This is not black and white. It is possible to encourage 2FA but allow opting out. The same for phone numbers.
And that's why companies enforce 2FA: they want your juicy phone number or other data. And yeah, maybe they also want to reduce support costs and avoid bad publicity. Still, it's not in your interest, it's in theirs.
If they would at least allow for a sufficient number of options. Like paper TANs (even self-printed), a YubiKey or similar, a second email address, an authenticator, ... but even big companies often only require a phone number.
EDIT: Yes, Google offers more than a phone number when creating a Gmail account. I didn't say they don't. However: they don't make it easy, and I would even go as far as saying that they are evil here. If you don't believe me, try to create a Gmail account right now and don't google/search how to do it without a phone number.
Which is okay, because it is a business.
If society wants homeless people to have reliable access to email without having SMS 2FA or whatever requirements a business requires, then society should elect a government to provide it as a utility.
There is no reason to expect or want businesses to pick up the slack for the government not providing adequate safety nets. Let businesses be businesses, and let governments handle redistributing wealth.
Initiatives at for profit corporations will always exist within some business constraints, shareholder obligations, and so forth.
It would be very reasonable for governments to provide tax-supported digital services. I could easily imagine that spending a few dollars per year to provide the homeless with basic digital services would pay off simply in easing administrative overhead.
But we don't do it, because, in America, our sense of what government can or should provide is atrophied, and we, mistakenly, look to private actors to provide basic public services.
It might be legal and maybe even legitimate, but OP said:
> This isn't a "fuck the people who don't have regular access to a phone, they don't matter" situation.
So yeah, those people don't matter (enough) in the sense that it's not worth offering more methods of 2FA. Let's not pretend otherwise.
It is possible. And, as far as I understand it, the teams at Google in charge of this have evaluated this option and found that it leads to more lost accounts.
The people responsible for user authentication at Google are in a completely different part of the company from advertising and, in my experience, are especially stubborn about their focus on security. "This is about phone numbers" doesn't make sense to me given my personal experience.
> If they would at least allow for a sufficient number of options. Like paper TANs (even self-printed), a YubiKey or similar, a second email address, an authenticator, ... but even big companies often only require a phone number.
We are talking about Google specifically here, which offers all of these options.
2FA is a major hassle for support when users get locked out because they smash their phone or change phone numbers or somehow lose access to the 2FA method. But the benefits of 2FA largely outweigh those downsides for the majority of users. Offering the choice, though, is something we think is important.
That's all I'm asking for as a user - thank you for being on the good side. Optimally you allow for multiple MFA options, so that I can e.g. use an authenticator app and a YubiKey, as well as a recovery code in my bank.
You might be surprised to learn that this is how it works for Google accounts: it is default-on but you can turn it off.
> If they would at least allow for a sufficient number of options. Like paper TANs (even self-printed), a YubiKey or similar, a second email address, an authenticator, ... but even big companies often only require a phone number.
You might be even more surprised to discover that all of these options are supported for Google accounts.
However, Google tries _very hard_ to prevent people from e.g. creating a Gmail account without a phone number. Try it if you don't believe me.
We all knew passwords, no problems at all. Now it mandates 2FA. And because they mandate it for Google Ads, now it's on for everything like Google Drive etc.
Google seems to support all of those?
Hint: it is still possible to create a Gmail account without a phone number, but it has become quite tricky to do so.
The key takeaway is not about how we should promote 2FA or how we should promote long-ass passwords; the main issue at hand is Google's neglectful lack of customer support.
I was once caught in this nonsense many moons ago. But I learned my lesson: I absolutely do not rely on any Google products for anything that has any potential to impact me personally (with the unfortunate exception of the Android OS on my phone).
Google as a brand is absolutely dead in the water for anyone that has woken up from the 'Don't be evil' kool-aid of the early days.
Imagine Google had a full-service customer support system for account recovery that everybody could access rapidly. How would a homeless person use it? They lose all their possessions regularly, so they don't have a reliable form of identification. They'd need to enroll their driver's license (which they probably don't have) in the system and then still have that license when they need to recover their account. Or they could be vouched for by a pre-enrolled trusted party account that does have strong authentication systems. But... homeless people are often transient and don't have access to regular support networks like a family member or social worker who could be enrolled as a backup account. In fact, you can already enroll a backup account if you want to.
> Google as a brand is absolutely dead in the water for anyone that has woken up from the 'Don't be evil' kool-aid of the early days.
Google has a pretty bad reputation at this point on tech blogs and forums. But, believe it or not, it actually shows up near the very top of trusted brands when third-party analysts do surveys on the wider population. Maybe this data is wrong, I don't know. But it is interesting.
Customer support is the main entry point into 99% of SIM swapping attacks and would similarly be for any targeted account takeovers. What sort of information do you possibly think would be enough to prove someone actually owns a Google account over the phone?
They're smart, I'm sure they can find a way, even if it contains such horrible, detestable ideas like "more support staff" and "more training for support staff".
The claim in the link is that homeless people lose every single one of their possessions after a period of time. They also have minimal access to support structures that could be used as a recovery system. We've had decades of work on authentication and pretty much every solution either involves using a password manager to create unique passwords or having possession of a physical thing.
That won't at all bother anyone homeless, because there's never been a homeless person who was a conspiracy theorist.
(Obvious sarcasm detected)
Sometimes you have to make hard choices where some people get burned because the alternatives are worse. That doesn’t mean you don’t care.
In this case the people asking for 2FA are the "small minority", and the rest of us have to suffer through 2FA-authentication hell because of them.
How many people don't like 2FA because they don't know about all the times it's saved them from total account takeover?