Gmail as a threat to data access: forced 2-factor login, random lock-outs
--------------
Issue 1:
On my main account, Google recently forced me to accept 2-factor login via my Android phone. I did not volunteer to do this.
I now cannot log-into my email without having my phone present.
I forgot my phone at home one day. I couldn't log-into my Gmail in my office that day.
Fortunately I didn't have any important presentation or someone dropping into my office whom I had to show something in my Gmail, etc. Or I'd have been in a soup.
Let's say I'm traveling somewhere, and I lose my phone. And I have access to someone's PC. If I want to log in to use "Find my Android" to find my phone, I cannot do this without my phone. In what universe does this make sense? (Not to mention if I want to log in to check urgent messages, or to send urgent messages.) As useful as it is, the smartphone does not deserve such over-weighting.
--------------
Issue 2:
On some of my secondary Gmail accounts, on my primary device (a Windows PC), Gmail will randomly refuse to log me in (usually in an incognito Chrome window) even after correctly guessing my "recovery email address", AND using a code emailed to my "recovery email address", AND using a code texted to my phone.
After refusing to log me in, it will send a self-congratulatory email to my "recovery email address" letting me know that it just stopped a serious security threat by refusing to allow a suspicious log-in attempt.
The main reason for this behavior seems to be that "the device isn't recognized".
In this email they send to my "recovery email address" there's no way for me to indicate that this was a genuine attempt.
The oddest part of this saga is that there seems to be no way for me to train Gmail to recognize a new device. Because a device being "an unrecognized device" is grounds for not allowing me to log-in.
Update: just want to clarify that my secondary Gmail accounts don't have 2FA (yet).
--------------
Is this the best that such a large software company can do? Is this a hint at the future when flawed AI will get to decide whether you can log-in or not?
I hope this is an indicator of the beginning of the end for Google.
15 comments
[ 0.24 ms ] story [ 33.4 ms ] threadIt is possible to train another device to be Google Authenticator, its a QR exchange. So, selection of which second factor is material here: it can be the device you own, or it can be the TOTP. Its not either/or, it can be both, you pick which.
(not a googler btw. Just a happy 2FA adopter since S/Key)
I also don't understand why you don't have 2FA on your secondary gmail accounts, but that isn't material to the point: Any google account which does have 2FA should (as I understand it) support multiple modalities of 2nd factor simultaneously so you don't get cut off simply by losing a phone, if you enable the alternates. I mentioned two, there is the third, the yubikey type option which I think is now in general release, but comes at a $cost.
Maybe I misunderstand something in the points you're raising. Maybe its a nuance of the loss of the primary device and the use of backup recovery accounts, but the way I read it, the backup account recovery path is AFTER you explore alternate 2FA paths to account recovery.
I have my TOTP on two devices because I kept the QR code to bootstrap and also used the migration tool in google authenticator. I also have them in BitWarden. And I have the security one-time codes printed out. At this point, loss of a single device in the two I have to authenticate with is an irritation. This kind of feels like a 3-2-1 story: three forms of authentication, two online, one offline.
Are you talking from experience (with Gmail) or just talking "best practices"?
When I came back to the US, I could not log into the account anymore. First of all, it would force me to receive a text or call with my EU number even though I never turned ON 2fa. Then, when trying to recover it further, I can answer all the questions correctly and then google says "Google couldn’t verify this account belongs to you."
By now, the EU number has probably already been recycled and the contents of the account are completely inaccessible to anyone (even though I _know_ all of the credentials/recovery details).
Get a clue and use MFA for everything. It's 2021 and you're on a tech site for crying out loud...
Glad to hear you find it funny.
> Someone was trying to take over your account
Nope. If you read the original post again, you'll find out that "I" was trying to log into it.
> use MFA for everything
I would love to use MFA for this particular secondary email account. If only Gmail lets me log-into it so I can enable it.
A while ago someone replied to one of my posts and said "Your phone number is not a secret". I know that. My issue is that if I give it to these big companies, they feel like they can do whatever they want with it. So as much as possible, I don't give it to them, at least not willingly.
You should try Fastmail. I switched and love it.
After an iPhone upgrade and SIM swap, they couldn’t login to Gmail on an unrecognized device because the only option for verification was to “open the Gmail app on your LG sunrise”.
No 2FA enrollment ever took place, therefore no SMS fallback, recovery codes, or recovery email were offered as backup methods.
By sheer luck we found an old laptop where Gmail was used recently enough to recognize the browser.
At that point, only after removing the LG phone from “Account > My Devices” was it possible to enable 2FA and enroll a new iPhone as usual.
This “silent opt-in” (without 2FA) of the phone’s Android Gmail app as the only way to confirm unusual logins is likely limited to a subset of low-tech users / low-end devices who missed the Google account security checkup prompts.
1. You need to have several code generators that are initialized with the same secret. I actually have one on all of my computers, it's just a couple of Python lines. Well, a smart human attacker could probably find my generator on the computer reducing it to 1FA. But the risk of a smart human attacker spending hours to analyze the contents of my computer (using full disk encryption) is smaller than me forgetting, losing, breaking my phone.
2. Google does not allow you to setup 2FA without a phone. That's part of their the customer is the product thinking. It eliminates privacy and is a risk to your data when your phone number changes.