Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: Google requiring phone number to log into Chromebook
327 points by pisky on Sept 9, 2018 | hide | past | favorite | 189 comments
Long story short: bought a couple of Chromebooks over the years (as they're nice multi user machines), created Google accounts on each but never gave a phone number. Now after years of use, Google pops up an "unrecognized device" roadblock AFTER I enter the password to log in, with the message "enter a phone number to get a text message with a verification code".

There is no mention of suspicious activity. The only trigger I can think of is a recent modem reset that changed my Public IP, and my new IP doesn't appear to resolve to my old physical location in Google's geoip db.

Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers? I don't even understand how giving them my phone number proves anything as I definitely did not ever give them one previously.

Unfortunately burner phones are not available in my country, so that's not an option.




I've had this happen with gmail accounts randomly. Most of the time with computers I've been using for years on the same network.

The worst occasion I've ever had was the one time I was traveling. I was getting by with only wifi and, naturally, didn't have a phone number to confirm my account with. I didn't have a number bound to my account, either, making the whole process pointless.

How did I get into my account? I asked a random guy who walked by if I could login to my email on his phone (since at that point I'd left my wifi area and couldn't login with my own device). It was essential that I check an email at that point, so I didn't have a choice. It was anti-security--I literally gave full access to my email account to some man I never met before in a different country.

Google needs to stop pretending it's some security measure. It's not. It's data harvesting, plain and simple. I just wish they'd admit it.


Even if you removed that number from you account immediately after logging in, something tells me google will not forget that association.

He might not had an account then, but could create one in the future. So now if either of you messes up or does anything even remotely suspicious (in google's eyes) - say goodbye to your account.


I had a Gmail account for a secondary email address that I used at times. One day I logged in with my email and password, and Google said I needed to further verify my identity. Well, my security question was a bogus one because I was confident with my password manager and backups it would not be needed. But, I guess I was wrong, because I didn't anticipate that knowing the password wouldn't be enough for Google. I never got access to the account again.


Stupid "security" questions, I've started answering them like "what's your favourite colour?" - "colour" or "what was your first pet's name" - "pet".

There are a few things that make me wonder if I can trust a company. Security questions, stupid password restrictions, sending me a password in plain text via email.


I recently was forced to do this by my home ISP. I used my password manager to generate 32 character length passwords, and then stored that info in the manager. However, when I attempted to save this info, the website responded with something along the lines of, 'we're sorry, please come back and try this again at another time.' This was preventing me from paying my bill online as it would not let me access my account with this info. I did this for 3 days straight. On the 4th day, I changed my answers to very simple responses similar to yours and the entire thing worked. It's not that it was fixed, because I tried the complex values first on day 4. Their system couldn't support such a value, and failed at letting me know that.


So, effectively, three security questions, like this:

  Favorite color? red

  Favorite band? yes

  First vehicle? car
In reality, they actually reduce complexity, defeating a 12 character password requirement with numbers, uppercase, lowercase and punctuation characters, because the total space of complexity can be possibly less than 9 case-insensitive letters.


I used to give my real birthday. Then I kept reading about how knowing that plus your address (usually easy to find on the internet - whitepages.com, etc.) got someone a long ways toward imitating you.

So I started making up birthdays but would have problems because I didn't remember them. So now I just use the epoch, which I think somebody here suggested.


I put January 1, 1970 as my birthday, and sometimes I can tell sites convert to timestamp and then it rejects my entry because it evaluates to zero which is falsely.


The issue then is that some services will require a copy of your ID to recover/unlock your account, and if the birth dates don't match they won't do it.


I always use plausible typos.


I use my sister's birthday. Other than the year, it's close to mine, and I don't forget it.


I use the registration date of my car (which is 4 years older than me) since at least I can look it up.


I tell the students that you really need to lie and put in some words that you remember that go with the question. Think of it as a challenge/ response, not an answer.


Next time, add your security questions to your password manager.


Security Q/A are de facto passwords. Treat accordingly.

Further, they're often a sign that a human employee providing support can override and manually authenticate a user. Whether or not that is really the correct user. Treat your entire account with them accordingly.


Yes. I answer something like "favorite color" with "blue green red" or "blue was the color of my first bike" if I can. I end up with something like this:

pet: answer school: answer friend: answer


Precisely the same thing happened to me. I removed Google from my life entirely, and I'm really happy about it.


What on earth are those of us supposed to do that don't have a phone?


Switch to a paid service that doesn't depend on your data or on ads for revenue and survival.

I would mainly recommend posteo.de because of what the company stands for and its cheap pricing. Other options are runbox.com and mailbox.org. All these providers support IMAP too. So you can use any email client on any platform, or the web interface, to access email.

Protonmail, recommended by some others here, doesn't support IMAP for free accounts (so you can't take your mail out easily if you want to move elsewhere). For paid accounts, it has a "bridge" software that needs to be installed and running. This is available only on Windows and Mac. For Linux, the FAQ [1] still says at multiple places that it'll be available in "early 2018", while we're already nearing the fourth calendar quarter of 2018.

[1]: https://protonmail.com/bridge/faq#c8


Or simply buy Apple and use iCloud for emails and data


Except they silently filter email messages based on certain keywords


Emm, they do what? Please clarify.


Fastmail. They even have a real customer service.


ProtonMail.


I second this; ProtonMail is great.


I think the correct term is security by obscurity. Every time I need to "ID" myself I just borrow someone else's phone.


Get a Google Voice number https://google.com/voice and link it to Google Hangouts or Google Messenger so you can send and receive texts via your phone or Wifi Web apps.


It’s a security measure FOR THEIR SECURITY, not for yours.

It’s an anti-spam, and anti-abuse measure. So they’re not giving away free resources that get used to harass their users.

Why would Google need you to give them your phone number to associate that with you? They’re on many of the phones in the world, someone you know has already done that for them, or you used your own phone to do the same.


If Google hired reasonable smart engineers, they'd know that a 10 year old account with a stable history of regular emails isn't a spam account.

Unfortunately, Google doesn't seem to have the best staff. Or even good staff.


10 year old accounts get hijacked all the time.


Yeah, maybe.

But it's Google. I could name at least 12 datapoints to check wether it's still the same user it was for 10 years on top of my head. Starting with "still using the same device" going to probably things like "typing style", given how sophisticated their AI is.

There is really no excuse for Google's ADD and implementing half-assed features and stopping to support them 2 months later...


This isn’t a feature to authenticate the account. This is to identify the person using the account. They’re tying the person using the account to a phone number that person apparently controls, and thus a billing contact.

This usually means Google suspects you of doing something that might be abusive.

In this case: re-activating a dormant account that was in a data dump would be a safe bet.


Did Google ask again for a phone number when you tried to log in from the strangers phone?


Evil.

Imagine those teens at school, that bought Chromebooks because they were more affordable, and now getting pried on like this.. :-( It is this generation that is going to lose the idea of privacy and suffer from these piece of shit corporations.

It's almost like watching a movie.


>"...and now getting pried on like this."

Those students are being tracked regardless of whether they provided their mobile phone number. ChromeOS is an entire operating system that tracks you from the moment you sign-in with your Google account.

Sure, you can use a guest account, but you won't be able to save anything because the entire OS is "cloud-based".

People rush to Google's defence and say that Google doesn't build ad or marketing profiles from student data. But even if the online activity from students is aggregated or detached from individual accounts, that still means Google holds the personal online behaviour of millions of students. They can now poke and interrogate that data in ways that even they probably haven't fully grasped. And as we've seen from Netflix and Spotify, aggregated data still lets you pull out precise details and behaviour from "anonymised" data (a meaningless term).

Tracking is so pervasive and so normalised that no-one even bothers to ask: why should students be tracked in the first place? Tracking online behaviour is in Google's DNA and no-one does it at such industrial scale.

The hypocrisy of the tech community who have nothing to say on the privacy implications of ChromeOS in schools is hard to understand.


Most of the tracking in your google account is to give you the answers you’re looking for, not because it’s of any benefit other than providing a better service.

Like when I search for a three letter acronym, google knows that I’m an engineer, and I see links for results about computer hardware, and not about a Jewish Torah studies group with the same TLA.

Google makes those models for individual accounts, which is why google can tailor results so well to what you’re looking for right now.


If you're a school you're on GSuite for Education so can create as many accounts as you want for free, without phone numbers, and for under 13s


Parentpost is talking about a different market group. You are talking about chromebooks provided by schools to students. Parent is talking about chromebooks _bought_ by students (because they're cheap and functional).


Fair enough. I'd just pick up a random sim card at any supermarket, comes with a free phone number.


I don't want to spend money. Not even a few quid, because a scummy company suddenly doesn't let me access my device, which I "own" for years without surrendering even more personal information.

That's apart from what other posters explained. That in a lot of countries you can't just get a sim from a kiosk, or a vending machine without proper identification.


This is an anti-spam and anti-abuse requirement, not because they need you to tell them your phone number.

They’re on most of the phones in the world, and have access to all the billing records associated with your phone number, as they’re a cell phone service provider. They’re asking folks who they think might be abusing the service for this information, so they identify themselves in a way that Google can report to law enforcement.

The idea they’d need you to tell them this information so they could use it is kind of laughable.


Given that this is a very new account I smell trolling, or astroturfing. Just in case it's not, I bite:

This is an anti-spam and anti-abuse requirement, not because they need you to tell them your phone number.

Any means of backing up that statment? Specifically, why are anti-spam measures needed to access a device?

They’re on most of the phones in the world

So what? A lot of people, myself included, will never, ever use an Android device. Especially since they don't trust Google one yota not to completely violate their privacy. In terms of the discussion this is a red herring.

and have access to all the billing records associated with your phone number, as they’re a cell phone service provider.

It's here, where your comment gets outright ludicrous. From [1]

When the mobile device is turned on or is transferred via a handover to the network, this new "visited" network sees the device, notices that it is not registered with its own system, and attempts to identify its home network. If there is no roaming agreement between the two networks, maintenance of service is impossible, and service is denied by the visited network.

The visited network contacts the home network and requests service information (including whether or not the mobile should be allowed to roam) about the roaming device using the IMSI number.

If successful, the visited network begins to maintain a temporary subscriber record for the device. Likewise, the home network updates its information to indicate that the cell phone is on the host network so that any information sent to that device can be correctly routed.

There is NO, whatsoever exchange of subscriber information, safe for service information required for billing. Pretending that "Google can associate billing records with your number" doesn't pass the smell test.

The idea they’d need you to tell them this information so they could use it is kind of laughable.

The idea that the ilks of Google, Facbook and all those dodgy add tech brothers and sisters would not abuse any means possible to violate your privacy is laughable.

[1] https://en.wikipedia.org/wiki/Roaming


You don’t think there is a system for network providers to identify customers to each other?

How about to law enforcement?


Use TextNow app- it gives you free phone numbers.


Many services that require phone numbers can tell if a number is a free VOIP number and will not accept it for verification.


FYI being able to just buy a random SIM a any supermarket is not common outsid the UK.


FYI, it's possible in Ireland.


It is common at least in most of Central and Eastern Europe.


And in most of South America, and many Asian countries


They closed that loophole in Europe after the terrorist attacks of recent years. You can't buy pre-paid SIM cards without giving an ID anymore.


Please don't generalize about Europe unless you're certain the statement is true.

You can buy a SIM card in a vending machine in at least airports in Denmark and the UK.


Last time I was there in Denmark I had to provide a CPR number to enable the SIM card. For the non-danish people the CPR number is basically your lifetime number for everything from social security, to tax, payroll, etc.


Perhaps if you want a contract, but it would be rather pointless requiring a CPR number, yet selling SIMs in the arrivals hall of Copenhagen Airport.


Can you also activate it and use it?

Because I've seen SIM cards that can be bought in supermarkets in another country, but then you need to show your ID to an operator over Skype to activate it.


You can.


How?


Indeed, I thought it was a European directive.

I am willing to bet the vast majority of European countries will follow suit before 5 years though.


In Romania by law you have to give your ID. But between what the law says and what happens in practice...


Throwaway SIMs are unavailable and foreign throwaway ones do not work in Turkey.


In Portugal you can buy and use a prepaid sim card without showing your ID or giving away any personal information. On the other hand buying credit is done via the bank, so you only have a few euros to spend before losing anonymity.


It's different in different countries. Estonia, Latvia, Netherlands allow sim cards wihout IDs. Poland, Switzerland do not.


Afaik since last year an ID is required in The Netherlands as well.


You lose anonimity in a very short time if you either:

1- Use the new "anonymous" sim card with a phone you already own and used with other sim card (IMEI matching).

2- Use a new phone with the new sim card but let it connect through your home WiFi network (IP tracking).

3- Use a new sim card and a new phone, but carry the new phone around with your main phone so that they find your second phone and number just by looking in the carrier(s) database(s) if there are any matches to the tower areas the first phone connects to.


Must be a buoyant market in sims walking over the border?


You don't need ID in Lithuania. You can also buy top ups with cash.


what kid doesn't have a phone?


I find teens rather cautious about giving out phone numbers, older generation - much less so.


Anyone over the age of 40 (and many younger) will have had a landline, almost all in the phone book. Name, address, and phone all neatly collected, very few were bothered.


True but that loophole was closed when phone books started to collect mobile phone numbers. Nobody was happy with that so it was changed so that people had to actively opt into being listed. Phone books are now dead and good riddance.


Except that with the advent of mobile billing, and the like, any phone service provider can pull your info from pretty much anywhere in the world.

Which is why Google is asking for a phone number here, they think the account is likely abusing a service, and they want to identify who is using it.


Very good point. I had completely forgotten about that practice. Name, address, phone number. Seems surreal.


There's no problem with it in general when it's printed on a dead tree.

When it's available electronically, everything changes


They have done this to me a couple of months ago with my Gmail account and got really panicked, because I had all my contacts on it.

After I have managed to restore it more than 4 hours later, I permanently deleted my account and Google immediately contacted me with apologies, asking me for the reason I did such thing.

They have tried to persuade me to restore my account with a couple of emails, but it was already too late.

I cannot trust them anymore.

I want to have absolutely nothing to do with Alphabet or Google; if a certain service that I currently use gets acquired by either of them, then I will delete that account too immediately.

Enough is enough!


> They have tried to persuade me to restore my account with a couple of emails, but it was already too late.

Where are they sending those emails, to your Google account's backup account?


Yes, on my alternative email.


I'm having problems where I am not getting important business emails, but only seeing them on a backup account that gets forwarded all my mail.

Also I am getting mail from a guy in India, and he is also getting my email. It's like our accounts got crossed over.

As usually, there is nobody at google to reach.

How did you get a hold of somebody?


They've essentially bricked your machine and are demanding your phone number to un-brick it? Sounds like a case for a legal battle.


Sonos just did the same. They want you to create an account (and therefore give them an email) and otherwise are effectively bricking the device in the latest update.

Was time to get rid of this pos.


An email is waaay different than a phone number. You can easily just use a burner email- but using a burner phone is too much work and costly.


Burner email?


Doesn't Apple do that too?

One of the reasons I use Linux on my MacBook.


No. You can give your email and it enables some additional functionality such as iCloud if you want to opt in to that but it’s not required.

When it asks if you have an Apple ID (which can be any email address) there is a skip button in very plain language on a very uncluttered screen where it is very easy to read.

And no, it never asks for a phone number. You are free to add one later though if you choose. But the OS doesn’t want it or use it...

The only place I can think of where you can put in your phone number is the Messages app, which is not even part of the OS.

You would do this on your own initiative by the way, not requested by the app or by the OS. Putting your number into that allows SMS messages to appear on your computer.


You can set up a Mac or iOS device without ever logging into an Apple account. The only place it is "required" (well, not strictly required , but I guess an iOS device is not that useful otherwise) is for the App Store to get apps (someone correct me on this but I'm not sure you can download free apps without an Apple account, and there's a way, although convoluted IIRC, to create one without entering credit card details)


Last I heard, you can't download any apps without signing in with an Apple ID. Since sideloading is impractical on iOS, this would make the phone not very useful as you can't install any software.


Where/when did you encounter that? I used a Mac machine for awhile without even logging into iCloud/Apple ID; I don't recall being asked for any personal info beyond what's required to set-up the machine.

Off-topic, out of curiosity: what distro are you running on the MacBook, and how's that going?


No, I've been using Macs for years and have never created an apple account. They really encourage it, but you can in fact skip all the prompts.


You're being downvote but an appleTV is completely useless without an appleId...


Well, when there is only one App Store and it requires you to log in, it in effect means you have to have an Apple ID -- which is a far cry from being forced to give up your phone number to use your own personal computer.


On the other hand they could allow access to the app store only for free apps


I just use homebrew.


I can't offer any advice that can help you quickly or is guaranteed to work. Write a longer and better composed post on some platform, with details of what you've tried, whom you tried to contact at Google, responses (or the lack thereof), etc. Share it on HN, Twitter and elsewhere to get some traction. If you can get it to someone at a senior level, that may help. Sadly, that seems to be the only way to get some companies to pay attention.

I'm not sure if your Google account is tied to a Gmail address (it doesn't necessarily have to be), but I would advise anyone who uses (or must use) Google's services to use an email address from another provider so that if you lose access to the Google account, your email also doesn't disappear with it. Further, disentangling oneself from such providers and going with those whose business depends on your monetary support may be a better choice (where feasible). I also get that these suggestions may sound absolutely ridiculous.


How do you even find someone to contact at Google? When I tried in the past, the only support was for people that had some sort of recurring SaaS contract or for AdWords


Some of them read Hacker News.. if your problem makes it to the frontpage you might be in luck. But again, this is really not the way this should work.


I'd suggest filing a public report to their support on Twitter phrased something like "services inaccessible to underprivileged users", that should trigger enough keywords for their AI managed support to notice. Be sure to get as many quantifiable likes, retweets, upvotes, etc as possible, as that is all data which is used to increase the internal score of the report in their system. Once its been elevated to a human, as rare as that is, play the victim; you're not from the West Coast, so you don't know the West Coast ways, but play the victim, get support behind you, and your issue will be resolved within a week. Good luck!


I have the same when logging in to my Google account provided by my employer. I don't have 2FA set up, so they have no prior knowledge of my phone number.

I'd also like to understand how this is possibly useful?

In my case I was travelling, so had no option but to enter the number of the nearest available random person willing to lend me a phone for the purpose, with no idea what it would be used for.

It is cynical to suggest it's to boost their network of connected phone numbers, but I can't think of a better explanation?


What you're describing is a "cost proof" - namely that the user has something we can verify that costs some amount of money and is unique. So when the service I work on asks for a phone number verification, it's not always to determine your ID - it's to cut down on spam from users unwilling/unable to set up tens or hundreds of phone numbers, which I imagine is the majority of spammers.

Adding it to existing accounts, though, makes less sense to me. Retroactively checking that an active account can cost proof seems like the most intrusive way of doing this, particularly as part of OS login - at this point you have so many signals that you should already be able to detect the user is a spammer or not.


it's to cut down on spam from users unwilling/unable to set up tens or hundreds of phone numbers, which I imagine is the majority of spammers.

If anything I think it's the opposite --- dedicated spammers have shown they can farm resources like accounts of various types, so phone numbers aren't out of their reach. It's the casual users who don't want to give away their phone numbers or setup a throwaway one which will be turned away.


Cost proof doesn't cut in for those users - it's typically only put in on the Nth new signup within X hours from an IP address.


When logging in on hardware that they provided, the cost proof should be solved (if you are only using one or a few accounts). Chromebook could come with a private key and sign a message for google, they control both hardware and software.


This is the reason for the verification, and I'm surprised nobody mentioned it yet. When you sign up for a new account they also require a phone number. It provides a basic measure of accountability and a bot prevention mechanism.

They're doing it on Chromebooks because you're using Google's services. A Chromebook is just a Google Cloud Computer; users aren't expected to use one without using Google's services too.


Then it also seems especially odd to do this on a paid-for G Suite account.


>Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers?

Yes it does. The normal Gmail interface I get now has a forgot password link which is by default activated after I enter the username. I have to explicitly jump over that to continue entering the actual password and thus to my mail box.


My decade+ old Hotmail account, plus two more newer ones, began prompting me for a # "for security" back around 2014. After a couple weeks of "not right now" all three of them locked me out simultaneously. Yahoo still asks for a # to this day(AFAIK... stopped using it after Oauth prompts appeared). Security IS one benefit, but it does not seem to be the most heavily weighted reason. Most don't change phone #s often, if ever. Seems like a super data tracking metric.


I've had this issue with one email account that I use solely for a very busy email group. Occasionally there is no way at all to log in, as I have no tied phone numbers/email accounts. I think one question was, when did you create this account? Which of course, I have no idea.

Anyway that has put me totally off using gmail. I rarely have a phone too, so using a phone number for secondary authentication is a PITA.


That's exactly why I don't use Gmail anymore. Tutanota lets you in without a phone number: https://tutanota.com/blog/posts/anonymous-email

And there are more, no point in sticking with the big G.


I have a similar problem with yandex. It's not hardware, just an email account, but I'm locked out of one I used for stuff because they are now asking me for my phone number because of "suspicious activity". I don't want to give them one.


Yup. And Yandex is one of the only free email services left that doesn't require a phone number to register yet they stuck me with a lockout on the account weeks later (still haven't bothered to re-activate the account yet).

Not to mention that I created both a custom question and answer with randomly generated strings that couldn't possibly have been known by anyone else, which they confirmed as correct during the lockout and still are demanding a phone number to 'verify'. I mean, really now, how on earth would giving any random phone number further verify I'm the account holder when I already know the correct randomly generated password, secret question and secret answer.

Gmail has similarly locked out various accounts with this despite no actual suspicious activity and having a completely unique password. It's a transparent effort by all these companies to gather more user details.


https://cock.li/ doesn't require phone number (you can also choose other domain name)


ProtonMail doesn't require a phone number either for registration.


Funny enough the much maligned evil Win10 allows for the use of a local account.

(I am hesitant to give American companies my personal information because they are not beholden to my country's consumer laws).


I see a lot of concern around privacy and that’s a blessing.

Honest question: Let’s assume for a moment that google wants to do something evil, what kind of info will “providing a mobile number” give to google that the email, searches, possibly DNS queries, oauth2 authentication and browsing tracker will not?


Phone number is a universal ID whose transmission and content is managed by another company. It's one which we generally make public, too (that's the point). Plus, unlike email, it's difficult and/or non-free to create more, or manage several of them.

A malicious Google with my phone number could easily sell my web searches to the phone company, for example. Or publicly expose my web searches, associated with my phone number (which my friends or employers would recognize).

It's basically one less layer of indirection, which means much less plausible deniability. It's not a hard line but there's definitely a gradient they're moving down.


I’ve had chrome books as a possible purchase.

That’s finished now.

I want my machine to be my machine.

Google can F off.


If you wanted that why would you ever consider a Chromebook in the first place?


I am/was considering a Chromebook because of the lower price and the opportunity to run Linux on it


If you were running Linux on it wouldn't this be a non-issue?


If that's what you're looking for, buy an off-lease/refurb/used business class notebook that's a few years old. On the ThinkPad side, a T450 or T450s, maybe a T440s if you're going to disable the touch pad, maybe a T430s if you're willing to go back 6-7 years but then you're really going to be looking at likely battery issues and higher weight.


I see what you’re saying.

As a side note, most likely Google already has your mobile, through a friend who uses an android phone.


Can you install Linux in these machines?


You can install something like GalliumOS depending on compatibility [1], but it's not for someone who's afraid of modification as to make the boot process seamless you need to modify the BIOS. I have an Acer C720 running it, and it works well - it's a light, cheap linux machine that I can take with me wherever and not be too bothered about (because of the replacement cost), but TBH I think installing Linux because of the OP's issue is sledgehammer/nut! Lots of people like ChromeOS (my Mum has a Chromebase, and since she's had it I've needed to provide precisely zero tech support which wasn't the case for either her Mac or the PC she had to replace it), so replacing it with a niche version of Linux may not be the route to go for many.

[1] - https://wiki.galliumos.org/Hardware_Compatibility


Yes. There’s a Chromebook-optimised distro called GalliumOS. I use it on my HP Chromebook G5 (weighs the same as a MacBook, costs £200) and it works great.


ChromeOS utilises the Linux kernel itself but without arguing semantics you can install a chroot Linux distribution with Crouton [1]. Whether that supports this specific machine (whatever it may be) I do not know.

[1] https://github.com/dnschneid/crouton


You'd need to get past the login screen to install a chroot, so not appropriate for OPs usecase. Some machines support modifying the bios, but it requires taking off the panels to unscrew the write protect screw.


For the older ones I've read that you can reflash it to a "normal" PC BIOS and then it becomes a pretty ordinary laptop that will run Linux or Windows or whatever else.


Can't you just set up an alternative two factor authentication method? How about a Yubikey? I think that maybe if 2FA is not explicitly enabled on the account, Google try and enforce this 2FA 'light' method using SMS


+1 ... they pestered me for a phone number until I set up 2FA then they shut up.


Outlook Mail does the same. Registered a free email account, logged in from other IP (from the same network) and got a requirement to enter a phone number.


Had the same experience with an outlook account used for registering sites I don't trust.

Microsoft's excuse (lie) was that, my account had sent too many spam messages.

Got pissed and abandoned the account.


Maybe giving them your phone number gives Google another signal to catch hackers in another country trying to taking over your Google account. Or a malware server could be prevented from taking over tons of Google accounts? I don't want in abuse, so there are only guesses.

I don't mind giving Google my hone number to keep my data secure, and I'm in the majority, so this is a good thing IMO.


To further lurker456’s point, phone carriers are currently one of the weakest point if you care about security.

I assume you are giving your phone number to a lot of entities already (public administration, HR, service prodivers, delivery etc.). From there a simple phone call to your carrier will be enough to reset your contact dmail, SIM and/or have a new one activated.


You should, because anyone that can compromise your phone will be able to get into your email.

From there it's a small step to reset passwords (SMS 2FA won't help here, as they also have your phone) to all online services you signed up for with that email.


Yes, but you need to weigh that risk against the risk of not having 2FA.

Taking a step back, and responding to the other comment in response to mine as well, I was just speculating. I don't work in abuse, and I'm inclined to trust the Google abuse engineers over myself or random HN commentators to keep my Google account safe.


Format it and install Linux.


I cannot reproduce this on any of my chromebooks.


I can reproduce this on my secondary and tertiary gmails. They require a phone number or security "questions" that I have no idea about.

I have effectively lost access to them because of google.


It could be that your account was hacked and the hacker has enabled 2FA on your account using their phone number.


Hi, op here. They're asking me for any phone number, not for one tied to the account (there is none). I've confirmed this by comparing with the message a friend sees with two factor authentication turned on.

Some people are posting here saying they got in using a stranger's number so I still don't understand how providing a number proves who I am.


I help people without cell phones set up email accounts (public library). As a result, my cell phone and work phone are blacklisted by Google and unable to receive verification codes. Had to set up my wife's phone as my primary email recovery number.

Google's phone number policy is ridiculous.


That is the reason i stopped using Gmail. Random verifications popping up from time to time.


Maybe GMail maybe something else, their advice if you didn't have a cell phone was to use someone else's for the initial confirmation code.


Can you imagine if Google gets hacked? Your entire life becomes public. I don’t want to sound paranoid, but it’s a scary thought.


I'm waiting for the day that LinkedIn will refuse to let me login without configuring a phone number.

I don't use smartphones.


> I don't use smartphones

This has nothing to do with smartphones.

Last week I decided to create a Youtube account as their premium, ad-free service is now available in the UK. All was going well on my laptop until I hit the page demanding a phone number. Any number, smart or dumb.

Not having a burner-SIM to hand I just closed the tab.


> Not having a burner-SIM to hand I just closed the tab.

Don't burners get their # recycled?

This seems like a pretty awful approach considering most of the sites I see demanding phone #s are doing so under the guise of improved security. It seems likely whoever controls that number will have some authority over the account.

All it would take is some stupid notification being sent to the phone number to inform whoever that is of something interesting being possible.

Combine that with the fact that burner phones are often utilized by criminals for variety of reasons...


Do these services take landline numbers as well?


Most phone verifications that I've seen do work with a landline. They call you and a text-to-speech bot reads you a code.


Why isn't this on the front page?

Seems plenty enough points tjat it should have been there still.


mailinator has an SMS service


Using disposable SMS service for what will be used to verify account owner in the future sounds unreasonable.


It proves you are not a bot? The account recovery procedure is usually via a secondary email account or saved backup codes.

I know this because I have a friend who's prone to getting himself locked out and I have become his personal tech support guy (not willingly).


I understand the measures they have to go to to stop bots, but Google have more than enough data to know these accounts are not bots (they have years' of browsing history and whatever other hooks they use on Chromeos). Unfortunately these accounts were created years ago and I assumed 'recovery options' would only be required if I forgot my password (which I never would). Beginner's mistake.


Use TextNow app to get temporary mobile numbers.


What's wrong with giving away phone number?


Twilio SMS is an option at $1 / month


I've had problems using Twilio numbers to create Google accounts. I think voice activation does work, but you need to forward the number to your own number.


It should be assumed they check the phone number provider and block twilio as a spam prevention technique.


How can they detect Twilio numbers but still let scammers robocall my phone on a daily basis via bandwidth.com's API?


Even where this doesn't happen, Twilio block messages of the form "Your Google verification code is 123456" so you can't receive them anyway.


I removed SMS from my google account for security purposes and use push notifications on the google app. Perhaps you could try that.


Your solution is to give them your phone number first?


It’s an app and I don’t know if you need to supply a number first. Either way they need it one time so use a throwaway only to activate the app.


Google voice numbers work, BTW. So since you ha E a Google account, make a burner G voice number and get the text that way.


You cannot create a Google Voice number without providing an existing, working, real number.


Huh, I didn't remember that. The last gv number I created was many years ago.


It might just be a security measure, but tinfoil hats are fun...


Stop buying computers that require you to provide your identity to ad companies in order to use them.


While this is a good idea in principle, in this case it's a recent development. You can't really go back in time and unbuy it just because Google suddenly decides to be a(n even bigger) dick.


You could install GNU/Linux on the ones that were already purchased.


Well said; it really is that simple on principle.


Yes, its new IP adress, they don't like you getting too smart using VPN :)

To bypass that, set up MFA using OTP app, like FreeOTP, that should skip 'unknown device' nagging.


Go create a google voice account and put in that number.


Requires a "real" phone number to create one.


The following is very YMMV. I anal and I'm not a Google employee (would love to be though!).

For those in the US, the approach I've taken is to create a Google Voice number. Yes, you need to give it your existing phone number. Then, you can give this number as a backup but the key is to use a two step authentication app like Google authenticator or authy. This is key because like any sane system, two step by SMS has rate limits in place. I don't know the details but it seems like rate limits apply even when an SMS never leaves Google (the SMS originates at Google and ends on your Google voice with no forwarding).

Long story short, if you want to fix your problem, try to get two step authentication using an app for your account(s). I think that should do it.


Are u worried about your country's security services or Google? Not sure of the question. If it is (1) then stop using anything from big 5 tech. It is likely changing ips and locations possibly makes google feel suspicious that your login is being compromised. For my very paranoid friend, I bought 2 X 'U2F' key completely open source at https://u2fzero.com/ (unlike some of Yubico keys) . All problems went away.

Also remember any form of 2-factor is better than none. Yes, GSM can be hacked and yadayada.. but even one extra factor always slows down. See even a senior Mozilla dev got hacked without 2FA: https://www.theregister.co.uk/2017/08/02/chrome_web_develope...


> Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers?

Nope you are not crazy at all, that's exactly what they are doing. It's the same pattern in practice of online banks that are demanding you give them an SMS capable phone, it's so that they can in the backchannel identify you through AT&T, which is really teh corporate face of the NSA (don't argue with me, 33 thomas st. nyc), and the implications there is that they have many things tied together in fusion centers so they can use something like palantir to instantly profile you when you put in that number and it draws in via their backchannel apis your bank accounts into a single view along with your other information, like medical, civic, etc that's literally what fusion centers do. It's all hooked up for THEIR convenience, and its all keyed off now on google's gaia_id. They tether your phone number(s) to gaia_id and voila all these data sources get drawn in....it's all about the convenience to the five eyes/nato people to force you to use their free sandwich stuff and get everyone tied into the central hub of services that is google

So I agree with others: don't use a chromebook. I have an older friend who needed a laptop for work and I made the mistake of getting a chromebook. The f*cking thing didn't do TKIP correctly in WPA2 so it didn't work with my wifi without making major changes to security in a tactical frustration that made ME look like I didn't know what I was doing

It was a G d nightmare, but needless to say I will NEVER use a chromebook again, esp after hearing your issue with the phone

Just get a refurb lenovo from tigertits or newegg and put linux mint debian edition with xfce on it. The end


This conspiracy theory makes no sense. Why on earth would your bank need identify you by phone number when you already have to give them your social security number to open the account?


> conspiracy theory

Its a fact and works exactly as he described.

Also the term conspiracy theory was created and popularized by the CIA as a function to install into the general population as a protection mechanism against their own true and active operations, which as stated, are treasonous to America and American citizens.

A useful tool for you might be to become self aware of your use of the term “conspiracy theory” and whenever you find yourself reaching for it as a knife, to instead reflect on the issue and to genuinely and independently compile a response to the topic at hand using basic logic, reason, and available known prior actions of the organizations that would profit from discrediting the topic.

Good luck.


> Also the term conspiracy theory was created and popularized by the CIA as a function to install into the general population as a protection mechanism against their own true and active operations, which as stated, are treasonous to America and American citizens.

This is not true. The term is older, dating back to at least 1870, and was used then much in the way it is now [1]. The idea that it was coined by the CIA is an urban legend.

[1] https://www.csicop.org/specialarticles/show/nope_it_was_alwa...


Duly noted and interesting, thanks.


> you already have to give them your social security number to open the account

FYI, no you do not have to.

> You are not required to have a social security number to open a checking or savings account.

Source: https://www.consumerfinance.gov/ask-cfpb/can-i-get-a-checkin...


I am very curious to know of a bank or credit union that will open an account without a social security number.


Non US citizens are able to open bank accounts in the US. By definition they do not have social security numbers.


Yeah, but one needs to provide scan of US/internationally recognized passport. Then mostly every country has FATCA agreement with US. Abundance of keys and IDs to just link lines.


About your WiFi issue: you shouldnt use WPA2 TKIP, because it is insecure.


You've only been a member for less than 12 hours, but I've already specifically enjoyed your comments in two separate threads. I hope to see more of you in comment threads! You add a lot of value.

Whats your "stack"? are you running linux and avoiding google services entirely - or using and mitigating their tracking?




Applications are open for YC Summer 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: