FYI Using Google Voice instead of your mobile number for 2FA


kwe (Member)
Mar 3, 2021
Steve really put a fright in me with his latest podcast end segment where he basically said your mobile number security hangs by a thin thread of a four-digit PIN. He transferred his mobile number to a new phone with nothing more than this PIN. You can also lose your phone physically, you can accidentally destroy it, or you might lose it in a SIM-swapping attack. Is a mobile phone number sufficiently secure for use for 2FA? Is Google Voice better?
Use an authenticator app on your phone if the web site supports it. Because Google Authenticator has no backup or second device option and doesn't provide any password protection on the app when running, I prefer Authy. I have Authy on my Android phone with a backup vault on my Debian-based laptop. If I lose my phone, even unlocked, no bad guy can access Authy without my four-digit PIN and I have access to Authy on my laptop until I get a new phone. I think this is the best option.
But if your sensitive web site doesn't support Authy or GAuth, you need to use texting or calling to a phone number. What about Google Voice? Google Voice runs on your phone or your laptop via a web browser. Google has strong security and backup codes.
I think it might work if I setup a new Google account on an alternate browser (Chromium instead of my main Firefox browser). I only use Google on this Chromium browser and never logon to my main Google account there. Of course, Google can link this second account to my first account using my mobile number or my IP address or my location derived from their location technology using GPS and Wi-Fi. This is a privacy issue, not a security issue, so long as this account is only used for 2FA.
One thing to take note is that web sites require "mobile" numbers not "landline" numbers, but I have found that if you put the landline-based Google Voice number in and identify it as a mobile number, most web sites will send texts to GV for 2FA.
I know there has been a lot of criticism of GV as a 2FA number and Jason Howell of TWIT famously bricked a Google account, but I think Google security is superior to cellular carrier security and their recovery process is secure and flexible. You don't risk losing your number if you login to your sensitive sites on a regular basis.
Would you use a virgin Google account with GV as a 2FA number for your sensitive web sites?
 
The reason sites need "mobile" numbers is for sending text messages, which Google Voice supports. I think, as far as how sites treat phone numbers goes, Google Voice is just a mobile number.

If you're in a position where Google Fi is an option, the PIN needs to be created manually, and it's active for 30 minutes once you click the generate button. And it's 6 digits. I haven't really used their service (at least via phone) since I ported my old number to the service, so I'm not sure when you would need the PIN number. (The last two phones I bought, I just sign into the app, and it downloads an eSIM, which means I need to log into my Google account just to do that, including whatever 2FA stuff I have.)
 
The challenge with Google Voice is that GV numbers are identified as VoIP, not true mobile numbers. Many sites (for example Paypal) require a carrier registered mobile number. GV is not accepted. Unfortunately the number of sites that do not accept VoIP numbers seems to be increasing.
 
That could be a problem. Here in UK, the whole telephone network is likely to switch to VOIP as they phase out copper wires and move to fibre to the home.
 
I was able to use Google Voice at all my sensitive 2FA-via-phone web sites, but on some I had to enter the GV number in the mobile section, not the home section. Web sites are allowing customers to declare whether or not their number receives texts. They used to look up the numbers in databases to determine whether they were landline or mobile.
Anyway, is using GV a good idea vs. using your mobile number?
 
I do this too. Just make sure GV isn't set up to forward incoming SMS to your phone's SMS; otherwise a SIM swapped phone would still receive your codes. Have SMS delivered to your GV app only.
 
I do this too. Just make sure GV isn't set up to forward incoming SMS to your phone's SMS; otherwise a SIM swapped phone would still receive your codes. Have SMS delivered to your GV app only.
Google Voice recently dropped SMS forwarding "for security reasons". If you did have it set up, it now forwards to your GMail.
 
That could be a problem. Here in UK, the whole telephone network is likely to switch to VOIP as they phase out copper wires and move to fibre to the home.
Not going to be a problem: the networks simply block the known number blocks of the VOIP providers, and the older network operators going to a VOIP solution still use their existing number ranges to route the calls, so they will not be blocked. Funny thing, though, is that now you can have a landline number which traditionally did not support SMS sending or receiving, as it was a plain copper pair, but which now can support SMS on the new handset, as it is now basically a cellular phone with an always-on wireless connection to your local fibre router, and often you can put a SIM into them and use it as a mobile phone.
 
There are services (such as TextNow) that will "rent" you a phone number. People use these for mal-purposes. (Attempting to remain anonymous for hateful reasons, generally.) Accordingly, there have sprung up services that track these numbers, and businesses can use these second services to block people using numbers from the first services. (I have learned this the hard way, when using an iPad with no phone ability and wanting to sign up for some services that only use a phone number as the identifier... such as, say, Signal.)
 
landline number, which traditionally, did not support SMS sending or receiving
I believe you can still send a text to a copper wire analogue phone. When you answer the phone a text to speech converter reads it to you. Mind you it has been several years since I tried this!
 
kwe said - "Because Google Authenticator has no backup or second device option..."

I beg to differ. Tap the 'three dots' menu in the upper right corner, and choose 'Transfer Accounts'. You can then produce a QR code that will be displayed on the 1st phone screen that can be read by the app on the 2nd phone, and it will transfer all your accounts over. I use this when moving to a new phone, but it could be used to keep two phones in sync.
 
kwe said - "Because Google Authenticator has no backup or second device option..."

I beg to differ. Tap the 'three dots' menu in the upper right corner, and choose 'Transfer Accounts'. You can then produce a QR code that will be displayed on the 1st phone screen that can be read by the app on the 2nd phone, and it will transfer all your accounts over. I use this when moving to a new phone, but it could be used to keep two phones in sync.
"Transfer" means "copy and delete". It doesn't imply a backup or second device capability. Can you confirm that you can run GAuth on two devices at the same time?
 
Can you confirm that you can run GAuth on two devices at the same time?
I can confirm this. I have it running on two phones. What happens when you "transfer" is actually a "copy". It copies all of your 2FA accounts from an instance of Google Authenticator running on one phone to an instance of Google Authenticator running on another phone. They are then independent of one another. Any subsequent deletions or additions of accounts on one device will not be reflected on the other. So, if you are using a secondary phone as a backup, you have to repeat this process every time your list of accounts changes on your primary phone.
 
kwe said: "Google Authenticator has no backup or second device option..."

You can install GA on as many devices as you wish. To set up the same TOTP tokens on multiple devices, all that is required is that you use the same QR code, or at least the same secret keystring that's embedded in the QR code.

(If you scan the QR code with an ordinary QR code reader, you'll find it merely consists of a couple text fields, such as a name, secret keystring, and maybe a URL or description. Note only the secret is critical; the other fields are optional and can be altered or edited as desired. The QR code isn't proprietary to a particular service or particular authenticator app, it's nothing more than a convenient way of passing the secret keystring the service generates to your phone's app without you having to manually type it in.)

Also, there's nothing unique about the Google Authenticator app, so you don't even need to use that specifically. For instance, you can use Microsoft Authenticator with your Google account, if you wanted to. All TOTP authenticators are the same -- they simply take a given key (the “secret”) and use it to generate a 6-digit number. Regardless of whether the authenticator app comes from Google, Microsoft, Facebook, Authy, andOTP, Bitwarden, et al, they'll all generate the same 6-digit number if given the same QR code or secret key. So don't install different authenticators for different services, just install one and use it for the TOTP tokens for all your services.

When you're initially setting up 2FA for a site and the service/website displays the QR code for you to scan, simply take a screenshot and keep the QR code. You can thereafter rescan the same QR code to recreate the same token on another device.

You don’t even need to set them up contemporaneously, either. Only the first authenticator needs to be configured “live” so the service provider knows which secret you’re going to be using, but subsequent authenticators can be setup later if you use the same QR code.

Not only is this useful for adding multiple devices, it's useful for recreating your TOTP tokens if you change phones or have to factory-reset your phone.
 
Note, Authy and Duo Mobile have special features that services may use to lock you to them. Duo has a push service so you just push accept or deny, and I think Authy has a similar feature, along with a feature Google Auth (along with others) didn't/doesn't have with TOTP in which you can have more than 6 digits (Cloudflare is set to 7 digits for example).
 
Here's an interesting observation about Google which probably extends to GVoice.....

If the attacker trying to take over your phone and your life is remotely skilled and motivated, he or she could simply get your Google account too. With MFA enabled, try logging in and then when the second factor is requested, choose other options. If you have a phone number on record with Google, it will offer to send you an SMS.

So Google MFA is only as good as you enable it to be, a classic trade-off between security and convenience.....
 
Here's an interesting observation about Google which probably extends to GVoice.....

If the attacker trying to take over your phone and your life is remotely skilled and motivated, he or she could simply get your Google account too. With MFA enabled, try logging in and then when the second factor is requested, choose other options. If you have a phone number on record with Google, it will offer to send you an SMS.

So Google MFA is only as good as you enable it to be, a classic trade-off between security and convenience.....
Under the phone number settings there is a switch to disable using your phone for password reset. Thank you so much for mentioning this. Another reason to create a separate Google Account for 2FA. (Why is this so hard?)
 
thanks, kwe, I am not seeing this. I have a verified phone number for my account but I can only delete it. It appears that the second factor can perhaps be to the phone number but the phone cannot be used in the password reset process - is that right? I am looking now....

Edit: "Recovery Phone" is the term for password resets, you can prevent someone resetting your password if this has no phone number BUT if you have a phone number linked to your account, the second factor can be sent to that number so you effectively only have single factor authentication for Google if you add your phone number.....
 