I think Google did their homework and struck a great balance between usability and security. Let’s be honest, those that would have a hard time learning how to use 2FA really have not much to safeguard on their Google accounts.
Granted, the wealth of data collected and available through anyone’s account is staggering, and to have it exposed would be devastating to the victim; however, that data would only be useful when aggregated across gazillions of users of the same kind. At that level, you become practically an anonymous data point, and anything juicy or really harmful would only be useful to someone you know.
Moreover, most supposedly security-concerned people lock the front door (Google account) while leaving the back door wide open, by literally broadcasting their whereabouts and behavioral patterns just by being logged in to Facebook, Messenger or WhatsApp…
On the other hand, people who hold the keys to important data, whose electronic identity being supplanted would put companies’, customers’ and employees’ livelihoods at risk, or who safeguard politically damaging evidence were it to see the light of day: that class of users can and SHOULD jump through any flaming hoops to secure their accounts.
The purpose of registering the phone number is mostly for account recovery in case of getting locked out for whatever reason. But if your digital identity is pinned on the security of your Google account, once you have 2FA activated, you can remove your phone.
The reason being that people are more likely to mess up while setting up 2FA and get themselves locked out. So only once you have authenticated successfully with the OTP should you remove SMS account recovery.
By then, your recovery codes should be well printed on non-acid paper, laminated and inside a fireproof safe.
However, you should be thinking that relying on the authenticator app is still kinda iffy if you are likely to lose sight of your handset for more than a few minutes (say boardroom meetings, where it’s common etiquette to surrender your phone to a secretary or hostess before entering the meeting).
There lies the vulnerability to high value targets who are worth the trouble of social engineering to get a hold of their handsets…
But Google provides a solution for that situation: a YubiKey or similar compliant device as second factor. So I think they covered all the bases, from average Joe, to sysadmins whose account authorization is critical, all the way up to high-ranking government officials and corporate officers…
While Joe Sixpack is well protected with a strong password only, I’m sure Sergey Brin has a chain around his neck with a YubiKey.
In short, just like in the locksmith business, locks, fences, and padlocks are there not to keep intruders out but to conveniently let the right people in.
And anyone determined enough to gain access, WILL get access, no matter how secure your setup may be.
Security only works if everyone follows procedures all the time, with no exceptions, combined with adequate physical, electronic, passive and active measures to support those procedures. Relying exclusively on security devices and measures will only get you so far.
Security is a shared responsibility between service provider and user, and in my opinion Google have put the ball in the user’s court, by providing a wide palette of options for us to choose the appropriate level of security vs. usability that our data and digital authorization require.
On top of that, most of us get corporate-grade security options basically for free; the least we can do is make an effort to do our part in keeping our own data safe.
I hope this makes sense, I’m still a bit wired after this AM’s DDoS 😀