Is apparently now acceptable

<https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>

Andy Burns <usenet@andyburns.uk> wrote:
> Is apparently now acceptable
>
> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>

As this is comp.mobile.android: It already was possible (I tested this
on October 22) if you were willing/able to use 'Google prompts' as your
2SV method.

But now it's more general, which is good.

On 06/05/2024 21:07, Andy Burns wrote:
> Is apparently now acceptable
>
> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>

How is this news? I did this years ago with Authy without needing to
give my phone number. Just scan the QR code and you're done.

Ah, it might be because this is specific for google *workspace*.

Chris wrote:

> Andy Burns wrote:
>
>> Is apparently now acceptable
>>
>> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>
>
> How is this news?

I only posted it because there are people who have complained it wasn't
possible to access gmail with oauth, or app specific passwords without
registering a verifiable phone number ...

Andy Burns <usenet@andyburns.uk> wrote:
> Chris wrote:
>
>> Andy Burns wrote:
>>
>>> Is apparently now acceptable
>>>
>>> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>
>>
>> How is this news?
>
> I only posted it because there are people who have complained it wasn't
> possible to access gmail with oauth, or app specific passwords without
> registering a verifiable phone number ...

Using a third party app for reading gmail does require 2SV/MFA, but no idea
why people felt that a phone number was needed. It is an option, but not
the only one.

Chris <ithinkiam@gmail.com> wrote:
> Andy Burns <usenet@andyburns.uk> wrote:
> > Chris wrote:
> >
> >> Andy Burns wrote:
> >>
> >>> Is apparently now acceptable
> >>>
> >>> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>
> >>
> >> How is this news?
> >
> > I only posted it because there are people who have complained it wasn't
> > possible to access gmail with oauth, or app specific passwords without
> > registering a verifiable phone number ...
>
> Using a third party app for reading gmail does require 2SV/MFA, but no idea
> why people felt that a phone number was needed. It is an option, but not
> the only one.

As Andy indicated: If you want/need to use App Passwords. That
requires to switch on 2SV, but maybe you don't want to use SMS (hence
phone number) for 2SV and don't want to or can't use 'Google prompts' or
'Security Key'. In that case, you were stuck, but now you can proceed
and for example select authenticator apps or even Backup Codes.

Andy also mentioned needing 2SV/MFA for Gmail with oauth, but as I
have no experience with that, I won't comment on it.

Frank Slootweg <this@ddress.is.invalid> wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> Andy Burns <usenet@andyburns.uk> wrote:
>>> Chris wrote:
>>>
>>>> Andy Burns wrote:
>>>>
>>>>> Is apparently now acceptable
>>>>>
>>>>> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>
>>>>
>>>> How is this news?
>>>
>>> I only posted it because there are people who have complained it wasn't
>>> possible to access gmail with oauth, or app specific passwords without
>>> registering a verifiable phone number ...
>>
>> Using a third party app for reading gmail does require 2SV/MFA, but no idea
>> why people felt that a phone number was needed. It is an option, but not
>> the only one.
>
> As Andy indicated: If you want/need to use App Passwords. That
> requires to switch on 2SV, but maybe you don't want to use SMS (hence
> phone number) for 2SV and don't want to or can't use 'Google prompts' or
> 'Security Key'. In that case, you were stuck, but now you can proceed
> and for example select authenticator apps or even Backup Codes.

That's what I'm saying. That isn't new. I've been using Authy for several
years with gmail logins. I don't think I've ever used a mobile number for
google.

> Andy also mentioned needing 2SV/MFA for Gmail with oauth, but as I
> have no experience with that, I won't comment on it.
>

Chris wrote:

> That's what I'm saying. That isn't new. I've been using Authy for several
> years with gmail logins. I don't think I've ever used a mobile number for
> google.

If authy only runs as a phone app, does that phone need an associated
mobile number? Does authy need access to know it?

Personally, I have no issue giving google a mobile number, but there is
on specific individual around these parts, who certainly did object and
as a consequence couldn't setup oauth, or an imap specific password.

Andy Burns wrote on Thu, 9 May 2024 17:21:56 +0100 :

>> That's what I'm saying. That isn't new. I've been using Authy for several
>> years with gmail logins. I don't think I've ever used a mobile number for
>> google.
>
> If authy only runs as a phone app, does that phone need an associated
> mobile number? Does authy need access to know it?
>
> Personally, I have no issue giving google a mobile number, but there is
> on specific individual around these parts, who certainly did object and
> as a consequence couldn't setup oauth, or an imap specific password.

I'm confused by the information in the OP as I've recently (just last week)
tried to set up a new Google account using just my normal ISP (no VPN) but
Google insisted on a phone number and hence the account never got set up.

In a normal home environment, and therefore not in a corporate managed
computer, does this new information mean anyone at home can now start a new
Google email account without needing to have a phone number on file?

How?

Andy Burns <usenet@andyburns.uk> wrote:
> Chris wrote:
>
>> That's what I'm saying. That isn't new. I've been using Authy for several
>> years with gmail logins. I don't think I've ever used a mobile number for
>> google.
>
> If authy only runs as a phone app, does that phone need an associated
> mobile number? Does authy need access to know it?

Yes, it is only a mobile app so it does require a smartphone, but doesn't
require the phone number.

> Personally, I have no issue giving google a mobile number, but there is
> on specific individual around these parts, who certainly did object and
> as a consequence couldn't setup oauth, or an imap specific password.
>
>

Andy Burns <usenet@andyburns.uk> Wrote in message:

> Is apparently now acceptable
>
> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>

When I first saw this announcement I ignored it because I didn't
know what Google Workspaces was. When I realised Gmail was part
of it I decided to change my gmail accounts to use an
authenticator app (I use andOTP on Android and FreeOTP on iPhone)
and remove the phone numbers. (This was prompted by recently
changing my mobile number which was a painful process .) I have
several gmail accounts, some 2SV some not.

It was quite easy using the account security settings on the gmail
web page. I added the authenicator then deleted the phone number
if it was already used it for 2SV. One account had my old phone
number which I'd failed to correct so that was a useful
find.

One of the gmail accounts had Google Prompts as an authentication
method. I'd not heard of that either but the little tablet icon
gave me a clue.

The section of the account/security webpage for enabling 2SV
prompts for a phone number on the same line; it's not obvious you
can scroll down and add an authenticator first then come back to
it and enable 2SV.
--
Remove numerics from my email address.

Chris <ithinkiam@gmail.com> wrote:
> Frank Slootweg <this@ddress.is.invalid> wrote:
> > Chris <ithinkiam@gmail.com> wrote:
> >> Andy Burns <usenet@andyburns.uk> wrote:
> >>> Chris wrote:
> >>>
> >>>> Andy Burns wrote:
> >>>>
> >>>>> Is apparently now acceptable
> >>>>>
> >>>>> <https://workspaceupdates.googleblog.com/2024/05/updates-for-configuring-two-step-verification-for-your-google-account.html>
> >>>>
> >>>> How is this news?
> >>>
> >>> I only posted it because there are people who have complained it wasn't
> >>> possible to access gmail with oauth, or app specific passwords without
> >>> registering a verifiable phone number ...
> >>
> >> Using a third party app for reading gmail does require 2SV/MFA, but no idea
> >> why people felt that a phone number was needed. It is an option, but not
> >> the only one.
> >
> > As Andy indicated: If you want/need to use App Passwords. That
> > requires to switch on 2SV, but maybe you don't want to use SMS (hence
> > phone number) for 2SV and don't want to or can't use 'Google prompts' or
> > 'Security Key'. In that case, you were stuck, but now you can proceed
> > and for example select authenticator apps or even Backup Codes.
>
> That's what I'm saying. That isn't new. I've been using Authy for several
> years with gmail logins. I don't think I've ever used a mobile number for
> google.

I think you *did* use a phone number, because, as I said, you needed
(past tense) a phone number or 'Google prompts' or a 'Security Key' to
switch on 2SV. Note *phone* number, not neccessarily a *mobile* number,
because Google can use a voice prompt for 2SV. (As I said elsewhere in
the thread, I tested this (i.e. set up a new Google Account) as recently
as October 23, so Andy's information is indeed new.)

> > Andy also mentioned needing 2SV/MFA for Gmail with oauth, but as I
> > have no experience with that, I won't comment on it.

Andrew <andrew@spam.net> wrote:
> Andy Burns wrote on Thu, 9 May 2024 17:21:56 +0100 :
>
> >> That's what I'm saying. That isn't new. I've been using Authy for several
> >> years with gmail logins. I don't think I've ever used a mobile number for
> >> google.
> >
> > If authy only runs as a phone app, does that phone need an associated
> > mobile number? Does authy need access to know it?
> >
> > Personally, I have no issue giving google a mobile number, but there is
> > on specific individual around these parts, who certainly did object and
> > as a consequence couldn't setup oauth, or an imap specific password.
>
> I'm confused by the information in the OP as I've recently (just last week)
> tried to set up a new Google account using just my normal ISP (no VPN) but
> Google insisted on a phone number and hence the account never got set up.
>
> In a normal home environment, and therefore not in a corporate managed
> computer, does this new information mean anyone at home can now start a new
> Google email account without needing to have a phone number on file?
>
> How?

Andy's reference is about enabling 2SV in an existing Google Account,
not about creating a new account.

Creating a new Google Account without a phone number has always been
possible, at least it still was on October 23 when I last tested this
(probably/possibly (also) for you).

But it did require to specify a birthday.

I specified a birthday, set Gender to "Rather don't say" and skipped
the recovery e-mail and the phone number. So the only info Google has is
a fake name and a fake birthday.

Frank Slootweg wrote on 10 May 2024 14:07:42 GMT :

>> In a normal home environment, and therefore not in a corporate managed
>> computer, does this new information mean anyone at home can now start a new
>> Google email account without needing to have a phone number on file?
>>
>> How?
>
> Andy's reference is about enabling 2SV in an existing Google Account,
> not about creating a new account.

Oh. I missed that. Thank you.
I'm allergic to 2SV/2FA as I feel it's an obvious invasion of privacy.

Much appreciated the clarification as Andy always has good information
(so I wanted to be clear that I understood what he was informing us of).

> Creating a new Google Account without a phone number has always been
> possible, at least it still was on October 23 when I last tested this
> (probably/possibly (also) for you).

Everyone says that but I'm no technical slouch and it *always* asks for a
second verification, whether a phone or an email, and I give it neither.

Hence, it refuses to set up the account. I'll try again later to screenshot
it for the team such that my experience has been GMail always requires it.

> But it did require to specify a birthday.

That's not a problem as any given day is easily 'bogused.

For example, I have a specific historical event that I use as my birthday.
That way, if I forget it, I can always look it up.

Same with my passwords which are the last letters of the first set of words
to famous songs (which I do so that I can look it up if I forget).

For example, Cher sang "Bang Bang (My Baby Shot Me Down)" which turns into
something like "!!(yyten)" as a password, although sometime numbers are
required (such as in the chorus to the Beatle's "Revolution 9").

> I specified a birthday, set Gender to "Rather don't say" and skipped
> the recovery e-mail and the phone number. So the only info Google has is
> a fake name and a fake birthday.

< off topic US-specific political rant >

The two questions in any application that I never answer if it allows me
are my gender and my race since they don't have "Germanic" or "Italic" and
yet they have the idiotic political designation of "Hispanic" "Black" &
"Asian" in the USA - where "Hispanic" is just a political offshoot of
European (which doesn't exist) and hence, it's an insult to all Caucasians
(IMHO).

If they insist on a race, I often write in "human race" and if they don't
give me the option, then I arbitrarily pick one of the politicized races.

Coincidentally, they also often ask the latest year of education of my
parents (which is something my kids constantly get asked when going to
school) where again, I give them a fully 'bogused answer of my choosing.

Note: If they simply provided a "Why we are asking these unrelated
questions", maybe I'd take them more seriously if they gave a good reason.

< / off topic US-specific political rant >

Andrew <andrew@spam.net> wrote:
> Frank Slootweg wrote on 10 May 2024 14:07:42 GMT :
>
> >> In a normal home environment, and therefore not in a corporate managed
> >> computer, does this new information mean anyone at home can now start a new
> >> Google email account without needing to have a phone number on file?
> >>
> >> How?
> >
> > Andy's reference is about enabling 2SV in an existing Google Account,
> > not about creating a new account.
>
> Oh. I missed that. Thank you.
> I'm allergic to 2SV/2FA as I feel it's an obvious invasion of privacy.

You're of course free to (try to) prevent use of 2SV/2FA, but AFAIK,
authenticator 'apps' (programs) don't have any privacy issue. Perhaps
others can comment on that.

> Much appreciated the clarification as Andy always has good information
> (so I wanted to be clear that I understood what he was informing us of).
>
> > Creating a new Google Account without a phone number has always been
> > possible, at least it still was on October 23 when I last tested this
> > (probably/possibly (also) for you).
>
> Everyone says that but I'm no technical slouch and it *always* asks for a
> second verification, whether a phone or an email, and I give it neither.

Yes, it *asks*, but you can *skip* it.

> Hence, it refuses to set up the account. I'll try again later to screenshot
> it for the team such that my experience has been GMail always requires it.

That would be nice. Perhaps things are different for this side of the
pond (Andy, Chris and I are in Europe). BTW, this is about setting up a
new Google Account, not about Gmail.

[...]

Frank Slootweg wrote on 10 May 2024 15:07:22 GMT :

>> Oh. I missed that. Thank you.
>> I'm allergic to 2SV/2FA as I feel it's an obvious invasion of privacy.
>
> You're of course free to (try to) prevent use of 2SV/2FA...

Yes. I know. Privacy is getting more and more difficult every day.
Mainly because Google makes the rules and others follow those rules.

Luckily, OAUth2 is still working for Thunderbird & FairEmail on Android.

> but AFAIK, authenticator 'apps' (programs) don't have any privacy issue.

I just looked up my old XDA thread, which I updated with Andy's new
information, and at the same time I looked up what the existing OTA apps
are, which, last I tested the available free ad-free OTA apps, all
_required_ you to give them your personal information to set 'em up.

> Perhaps others can comment on that.

I'd be happy to learn more as I get frustrated instantly whenever any app
requires me to identify myself using personal information such as OTA apps
do when you're setting them up for the first time.

I'm not going to test them again but for others, here are some OTA apps
that were listed in my app archive when I did a dir on the OTA folder.

https://play.google.com/store/apps/details?id=com.twofasapp
https://play.google.com/store/apps/details?id=com.authy.authy
https://play.google.com/store/apps/details?id=com.rcdevs.auth
https://play.google.com/store/apps/details?id=com.azure.authenticator
https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp
https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis
https://play.google.com/store/apps/details?id=com.zoho.accounts.oneauth
https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp
https://play.google.com/store/apps/details?id=com.bitwarden.authenticator
https://play.google.com/store/apps/details?id=com.smmservice.authenticator
https://play.google.com/store/apps/details?id=com.authenticator.authservice2
https://play.google.com/store/apps/details?id=com.authenticator.app.starnest
https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
https://play.google.com/store/apps/details?id=authenticator.two.factor.authentication.otp
https://play.google.com/store/apps/details?id=otp.authenticator.app.authentication.password

>> Much appreciated the clarification as Andy always has good information
>> (so I wanted to be clear that I understood what he was informing us of).
>>
>>> Creating a new Google Account without a phone number has always been
>>> possible, at least it still was on October 23 when I last tested this
>>> (probably/possibly (also) for you).
>>
>> Everyone says that but I'm no technical slouch and it *always* asks for a
>> second verification, whether a phone or an email, and I give it neither.
>
> Yes, it *asks*, but you can *skip* it.

I understood what you said. I've heard it said so many times.
As I said, I'm no technical slouch on finding a "skip" or "ignore" button.
But maybe things have changed since last week (or maybe I made a mistake).
Just let me test it later today and screenshot it for the team.
>> Hence, it refuses to set up the account. I'll try again later to screenshot
>> it for the team such that my experience has been GMail always requires it.
>
> That would be nice. Perhaps things are different for this side of the
> pond (Andy, Chris and I are in Europe).

I'll do it from my own ISP and I could try it from my phone's T-Mobile data
but I've _never_ been able to set up a Google Account without needing to
give them private "real" data.

> BTW, this is about setting up a new Google Account, not about Gmail.

Maybe they're different in terms of setup, but I've never set up "only"
GMail. I set up a "Google Account" and it comes with the GMail (AFAIK).

I could be wrong - as I had never doubted it - but to me the GMail account
comes with the Google Account. Thanks for the clarification.

Andrew wrote on Fri, 10 May 2024 17:02:05 -0000 (UTC) :

> I'll do it from my own ISP and I could try it from my phone's T-Mobile data
> but I've _never_ been able to set up a Google Account without needing to
> give them private "real" data.

Correction...

I should clarify that this is only recently as I'm sure my dozen-year old
Google Account was set up without needing to give them private data.

Andrew <andrew@spam.net> wrote:
> Frank Slootweg wrote on 10 May 2024 15:07:22 GMT :
[...]
> >> Hence, it refuses to set up the account. I'll try again later to screenshot
> >> it for the team such that my experience has been GMail always requires it.
> >
> > That would be nice. Perhaps things are different for this side of the
> > pond (Andy, Chris and I are in Europe).
>
> I'll do it from my own ISP and I could try it from my phone's T-Mobile data
> but I've _never_ been able to set up a Google Account without needing to
> give them private "real" data.
>
> > BTW, this is about setting up a new Google Account, not about Gmail.
>
> Maybe they're different in terms of setup, but I've never set up "only"
> GMail. I set up a "Google Account" and it comes with the GMail (AFAIK).
>
> I could be wrong - as I had never doubted it - but to me the GMail account
> comes with the Google Account. Thanks for the clarification.

Yes, Gmail - and its associated e-mail address - comes with setting up
a Google Account. But Gmail is just one of Google's services and you can
create a Google Account and use some (other) Google services, but choose
not to use Gmail. That's why I make the distinction, in a context, such
as this, where it's important.