
> but the actual response is that without 2FA even more people lose access to their accounts

This is not black and white. It is possible to encourage 2FA but allow opting out. The same goes for phone numbers.

And that's why companies enforce 2FA: they want your juicy phone-number or other data. And yeah, maybe they also want to reduce support costs and avoid bad publicity. Still, it's not in your interest, it's in theirs.

If only they would at least allow a sufficient number of options. Like paper TAN lists (even self-printed), a YubiKey or similar, a second email address, an authenticator, ... but even big companies often only accept a phone number.

EDIT: Yes, Google offers more than a phone number when creating a gmail account. I didn't say they don't. However: they don't make it easy and I would even go as far as saying that they are evil here. If you don't believe me, try to create a gmail account right now and don't google/search how to do it without phone number.



> Still, it's not in your interest, it's in theirs.

Which is okay, because it is a business.

If society wants homeless people to have reliable access to email without having SMS 2FA or whatever requirements a business requires, then society should elect a government to provide it as a utility.

There is no reason to expect or want businesses to pick up the slack for the government not providing adequate safety nets. Let businesses be businesses, and let governments handle redistributing wealth.


I think this is a better answer than it first appears.

Initiatives at for profit corporations will always exist within some business constraints, shareholder obligations, and so forth.

It would be very reasonable for governments to provide tax-supported digital services. I could easily imagine that spending a few dollars per year to provide the homeless with basic digital services would pay off simply in easing administrative overhead.

But we don't do it, because, in America, our sense of what government can or should provide is atrophied, and we, mistakenly, look to private actors to provide basic public services.


>But we don't do it, because, in America, our sense of what government can or should provide is atrophied, and we, mistakenly, look to private actors to provide basic public services.

I don't think this matches reality. The US government is doing more today than at any point in the past. Spending and taxation as a percent of GDP are at an all-time high.

There's also a sense that nobody should have to do anything themselves. There's nothing stopping anyone from talking to a homeless person and helping them set up an email account without 2fa.


That's fair that I shouldn't make such an unqualified statement.

While public spending as a % of GDP has indeed increased, that's primarily driven by two things: increased defence (and related) spending, and increased spending on health costs.

In the US, the growth in social assistance spending over the last 3 decades is driven almost entirely by the latter: https://ourworldindata.org/grapher/social-expenditure-as-per....

At the same time, we continue to believe in privatizing basic government services: outsourcing social assistance to charities (including religious charities), outsourcing military and intelligence functions to mercenaries, or, on point for this thread, outsourcing ID verification to VC-funded private startups.


Looking at your numbers for just social spending, it has increased 50% since 1990 as a portion of GDP. Real GDP, adjusted for inflation, has itself increased more than 3x since 1990. This means that US social spending in terms of inflation-adjusted purchases has gone up more than 450% from 1990 levels.

This excludes military spending and is adjusted for the purchasing power of those dollars.

I don't know about you, but I don't feel like we are getting 450% more value out of the government services. The numbers are pretty clear that the government is collecting more and more inflation adjusted dollars from people's income than ever before.

I suspect we would probably agree that the government is not being a responsible steward of this money that it is collecting.

My primary point was that I don't think the belief that there has been a decrease in government spending and revenue is reflected in the numbers. Further, I think it is important to push back on the idea that the systemic issues we see can simply be solved by throwing more money into an increasingly inefficient system.


Sure. My point was indeed to suggest we rethink what government can do.

Can governments (not necessarily the federal government) run a public service internet system? Sure, and probably more easily than we can, as another poster suggested, regulate tech companies into providing the right tradeoffs for housed and unhoused users.


I've been on municipal broadband and it was fine. I ended up moving to a private provider because it was better and cheaper.

When it comes to the right trade-off for the housed and the unhoused in terms of email service, I'm skeptical that the solution is regulatory. It seems like there is a large number of email providers that already offer what the homeless need. The problem is simply setting them up with the correct provider and user settings.

This seems like a job for people that work with the homeless.


Sure. I was also saying the solution is not regulatory.

But, look at that: the federal government already provides the homeless with cell phones. Yet instead of arguing that the government should also provide free email—which of course costs far less than cell service—the poster argues that existing commercial services should better serve the homeless.

Which, of course, would be nice! But my point was that this kind of argument seems to reflect a mistaken perception of free online services as some sort of social service, with commensurate obligations.


I see, I think I read in haste and missed your position on regulating tech into somehow solving the problem.

It seems like we basically agree.


> Which is okay, because it is a business.

It might be legal and maybe even legitimate, but OP said:

> This isn't a "fuck the people who don't have regular access to a phone, they don't matter" situation.

So yeah, those people don't matter (enough) in the sense that it's not worth offering more methods of 2FA. Let's not pretend otherwise.


Am I pretending otherwise? Obviously businesses value certain people more than others. It is a business.


Not you, but the OP certainly gives this vibe.


I find your worldview overly constrains the range of possibilities and eliminates reasonable ones, like expecting companies not to disproportionately harm those in our society who are least able to recover from or avoid the harm.


Businesses are not harming anyone by not providing charity.

I struggle to see a reasonable possibility of the government either directly providing, or legislating others to provide, identification and communications services. One of the greatest utilities in the US is USPS, a monumental accomplishment to be able to provide communications to all people in the US.

Tacking on email (and identity verification services - which USPS already does via passports) should be a no brainer.


IMO it became plainly a good idea to have the US Post Office provide email service no later than a decade ago.


> And that's why companies enforce 2FA: they want your juicy phone-number or other data.

It is possible. And, as far as I understand it, the teams at Google in charge of this have evaluated this option and found that it leads to more lost accounts.

The people responsible for user authentication at Google are in a completely different part of the company from advertising and, in my experience, are especially stubborn about their focus on security. "This is about phone numbers" doesn't make sense to me given my personal experience.

> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

We are talking about Google specifically here, which offers all of these options.


For our product, 2FA is pretty important as a security feature (domain registrar). That said, if you don't want to use it, that's on you as the user. We help out in a different way for those users - we make it impossible to disable account sign in email notifications if you don't use 2FA and those email notifications include a "nuke all active sessions and lock my account" button that can (and has) saved users if their account is compromised due to things like leaks of credentials that they've reused on multiple sites.

2FA is a major hassle for support when users get locked out because they smash their phone or change phone numbers or somehow lose access to the 2FA method. But, the benefits of 2FA largely outweigh those downsides for the majority of users. Offering the choice though, is something we think is important.


> For our product, 2FA is pretty important as a security feature (domain registrar). That said, if you don't want to use it, that's on you as the user.

That's all I'm asking for as a user - thank you for being on the good side. Optimally you allow for multiple MFA options, so that I can e.g. use an authenticator app and a yubikey, as well as a recovery code in my bank.


> It is possible to encourage 2FA but allow to opt out.

You might be surprised to learn that this is how it works for Google accounts: it is default-on but you can turn it off.

> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

You might be even more surprised to discover that all of these options are supported for Google accounts.


Not only have I not said that Google doesn't offer 2FA - yes they do.

However, Google tries _very hard_ to prevent people from e.g. creating a gmail account without a phone number. Try it if you don't believe me.


I definitely vividly remember needing it a few years ago, but right now I can try to sign up and it says "Mobile Number (optional)" (Maybe that's based on some security heuristics).


Yeah and it also only works on your phone (or if you know how to make Google think you are on your phone) and in certain countries. All to my knowledge and based on my tests.


I just did it from Firefox on Linux in a private tab near Washington, D.C.. Fake name, no phone, no backup email. I was able to log out, sign back in, and send an email without any trouble.

No doubt they're letting me through because some security heuristic says I'm a real human, and I'm sure they'd eventually make me provide a number if I continued using the account (this happened to me with my university G Suite account a couple years ago and I needed to contact my IT department to manually disable the phone challenge), but so far I can't see any evidence that they're doing anything unreasonable.

Perhaps they're requiring you to use a number because you've tested it a lot.


We are talking about creating a new account, not about signing in.


I thought the same but I just tried on Firefox desktop (Windows) and spun up a new Google account with email, password, fake first+last name and fake birthday. Really, I was expecting to be stopped at "Phone Number required" but it is indeed optional.


Google only allows non-U2F 2FA methods (like TOTP) to be enabled AFTER enabling a hardware U2F device. And signing up without a working mobile number is impossible. Anyone who says that's not true hasn't actually tried in the last several years.


I definitely had TOTP before I had U2F. I think you mean after enabling SMS 2FA, not U2F.


Nope, while I also did have TOTP before U2F (because it wasn't even a thing then), the rules changed to where if you don't have a phone number on your account, then you're required to enroll a U2F device before you can turn on TOTP.


Can't turn it off for a Google Ads account any more. Won't let you in. This is a real pain for a shared Google account in a small team like ours. Sick of Google removing user choice.

We all knew the password, no problems at all. Now it mandates 2FA. And because they mandate it for Google Ads, now it's on for everything like Google Drive etc.


Gmail offers all of these (except for the second email address): paper backup codes, hardware authenticators, non-Google/gmail authenticator apps. The problem is that homeless people can/do routinely lose the “thing you have” part of 2fa.


Huh? Gmail most certainly supports paper codes, hardware authenticators, and non-google auth apps.


Ugh yeah that was punctuation hell, updated


> If they at least would allow for a sufficient number of options. Like paper-tan (even self printed), yubikey or similar, second email address, an authenticator, ... but even big companies often only require a phone number.

Google seems to support all of those?


Did you recently try to create a gmail account? If not, I suggest you try it right now. Maybe you will be surprised.

Hint: it is still possible to create a gmail account without phone number, but it has become quite tricky to do so.


> it is still possible to create a gmail account without phone number

Nope. Not possible.

Oh how I would love to be proven wrong though.


It's possible. Try to do it from your phone with your browser in incognito mode.


Oddly, I suspect if Google provided no free accounts at all--if you had to give a credit card and pay $5 to sign up--nobody would be complaining about this.

Which leads me back to the point made elsewhere in this thread: we have too high an expectation for what private companies can or should do, because they have taken the place in our minds of government.

And our expectations for what government can or should do are too limited, because we've convinced ourselves government is ineffective and unaccountable.


I can assure you that this suspicion is wrong, at least about me.

I've personally bought/subscribed to various companies both personally and professionally. Just recently (a couple of weeks ago) I evaluated a couple of mail providers. I discarded all of those that enforced 2FA with a phone number.

For instance Mailgun. At least the support helped me:

> Hello XXX,
>
> Thanks for bringing this to our attention.
>
> At this time, I have successfully activated your account so that it is now fully operational and you are all set! You may need to log out, then back in, to reflect this change. Also, your users can indeed utilize Google Auth without using a phone number.
>
> Please reach back out if any other questions arise.
>
> Regards,
> XXX | Mailgun by Sinch

Others weren't as flexible. E.g. SendGrid:

> Hello,
>
> Thanks for reaching out to Twilio SendGrid Support and for your interest in our products. My name is XXX and I'll be more than happy to assist you in this matter.
>
> I am sorry for the inconvenience caused by the 2 Factor Authentication process, but this is mandatory for all accounts, as a security feature.
> The only options available are to setup 2FA through Authy: to receive an SMS code or use the Authy app, which you can download here.
>
> I apologise for the inconvenience caused by the fact that we do not have any other options available at the time.
>
> Please do let me know if you have any additional questions in regards to this matter and I will be more than happy to further assist.
>
> Kind Regards,
>
> XXX | Technical Support Engineer Twilio-Sendgrid

Forcing me to use your own homegrown authenticator or a phone number? No thank you.

In the end I decided on a provider that offers 2FA with multiple options and doesn't enforce it.

Doesn't matter if I pay or not, really.


> Oddly, I suspect if Google provided no free accounts at all--if you had to give a credit card and pay $5 to sign up--nobody would be complaining about this.

That is like saying 'if the DMV didn't offer IDs to people, no one would complain about not being able to get an ID'.

The fact of the matter is that email is 'de facto' online ID, and gmail has positioned itself into this role. They are now a societal need, not a luxury. They need to be regulated.


Email may be a societal need, but Gmail === Email. They're one email provider in a sea of providers. There are dozens to hundreds of free email provider choices out there.

One doesn't need Gmail to have a functioning email address.


My point was that this is a dumb argument.

If email is a societal requirement--and maybe it is, or should be--public utilities should provide it.

It's easy to build an email provider. Why shouldn't your state or local government provide one?

