leafnose you certainly won’t get an IP linked to your area code
Pick the nearest city. It doesn't have to be perfect. According to the NANP, my "registration number" (defined at the end of this post) has an area code and an exchange code which correlate to a little one-horse town with a population of less than 100 people. That town is in the same county as a nearby city that my VPN can be set to, so that's what I set it to, figuring it's not an unreasonable presumption that people from small towns visit their nearby big cities.
leafnose Google knows the IPs used by VPN services
Yeah, I know. I can't presume on how those G-Holes have their algorithms configured, but I can make an educated guess. It could be a flagging system that'll put up more barricades as your suspicion score increases. If that's the case, nothing is overkill if you're trying to get under the wire while blindfolded.
I'm closely acquainted with somebody who fine-tunes the fraud prevention algorithm for a very busy eCommerce site. It checks over 100 data points, each of which has a weight value that's adjustable to a granularity of 1000 points. The sum of these points is the suspicion score, which determines whether an order should be approved and shipped, prompt the customer for secondary ID (which could raise or lower the suspicion score, depending), be flagged for manual review, or be rejected.
"Uses a known VPN" and "phone number and IP address geolocation mismatch" are separate data points with separately weighted values. The latter may have a dynamic weight value based on the distance between the two locations.
I don't know if Google has a threshold for outright rejecting a registration attempt, but if they do, it seems like I'm still able to squeeze under the wire with my VPN on. I doubt the weight value is particularly high for VPN users. VPNs seem to be quite ubiquitous these days.
leafnose Note that the guide I linked is...
... over a year old. The bar has been raised since its publishing.
I successfully created several Google accounts last year, including some for my family members who are also on GrapheneOS. I hadn't seen that guide until now, but the steps are identical to what I would do. It's not too surprising that someone out there had the same intuition as me.
One morning, we checked our phones. All of them were now demanding that we give them a phone number.
It even demanded one when I tried registering a new account from an IP address that was damn near guaranteed to be trusted; one which belonged to a non-technical senior-aged person who can't cook a meal without saying "Hey, Google! Set a timer for n minutes!"
leafnose throwaway number
I should have said registration number, not throwaway number. There's a bit of a difference between the two concepts.
If you use a throwaway number, there's always a chance that you could be prompted again for authentication several months later. I remember reading an article at one point that said Signal was considering doing this. If you threw that number away on the same date that you registered, you're boned!
That's why it's better to use a registration number. What that means is a permanent phone number that's used only for service registration purposes, nothing else. I got mine through a privacy-respecting VoIP service. I can disable and enable my VoIP client's connection to this number at will, so I leave it off and only turn it on when I'm expecting to receive an SMS verification code.
It costs me the equivalent of $2.45 USD per month, paid in Monero with zero KYC. I'd have to spend more than that on a coffee and a donut to justify taking up a seat at the coffee shop.
Keep in mind, some of these VoIP numbers work with some services, but not with others. I was successful in registering with Google Play and Signal using my registration number, but not with Yahoo! If Google Play locks me out again, I'll just contact customer service for my VoIP provider and ask for a change of number.
The best part about doing it this way is I don't have to go out to a coffee shop and hope that they have an IP address that's not going to be flagged already. Now I can just stay at home, keep my VPN enabled, and go through the registration process in my underwear. As for the coffee, I can make that at home.
In hindsight, I'm glad that Google doesn't know where I drink my coffee anymore.
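
The weighted scoring described in the post above (separately weighted data points summed into a suspicion score, with a distance-dependent weight for the phone/IP mismatch), sketched from the fraud-prevention side as an added example that is not part of the original post or any real site's code. Every weight, threshold, the distance cap and the `disposable_email` signal are constructed assumptions.

```python
import math

# Constructed weights on a 0-1000 scale; the post describes the scale, not the values.
WEIGHTS = {"known_vpn": 150, "geo_mismatch_max": 600, "disposable_email": 300}
# Constructed decision thresholds, checked from highest to lowest.
THRESHOLDS = [(900, "reject"), (600, "manual_review"), (300, "secondary_id")]
GEO_CAP_KM = 2000.0  # assumed distance at which the mismatch weight saturates


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def geo_mismatch_points(phone_loc, ip_loc):
    """Dynamic weight: grows linearly with distance, capped at the maximum."""
    if phone_loc is None or ip_loc is None:
        return 0  # missing geolocation contributes nothing in this sketch
    frac = min(haversine_km(phone_loc, ip_loc) / GEO_CAP_KM, 1.0)
    return round(WEIGHTS["geo_mismatch_max"] * frac)


def score(signals):
    """Sum the weighted data points; return (suspicion score, breakdown)."""
    parts = {name: WEIGHTS[name]
             for name in ("known_vpn", "disposable_email") if signals.get(name)}
    geo = geo_mismatch_points(signals.get("phone_loc"), signals.get("ip_loc"))
    if geo:
        parts["geo_mismatch"] = geo
    return sum(parts.values()), parts


def decide(total):
    """Map a suspicion score to one of the four outcomes the post lists."""
    for floor, action in THRESHOLDS:
        if total >= floor:
            return action
    return "approve"


if __name__ == "__main__":
    # Constructed sample: VPN in use, phone and IP geolocated about 1000 km apart.
    sample = {"known_vpn": True, "phone_loc": (0.0, 0.0), "ip_loc": (0.0, 9.0)}
    total, parts = score(sample)
    print(total, parts, decide(total))
```

Keeping the per-signal breakdown alongside the total is what lets a reviewer see which data points pushed a case into manual review.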