
Tell HN: Google requiring phone number to log into Chromebook - pisky
Long story short: bought a couple of Chromebooks over the years (as they&#x27;re nice multi user machines), created Google accounts on each but never gave a phone number. Now after years of use, Google pops up an &quot;unrecognized device&quot; roadblock AFTER I enter the password to log in, with the message &quot;enter a phone number to get a text message with a verification code&quot;.<p>There is no mention of suspicious activity. The only trigger I can think of is a recent modem reset that changed my Public IP, and my new IP doesn&#x27;t appear to resolve to my old physical location in Google&#x27;s geoip db.<p>Am I crazy or does this seem like an extremely cynical attempt to get more phone numbers? I don&#x27;t even understand how giving them my phone number proves anything as I definitely did not ever give them one previously.<p>Unfortunately burner phones are not available in my country, so that&#x27;s not an option.
======
fiblye
I've had this happen with gmail accounts randomly. Most of the time with
computers I've been using for years on the same network.

The worst occasion I've ever had was the one time I was traveling. I was
getting by with only wifi and, naturally, didn't have a phone number to
confirm my account with. I didn't have a number bound to my account, either,
making the whole process pointless.

How did I get into my account? I asked a random guy who walked by if I could
login to my email on his phone (since at that point I'd left my wifi area and
couldn't login with my own device). It was essential that I check an email at
that point, so I didn't have a choice. It was anti-security--I literally gave
full access to my email account to some man I never met before in a different
country.

Google needs to stop pretending it's some security measure. It's not. It's
data harvesting, plain and simple. I just wish they'd admit it.

~~~
Guest9812398
I had a Gmail account for a secondary email address that I used at times. One
day I logged in with my email and password, and Google said I needed to
further verify my identity. Well, my security question was a bogus one because
I was confident with my password manager and backups it would not be needed.
But, I guess I was wrong, because I didn't anticipate that knowing the
password wouldn't be enough for Google. I never got access to the account
again.

~~~
richrichardsson
Stupid "security" questions, I've started answering them like "what's your
favourite colour?" \- "colour" or "what was your first pet's name" \- "pet".

There are a few things that make me wonder if I can trust a company. Security
questions, stupid password restrictions, sending me a password in plain text
via email.

~~~
jdeibele
I used to give my real birthday. Then I kept reading about how knowing that
plus your address (usually easy to find on the internet - whitepages.com,
etc.) got someone a long ways toward imitating you.

So I started making up birthdays but would have problems because I didn't
remember them. So now I just use the epoch, which I think somebody here
suggested.

~~~
gordo4
I put January 1, 1970 as my birthday, and sometimes I can tell sites convert
to timestamp and then it rejects my entry because it evaluates to zero which
is falsely.

------
reacharavindh
Evil.

Imagine those teens at school, that bought Chromebooks because they were more
affordable, and now getting pried on like this.. :-( It is this generation
that is going to lose the idea of privacy and suffer from these piece of shit
corporations.

It's almost like watching a movie.

~~~
open-source-ux
>"...and now getting pried on like this."

Those students are being tracked regardless of whether they provided their
mobile phone number. ChromeOS is an _entire operating system that tracks you
from the moment you sign-in with your Google account_.

Sure, you can use a guest account, but you won't be able to save anything
because the entire OS is "cloud-based".

People rush to Google's defence and say that Google doesn't build ad or
marketing profiles from student data. But even if the online activity from
students is aggregated or detached from individual accounts, that still means
Google holds the personal online behaviour of _millions of students_. They can
now poke and interrogate that data in ways that even they probably haven't
fully grasped. And as we've seen from Netflix and Spotify, aggregated data
still lets you pull out precise details and behaviour from "anonymised" data
(a meaningless term).

Tracking is so pervasive and so normalised that no-one even bothers to ask:
why should students be tracked in the first place? Tracking online behaviour
is in Google's DNA and no-one does it at such industrial scale.

The hypocrisy of the tech community who have nothing to say on the privacy
implications of ChromeOS in schools is hard to understand.

~~~
bobdole123456
Most of the tracking in your google account is to give you the answers you’re
looking for, not because it’s of any benefit other than providing a better
service.

Like when I search for a three letter acronym, google knows that I’m an
engineer, and I see links for results about computer hardware, and not about a
Jewish Torah studies group with the same TLA.

Google makes those models for individual accounts, which is why google can
tailor results so well to what you’re looking for right now.

------
stephen82
They have done this to me a couple of months ago with my Gmail account and got
really panicked, because I had all my contacts on it.

After I have managed to restore it more than 4 hours later, I permanently
deleted my account and Google immediately contacted me with apologies, asking
me for the reason I did such thing.

They have tried to persuade me to restore my account with a couple of emails,
but it was already too late.

I cannot trust them anymore.

I want to have absolutely nothing to do with Alphabet or Google; if a certain
service that I currently use gets acquired by either of them, then I will
delete that account too immediately.

Enough is enough!

~~~
vageli
> They have tried to persuade me to restore my account with a couple of
> emails, but it was already too late.

Where are they sending those emails, to your Google account's backup account?

~~~
stephen82
Yes, on my alternative email.

------
emerongi
They've essentially bricked your machine and are demanding your phone number
to un-brick it? Sounds like a case for a legal battle.

~~~
cm2187
Sonos just did the same. They want you to create an account (and therefore
give them an email) and otherwise are effectively bricking the device in the
latest update.

Was time to get rid of this pos.

~~~
greenhatman
Doesn't Apple do that too?

One of the reasons I use Linux on my MacBook.

~~~
lloeki
You can set up a Mac or iOS device without ever logging into an Apple account.
The only place it is "required" (well, not strictly _required_ , but I guess
an iOS device is not that useful otherwise) is for the App Store to get apps
(someone correct me on this but I'm not sure you can download free apps
without an Apple account, and there's a way, although convoluted IIRC, to
create one without entering credit card details)

~~~
binomialxenon
Last I heard, you can't download any apps without signing in with an Apple ID.
Since sideloading is impractical on iOS, this would make the phone not very
useful as you can't install any software.

------
newscracker
I can't offer any advice that can help you quickly or is guaranteed to work.
Write a longer and better composed post on some platform, with details of what
you've tried, whom you tried to contact at Google, responses (or the lack
thereof), etc. Share it on HN, Twitter and elsewhere to get some traction. If
you can get it to someone at a senior level, that may help. _Sadly, that seems
to be the only way to get some companies to pay attention._

I'm not sure if your Google account is tied to a Gmail address (it doesn't
necessarily have to be), but I would advise anyone who uses (or must use)
Google's services to use an email address from another provider so that if you
lose access to the Google account, your email also doesn't disappear with it.
Further, disentangling oneself from such providers and going with those whose
business depends on your monetary support may be a better choice (where
feasible). I also get that these suggestions may sound absolutely ridiculous.

~~~
Rebelgecko
How do you even find someone to contact at Google? When I tried in the past,
the only support was for people that had some sort of recurring SaaS contract
or for AdWords

~~~
kaybe
Some of them read Hacker News.. if your problem makes it to the frontpage you
might be in luck. But again, this is really not the way this should work.

------
013a
I'd suggest filing a public report to their support on Twitter phrased
something like "services inaccessible to underprivileged users", that should
trigger enough keywords for their AI managed support to notice. Be sure to get
as many quantifiable likes, retweets, upvotes, etc as possible, as that is all
data which is used to increase the internal score of the report in their
system. Once its been elevated to a human, as rare as that is, play the
victim; you're not from the West Coast, so you don't know the West Coast ways,
but play the victim, get support behind you, and your issue will be resolved
within a week. Good luck!

------
zbuf
I have the same when logging in to my Google account provided by my employer.
I don't have 2FA set up, so they have no prior knowledge of my phone number.

I'd also like to understand how this is possibly useful?

In my case I was travelling, so had no option but to enter the number of the
nearest available random person willing to lend me a phone for the purpose,
with no idea what it would be used for.

It is cynical to suggest it's to boost their network of connected phone
numbers, but I can't think of a better explanation?

~~~
hirsin
What you're describing is a "cost proof" \- namely that the user has something
we can verify that costs some amount of money and is unique. So when the
service I work on asks for a phone number verification, it's not always to
determine your ID - it's to cut down on spam from users unwilling/unable to
set up tens or hundreds of phone numbers, which I imagine is the majority of
spammers.

Adding it to existing accounts, though, makes less sense to me. Retroactively
checking that an active account can cost proof seems like the most intrusive
way of doing this, particularly as part of OS login - at this point you have
so many signals that you should already be able to detect the user is a
spammer or not.

~~~
userbinator
_it 's to cut down on spam from users unwilling/unable to set up tens or
hundreds of phone numbers, which I imagine is the majority of spammers._

If anything I think it's the opposite --- dedicated spammers have shown they
can farm resources like accounts of various types, so phone numbers aren't out
of their reach. It's the casual users who don't want to give away their phone
numbers or setup a throwaway one which will be turned away.

~~~
hirsin
Cost proof doesn't cut in for those users - it's typically only put in on the
Nth new signup within X hours from an IP address.

------
sixstringbudha
>Am I crazy or does this seem like an extremely cynical attempt to get more
phone numbers?

Yes it does. The normal Gmail interface I get now has a forgot password link
which is by default activated after I enter the username. I have to explicitly
jump over that to continue entering the actual password and thus to my mail
box.

~~~
tunap
My decade+ old Hotmail account, plus two more newer ones, began prompting me
for a # "for security" back around 2014. After a couple weeks of "not right
now" all three of them locked me out simultaneously. Yahoo still asks for a #
to this day(AFAIK... stopped using it after Oauth prompts appeared). Security
IS one benefit, but it does not seem to be the most heavily weighted reason.
Most don't change phone #s often, if ever. Seems like a super data tracking
metric.

------
keypress
I've had this issue with one email account that I use solely for a very busy
email group. Occasionally there is no way at all to log in, as I have no tied
phone numbers/email accounts. I think one question was, when did you create
this account? Which of course, I have no idea.

Anyway that has put me totally off using gmail. I rarely have a phone too, so
using a phone number for secondary authentication is a PITA.

~~~
uconucon
That's exactly why I don't use Gmail anymore. Tutanota lets you in without a
phone number: [https://tutanota.com/blog/posts/anonymous-
email](https://tutanota.com/blog/posts/anonymous-email)

And there are more, no point in sticking with the big G.

------
willvarfar
I have a similar problem with yandex. It's not hardware, just an email
account, but I'm locked out of one I used for stuff because they are now
asking me for my phone number because of "suspicious activity". I don't want
to give them one.

~~~
Springtime
Yup. And Yandex is one of the only free email services left that doesn't
require a phone number to register yet they stuck me with a lockout on the
account weeks later (still haven't bothered to re-activate the account yet).

Not to mention that I created both a custom question and answer with randomly
generated strings that couldn't possibly have been known by anyone else, which
they confirmed as correct during the lockout and still are demanding a phone
number to 'verify'. I mean, really now, how on earth would giving any random
phone number further verify I'm the account holder when I already know the
correct randomly generated password, secret question and secret answer.

Gmail has similarly locked out various accounts with this despite no actual
suspicious activity and having a completely unique password. It's a
transparent effort by all these companies to gather more user details.

~~~
st1ck
[https://cock.li/](https://cock.li/) doesn't require phone number (you can
also choose other domain name)

------
phobosdeimos
Funny enough the much maligned evil Win10 allows for the use of a local
account.

(I am hesitant to give American companies my personal information because they
are not beholden to my country's consumer laws).

------
atmosx
I see a lot of concern around privacy and that’s a blessing.

Honest question: Let’s assume for a moment that google wants to do something
evil, what kind of info will “providing a mobile number” give to google that
the email, searches, possibly DNS queries, oauth2 authentication and browsing
tracker will not?

~~~
ken
Phone number is a universal ID whose transmission and content is managed by
another company. It's one which we generally make public, too (that's the
point). Plus, unlike email, it's difficult and/or non-free to create more, or
manage several of them.

A malicious Google with my phone number could easily sell my web searches to
the phone company, for example. Or publicly expose my web searches, associated
with my phone number (which my friends or employers would recognize).

It's basically one less layer of indirection, which means much less plausible
deniability. It's not a hard line but there's definitely a gradient they're
moving down.

------
hguhghuff
I’ve had chrome books as a possible purchase.

That’s finished now.

I want my machine to be my machine.

Google can F off.

~~~
mavhc
If you wanted that why would you ever consider a Chromebook in the first
place?

~~~
solarengineer
I am/was considering a Chromebook because of the lower price and the
opportunity to run Linux on it

~~~
fencepost
If that's what you're looking for, buy an off-lease/refurb/used business class
notebook that's a few years old. On the ThinkPad side, a T450 or T450s, maybe
a T440s if you're going to disable the touch pad, maybe a T430s if you're
willing to go back 6-7 years but then you're really going to be looking at
likely battery issues and higher weight.

------
atmosx
I see what you’re saying.

As a side note, most likely Google already has your mobile, through a friend
who uses an android phone.

------
TekMol
Can you install Linux in these machines?

~~~
Fnoord
ChromeOS utilises the Linux kernel itself but without arguing semantics you
can install a chroot Linux distribution with Crouton [1]. Whether that
supports this specific machine (whatever it may be) I do not know.

[1]
[https://github.com/dnschneid/crouton](https://github.com/dnschneid/crouton)

~~~
verbify
You'd need to get past the login screen to install a chroot, so not
appropriate for OPs usecase. Some machines support modifying the bios, but it
requires taking off the panels to unscrew the write protect screw.

------
drinkwell
Can't you just set up an alternative two factor authentication method? How
about a Yubikey? I think that maybe if 2FA is not explicitly enabled on the
account, Google try and enforce this 2FA 'light' method using SMS

~~~
eikenberry
+1 ... they pestered me for a phone number until I set up 2FA then they shut
up.

------
codedokode
Outlook Mail does the same. Registered a free email account, logged in from
other IP (from the same network) and got a requirement to enter a phone
number.

~~~
vezycash
Had the same experience with an outlook account used for registering sites I
don't trust.

Microsoft's excuse (lie) was that, my account had sent too many spam messages.

Got pissed and abandoned the account.

------
kartickv
Maybe giving them your phone number gives Google another signal to catch
hackers in another country trying to taking over your Google account. Or a
malware server could be prevented from taking over tons of Google accounts? I
don't want in abuse, so there are only guesses.

I don't mind giving Google my hone number to keep my data secure, and I'm in
the majority, so this is a good thing IMO.

~~~
lurker456
You should, because anyone that can compromise your phone will be able to get
into your email.

From there it's a small step to reset passwords (SMS 2FA won't help here, as
they also have your phone) to all online services you signed up for with that
email.

~~~
kartickv
Yes, but you need to weigh that risk against the risk of not having 2FA.

Taking a step back, and responding to the other comment in response to mine as
well, I was just speculating. I don't work in abuse, and I'm inclined to trust
the Google abuse engineers over myself or random HN commentators to keep my
Google account safe.

------
drasticmeasures
Format it and install Linux.

------
mverwijs
I cannot reproduce this on any of my chromebooks.

~~~
antt
I can reproduce this on my secondary and tertiary gmails. They require a phone
number or security "questions" that I have no idea about.

I have effectively lost access to them because of google.

------
EspadaV9
It could be that your account was hacked and the hacker has enabled 2FA on
your account using their phone number.

~~~
pisky
Hi, op here. They're asking me for any phone number, not for one tied to the
account (there is none). I've confirmed this by comparing with the message a
friend sees with two factor authentication turned on.

Some people are posting here saying they got in using a stranger's number so I
still don't understand how providing a number proves who I am.

------
S_Bear
I help people without cell phones set up email accounts (public library). As a
result, my cell phone and work phone are blacklisted by Google and unable to
receive verification codes. Had to set up my wife's phone as my primary email
recovery number.

Google's phone number policy is ridiculous.

------
FrozenVoid
That is the reason i stopped using Gmail. Random verifications popping up from
time to time.

------
JJMcJ
Maybe GMail maybe something else, their advice if you didn't have a cell phone
was to use someone else's for the initial confirmation code.

------
pyman
Can you imagine if Google gets hacked? Your entire life becomes public. I
don’t want to sound paranoid, but it’s a scary thought.

------
newnewpdro
I'm waiting for the day that LinkedIn will refuse to let me login without
configuring a phone number.

I don't use smartphones.

~~~
dingaling
> I don't use smartphones

This has nothing to do with smartphones.

Last week I decided to create a Youtube account as their premium, ad-free
service is now available in the UK. All was going well on my laptop until I
hit the page demanding a phone number. Any number, smart or dumb.

Not having a burner-SIM to hand I just closed the tab.

~~~
kaybe
Do these services take landline numbers as well?

~~~
binomialxenon
Most phone verifications that I've seen do work with a landline. They call you
and a text-to-speech bot reads you a code.

------
reitanqild
Why isn't this on the front page?

Seems plenty enough points tjat it should have been there still.

------
fredsanford
mailinator has an SMS service

~~~
dchest
Using disposable SMS service for what will be used to verify account owner in
the future sounds unreasonable.

------
dazc
It proves you are not a bot? The account recovery procedure is usually via a
secondary email account or saved backup codes.

I know this because I have a friend who's prone to getting himself locked out
and I have become his personal tech support guy (not willingly).

~~~
pisky
I understand the measures they have to go to to stop bots, but Google have
more than enough data to know these accounts are not bots (they have years' of
browsing history and whatever other hooks they use on Chromeos). Unfortunately
these accounts were created years ago and I assumed 'recovery options' would
only be required if I forgot my password (which I never would). Beginner's
mistake.

------
algog
Use TextNow app to get temporary mobile numbers.

------
Elksnis
What's wrong with giving away phone number?

------
simeonOli
Twilio SMS is an option at $1 / month

~~~
emerongi
I've had problems using Twilio numbers to create Google accounts. I think
voice activation does work, but you need to forward the number to your own
number.

~~~
hirsin
It should be assumed they check the phone number provider and block twilio as
a spam prevention technique.

~~~
JoshMnem
How can they detect Twilio numbers but still let scammers robocall my phone on
a daily basis via bandwidth.com's API?

------
dev_dull
I removed SMS from my google account for security purposes and use push
notifications on the google app. Perhaps you could try that.

~~~
noja
Your solution is to give them your phone number first?

~~~
dev_dull
It’s an app and I don’t know if you need to supply a number first. Either way
they need it one time so use a throwaway only to activate the app.

------
berbec
Google voice numbers work, BTW. So since you ha E a Google account, make a
burner G voice number and get the text that way.

~~~
LeoPanthera
You cannot create a Google Voice number without providing an existing,
working, real number.

~~~
berbec
Huh, I didn't remember that. The last gv number I created was many years ago.

------
ledriveby
It might _just_ be a security measure, but tinfoil hats are fun...

------
JoshMnem
Stop buying computers that require you to provide your identity to ad
companies in order to use them.

~~~
Tharkun
While this is a good idea in principle, in this case it's a recent
development. You can't really go back in time and unbuy it just because Google
suddenly decides to be a(n even bigger) dick.

~~~
JoshMnem
You could install GNU/Linux on the ones that were already purchased.

------
auslander
Yes, its new IP adress, they don't like you getting too smart using VPN :)

To bypass that, set up MFA using OTP app, like FreeOTP, that should skip
'unknown device' nagging.

------
Meph504
Go create a google voice account and put in that number.

~~~
techsupporter
Requires a "real" phone number to create one.

------
mcny
The following is very YMMV. I anal and I'm not a Google employee (would love
to be though!).

For those in the US, the approach I've taken is to create a Google Voice
number. Yes, you need to give it your existing phone number. Then, you can
give this number as a backup but the key is to use a two step authentication
app like Google authenticator or authy. This is key because like any sane
system, two step by SMS has rate limits in place. I don't know the details but
it seems like rate limits apply even when an SMS never leaves Google (the SMS
originates at Google and ends on your Google voice with no forwarding).

Long story short, if you want to fix your problem, try to get two step
authentication using an app for your account(s). I think that should do it.

------
whyagaindavid
Are u worried about your country's security services or Google? Not sure of
the question. If it is (1) then stop using anything from big 5 tech. It is
likely changing ips and locations possibly makes google feel suspicious that
your login is being compromised. For my very paranoid friend, I bought 2 X
'U2F' key _completely open source_ at
[https://u2fzero.com/](https://u2fzero.com/) (unlike some of Yubico keys) .
All problems went away.

Also remember any form of 2-factor is better than none. Yes, GSM can be hacked
and yadayada.. but even one extra factor always slows down. See even a senior
Mozilla dev got hacked without 2FA:
[https://www.theregister.co.uk/2017/08/02/chrome_web_develope...](https://www.theregister.co.uk/2017/08/02/chrome_web_developer_extension_hacked/)

------
negutron
> Am I crazy or does this seem like an extremely cynical attempt to get more
> phone numbers?

Nope you are not crazy at all, that's exactly what they are doing. It's the
same pattern in practice of online banks that are demanding you give them an
SMS capable phone, it's so that they can in the backchannel identify you
through AT&T, which is really teh corporate face of the NSA (don't argue with
me, 33 thomas st. nyc), and the implications there is that they have many
things tied together in fusion centers so they can use something like palantir
to instantly profile you when you put in that number and it draws in via their
backchannel apis your bank accounts into a single view along with your other
information, like medical, civic, etc that's literally what fusion centers do.
It's all hooked up for THEIR convenience, and its all keyed off now on
google's gaia_id. They tether your phone number(s) to gaia_id and voila all
these data sources get drawn in....it's all about the convenience to the five
eyes/nato people to force you to use their free sandwich stuff and get
everyone tied into the central hub of services that is google

So I agree with others: don't use a chromebook. I have an older friend who
needed a laptop for work and I made the mistake of getting a chromebook. The
f*cking thing didn't do TKIP correctly in WPA2 so it didn't work with my wifi
without making major changes to security in a tactical frustration that made
ME look like I didn't know what I was doing

It was a G d nightmare, but needless to say I will NEVER use a chromebook
again, esp after hearing your issue with the phone

Just get a refurb lenovo from tigertits or newegg and put linux mint debian
edition with xfce on it. The end

~~~
saryant
This conspiracy theory makes no sense. Why on earth would your bank need
identify you by phone number when you already have to give them your social
security number to open the account?

~~~
bodi
> conspiracy theory

Its a fact and works exactly as he described.

Also the term conspiracy theory was created and popularized by the CIA as a
function to install into the general population as a protection mechanism
against their own true and active operations, which as stated, are treasonous
to America and American citizens.

A useful tool for you might be to become self aware of your use of the term
“conspiracy theory” and whenever you find yourself reaching for it as a knife,
to instead reflect on the issue and to genuinely and independently compile a
response to the topic at hand using basic logic, reason, and available known
prior actions of the organizations that would profit from discrediting the
topic.

Good luck.

~~~
stijnstijn
> Also the term conspiracy theory was created and popularized by the CIA as a
> function to install into the general population as a protection mechanism
> against their own true and active operations, which as stated, are
> treasonous to America and American citizens.

This is not true. The term is older, dating back to at least 1870, and was
used then much in the way it is now [1]. The idea that it was coined by the
CIA is an urban legend.

[1]
[https://www.csicop.org/specialarticles/show/nope_it_was_alwa...](https://www.csicop.org/specialarticles/show/nope_it_was_always_already_wrong)

~~~
bodi
Duly noted and interesting, thanks.

