Ask HN: Gmail account security
I have a gmail account that I rarely use, but I know the password. I enter it correctly and get the following message:
You’re trying to sign in on a device Google doesn’t recognize, and we don’t have enough information to verify that it’s you. For your protection, you can’t sign in here right now. Try again from a device or location where you’ve signed in before.
Even if I get the code from the recovery email account, it won't work. Is this the AI hell Google throws you into if you get a new phone and computer in the same year? Has anyone else on HN run into this and found a solution?
806 comments
[ 0.24 ms ] story [ 336 ms ] threadNow they're going to start charging me for that, I'm considering which non-google mail option I will choose instead, I've been sticking with gmail against all my privacy and ethical objections, because it works so well and is free. It's no longer going to be free soon, and I'm pretty sure their competitors work as well as they do (or very close to), so I can _finally_ get over the inertia that's made me feel _almost_ bad enough to leave gmail but not quite bad enough to pay money or do the work required. Right now, it looks like Fastmail or Protonmail are going to get my money.
If I happened to forget/lose all passwords (lost laptop, burned house etc.), I would probably need to deal with the hosting company who would try to identify me with my credit card or some other way (phone number, mailing a letter to my physical address on file). Nothing is absolutely secure but I think it is secure enough for me while I also have fair good chances to recover my lost access. I am not a big target to scammers anyway.
I hear that many accounts of celebrities get hacked and I wonder how? Apparently even with 2FA it is not that secure. Some countries let you order a replacement SIM quite easily and then it can get intercepted (maybe by stealing from mailbox or similarly). This appears to be a reason why google has been refusing access even with 2FA in place.
I still host my mail at home and am my own registrar. There are still human elements of course but I've minimized them to the extent that is currently feasible.
Personally, I'm still happy with Fastmail, which uses customer subscriptions fees to fund a professional support department, as well as contributing to email-related FOSS. (Among other things, obviously.)
https://fastmail.blog/open-technologies/jmap-new-email-open-...
We (Fastmail) are set up for human-to-human emails rather than bulk mailing, so if you try to do bulk mailing you're likely to hit limits and possibly terms of service issues - if you're trying to do the kind of thing that people use mailgun for, then I'd recommend using something like mailgun instead!
A bug I reported is actually sent to the development team, and it's fixed. It took 5 weeks, though.
Had one other contact that was handled by normal support, that was just a day.
[1] https://arstechnica.com/gadgets/2022/01/google-tells-free-g-...
People are pissed.
[0] FastMail loses customers, faces calls to move over anti-encryption laws https://www.itnews.com.au/news/fastmail-loses-customers-face...
[1] Goodbye FastMail https://www.ctrl.blog/entry/goodbye-fastmail.html
I suppose hypothetically if Fastmail was a zero-knowledge service that law might mean they need to break it, but it's not a zero-knowledge service so the issue doesn't arise.
You're going to be hard pressed to find a service provider which ignores valid warrants. Such a service provider would need to either operate unlawfully, or not hold the information (ie be zero-knowledge).
Even Protonmail, the bastion of email privacy, has supplied the IP address of a user in the face of a warrant.[0]
[0] https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
If you absolutely must have email out of the hands of low to mid grade government entities you need to implement the technical solutions yourself. If you want more, just forget it, if they want your mail they'll just get it at your endpoint anyway.
(also, "most email is unencrypted in transit" is a very out of date take, I've checked all correspondence I've had with medical practicioners in the past 2 years, and all where at least TLS 1.2 on the transport, close to half 1.3 - and i was sent around quite a lot last year)
Very off-topic, but this is exactly the most important and consistently underappreciated angle to the Hillary Clinton email server scandal. She deliberately designed her team's communications infrastructure to be maximally resistant to legal process.
I don't want to make this political, it just bugs me that media coverage--regardless of political slant--always seems focused on irrelevant details and ignores what (arguably) makes it an actual scandal.
I'm planning a move too, but Fastmail's price doesn't strike me as competitive enough compared to Google's price. Amazon WorkMail is $4/user/month and Rackspace Email is $3/user/month.
> Sharing contacts is an easy way to let all users in an account have access to common address book entries.
> Businesses can share their corporate directory easily. Families can share contact information of extended family members.
- I want better parsing of dates, so I can click on them, and add to my calendar.
- The calendar needs to be able to show more than one timezone at the same time.
- Have a way to create a secondary icon on your phone to go to the calendar. (You have to click multiple buttons)
- An iOS calendar widget would also be great.
Then, I gave up, moved all my services to another email account, and after 2 or 3 months tried logging in, and it suddenly allowed me to log in.
Needless to say, I will never again use gmail for critically important things.
That's a hot take. If it was critically important, you'd have 2FA and a recovery phone number associated with it - which would have prevented you from getting stuck in a trust-fail situation to begin with.
Use whatever service you want, but your takeaway from this situation is a bit absurd.
Edit to add: I'm not saying Google's algorithm is perfect here, but relying on heuristic voodoo ("I use the same IP, so I should be fine") for "critically important things" instead of using well-established means of securing access to critically important things (e.g. 2FA, backup mobile number) is a bit insane.
See: Apple ID, where failed password attempts (by anyone) causes Apple to force users to change their known password.
Contrast that to my bank where I can go to the branch, show ID, and get problems logging in resolved.
However, google customer service is definitely erratic since loads of other people have had bad experiences. The best thing to do if you're using Gmail is to enable 2fa and backup the recovery codes offline and somewhere safe. This could probably get you into your account without needing to talk to support.
Quite. If you play the game then all is well but if you don't then you are given very short shrift and no recourse to a higher power or anything at all.
There is very little oversight. If you fall afoul of the "algorithm" or whatever bollocks is running the show, then you have to fall back on calling them out on the socials. Get enough traction on that and lo: "soz, lol, we failed here but your <whatevs> is important to us ... in this case ... etc ..."
Email is too important to rely on a free service which has a history of shutting people out, at any time, for any reason.
I'm a satisfied Fastmail paying user for years
Fastmail was blown offline by a couple of DDoS attacks recently. Both of them impacted my ability to access Fastmail, but I suppose you didn't happen to try to access your account during those attacks.
Life on a crowded planet depends on third parties; choosing vendors well is a critical life skill.
Fastmail have a long-standing reputation for treating customers right; certainly not a reputation google shares.
What's needed is enough of these cases to bring a class action against Google.
It's over a decade since I've used a Google account and I was similarly ignored even back then.
This happens to me from time to time, and the only way I can get back in is through Android. I keep an Android phone on hand at all times for this very reason.
Don’t blame the human for inadequate preparation; I assure you, no amount of preparation will save you from Google’s AI.
When it gets in this state, nothing will work besides going to g.co/sc on Android--it can't be any other platform, regardless of how long I've had the device--and approving the code request there. If I approve it from any other device, even with a YubiKey, it'll give me a code on g.co/sc, but I'll be told it's invalid and I'll get one of those emails telling me the code was correct but declined due to suspicious activity.
I appreciate the attention to security, but c'mon, it's a YubiKey, and I'm logging in from my usual residential location.
That perhaps this deals with a very real threat? Google has no incentive to make it difficult for you to log in, it's the exact opposite.
What a lot of the grumpy posters here probably aren’t mentioning is that many ate probably doing high risk signal stuff like running through public VPNs. Google and Microsoft know a lot about what you are doing and what scammers do. They score risk accordingly.
Usually it happens when I’m using multiple devices simultaneously—for example, Android and iOS. It’s understandable that Google considers that to be suspicious, but if Google isn’t going to learn on its own, there needs to be some way for me to confirm that nothing is amiss. It’ll ignore everything from TOTP codes to YubiKeys.
Not saying it's not true (I believe you), just that it's not designed to be a suspicious case, at least.
Account lockouts are bad enough, but more serious things driven by AI are bound to reveal their fallibility. I sincerely hope tech workers have the integrity to take responsibility, judging by the current political climate and its participants' willingness to venture into thinking (surrounding the value of human life, among other things) that was considered taboo not long ago.
The moral and practical capacities of AI will reflect the limits of those designing them, at best.
That they sometimes get it wrong sucks, but calling their attempts to do so "actual stupidity" is pretty rude.
Seriously! What! The! Hell!
I too have thought before that having 2FA (and linking a phone number, which I hate to do) would avoid tripping in such situations and that the systems would consider a different situation (like a different IP address/location, a different browser) as reliable enough with 2FA. But this irks me a lot.
I don’t really use Gmail much and have other paid alternatives, but I have some old stuff that may be mildly inconvenient if I were to lose them. Need to download the data and dump these accounts.
That way at least if you no longer can access your account, or you get banned, or whatever, you don't loose your address (since you can just move to another provider).
Also, use an email client on your PC (such as Thunderbird) and configure it to keep a copy of all your emails locally (and possibly have the PC backed up). That way if you loose access to your account you don't loose access to your mail, that you can even upload again in the new provider server.
She literally had to ask her friend, who asked me, I asked one of my friends to ask one of his friends who works at Google to put in an internal ticket. It was thankfully resolved quickly (she lost access to all her work materials), but the process is insane.
Use your own domain with Fastmail. Yesterday.
More than your own domain, BACKUPS.
Unfortunately... it was Google (so kind of hiring the wolf to care for my sheep, as it turns out).
And now they're cutting off all of us free tier folks. Which I can't fault them for, but still blame them for. Because I'm petty and entitled or whatever.
I'll lose important things like my Google Voice number that I've had for a decade unless I pay for a business account.
It is very frustrating. I did a lot with Google Apps on that domain, and migrating that stuff out to a consumer account is a painful process.
https://github.com/marwatk/gsuite-to-gmail/#google-voice
For me ideally I would like to move to something else (even paid) just because someday Google deciding to block me for whatever reason scares me quite a bit after having everything for the last decade attached to this account. I would like to export my emails, switch my domain to the new service, and import everything - but I have no idea how realistic that will be yet.
I'm documenting everything here if you're interested:
https://github.com/marwatk/gsuite-to-gmail/#google-voice
I adopted Fastmail for my domain email, and it has been a good experience (I do know that Fastmail is a five-eyes company with all the related issues around privacy, and I researched alternatives for several weeks, but I guess in the end I was willing to trade privacy for ease-of-use, uptime and various other factors).
Now I am looking into getting away from other Cloud-provided backups such as Prime Photos, iCloud, etc., moving to self-hosted NAS storage.
It lets me track who is sharing my email address and gives me control over that (set up simple filter to automatically delete any email received at ticketmaster@mydomain.com when I start getting spam on it).
It’s been really effective - such a part of my day-to-day flow now I can’t go back.
The transition was pretty painless. I setup an email forward from gmail to my proton inbox using gmail@mydomain.com, every email I received at that address I’d go update my contact information with. After a bit, I was able to turn off the forwarding. Basically the classic strangulation pattern for microservice migrations applied to email.
And you can't convert your account to a regular Google account. I really want to untangle all this, but there's no way to (for example) export your Google Photos sharing settings and import them into a new account. I have hundreds of GPhotos albums, with many of them shared with various people, and if I migrate to a new, regular Google account, I'll have to manually set up all those sharing settings again. And this is just one of many difficulties; I'm assuming I'll also lose all my Hangouts/Chat history as well, with no ability to import the old history.
But I'll be doing all this sometime soon, as Google has decided to finally pull the rug out from under those of us who signed up for GSuite when it was free (well, "Google Apps for Your Domain", as it was known back then), and will start charging later this year.
This is all incredibly frustrating, and the level of lock-in is pretty severe after more than a decade of having this account. If I could do it all over again, knowing what I know now, I would have created a Google account without GMail[0], using my email on my custom domain, and hosted my mail somewhere else. Though, admittedly, back when GMail was first a thing, webmail otherwise universally sucked.
[0] https://accounts.google.com/signupwithoutgmail?hl=en
My favorite is that I cannot migrate my Nest account to a Google account because it does not support Google Workspaces accounts. I use it with my own domain and it is my private Google account.
If you think this is bad you should check out iCloud. They're all as scummy as each other about locking in users so the friction to leave is sufficiently high.
Do you have a citation for this? I heard last year they were going to start charging for new accounts, but that since I set it up on my domain in 2008 I was grandfathered into the free plan indefinitely.
https://news.ycombinator.com/item?id=29996432
Well this is horrifying. Of course, not much worse than Google unilaterally and permanently banning a Gmail account.
that way I've got the comfort of gmails features but always have a "real" mailbox to fall back to if anything happens
The first time this happened I completely lost all access to my Google account. I transferred all of my important email correspondence over to a Microsoft account and I have never looked back. Unfortunately I still need to maintain another Google account for my phone (Android) to work properly, so there are times I still get bitten by it. It's absolutely infuriating when you get a new phone and specifically need to log in with your Google account to be able to do anything, that's exactly the time Google blocks you from being able to get into your account, because it's apparently detected the new phone and decided you're a hacker.
This also happens to me regularly with PayPal, almost always when I am traveling overseas, at exactly the moments that I really need PayPal to work so I can pay for something related to my travel. It's so annoying. Tech support never, ever solve the problem. All you can do is wait and try again later until magically it works. Sometimes weeks later.
The only thing I can say for certain is to never try log into your account over open wifi or over a VPN connection, because somehow Google (and PayPal) seem to flag that as a hack attempt no matter how many times you correctly confirm your identity. And once you've been flagged once, your account gets caught in some kind of loop where even after you get back onto an apparently blessed IP address, you're still locked out for some unspecified period.
They won't let me reset my password.
They won't let me reset my password.
The fact that I've had to learn this through trial & error and spend time & money setting up a personal VPN host is crazy.
This is mindblowingly idiotic. Do they have such a bad vacation policy for their employees that not a single ONE of their engineering managers has experienced the above? Do they just sit in front of their desks for 365 days a year and never leave their country borders?
The scenario you present is a really obvious risk as phone thieves often compromise those devices.
One of these days someone will not be able to get their heart medications or a flight home because of this damn Gmail policy.
I have been quite impressed with the improvement they've made in the last year or so regarding these locks. It's probably a sudden change when you've been more predictable before that gets flagged.
Only trouble I sometimes run into is Google Search (or Books?) locking me out with increasingly difficult captchas if you keep running searches for 18 hours straight.
One of my personal favorites -- a bank automatically associated phone numbers you called them from to the account, and later they forced SMS 2FA onto the account regardless of any other security you had in place (and of course made the common mistake of allowing account takeovers with JUST that 2FA and a username). Those automatically registered numbers weren't exempted.
1. Forwarding everything to my free tier google apps for business on my domain
2. Annually logging into my throwaways. it seems if i login to them once a year from home, they dont pull this.
3. do NOT attempt to login to my throwaways from a proxies connection (SSH/SOCKS on a VPS or something like that, which i frequently use at work)
your habits are going to have to change soon...
Currently I may just pay the cost. Or move to a more privacy focused service like ProtonMail and at least give my money to a place I support.
One less risk to worry about.
I'd also suggest not to rely on a phone number as 2nd factor, it's not that super safe.
2. If you get a new device, you need to un-enrol and re-enrol in all 2fa providers with g authenticator - it's a nightmare. Very hard if the old device got fatally dropped in a pool! I know at least with Authy you can carry the tokens to a new device.
This is relatively new - a few years ago Authenticator did not support this.
Oh, and make sure before you use the emergency device, time is synced - codes won't work otherwise.
Thanks, this was around when my device went for a swim.
I use Authy these days.
https://android.stackexchange.com/questions/20899/why-does-t...
[1] https://github.com/andOTP/andOTP
[2] https://getaegis.app/
I'm not impressed with Authy's privacy policy, especially this part which mirrors the Google issues:[3]
> We use the information we gather from you to monitor for unusual or suspicious activity in your account, to communicate with you about your account, and as additional information that can be used to validate who you are if you need to recover your account or your account has been or may be compromised.
Authy also collects and shares more of your private information than most OTP apps:[3]
> When you use our app we collect: Your phone number, device information, and email address.
> We also share your information with our third party service providers as necessary for them to provide their services to us. We may also have to share your information with third parties if required to do so by law.
> Your information will be transferred to the U.S.
[3] https://www.twilio.com/legal/privacy/authy
my fall-back is Microsoft Authenticator.
HN outrage at Kafkaesque account lock-outs makes me imagine bureaucrats complaining about an approval requirement they themselves created. It is frustrating and I know data loss can be devastating. If people in the tech community individually follow basic security procedures, that helps us further discover pain points in the work toward better security. Who better to have to deal with these problems than people who focus on leveraging effort?
I just wanted to recommend Aegis as an alternative to Google Authenticator. It allows backing up codes to an encrypted (password protected) file. Plus it's FOSS.
A single password manager should only be used to store TOTP secrets alongside passwords if you're comfortable with both of them being accessed from the same devices. It's possible to store your TOTP secrets in a Bitwarden account or a KeePass file, and your passwords in another account or file, hosted/stored in different locations.
[1] https://bitwarden.com/pricing/business/
[2] https://github.com/dani-garcia/vaultwarden
[3] https://keepass.info/download.html
Well, I have my PayPal account set up with a strong unique password and 2FA via an authenticator app. Recently installed the PayPal app on my smartphone, and it asked for CAPTCHA, password, 2FA token, and then additionally SMS to an old phone number I still had on file. How does it make sense to ask for 3 factors? At any rate, I logged in on the computer and updated the phone number. Still wouldn't let me log in on the smartphone, needed to contact customer support.
Look, I understand that many people choose bad passwords and they get pawned and all, and I'm glad that the providers are a bit smarter and use other factors (cookies, IP, phone number...), but it really penalises security and privacy conscious users. If you use strong passwords and 2FA, but use VPNs, switch phone numbers, clear cookies, etc., you get flagged and locked out. Very annoying.
If so, yeah that's pretty bad..
I currently have it secured with my backup codes (printed and stored in a secure location), as well as two Yubikey (one primary, one backup).
I'd be seriously angry if Google locked me out of my account.
Even with 2FA setup, correct password correct TOTP, it did not let them in because it was suspicious. I also checked "it was me" in all their security alerts. It would only let the person in with sms based 2fa, which was a pain.
I've largely given up on personal use of email, full stop.
Have had an account since the 1980s.
There are 3rd party authenticator apps (not Google Authenticator, though) that will allow you to seamlessly back up and restore the 2nd authentication factor, even to a different device. Ideally, it then becomes no less convenient than a password.
I forget now why I was originally trying to login. I may have been trying to setup 2fa even. Not gonna happen now.
Imagine the insanity if the email account that received the code in turn asks for a code sent a code to the first one.
So far as I can tell, 2FA in a low touch environment means it is a matter of when not if you will be locked out without recourse.
I only managed to solve it by digging out an old phone that was still signed into the Google account... if I had factory reset that then I suspect I would have lost it forever
this experience is one of the many reasons I've dumped Google wherever possible
Just says "you can’t sign in" and that's it: https://i.imgur.com/4YrElkJ.png
I used to do this back in the day to augment my Netflix selection.
All the geo-IP nonsense is absolutely crazy, including these random login blocks and "security" checks. You also get UI reset to languages you don't understand, because no, websites can't use the language you set in your browser, they have to use some geo-IP nonsense to select a language (especially funny with IPv6). And there's no persistent switch if you use private mode, because they don't respect UA settings.
Offline backups is a must at this point.
This is important. I've decided to move all of the services I care about to a paid platform with properly paid support staff. This whole 'get it for free!' crap with the tech companies is just too much risk. I make more than enough money, I can afford a few bucks for the things that matter. Gmail is an awful choice for something so critical as your primary email account.
With the current implementation, 1 and 2 still mostly works, and they don't care that they make it impossible/inconvenient for 3.