
On Google's "Enter your code" screen, if you click the "Don't have your phone?" link, you get a pop-up that gives you the following options:

   * Use a backup code. Learn more
   * Send to your backup phone number ending in ##
   * I cannot access any of my phones Learn more
I presume option #2 is the one cubicle67 is referring to.

So yes, if someone gets my phone, they can then gain access to my Google account. Grrrrr...




> So yes, if someone gets my phone, they can then gain access to my Google account. Grrrrr...

Only if they also know your password. That's why it's called "two-factor authentication". Simply compromising your password is not enough. They also have to capture your phone.

Now, if you're stupid enough to write your password on the back of your phone... you deserve everything that's coming to you.


There are plenty of valid theoretical cases being made in this thread that the phone is not a fully-independent second factor from the password. Syncing phones to laptops is a big one. If your phone is compromised and you're concerned at all, you really should just reset your password.


> I presume option #2 is the one cubicle67 is referring to.

I'm pretty sure the backup phone number is someone else's phone, not yours. I use my wife's phone number.

If you lose your phone (and thus access to the Google Authenticator app), you can send a code to the backup phone (for example, my wife's phone) allowing you to login.


Then why are you not using POP or IMAP with a separate password? What are they going to do with the auth code when they don't have your original password?

I'm not trying to defend their stupid choice of offering option #2, but rather trying to offer a solution to your current problem.


I find option #2 to be very useful, not stupid.

If my phone becomes unavailable (e.g. lost, stolen, dropped in a toilet) then I need a backup option to log in. The backup options Google provides are:

   * Use a backup code
   * Use a backup phone number
   * None of the above, I still need help!

1. The backup codes are suggested to be printed and stored in a wallet; however you can put them anywhere you like.

2. The backup phone number can be somebody else's number. Your best friend, your partner, whatever.

3. If you still can't get a backup code, the third option is to go through Google's support team and recovery process. Selecting this option results in an advisory message stating the process could take from 3 to 5 days.

These options appear to be very sensible to me.


I guess that's fair, but since it seems like that's how it got gamed, they should definitely be more strict and send only to your primary or backup number.


> So yes, if someone gets my phone, they can then gain access to my Google account. Grrrrr...

If someone gets your wallet, they can use your credit cards to gain access to your credit. You cancel the credit cards. Move on with your life.

Your phone already matters as much as your wallet now - that's just reality. Secure your phone as best you can. Use full-disk encryption wherever backups are stored. Don't give your phone to people you can't trust. Change your password if you lose it or it gets stolen. Move on.

These are tools to solve problems, not shrines to worship.



