Any Gmail person can tell me why Gmail is tolerating Gmail phishing emails that use Google's own services (e.g. https://storage.googleapis.com/savelinge/... )?
More info here: https://news.ycombinator.com/item?id=46665414
> Supposedly, using the QR code on the smartphone triggers an SMS sent from your phone to Google in order to verify your phone number.
Does anyone have a better source of information than this one forum comment from someone who thinks scanning a QR code is enough to get your phone to send a text message?
EDIT: It’s just an SMS URI. It doesn’t automatically send anything, just opens a text message for you to send.
This is just the old phone number verification with a QR code convenience method.
Recently helped a small business set up a Google Workspace account and we hit a wall during registration.
Told the owners that if Google is already being difficult during signup, imagine being locked out later with client work on the line. Pulled up a few horror stories about Google lockouts to drive the point home. They ended up with another workspace solution.
The latest moves from Google are the damning smoking-gun evidence that an anti-monopoly court ever needs. "Do this or else". reCAPTCHA, Gmail, Google Suite, Android, Chrome, Colab and even Google Play must be viable businesses on their own, separate from the Google ads machine. Gmail must start competing for users with other email providers. And, yes, reCAPTCHA must pay its infrastructure cost in full only from reCAPTCHA revenue. This is the good way to level the playing field, silence all the critics and let air into the room.
I went through it to register just now. No QR code required. Same flow as it has been for years:
1. Personal/Child/Business
2. First/Last
3. Pick email
4. Date of Birth
5. Backup email / Skip
6. Password
7. Enter phone number
8. Confirm with 2FA code
9. Done.
I just made the email [email protected] and have since forgotten the password. So that’s one burned. But feel free to try [email protected] and see if it works without a QR code.
The headline is clearly a misstatement of what is a specific flow for someone to make many Gmail accounts programmatically.
This feels like one of those "security" changes that also happens to conveniently eliminate a lot of privacy-preserving workflows
I got this a few weeks ago; it was a URL like "sms?:number" which tries to pre-fill text in the app. Didn't work for me (Fossify) so I had to copy the number and verifier text from that URL and send it manually. It's for saving money spent on providers like Twilio.
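The comments above describe the QR code as nothing more than an sms: URI (RFC 5724) that opens the messaging app with a recipient and a pre-filled verifier text. The following is an added example, not code from the original thread or from Google, showing what such a URI decodes to and that decoding it sends nothing; the phone number and token in the sample are constructed, and the E.164 check on the recipient is my own hardening choice, not anything the thread describes:

```python
# Added example: decode the sms: URI a verification QR code might carry (RFC 5724).
# Not Google's code and not from the thread; the number and token below are made up.
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

# Plain E.164-style recipient: optional "+", 3 to 15 digits. Anything else is
# rejected (assumed policy) so a QR code cannot route the draft to a short code
# or a premium number disguised with letters, spaces or separators.
_E164 = re.compile(r"\+?[0-9]{3,15}")


@dataclass(frozen=True)
class SmsUri:
    recipients: tuple[str, ...]   # numbers the draft would be addressed to
    body: str | None              # pre-filled text, typically a one-time token


def parse_sms_uri(uri: str) -> SmsUri:
    """Parse "sms:<number>[,<number>...]?body=<text>" into its parts.

    This only decodes the URI. Nothing is transmitted: a QR code cannot make
    the phone send an SMS, it can only open the messaging app pre-filled, and
    the user still has to press send (and pays for the message).
    """
    scheme, sep, rest = uri.partition(":")
    if sep != ":" or scheme.lower() != "sms":
        raise ValueError("not an sms: URI")
    rest = rest.lstrip("/")               # tolerate the non-standard "sms://" form
    path, _, query = rest.partition("?")
    recipients = tuple(unquote(r) for r in path.split(",") if r)
    if not recipients:
        raise ValueError("sms: URI names no recipient")
    for r in recipients:
        if not _E164.fullmatch(r):
            raise ValueError(f"recipient {r!r} is not a plain E.164 number")
    body = None
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        if key.lower() == "body":
            body = unquote(value)         # RFC 5724 uses percent-encoding, not "+"
    return SmsUri(recipients, body)


def describe(uri: str) -> str:
    """Human-readable summary of what tapping the decoded QR code would do."""
    parsed = parse_sms_uri(uri)
    to = ", ".join(parsed.recipients)
    text = parsed.body if parsed.body is not None else "(empty message)"
    return f"Would open a draft to {to} containing: {text}"


if __name__ == "__main__":
    # Constructed sample in the shape a verification QR code might hold.
    sample = "sms:+15555550123?body=VERIFY%20c7e2f1a9"
    print(describe(sample))
    # -> Would open a draft to +15555550123 containing: VERIFY c7e2f1a9
```

Run it on the string your QR scanner shows before tapping the link: the recipient is the number you would be messaging, and the body is the token that ties your message to the registration session, which is why copying both into a manual text, as the comment above did, works just as well as tapping.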
Is this the reCAPTCHA crap I just ran into minutes ago? It’s the Cloudflare “verify your humanity” thing, and the checkbox isn’t good enough, so now there is a “mobile verification”, the support page for which (that I briefly skimmed) talks about scanning a QR code.
(EDIT: TFA didn’t clear it up for me, but it sounds similar.)
Wechat (Weixin; 微信) from Tencent has been doing this for years. Now Google is becoming the new Tencent and the US is becoming the new China
I tried to create a new gmail address recently because my primary gmail address is my name, and it's quite common, so I get more email for other people than I get for me.
My phone number - which I've had for about 15 years and have only ever used for personal purposes (minimal SMS, mainly just an iMessage/Whatsapp ID) - is apparently "not eligible" to create a new gmail account. Which is quite strange.
Register your own domain and use that for your email, and you'll no longer be held hostage by Google. Takes almost no effort and will cost you a few dollars a month.
Oh, excellent! Having been on the end of someone flooding a service with tens of thousands of autogenerated Gmail accounts.
And if you don’t want to share your phone number with Google, which I totally respect, there are a zillion other email providers. Contrary to popular perception, Gmail != email.
Won't be registering any new gmail accounts in the future and will gladly dump the ones I have if Google tries to force obtaining my phone no.
> requires scanning a QR code
That's like saying you need to "scan a QR code" to open a train door, not mentioning that the real requirement is linking your phone to your payment data so they can bill you. It's not the ability to turn a data matrix into bytes that Google is verifying here...
Google is trying to retain the value of their userbase, because many third party services use Gmail auth as a signal for low fraud risk.
Last time YouTube wanted to verify my phone number it was easier to find a free service to receive SMS than for Google to deliver it to my actual phone. And Google didn't care I "verified" a number assigned to other side of the world.
I recently had to do google takeout on an old google apps account. The account didn't have 2 factor auth and while enabling it I got stuck in a loop scanning the QR and getting a code via text message. I can't remember how I eventually broke out of the loop?
I wonder if there is a single engineer at Google who actually understands the whole registration/verification flow and all the edge cases?
It seems we're at a bit of a crossroads. It seems like the world both needs:
- Permissionless email (i.e. for agents, empowered users who can program now)
- Pervasive email allow listing
Wonder if these can both exist at the same time, i.e. having a "public" email that is read first by AI (let's imagine we're in a world where prompt injections weren't so possible) and heavily filtered, along with one that is private and allow-list gated (via some easier-than-gpg-to-use identity marker).
Gmail turned me off way back when it became obvious that they scanned your email to present relevant advertising.
I've paid for email nearly forever (Earthlink, not the most high tech provider but good enough) and get nearly zero spam. Their price went up again recently, but apparently if you mention Fastmail they'll match the cost.
I was listening to the local TV news a few weeks ago and the reporter talked about an SMS scam insisting that you owe unpaid turnpike charges. He said "most of us have seen them". I'm thinking, "I've never received anything like that!" and then realized it could be because I don't give out my phone number to just anybody who asks. And tend to push back when they do.
Most people don’t understand how QR codes work. So right now it may just send an SMS or prepare for it. But some day, it will do the remote attestation under the hood and the end user does not see the difference. I would bet a lot on this preparation.
Gmail has been evil both for client privacy as they use email scanning for marketing purposes, and for 'spam' filters that reject legitimate emails.
The fact that they're introducing QR/SMS/MMS/whatever they want is actually an interesting signal, because it will harm the customer experience, which might result in the growth of responsible paid email services.
Thanks for the update. I've been meaning to fully move away from gmail. It's clear that now is the time.
The days of my old google account that predates real identity policies are numbered...
People already assume that your "google name" is your official name, so much so that I had to patiently explain to a delivery man once that the funny nickname he had for some reason in the delivery notice did not match my ID because that was an old google account from a time when it was usual to use any funny handle for your account.
Is this for Gmail only or just Google accounts? A while ago I was able to sign up for a Google account with an iCloud relay email, and it _seemed_ like I had to give my phone number or use Google Authenticator… but I worked around it by using Chrome DevTools to create a virtual WebAuthn device, after which I was able to scan a QR code for 2FA with 1Password.
Obviously this is bad in general, but what's the threat profile here? Google already has the content of your emails and I guarantee they have pinned down your fingerprint unless you're using Snowden-level counter-int.
Protest this by using a paid email provider. My $60 yearly payment just went through today, is that honestly too much for the typical person around here?
It was easy to see coming, and it’ll spread further and to more services. In fact, recently they even forced old accounts to log in or they would delete them.
It’ll happen with social media accounts and other things too. The account creation date is going to become an even bigger heuristic in their spam models.
I get like 33 and a half million spam messages per day to my Shopify store, all bots using Gmail addresses.
Google really need to get it together. Their sender reputation bypasses all the normal spam filters, but if it was up to me…
Reminds me of Telegram that forces you to pay premium to login to a new device depending on the country. Login, not registration. This is all due to the cost of SMSes of course.
You can bypass this if you have a passkey, but phone and password isn't enough. No idea why they opted to do that, it's not like passkeys are indicative of any device binding.
I can say that this QR code could be requested if IP is suspicious and/or associated with unusual activity. Recently I did register a new google account from my own residential IP and it did not request any additional confirmations, not even SMS verification.
This could well be to help prevent SMS pumping, where someone makes money by receiving SMSes to a particular set of numbers. Requiring the user to first send an SMS breaks the economics of that type of fraud.
How do you scan QR codes on the device that is showing the QR code?
I wonder how long it will be until those without smartphones will be completely forced out of the mainstream internet.
Time to leave the sinking ship.
Try Tuta, or Proton, or Fastmail, or Zoho.
I recommend people switch to Tuta mail - the most privacy focused, email service. Read about it.
If you haven't created a Gmail or an Instagram account in a while you might be surprised how aggressive it is. For instance, try doing this without verifying your phone.
Both can ban you right away because they had to ramp up their anti-spam protections. Pretty much everyone already has an account, so most people creating new ones are just that, spammers.
the most nefarious thing about Gmail/Google Accounts is how it's not only the default SSO option, but for many AI services, notably even Chinese-owned ones like Deepseek and Kimi, it's often one of the only ones (the other being Apple ID).
When did it start?
fwiw I was able to set up a fresh google account without SMS via a used android device (with no SIM installed), 2 days ago. But I suppose on balance, having a second device is more onerous than having a second SIM.
Yes, I had the same issue and wrote a Hacker News comment[0] and was gonna write a blog post but laziness (but I am glad that privacyguides wrote an article!)
I also want to share a comment that someone (Velocifyer) added on my comment:
"If you make a blog post, make sure to also comment on how the audio reCAPTCHAs are nearly impossible and are blocked on public VPNs. The visual reCAPTCHAs have vague instructions (they say “Select all squares with busses.” when they mean “Select all squares that have a bus or part of a bus and do not select any other squares.”). For 2 years I could not figure that out so I had to use the audio captchas but then Google blocked them on public VPNs and also made them almost impossible. I could only figure that out when Google Gemini clarified it for me."
Also another fact that I had discovered: to upload YouTube videos of more than 15 minutes you have to do this verification with SMS, and I found that its system of sending SMS was quite finicky and has too strict a limit (actually just one try).
Google and other tech giants' recent changes/lobbying are really impacting the open internet, and it feels to me like we, as people who have knowledge about these topics, must do something to reform things, as I simply cannot ask people who are technically unaware about these topics to fight for these changes unless we advocate and educate them about it.
Most people simply have way too many other issues to fight for these things that they have almost taken for granted, but this to me means that the responsibility is on us people who are technically sound to fight against the attacks on the open internet if we wish to preserve it.
I think my point is that we all might be waiting for other people to protest against these tech giants, but I think that the world is looking at us people for such protests. Let's hope that we are able to educate more people and the open internet is preserved.
Our small steps might mean a lot in the future, so don't be disillusioned about making small steps thinking that they might be too small; we have to fight tech giants if we wish to preserve the open internet. Every step is meaningful no matter how small.
... and gives me a message on my primary phone: "This number has been used too many times."
Everything is going to get so much worse and AI really is to blame. So many websites now have these verification pauses and CAPTCHAs because of AI agents. Part of it is agents. Part of it is everyone running their own awful versions of Googlebot.
Years ago IIRC there was a "bug" where the Android emulator allowed you to create real Google accounts. This was found and I'm sure millions of these accounts were created. There's a whole black market for Google accounts. Whereas I lost a Google account I'd created for a relative because it hadn't been used in a while and it was tied to a mobile number I no longer had.
I don't see how this ends without registering for a service like Gmail being tied to your government ID.
How could they.
There is one way to sign up for a gmail account that does not require this: get an old chromebook out of the trash or for $20, then go through the account setup process on ChromeOS. It will create a google/gmail account that does not require use of a smartphone.
Soundcloud now needs a login for you to do anything. Instagram is not showing even previews anymore, the web's velvet glove is tightening.
Google has required a phone number for registration for a long while now, and blocks many types of phone numbers, including almost all easily-created ones, making creating new Gmail accounts rather difficult without a trip to the store to buy a prepaid SIM.
(In many countries, including soon the USA[1], you can't get a phone number+sim without showing ID, also.)
[1]: https://reclaimthenet.org/the-fcc-wants-your-id-before-you-g...
Wow! My 93 year old mom will not be able to use Gmail.
There are defo still some workarounds to make new google / gmail accounts without giving a phone number or any info.
Now people only need to connect this to age sniffing and the global corporate-driven movement to destroy and abolish VPNs. Politicians are no longer working for the people but their own money - aka by definition these are lobbyists.
Note that "scanning a QR code and sending a text message" means, for the most part, a smartphone. One could do so via a tablet too, I suppose, but most who register will do so via their smartphone device. For some reason accessing the www is increasingly tied to "identify now!". This is a huge contrast to the freedom of the 1990s. I don't think we should accept that.
People complain a lot about Gmail, but honestly I kind of understand Google's plight here.
They've essentially gotten roped into maintaining a huge chunk of internet infrastructure, for free. If they ever shut it down the whole world would end up rioting because it's so widely used.
But it's expensive, complicated and time-consuming to maintain - and both a source of and recipient of endless waves of spam and scams. It's an endless pile of data to hold onto, FOREVER, as well.
I enjoy hating on Google when appropriate. But when it comes to Gmail, I understand what they're dealing with.
It's honestly why I believe the idea of free e-mail is just bad, fundamentally. You can't expect a free e-mail service to be good or have any kind of support. The fact that it still exists is more out of sheer fear of the repercussions than any good will on the owner's part.
Just get a paid e-mail service. They're better, and offer a lot more peace of mind.