In one of the later posts, the OP writes that the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
Also, fully acknowledging Google's and other big techs' 2FA is far from ideal:
The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts; and at the same time to homeless people who can't keep any physical thing. It's kinda difficult to meet those conflicting requirements well at the same time.
Maybe the solution should be to have some basic free state-paid email provider for those people. They are not forced to use Gmail specifically (albeit the number of non-sucking and free email providers is probably close to zero).
> ... the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
How about the homeless person remembers a good password, and that's all that's needed for authentication? You know, just like it used to be. What exactly is wrong with that?
> How about the homeless person remembers a good password, and that's all that's needed for authentication?
Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place? Passwords alone are a bad solution (often forgotten, easily re-used insecurely) for people without all of the challenges and frequent mental issues that accompany homelessness, why would you think they'd be a good solution for people who, as the OP says, aren't capable of keeping track of a physical device for more than N weeks?
I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems that 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
Frame challenge - 2FA doesn’t solve any problems that are actually problems for the homeless.
A homeless person has a vastly different cybersecurity paradigm, specifically, they don’t need much in the way of cybersecurity. Nobody is stealing a homeless person’s identity.
Given that, just let them disable it, and let them just use a password. It’s fine to rate limit them if they forget the password a few times, but let them keep trying to log in until they remember it.
I think this comes from a supportive mindset, but working with homeless populations over the years I think they often were more at risk than many other groups. Significant numbers deal with domestic violence or otherwise abusive relationships, as one example, where these kinds of security issues can be life or death, and they often lack the digital hygiene skills many folks take for granted (I think half the folks in a computer lab I worked with left their password saved when Chrome offered to remember it, or even wrote it down in a text file).
Wouldn’t a homeless person's identity be ideal to steal? There are lots of illegal immigrants that pay big money for a clean social security number and other things. It would probably take a homeless person longer to realize their identity has been stolen than a non-homeless person.
>why would you think they'd be a good solution for people who aren't capable of keeping track of a physical device for more than N weeks
Homeless people have no physically secure place to store their possessions. The reason so many of them lose cell phones is because they get stolen or destroyed. It's not because they're incapable of "keeping track" of them.
2FA is a good option, but there are many situations where a plain password is just superior. If you ignore this reality, that passwords are legitimately more secure and better for a lot of people, then you're undermining an existing working security system and will just cause chaos and loss for people.
"There is an imperfect existing solution, with a problem, therefore we will ban the existing solution and move to a new, better one"
... should require extraordinary certainty in the completeness of one's new solution before banning the previous.
There are very few times when the legacy method should be deprecated, and Google is the poster child of someone who shouldn't be trusted to recognize them.
(Looks pointedly at Chrome mv2/3 hubris and implementation clusterfuck)
> Chrome mv2/3 hubris and implementation clusterfuck
I'm not sure why you think MV3 is a clusterfuck, it seems like it's doing exactly what Google wants. If you're confused by that, remember, you're the product, not the customer.
Assume I'm talking about something deeper than generic HN cliches. ;)
Pushing an implementation cutover by +6 months, and changing it from a hard to a soft date, because it has so many unresolved issues, incomplete APIs, and angry developers seems a fair definition of "clusterfuck."
The great thing about something like an email service is that password guessing can be extremely rate limited. You miss three guesses and you can't log in for several hours. So an easily remembered password is perfectly fine unless it is blindingly obvious. As a homeless person losing access to a phone on a regular basis, I am going to be comfortable with the risk that the Gmail password hashes might get leaked. I think others would be quite comfortable with that risk as well...
Many of the reasons 2FA is added by product managers and engineers is because they are too lazy to actually solve the problem in a way that is empathetic to actual, breathing humans and instead bulldoze through the problem in the least usable method possible, call the problem "solved" and move on to shinier problems.
Just because 2FA "solves" the extremely narrowly defined problem, doesn't mean it is the best solution or even something that people can and will actually use. Upon those metrics alone, 2FA is usually one of the worst "solutions" to the problem.
> Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place?
It is clearly failing for this use case.
Security can't be seen as a one-size-fits all threat models. That will never be satisfactory, as requirements vary.
For most people in most scenarios 2FA is a net positive.
But denial of service is also a component of evaluating threat models. Here we're discussing cases where 2FA causes denial of service which is worse than any risk of getting the account stolen by password guessing.
If you forget your password — it's YOUR fault. If you reuse your password and it gets leaked — it's YOUR fault. If for some reason you cannot fix yourself, and have to rely on Google 2FA for that — good. Somebody who can manage their own passwords alright shouldn't suffer because of you. How about him just using his password, and losing his accounts because he fucked up, not because Google (or anybody else) suddenly thinks (incorrectly) that it's not him anymore who uses that login and password.
> Gosh, I don't know, how about literally all of the problems that 2FA solves in the first place?
Well, it isn't solving this one. Option to opt out would be nice.
> aren't capable of keeping track of a physical device for more than N weeks?
Bit ignorant of you. They could be just plainly stolen by someone else. A piece of rag working as a tent doesn't exactly have the best physical security...
> I'm not unsympathetic to the problems of the homeless and the burdens 2FA entails, but I'm also not willing to ignore the huge problems that 2FA solves, and realizing there will often be a tradeoff between making it very difficult to hack into accounts and making it easy for people with mental and other problems to access their accounts.
Also they're frequently arrested, and if their "belongings" are unsafe (biologically contaminated, disgusting) they'll be discarded or ignored by police, if the person hasn't seen the police coming and thrown their belongings aside in the hopes of coming back for them later. Sad all around.
Over on /r/sysadmin there was a discussion this morning about email systems for dementia patients. How do you provide for someone that is forgetting that they are forgetting?
Pretty much EVERYONE will have cognitive decline in their twilight years. It would be nice if we could have communication systems that are compatible with basic human biology.
> It would be nice if we could have communication systems that are compatible with basic human biology.
At some point, this becomes a problem better suited to the government.
Imagine you have a loved one who has dementia or is homeless and incapable of administering their digital accounts with traditional authentication methods. You want to take over their accounts.
You will need to present evidence that:
- they are indeed incapacitated
- they are who they say they are, aside from you vouching for them
- you are who you say you are
- you legitimately represent this person
- there isn’t somebody else who has a better claim at representing that person
I personally don’t want any tech company in the position to sort through all of that on a case-by-case basis and decide which accounts to unlock or transfer ownership to. Let the government or the courts figure that out.
The average person cannot remember a good password without some help, be it using it everywhere, writing it down, or using a password manager. Homeless individuals, on average, have many more stressors in life, much higher rates of traumatic brain injury, and a number of other factors that make their ability to remember good passwords much worse than the average person. Given this solution doesn't work for the average person, it will have even less success applied to the homeless.
How many passwords does a homeless person need to remember?
I’m with you that an average person is probably using at least dozens of services that need credentials, but these people are probably not logging in on Amazon or checking their 401k online, for instance, and can probably get by with a very limited set of stuff to remember.
I don't know how dire it is in general, but there's at least a fighting chance to have some kind of unified login at that level. Thinking about it, now that many "casual" sites also accept Google login, the number of accounts needed might really be minimal.
Unfortunately (at least in the US) these types of services tend to be a patchwork of different agencies at different levels of government... you'll potentially see local, regional, state, and federal all for one person. If you're lucky agencies at the same level might share a unified login of some sort, but good luck finding that across different levels.
No. One can just remember a good password for gmail, and either use other passwords elsewhere (maybe bad, re-used, ones, or maybe good ones, not relevant if we're talking about gmail), or just always authenticate elsewhere using your gmail account.
Remembering one good password is not too onerous. Easier, it seems, than keeping any physical object in your possession if you're homeless. (I would assume that most losses are not due to cognitive failure, but instead are things like thefts when one is asleep.)
Even people not dealing with the stress and trauma of being unhoused have trouble remembering passwords - even when they're shared across accounts, let alone when they're unique. This ain't a "homeless people are dumb" argument; it's a "humans gonna human" argument.
> PS: Many unhoused people access their email rarely, intermittently; they don't stay logged in. They often have to guess several times to remember their password.
2FA doesn’t work, and remembering passwords doesn’t work either. Checkmate.
Having to guess several times != having forgotten your password.
I think what this actually calls for though is a way to prove your identity by talking to an actual human. Something that used to be the standard before tech companies declared that it was too inefficient.
You're thinking of SIM swapping attacks. SIM cloning is much harder without breaching the SIM manufacturer (often Gemalto or another giant vendor).
Rerouting traffic with a malicious home location record (like what was done to Merkel for years), or changing the eSPID/NNID for a number's texting enablement is much easier than doing a SIM swap, and you can usually avoid detection too.
The irony of SIM cards being a cryptographically strong smart card and then carriers let their employees give out replacement SIMs left and right. Ah, humans.
Fun fact: SIM cards can run applets based on Java. That’s how mobile payments are able to work in developing nations. I think there was a DEFCON talk about it a few years ago.
> They often have to guess several times to remember their password.
I think pointless password rules are at the heart of this problem for many non-technical people who probably haven't been operating with a password storage solution and might not be used to that system or trust it.
Every platform has its own special requirements for passwords: some require a mix of lowercase and uppercase letters, some require numbers, some require a special symbol, some require a special symbol but no, not that one, some restrict you from entering 3 of the same character in a row, some passwords have a short max character limit, some prevent certain characters like spaces, some require you to change it every so often, etc. Eventually, the password is forgotten or confused with another because of these pointless password rules.
I called them pointless password rules because they reduce the possible number of combinations required for an attacker to guess the password because any guessing program knows what can't possibly be valid combinations.
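As an added illustration of the point above (not part of the thread), the following Python computes by inclusion-exclusion how many candidate passwords survive a set of composition rules, and how many bits of search space the rules remove; the 95-character printable ASCII alphabet and its class sizes are my assumptions.

```python
"""
Added example (not from the thread): quantify how composition rules shrink
the space an attacker has to search. Alphabet and class sizes are assumed:
95 printable ASCII characters = 26 lowercase + 26 uppercase + 10 digits
+ 33 symbols.
"""
from itertools import combinations
from math import log2

# Assumed character classes of the 95 printable ASCII characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ALPHABET = sum(CLASSES.values())  # 95


def keyspace(length, required, classes=CLASSES, alphabet=ALPHABET):
    """Number of strings of `length` characters over `alphabet` that contain
    at least one character from every class named in `required`.

    Inclusion-exclusion: for each subset S of the required classes, count the
    strings that avoid every class in S ((alphabet - |S chars|) ** length) and
    add or subtract it depending on the parity of |S|.
    """
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for subset in combinations(required, k):
            missing = sum(classes[c] for c in subset)
            total += (-1) ** k * (alphabet - missing) ** length
    return total


def bits(n):
    """Search-space size expressed in bits (log2 of the candidate count)."""
    return log2(n)


def rule_cost(length, required):
    """Return (unconstrained count, constrained count, bits removed by rules).

    The attacker who knows the rules never has to try the excluded strings,
    which is what the post above means by 'reducing the combinations'.
    """
    free = ALPHABET ** length
    ruled = keyspace(length, required)
    return free, ruled, bits(free) - bits(ruled)


if __name__ == "__main__":
    for rules in ([], ["digit"], ["lower", "upper", "digit"], list(CLASSES)):
        free, ruled, lost = rule_cost(8, rules)
        print(f"length 8, require {rules or 'nothing'}: "
              f"{ruled:.3e} of {free:.3e} candidates, {lost:.2f} bits lost")
```

Run it with other lengths or a smaller `alphabet` (e.g. with spaces or some symbols forbidden) to see that banned characters and short maximum lengths cost far more than a "must contain a digit" rule.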
If a person can remember a password that is a minimum of 8 digits, they can remember an 8-digit backup code that is already provided by Google. They are functionally equivalent, but a backup code is one-time use.
So the choice is for them to permanently lose access to their email?
Homeless people aren't stupid, and strong passwords don't have to be incredibly hard to remember. I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
There is literally nothing more important than your email. Even stuff like your bank account has secondary means of recovery, whereas if you lose access to your email you're pretty much fucked.
> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
When your account is stolen the attacker changes your password. You lose access to your email forever and lose access to all of the services that use your email as a recovery platform.
Who's to say that your email account getting hacked is less dire than losing access to it? Attackers can easily search your inbox for 'verify your email', visit any website of value, and use their access to change the account away from your email to an address that they own, effectively removing your access to your third-party website accounts entirely.
I don't know that it is less dire, but I do think it's less likely. Are homeless people's email accounts getting hacked three times per year?
Also... maybe getting hacked is worse, or maybe losing access is worse, but the user should have the right to make that decision! Google can set the default, but the user knows his or her own life.
Because you can still use an account everybody knows the password of.
It's a terrible place to be in, but it isn't anywhere near as bad as being a homeless person with no access to HN and Twitter, having Google delete your account and having nowhere to complain. Because that is even worse.
> So the choice is for them to permanently lose access to their email?
If an attacker breaks in and changes your password, you already do very likely permanently lose access to your email. Account recovery from that point is a hairy process even for people who have a place to safely store important documents, let alone those who don't.
> Even stuff like your bank account has secondary means of recovery
Those rely on forms of identification that the unhoused disproportionately lack (for the same reasons that they are more prone to lose access to phone numbers). This is also among the reasons why being unhoused tends to correlate with being unbanked.
> I'd rather get my accounts hacked because of password reuse than lose access to my email, forever.
This is functionally the outcome of getting hacked, if you want any kind of decent security measures.
Any way that Google can give you access back on a password-only account is going to be rife with bad actors using social engineering to gain control of accounts. As long as that form/page exists, it is a threat vector.
What you're asking is for the password to be the only proof that someone owns an account, which means a hacker can demonstrate ownership just as much as you can.
Banks have more options for account recovery because we're willing to give them a lot more info. They can force me to come in to a branch and compare my ID to my face, or ask for my SSN, or any number of things we're not comfortable handing over to Google (especially over the web).
I would rank a home as more important than email; I'd certainly rather lose access to my email than my home.
But by definition, the homeless have already lost a home (assuming they weren't born homeless) - and I've forgotten passwords before. So "the stupid homeless just need to memorize their password" isn't a solution.
Except that they're already losing access to email, forever. A small chance of it happening because of a hacker is better than a statistical guarantee of it happening from phone theft.
The GGP was speaking in the first person. I personally have had hackers try to break into my account before, but have never lost my phone number. Furthermore, notwithstanding the policies of the "obamaphone" program, I would be able to recover my phone number if I lost my phone. So, speaking for the vast majority of people, it would be preferable to have losing my phone number lock me out of my account than having my password leaked lock me out of my account. If that is the dichotomy, and if we still care about the welfare of the average person, the correct choice is incredibly clear.
Is it though? Just because a password leaked doesn’t mean it will actually be abused. A homeless person without a credit card in their Google account is naturally limited in the amount of damage that can be done.
Security questions are probably enough, at least for people who can’t handle 2FA.
So you are saying that the homeless using plain passwords is wrong because tech giants want to collect personally identifying information under the guise of security? How does that make sense?
How do you remember a complex password? By practice? On what device? I’m sure those involved have bigger things to worry about/remember than a complex password to email.
I don’t think that is the solution. I also don’t know what is.
Public services that somehow provide safe access to email etc?
The same way I remember everything else: I think about it enough. There are plenty of good memorable password mnemonics out there, too. So that seems a non-issue.
In any case, I'm sure those involved would prefer the option of remembering a password to not having that option and getting locked out forever. Seems like a good solution. There may be better ones you can implement once this one is, always room for improvement you know
What works great for me is using _songs_, ideally a sentence not directly from the chorus of a lesser-known song, complete with punctuation and some obvious replacement rules (such as `and` -> `&`). The reason why this works so great is that many people have some obscure song "in them" that they know by heart but which is not super widely known.
I only had to change one of my passwords once when my coworkers discovered I was reliably whistling "Stayin' alive" after logging in.
Complex doesn't mean hard to remember. XKCD936-style passwords (four words with no special chars) are nearly uncrackable and quite easy to remember. Something even simpler like [mother's name][father's name][year of birth] is also very strong when you aren't being targeted specifically (you almost certainly aren't, especially if you're homeless). The remaining issue is password reuse, but that's mostly solved by having two passwords - one for your email and one for everything else.
A good password is one that is difficult to crack which potentially means it will be difficult to remember. Long phrase passwords are recommended to be the most secure, but ironically the more convoluted the password, the harder it is to remember. In the case that a service requires a new password every x months, remembering a secure password is out the window. This type of practice encourages unsafe and easily guessable passwords such as “password1”, “password2”, etc…
Quite simply there are multiple factors at play here. Do you force 2FA on almost everyone and reduce hostile account takeovers to negligible? Do you allow for no 2FA and permit the homeless use case?
I think Google faced a trolley problem and made the right decision. You need a different tool "homeless mail" for them.
It's Gmail. You don't have to use it. There's a lot of mail providers out there.
Whatever, if this guy won't set it up I will. I'll stick a 20 msg / hr, 100 / day limit on it and call it a nice anti-spam day.
Based on Google documentation you can still turn off 2FA, so we are weighing the account security of the hundreds of millions of users who would never turn on 2FA but really should, versus the people who lose their 2FA verification method and are locked out of their account. Maybe the harm of not being able to log in is worse than having your identity stolen, but who's to say.
You don't solve a trolley problem. The entire point is that it's unresolvable from most ethical paradigms other than naïve utilitarianism (which is why it exists - to mock that way of thinking).
That's exactly the point here as well - well, without mocking the utilitarianism. It is natural that a corporation optimizes to its customers within the envelope of regulatory constraints.
I've often wondered why, with a valid ID, the gov does not give us an email nowadays. Especially one that does not require this asinine phone-validity garbage. I'd even suggest maybe not using email addresses as a login name, along with plenty of aliases for inbound and outbound that do not expose your "main" or account.
And Google is not alone here; many other major "free" email providers require a phone as well (dagger eyes at you, MS, Yahoo, etc); and the icing on the cake is that some websites even require a particular set of domains to register with them to prevent multi-accounts/bots/spammers/etc => just a big ol' download-spiral of decisions that feed into each other, just to put a physical ID on anybody to tag-em-to-sell-em
The biggest gripe is that it is mandatory; it is not an option and there is nothing we can do about it other than "vote with our wallets" - and Google does not even allow TOTP use as an alternative to phones, lol
The beatings will continue until morale improves; always has been, always will
> I've often wondered why, with a valid ID, the gov does not give us an email nowadays. Especially one that does not require this asinine phone-validity garbage.
Can you even imagine the nightmare of trying to police the usage of such a thing? Everything from simple spamming to harassment to child pornography, all complicated by the stricter scrutiny the government gets for who it can decide not to provide services to.
That depends greatly on if the systems in question are expected to provide universal service or not. This is perhaps the crux of the question - do we expect Google to operate as a public service capable of delivering service in a way that meets the needs of 100% of the population? Or do we think it's acceptable for Google to decide that they're happy with 98%, modulo things like the ADA?
USPS serves every US address. Lone Star Overnight is allowed to mostly serve Texas without a requirement to also serve Maine.
Which category do we want Google to fall into? This kinda smells like we're expecting it to be a universally provisioned public service, but provided by a private entity with private funding.
> So what kind of 2FA would be homeless-proof? I don't see a solution.
There are three factor categories, what you know, what you are, and what you have. A password is what you know. A phone is what you have. Biometrics are what you are - facial recognition, thumbprints, etc.
2FA in one manner or another is used by various services, because the security recommendation is to pillar identification by at least two of the three factors.
For your question, there are any two from the three factor categories that could be used.
However, there are also limited versions of a single category that are often used as a backup when 2FA is not available. In this case, Google uses backup codes when "what you have" is not available. Backup codes are functionally equivalent to passwords, except that they are limited to a single use. Limiting use is often a method of using a single factor category when another factor is not available.
Another method is to rely upon another authority, such as using a physical ID card that can be validated in order to let a person back in.
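To make the "single-use password" idea above concrete, here is an added Python sketch (mine, not Google's code) of a backup-code store: codes are shown to the user once, only salted PBKDF2 hashes are kept, a successful use consumes the code, and repeated wrong guesses trigger the kind of hours-long lockout mentioned earlier in the thread. The 8-digit format, the batch of ten, and the lockout length are assumptions.

```python
"""
Added example (not Google's implementation): one-time backup codes with
hashed storage, single-use redemption and a lockout after repeated failures.
Code length, batch size and lockout duration are assumed values.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8            # assumed: "8-digit backup code" as mentioned upthread
CODE_COUNT = 10            # assumed: ten codes issued at a time
MAX_FAILURES = 3           # assumed: wrong guesses allowed before lockout
LOCKOUT_SECONDS = 4 * 3600 # assumed: "can't log in for several hours"


def _digest(code: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a leaked store still costs work to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class BackupCodes:
    """Hashed one-time codes plus failure counting for a single account."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._unused = set()       # digests of codes not yet redeemed
        self._failures = 0
        self._locked_until = 0.0   # epoch seconds; 0 means not locked

    def issue(self, count=CODE_COUNT):
        """Generate fresh codes, replacing any old batch, and return the
        plaintext exactly once so the user can write them down."""
        codes = [
            "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
            for _ in range(count)
        ]
        self._unused = {_digest(c, self._salt) for c in codes}
        return codes

    def remaining(self):
        return len(self._unused)

    def locked(self, now=None):
        now = time.time() if now is None else now
        return now < self._locked_until

    def redeem(self, code: str, now=None) -> bool:
        """Accept a code at most once. While locked, even a valid code is
        refused. Comparison is constant-time per stored entry."""
        now = time.time() if now is None else now
        if self.locked(now):
            return False
        candidate = _digest(code.strip().replace(" ", ""), self._salt)
        for stored in self._unused:
            if hmac.compare_digest(candidate, stored):
                self._unused.remove(stored)   # consumed: cannot be replayed
                self._failures = 0
                return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failures = 0
        return False
```

A real deployment would persist the store and apply the lockout to the password path as well; the point here is that with limited attempts a short numeric code is only a bounded-risk single factor, not a second factor.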
> In one of the later posts, the OP writes that the homeless will lose any physical thing after N weeks. So what kind of 2FA would be homeless-proof? I don't see a solution.
This is not a technical problem and should not be automated away.
Rely on trustworthy third parties. Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement. In some countries, the police might certify the identity of the individual, and then Google could trust that certification. In another place, it might be some combination of the Red Cross and a public hospital. Obviously some identifications will be easier and others harder - if a person in New York claims they are the owner of an account based in Spain, the employee should be suspicious and require a higher burden of proof (and the reactivation might be logistically more difficult).
> The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts;
I'm not really convinced high profile dissidents, journalists and senators (why senators?) should be trusting Gmail to protect them from state sponsored adversaries. Google generally wants to do business in territories controlled by states which means they have to follow laws and will sometimes be subject to intimidation; but they have no intrinsic motivation to be unhackable.
> Universal utilities like Google should have retail outlets which are adapted to local conditions and can exercise educated judgement.
Sorry but this just isn't happening, and if there is regulation to make something like this happen, companies will just turn off their services. Plus this would essentially seal off competition: want to run an email hosting startup? Guess you have to manage real estate all over the world and work with every government.
This whole conversation seems backwards to me. Yes, it should be easier for people to recover their accounts, but should governments be totally reliant on private email providers for communicating with people who need services?
The story, as I understand it, goes something like this: a case worker emails a homeless person, the homeless person can't access their email, and then the case worker denies them access to programs because they never got a response. That is not solely an email problem---it's also a huge problem with these programs and services! Why don't they provide identity services and retail outlets to help people get the resources they need? Why are governments shoving this responsibility into the private sector?
> Guess you have to manage real estate all over the world and work with every government.
Or, you know, pass a deal with post offices or banks. Bank ID is pretty widespread in nordic countries for instance.
But as with other topics (e.g. banking services) we're getting the usual HN answer where anything unheard of in SV but common elsewhere is considered luxury science fiction.
Google’s advanced protection program is probably the most secure way to have an email address if you believe you are likely to be targeted by a sophisticated attacker. It requires a security key to sign in every time, limits sign in with Google, and only lets you use Gmail, Apple Mail, or Thunderbird as your email client.
Why Senators? They’re high ranking US government officials, they’re a prime target for state sponsored attackers.
Other than Protonmail I wouldn’t trust anyone else with my email. Gmail is close to if not the #1 non-governmental target for state sponsored attackers. The NSA runs secure email for TS-SCI communications but they don’t want to have to teach John Podesta how to not get phished, and Google has the best defense against those attacks if you enable advanced protection.
I don’t think there’s any universe where a company runs an international chain of retail outlets in order to support a free email service. If that were the standard, free email providers just wouldn’t exist outside of bundles with other services.
We treat email almost as we used to treat postal mail: we expect it to be available to all ("digital transition" replacing human-fronted public services with digital one).
If we treat it as a utility, it's fine to regulate it as such. If <big corp> want to make money, directly or indirectly, by offering email service, they should have some standard of service. If they can't we can just make it public service, which wouldn't let <big corp> make money out of it, but would also guarantee it's available to all.
Either way, eating the cake and leaving it whole, like it is now, shouldn't be an option.
Maybe we don't need to meet all those requirements simultaneously. The onboarding process could try to determine if 2FA would actually benefit you or not.
Well .. yeah. And I think that's what OP (of the twitter thread) is advocating (without explicitly stating it). Namely, that 2FA doesn't work for the homeless.
>Maybe the solution should be to have some basic free state-paid email provider for those people. They are not forced to use Gmail specifically (albeit the number of non-sucking and free email providers is probably close to zero).
You don't need to use Gmail. There are a lot of good free mail providers.
Gmail allows users to generate 10 one-time use 2FA codes at a time. Even if you are not going to become homeless, you should generate these and write them down somewhere secure. You never know if your phone battery will suddenly die.
Drop the password requirement. Use fingerprints + face. Very hard to lose these, but not impossible. Note, this solution is 1.5FA, but would solve the issue at hand. (pun alert)
Very easy to lose the features of those that tracking systems identify, however. Scar tissue makes most fingerprint systems fail over the smallest of changes, and facial scarring is also, unfortunately, not an uncommon issue among the homeless.
Ignoring the issue of device accessibility - which is the crux of the 2FA problem.
This assumes they have a device that can read fingerprints/face. I'm going to guess homeless folks are also more likely to be on library computers, old phones, etc. and not have access to biometric sensors.
One possibility would be to solve the "can't keep anything on them" problem with a bracelet or something like that, like they do in hospitals. Something more durable and less valuable than a cell phone.
If they truly can't keep anything on them, someone who recognizes them needs to represent them. (A locker won't do - they'll lose the key.)
And if they have no friends they can trust (which is likely) then it probably needs to be a government worker of some sort, who has their photo on the computer.
I mean, unless you want to have retina scans to log into library computers or something. Or really reliable face recognition.
>The other thing is, we want at the same time Gmail to be unhackable against best hackers and state sponsored adversaries for the billions of users, including high profile dissidents, journalists, and senators who will inevitably have accounts; and at the same time to homeless people who can't keep any physical thing. It's kinda difficult to meet those conflicting requirements well at the same time.
It's only hard if you adopt a one size fits all approach to security.
Google's proclivity towards treating its users as an undifferentiated commodity isn't proof that its users couldn't be treated differently.
There is none. That's the entire point of the post: "something you have" doesn't work if you're at risk of losing all of your possessions at any time. So let them disable 2FA and rely on passwords - or even better yet, provide some way to actually talk to a person and verify identity.
We will need to design it, but India has a biometrics system (yes big bad privacy issues) called aadhaar which is used for authentication in so many systems. As long as you can build and secure such a system, and people get used to it, as they are used to Socials now, it can be used to unlock a whole lot of things.
Almost certainly a bad idea. But the first thing that seems like it could work would be an implantable NFC YubiKey. Then making more devices support NFC.
I know I would be pretty tempted to get an implantable 2FA device if one was available and seemed like it would have both broad and long term support.
> So what kind of 2FA would be homeless-proof? I don't see a solution.
Biometric? Amazon One's hand recognition would be a decent solution here, though I'll be damned if I've ever met someone willing to try it. And I ask, every time I go to Whole Foods.
For better or worse, I can’t set my password to be “password” or any other number of weak words, and also need a number and symbol. Same principle in practice here.
It's realistic to expect people to remember a difficult password eventually. It's not realistic to expect them to recover the SIM card from a phone that was stolen from them in the middle of the night and pawned for drugs or broken down into parts.
Why would a strong password and needing an entirely different communication channel be the same thing? That's like saying walking to work and needing to drive a car to work are the same thing.
The problem with biometrics like that is that if the data is stolen or otherwise accessed then it can't be reset. If an attacker has your fingerprint and you use that for 2FA you can't reset that to prevent them from having access.