It looks like Google have stopped registering new accounts unless you
have a phone number for verification purposes.

I just tried to create a new account but it didn't allow me to register
because I didn't want to give them a phone number. I was expecting to be
allowed to use an email.

On 2/20/2024 at 4:40 PM, A.Brehme wrote:
> It looks like Google have stopped registering new accounts unless you
> have a phone number for verification purposes.
>
> I just tried to create a new account but it didn't allow me to register
> because I didn't want to give them a phone number. I was expecting to be
> allowed to use an email.

Would it accept 999-999-9999?

"A.Brehme" <invalid@invalid.invalid> wrote:

> It looks like Google have stopped registering new accounts unless you
> have a phone number for verification purposes.
>
> I just tried to create a new account but it didn't allow me to
> register because I didn't want to give them a phone number. I was
> expecting to be allowed to use an email.

I suspect part of their decision was to allow a means of recovery. You
can't use the account itself for recovery, because you cannot login.
You can specify an alternate e-mail address for recovery, but that could
also fail (*). They want a 2nd means of recovery which is texting to
your phone.

(*) A while ago, I was on vacation in a location across the nation.
Gmail saw I was in a different location, and refused to let me
login unless I used a recovery method. My recovery was Hotmail.
Recoverr for my Hotmail pointed at my Gmail account Alas, Hotmail
also saw I was in a different location, and did the same lockout
crap. So, I couldn't use either account nor the recovery e-mail
account. Because I had my phone number also as a recovery
option, I used that to get into both my Gmail and Hotmail
accounts (no problem with my ISP e-mail account). Without the
phone number for them to send a text, I could do e-mail while on
vacation, which included reservation numbers send when paying
online for dinner theater reservations. After I got home, I
investigated to find my ISP's e-mail service doesn't do that
geolocation crap to lockout their users, so I set both Gmail and
Hotmail to use my ISP e-mail account for recovery.

"This extra confirmation by phone helps keep spammers to abuse our
systems" (https://support.google.com/accounts/answer/114129?hl=en).
Bettery wording would've been "from abusing". Really? LOTS of spam
originates from Gmail/Googlemail accounts. Google has great anti-spam
filtering on inbound messages, but obviously doesn't apply that
filtering to outbound messages.

Some suggestions are available online, like at:

https://www.makeuseof.com/create-google-account-without-phone-number/

Step 10 isn't available anymore (where you skip entering a phone
number)? The Skip option is not available in all areas (no, don't ask
me which areas the Skip is available).

https://www.wikihow.com/Bypass-Gmail-Phone-Verification

Another recommendation is to create a temp phone number using Google
Voice, but that service is only available in the USA. For using someone
else's phone, once entered that phone number is permanent (your friend
is on the hook thereafter) until you edit the phone number, but you
cannot delete it. You'll need to replace the phone number with another,
not with a blank/null entry.

Bill H <billh@domain.is.invalid> wrote:

> On 2/20/2024 at 4:40 PM, A.Brehme wrote:
>> It looks like Google have stopped registering new accounts unless you
>> have a phone number for verification purposes.
>>
>> I just tried to create a new account but it didn't allow me to register
>> because I didn't want to give them a phone number. I was expecting to be
>> allowed to use an email.
>
> Would it accept 999-999-9999?

When you specify a phone number, they send a 2FA text to that number.
You need to use the 2FA code to complete the new-account registration.
They aren't that dumb.

On 2/20/2024 at 5:15 PM, VanguardLH wrote:
> Bill H <billh@domain.is.invalid> wrote:
>
>> On 2/20/2024 at 4:40 PM, A.Brehme wrote:
>>> It looks like Google have stopped registering new accounts unless you
>>> have a phone number for verification purposes.
>>>
>>> I just tried to create a new account but it didn't allow me to register
>>> because I didn't want to give them a phone number. I was expecting to be
>>> allowed to use an email.
>>
>> Would it accept 999-999-9999?
>
> When you specify a phone number, they send a 2FA text to that number.
> You need to use the 2FA code to complete the new-account registration.
> They aren't that dumb.

Oh well. Just a thought. Some site will accept 999-999-9999, but they
don't do 2FA.

On 2024-02-21 02:01, Bill H wrote:
> On 2/20/2024 at 4:40 PM, A.Brehme wrote:
>> It looks like Google have stopped registering new accounts unless you
>> have a phone number for verification purposes.
>>
>> I just tried to create a new account but it didn't allow me to register
>> because I didn't want to give them a phone number. I was expecting to be
>> allowed to use an email.
>
> Would it accept 999-999-9999?

They verify you can receive a message on whatever number you give.

--
Cheers, Carlos.

On Tue, 20 Feb 2024 17:24:31 -0800, Bill H wrote:

>> When you specify a phone number, they send a 2FA text to that number.
>> You need to use the 2FA code to complete the new-account registration.
>> They aren't that dumb.
>
> Oh well. Just a thought. Some site will accept 999-999-9999, but they
> don't do 2FA.

I wonder if a second line existing voip account number would work?
TextNow? 2ndLine? Hushed? TextPlus? Talkatone? Burner? GoogleVoice?

On 2/20/2024 8:20 PM, Carlos E.R. wrote:
> On 2024-02-21 02:01, Bill H wrote:
>> On 2/20/2024 at 4:40 PM, A.Brehme wrote:
>>> It looks like Google have stopped registering new accounts unless you
>>> have a phone number for verification purposes.
>>>
>>> I just tried to create a new account but it didn't allow me to register
>>> because I didn't want to give them a phone number. I was expecting to be
>>> allowed to use an email.
>>
>> Would it accept 999-999-9999?
>
> They verify you can receive a message on whatever number you give.
>
try using the number from your old account.

VanguardLH wrote:
> I suspect part of their decision was to allow a means of recovery.

I think it is 'too bad'/ tragic/ that the user can't make his own
decisions about the conditions which should trigger lockouts and
recoveries, instead of the provider unilaterally making all of the
decisions and restrictions.

Ideally security protocols should be 'advised' and then the suggested
protocols optionally available.

It is NO GOOD when security rules work to the disadvantage of the user
instead of to his advantage.

--
Mike Easter

Mike Easter wrote:
> VanguardLH wrote:
>> I suspect part of their decision was to allow a means of recovery.
>
> I think it is 'too bad'/ tragic/ that the user can't make his own
> decisions about the conditions which should trigger lockouts and
> recoveries, instead of the provider unilaterally making all of the
> decisions and restrictions.

Hey! We're Google! We know what's best for you!
Searching on the Internet, EMail, online storage - all for free!! FOR FREE!!
You don't have to pay anything, we just want to have as much of your data
as we can get. Don't worry, we just try to overtake this whole internet-thing.

If you're already in our fenced garden you don't have to worry at all.
Get your free Gmail, Gstorage, Gnet, Ginternet, Ggroups, Gforums, Gsale now!!!

Mike Easter <MikeE@ster.invalid> wrote:

> VanguardLH wrote:
>
>> I suspect part of their decision was to allow a means of recovery.
>
> I think it is 'too bad'/ tragic/ that the user can't make his own
> decisions about the conditions which should trigger lockouts and
> recoveries, instead of the provider unilaterally making all of the
> decisions and restrictions.

Well, when your bank enforces 2FA to login, you can argue until you die.
They rely on the advise of their web devs, and advice from their lawyers
trying to indemnify the bank against hacked accounts.

I hate running around to find my smartphone when my bank sends a text
with the 2FA login code. I'm not grafted to my phones. I had to use
Authy to work with their 2FA login, but Authy discontinued their desktop
client, and I obviously don't need their mobile app since the phone is
where I'd be getting their 2FA text, anyway. Their only other choice to
get their 2FA codes is to get them via SMS. Geez, like that's a more
secure setup: use an insecure communications venue (SMS) to complete
login using HTTPS and me using long strong passwords that are unique to
every domain. Since Authy is dropping their desktop client, and I'm not
going to bother with the Symantec alternative (which I think is just
mobile apps which are unnecessary on the phone where the SMS text gets
sent), I have them send their 2FA code to my Google Voice phone number.
Google Voice sends me a copy of texts to my e-mail address. So, I get
the 2FA code via e-mail (which they don't offer as a choice). Complain,
suggest, or opine however much as I have, the bank is not going to alter
what choices they have to shove a 2FA code at me - security theater to
allow tracking while compensating for boobs that reuse weak passwords at
every site they login.

> Ideally security protocols should be 'advised' and then the suggested
> protocols optionally available.
>
> It is NO GOOD when security rules work to the disadvantage of the user
> instead of to his advantage.

Often "security" is an allusion by making the user busy. Gee, if the
user is busy jumping through hoops, security just must be better.

Reminds of a programmer that had an airline as a customer. Their
real-time reservation system was getting really slow, and embarrasing
their counter agents while customers had to wait a long time. When he
showed up, he made simple edits to the code which added status messages
basically saying "You got here", "Now you're here", "Still working", and
so on. That placated the impatience by the counter agents. They saw
/something/ was changing instead of staring at a stalled screen. That
got them of his back, so he could focus all his time on analysing and
fixing the problem (requires database maintenance, like deleting
delete-flagged records over some expiration, and compacting the
database). He salved the anxiety of the agents until the real problem
got fixed.

2FA is pretending to users that sending codes over insecure
communications venues (e-mail, SMS) is better security. Users are
misled into thinking their logins are more secure. It's like you want
to get into your house, but your neighbor down the block has to send you
a letter with a code to unlock your door, but the letter is not in an
envelope, and the letter gets passed to the intervening neighbors who
can each see the contents of the letter.

E-mail is not secure. Rare few users install x.509 or PGP certs into
their e-mail client, or now how to use them (they are by invite: you
send someone your public key they optionally use to encrypt their
message to you that you decrypt using the private key that only you
have). The free e-mail certs (is there more than 1 provider now?) only
have your e-mail address, no other details (you have to pay to get a
more detailed cert). Your only identity in a free e-mail cert is your
e-mail address. So, we have 2FA codes securing a login that are sent
via an insecure e-mail route.

SMS is also insecure. It is not encrypted. We're not talking about
using end-to-end encryption using WhatsApp, but just simple texting.
So, we have 2FA codes securing a login that are sent via an insecure SMS
texting route.

By nuisancing users with more steps during the login process, they hope
the majority of them are boobs assuming "Ooh, it's harder to login, so
it just must be more secure."

On 21.02.24 01:40, A.Brehme wrote:
> It looks like Google have stopped registering new accounts unless you
> have a phone number for verification purposes.
>
> I just tried to create a new account but it didn't allow me to register
> because I didn't want to give them a phone number. I was expecting to be
> allowed to use an email.

This one: A.Brehme <invalid@invalid.invalid>
Never ever.

--
"Ave Caesar! Morituri te salutant!"

On 21.02.24 04:38, Frank Miller wrote:
> Mike Easter wrote:
>> VanguardLH wrote:
>>> I suspect part of their decision was to allow a means of recovery.
>>
>> I think it is 'too bad'/ tragic/ that the user can't make his own
>> decisions about the conditions which should trigger lockouts and
>> recoveries, instead of the provider unilaterally making all of the
>> decisions and restrictions.
>
> Hey! We're Google! We know what's best for you!
> Searching on the Internet, EMail, online storage - all for free!! FOR FREE!!
> You don't have to pay anything, we just want to have as much of your data
> as we can get. Don't worry, we just try to overtake this whole internet-thing.
>
> If you're already in our fenced garden you don't have to worry at all.
> Get your free Gmail, Gstorage, Gnet, Ginternet, Ggroups, Gforums, Gsale now!!!

Google is simply evil.

--
"Ave Caesar! Morituri te salutant!"

On Wed-21-Feb-2024 4:42 pm, VanguardLH wrote:
> Mike Easter <MikeE@ster.invalid> wrote:
>
>> VanguardLH wrote:
>>
>>> I suspect part of their decision was to allow a means of recovery.
>>
>> I think it is 'too bad'/ tragic/ that the user can't make his own
>> decisions about the conditions which should trigger lockouts and
>> recoveries, instead of the provider unilaterally making all of the
>> decisions and restrictions.
>
> Well, when your bank enforces 2FA to login, you can argue until you die.
> They rely on the advise of their web devs, and advice from their lawyers
> trying to indemnify the bank against hacked accounts.
>
> I hate running around to find my smartphone when my bank sends a text
> with the 2FA login code. I'm not grafted to my phones. I had to use
> Authy to work with their 2FA login, but Authy discontinued their desktop
> client, and I obviously don't need their mobile app since the phone is
> where I'd be getting their 2FA text, anyway. Their only other choice to
> get their 2FA codes is to get them via SMS. Geez, like that's a more
> secure setup: use an insecure communications venue (SMS) to complete
> login using HTTPS and me using long strong passwords that are unique to
> every domain. Since Authy is dropping their desktop client, and I'm not
> going to bother with the Symantec alternative (which I think is just
> mobile apps which are unnecessary on the phone where the SMS text gets
> sent), I have them send their 2FA code to my Google Voice phone number.
> Google Voice sends me a copy of texts to my e-mail address. So, I get
> the 2FA code via e-mail (which they don't offer as a choice). Complain,
> suggest, or opine however much as I have, the bank is not going to alter
> what choices they have to shove a 2FA code at me - security theater to
> allow tracking while compensating for boobs that reuse weak passwords at
> every site they login.
>
>> Ideally security protocols should be 'advised' and then the suggested
>> protocols optionally available.
>>
>> It is NO GOOD when security rules work to the disadvantage of the user
>> instead of to his advantage.
>
> Often "security" is an allusion by making the user busy. Gee, if the
> user is busy jumping through hoops, security just must be better.
>
> Reminds of a programmer that had an airline as a customer. Their
> real-time reservation system was getting really slow, and embarrasing
> their counter agents while customers had to wait a long time. When he
> showed up, he made simple edits to the code which added status messages
> basically saying "You got here", "Now you're here", "Still working", and
> so on. That placated the impatience by the counter agents. They saw
> /something/ was changing instead of staring at a stalled screen. That
> got them of his back, so he could focus all his time on analysing and
> fixing the problem (requires database maintenance, like deleting
> delete-flagged records over some expiration, and compacting the
> database). He salved the anxiety of the agents until the real problem
> got fixed.
>
> 2FA is pretending to users that sending codes over insecure
> communications venues (e-mail, SMS) is better security. Users are
> misled into thinking their logins are more secure. It's like you want
> to get into your house, but your neighbor down the block has to send you
> a letter with a code to unlock your door, but the letter is not in an
> envelope, and the letter gets passed to the intervening neighbors who
> can each see the contents of the letter.
>
> E-mail is not secure. Rare few users install x.509 or PGP certs into
> their e-mail client, or now how to use them (they are by invite: you
> send someone your public key they optionally use to encrypt their
> message to you that you decrypt using the private key that only you
> have). The free e-mail certs (is there more than 1 provider now?) only
> have your e-mail address, no other details (you have to pay to get a
> more detailed cert). Your only identity in a free e-mail cert is your
> e-mail address. So, we have 2FA codes securing a login that are sent
> via an insecure e-mail route.
>
> SMS is also insecure. It is not encrypted. We're not talking about
> using end-to-end encryption using WhatsApp, but just simple texting.
> So, we have 2FA codes securing a login that are sent via an insecure SMS
> texting route.
>
> By nuisancing users with more steps during the login process, they hope
> the majority of them are boobs assuming "Ooh, it's harder to login, so
> it just must be more secure."

What pisses me off is Google's preoccupation with SMS for their 2FA.
Some of us live in places like New Zealand where there's not much
interest in providing decent communications in rural areas and as I have
no cellular coverage SMS is a bit of a problem for me. Most
organisations I deal with offer 2FA via email or even voice message via
a land line - not ultra-secure, but better than nothing. But it seems
Google is far too arrogant and indifferent to customers to consider
those options....

In alt.comp.software.thunderbird VanguardLH <V@nguard.lh> wrote:
> SMS is also insecure. It is not encrypted. We're not talking about
> using end-to-end encryption using WhatsApp, but just simple texting.
> So, we have 2FA codes securing a login that are sent via an insecure SMS
> texting route.

But is it practicable for an adversary to intercept the SMS message in the few seconds it takes for the user to log in with it?

Mike Easter wrote on 2/20/24 8:06 PM:
> VanguardLH wrote:
>> I suspect part of their decision was to allow a means of recovery.
>
> I think it is 'too bad'/ tragic/ that the user can't make his own
> decisions about the conditions which should trigger lockouts and
> recoveries, instead of the provider unilaterally making all of the
> decisions and restrictions.
>
> Ideally security protocols should be 'advised' and then the suggested
> protocols optionally available.
>
> It is NO GOOD when security rules work to the disadvantage of the user
> instead of to his advantage.
>

Might be perceived as 'no good'...but that expectation of the opposite is
really or fast becoming a pipe dream.

i.e. desire to play in their ball bark => no home field advantage, price
of admission(their rules/policy)

Might be sad, but true.

--
....w¡ñ§±¤ñ

On 2024-02-21 04:42, VanguardLH wrote:
> Mike Easter <MikeE@ster.invalid> wrote:
>
>> VanguardLH wrote:

....

> By nuisancing users with more steps during the login process, they hope
> the majority of them are boobs assuming "Ooh, it's harder to login, so
> it just must be more secure."

Recently a large provider here (Orange) was hacked, all internet access
for all (most?) their clients died. An attacker found the passwords to
critical machines. Analysts said that if those machines had used a
simple 2FA, the attack would not have succeeded.

https://www.reuters.com/business/media-telecom/orange-suffers-cyber-attack-affecting-clients-internet-access-spain-2024-01-03/

https://www.securityweek.com/ripe-account-hacking-leads-to-major-internet-outage-at-orange-spain/

--
Cheers, Carlos.

malone <malone@nospam.net.nz> wrote:
[...]

> What pisses me off is Google's preoccupation with SMS for their 2FA.
> Some of us live in places like New Zealand where there's not much
> interest in providing decent communications in rural areas and as I have
> no cellular coverage SMS is a bit of a problem for me. Most
> organisations I deal with offer 2FA via email or even voice message via
> a land line - not ultra-secure, but better than nothing. But it seems
> Google is far too arrogant and indifferent to customers to consider
> those options....

Google's 2-Step Verification (2SV, not (neccesarily) 2FA) can use a
*voice* message. As far as I know, you can also use a landline number
for these (2SV) voice messages.

And there's always the 'Backup codes' option, which does not need any
phone or other device.

Do you have a smartphone? If so, you can use that for (2SV) 'Google
Prompts'.

And if you only have a computer, you can do 2SV with an
'Authentication app'.

In any case, just go to

<https://myaccount.google.com/signinoptions/two-step-verification>

to see the "Available second steps".

And of course you need to use 2SV only once on each device, if you set
up 'Devices you trust' by ticking the box at the first 2SV procedure.

FYI, for my main account, I currently have 'Google prompts' as the
default and 'Voice or text message' (for two numbers) and 'Backup
codes'.

Bottom line: Google's 2SV is not as bad as some people portray and
actually quite good and flexible, but it does require some RTFS
(RTFScreen).

On 2/20/24 21:06, Mike Easter wrote:

[snip]

> It is NO GOOD when security rules work to the disadvantage of the user
> instead of to his advantage.

"working to the disadvantage of the user" is what security rules almost
always do. You hope there's some good in there too.

In alt.comp.os.windows-10, on Tue, 20 Feb 2024 19:19:06 -0700, Nick Cine
<nickcine@is.invalid> wrote:

>On Tue, 20 Feb 2024 17:24:31 -0800, Bill H wrote:
>
>>> When you specify a phone number, they send a 2FA text to that number.
>>> You need to use the 2FA code to complete the new-account registration.
>>> They aren't that dumb.
>>
>> Oh well. Just a thought. Some site will accept 999-999-9999, but they
>> don't do 2FA.
>
>I wonder if a second line existing voip account number would work?
>TextNow? 2ndLine? Hushed? TextPlus? Talkatone? Burner? GoogleVoice?

This is not my question, but I read it anyhow and installed 2ndLine on
my 85-yo friend's phone with no sim, and it seems to work fine, comelete
witha new phone number. Thank you. they did send an email but only to
my paypal email address, because I decided it was easier to use my
paypal than to convince her to use her credit card. And maybe they
wrote to her gmail address too, but I know they didn't call any phone
numbers or do any 2FA.

I also had tried Google Voice and did something wrong and tonight it
looks like tha would work too, but I have no reports.

Textnow I have not tried to install but it is like the others and it's
free to use with wifi, except for $5 you can get a sim card and then use
it to make and receive calls and texts even if you're not connected to
wifi. How can they do that? I'm very confused.

The others you name and 2 more all seemed to have some bigger weakness.

In alt.comp.os.windows-10, on Thu, 22 Feb 2024 01:36:38 -0500, micky
<NONONOmisc07@fmguy.com> wrote:

>In alt.comp.os.windows-10, on Tue, 20 Feb 2024 19:19:06 -0700, Nick Cine
><nickcine@is.invalid> wrote:
>
>>On Tue, 20 Feb 2024 17:24:31 -0800, Bill H wrote:
>>
>>>> When you specify a phone number, they send a 2FA text to that number.
>>>> You need to use the 2FA code to complete the new-account registration.
>>>> They aren't that dumb.
>>>
>>> Oh well. Just a thought. Some site will accept 999-999-9999, but they
>>> don't do 2FA.
>>
>>I wonder if a second line existing voip account number would work?
>>TextNow? 2ndLine? Hushed? TextPlus? Talkatone? Burner? GoogleVoice?

I hope you are talking about a phone by this time. I see now that none
of the ngs are for phones, but all of the suggestions above are android
apps.

>This is not my question,

Not a question I posed or a thread I had been reading. Lucky for me, I
started to read it.

> but I read it anyhow and installed 2ndLine on
>my 85-yo friend's phone with no sim, and it seems to work fine, comelete
>witha new phone number. Thank you. they did send an email but only to
>my paypal email address, because I decided it was easier to use my
>paypal than to convince her to use her credit card. And maybe they
>wrote to her gmail address too, but I know they didn't call any phone
>numbers or do any 2FA.
>
>I also had tried Google Voice and did something wrong and tonight it
>looks like tha would work too, but I have no reports.
>
>Textnow I have not tried to install but it is like the others and it's
>free to use with wifi, except for $5 you can get a sim card and then use
>it to make and receive calls and texts even if you're not connected to
>wifi. How can they do that? I'm very confused.
>
>The others you name and 2 more all seemed to have some bigger weakness.

VanguardLH wrote:
> Well, when your bank enforces 2FA to login, you can argue until you
> die. They rely on the advise of their web devs, and advice from their
> lawyers trying to indemnify the bank against hacked accounts.
>
> I hate running around to find my smartphone when my bank sends a
> text with the 2FA login code. I'm not grafted to my phones.
>
I agree w/ your disagreement.

Some security places DO allow one to have or not have 2FA.

My personal 'distance' from cellphones is much greater than most people,
so I have to take 'measures' to compensate. Normally I do not carry a
cell nor use a cell, and normally I only turn a cell on when I leave the
state on travel. My home phones are VoIP but they don't take SMS, as
they were originally 'landlines' connected by ATT twisted copper.

I have GV googlevoice number/s that provide some mitigation to a
desktop, but I generally keep my ancient cell (flip type 'feature'
phone, ancient linux kernel OS in a VTE dumb phone) near my desktop
computers so that I can turn it on if I need a text.

I would be unhappy if I had to have that kind of 2FA to use gmail, which
is where this thread started.

--
Mike Easter

Mike Easter <MikeE@ster.invalid> wrote:
[...]

> I have GV googlevoice number/s that provide some mitigation to a
> desktop, but I generally keep my ancient cell (flip type 'feature'
> phone, ancient linux kernel OS in a VTE dumb phone) near my desktop
> computers so that I can turn it on if I need a text.
>
> I would be unhappy if I had to have that kind of 2FA to use gmail, which
> is where this thread started.

As I mentioned, you don't (have to use 2FA (actually 2SV in this
case) to use Gmail). You just use it *once* per device (i.e. your
desktop) and tick the box to add that device as a trusted device. No
more 2SV/2FA for that device.

On Wed, 21 Feb 2024 00:40:00 +0000, A.Brehme wrote:

> It looks like Google have stopped registering new accounts unless you
> have a phone number for verification purposes.

And if you want to see +18 vids (for instance an open heart operation)
they want your eID. Reminds my of their Master Plan:
<https://www.youtube.com/watch?v=NAx-6nHEWbE>

--
s|b

malone <malone@nospam.net.nz> wrote:

> On Wed-21-Feb-2024 4:42 pm, VanguardLH wrote:
>> Mike Easter <MikeE@ster.invalid> wrote:
>>
>>> VanguardLH wrote:
>>>
>>>> I suspect part of their decision was to allow a means of recovery.
>>>
>>> I think it is 'too bad'/ tragic/ that the user can't make his own
>>> decisions about the conditions which should trigger lockouts and
>>> recoveries, instead of the provider unilaterally making all of the
>>> decisions and restrictions.
>>
>> Well, when your bank enforces 2FA to login, you can argue until you die.
>> They rely on the advise of their web devs, and advice from their lawyers
>> trying to indemnify the bank against hacked accounts.
>>
>> I hate running around to find my smartphone when my bank sends a text
>> with the 2FA login code. I'm not grafted to my phones. I had to use
>> Authy to work with their 2FA login, but Authy discontinued their desktop
>> client, and I obviously don't need their mobile app since the phone is
>> where I'd be getting their 2FA text, anyway. Their only other choice to
>> get their 2FA codes is to get them via SMS. Geez, like that's a more
>> secure setup: use an insecure communications venue (SMS) to complete
>> login using HTTPS and me using long strong passwords that are unique to
>> every domain. Since Authy is dropping their desktop client, and I'm not
>> going to bother with the Symantec alternative (which I think is just
>> mobile apps which are unnecessary on the phone where the SMS text gets
>> sent), I have them send their 2FA code to my Google Voice phone number.
>> Google Voice sends me a copy of texts to my e-mail address. So, I get
>> the 2FA code via e-mail (which they don't offer as a choice). Complain,
>> suggest, or opine however much as I have, the bank is not going to alter
>> what choices they have to shove a 2FA code at me - security theater to
>> allow tracking while compensating for boobs that reuse weak passwords at
>> every site they login.
>>
>>> Ideally security protocols should be 'advised' and then the suggested
>>> protocols optionally available.
>>>
>>> It is NO GOOD when security rules work to the disadvantage of the user
>>> instead of to his advantage.
>>
>> Often "security" is an allusion by making the user busy. Gee, if the
>> user is busy jumping through hoops, security just must be better.
>>
>> Reminds of a programmer that had an airline as a customer. Their
>> real-time reservation system was getting really slow, and embarrasing
>> their counter agents while customers had to wait a long time. When he
>> showed up, he made simple edits to the code which added status messages
>> basically saying "You got here", "Now you're here", "Still working", and
>> so on. That placated the impatience by the counter agents. They saw
>> /something/ was changing instead of staring at a stalled screen. That
>> got them of his back, so he could focus all his time on analysing and
>> fixing the problem (requires database maintenance, like deleting
>> delete-flagged records over some expiration, and compacting the
>> database). He salved the anxiety of the agents until the real problem
>> got fixed.
>>
>> 2FA is pretending to users that sending codes over insecure
>> communications venues (e-mail, SMS) is better security. Users are
>> misled into thinking their logins are more secure. It's like you want
>> to get into your house, but your neighbor down the block has to send you
>> a letter with a code to unlock your door, but the letter is not in an
>> envelope, and the letter gets passed to the intervening neighbors who
>> can each see the contents of the letter.
>>
>> E-mail is not secure. Rare few users install x.509 or PGP certs into
>> their e-mail client, or now how to use them (they are by invite: you
>> send someone your public key they optionally use to encrypt their
>> message to you that you decrypt using the private key that only you
>> have). The free e-mail certs (is there more than 1 provider now?) only
>> have your e-mail address, no other details (you have to pay to get a
>> more detailed cert). Your only identity in a free e-mail cert is your
>> e-mail address. So, we have 2FA codes securing a login that are sent
>> via an insecure e-mail route.
>>
>> SMS is also insecure. It is not encrypted. We're not talking about
>> using end-to-end encryption using WhatsApp, but just simple texting.
>> So, we have 2FA codes securing a login that are sent via an insecure SMS
>> texting route.
>>
>> By nuisancing users with more steps during the login process, they hope
>> the majority of them are boobs assuming "Ooh, it's harder to login, so
>> it just must be more secure."
>
> What pisses me off is Google's preoccupation with SMS for their 2FA.
> Some of us live in places like New Zealand where there's not much
> interest in providing decent communications in rural areas and as I have
> no cellular coverage SMS is a bit of a problem for me. Most
> organisations I deal with offer 2FA via email or even voice message via
> a land line - not ultra-secure, but better than nothing. But it seems
> Google is far too arrogant and indifferent to customers to consider
> those options....

Does your cellular provider have the option to send received texts to
your account with them to an e-mail address? I have that with Google
Voice, and it eliminates having to find and use my phone to manually
copy the 2FA code from the phone to the web form at the site to complete
the login. GV sends me a copy of the text to my e-mail address. I can
then open e-mail on the same computer where I'm trying to login.
Sometimes I can just copy-n-paste the 2FA code from the e-mail to the
login web form, but sometimes I'm stuck entering the 2FA code character
by character, because the web form has separate input elements
separately for each character.

I figure if GV has the text-to-email option that other telcos might have
it, too.