Question about U2F


pdknsk

Nov 9, 2014, 23:12:39
To: chromi...@chromium.org
To set up 2FA you need a phone. With a U2F device you wouldn't need a phone (only for possible backup, but this is also provided through printable backup keys). So my question is: can 2FA via U2F be somehow set up without a phone? The support page isn't clear on this.

Reilly Grant

Nov 10, 2014, 13:40:32
To: pdk...@gmail.com, chromi...@chromium.org
You currently cannot set up a U2F device without first adding a backup phone (landline or mobile).

--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev

pdknsk

Nov 10, 2014, 15:27:54
To: chromi...@chromium.org
This should be on a TODO list. (I guess it is.)

Markus Gutschke (顧孟勤)

Nov 10, 2014, 18:15:20
To: pdk...@gmail.com, chromi...@chromium.org
I understand why you would prefer it if phone numbers weren't mandatory. And I certainly can see situations where a user wouldn't want or wasn't able to provide a phone number.

But in general, it is probably not a bad idea to strongly encourage having a phone number on file. With systems such as 2FA and U2F there is an increased risk that users inadvertently lock themselves out of their accounts, if they lose their second factor. Ideally, they should have prepared for this possibility and printed out backup codes -- but I bet many people don't do that.

So, having a phone number that Google can verify is just one more tool that might eventually help them recover their account. I am not closely familiar with Google's account recovery process though (knock on wood), so I am not sure just how much weight is put on having access to the backup phone number in this situation.


Markus


On Mon, Nov 10, 2014 at 12:27 PM, pdknsk <pdk...@gmail.com> wrote:
> This should be on a TODO list. (I guess it is.)

pdknsk

Dec 17, 2014, 08:53:59
To: chromi...@chromium.org
In addition to many reasons why a user might not want to or be able to use a phone, it's also a benefit security-wise I think. A backup phone is a possible backup attack vector. I notice that Google has basically everything in place already for this to work from what I can tell, just that the 2FA sign-up process isn't prepared for phone-less activation.

pdknsk

Jul 29, 2015, 14:15:20
To: Chromium-dev, pdk...@gmail.com
Sorry for the bump, but I kept wondering if this is actually on a TODO list and whether I should wait for this feature or not. Thanks!

pdknsk

Mar 17, 2018, 08:08:56
To: Chromium-dev
I just want to post an update on this. Currently a phone number is not required, as long as you have another device (like a tablet) with a Google account configured. Then you can add a security key. It is however still not possible to have the security key as your only second factor. Attempting to remove the other factor causes this error.

> 2-Step Verification isn't allowed without a verified phone number, the Authenticator app or a Google prompt-enabled device

Reilly Grant

Mar 17, 2018, 17:49:22
To: pdk...@gmail.com
chromium-dev@ to bcc because this is off-topic.

If you enable Advanced Protection on your account then you can remove the phone number as a second factor:

On Sat, Mar 17, 2018 at 5:09 AM pdknsk <pdk...@gmail.com> wrote:
> I just want to post an update on this. Currently a phone number is not required, as long as you have another device (like a tablet) with a Google account configured. Then you can add a security key. It is however still not possible to have the security key as your only second factor. Attempting to remove the other factor causes this error.
>
> > 2-Step Verification isn't allowed without a verified phone number, the Authenticator app or a Google prompt-enabled device

---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/c0be3111-18c9-4a24-9d6d-2e6e80baae5f%40chromium.org.

pdknsk

Mar 18, 2018, 05:10:50
To: Chromium-dev, pdk...@gmail.com
Where can this be discussed? I have a few more questions which are not answered on the landing page (nor the support page).

Does the first security key actually need to be wireless, or rather be connected to a second device? Can you alternatively have two keys connected to the same device? (I'm aware this makes the advanced protection less advanced.)

Mike Frysinger

Mar 18, 2018, 17:07:35
To: pdk...@gmail.com, chromium-dev
if you search for "Google product forums", you'll find Google groups more appropriate. this group is only for building the Chromium browser.
-mike

On Sun, Mar 18, 2018, 02:12 pdknsk <pdk...@gmail.com> wrote:
> Where can this be discussed? I have a few more questions which are not answered on the landing page (nor the support page).
>
> Does the first security key actually need to be wireless, or rather be connected to a second device? Can you alternatively have two keys connected to the same device? (I'm aware this makes the advanced protection less advanced.)
