FYI Using Google Voice instead of your mobile number for 2FA


kwe

Member
Mar 3, 2021
Steve really put a fright in me with his latest podcast end segment where he basically said your mobile number security hangs by a thin thread of a four-digit PIN. He transferred his mobile number to a new phone with nothing more than this PIN. You can also lose your phone physically, you can accidentally destroy it, or you might lose it in a SIM-swapping attack. Is a mobile phone number sufficiently secure for use for 2FA? Is Google Voice better?
Use an authenticator app on your phone if the web site supports it. Because Google Authenticator has no backup or second device option and doesn't provide any password protection on the app when running, I prefer Authy. I have Authy on my Android phone with a backup vault on my Debian-based laptop. If I lose my phone, even unlocked, no bad guy can access Authy without my four-digit PIN and I have access to Authy on my laptop until I get a new phone. I think this is the best option.
But if your sensitive web site doesn't support Authy or GAuth, you need to use texting or calling to a phone number. What about Google Voice? Google Voice runs on your phone or your laptop via a web browser. Google has strong security and backup codes.
I think it might work if I set up a new Google account on an alternate browser (Chromium instead of my main Firefox browser). I only use Google on this Chromium browser and never log on to my main Google account there. Of course, Google can link this second account to my first account using my mobile number or my IP address or my location derived from their location technology using GPS and Wi-Fi. This is a privacy issue, not a security issue, so long as this account is only used for 2FA.
One thing to take note of is that web sites require "mobile" numbers, not "landline" numbers, but I have found that if you put the landline-based Google Voice number in and identify it as a mobile number, most web sites will send texts to GV for 2FA.
I know there has been a lot of criticism of GV as a 2FA number and Jason Howell of TWIT famously bricked a Google account, but I think Google security is superior to cellular carrier security and their recovery process is secure and flexible. You don't risk losing your number if you login to your sensitive sites on a regular basis.
Would you use a virgin Google account with GV as a 2FA number for your sensitive web sites?
 

miquelfire

I like red!
Sep 26, 2020
www.miquelfire.red
The reason sites need "mobile" numbers is for sending text messages, which Google Voice supports. I think, for how sites treat phone numbers, Google Voice is just a mobile number.

If you're in a position where Google Fi is an option, the PIN needs to be created manually, and it's active for 30 minutes once you click the generate button. And it's 6 digits. I haven't really used their service (at least via phone) since I ported my old number to the service, so I'm not sure when you would need the PIN number. (The last two phones I bought, I just sign into the app, and it downloads an eSIM, which means I need to log into my Google account just to do that, including whatever 2FA stuff I have.)
 

excel

New member
Oct 7, 2020
The challenge with Google Voice is that GV numbers are identified as VoIP, not true mobile numbers. Many sites (for example Paypal) require a carrier registered mobile number. GV is not accepted. Unfortunately the number of sites that do not accept VoIP numbers seems to be increasing.
 

AlanD

Well-known member
Sep 18, 2020
Rutland UK
That could be a problem. Here in UK, the whole telephone network is likely to switch to VOIP as they phase out copper wires and move to fibre to the home.
 

kwe

Member
Mar 3, 2021
I was able to use Google Voice at all my sensitive 2FA-via-phone web sites, but on some I had to enter the GV number in the mobile section, not the home section. Web sites are allowing customers to declare whether or not their number receives texts. They used to look up the numbers in databases to determine whether they were landline or mobile.
Anyway, is using GV a good idea vs. using your mobile number?
 

Clev

New member
Sep 30, 2020
I do this too. Just make sure GV isn't set up to forward incoming SMS to your phone's SMS; otherwise a SIM swapped phone would still receive your codes. Have SMS delivered to your GV app only.
 

Dave

Dave Jenkins, N1MXV
Sep 16, 2020
Gardner, MA (USA)
Clev said: "I do this too. Just make sure GV isn't set up to forward incoming SMS to your phone's SMS; otherwise a SIM swapped phone would still receive your codes. Have SMS delivered to your GV app only."
Google Voice recently dropped SMS forwarding "for security reasons". If you did have it set up, it now forwards to your GMail.
 

SeanBZA

Active member
Oct 1, 2020
AlanD said: "That could be a problem. Here in UK, the whole telephone network is likely to switch to VOIP as they phase out copper wires and move to fibre to the home."
Not going to be a problem: the networks simply block the known number blocks of the VOIP providers, and the older network operators going to a VOIP solution still use their existing number ranges to route the calls, so they will not be blocked. Funny thing, though, is that you can now have a landline number which traditionally did not support SMS sending or receiving, as it was a plain copper pair, but now can support SMS on the new handset, as it is basically a cellular phone with an always-on wireless connection to your local fibre router, and often you can put a SIM into them and use it as a mobile phone.
 

PHolder

Well-known member
Sep 16, 2020
Ontario, Canada
There are services (such as TextNow) that will "rent" you a phone number. People use these for mal-purposes. (Attempting to remain anonymous for hateful reasons, generally.) Accordingly, services have sprung up that track these numbers, and businesses can use these second services to block people using numbers from the first services. (I have learned this the hard way, when using an iPad with no phone ability and wanting to sign up for some services that only use a phone number as the identifier... such as, say, Signal.)
 
Sep 17, 2020
London UK
SeanBZA said: "landline number, which traditionally, did not support SMS sending or receiving"
I believe you can still send a text to a copper wire analogue phone. When you answer the phone a text to speech converter reads it to you. Mind you it has been several years since I tried this!
 

Dave New

Active member
Nov 23, 2020
kwe said - "Because Google Authenticator has no backup or second device option..."

I beg to differ. Tap the 'three dots' menu in the upper right corner, and choose 'Transfer Accounts'. You can then produce a QR code that will be displayed on the 1st phone screen that can be read by the app on the 2nd phone, and it will transfer all your accounts over. I use this when moving to a new phone, but it could be used to keep two phones in sync.
 

kwe

Member
Mar 3, 2021
Dave New said, replying to kwe's "Because Google Authenticator has no backup or second device option...": "I beg to differ. Tap the 'three dots' menu in the upper right corner, and choose 'Transfer Accounts'. You can then produce a QR code that will be displayed on the 1st phone screen that can be read by the app on the 2nd phone, and it will transfer all your accounts over. I use this when moving to a new phone, but it could be used to keep two phones in sync."
"Transfer" means "copy and delete". It doesn't imply a backup or second device capability. Can you confirm that you can run GAuth on two devices at the same time?
 

Greg S

Member
Sep 16, 2020
Northeast Ohio, USA
kwe said: "Can you confirm that you can run GAuth on two devices at the same time?"
I can confirm this. I have it running on two phones. What happens when you "transfer" is actually a "copy". It copies all of your 2FA accounts from an instance of Google Authenticator running on one phone to an instance of Google Authenticator running on another phone. They are then independent of one another. Any subsequent deletions or additions of accounts on one device will not be reflected on the other. So, if you are using a secondary phone as a backup, you have to repeat this process every time your list of accounts changes on your primary phone.
 

dg1261

Member
Oct 22, 2020
kwe said: "Google Authenticator has no backup or second device option..."

You can install GA on as many devices as you wish. To set up the same TOTP tokens on multiple devices, all that is required is that you use the same QR code, or at least the same secret keystring that's embedded in the QR code.

(If you scan the QR code with an ordinary QR code reader, you'll find it merely consists of a couple text fields, such as a name, secret keystring, and maybe a URL or description. Note only the secret is critical; the other fields are optional and can be altered or edited as desired. The QR code isn't proprietary to a particular service or particular authenticator app, it's nothing more than a convenient way of passing the secret keystring the service generates to your phone's app without you having to manually type it in.)

Also, there's nothing unique about the Google Authenticator app, so you don't even need to use that specifically. For instance, you can use Microsoft Authenticator with your Google account, if you wanted to. All TOTP authenticators are the same -- they simply take a given key (the “secret”) and use it to generate a 6-digit number. Regardless of whether the authenticator app comes from Google, Microsoft, Facebook, Authy, andOTP, Bitwarden, et al, they'll all generate the same 6-digit number if given the same QR code or secret key. So don't install different authenticators for different services, just install one and use it for the TOTP tokens for all your services.

When you're initially setting up 2FA for a site and the service/website displays the QR code for you to scan, simply take a screenshot and keep the QR code. You can thereafter rescan the same QR code to recreate the same token on another device.

You don’t even need to set them up contemporaneously, either. Only the first authenticator needs to be configured “live” so the service provider knows which secret you’re going to be using, but subsequent authenticators can be setup later if you use the same QR code.

Not only is this useful for adding multiple devices, it's useful for recreating your TOTP tokens if you change phones or have to factory-reset your phone.
 

miquelfire

I like red!
Sep 26, 2020
www.miquelfire.red
Note, Authy and Duo Mobile have special features that services may use to lock you to them. Duo has a push service so you just push accept or deny, and I think Authy has a similar feature, along with a feature Google Auth (along with others) didn't/doesn't have with TOTP in which you can have more than 6 digits (Cloudflare is set to 7 digits for example).
 

Lob

What could possibly go wrong?
Nov 7, 2020
Here's an interesting observation about Google which probably extends to GVoice.....

If the attacker trying to take over your phone and your life is remotely skilled and motivated, he or she could simply get your Google account too. With MFA enabled, try logging in and then when the second factor is requested, choose other options. If you have a phone number on record with Google, it will offer to send you an SMS.

So Google MFA is only as good as you enable it to be, a classic trade-off between security and convenience.....
 

kwe

Member
Mar 3, 2021
Lob said: "Here's an interesting observation about Google which probably extends to GVoice..... If the attacker trying to take over your phone and your life is remotely skilled and motivated, he or she could simply get your Google account too. With MFA enabled, try logging in and then when the second factor is requested, choose other options. If you have a phone number on record with Google, it will offer to send you an SMS. So Google MFA is only as good as you enable it to be, a classic trade-off between security and convenience....."
Under the phone number settings there is a switch to disable using your phone for password reset. Thank you so much for mentioning this. Another reason to create a separate Google Account for 2FA. (Why is this so hard?)
 

Lob

What could possibly go wrong?
Nov 7, 2020
thanks, kwe, I am not seeing this. I have a verified phone number for my account but I can only delete it. It appears that the second factor can perhaps be to the phone number but the phone cannot be used in the password reset process - is that right? I am looking now....

Edit: "Recovery Phone" is the term for password resets, you can prevent someone resetting your password if this has no phone number BUT if you have a phone number linked to your account, the second factor can be sent to that number so you effectively only have single factor authentication for Google if you add your phone number.....
 