Google Workspace (formerly G Suite, formerly Google Apps for Business) is changing its default policy to require 2FA (two factor authentication) for all accounts. While this is good news for security, Google have made it very difficult to maintain privacy at the same time.
The 2FA enrolment process, at least with the organisation that manages the Google Workspace account I have to use, offers three options: SMS/call to a PSTN telephone number, authentication prompt via the Google smartphone app, or a hardware security token. Notably absent is the option to use an OTP (one time password) app – Google Authenticator is a well known example but there are many alternatives because OTP codes are based on open standards. This is important because options 1 and 2 require giving up privacy to Google, whereas OTP is anonymous.
Option 1, giving Google your phone number, has obvious privacy implications. Numerous organisations have been caught using phone numbers for marketing purposes after originally claiming that they would only be used for security verification. On top of that, the PSTN is not very secure, meaning that your codes can potentially be intercepted.
Option 2 requires installing a Google app on your smartphone and having it logged into your account. Google therefore know where your phone is at all times. If you use Google services anyway then perhaps this isn’t a major concern. However, for those of us who only use Google when required by clients, installing what amounts to a tracking app isn’t very appealing.
That leaves option 3, a hardware token. The downside of this method is that hardware tokens aren't free, and you have to carry them everywhere you might need to log into your account. On top of that, Google’s 2FA enrolment process implies that if you want to use a hardware token as your only method of 2FA, you also need to enrol in their “advanced protection programme”. This requires... registering a phone number with Google. They really make it hard to avoid giving them your phone number!
However, it turns out that there is a way around all of this. Here's the summary:
- Install a software security token. This emulates a hardware security token as seen by your web browser.
- Enrol in Google 2FA using this security token.
- Set up OTP as a second method of 2FA.
- Remove the software security token.
This process works because while Google doesn’t offer OTP as an option during the enrolment process, you can add it as an alternative 2FA method once you’re already enrolled.
I’m told that there are a number of different software-based security token emulators, either standalone programs or browser extensions. They tend not to be very mainstream or very well supported, so I would be hesitant about using one as your only means of authentication. However, using one to get through the initial setup process should be reasonably safe. I used rust-u2f by Dan Stiner. It’s only available for Linux so if you’re on Windows or Mac you will need to find an alternative.
Once you’ve got the security token installed, you can proceed with the 2FA enrolment. Just follow the instructions – with rust-u2f, when Google tells you to plug in your device and press the button, you should run `systemctl start --user softu2f.service` instead. As a side note, during this process Google will prompt you to download some backup recovery codes. I strongly recommend that you follow this advice, and store the codes somewhere safe.
After enrolling with the security token, Google will take you to another screen inviting you to add another authentication method. Here you should select “Authenticator app”. The help text implies that you have to use Google Authenticator on either Android or iPhone, but this is not true: you can use any OTP-standard compliant app on any device. It just needs to support TOTP (time-based one time password, as opposed to HOTP = HMAC-based one time password) with the default 6 digits valid for a 30 second interval. Once you've chosen this option, you can either scan the resulting barcode with your chosen authenticator app, or you can click “Can’t scan it?” to get the initialisation key in plain text. You can then enter this key into the OTP app of your choice.
From this point you should be all set. Try logging out of your Google account, then log back in and confirm that you can use the OTP app.
One more small thing: At time of writing, if you have a security token set up as a 2FA method, Google always uses that as the default. This means that even if you’d rather use the OTP app, you first have to click past the security token prompt and tell Google you’d like to use another method every time you sign in. You can’t set OTP as your default 2FA method and keep the security token as a fallback. For this reason, along with the concerns about security and maintenance of software security tokens mentioned above, you might want to remove the security token from your account once OTP is confirmed working.