I have to admit I came here to wag a finger but it does kinda appear that Google will let you enroll a phone and then ... Offers... But doesn't really encourage or force the user to download backup codes.
Tbh, if I were Google, I'd force the user to prove they have a second second-factor added before enabling. Force them to enter the first half of one recovery code or something. Of course, if anyone really asked me, I've been screaming about SMS 2FA for forever, but its just one of those things most people just can't be bothered to care about until...
Tbh, if I were Google, I'd force the user to prove they have a second second-factor added before enabling. Force them to enter the first half of one recovery code or something. Of course, if anyone really asked me, I've been screaming about SMS 2FA for forever, but its just one of those things most people just can't be bothered to care about until...