Ask HN: Gmail account security

1508 points by caseyf7 ↗ HN
I have a gmail account that I rarely use, but I know the password. I enter it correctly and get the following message:

You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.

Even if I get the code from the recovery email account, it won't work. Is this the AI hell Google throws you into if you get a new phone and computer in the same year? Has anyone else on HN run into this and found a solution?

806 comments

[ 0.24 ms ] story [ 336 ms ] thread
I once forgot my gmail password. There was no way for me to recover it. Eventually I found it after 6 months, but it was a very difficult 6 months. bank emails, work emails, etc were in the google 7th circle of hell, and there was nothing I could do. I don't have any good advice for you really except is there a way you could vpn to a location closer to where you typically access gmail?
I have one of the old gsuite free accounts with a personal domain, so my backup plan for that for the last ~15 years has always been "if google graveyard gmail, at least I can but mail service elsewhere and update my MX records".

Now they're going to start charging me for that, I'm considering which non-google mail option I will choose instead, I've been sticking with gmail against all my privacy and ethical objections, because it works so well and is free. It's no longer going to be free soon, and I'm pretty sure their competitors work as well as they do (or very close to), so I can _finally_ get over the inertia that's made me feel _almost_ bad enough to leave gmail but not quite bad enough to pay money or do the work required. Right now, it looks like Fastmail or Protonmail are going to get my money.

This happened to me. It was impossible to access my gMail account, knowing my username/password/recovery email/all recovery codes... until I returned to my home country / home address. Then gMail let me in.
Same here, I got an email to my main mail account saying Google has blocked a login attempt to another old Gmail account of mine that I haven't used for a long time (the old account has the new account listed as the recovery email). So I tried to log in to that old account, and got the same message to "try again later". I tried a few more times over the next few weeks but always the same message. So even with the correct password and access to the recovery email I still can't log in to the old account, and there's no way to get around it. I just gave up.
I stopped using gmail. I pay for my own domain (approx $10 per year and subscribe a hosting service that costs about $4/month). The total cost is not much different from a paid google email which is about $50/year.

If I happened to forget/lose all passwords (lost laptop, burned house etc.), I would probably need to deal with the hosting company who would try to identify me with my credit card or some other way (phone number, mailing a letter to my physical address on file). Nothing is absolutely secure but I think it is secure enough for me while I also have fair good chances to recover my lost access. I am not a big target to scammers anyway.

BTW A paid Google email via Workspace (previously G Suite) has gone up to $6/month/user, so $72 USD a year for a single user setup.
In most cases it’s easy to social engineer hosting company staff into granting unauthorized access (even the major ones) all it takes is a bit of know-how and maybe a photoshopped ID. The weakest link in any security stack is always the human element. The fact that Google makes it impossible to get in touch with a human is why I trust it.
It can be done but it is not guaranteed. Smaller companies have more geeky staff who would be more suspicious and wouldn't let that easily to be had. They have more accountability.

I hear that many accounts of celebrities get hacked and I wonder how? Apparently even with 2FA it is not that secure. Some countries let you order a replacement SIM quite easily and then it can get intercepted (maybe by stealing from mailbox or similarly). This appears to be a reason why google has been refusing access even with 2FA in place.

The biggest risk I think is falling a victim of the scam. I usually get emails purportedly from my hosting provider (sometimes from my bank etc.) that I need to verify payment or something like that. Obviously they are fake but I can understand that even an attentive person can have a bad day and click on a malicious link and enter all required details. Google is probably better in filtering out such scam. And yet I wonder if it still happens often enough that they actively block login attempts if they are from unusual locations.
This is one of the reasons I've been reluctant to start using a hosting provider (in addition to social engineering, it's always possible that their infrastructure gets compromised). Their problems become my problems. And on the other hand, some of the big ones are also prone to arbitrarily blocking you for random reasons, just like Google. Didn't take long for Hetzner to block me.

I still host my mail at home and am my own registrar. There are still human elements of course but I've minimized them to the extent that is currently feasible.

Wasn't aware of this, but can't say I'm surprised.

Personally, I'm still happy with Fastmail, which uses customer subscriptions fees to fund a professional support department, as well as contributing to email-related FOSS. (Among other things, obviously.)

Fastmail's UI is just faster too.
I actually enjoy watching it tender at light speed!
It's too bad their app doesn't have offline support. I use that feature of Gmail app a lot
On iOS and macOS I just use the standard Mail.app. Works well and even push notifications work.
IME, that's my biggest complaint. Even plain text emails take 2+ seconds to load.
Somethings wrong or suboptimal for you. Just tested this in the middle of the US with some messages from years ago to make sure they weren't cached and it was like 2-3 tenths of a second.
Do they offer an api?
You mean IMAP and SMTP protocols, right?
I mean an api like mailgun
That's more for sending email. There's two APIs for sending: SMTP and JMAP. Both work completely fine, and have the same overall sending rate limits.

We (Fastmail) are set up for human-to-human emails rather than bulk mailing, so if you try to do bulk mailing you're likely to hit limits and possibly terms of service issues - if you're trying to do the kind of thing that people use mailgun for, then I'd recommend using something like mailgun instead!

Have you used Fastmail's support?
Yes. It’s great!
Good to hear. I’ve been with them for a few years and support was one of the reasons I moved over from Gmail but I’ve never actually needed it.
I tried it, they are responsive and helpful.

A bug I reported is actually sent to the development team, and it's fixed. It took 5 weeks, though.

Hah, I had a bug/request for clarification (their rewriting of media queries), it got escalated 2 times to the dev team, and it took 2 or 3 weeks to get that answer :D

Had one other contact that was handled by normal support, that was just a day.

I have, yes, and the response was swift and helpful!
Yes - it was almost instantaneous, super helpful.
Last week's news gave a lot of people the nudge they needed to finally migrate away from their legacy free GSuite accounts to something more reliable.
Can I ask which news? I'm already a happy Fastmail customer, just curious.
This [1] Neat fact, Google is yet to tell me they are making this change to my account.

[1] https://arstechnica.com/gadgets/2022/01/google-tells-free-g-...

Yeah, I haven't gotten the official notification yet either. Maybe going in waves?
I disabled the GMail service in my GSuite account, will they honor the domain's current MX records? Because I know they don't for calendar invites.
Not that anyone will likely see this, but I just now finally got my notice from Google about this change.
Same. Has anyone heard of anyone who HAS gotten a notification?
Same here but I pre-emptively moved everything to Fastmail (coincidentally) anyway, was the nudge I needed to finally drop the last of my Google services
Wait what? This is the first I've heard of it. Bad timing.
Yep. I've been a Fastmail customer for a while with a couple of my own personal accounts, but our family e-mail domain was a legacy GSuite account. I'd get pushback from my brothers when I'd suggest we switched to a paid service, because they didn't want to pony up for email accounts for their kids. Cheapskates :). But now Google is forcing the issue, and Fastmail is cheaper. And they have a $3/month account which is good for the kids who don't get tons of email.
I'm also a happy customer of Fastmail. Can recommend.
I'm still a happy Fastmail customer after around 17 years.
Fastmail looks great, but having "Get the email features you need, without giving up your privacy" and "Your data is always private" at the top of their homepage while knowing full well that is far from the case[0,1] seems disingenuous.

[0] FastMail loses customers, faces calls to move over anti-encryption laws https://www.itnews.com.au/news/fastmail-loses-customers-face...

[1] Goodbye FastMail https://www.ctrl.blog/entry/goodbye-fastmail.html

Fastmail is not a zero-knowledge service. Unless I'm missing something, anti-encryption laws seem to be irrelevant, since they don't really change the position at all.

I suppose hypothetically if Fastmail was a zero-knowledge service that law might mean they need to break it, but it's not a zero-knowledge service so the issue doesn't arise.

You're going to be hard pressed to find a service provider which ignores valid warrants. Such a service provider would need to either operate unlawfully, or not hold the information (ie be zero-knowledge).

Even Protonmail, the bastion of email privacy, has supplied the IP address of a user in the face of a warrant.[0]

[0] https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...

You are never safe from these shenanigans, not in Switzerland and not in Germany.

If you absolutely must have email out of the hands of low to mid grade government entities you need to implement the technical solutions yourself. If you want more, just forget it, if they want your mail they'll just get it at your endpoint anyway.

(also, "most email is unencrypted in transit" is a very out of date take, I've checked all correspondence I've had with medical practicioners in the past 2 years, and all where at least TLS 1.2 on the transport, close to half 1.3 - and i was sent around quite a lot last year)

> If you absolutely must have email out of the hands of low to mid grade government entities you need to implement the technical solutions yourself.

Very off-topic, but this is exactly the most important and consistently underappreciated angle to the Hillary Clinton email server scandal. She deliberately designed her team's communications infrastructure to be maximally resistant to legal process.

I don't want to make this political, it just bugs me that media coverage--regardless of political slant--always seems focused on irrelevant details and ignores what (arguably) makes it an actual scandal.

I'm not expecting government-resistance from any third-party service.
I moved my email to Fastmail this week in the wake of the Google Apps announcement. Having your own domain is great since your email becomes provider-agnostic. While Fastmail had a great import tool, I could have transferred my Gmail myself from backups. I'll be ready to do the same if Fastmail goes under or is no longer competitive.
I've heard this from a several posts this week. Genuine question: since maintaining GSuite is expect to cost $6/user/month and Fastmail costs $5/user/month, do you really find the $1/user/month in savings worth the trouble of moving email providers and losing Drive/Docs etc.?

I'm planning a move too, but Fastmail's price doesn't strike me as competitive enough compared to Google's price. Amazon WorkMail is $4/user/month and Rackspace Email is $3/user/month.

Fastmail is doing only email and has been doing it for a long time. I simply trust them more to care for their users and for me it is worth the price.
There's going to be a lot of hassle, but I'm planning to move many of the Google services to old Gmail accounts. To some extent it's more of a justification to reduce reliance on Google. When running the numbers I was initially confused about the pricing for Gsuite and thought "standard" was the lowest tier ($10/month/user), so it's not the most strategic decision price-wise.
I moved my family to Fastmail a couple months ago and it’s been wonderful. Never knew I wanted “shared contacts”, but it’s the best feature ever. Once I figured out it existed, I spent a couple days making really good cards for family members and family friends, and all that work is shared with the whole family.
(comment deleted)
I too have used Fastmail for over a year now, but I do wish they would add a few much needed features.
Would you mind sharing which features are missing that you miss?
- A phone app that can handle being offline. (the biggest issue IMO)

- I want better parsing of dates, so I can click on them, and add to my calendar.

- The calendar needs to be able to show more than one timezone at the same time.

- Have a way to create a secondary icon on your phone to go to the calendar. (You have to click multiple buttons)

- An iOS calendar widget would also be great.

Had this. It was telling me to try again 'later'. Ok, i did 'try later' every day for three weeks, and they didn't let me in. Using the very same IP address as I used to always access it, no less.

Then, I gave up, moved all my services to another email account, and after 2 or 3 months tried logging in, and it suddenly allowed me to log in.

Needless to say, I will never again use gmail for critically important things.

> Needless to say, I will never again use gmail for critically important things.

That's a hot take. If it was critically important, you'd have 2FA and a recovery phone number associated with it - which would have prevented you from getting stuck in a trust-fail situation to begin with.

Use whatever service you want, but your takeaway from this situation is a bit absurd.

Edit to add: I'm not saying Google's algorithm is perfect here, but relying on heuristic voodoo ("I use the same IP, so I should be fine") for "critically important things" instead of using well-established means of securing access to critically important things (e.g. 2FA, backup mobile number) is a bit insane.

Something can be critically important for a person to access on-demand and not be something they’re especially concerned about an attacker accessing. Two completely unrelated dimensions of access needs.
They are not mutually exclusive. An attacker accessing a service can hinder or even completely stop your ability to access that service (i.e. change your password).
Or do things that trigger the provider to force you to change your password.

See: Apple ID, where failed password attempts (by anyone) causes Apple to force users to change their known password.

With Google’s nonexistent customer service I’d be afraid of being locked out for any arbitrary reason and having no recourse no matter what recovery procedures I prepared for.

Contrast that to my bank where I can go to the branch, show ID, and get problems logging in resolved.

I personally had a great experience with google support when I once stupidly locked myself out of my account. The whole thing was resolved in about 3 days.

However, google customer service is definitely erratic since loads of other people have had bad experiences. The best thing to do if you're using Gmail is to enable 2fa and backup the recovery codes offline and somewhere safe. This could probably get you into your account without needing to talk to support.

I have never heard of anyone anywhere ever being able to access Google support once they were locked out -- you need to be logged in to access what little tech support they offer.
"With Google’s nonexistent customer service"

Quite. If you play the game then all is well but if you don't then you are given very short shrift and no recourse to a higher power or anything at all.

There is very little oversight. If you fall afoul of the "algorithm" or whatever bollocks is running the show, then you have to fall back on calling them out on the socials. Get enough traction on that and lo: "soz, lol, we failed here but your <whatevs> is important to us ... in this case ... etc ..."

A plug from a very satisfied customer: I pay $5/month for Fastmail. I've emailed support before and reached a human within hours. They helped me with my problem, because it was their job and I'm paying them to do it.

Email is too important to rely on a free service which has a history of shutting people out, at any time, for any reason.

Ditto.

I'm a satisfied Fastmail paying user for years

Reasonably confident one of my support tickets even got answered by the CEO once. They're a shockingly human-focused company.
Yeah, likely - I've answered a few tickets here and there :)
So happy to see this. I've started the transition of my 25-year-old .org domain from Gsuite legacy to you tonight :)
That's really cool! I'm just now migrating my Gmail-led life (15 years) to Fastmail, and it has been great so far.
Yep, Fastmail is great. Google cannot be trusted. With google you are the product, not the customer. The Fastmail service and features are better than gmail as well.
Just wanted to +1 this. I've been a happy customer of Fastmail since ~2013, never had a single issue, great service
> never had a single issue

Fastmail was blown offline by a couple of DDoS attacks recently. Both of them impacted my ability to access Fastmail, but I suppose you didn't happen to try to access your account during those attacks.

Still the problem with Fastmail is the same as with Google. Leaning on 3rd party service that you have no control of. There are so many things that could go wrong there, they can be hacked, go bankrupt, closed by authorities, insided. Everyone should have an appropriate personal disaster recovery plan that includes stuff like recovering from loss of service supplier.
This is a false equivalence.

Life on a crowded planet depends on third parties; choosing vendors well is a critical life skill.

Fastmail have a long-standing reputation for treating customers right; certainly not a reputation google shares.

Well, there's always a risk profile no matter what you do. But the risk profile with a company that's obsessed with AI and doesn't believe in having any customer support is much higher than one that you pay and has very good customer support.
Fastmail has been extremely responsive to any random minor issues that have cropped up for me or the several people I got to transition to their service over the last 7 years.
If you have your own domain it doesn't matter much. You can always move your domain to a better host.
I prepay for the 3-year package and it comes out to $3/mo or something. I'm not going to stop using email, and Fastmail is fantastic so I'm not going to switch away, so it's worth prepaying.
What do you do if Google buys Fastmail?
Switch to something else ASAP.
Fastmail is Australian. That is a nonstarter if you want any amount of privacy.
FYI, google has customer service if you're paying them. I pay $6 a month for gsuite. I've contacted customer service 3 times. Got them instantly.
They're supposed to have paid customer service for non-business users too if you pay for Google One, no idea how effective that is.
I was wondering that as well because I have Google One. When I go to the support page it claims 24/7 support for phone and chat in 2-3 minutes and e-mail support within 24 hours.
I have no idea what Google One is, but I get that level of support for the $12/month I pay them for Google Suite and have had great support experiences multiple times over the past decade.
I've read stories here on HN about non-existent Google customer support from people who worked at companies that were paying Google millions.
I live in a third world country on little island in the middle of the Pacific Ocean, yet have had Google respond within minutes every time I've had an issue (multiple times over the past decade). They have provided support both by phone and chat. I pay them 2 figures a month.
+1 on this. I’ve actually had them call me back proactively multiple times on a simple case too. Obviously it’s all anecdotal. But I have been happy with them (when paid)
If you have a Pixel, there's also chat + phone support in the help menu, though I'm not sure whether they handle account issues. (I used it a couple times because of, you guessed it, hardware issues)
"With Google’s nonexistent customer service..."

What's needed is enough of these cases to bring a class action against Google.

It's over a decade since I've used a Google account and I was similarly ignored even back then.

I have a few thousand dollars I earned with Adsense a bunch of years ago. They suspended my account and prevented me from getting the money. Every now and then I get a letter from some auditor that says I can claim the money. Just need to login to my google account. Needless to say google customer service hasn’t helped. Definitely need some class action suits to change their behavior, and I hate class action suits.
Exactly. But don't hold your breath waiting.
(comment deleted)
Actually, I specifically declined setting up a recovery phone number because I accessed it from the location where receiving codes would be impossible on my phones. I always accessed it from the same IP using my own VPN server, entered the correct password, and still Google decided that they are 'not sure that it is not really me, try again later'. No thanks.
What about downloaded back up codes ? Phone push approval? U2f key? Authenticator app? Can't imagine complaining about being shut out if you didn't have at least one or all of these set up. Google even nags you about setting these up.
Why can't you imagine that? This gatekeeping you're doing is rude and doesn't make sense. 2FA's very purpose is to increase shut outs when enabled.
It might be 2FA's very purpose, but I've found that a 2FA-less account is a lot more distrusting of logins. Some of my relatives don't have 2FA set up and they got more "verify it's really you" prompts compared to my personal MFA'd account.
Because Google is abusing the concept.
I have 2FA and a recovery email on my Gmail account, yet I have run into this issue. If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code. Only after you finally get back in do you find an email in your inbox explaining that the correct code was entered, but Google blocked it because it was suspicious.

This happens to me from time to time, and the only way I can get back in is through Android. I keep an Android phone on hand at all times for this very reason.

Don’t blame the human for inadequate preparation; I assure you, no amount of preparation will save you from Google’s AI.

Microsoft & Zoho Mail does the same, and when they do it, they also revoke all of your app specific password for good measure, so SMTP is a toast too.
If you're entering a code, the 2FA method you're using is still susceptible to mitm-style phishing attacks, which is what this kind of location based check is securing against. You'd need a push notification or yubikey based 2fa check to get the same level of security.
AIUI, they do send push notifications if you happen to have a mobile device that's logged in to the same account. Maybe they should do the same for the "suspicious login to an unused 'secondary' account" scenario? They're already sending "recovery" emails, so it wouldn't be that big of a change.
I have several YubiKeys linked to my account. It will decline those as well. It demands that I sign in from Android sometimes, seemingly for no reason.
That's especially weird. I've had Google decline TOTP/Google Authenticator and SMS one time when I was troubleshooting a OAuth issue, but declining U2F? Are you logging in from various different VPN servers daily, or just through the same few ISPs?
No VPNs, just my home network with an IP address that rarely changes. What seems to throw it off is when I log in from "conflicting" platforms, particularly iOS + Android. I also have multiple iPhones for work, and it very much dislikes that.

When it gets in this state, nothing will work besides going to g.co/sc on Android--it can't be any other platform, regardless of how long I've had the device--and approving the code request there. If I approve it from any other device, even with a YubiKey, it'll give me a code on g.co/sc, but I'll be told it's invalid and I'll get one of those emails telling me the code was correct but declined due to suspicious activity.

I appreciate the attention to security, but c'mon, it's a YubiKey, and I'm logging in from my usual residential location.

If we reason from good faith and consider that this is intentional and not a bug, have you considered that Google did not implement "blocking suspicious 2FA" just to mess with you?

That perhaps this deals with a very real threat? Google has no incentive to make it difficult for you to log in, it's the exact opposite.

It’s definitely a point that should be made. Typical TOTP tokens are weak MFA in takeover scenarios. Especially considering that people have a bad habit of syncing them between devices.

What a lot of the grumpy posters here probably aren’t mentioning is that many ate probably doing high risk signal stuff like running through public VPNs. Google and Microsoft know a lot about what you are doing and what scammers do. They score risk accordingly.

I agree to some extent, but also consider that whoever designed this may not be as intelligent or as widely experienced in certain matters as is necessary for the real world.
The problem is not really that they do it, but that they don't adequately inform users about this risk and that they fail to offer proper support and alternatives when it gets triggered. If they offered proper support a whole lot of the user despair and anger would disappear.
I have no doubt it deals with a real threat. That doesn’t change the fact that I’m regularly unable to log into my Google account.

Usually it happens when I’m using multiple devices simultaneously—for example, Android and iOS. It’s understandable that Google considers that to be suspicious, but if Google isn’t going to learn on its own, there needs to be some way for me to confirm that nothing is amiss. It’ll ignore everything from TOTP codes to YubiKeys.

I have an opposite anecdote: I moved to iOS but kept my (4-year-old) Android device active, and now I basically hop between a few iOS devices (but just one iPhone) and a Pixel 2 regularly. The only account that appears to dislike that is my work Microsoft 365 account that demanded I reauth all devices a couple times.

Not saying it's not true (I believe you), just that it's not designed to be a suspicious case, at least.

I think we need to quit calling it AI, and instead call it AS: Actual Stupidity
Some time ago I used to run a userscript which replaced all occurrences of "Artificial Intelligence" and "AI" with "Artificial Idiocy". Added some charm to buzzword-heavy press releases :D.
Agreed. The moment we allow AI to take the blame for irresponsible decisions made by the humans who designed and maintain said AI, is the moment we stop holding people accountable for real damage done.

Account lockouts are bad enough, but more serious things driven by AI are bound to reveal their fallibility. I sincerely hope tech workers have the integrity to take responsibility, judging by the current political climate and its participants' willingness to venture into thinking (surrounding the value of human life, among other things) that was considered taboo not long ago.

The moral and practical capacities of AI will reflect the limits of those designing them, at best.

This is an incredibly harsh and naive take. Authenticating logins at scale is an incredibly hard problem. There are tons of phishing campaigns and attackers seeking to get access to Google accounts all the time.

That they sometimes get it wrong sucks, but calling their attempts to do so "actual stupidity" is pretty rude.

> If Google thinks something is suspicious, it will decline your 2FA codes and recovery attempts—it will just tell you that you entered the wrong code.

Seriously! What! The! Hell!

I too have thought before that having 2FA (and linking a phone number, which I hate to do) would avoid tripping in such situations and that the systems would consider a different situation (like a different IP address/location, a different browser) as reliable enough with 2FA. But this irks me a lot.

I don’t really use Gmail much and have other paid alternatives, but I have some old stuff that may be mildly inconvenient if I were to lose them. Need to download the data and dump these accounts.

(comment deleted)
I do wonder how many people will be locked out of their lives when they change phone numbers. 2FA across the industry seems to have rolled out this critical dependency without drawing enough (IMHO) awareness.
The only way to avoid getting into a trust-fail situation with Google is to be completely signed into it at all times so they can monitor you 24/7.
You didn’t understand the story. It’s google that’s using heuristic voodoo for critical things.
My solution is, buy your own domain. It's cheap and it will cost you only 20$ a year or something like that. I'm not saying run your own email service (I do, but I recognize that it's complex and not worth for most people), but use a public email service (like also GMail) with your own domain.

That way at least if you no longer can access your account, or you get banned, or whatever, you don't loose your address (since you can just move to another provider).

Also, use an email client on your PC (such as Thunderbird) and configure it to keep a copy of all your emails locally (and possibly have the PC backed up). That way if you loose access to your account you don't loose access to your mail, that you can even upload again in the new provider server.

(comment deleted)
Not FUD, putting your eggs in the Google basket "considered harmful" - unless you pay (Gmail for your domain). I had a similar lockout but on my paid account, got fixed in about 48h. It's happened to like 10 other folk I know over the last 2-3 years
I don't know if it's FUD, but it's true. It happened to a person I know, and in her case, the resolution was "ask around until a friend of a friend of a friend of a friend works at Google".

She literally had to ask her friend, who asked me, I asked one of my friends to ask one of his friends who works at Google to put in an internal ticket. It was thankfully resolved quickly (she lost access to all her work materials), but the process is insane.

Use your own domain with Fastmail. Yesterday.

> It was thankfully resolved quickly (she lost access to all her work materials),

More than your own domain, BACKUPS.

Indeed, I only consider myself tangentially in the tech world, but I do have access to a private facebook group with many old co-workers and sometimes this sort of request will go out to current FB or Googlers. Inevitably some will complain that it's inappropriate and should go through official channels and others will point out that this back channel is often the only real resolution.
Google now have support, including phone and chat, via Google One ( basically if you pay for extra storage for Gmail/GDrive/Photos/etc.).
Interesting, I wonder if you can somehow pay after you're locked out.
I usually do use emails only on my own domains, but in this specific instance I wanted an account that could not be easily traced to me (nothing illegal, just some investigative activity), and this was how I've found out how erratic and merciless our new Google AI overlords are.
And if you don't run a local mail client like Thunderbird, make sure to take a Google Takeout backup as frequently as your threshold for losing recent mail. The backup of GMail includes all your mail in a standard .mbox format.
https://purelymail.com/ is cheap and great, albeit still in beta.
I looked at Purelyemail recently and it looked attractive for what it does and what it provides for a low price of $10 a year (compared to Fastmail and others, which can be quite expensive for more than one user/mailbox). But the fact that there’s just one person behind it makes me uncomfortable to consider it for any serious use. But that also probably works in favor of the low price.
I did this! Kind of. I bought a domain and was lucky enough to get in to a custom domain email (and more) service with a big company years ago when they had a free version.

Unfortunately... it was Google (so kind of hiring the wolf to care for my sheep, as it turns out).

And now they're cutting off all of us free tier folks. Which I can't fault them for, but still blame them for. Because I'm petty and entitled or whatever.

Same here and it's a massive problem because nearly all of my digital presence is associated with, not just that email address, but that Google account specifically.

I'll lose important things like my Google Voice number that I've had for a decade unless I pay for a business account.

You can port your number out. I'm working on doing that myself. I think Google charges like $3 for some reason to do it, but whatever.
Keep in mind you can port out a Google Voice number, also if you pay for Apple services domain hosting is free for iCloud+ users now, although you don’t get as many addresses.

It is very frustrating. I did a lot with Google Apps on that domain, and migrating that stuff out to a consumer account is a painful process.

Same situation here. Have you done the research yet to decide on a new service, or are you planning on starting to pay?

For me ideally I would like to move to something else (even paid) just because someday Google deciding to block me for whatever reason scares me quite a bit after having everything for the last decade attached to this account. I would like to export my emails, switch my domain to the new service, and import everything - but I have no idea how realistic that will be yet.

I switched to Apple's (paid) iCloud+(?) and it was entirely smooth, even though it was still in beta at the time (or alpha: the signup notification I got still had editorial comments in it).
Zoho has a free tier that allows a domain.
I've been working on this but my family is pretty hung up on Google Photos so we're migrating most things there trying to preserve as much as possible. We're doing Google One family. As much as Google has annoyed me with the change, the other options weren't any better (O365, iCloud+, random non-FAANG services)

I'm documenting everything here if you're interested:

https://github.com/marwatk/gsuite-to-gmail/#google-voice

Having had my primary Gmail account blocked twice in the last two months, apparently through VPN usage, I became sufficiently terrified to decide to start to move all my email to my own domain.

I adopted Fastmail for my domain email, and it has been a good experience (I do know that Fastmail is a five-eyes company with all the related issues around privacy, and I researched alternatives for several weeks, but I guess in the end I was willing to trade privacy for ease-of-use, uptime and various other factors).

Now I am looking into getting away from other Cloud-provided backups such as Prime Photos, iCloud, etc., moving to self-hosted NAS storage.

The only alternative I found to Fastmail that was somewhat competitive in terms of tech & security features and not one of those countries was mailbox.org but their webmail is not Fastmail's and Germany isn't far behind those 5.
I’ve been really happy with ProtonMail. I use their professional account with a catch-all email address on my domain, and I give each vendor I interact with their own dedicated email address (I.e. homedepot@mydomain.com, ticketmaster@mydomain.com, etc.)

It lets me track who is sharing my email address and gives me control over that (set up simple filter to automatically delete any email received at ticketmaster@mydomain.com when I start getting spam on it).

It’s been really effective - such a part of my day-to-day flow now I can’t go back.

The transition was pretty painless. I setup an email forward from gmail to my proton inbox using gmail@mydomain.com, every email I received at that address I’d go update my contact information with. After a bit, I was able to turn off the forwarding. Basically the classic strangulation pattern for microservice migrations applied to email.

That sounds pretty good. I do something similar but use POP and Thunderbird, which I'm looking to move away from. Does ProtonMail automatically set the From address when you start writing an email to a company you have a dedicated address for?
And be careful not to have your domain recovery procedure tied to the same email account that you might need to recover.
Or get a paid e-mail service where you can have support. I use Fastmail for this exact reason.
I agree with the advice to get your own domain, and then use a service to manage email for it. But don't use GSuite/Google Workspaces/whatever they're calling it now. Your Google account will be somewhat crippled and will be missing a bunch of features, because Google has just decided GSuite accounts should not have those features.

And you can't convert your account to a regular Google account. I really want to untangle all this, but there's no way to (for example) export your Google Photos sharing settings and import them into a new account. I have hundreds of GPhotos albums, with many of them shared with various people, and if I migrate to a new, regular Google account, I'll have to manually set up all those sharing settings again. And this is just one of many difficulties; I'm assuming I'll also lose all my Hangouts/Chat history as well, with no ability to import the old history.

But I'll be doing all this sometime soon, as Google has decided to finally pull the rug out from under those of us who signed up for GSuite when it was free (well, "Google Apps for Your Domain", as it was known back then), and will start charging later this year.

This is all incredibly frustrating, and the level of lock-in is pretty severe after more than a decade of having this account. If I could do it all over again, knowing what I know now, I would have created a Google account without GMail[0], using my email on my custom domain, and hosted my mail somewhere else. Though, admittedly, back when GMail was first a thing, webmail otherwise universally sucked.

[0] https://accounts.google.com/signupwithoutgmail?hl=en

Yea it is odd that not all Google accounts are the same.

My favorite is that I cannot migrate my Nest account to a Google account because it does not support Google Workspaces accounts. I use it with my own domain and it is my private Google account.

What features does GSuite lack?
Two that affect me: can't use it with Nest, can't buy family plan YouTube subs.
Family sharing of Youtube TV is another one.
I had this week to transfer a small account of 2.5GB between 2 google workspace accounts. All paid accounts. It took 3 days to transfer the 2.5GB account with Google's data migration process. Downloading and uploading the emails with Thunderbird would have taken maybe 3 hours at most.
>export your Google Photos sharing settings and import them into a new account. I have hundreds of GPhotos albums, with many of them shared with various people, and if I migrate to a new, regular Google account, I'll have to manually set up all those sharing settings again.

If you think this is bad you should check out iCloud. They're all as scummy as each other about locking in users so the friction to leave is sufficiently high.

> Google has decided to finally pull the rug out from under those of us who signed up for GSuite when it was free…and will start charging later this year.

Do you have a citation for this? I heard last year they were going to start charging for new accounts, but that since I set it up on my domain in 2008 I was grandfathered into the free plan indefinitely.

That's true about GSuite being crippled compared to Gmail, but I accepted that as the price to pay for having my main email use my own domain.
Won't work though, big email providers have made it a nightmare to run your own email.
The only problem is now you have to make sure you dont get your domain hijacked. This was the reason I went back to gmail (and outlook).
And what email address did you use, when registered your domain?
The issue with running your own domain is that it could be blacklisted by google (and Facebook) if you get hacked, and then you're fucked big time. I encountered that because of an outdated Wordpress. Domain was blacklisted everywhere on the internet. Luckily I didn't have email set up on it.
>Domain was blacklisted everywhere on the internet.

Well this is horrifying. Of course, not much worse than Google unilaterally and permanently banning a Gmail account.

I guess one potential downside is if you mess up and forget to renew the domain on time and some jerk (automated system) buys it up and tries to resell it for a ridiculously high price. Happened to me even on my firstnamelastname.com domain.
Honestly i really like Gmail as a client, but I've read too many Google horror stories over the years. Therefore I've always had this setup: own domain & mailbox at a trusty provider, and then just forwarding copies to a gmail account + sending via smtp

that way I've got the comfort of gmails features but always have a "real" mailbox to fall back to if anything happens

This is exactly my experience too. My Google accounts just randomly decide to stop working from time to time, and if I no longer have the same phone number that I did before (or if I'm traveling overseas and cannot get a "confirmation call"), there is no way at all to get in. Usually after a mysterious and unexplained period of time, my account gets un-flagged again and I can log in as per normal.

The first time this happened I completely lost all access to my Google account. I transferred all of my important email correspondence over to a Microsoft account and I have never looked back. Unfortunately I still need to maintain another Google account for my phone (Android) to work properly, so there are times I still get bitten by it. It's absolutely infuriating when you get a new phone and specifically need to log in with your Google account to be able to do anything, that's exactly the time Google blocks you from being able to get into your account, because it's apparently detected the new phone and decided you're a hacker.

This also happens to me regularly with PayPal, almost always when I am traveling overseas, at exactly the moments that I really need PayPal to work so I can pay for something related to my travel. It's so annoying. Tech support never, ever solve the problem. All you can do is wait and try again later until magically it works. Sometimes weeks later.

The only thing I can say for certain is to never try log into your account over open wifi or over a VPN connection, because somehow Google (and PayPal) seem to flag that as a hack attempt no matter how many times you correctly confirm your identity. And once you've been flagged once, your account gets caught in some kind of loop where even after you get back onto an apparently blessed IP address, you're still locked out for some unspecified period.

I just ran into this yesterday. Tried to log into Paypal and forgot my pwd. I tried to reset it using the "Forgot password?" link. I entered my email address, and the response was "Sorry, we couldn’t confirm it’s you".

They won't let me reset my password.

I just ran into this yesterday. Tried to log into Paypal and forgot my pwd. I tried to reset it using the "Forgot password?" link. I entered my email address, and the response was "Sorry, we couldn’t confirm it’s you".

They won't let me reset my password.

Having a VPN back to your home IP really helps with the overseas logins in my experience. If it doesn't work turn on the VPN and it sees you coming from a 'trusted' IP and you're set.

The fact that I've had to learn this through trial & error and spend time & money setting up a personal VPN host is crazy.

Yeah this sounds like utter bullshit to me. What if you're travelling, all your devices get stolen, and you're logging in from a public computer or friend's computer to contact your family?

This is mindblowingly idiotic. Do they have such a bad vacation policy for their employees that not a single ONE of their engineering managers has experienced the above? Do they just sit in front of their desks for 365 days a year and never leave their country borders?

My guess is they get defrauded more often.

The scenario you present is a really obvious risk as phone thieves often compromise those devices.

No, I think it's a huge risk to be stuck somewhere these days without any means of contacting your family or getting emergency money sent to you. Especially if you're in a place that's politically unstable or where helping strangers isn't the norm.

One of these days someone will not be able to get their heart medications or a flight home because of this damn Gmail policy.

It's definitely more complicated than that. I travel a lot, sometimes to places where borders are dotted lines, cities use a script I can't read, but every hill is "charlie-5" or somesutch... VPNs, public terminals, government networks on .mil.<country> domains, etc.

I have been quite impressed with the improvement they've made in the last year or so regarding these locks. It's probably a sudden change when you've been more predictable before that gets flagged.

Only trouble I sometimes run into is Google Search (or Books?) locking me out with increasingly difficult captchas if you keep running searches for 18 hours straight.

Not just Google, I'm regularly locked out of banks, state resources, and all kinds of other shit because of various combinations of bad decisions producing toxic login flows.

One of my personal favorites -- a bank automatically associated phone numbers you called them from to the account, and later they forced SMS 2FA onto the account regardless of any other security you had in place (and of course made the common mistake of allowing account takeovers with JUST that 2FA and a username). Those automatically registered numbers weren't exempted.

If they need only SMS for a takeover, it's 1fa, not 2fa.
I make a habit of

1. Forwarding everything to my free tier google apps for business on my domain

2. Annually logging into my throwaways. it seems if i login to them once a year from home, they dont pull this.

3. do NOT attempt to login to my throwaways from a proxies connection (SSH/SOCKS on a VPS or something like that, which i frequently use at work)

> my free tier google apps for business on my domain

your habits are going to have to change soon...

Yeah....its unfortunate.

Currently I may just pay the cost. Or move to a more privacy focused service like ProtonMail and at least give my money to a place I support.

Had the same thing happen to me, I know the password, have access to the recovery email but Google won't let me login. Spent months in a support thread with Google and eventually gave up. Still really bummed about it tbh
I just accepted I can't get to that account anymore...
So in theory if someone was to ever accidentally or intentionally reset the location info for where all gmail accounts have logged in from, then effectively everyone would be unable to access their gmail account?
If that were to happen it would take about 5 minutes until this security feature would be deactivated.
If it happens to everyone then yes. But now imagine it happens to just you.
Worse, one day it just doesn't work.
Just out of curiosity, do you have two-factor authentication set up? Or the Gmail app on a mobile device? Or do you really just have the recovery account?
I always use the 2FA and whatever happens it seems to allow me back in. I would think this happens with a phone number too.
That doesn't help OP now, but I found it helpful to enable 2FA with Google Authenticator, and keep emergency backup codes in a safe place. It's slightly more hassle, but there are less 'soft AI' barriers between you and your successful login.

I'd also suggest not to rely on a phone number as 2nd factor, it's not that super safe.

I'd suggest not to rely on google for anything you wouldn't want to lose.
2022 me agrees with you, but 2003 me getting an invite to GMail when it was a brand new service and essentially a completely different company with a different landscape didn't know better. Now I have nearly two decades of accounts and things tied to GMail =(
Google Takeout is a pretty nice service still. It's good to back up your accounts regularly.
Unfortunately Takeout doesn't really do anything to help with purchases.
I think the main problem with many people isn't so much the archive of email that they would lose from not using GMail anymore, it's the many years of accounts that are authenticated with it. There are literally hundreds of services I have that are registered to that e-mail address now.
I’d recommend a non-Google 2FA app. Microsoft has one, and Authy is popular. Personally I’m happy with OTP Auth. Some password managers can also handle 2FA, e.g. Strongbox.
Any particular reason?
1. In a thread about being locked out of google services because of AI black box, it makes sense to reduce dependence anywhere possible

2. If you get a new device, you need to un-enrol and re-enrol in all 2fa providers with g authenticator - it's a nightmare. Very hard if the old device got fatally dropped in a pool! I know at least with Authy you can carry the tokens to a new device.

I just want to chip in and say that 2. can be helped somewhat by having a second device (maybe old smartphone on wifi) that you export all authenticator keys to. Stick the old phone in a safe and make sure it's still working every so often (2x/year?)

This is relatively new - a few years ago Authenticator did not support this.

Oh, and make sure before you use the emergency device, time is synced - codes won't work otherwise.

> This is relatively new - a few years ago Authenticator did not support this.

Thanks, this was around when my device went for a swim.

Aside from the other reasons cited, at least once in the past Google replaced Authenticator with a new app and I had to re-configure all of my 2FA from scratch to transfer over. Deeply untrustworthy, it's already bad enough having to reconfigure 2FA when I get a new phone without them forcing me to do it again.

I use Authy these days.

https://android.stackexchange.com/questions/20899/why-does-t...

I'd recommend andOTP here as it is open source and not tied to any company that's trying to sell you anything.
Seconding andOTP[1] or Aegis,[2] if you're looking for an Android app that only handles OTP authentication. Both of these apps allow file-based import/export so that you can back up your codes and restore them elsewhere, no proprietary cloud service needed.

[1] https://github.com/andOTP/andOTP

[2] https://getaegis.app/

I'm not impressed with Authy's privacy policy, especially this part which mirrors the Google issues:[3]

> We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.

Authy also collects and shares more of your private information than most OTP apps:[3]

> When you use our app we collect: Your phone number, device information, and email address.

> We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.

> Your information will be transferred to the U.S.

[3] https://www.twilio.com/legal/privacy/authy

FreeOTP, PIN Genie Vault are two OTP authenticator that has zero access to your phone and zero data sent back to them.

my fall-back is Microsoft Authenticator.

1Password has had really nice 2FA support for years now
Would be good but on my accounts which didn't have 2FA, they seemed to have removed Authenticator as an option: only phone numbers available now.
You still can if you muck around with the dark-UX flow.
Easily the most straightforward recommendation possible. Thank you.

HN outrage at Kafkaesque account lock-outs makes me imagine bureaucrats complaining about an approval requirement they themselves created. It is frustrating and I know data loss can be devastating. If people in the tech community individually follow basic security procedures, that helps us further discover pain points in the work toward better security. Who better to have to deal with these problems than people who focus on leveraging effort?

> 2FA with Google Authenticator

I just wanted to recommend Aegis as an alternative to Google Authenticator. It allows backing up codes to an encrypted (password protected) file. Plus it's FOSS.

I use 1password as an Authenticator replacement, which saves time when logging in.
I hope you're not storing your passwords in there too
Bitwarden ($10/year Premium Bitwarden plan[1] or self-hosted Vaultwarden[2]) and KeePass[3] are also password managers that support TOTP authentication. They are open source and less expensive than 1Password.

A single password manager should only be used to store TOTP secrets alongside passwords if you're comfortable with both of them being accessed from the same devices. It's possible to store your TOTP secrets in a Bitwarden account or a KeePass file, and your passwords in another account or file, hosted/stored in different locations.

[1] https://bitwarden.com/pricing/business/

[2] https://github.com/dani-garcia/vaultwarden

[3] https://keepass.info/download.html

> enable 2FA with Google Authenticator [...] also suggest not to rely on a phone number as 2nd factor

Well, I have my PayPal account set up with a strong unique password and 2FA via an authenticator app. Recently installed the PayPal app on my smartphone, and it asked for CAPTCHA, password, 2FA token, and then additionally SMS to an old phone number I still had on file. How does it make sense to ask for 3 factors? At any rate, I logged in on the computer and updated the phone number. Still wouldn't let me log in on the smartphone, needed to contact customer support.

Look, I understand that many people choose bad passwords and they get pawned and all, and I'm glad that the providers are a bit smarter and use other factors (cookies, IP, phone number...), but it really penalises security and privacy conscious users. If you use strong passwords and 2FA, but use VPNs, switch phone numbers, clear cookies, etc., you get flagged and locked out. Very annoying.

I'm having a hard time getting my head wrapped around the idea of relying on Gmail (or any other online identity provider) without enabling 2-factor authentication. The best way to avoid this kind of "AI hell" is just to take control of your own account security and set up some additional factors.
Google will still lock you out with 2fa. It’s pretty bad
Even with a FIDO2/U2F/WebAuthn key?

If so, yeah that's pretty bad..

Yeah I got locked out dispite having printed codes and authy setup. Lasted a day or so
That's a scary thought, being locked out of a primary email address despite taking security seriously.

I currently have it secured with my backup codes (printed and stored in a secure location), as well as two Yubikey (one primary, one backup).

I'd be seriously angry if Google locked me out of my account.

Recently i wanted to setup a shared gmail account with some people.

Even with 2FA setup, correct password correct TOTP, it did not let them in because it was suspicious. I also checked "it was me" in all their security alerts. It would only let the person in with sms based 2fa, which was a pain.

Except Google does not honor the recovery account. Even with access to the recovery code, Gmail just ignores it.
For some people, anonymity of use has a higher priority.

I've largely given up on personal use of email, full stop.

Have had an account since the 1980s.

One of the main reasons why I don't want to activate 2FA in my Google account is precisely because while I don't have highly sensitive data in that account, I do have lots of convenient things that I need in a day-to-day basis, so I wouldn't want to be locked out of my account. And 2FA provides more ways in which this can happen (for example, the smartphone with the authenticator program breaks). So now the option is either having the risk of being locked out because of 2FA, or having the risk of being locked out because of the AI being "angry" at us for not activating 2FA?
> for example, the smartphone with the authenticator program breaks

There are 3rd party authenticator apps (not Google Authenticator, though) that will allow you to seamlessly back up and restore the 2nd authentication factor, even to a different device. Ideally, it then becomes no less convenient than a password.

Unless you have an older account, rarely used except to forward email to another address, and google unilaterally decides to lock you out without telling you they're changing their policy. Apparently the big google brain decided somebody other than myself guessed my 40 random char password. I've long decided I will never be able to login to my gmail account.

I forget now why I was originally trying to login. I may have been trying to setup 2fa even. Not gonna happen now.

Oh god, have you had the M.C. Escher-esque experience of trying to sign in to an email account, and it hits you with a two-factor-auth prompt that sent the code to another email address?

Imagine the insanity if the email account that received the code in turn asks for a code sent a code to the first one.

Having 2 logins is still 1 factor, the situation is not insanity it's the designed intent of MFA you shouldn't get access in that scenario.
(comment deleted)
I had this exact same problem... I was logging in on the same IP address I've used for 10 years

I only managed to solve it by digging out an old phone that was still signed into the Google account... if I had factory reset that then I suspect I would have lost it forever

this experience is one of the many reasons I've dumped Google wherever possible

Yep, have had that issue for over a year now, I am completely unable to access my old gmail account despite having the password, recovery email and everything else.

Just says "you can’t sign in" and that's it: https://i.imgur.com/4YrElkJ.png

Try using a VPN to log in from the location you last used the account
Logging in from a known VPN IP will likely flag the activity as even MORE suspicious from Google's AI's POV.
That has not been my experience. I was able to recover two google accounts by using a VPN
Perhaps a better alternative than VPN (given it may look suspicious) would be to spin up an $cloud instance at whatever location and using a SOCKS proxy.

I used to do this back in the day to augment my Netflix selection.

This is no better. All the big cloud providers have their CIDR ranges published
Not sure why you're downvoted. Setting up VPN on my home router and using that VPN on my next travel will be the first thing I'll do prepping for a vacation. Using VPN is a right solution.

All the geo-IP nonsense is absolutely crazy, including these random login blocks and "security" checks. You also get UI reset to languages you don't understand, because no, websites can't use the language you set in your browser, they have to use some geo-IP nonsense to select a language (especially funny with IPv6). And there's no persistent switch if you use private mode, because they don't respect UA settings.

Once again this shows that we're at the mercy of the giant AI machine. For fear of having my data locked into Google, I migrated to my own domain and e-mail hosting elsewhere. I'm still at the mercy of the hosting and domain registrar at that point, but at least they have phone numbers I can call to get support and talk to a human.

Offline backups is a must at this point.

> at least they have phone numbers I can call to get support and talk to a human.

This is important. I've decided to move all of the services I care about to a paid platform with properly paid support staff. This whole 'get it for free!' crap with the tech companies is just too much risk. I make more than enough money, I can afford a few bucks for the things that matter. Gmail is an awful choice for something so critical as your primary email account.

It's especially annoying that you can't turn this nonsense off. I had this happen to me when I was abroad, obviously with no way to recover when I was abroad and I needed access to certain mails. Nice feature.
Some similar thing happen to me. Gmail login page says that I need to acknowledge that me is me and it forces me to change password... I occasionally get this message on screen when I change countries with VPN. I need to use VPN different countries because this is required by my work (development of streaming services). I get so much annoyed. Recently I spent Christmas in Norway (not the country of my origin) and that happened again. I had to access Gmail to check in the flight so I was forced to change the password. This is ridiculous!
If there is one Google service I'd happily pay 10 bucks a month for (given that they would then provide proper support), it'd be gmail.... It'd be a nightmare for any gmail user when suddenly their account is blocked for no particular reason. This post is reminding me to look for alternatives.
They're trying to deter you from using Gmail anonymously/as a burner email.
I think that's it. They might consider three use cases: 1. normal usage multiple times a day, 2. grandma using it once a month, but always from the same device at the same location, 3. people using as an anonymous/burner account (likely from a clean/incognito browser session, maybe using a VPN, without phone number on file, etc.)

With the current implementation, 1 and 2 still mostly works, and they don't care that they make it impossible/inconvenient for 3.

Try to login from a device that you used previously to login to other different accounts that you touched from the same device that was used to login previously.
Happened to my grandma, who have had the same address for over 10 years. Was quite the ordeal to have her change over to a new adress once we decided it was meaningless to hope to regain access.