Thunders

Before reviewing the available workarounds, keep in mind:

This issue occurs when authenticating a Google account protected by MFA (SMS, OTP, prompts).

It affects both Google Workspace and personal Google accounts.

This happens regardless of the location you are executing from

- This issue occurs when authenticating a Google account protected by MFA (SMS, OTP, prompts).
- It affects both Google Workspace and personal Google accounts.
- This happens regardless of the location you are executing from

Some users experience a phone number verification request when trying to sign in through Thunders.

This challenge appears during Google’s authentication flow because the login attempt originates from a new IP address, not because of a missing or misconfigured geographic region.

Google detects a new IP → flags the login → enforces phone/MFA verification.

Even if you add “Canada” or another region in Thunders’ test settings, Google will still require additional verification.

Google continuously evaluates login attempts using:

- Device fingerprint
- Location history
- Account risk profile
- MFA settings

Since Thunders executes from a different IP than your usual device, Google interprets the login as “untrusted” and triggers extra verification (SMS, prompt, etc.).

This is expected behavior from Google and cannot be bypassed through standard settings.

Below are practical solutions adopted by teams who must run tests involving Google authentication.

They are listed from most stable to least recommended.

Option 1 — Google Workspace Test Accounts (Recommended)

Create dedicated test accounts inside a separate Google Workspace domain.

Disable MFA and strict security policies only for these test accounts.

Use these accounts exclusively for automation and testing.

- Create dedicated test accounts inside a separate Google Workspace domain.
- Disable MFA and strict security policies only for these test accounts.
- Use these accounts exclusively for automation and testing.

Fully supported by Google’s best practices

- Stable
- No OTP, no CAPTCHA
- No need to manage cookies or tokens
- Fully supported by Google’s best practices

Admin access to a Workspace domain (often paid)

- Admin access to a Workspace domain (often paid)

This is the cleanest and most reliable long-term approach.

Option 2 — OAuth Test Users / Service Accounts

Use Google Service Accounts for backend/API flows.

Create a <code>/login-for-test</code> page in your application that:

1. Authenticates server-to-server with a Google test account

- Use Google Service Accounts for backend/API flows.
- Create a <code>/login-for-test</code> page in your application that:
 1. Authenticates server-to-server with a Google test account
 1. Redirects the user already logged in

- Avoids CAPTCHAs and OTP entirely
- Strong security model
- Works reliably for backend-driven flows

Not suitable for all frontend login flows

- Requires development on your application
- Not suitable for all frontend login flows

Perfect for applications with backend-based identity flows.

Option 3 — Pre-Authenticated Session (Cookie Injection)

Export cookies/storage using <code>storageState()</code>.

Reuse this authenticated session in your tests.

1. Log in manually once using MFA.
2. Export cookies/storage using <code>storageState()</code>.
3. Reuse this authenticated session in your tests.

- Session expires → you must re-authenticate manually.
- Not scalable for large teams.
- Cookie injection is on the Thunders roadmap for native support.

Useful as a temporary workaround, not ideal long-term.

Option 4 — OTP Automation (Coming soon)

Thunders will soon offer an ability to automate OTP, using Thunders email accounts and Phone numbers:

Email-based MFA using Thunders virtual server

- Email-based MFA using Thunders virtual server
- Virtual SMS services

These introduce some security risks if you use real accounts

They could Google’s security expectations

They are more fragile (SMS can sometimes not arrive to destination, emails as well)

- These introduce some security risks if you use real accounts
- They could Google’s security expectations
- They are more fragile (SMS can sometimes not arrive to destination, emails as well)

Because of this, we do not recommend automating MFA for real Google accounts.

Need Help Implementing Your Solution?

We’re happy to guide you through whichever workaround fits your product and constraints.

You can reach us anytime at <a href="mailto:support@thunders.ai" rel="nofollow noopener noreferrer" target="_blank">support@thunders.ai</a> - our team will help you set everything up smoothly.

Google Authentication with MFA – Why Am I Asked for a Phone Verification?

Home

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

Google Authentication with MFA – Why Am I Asked for a Phone Verification?

Prerequisites

What Is This Issue About?

Why Does It Happen?

Available Workarounds

Option 1 — Google Workspace Test Accounts (Recommended)

Option 2 — OAuth Test Users / Service Accounts

Option 3 — Pre-Authenticated Session (Cookie Injection)

Option 4 — OTP Automation (Coming soon)

Need Help Implementing Your Solution?