This is not black and white. It is possible to encourage 2FA but allow to opt out. The same for phone numbers.
And that's why companies enforce 2FA: they want your juicy phone-number or other data. And yeah, maybe they also want to reduce support costs and avoid bad publicity. Still, it's not in your interest, it's in theirs.
If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.
EDIT: Yes, Google offers more than a phone number when creating a gmail account. I didn't say they don't. However: they don't make it easy and I would even go as far as saying that they are evil here. If you don't believe me, try to create a gmail account right now and don't google/search how to do it without phone number.
Which is okay, because it is a business.
If society wants homeless people to have reliable access to email without having SMS 2FA or whatever requirements a business requires, then society should elect a government to provide it as a utility.
There is no reason to expect or want businesses to pick up the slack for the government not providing adequate safety nets. Let businesses be businesses, and let governments handle redistributing wealth.
Initiatives at for profit corporations will always exist within some business constraints, shareholder obligations, and so forth.
It would be very reasonable for governments to provide tax-supported digital services. I could easily imagine that spending a few dollars per year to provide the homeless with basic digital services would pay off simply in easing administrative overhead.
But we don't do it, because, in America, our sense of what government can or should provide is atrophied, and we, mistakenly, look to private actors to provide basic public services.
I don't think this matches reality. The US government is doing more today than any time point in the past. Spending and taxation as a percent of dgp is at an all time high.
There's also a sense that nobody should have to do anything themselves. There's nothing stopping anyone from talking to a homeless person and helping them set up an email account without 2fa.
It might be legal and maybe even legitimate, but OP said:
> This isn't a "fuck the people who don't have regular access to a phone, they don't matter" situation.
So yeah, those people don't matter (enough) in the sense that it's not worth to offer more methods of 2FA. Let's not pretend otherwise.
I struggle to see a reasonable possibility to the government either directly or legislating others to provide identification and communications services. One of the greatest utilities in the US is USPS, a monumental accomplishment to be able to provide communications to all people in the US.
Tacking on email (and identity verification services - which USPS already does via passports) should be a no brainer.
It is possible. And, as far as understand it, the teams at Google in charge of this have evaluated this option and found that it leads to more lost accounts.
The people responsible for user authentication at Google are in a completely different part of the company as advertising and, in my experience, are especially stubborn about their focus on security. "This is about phone numbers" doesn't make sense to me given my personal experience.
> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.
We are talking about Google specifically here, which offers all of these options.
2FA is a major hassle for support when users get locked out because they smash their phone or change phone numbers or somehow lose access to the 2FA method. But, the benefits of 2FA largely outweigh those downsides for the majority of users. Offering the choice though, is something we think is important.
That's all I'm asking for as a user - thank you for being on the good side. Optimally you allow for multiple MFA options, so that I can e.g. use an authenticator app and a yubikey, as well as a recovery code in my bank.
You might be surprised to learn that this is how it works for Google accounts: it is default-on but you can turn it off.
> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.
You might be even more surprised to discover that all of these options are supported for Google accounts.
However, Google tries _very hard_ to prevent people from e.g. creating a gmail account without a phone number. Try it if you don't believe me.
We all knew password, no problems at all. Now it mandates 2FA. And because they mandate it for Google Ads, now it's on for everything like Google Drive etc.
Google seems to support all of those?
Hint: it is still possible to create a gmail account without phone number, but it has become quite tricky to do so.
Nope. Not possible.
Oh how I would love to be proven wrong though.
Which leads me back to the point made elsewhere in this thread: we have too high an expectation for what private companies can or should do, because they have taken the place in our minds if government.
And our expectations for what government can or should do are too limited, because we've convinced ourselves government is ineffective and unaccountable.
