Google has a lot of issues, but the gist of these Twitter posts is that homeless people lose their phones multiple times a year, and their phone number, and this makes 2FA hard.
But, I mean, why are they not railing on the phone companies, to make it easy for the homeless to keep the same phone number?!
This is not just the homeless; there was a post on HN from a librarian talking about the same issues for the elderly and socially disadvantaged. The issue is that Google forces 2FA on them, even if they otherwise don’t have a phone.
This post was also very misleading. The concerns the librarian raised were actually addressed. The doc was old and made public by somebody other than the librarian, who edited it after it blew up to make it clear that the content was out of date.
======
Addition, 08/02/2022, 3:03pm: I don’t know how this got shared to HackerNews. I appreciate all of the positive responses we have gotten. However, this was not an open letter. It was meant to be shared internally to Google. It went directly to the security team and we had a conversation about it about a year ago. Things have improved significantly since then and this is no longer a daily problem. Please stop calling the branch or emailing me about it. It’s interfering with my work. Press inquiries can be made through https://libwww.freelibrary.org/contact/ and the public relations department will be in touch with you.
If you want to learn more about patron privacy and support librarians advocating for patron privacy and against big tech please check out https://libraryfreedom.org/ which is a wonderful organization I am a part of that does work like this. I still firmly believe in and stand by everything that I wrote. But this particular action was not meant to be a public letter.
Also! If you’re in Philadelphia you should check out this big program we’re doing on August 12th called Empathy Versus Misinformation where a panel of experts will address questions and misconceptions about transgender youth!! Boy am I relieved that this was a Google Doc and I can just put whatever I want onto the front page of HackerNews now :)
> Doesn't sound like it was completely resolved. In fact, it sounds like Google may have treated it as a "squeaky wheel," and only that library is getting better help.
So on one hand we've got the actual author of the original document saying one thing and on the other hand we've got an uninvolved internet poster saying something else.
It really is every company's fault that jumps on this absurd trend of seeing SMS-2FA as the be-all and end-all of user identification and verification.
Google is actually doing much better than the competition here in many aspects (e.g. it is possible to operate a Google account completely without a phone number for 2FA or account recovery), but as far as I understand, one is still required to initially create an account.
> it is possible to operate a Google account completely without a phone number
This is only true for a limited time. I've tried to use a couple Google accounts this way and inevitably I log in from a new IP and Google's 2FA system kicks in - forcing me to either furnish a phone number or lose access to the account.
It's similar to how Twitter forces phone numbers out of people - just not as immediate.
That's definitely a problem, and a tricky one to solve in the context of 2FA: One of these factors is usually knowledge (your password); the other then has to be possession or inherence, and the latter has problems as well.
Essentially, if you rule out possession, your choice is between server-side validated biometrics (if offered at all), or "double knowledge" (e.g. a password and email 2FA, with the email account also only protected by a password), which is pretty phishable.
But, I mean, why are they not railing on the phone companies, to make it easy for the homeless to keep the same phone number?!
Why is this Google's fault?