The whole phone number thing is an attempt to solve a very hard problem.
Most people have terrrrrrrrrrrible password practices. Absolutely abysmal. And they are keeping extremely sensitive data inside their email as well as using their email address as the key to accessing many other websites and pieces of sensitive data. Think about how screwed you'd be if you lost access to your email address. Now think of how many people DAILY probably lose such access. Phone numbers are an easy, mostly reliable way to identify someone and give them access back to their email address without an investigation and without human intervention.
Plus, let's just get reasonable for one minute here. Google already has your phone number. Ever given it to someone via gmail? Someone else ever given your phone number to one of their friends through gmail? They're just asking for permission to send you a text.
You totally miss the point. It's not about how great two factor authentication is. It's about the fact I don't want to use the two factor authentication, I'd rather lose everything.
I'd rather have my "sensitive" data compromised than have some multinational advertising company that has been compromised by every major government on the planet have access to me at any given time.
And it's as annoying as having someone stand in your kitchen every morning and say "A bowl of bran Sir, it's good for you, best thing to eat Sir, other options are inferior". I hate Bran, I'd rather eat toast, I'd eat fruit, I'd rather wait till lunch time. But that butler person won't go away, he shows up at lunch time, and dinner, and when I just feel like a quick snack down town.
I don't care how much better it is for me, I already know, I just don't want it.
And lastly, if someone steals your phone, with your email client on it, it is way easier for identity theft to occur, not harder.
>I'd rather have my "sensitive" data compromised than have some multinational marketing company that has been compromised by every major government on the planet have access to me at any given time.
They are far from the same thing, and why do you think it is worse?
Because what's on my Google is mildly embarrassing, whereas I grew up with a group of kids from Yugoslavia, where the government forces used information like this to butcher people in the streets, in their homes. I turn on the TV and see it happening in Iraq, and Syria right now.
It's not a future I want this world to have, and we are unfortunately enabling it, as always, with poorly thought through best intentions.
It's no harder than if someone steals your laptop. The same measures you would use on a laptop (FDE, TLS) are available on phones. The argument can certainly be made that SMS is an insecure form of 2-factor auth, since they can be easily intercepted in transport (though if you use TextSecure someone who steals your phone can't get them!), but that's why we have the google authenticator app.
Because a common tactic kids are using ATM is a simple snatch and grab, right out of people's hands. Heaps easier than taking a laptop as you might be standing in a crowd, they can approach you with speed, shunt you off balance and are gone.
Phone doesn't lock while they run with it as they are touching the screen, they get away from the user and disable the security features. You are compromised, phone is compromised, thieves win.
Or so the papers say, and several female friends who have had this happen to them at evening events (not identity theft, but the snatch and grab).
I try to minimize how much I hold my phone in my hands in public for this reason sure (It also makes you a more viable target for muggers if you look distracted by your phone). You can also set TextSecure to automatically wipe your passphrase from memory when you're done reading/writing texts. I should probably also be using APG ( https://f-droid.org/repository/browse/?fdfilter=APG&fdid=org... ) to encrypt other stuff for the same reason.
I don't doubt that this is a real threat for sure, but there are measures you can take to prevent it from happening.
If your phone gets stolen, then you block your phone number with the carrier, and the thief can't get your SMS - so 2-factor security still works and protects you.
True, I think most snatch and grabs are sold quick for cash and not identity theft anyway.
But in a worst case scenario how quick could someone determined actually compromise you? Minutes? Less time than you'd wait on hold during work hours, let alone waiting till the next day?
Cool then continue to click "no". Your personal preferences have nothing to do with google's intention.
If someone steals your phone and it's logged into all your personal accounts and you don't contact your mobile provider to shut the SIM card off then yes you are screwed. Also I would suggest cancelling your credit cards if someone steals your wallet.
Yeah. The problem is that pretty much whatever they do--and certainly whatever they do that is practical at low-cost scale--is subject to criticism. In this case, it's the phone number thing. But try out these other headlines:
How I lost access to my Google account and couldn't get it back
How a hacker compromised my Google account with social engineering
You're right that in general this helps, and most of Google's account security energy is going towards helping average users deal with basic security. Microsoft offers a similar option (you must choose to use a phone, or a secret question, I think).
But interestingly, phone auth changes as your account becomes more valuable. If your Google account unlocks everything you have, then a targeted stealing of your phone number gives the attacker everything.
If the target is leaving the country without roaming for a few days, an attacker might even get the number flipped back before they return. A non-security conscious victim, upon return, might just wonder how they forgot their password, reset it again, and move on. (That's another reason why Google and others remind you when you last changed your account settings.)
No one is saying that it's foolproof or totally secure. It's just an easy, mostly reliable way to automate the process.
If you develop a way to recover people's email accounts that is simple for consumers, requires no human intervention, and is more secure than phone numbers, patent it and make millions. Seriously, this is a hard problem to solve and companies will gladly pay you for a better solution.
That's what I'm saying. It's great for most of their users, but as Google becomes more important, it provides an easy single-point-of-failure you can use to completely take over someone's ID.