TechEcho (科技回声)

A tech news platform built on Next.js, offering global tech news and discussion. Resources: HackerNews API, the original Hacker News, Next.js.

© 2025 TechEcho. All rights reserved.

Google's most ridiculous trick to force users into adding phone number

414 points, posted by vort3, about 3 years ago

"To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password."

What does it have to do with phone numbers, you might think? Well, it's not that obvious.

I have been using the FairEmail app to read emails on my phone for many years. Recently, Google made this change, so I thought I needed to take some action to make sure I can continue using my favourite email app. After reading a bit, everything looked pretty simple:

- I could add my email account to my phone and log in using Google's native authentication methods, or
- «you can use an app password, please see below.»

Sure, I don't want to add a Google account to my phone just to be able to receive emails via IMAP, so I'll just generate a separate app password for my email app, right?

Well, for some reason it's not possible to generate app passwords unless you have 2FA enabled. The option is just not there.

What can be simpler than adding 2FA to my account? I use password managers and my passwords are super strong, but I have no other choice, I'll have to use an authenticator app to continue reading emails on my phone. Doesn't make much sense, but anyway…

You can't just scan a QR with a TOTP secret and enable 2FA for your account. Well, you can, after you enable 2FA by SMS using your phone number, or 2FA by notification on the phone, after you add a Google account to your phone. But using an authenticator is an «additional method» which is not available until a «primary» 2FA method (SMS / phone number) is added. Oh, you can give away your phone number first, enable 2FA, and after 2FA is already enabled you can remove 2FA by SMS and keep using the authenticator app as your 2FA method. It's simple.

I guess I'll just have to stop using Google.

Thanks for making my life more difficult and caring about my security, Google.

TL;DR: You can't use «less secure» apps (apps other than the official Gmail app) to sync emails if you don't want to link your account to your phone number or add a Google account to your phone.

37 comments

vort3, about 3 years ago

It's not even about not being willing to spend $1 for a random phone number.

Here's a list of things that are wrong with what Google does:

- If you want to read your email, you have to use an app-specific password. I'm ok with that.
- You can't generate app-specific passwords if you don't have 2FA enabled. That's some artificial limitation made to force you into adding a phone number to your account.
- You can't use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is a primary method and an authenticator app, which can be set up by scanning a QR from the screen without sending any information at all, is «secondary» and can only be used after you give your phone number.
- You can use «notification» to confirm it's you, but you can only do that on the phone. I'm currently logged in in my browser; certainly I could confirm any login attempt from that same browser, wouldn't that be a second factor?
- Nowhere in announcements or help pages or in the Google Account interface do they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing and you wouldn't even know it should be there unless you search on the internet.
- Nowhere do they tell you the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.

All of this is just bizarre and ugly. I have no idea why other people are not complaining; probably most of them just accepted that and added phone numbers.
bsamuels, about 3 years ago

Every tech company is losing the war against credential stuffing. I have a friend working at a series B startup with <10k MAU. You wanna know how many login attempts there are each month? 25,000 login attempts. Per user. That's 250m login attempts each month using stolen credentials.

None of the service providers who claim to fix the issue are worth their weight in salt. Shape, Akamai, none of them have a grip on the problem because the attackers are constantly evolving. As you can see, even Google is capitulating despite all the FUD that people on HN spread about the company being omniscient.

Anyone who thinks this is about advertising/collecting personal data is out of their minds.

The worst part is nobody can talk about it because anything you reveal about your problems can give the attackers a massive edge.
0daystock, about 3 years ago

Google is no saint, but there's absolutely no reason to ascribe ill intent to collecting phone numbers for 2FA setup. The reason is simple: Google has billions of users, and at any given time, a lot of them break their devices and lose access to 2FA credentials. Phone numbers, despite all their flaws, are still the most reliable long-term and mostly-immutable attributes which can serve as a proxy for identity, which can and does aid account recovery at scale. If you crack your phone screen, you can walk to a brick and mortar cell shop, present your ID and get a new phone that receives security codes without a second thought. If you're using Aegis and storing MFA seeds locally, you're on the hook for backups and no one wants that responsibility.

Think of it like using social security numbers to authenticate yourself to the bank. Yes, it's terrible, but it's kind of the only thing that works when done on a massive scale. Yes, you can do better at managing your 2FA credentials, but most users cannot; they struggle even having strong passwords. Phone numbers bridge that security-usability gap. To be clear, this isn't an endorsement of the system (I think the user should be allowed to choose), but rather trying to make sense of it from an engineering perspective.
jqpabc123, about 3 years ago

> I guess I'll just have to stop using google.

Welcome to the club. The fastest way to convince me *not* to use a product is to attach a "Google" label to it. Nothing Google has to offer justifies the drawbacks.

NOTE: I do use an Android phone, but only after it has been thoroughly de-Googled, starting from a stripped down, bare metal device that won't even power up.
superkuh, about 3 years ago

Good thing I switched to running my own mailserver in 2013. Now I'm completely independent of Google and Google accounts. If my @gmail.com email stops working with Thunderbird or other IMAP clients then that's that. I'm done using Gmail.

Google hates open protocols. Don't let their claims of OAuth being open fool you. They don't use OAuth, they use OAuth 2, which is the mega-corp version shoved down the IETF's throat where every single corporate implementation is different and not interchangeable. You need a different OAuth2 plugin for every mega-corp.
pferde, about 3 years ago

I too was hit by this a few months ago, after having to create a Google account for work, and worked around it by running an Android emulator where I installed their authenticator app. This was enough to get past the stupid "you have to have a phone" requirement, and gave me access to the TOTP secret, which I then promptly added to my favourite open source 2FA utility.

Screw you, Google, you're not getting my phone number.
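The comment above (and the original post's point that an authenticator "can be set up by scanning a QR from the screen without sending any information at all") rests on how TOTP works: the enrollment QR code is an otpauth:// URI carrying a base32 secret, and every code is RFC 6238 TOTP (HMAC-SHA1 over a 30-second counter, 6 digits). The following is an added example, not code from the thread or from Google, that parses such a URI and generates and verifies codes; the sample URI, its label and its secret are constructed for the example (the secret is the RFC 6238 test seed, not a real credential). Any client implementing this is interchangeable with Google Authenticator, which is why the secret can be moved to another app.

```python
"""Added example: what an authenticator app does with the enrollment secret.
The QR code holds an otpauth:// URI; the base32 secret is the only state the
client keeps. Codes are RFC 6238 TOTP (HOTP from RFC 4226 keyed by time step).
The sample URI below is constructed for this example and is not a real account."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI of the kind an enrollment QR encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    # Issuers frequently omit base32 padding; restore it so b32decode accepts it.
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // period, digits, algorithm)


def verify(entry: dict, code: str, at: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` time steps to absorb clock drift.
    Uses a constant-time compare so the comparison itself leaks nothing."""
    step = at // entry["period"]
    for c in range(step - window, step + window + 1):
        expected = hotp(entry["key"], c, entry["digits"], entry["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample (not a real account): the contents of a scanned enrollment QR.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], entry["issuer"], totp(entry["key"], int(time.time())))
```

The verification window is the one real design choice here: a window of 1 step (accepting codes from 30 s before and after) is what most servers use; anything wider stretches the replay window of a phished code for no usability gain.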
TheDong, about 3 years ago

From your perspective, you're looking at a change that impacted you.

From Google's perspective, they're looking at a change which reduces phishing and scams by some small percent, and impacts a minuscule fraction of their users.

Abuse, scams, phishing, and forgotten passwords are all significant problems which phone numbers help with. I'd be willing to bet these changes end up having a net positive impact for Google's users.

How many phishers do you think will be stopped by removing an insecure login flow? How many people do you think want to use insecure apps, but don't have a phone number and refuse to log in to their Google account on their phone?
ASalazarMX, about 3 years ago

The FairEmail FAQ [1] states that it supports Google's OAuth, so why don't you authenticate with that?

"OAuth for Gmail is supported via the quick setup wizard. The Android account manager will be used to fetch and refresh OAuth tokens for selected on-device accounts. OAuth for non on-device accounts is not supported because Google requires a yearly security audit ($15,000 to $75,000) for this. You can read more about this here [2]."

1. https://github.com/M66B/FairEmail/blob/master/FAQ.md#user-content-faq111
2. https://www.theregister.com/2019/02/11/google_gmail_developer

So it maybe works, or maybe not, because they're not paying Google for the security audit.
mxuribe, about 3 years ago

So, at what point will there be a legitimate third option other than Google Android phones (and associated ecosystem) and Apple iPhones (and associated ecosystem)??? And, no, I don't mean rooting a phone, etc. to install Lineage or other alternative operating systems on it. I mean, I want to go out, buy a phone that is decent enough for the basics of what I need to do and is de-Googled, not too crazy expensive like an iPhone, and comes with legitimate support from a manufacturer. It's exhausting!
walrus01, about 3 years ago

The thing about 'adding a phone number' is that hijacking somebody's DID is fairly trivial these days for a good social engineer: you get the customer service department at somebody's cellular carrier to port out the number, or activate it on a new SIM card put into a burner.

The SS7/PSTN is horribly broken.

SMS based "2FA" is not actual 2FA.
14, about 3 years ago

The only solution I can see is buying a burner phone to avoid these situations. Yesterday I tried to set up a new-to-me used iPhone 7 for my son. It too forces a phone number from you. I had to link my phone number to his phone, which I didn't really want to do.
AnonC, about 3 years ago
I have a tangential story on how providing a phone number isn’t going to help either.<p>I have an important Gmail account where I recently had to change the password (because the only password set several years ago didn’t work). Since it was important, I didn’t want to risk the account becoming inaccessible and hence provided my phone number as the recovery number. After changing the password through a browser, the iOS Mail app complained that the password for this account is invalid and that I should enter it. So I go there and flow through the Google login pages (since this is setup as a Google account), and then it repeatedly tells me that it’s incorrect and that I should recover my account. Visiting the recover account page tells me that it cannot help me at this moment!<p>I’m furious at how stupid Gmail (and the people in Google writing this application) can be. I haven’t accessed that account over the last few days and am hoping I can get back in after the Google bots have cooled down. I have no idea what I can do if that account becomes permanently inaccessible because some “machine learning” algorithm messed things up. :(<p>I’ve decided to close my Gmail accounts (these were old ones) if I can manage to download the data from those.
more_corn, about 3 years ago
One of the Google cofounders read the book “Nudge” and loved it so hard they invented a process I call “Shove”. You’ll do what we want or we’ll push you into traffic.<p>This is a prime example of using dark patterns to achieve a short term goal at the cost of creating a world none of us want.<p>We must all remain vigilant of this trap both as creators and as users.<p>I applaud you for calling it out. I wish there was something more we could do about it.
Melatonic, about 3 years ago

Couldn't you just install the Google profile on any Android tablet or spare phone or something, set it up, switch to authenticator (on your normal phone) and then remove the accounts and whatnot from the tablet? Never use SMS at all?

The real head scratcher for me here though is that you are fine with Google hosting all of your emails and whatnot, but knowing the phone number is a huge problem? If you do not trust Google with your phone number it seems like going with another email service would probably already be a good decision.....
ad404b8a372f2b9, about 3 years ago

Every new feature from Google is a middle finger to their users, then you get some corporate double speak about how it's all well and good and how it makes the product better.

Get a Fastmail account. I got one after I got tired of Google breaking my IMAP settings every other week. They're cheap, they have most everything you'd need from an email provider, and they don't require a special app like Proton.
okasaki, about 3 years ago

My biggest complaint is that companies like Google won't make clear policies and instead their messaging is just corposhit nonsense.
turdnagel, about 3 years ago

Just one thing keeping me on Google for email/calendars: search. I recently switched back to the Gmail app away from Spark for this. Don't have any examples off the top of my head, but I routinely encountered situations where I'd search for something in Spark or the Apple Mail client and couldn't find it without using Gmail desktop/app.
tpoacher, about 3 years ago

I'm not too keen on mandatory 2FA via phone. We need something simpler, like, dunno, some sort of chip on our hands or foreheads perhaps? /s

On a serious note, it's annoying how fundamentalists eventually keep getting shit right because of idiots in power fulfilling their prophecies (Daniel Sloss had a nice comedy skit on this).
negative_zero, about 3 years ago

Thank you for posting this. I have had a second email account set up at the company I work for, and hit this exact problem. I thought I was going mad! Especially because I had enabled 2FA with TOTP with an existing company account just a few months ago.
dudus, about 3 years ago

I think the fact you can't generate an app password without 2FA is because it never made sense. You would be better off just logging into your account directly. Now that you can't do that it makes sense. I'd file that as a FR.

One point is that app passwords can be a security issue in themselves. If you have one, the security page on Google alerts you with a big flashy yellow exclamation point and recommends you remove it. I did it, broke my email and it took a few days to connect the dots, create a new app password and set up email again.

I think the problem they have is that mail clients don't do OAuth. So you always have that security weak link if you need IMAP/POP access.
groffee, about 3 years ago

A lot of 2FA is security theater and doesn't provide any actual protection.

If your phone gets taken by the police (or stolen), with an authenticator app or SMS they can get into your account easily but you're locked out.

A hardware key is the way to go but even then there's no guarantee the police wouldn't take that as well, and most people think having an app on their phone is enough.

And 'email alerts' are even worse: if someone has taken your computer and has complete access to your accounts, an email saying "is this you?" is just gonna make them laugh.
z9znz, about 3 years ago

For some time now it has been necessary to first set up a phone number as the 2FA solution on a Google account. Only after doing that does it become possible to set up alternative 2FA solutions.

So for every account I set up, I have to temporarily provide my phone number to enable 2FA, then set up Authy, and then delete my phone number. Obviously Google now knows who the real user is, but I haven't been creating additional accounts to be secret. That doesn't excuse the system, but it's not more than a small hassle for me.
butz, about 3 years ago

Does using 2FA for Gmail login actually add more security? Especially considering that to enable it, first you have to use dubiously secure SMS 2FA.
MilaM, about 3 years ago

Here is how I solved the same problem a couple of weeks ago. If you still have an active session in a browser, you can add a recovery e-mail address to your account security settings. After that I was able to add a Yubikey as a second factor without adding a phone number. This should also work if you want to use TOTP as a second factor instead of a Yubikey.
drivebycomment, about 3 years ago

> TL;DR: You can't use «less secure» apps (apps other than the official Gmail app) to sync emails if you don't want to link your account to your phone number or add a Google account to your phone.

Not true in multiple ways.

"Less secure apps" are ones that don't support OAuth. There are plenty of third party email apps that are not considered "less secure apps". E.g. Thunderbird or Outlook, or iOS Mail work perfectly fine, as do many others.

You can use U2F keys as second factors and don't need to add your phone number as a second factor nor as a recovery phone, as with my Google account.
sir, about 3 years ago

If all you need is IMAP/SMTP you can use this local proxy to continue using the "less secure" app without needing app passwords: https://github.com/simonrob/email-oauth2-proxy
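Three comments above turn on the same point: dudus says "mail clients don't do OAuth", drivebycomment says a "less secure app" is simply one that doesn't support OAuth, and sir links a proxy that bridges the gap. What a client needs to support is the SASL XOAUTH2 mechanism on IMAP and SMTP: instead of a password it sends a single message, base64("user=" address "\x01auth=Bearer " token "\x01\x01"), carrying a short-lived OAuth access token. The block below is an added example, not code from the thread or from the email-oauth2-proxy project; it builds and parses that message with Python's standard library and shows where it plugs into imaplib and smtplib. The address and token are constructed placeholders, and obtaining the token (the OAuth authorization flow) is outside this example.

```python
"""Added example: the SASL XOAUTH2 exchange a mail client performs instead of
sending a password. The address and token below are constructed placeholders."""
import base64
import imaplib
import smtplib

SOH = "\x01"  # control-A separator mandated by the XOAUTH2 format


def xoauth2_string(address: str, access_token: str) -> bytes:
    """Raw (not yet base64) XOAUTH2 initial client response."""
    if SOH in address or SOH in access_token:
        raise ValueError("separator byte must not appear in the fields")
    return f"user={address}{SOH}auth=Bearer {access_token}{SOH}{SOH}".encode()


def xoauth2_b64(address: str, access_token: str) -> str:
    """Base64 form as it appears on the wire, e.g. 'AUTH XOAUTH2 <this>' on SMTP."""
    return base64.b64encode(xoauth2_string(address, access_token)).decode("ascii")


def parse_xoauth2(initial_response_b64: str) -> dict:
    """Server-side view: decode and split the message. Handy when debugging a proxy
    that sits between a password-only client and an OAuth-only server."""
    raw = base64.b64decode(initial_response_b64).decode()
    if not raw.endswith(SOH + SOH):
        raise ValueError("message must end with two separator bytes")
    fields = dict(f.split("=", 1) for f in raw.split(SOH) if f)
    scheme, token = fields["auth"].split(" ", 1)
    if scheme != "Bearer":
        raise ValueError("unexpected auth scheme")
    return {"user": fields["user"], "token": token}


def imap_login_xoauth2(host: str, address: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Authenticate an IMAP session with XOAUTH2 (needs network; not run by the tests).
    imaplib base64-encodes whatever the callback returns, so hand it the raw bytes."""
    conn = imaplib.IMAP4_SSL(host)
    conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_string(address, access_token))
    return conn


def smtp_login_xoauth2(host: str, address: str, access_token: str) -> smtplib.SMTP:
    """Same on submission: STARTTLS first, then AUTH XOAUTH2 with the base64 blob
    (needs network; not run by the tests)."""
    conn = smtplib.SMTP(host, 587)
    conn.ehlo()
    conn.starttls()
    conn.ehlo()
    code, msg = conn.docmd("AUTH", "XOAUTH2 " + xoauth2_b64(address, access_token))
    if code != 235:
        # A 334 reply here carries a base64 JSON error (expired token, wrong scope, ...).
        raise RuntimeError(f"XOAUTH2 failed: {code} {msg!r}")
    return conn


# Constructed placeholders, not real credentials.
SAMPLE_ADDRESS = "alice@example.com"
SAMPLE_TOKEN = "ya29.constructed-example-access-token"

if __name__ == "__main__":
    print(xoauth2_b64(SAMPLE_ADDRESS, SAMPLE_TOKEN))
```

The security property worth noticing is what the client never holds: no long-lived account password and no app password, only a bearer token that expires and can be revoked per client. That is the difference between a "less secure app" and one Google accepts, and it is exactly what a local proxy like the one linked above adds on behalf of a client that only speaks LOGIN.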
drsh2k, about 3 years ago

I was able to get around SMS 2FA by adding a virtual security key then turning on TOTP (https://developer.chrome.com/docs/devtools/webauthn/)
adhesive_wombat, about 3 years ago
I also really hate the use of Telegram by ostensibly open source projects for this reason.
browningstreet, about 3 years ago
They call me about my car’s extended warranty every day whether google has my number or not.<p>I also get a call, every day, precisely at 9:04am, from random numbers matching the first 6 digits of my phone number.<p>Protecting my phone number is a dead effort on my end.
MetroWind, about 3 years ago

It can't be helped, I think. The chain of trust must start somewhere.

What if someone secretly has your password and enables 2FA? The addition of the 2nd factor of auth is a big deal and the process should be as secure as possible.
cookiengineer, about 3 years ago

Note that this is why Gmail is unreliable in terms of opsec now. A recovery SMS or phone number implies something outside the user's control.

One day the CEO gets SIM swapped overnight... until that day nothing will change.
rdschouw, about 3 years ago

I just went through this process myself. You can add another 2FA method later and THEN delete your phone number. That's what I did.
nottorp, about 3 years ago

I've given Google my phone number ages ago and I still can't use their SMTP to send email from Apple's Mail.app...
gbasin, about 3 years ago

Is this to protect them from being a vector for spam? Making it costly to create new usable Google accounts.
_jal, about 3 years ago
Google can have my phone number when they give me Sundar&#x27;s.
TameAntelope, about 3 years ago

I don't see a problem giving Google my phone number.
nprateem, about 3 years ago
Shame HN is 80% tropes now from paranoid introverts who don&#x27;t want to go back to the office and who could write Dropbox in half an hour