2

Both Gmail and Outlook keep asking for a phone number for security purposes once in a time, when you log in.

Now, I decided to use two factor authentication via a phone authenticator app for both. Gmail seems to have a phone number as a mandatory requirement for using 2FA.

From my perspective, I don't think a phone number should be a mandatory requirement for the 2FA service. If you use 2FA, I think you're responsible enough to keep a recovery code stored at a safe place. Moreover, I find it infringing on my privacy.

Why does Google ask for a phone number as a mandatory requirement for using the 2FA service?

Furthermore, if you're logged in through your smartphone, there already exists a prompting feature. This seems to make the phone number requirement a bit redundant.

It is the mandatory requirement that I disagree with. They diverge in this policy from Microsoft Outlook and Attlasian's Bitbucket, for instance.

Mussé Redi
  • 145
  • 7

1 Answers1

2

It all burns down to solving just one problem: spam protection. Ensuring that the people who sign up for services are real people.

Before that, thanks for bring this up, and yes, it is indeed annoying.

From what I have perceived, services that deal with "real people" often want some sort of "real world" token that a person would have on them. Like a biometric scan, something unique or nearly unique to a person.

And since we don't expect every person to have special hardware like biometric scanners, our phone numbers happen to be the next most unique (I cringe) and convenient way of having almost that.

Facebook, Twitter, Gmail, every people-to-people service wants (and are often criticised) for requiring it. Although in the case of messaging service it makes some sense to have that, because "that is how WhatsApp routes chat messages between you and your contacts" But no one seems to be arriving at a better solution for it. And from what all I have read, not a lot of investments are being done to fix this either. Yes, it does require fixing IMO.

Edit: Case in point is Google, and in their case, they also use it as a recovery option in case you lose access to your credentials. Which is not very secure, so they pad it up with additional checks like security question, or recovery Email addresses.

Community
  • 1
Sankalp Sharma
  • 136
  • 4
  • But 2FA is a somewhat second-tier service. Why would you impose this mandatory requirement for an extra security layer? Spam protection policy would apply to the registering of an account. This seems like trying to accomplish something through a non-relevant channel. I would understand (although it is annoying) that they ask it some times when you log in, but to make it mandatory for using 2FA seems a bit overkill to me. – Mussé Redi Feb 12 '17 at 13:40
  • @MusséRedi True to some extent. It is not in fact overkill, rather underkill. Phone-number based recovery makes it much much less secure than a proper 2FA. Although I forgot to mention, in the case of Google, they use phone number as a backup. In case you lose all access to everything, they try and get your account recovered through an SMS or a phone call.

    [Edit: typo, grammar]

     – Sankalp Sharma Feb 12 '17 at 13:43
  • I think it's a bad policy. People who use 2FA surely can take care of storing the recovery code. I think the collection of phone numbers for enhancing their information base, weighs heavier than the backup option. I also agree that it makes the 2FA less secure. – Mussé Redi Feb 12 '17 at 13:50
  • @MusséRedi Yes, there is that angle to it. But I doubt if the person(s) responsible for account recovery at Google would think in terms of how much data they can amass from every single user; that would be a sheer waste of their architecture design skills. (just my opinion)

    Bear in mind that they are making services for every layman, who have no clue about data security.

     – Sankalp Sharma Feb 12 '17 at 13:52
  • Maybe you're right about that the person responsible for account recovery at Google doesn't think about how much data they can amass from every single user.

    It is the mandatory requirement that I disagree with. They diverge in this policy from Microsoft Outlook and Attlasian's Bitbucket, for instance.

     – Mussé Redi Feb 12 '17 at 13:58