I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.
An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.
The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:
Confirmation message sent by email (and let people add multiple address not just one).
SMS to phone number (again, let them add multiple numbers).
TOTP code generated with authenticator app.
One-time-use secret codes written down somewhere.
Secret question/answer pairs.
Codes generated by USB key fobs.
Confirmation on a phone that’s still logged in to that Google account (this doesn’t require the phone number).
Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.
I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.
Google kinda does do that though. You can have a recovery email (or multiple IIRC), or you can have a phone number.
TOTP and hardware authenticators are more for second factor authentication; you’re probably more likely to use those than a password, and they don’t really make sense for recovery.
Why wouldn’t they make sense for recovery? They’re authentication factors just like passwords.
“Second” factor means you should have multiple, not that one of them is beneath the others. And they all work just as well for authentication and recovery.
Because you’re much more likely to lose or break a hardware fob than lose a password, let alone change (lose or whatever) recovery email or phone.
Like, it would be a neat option; ideally you could set up literally anything and say what combination of factors you want to use for recovery and which to use for authentication, but it’d be a pretty big change for a tiny minority of users.
I mean, if you come back years later and lay a claim to an account you’re going to have to show something that proves who you are.
An SMS sent to the phone number stored on the account is no more reliable than asking the user to generate a code with an authenticator app (based on a secret that is stored in both the account and the app). People can lose the app/phone just as easily as the number. Also, SMS confirmations suffer from many vulnerabilities that TOTP codes do not.
The main point is that these methods are not related. Google could and should offer them side by side. Let people take their pick of any of the following:
Google is witholding some of these methods until you give them your main phone number, which is obviously a ploy to get your main number so they can track you.
I’m frankly surprised that a privacy-oriented community is not aware of the fact phone numbers are an excellent means of tracking people across services and databases for extended periods of time.
Google kinda does do that though. You can have a recovery email (or multiple IIRC), or you can have a phone number.
TOTP and hardware authenticators are more for second factor authentication; you’re probably more likely to use those than a password, and they don’t really make sense for recovery.
Why wouldn’t they make sense for recovery? They’re authentication factors just like passwords.
“Second” factor means you should have multiple, not that one of them is beneath the others. And they all work just as well for authentication and recovery.
Because you’re much more likely to lose or break a hardware fob than lose a password, let alone change (lose or whatever) recovery email or phone.
Like, it would be a neat option; ideally you could set up literally anything and say what combination of factors you want to use for recovery and which to use for authentication, but it’d be a pretty big change for a tiny minority of users.
Google can use the phone number on file to text a verification code for password reset.