emacs-devel

Re: gmail+imap+smtp (oauth2)


From: Tim Cross
Subject: Re: gmail+imap+smtp (oauth2)
Date: Fri, 06 May 2022 10:54:44 +1000
User-agent: mu4e 1.7.13; emacs 28.1.50

Brian Cully via "Emacs development discussions." <emacs-devel@gnu.org> writes:

> Richard Stallman <rms@gnu.org> writes:
>
>> Does it have to be _your_ phone number, or can it be any phone
>> that you can answer at the time of creating the app password?
>> Will Google ever phone you again on the same number?
>>
>> Another question is, does setting up the app password require
>> a computer running nonfree software?  (For instance, a mobile phone.)
>> Can you do this with a landline?
>
> It does not have to be your phone number, no. They will send an SMS to
> whatever number you choose (so long as it's not on a blacklist somewhere).
> You do not need to run non-free software, presuming you can receive SMS
> with non-free software (there are services for such things).
>
> However, you have the choice of using TOTP for 2FA[1], in which case you
> can use any number of free applications to generate codes for you. If you
> use SMS as your 2FA, Google will send messages to you periodically as you
> attempt to log in to services (though only with your main password - not
> app passwords). Once converted to TOTP, though, I do not believe Google
> will ever try to contact you again. I have set up Google accounts using
> burner numbers and converted them to TOTP without any issue over the
> years. However, there's obviously no guarantee that Google will continue
> to allow this in the future.
>
> -bjc
>
> [1] There may be restrictions I'm not aware of when using TOTP, as I'd set
> mine up a long time ago. You may, for instance, need to be able to receive
> SMS in order to do the initial TOTP setup. You definitely need to use SMS
> to do initial account setup.

The SMS workflow is not Google's preferred 2FA. When Google first rolled
out 2FA, SMS based codes were widely used and it was one of the
techniques recommended by NIST. However, due to issues with number
spoofing and social engineering of Telco service desks to redirect
numbers etc, NIST now recommends against SMS based 2FA. 

I'm not sure about whether you still require SMS in initial account
setup for Google. It has been too long since I moved my 2FA to use
non-SMS based techniques. I do notice that when I do log in to Google
from a new device/browser, the SMS option is still shown as one option,
but it is not the default/preferred option, only a fallback one.

I do still wonder though - if you're so concerned about privacy and Google
having your phone number, how you can be comfortable with them having
your email data?
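The TOTP scheme Brian mentions above is what makes the "no further contact from Google" property possible: once the shared secret has been enrolled, both the authenticator app and the server derive each code purely from that secret and the current time (RFC 6238 on top of RFC 4226 HOTP), so no SMS or network round trip is needed to produce a code. The following is an added illustration, not code from this thread or from any Google or Emacs project. It implements HOTP/TOTP from the standard library only, decodes the base32 secret format that authenticator apps use, and shows the two checks a verifier should do that the prose leaves implicit: compare codes in constant time, and remember the last accepted time step so a captured code cannot be replayed within the acceptance window. The 20-byte secret and the expected codes are the published RFC 4226/6238 test vectors; `SECRET_B32` is that same secret encoded as base32.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"
# The same secret in the base32 form that authenticator apps import.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = (
        ((digest[offset] & 0x7F) << 24)
        | (digest[offset + 1] << 16)
        | (digest[offset + 2] << 8)
        | digest[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time / step."""
    return hotp(key, at // step, digits, algo)


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret shown at enrolment (QR code / manual entry).

    Apps commonly display it in lowercase, space-separated groups and without
    '=' padding, so normalise before decoding.
    """
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30,
                digits: int = 6, algo=hashlib.sha1, last_counter: int = -1):
    """Server-side check. Returns the accepted time-step counter, or None.

    `window` tolerates clock skew of +/- one step. `last_counter` is the
    highest counter already accepted for this user; any candidate at or below
    it is refused, which stops a code observed in transit from being reused.
    The comparison is constant-time so timing does not leak matching digits.
    """
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits, algo), code):
            return counter
    return None


if __name__ == "__main__":
    key = decode_base32_secret(SECRET_B32)
    assert key == SECRET
    # Prints the code an authenticator app would show right now for this
    # (publicly known, test-only) secret; no network access is involved.
    print("current code:", totp(key, int(time.time())))
```

In a real deployment the secret is generated randomly per user at enrolment and stored only on the server and in the user's app; `last_counter` is persisted alongside it. Note that a verifier with `window=1` accepts three consecutive codes, which is why the replay check matters even though each code is only valid for 30 seconds.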
