Problems with Google two-factor authentication

Here is my problem. I have an ancient Google account I set up decades ago. I pretty much never use it and I don’t like Google. But every few years someone sends me a Google Docs file I need to access so I use my Google account.

But recently Google has started refusing to let me log into my Google account without a phone number! I can find no way around this. When I try and log in, Google emails me a code number which I have to enter to confirm it’s me. But then it insists on also wanting to text me a code to a phone number. I refuse to give Google my phone number, so now I’m locked out of my Google account.

I was reading this post with interest as I thought maybe I could set up a Google Voice number for this – I wasn’t sure GV numbers worked with text messages – but in order to set up a Google Voice number, it wants me to log into my Google account, which is exactly what I cannot do. Catch-22.

Any ideas of how to solve this??? Why does Google want to text me a code when they can email it to me just fine??? (I’m assuming it’s just superfluous data collection by Google.)

Sorry if this is off-topic – to me it’s related to 2FA issues, though not iCloud.

Google pretty much requires 2FA these days, but it doesn’t have to be a code texted to a phone number. That’s pretty much the last resort option these days.

Yes, it seems strange that they ask for a phone number and then immediately text you a 2FA code to it, for you to enter. But that’s because it’s the first time. For subsequent logins, they will just send the text message to the number already on file. (You can go to your Google account settings to change the number, later on.)

But once you’re logged in, you can choose different authentication mechanisms. I would actually recommend not using a text message to a phone number, because it’s relatively insecure (e.g. SIM swap attacks).

My account is configured for four different mechanisms:

  • Google prompts. If you are logged in to your Google account on an Android phone or some other compatible app (including the YouTube iPhone app, I believe), the device/app will send you a notification asking “is this you”. Just tap “yes” to continue or “no” to block the connection.

  • Authenticator app. Use Google Authenticator or any other standard TOTP app to generate authentication codes. Enter the code when asked.

  • Voice or text message. This needs a phone number on file, of course.

  • Backup codes. You can request Google generate 10 single-use authentication codes. I did this, printed them, and I keep them in my wallet, for use if I’m away from any electronic device that would otherwise be needed.

You can also use a security key hardware dongle like a YubiKey or a virtual dongle (running as an app on a phone).

1 Like

Did you configure any other mechanism? If you didn’t set up anything else, then you obviously can’t try anything else.

That’s because you have nothing configured. If you add a phone number (which you are unwilling to do), then it won’t ask. It will just send a text message to that number (if it’s your configured default) or will provide it as an option on the “try other ways” page if it’s not the default. You can add and remove numbers in your account settings.

You’re seeing weird behavior because your account doesn’t have a second factor configured, but Google really wants you to have one. So they are pressuring you (maybe a bit too hard) to set one up, and a phone number for receiving texts is the easiest to do on the fly.

I would strongly recommend setting up Google Authenticator (which, again, can be used with any TOTP app if you don’t want to use theirs) and make that your default second factor. I would also recommend generating and printing backup codes, for emergency use.

Whether you can do this without also setting up a phone number for voice or text messages, I don’t know. I set it up for my phone a long time ago.

1 Like

No. I set up this account decades ago before there were any such options. 2FA hadn’t even been invented yet!

The weird thing is it trusts me enough to allow me to type in any phone number I want… but not enough to allow me to set up Google Authenticator or some other verification method.

I would love to do that, but it’s not an option unless I give Google my phone number to access my account first. I suppose I could delete the phone number afterwards, as you mention, but what are the odds Google will actually forget it?

2FA is fine, but only supporting text messaging is a serious flaw. (What if I only had a land line?)

Do you know, @Shamino, if you can make the TOTP auth the default instead of Google prompt? I ask because 1Password already has copied the code to the clipboard so it will be faster. Also, I have had it (or me?) get confused and not work, since I log in to several Google accounts.

What is the specific reason you’re concerned about them having your phone number? If you’re concerned about it being sold to telemarketers, that ship has probably already sailed - I’m sure they already have it.

If you’re concerned about Google using it for purposes other than 2FA authentication, I can’t advise you. I personally don’t think it’s a big deal, but that’s hardly a convincing argument.

They can also send you a voice call for 2FA. I’ve never tried this option, but I assume a computer voice will speak the code.

I don’t know. I never tried it.

On the 2SV configuration page, it says that Google Prompt is the default, but it doesn’t say how to change it, so it might not be changeable.

You could log out from Google on your Android device to stop the prompts, but that would cripple Android, so I don’t think it would be a good idea.

1 Like

Unfortunately, no, you cannot. I looked into this recently because I would also prefer the default being TOTP.

What I’m not sure about is what happens if you delete any of the Google apps from all of your devices - then perhaps it won’t default to prompting you in the app (which always seems to be the Gmail app in my experience.)

1 Like

I looked into this some more. If you are logged in on any Google app on the iPhone, Google prompts will be used. My wife is logged in on YouTube only; she gets the prompt there. I am logged in on several Google apps. I get my prompts on the Google app most of the time.

On the security page for my account, I read:

“To receive Google prompts, just sign in to your Google Account on your phone.
After you enter your password on a new device, Google will send a prompt to every phone where you’re signed in. Tap any one of them to confirm.

You’re currently signed in on these devices that support prompts.
Your Google prompt devices >my iPhone<”

Logging into a seldom-used Google account, I was asked for the TOTP auth. Checking the security page for this account, it had only TOTP (default) and backup codes enabled. I am pretty sure I never used this account to log in on any app anywhere.

2 Likes

If you don’t have an Android phone (where you really want to be signed in to Google at all times, much like how you want your iPhone to always be signed into iCloud), then this may be an option.

But I don’t think you need to delete the apps. Just sign out from them. That should be enough for Google to be unable to use it as an authentication factor. It may be too aggravating to sign out of an app like Gmail (FWIW, I access Gmail via Apple’s Mail app on my phone), but for other apps like YouTube, maybe not.

That’s what I would think, but whenever I click the “try other ways” button it comes back to the same phone number prompt screen. So I’m never given any other option.

Oddly, when I did try and create a GV number with a brand new Google account (with a new Gmail email address), it showed a phone number as optional! So I was able to create a new account, but then to activate the GV number requires a phone number (it forwards calls to that number), which was useless for my purpose of not giving Google my phone number.

Yes, for security purposes, this struck me as insanely dumb. If I’m an imposter (which is what they seem to think since it’s asking after I give them the emailed code), I could enter any phone number I want and gain access to the account. This is like offering a criminal a permanent key to your house.

If I’m not an imposter, then why do they need a second factor beyond email?

This is why I would never trust Google with anything important. I can’t imagine using a Gmail address for business purposes when Google can just lock you out at any time.

1 Like