Man, this thread is such a shining example of why "trust, but verify" is a phrase.
There is ABSOLUTELY an option to enable 2FA on a Google account now that does not require giving them a phone number. There's a clear "Advanced Options" link that lets you choose a security key, which is what folks should be using anyway.
True, I just didn't write that because a physical security key is not an option where I live.
Other than a security key, it's only a phone number or adding the account to the phone.
I'm sorry I didn't mention that in my post, I wasn't trying to lie, I just can't obtain a physical key and I don't think I have to have a physical key to read my emails.
Don't feel bad. I recently went through the process of enabling app passwords and whatnot for Google accounts. I did that because I lost control of one account and decided to implement every recovery option possible on the others - like TOTPs and backup codes. If there is a way to do it without purchasing stuff like tokens or entering phone numbers, I could not see it.
If there is a way of doing it, I suspect it's deliberately well hidden. I also suspect what they enforce varies by country.
Where is that? Judging by your comment history, maybe Kazakhstan? I can easily find physical security keys for sale in Kazakhstan. For example miningshop.kz in Almaty has Ledger Nano S in stock.
Besides, you don't need an actual physical key for U2F.
TOTP doesn’t protect against phishing, U2F keys do. Sadly very few companies have them as an option, which goes to show how 2FA is mostly security theater at all but a handful of companies.
This may vary regionally. I went through this with an account recently and did not have this option, despite looking for it (as I do have a hardware key).