Google – How to Create an Account without Telephone Number and Keep It

Abstract, Disclaimer, Warning

The following document describes an advanced technique to setup a Google account to rely on solely the information from a password manager i.e. no phone and no “real” second factor. This is only reasonable for cases where there is either no other alternative i.e. no other trustworthy device that could be used for the login or no sense in protecting the account as nothing of interest is stored/associated with it.

I believe it to be patronizing of Google to assume that the account you create there is so important that it requires world-class security mechanisms that not even banks require. Yet it cannot be denied that for many people the data of the account will be in fact at least as important as their bank account.

You have been warned.

The Problem

I was repeatedly presented with the following screens when trying to login with my Google account:

Google requests for a 2nd factor that I did not ask to setup. But OK, I can receive the e-mail…

A similar screen is presented if a “recovery” is attempted (futile!)

From: Google <>
Subject: Google-Bestätigungscode

Lieber Google-Nutzer,

wir haben eine Anfrage für den Zugriff auf Ihr Google-Konto über Ihre E-Mail-Adresse erhalten. Ihr
Google-Bestätigungscode lautet:


With YYYYYY being the code to enter.

We want your personal data!

No entry despite correct credentials

Some freely available phone numbers for receiving SMS online did not work (“That number has been used too often”). After giving up at the phone number screen, I always received an e-mail as follows:

From: Google <>
Subject: Critical security alert

attempt was blocked

Someone just used your password to try to sign in to your account.
Google blocked them, but you should check what happened.

Followed by a link that lead to said login screen again. Thank you, Google! That someone was me… Login to that account seems to be lost prematurely.

Interestingly, it was also not possible to create a new account with a secure Firefox configuration that rejects most tracking and loses its cookies upon exit. But: Starting with a new Firefox profile it suddenly became possible to create an account.

Creating an Account Without Phone Number

Keeping the Account: Enabling TOTP 2FA the hard Way

It can be foreseen that access to the account will be lost if no measures are taken to allow some further “verification” beyond the simple e-mail because e-mail alone is known not to be enough.

My initial idea was to use TOTP because TOTP seeds can be stored in a password manager and that can be used together with oathtool to login.

Upon trying to configure 2FA in Google however, I am presented with a screen that only allows these types of 2FA:

The solution here is as hacky as it gets: Chose Hardware Token.

Notes about using Rust U2F

Emulate a hardware token using an application e. g.

systemctl daemon-reload
systemctl enable softu2f.socket
systemctl --user daemon-reload
systemctl --user start softu2f

Continue setting up the Token for Google

Follow the instructions for setting up the Hardware Token in Google.

After completion, additional options for 2FA for Google become available.

Now as the last step, it is possible to remove the hardware token from Google to obtain the desired state: Login via username+password+TOTP.


For me personally, the experience with Google Login has drained my trust in Google accounts to zero. An login that I cannot perform with providing the correct password and e-mail verification is simply unacceptable. Giving more personal data to Google is not acceptable, either.

Yet there are occasions today where the use of Google seems to be inevitable (ever tried to install an Android “App” without? – possible, but difficult!) hence the necessity to retain an account and stay tuned to whatever new loopholes are required to login. Website 5 (1.0.2) – no Flash, no JavaScript, no Webfont, no Copy Protection, no Mobile First. No bullshit. No GUI needed. Works with any browser.

Created: 2021/04/06 00:18:53 | Revised: 2023/01/30 21:37:43 | Tags: google, login, 2fa, oathtool, hack, rant | Version: 1.0.1 | SRC (Pandoc MD) | GPL

Copyright (c) 2021, 2023 For further info send an e-mail to

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see <>.