undefined | Better HN

0 pointsbbbbbr3y ago0 comments

This is correct. A phone number is NOT required to enable 2FA, at least in my experience within the last few months.

I set up 2FA to use Yubikey hardware keys for a google account, and was then allowed to generated app passwords. No phone number has ever been attached to the account.

I do agree that not allowing app-passwords to be generated without setting up 2FA is coercive and seems hard to justify, and it is plausible that it is being used to push people into attaching their phone numbers to their accounts. If I recall right, the current language for the setup process skews heavily toward phone numbers and does not do a good job of highlighting other (more privacy oriented) alternatives (as may be evidenced at least in the case of OP).

0 comments

vort33y ago

You are right that I can bypass adding phone number if I have Yubikey, but unfortunately I don't have one and can't get it.

drsh2k3y ago

use virtual authenticator (https://developer.chrome.com/docs/devtools/webauthn/)

PeterisP3y ago

This may be a recent change, a few years ago when I tried this, I was definitely unable to add Yubikeys to a Google account until I added phone-based 2FA first.

If now it's just 'not recommended' then this is an improvement.

j / k navigate · click thread line to collapse