2SV, in order to get the
>> app-specific passwords ... and for some people, they didn't want to give
>> google a phone number. Also if you disable 2SV it invalidates all app
>> passwords you created while it was enabled.
>
> Yes, the latter is true. That's why I'm not going to experiment to
> check who of us is (more) correct.
>
>> So I think it does come down to "no phone number, no access to gmail
>> except via web browser"
>
> Maybe yes, maybe no! :-) But seriously, I don't care much either way.

Me neither ... I do have gmail setup on my thunderbird, but it's only
for testing, going back a couple of years when TB users were losing
their shit over google pushing people towards oAuth2 and google
explaining it badly.

> If people - i.e. the Arlen's of this world - are paranoid about giving a
> phone number, to *use Google services* for crying out loud, I don't have
> much sympathy.
>
> BUT, there are other methods for 2SV, other than a phone number, like
> 'Google Prompts' (needs a phone, but not a phone *number*) and
> 'Authenticator app' (and, probably not so common, 'Security Key').

Andy Burns <usenet@andyburns.uk> wrote:
> Frank Slootweg wrote:
[...]
> 2SV is off for me, I can't get to the screen to create backup codes
> without turning it [back] on.
>
> 2SV must also be on to create app passwords, I do have a recovery phone
> number set, so could enable 2SV if I wanted.
[...]
> > BUT, there are other methods for 2SV, other than a phone number, like
> > 'Google Prompts' (needs a phone, but not a phone *number*) and
> > 'Authenticator app' (and, probably not so common, 'Security Key').

I've looked into this some more. One probably *can* turn on SV - and
hence generate App paswords - without giving a phone number, but that
gives so many *other* hoops to jump through, that it's probably not
worth it.

Anyway, here's what I found:

I created a new Google Account without giving ('Skip') a phone number
or a recovery email address (only needs a (fake) name, (fake) birthday
and password).

When trying to turn on SV, the only choices are phone number :-),
Google Prompt and Security Key.

We of course don't want to give a phone number (because that's what
started this subthread) and I don't think a Security Key is practical (I
have such devices for our banks, but they are *only* for those banks).

So that leaves Google Prompt.

The Help for Google Prompts mentions iPad, so theoretically a device
without a SIM/phone-number, but for the rest it only mentions Android
phones and iPhones.

While such a (smart)phone could in theory be SIM-less - and hence
have no phone number -, that's not very practical. And with a phone
number, there's always the risk/'fear' that the phone number of the
phone will 'leak' to the Google Account on the phone, so this is not an
option either (for those who do not want to give a phone number to
Google).

The only other 'safe' (phonenumber-less) option, 'Authenticator app',
is *not* one of the choices is this process, so it looks that Google
wants either a phone number or a (smart)phone (which normally has a
phone number). Catch 22!

Bottom line: In order to generate App passwords. 2SV must be on and
for 2SV to be turned on, a phone number is needed, one way or the other.

So you (Andy), were right after all. But you already knew that! :-)

Please let me know if/when we're done, so I can delete the test
account.