Why is SMS Google’s Primary 2FA Method?

by Alberto Matus

One of the domains I manage with Google for Education enforces the 2-step verification for obvious security reasons. Nevertheless, the only three methods available during the 2FA setup process are:

  • Setting up a Phone number via (SMS or phone call)
  • Security Key (physical device) difficult to obtain in Belize
  • Google Prompt

This differs from a few years ago whereby you could use third-party apps for 2FA. The go-to option for many has always been the first option which is via a phone number. However, I had two users unable to use their numbers (new accounts). I deleted the accounts, recreated them, and created new/different user emails and it still did not work. After testing with different numbers we realized that it had something to do with their numbers. For whatever reason it is still unknown. Perhaps Google has blocked those specific cell numbers, but at this point, it will remain unknown.

Error with Phone number

Nevertheless, there are a few lessons learned here:

  • You can’t use the authenticator app to enable 2FA, the three above are the primary methods. Even though SMS is one of the least secure ways to send information.
  • Authenticator apps can only be set up later, as secondary options.
  • Even though one-time recovery code options could be a nice way of a primary option after presenting warnings and consequences to the average user, it’s still listed only as a secondary option. (But we all know most don’t read the warnings).
  • If you don’t want to use Google’s native authentication methods you have to use app passwords, but to generate app passwords you have to have 2FA enabled.

Most importantly, one can only assume that the authenticator app is not a primary method, well because Google boasts billions of users, and consistently, a significant number of them encounter situations where their devices become non-functional, resulting in the loss of access to their 2FA credentials. Despite their imperfections, phone numbers remain the most dependable enduring, and relatively unchangeable attributes that can function as a stand-in for identity. This quality significantly contributes to the facilitation of large-scale account recovery. For instance, if you accidentally damage your phone screen, you can simply visit a physical cellular store, provide identification, and obtain a new phone capable of receiving security codes, all without encountering any significant obstacles.

Think of it like using social security numbers to authenticate yourself to the bank. Yes, it’s terrible, but it’s kind of the only thing that works when done on a massive scale. Yes, you can do better at managing your 2FA credentials, but most users cannot – they struggle even having strong passwords. Phone numbers bridge that security-usability gap. To be clear, this isn’t an endorsement of the system (I think the user should be allowed to choose), but rather trying to make sense from an engineering perspective.

To test out Google’s take on authenticator apps I personally used my number on one of the accounts to enable 2FA. Only after doing that did it become possible to set up alternative 2FA solutions and so I proceeded with Google Authenticator. Interestingly enough, I was able to remove my phone number and stay with only the authenticator app. So clearly they’re happy with non-SMS 2FA being the only 2FA method on the account, as long as they first get the opportunity to stalk you beforehand?? Why not present these options as primary methods?

But we haven’t forgotten the Google prompt option. To enable the Google prompt one has to do sort of the following:

  • Sign in to a mobile device.
  • Go back to your PC and enroll in 2FA.
  • Show More Options.
  • Choose Google Prompt and Select the mobile device on which you signed in to your email.
  • Once saved. You can add the second presented method of one-time backup codes.
  • Finally, after this, you can add another method such as Google Authenticator or Authy.

Pretty complicated for your average user isn’t it? Makes you just want to type in your phone number and be done with it.

Yet, this process of assisting the users did present their privacy concerns regarding data tracking and/or personal numbers being input into these services. I’ve had my past experiences with a vast number of users presenting this concern in other companies. Some have even gone so far as to ask their employers to buy them a work sim for this specific reason.

Google is a mass market company, clearly not a privacy company. Anyone who really wants to not be constantly tracked should probably stay away for many more reasons than this – but this is the same for many tech giants. Despite that, we are in the era of technology where attackers are on the rise and sometimes it’s not just about advertising/collecting personal data (but it has happened – Eg1 (Twitter) Eg2 (Facebook) ). In either case, sometimes we are presented with it being the only option.

Despite the complications people feel 2FA/MFA present, by no means would we revert back to setups without it. There are just too many security concerns in today’s digital age which makes this an important step in addressing them. However, perhaps our privacy and online digital footprint sometimes end at the bottom.

What’s your take? Are we being stalked via our 2FA numbers and that’s why it is the primary method presented?

You may also like

Leave a Comment

Update Required Flash plugin