Am I the only person in the world who doesn't have a cell phone? It annoys me that the two-factor auth setups at sites (like Google) assume I have one and don't even have an option for "I don't have a cell phone, please stop nagging me about this."
Still, if I plan to use Google Authenticator, I don't want to give Google my phone number at all. When they insist to get the phone number from me, I don't like it.
I don't think you need to get them a phone number. I use Google Authenticator app on my iPhone, and didn't give them anything. It just scanned a barcode on a webpage IIRC.
The bar code was actually just a code to initialize the code generation (I think it is based on that randomly generated seed and the time, so that then server and client generate the same keys). You could have also typed in the code by hand.
How do you get 2-factor auth enabled at all without entering a phone number? Their help page says that you can switch from phone-based to Google-Authenticator-based authentication after enabling 2fa, but I can't find a way to skip the phone step for turning it on in the first place. This is the screen I get when I click to enable: http://i.imgur.com/cm6Km.png
Sorry, a bit off-topic, but that reminded me of one fun fact.
In Russia, most social networks these days require that you sign up with a mobile number. You cannot start using your account without receiving an SMS verification code.
Buy a $20 used phone and get the cheapest pay-as-you-go plan you can find (you'll only be using the phone to receive text messages, so it should be really cheap) and consider it a somewhat impractical Google Authenticator hardware dongle.
Note that even a cheap, pay-as-you-go phone emits a breadcrumb trail of mobile network (and possibly GPS) location information. Unless you power it down between connection attempts. In which case it still emits breadcrumbs, though fewer.
Perhaps I meant it as a half-rhetorical question; I'm not the only person I know who doesn't have a cell phone, and if you take moment to consider it, I'm sure you'll realize that you know some people in the same position.
There are in fact significant demographics - children and the elderly - where cell phone adoption is rather low. Ironically enough, these are the very groups where enhanced security measures may be most useful.
> if you take moment to consider it, I'm sure you'll realize that you know some people in the same position.
Actually no, I can't think of anyone. Buy an iPod Touch and install Google Authenticator, you will have all the inconveniences of not having a phone but enjoy the security benefits of two-factor authentication.
You can use a YubiKey for Google 2-factor along with a helper app like Yubikco's "sidekick" for Windows [1] or my company's OneTime on Mac [2]. A YubiKey costs about $25 but is very portable, fast and convenient option.
You shouldn't have to carry an electronic device, though: a list of codes on paper can work fine. That's how the NemID system works, for example (http://en.wikipedia.org/wiki/NemID): I have a big list of challenge/response codes that I carry in my wallet, and each is used once. I use that one successfully to log into my bank with two-factor authentication, but since I have no cell phone, iPod, iPad, or Android device, I can't use Google's version.
What's weird is that Google even sort of supports the numbers-on-paper approach, but for some reason they limit it to 10 numbers.
edit: Hmm actually thought of a possible solution. Looking into how hard it'd be to port the Google Authenticator to a non-mobile platform so I can run it on my laptop.
edit2: Although it looks like you can't enable the Google Authenticator method without first enabling the SMS method...
You can print out more than 10, but only 10 are valid at any given time. There's a link at the bottom of the page with the codes to generate 10 more. I suspect they do this so people don't print out 1000 only to be using 10 (or less) at any given time.
>edit: Hmm actually thought of a possible solution. Looking into how hard it'd be to port the Google Authenticator to a non-mobile platform so I can run it on my laptop.
Just install an android emulator, e.g. YouWave, and use that virtual android device to run GA.
Although it looks like you can't enable the Google Authenticator method without first enabling the SMS method...
I'm not sure about this (it was a while ago when I installed it), but I know you can install it on a new device after previously having it installed on another device (which disables it on the first device) without an SMS.
Why are you the only person in the world who doesn't have a cell phone? Why would you assume that super-large companies would consider your single-person use-case?
No; I know dozens of people, including myself, who do not have cell phones, and have no intention of getting one. I find this an extremely obnoxious assumption by Google (and others) -- it's not like we're luddites; it's frequently the programmers I know who are least willing to carry a cell phone.
