Fraudulent two-factor auth?

I’m sorry for posting the following question to TidBITS, but the forum provided by Google is worthless.

At 3 AM this morning, my (Android) phone received two text messages, allegedly from Google: “G-XXXXXX is your Google verification code” (the X’s are numerals in the actual message). Being asleep, and all web browsers having been quit, I obviously wasn’t doing anything that required a code.

Has someone signed in to my account fraudulently?

Thank you for considering.

Someone attempted to. 2FA did its job.

8 Likes

Wow. Thank you. As Neil Diamond wrote, now “I’m a believer.”

1 Like

Google’s 2FA can be a pain in the ass if two or more people need to be able to access a Gmail address. I have had this problem with a small organization where the only solution we have found is for the person who owns the phone number linked to the Gmail to call the person who needs to use the address and read the six-number code to them.

1 Like

Possible work-around: switch the 2FA to Google Authenticator (or other authenticator app that allows adding new accounts via QR code). Use either the original QR code (if all users are present during 2FA setup) or the QR code generated by the “Transfer Accounts” option inside Google Authenticator (whenever two users are physically together, one who has the code and one who needs the code) to share the 2FA credentials among multiple people.

Little known pro tip: macOS Passwords has built-in support for this.
Passwords > Double-click an account > Edit > Set Up Code…

Ever since I added my Google Auth QR code to Passwords, all my Macs and my iPhone can fill in the required 2nd factor with just TouchID/FaceID. And, at least with Safari, all required dialogues come up automatically so you’re only left with having to auth via TouchID/FaceID. Syncing/backup gets automatically taken care of by iCloud. No more authentication apps, no more fuss, just pure bliss. 👍 🙂

3 Likes

What do I do if I have an account that did not offer 2FA when I set it up, but now requires 2FA, and I don’t have a record of any Code? (I have multiple examples, but I’m mainly thinking of a bank that has atrocious customer support and worse technical support, so calling would be a last resort.) Do you have any general guidance? Thanks.

They should allow you to set that up. But sometimes there can be issues. Like if it’s a bank, they will only text the code to the phone number they already have on file. You can’t input a new phone number at the time of setting up the 2FA, as that would defeat the security aspects (since a random hacker could just give them their own phone number). You have to go into the bank or call and change the number on file first, which can be a pain.

(I did this with an elderly friend who had her landline as the number on file at the bank, so she couldn’t receive any 2FA codes sent by text message.)

I’m lost here. Nothing I use can handle QR code. Although I have an iPhone, I have not set up most smart features because I find it very hard to read tiny type on a tiny screen even with reading glasses. I don’t like the idea of having features activated that I can’t read without a magnifying glass. What am I missing here?

This isn’t just banks. I have encountered other organizations that activated 2FA on old accounts that were set up when most people’s primary phones were landlines. I prefer it that way for some organizations because some medical offices are set up to text appointments and other messages that easily go unnoticed – especially when nobody ever told me they would send texts. Texts sent to landlines usually go unnoticed entirely by many phone systems. However, some phone systems, including at least some “Caption Phones” used for the hard of hearing, are equipped either to spell out the text message (including security messages) or display them on a screen (e.g., Caption Phones). I have had good luck with texts being converted to voice on landlines, but I have yet to figure out the details of what makes it work.

Every online account that I have that has the ability to use Google Authenticator-type codes, when properly logged in to your account, allows you to change the two-factor code. It’s generally in the same place in account settings where you would change the password for the account.

To add to this, since the Passwords app allows sharing passwords with other people (say, in a family sharing situation), the two-factor code would also be shared.

1 Like

Most authenticator apps, like Google Authenticator, will let you import new keys via a QR code. They usually work this way:

  • When setting up 2FA, the web site will present a QR code containing a special URL that encodes the secret key used for generating codes.
  • You launch the authenticator app on a mobile device
  • Tell the app to import a new key
  • Point the device’s camera at the QR code

At this point the authenticator app should be able to generate codes for that service.

1 Like
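As an added illustration of the mechanism described in the post above (this is not code from the original thread or from any authenticator app): the QR code carries an `otpauth://` URI, the app keeps the secret from it, and every later code is derived from that secret plus the current time with HMAC as specified in RFC 6238. The sample URI, label and issuer are constructed; the secret is the RFC 6238 reference test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of the URL an enrolment QR code carries. The secret is the
# base32 form of the RFC 6238 reference key "12345678901234567890" (8-digit vector).
SAMPLE_URI = ("otpauth://totp/Example%20Service:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Service"
              "&digits=8&period=30")

def parse_otpauth(uri):
    """Extract the parameters an authenticator app stores from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().rstrip("=")
    # Base32 decoding requires padding to a multiple of 8 characters.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    return {
        "label": unquote(u.path.lstrip("/")),   # e.g. "Example Service:alice@example.com"
        "issuer": q.get("issuer"),
        "key": key,
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }

def totp(params, at=None):
    """Code for the time step containing `at` (RFC 6238 on top of RFC 4226 HOTP)."""
    at = time.time() if at is None else at
    counter = int(at) // params["period"]
    digest = hmac.new(params["key"], struct.pack(">Q", counter),
                      getattr(hashlib, params["algorithm"])).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

def verify(params, submitted, at=None, window=1):
    """Server-side check: accept the current step and `window` neighbours, constant-time compare."""
    at = time.time() if at is None else at
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(params, at + step * params["period"]), submitted):
            return True
    return False
```

Because the secret lives only on the enrolled device and the server, a code texted at 3 AM that you did not request means someone else reached the password step, which is exactly the situation the first reply in this thread describes.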

Sorry, auto-replace or auto-correct changed what should have said “Google Authenticator” to “Google Translator”.

In any case, there are many apps that can generate 2FA codes without involving text messages or making a phone call, including Google Authenticator, Apple Passwords, as @Simon said above, and 1Password. All rely on scanning a QR code that is generated by a website to set up or reset 2FA.

I use Google Authenticator for a number of reasons but I would switch, without hesitation, to Apple Passwords if GA stopped meeting my needs.

Details, to add to @Shamino’s concise explanation, on how QR codes work for setting up and copying 2FA credentials on Google Authenticator:

And, incidentally, Google Authenticator presents 2FA codes using a font size that is larger than most text seen in mobile apps.

Thanks for the suggestions. I was able to get my iPhone to read a QR code and display the text and image on Safari on the phone, which is a small step forward. However, big problems are systems that automatically assume any phone number in their records was a mobile phone (preferably a smart phone for at least some features). But many of us old folks originally listed our home wireline phone number, and these numbers may never have been changed if the wireline phone is still in service. When the new system turns on 2-step verification by sending a text or six-digit code, there’s a good chance a wireline phone will not respond. (Some will respond, but that seems to depend on the actual phone installed on the wireline and perhaps on the software used by the sender.)

Some services (sadly, not all) give you the option of receiving a voice call for 2FA. When you answer the call, a bot will read you the 6-digit number.

Depending on how your household uses your landline, it may make sense to convert your landline phone number to a VOIP number or a cell phone.

For example, I ported my landline to a cell number (eventually to VOIP) specifically because I almost never used it for real calls, but it was still the contact number for various bank accounts and other important accounts. Nearly 100% of inbound calls on my landline were junk calls, and I expected a very low number of text messages, so a minimalist cell phone plan was enough for me.

I had an old 4G LTE iPhone kicking around, so I didn’t need to get a fancy new cell phone. I found a month-to-month plan (no long term contract) with Consumer Cellular that used the AT&T network for less than $25/month, including taxes and fees, that was less than my landline. The porting process was painless, and Consumer Cellular support was excellent. I kept my “landline” cell phone where I used to have my old landline phone, so no one had to worry that they’d miss a call to the old number.

In practice, I added text capabilities to my landline number at a lower cost than I was paying previously. Of course, if you use your landline extensively, there are more extensive plans, though often at surprisingly inexpensive rates.

I eventually updated the contact info for my financial accounts to my primary cell phone number, but I still wasn’t quite ready to give up the old “landline” phone number. Based on @doug2’s experience with porting a number from Skype to VOIP, I eventually looked into VOIP providers as an even less expensive alternative for receiving texts and occasional calls on my former landline number.

Like @doug2, I ended up with the pay-as-you-go VOIP.ms service. Since I don’t use the phone number for anything other than answering calls from numbers I recognize and for receiving authentication codes, I average $2-$5/month for the service. Porting the number from Consumer Cellular to VOIP.ms went very smoothly. Setting up VOIP.ms is a little tricky if you’ve never worked with VOIP before, but VOIP.ms has its own app now, which makes it a lot easier, and their tech support answered all of my questions. You also can set up the app on a cell phone or a regular computer.

Since I haven’t received any critical calls or texts on that number in a long time, I’ll probably just discontinue the service when my pre-paid call balance gets depleted in a year or so.

(Disclaimer: I have no relationship with either Consumer Cellular or VOIP.ms except being a satisfied customer.)

Thanks. We all have different telephone needs. As a self-employed writer and journalist, I need a good reliable phone sitting on my desk for talking to people. I’m still using a Verizon telephone plan built into our fiber-optic internet connection. I’m using Zoom for both business and personal calls where I want to include video or record interviews. I don’t need or want a mobile phone for that; the last thing is business calls on a cell when I am out bicycling or driving.

My wife got cell phones for herself, a daughter, and me on a family plan from AT&T, which I use when I’m out of the house or traveling. I used a flip phone until AT&T turned off 3G and the new flip phone fell apart after a few years. Then I inherited my wife’s old iPhone, which has been a nuisance because I need reading glasses to see the screen, which I don’t normally wear unless sitting to read. My vision makes it much easier to read on a 27-inch desktop screen, so I don’t use smartphone features.

I have recently started wearing hearing aids because of hearing loss, and a few months ago replaced the old landline phone with a Caption Phone, designed for people with hearing loss, which includes a screen that displays a transcription of the discussion so I can read what I can’t hear clearly. If you have hearing loss that affects your ability to use a phone as verified by an audiologist, you can get a free Caption phone from a Federal Communications Commission program, and I recommend exploring the possibility. It gives better sound than my old wireline phone, and can be operated either by holding the handset or using it in speakerphone mode. I selected a desktop version; they also offer mobile versions but I have not explored them.

1 Like