FWIW, 2FA is very low friction. You'll get an "Is this you?" popup on your phone or tablet whenever someone uses your username and password on a new device/browser/application. If it wasn't you, then someone else besides you knows your credentials and you need to change them ASAP. If it was you, you have another 2FA point.
Also, I enabled 2FA a couple of years ago, and have been happily using app-specific passwords ("app passwords" now) since they were implemented. Tying them to 2FA activation doesn't look like an engineering limitation.
> You'll get a "Is this you?" popup in your phone or tablet whenever someone uses your username and password in a new device/browser/application.
I have two different concerns.
The first is that I frequently end up having to clear my browser cookies, for a variety of reasons. Every time I do, I have to redo the 2FA dance, on every single website that requires 2FA. I suppose I could find a different cookie management strategy, but I think it's good for both privacy and security to treat cookies as semi-ephemeral.
Secondly, I’m concerned that I'll either lose or replace my 2FA device and forget about the account until it's too late—again, I’m much more concerned about losing access to my account than someone else getting in. I would almost certainly lose any physical backup codes.
I also have a fantasy that I'll give up my smartphone one of these days, or at least not bring it everywhere I go. I’ll probably never do it, but the idea is such that I don't want to depend on an app for access to my account. I do think I’ve successfully made myself less dependent on my smartphone than a lot of people, and I’m proud of that accomplishment.
A prompt on my phone and an app on my phone come down to the same thing, and I'm not interested in getting a physical hardware security key. The backup codes are one-time use, and there is no way I would keep track of a slip of paper for years without losing it.
I could use my password manager (Bitwarden) as my TOTP generator, and I may eventually do that just to make all of these services shut up. But, wouldn't that leave my account no more secure than it already is today? It would effectively be single-factor authentication, since the password and the generator would be in the same place, protected by the same master password.
I’m not sure about Bitwarden, but 1Password requires quite a few pieces of information to log in on a new computer, because it derives the encryption key from both the hash of your password and the “Secret Key”. Effectively, it still IS 2FA, with the “something you have” factor being a device activated with the secret key and your 1Password OTP. If you don’t sign into your password manager on your computer directly this should be fine. But you do, of course, lose the ability to paste passwords.
But regardless of how the vault is protected, your password and your otp generator are both stored there, right? If you have access to one, you have access to the other. So, I don’t understand how requiring both to log in to Google improves security in any meaningful way.
Google's 2FA requires the user to give Google his phone number before being able to add a TOTP authenticator. That alone is reason for me to never use it for my Google account. The popup also doesn't come up if you haven't signed up with Google on your phone, obviously. There is nothing stopping them from just allowing anyone to add a normal TOTP 2FA generator, they just chose to not do that to get more of that sweet, sweet data.
Does Google fall back to SMS if you tell it you lost your TOTP authenticator? That’s problematic in its own way, but it would explain the phone number requirement.
That's more friction than I'm willing to tolerate. If they force me to use 2FA, I'm done with Gmail for good (it's already no longer my primary email).
And I'm not against 2FA in general, I just don't want to use it in this case.