
Dude needs a Yubikey. Don't have your phone number on a gmail account.

https://techsolidarity.org/resources/security_key_gmail.htm



Ironically Google's Yubikey implementation requires you to register a phone number to your Google account, which many people don't want to do.


Yeah, it's a big flaw in the setup. The instructions I linked have users add it temporarily, to unlock the rest of the options, and remove it afterwards.


Once you've added it, it's Google's forever and you've only got their word that they've 'deleted' it. I bet it's still available with a warrant.


The problem isn't that Google knows your phone number but that they will use it (or more precisely the attacker will use it after redirecting your texts) for account recovery, which you can prevent by removing the number.


Yes, and Facebook and Dropbox have enabled Yubikey/U2F support in the same way. It's stupid and it gives you a false sense of security (because you're using hardware tokens, which you'd expect to be more secure).


On Facebook, you can subsequently take your phone number off.


Only an Id10t would think it's actually deleted from FB-data logs.


The point is that it's no longer an attack vector. Wrt privacy, sure, it's probably still there.


Even though you can remove SMS as a 2FA, it looks like Google still asks for an email and phone for "Account recovery options". Probably should remove that as well?


Yes, you should. They demand phones because normal users who aren't being guided through the setup would be likely to lock themselves out of their account without it, but if you know what you're doing you can eliminate the phone dependency.


Or create an email account. It's impossible to sign up to any web email service to be able to send email, not just receive, if you don't have a phone.

I needed an untraceable email to send from for reasons I won't go into but couldn't create one.

If you're poor but need a webmail account you need a phone. You can't even put in a fake number since you need to reply to the approval link setup email. Gmail, Outlook, Yahoo, every one I tried all require a phone.


Recently I was able to create a "test" gmail account without using a phone number, just leave the fields blank and hit continue.


They may allow you to do that. If you are on an IP that they deem not trustworthy enough, like if you are on a dynamic IP or come from the wrong country, they'll refuse to create the account without some phone verification (to hinder spammers).


Pay someone on Fiverr with bitcoin to give you a few email accounts. Problem solved. (Make sure to use Tor and mix the coins.)


Or just Google Authenticator without a phone number. You can still be phished but it's better than SMS.


Very true, but I don't think it's possible to have an authenticator-only 2FA setup on Gmail. They make you keep the phone number on it.


I have that setup currently. I needed a phone number initially but could remove it after setting up authenticator.


I'm pretty sure you can remove your number after setting up 2FA.


I just removed my phone number, actually, after seeing news of these hacks. Seems to work fine, I guess if you already have Authenticator set up.


This seems to have changed recently. You can now remove the phone as soon as you add authenticator as an option.


I wouldn't recommend it after this: https://news.ycombinator.com/item?id=11690774


I don't get it. Asking for civility in a public forum is not a bad thing (HN does it sometimes), and certainly not a factor you should be taking into account when evaluating security devices.


If you have a beef with Yubico, get a U2F token from a different manufacturer. The important thing is to get one.



