#CoSoSec PSA for everyone with Google accounts:
You can use whatever kind of 2FA you would like to secure your Google account, including any third-party OTP authenticator app.
The thing is, that option is hidden by default. When initially setting up 2-Step, the options are a hardware key (very good), Google unlock (less good only because it requires you to be logged in on another phone or other device), or text/phone codes (bad).
This matters because...
1/x
...there is a workaround. Go to your security settings, then 2-Step. Now here's the trick:
You must put in your phone number and receive an authorization code via text or voice. (Wait, I thought we didn't want to do that?) You can remove it later!
Now when you go back to 2-Step, the Authenticator App option will have appeared. Go turn it on. I recommend ignoring the link to Google Authenticator and installing one of these FOSS options:
https://www.privacytools.io/two-factor-authentication-2fa/
3/x
This all may be old news to many of you, but I had always used Google Unlock on my phones as 2FA for my Google accounts, and an OTP app for everything else. It's only after my employer decided they were going to force us to use our personal devices for 2FA and also not reimburse us for hardware keys if we wanted that option that I looked into this.
@voltronic I've been using the Microsoft Authenticator for years (for many third-party apps) and recently added a YubiKey as a backup. My PC is passwordless as it uses Windows Hello (any of the above or face recognition).
So now you have your non-Google authenticator app handling 2FA for your Google account, and you did not need to log into said account on your other device running your authenticator app.
Now you can go back to 2-Step settings and delete your phone number. It would be great if you never had to add it in the first place, but it's the only way you get the app option to appear. If you have a burner number, you could certainly use that instead.
/End