Tell HN: Locked out of Gmail account even after right password, recovery email

326 points by hargup ↗ HN
My mom got locked out of her 10yr gmail account. She doesn't have access to the phone number she added for 2FA. This is after she has the right password and also has access to the recovery email.

This basically locked her out of her whole online life because for all other social accounts she uses sign in with Google.

There is no human support, and their support website says if you cannot recover the account, create a new one.

318 comments

[ 3.1 ms ] story [ 282 ms ] thread
Never sign-in with social logins for accounts you are not prepared to lose.
(comment deleted)
Could she try to regain access to the phone number?
Which is why you don't use such services for important things.
What do you use? Host your own e-mail? Or use some provider that will close in a few years? Should non-tech person get a tech degree and then with that tech knowledge spend 2 weeks choosing their multiple providers and then carefully make decision which one to use for different accounts?

How about if somebody can't afford and don't want to use Apple? Just not use smartphones? We're at the point where government services (at least here in EU) require you to use smartphone unless you provide written document that for some reason you are unable to.

I've always been "don't like it don't use it" guy and that's a clear and simple argument but it doesn't work in the context of where we are currently. Just the fact that govs and banks only provide you google play services and app store apps which they often require you to use is enough of a problem.

I use a mail hoster with my own domain. This way if they ever do shanenenigans I just have to migrate the IMAP directories to someone else and point the domain(s) there.

However I have been using the same mail hoster without troubles for the past 10 years.

I actually wish there was a way to opt-out of the suspicious login detection mechanism.

I've certainly had nerve racking moments where my login has been flagged as unusual and I wasn't sure if it would let me in (and I'm completely locked out of my childhood account though it's not been used in over 10 years)

It's a good feature for those with the password "password" but if you've used a strong single use password it just gets in the way

Yes, this so many times.

Whenever these posts hit HN there is some people going "well if they don't do this then a lot of accounts will get hacked" - fine! Fucking make my account vulnerable if I want it to, the chances I get hacked are probably still 10x lower than getting locked out by Google's shit AI crap "protecting" accounts. And well if it does happen, those same people can at least have their "told you so" moment. Fucking bullshit.

I completely agree.

If I get hacked, it's on me. Google can even add a "you can't sue us for damages" clause in their Terms (which they probably already have) - just don't lock me out of my own freaking account.

I’m curious if they can do this/how politically feasible it is.

In Canada, banks have this for things like e-transfers and preventing suspicious transactions. However, when people acknowledge the warnings and still go ahead anyway, they cry bloody murder and the bank ends up refunding people for fraudulent activity the people explicitly authorized after being warned.

This is a good point.

2FA is a great thing and I think everyone should use it.

With that said, I don't want 2FA on my alternate/testing/dev accounts. I simply don't want demo accounts linked to my phone number. I'd like to opt-out of "standard security" (MFA) and accept the risks on non-primary accounts.

I've long enjoyed bridging instant messaging accounts through my XMPP server, ie, logging in to various service from a cheap server in a datacenter, so I'm with you 100%. I'd like to opt of suspicious login for a LOT of services. It's not like anything critical rely on my skype/facebook/otherCrappyOnlineServiceIStillUseSometimes account anyway...
That's part of the vendor lock-in deal.
In this case, more like lock-out though.
I'm sorry for the pain it will cause you.

I had a similar story with my own accounts.

It's just lost forever, luckily I had many others, and didn't associate my whole life to any single account or provider, nor used social sign in, so it was not life altering, just a bit of work.

But selfishly, I hope those kind of story get published more and more so that people finally realized that what we told them not to do the for the last 20 years was not just for the sake of it.

People don't listen to preventive talks. We see that with cyber security, climate change, and so on.

They only start to move when they get hurt.

I wished people would have listened to us when we advised not to give everything to GAFAM, not to put everything online, and not everything on one provider. And certainly not to trust them with being on your side.

So they wouldn't have to get hurt.

But this is not how we, as a specie, learn. We need to get hurt.

So make sure a lot of people know about this. Not just in the hope to get the account back, but because maybe more people will listen this time.

Here’s why I down voted you, even though you’re right. “I told you so” is never helpful when someone is in pain. It actually exacerbates their pain.
Wasn't that their point though? That most folks only really learn through sufficient pain?
Yes. That comment is unhelpful and only exacerbates the pain.
I don't want to nitpick but if they believe that most people only really learn through pain then they would likely also believe exacerbating pain is indeed helping.
What is the alternative? For Gmail, I take the precautions of configuring mobile phone, authenticator app, backup email address, and printed out codes. What else can I do? Is it really better to use several different email addresses?

For Facebook, I’m currently completely locked out. I have the right username and password, but the email accounts I used to create the Facebook account are disabled now, being university accounts.

At one point, Facebook wanted my credit card or driver’s license as proof to tenable the account, which I wasn’t comfortable with. Then it got paired down to three randomly chosen connections that I needed to contact outside of Facebook. Once chosen by Facebook, these contacts cannot be changed. For me, it included a deceased person and two people I haven't even seen since high school. Now, it just wants to validate the email addresses with no other options.

So now what? Nothing in my control ever went wrong. I know my account, I am the person, and I have the username and password. It would be nice to be able to just call a number with a human on the other line to verify that it is me.

We've entered the era of "death by scale". We and the government allow these companies to treat customers and people as statistical entities. They don't give a shit if their products either flat out don't work or ruin a customer's life for "only" x percent if x is small enough.

I never used facebook for this reason and advised people not to. Now that you are locked in, there is not good solution. It's like smoking and getting cancer, there is no magic to solve the problem and a lot of pain. The best is to not start.

For gmail, have several addresses, with redirections to each others, use imap, don't use social sign it.

Well, I never used Facebook for any login nor did I ever give them my personal phone number or email because I never had any reason to. I deactivated the account a couple years ago, which doesn't delete it. It would just be nice if they let me recover it, but they don't want that as they'd rather force me to create a new account to get their hooks in.

I also never use social sign in for anything other than using my GitHub account for certain things.

What you can do is to not use providers like Google or Facebook for you e-mail or identity. Pay for a good e-mail service with human beings in charge and use a safe password, probably a password manager that generates it.
This.

I rarely needed to ask for support, but every time FastMail response was by an actual humans, not by a tincans.

Until fastmail either grows like google and becomes a death-by-scale problem, or goes under for some random reason.
Yes, but then you just take your domain and go somewhere else.
Do you or others have suggestions for email providers? I have been considering using Fastmail.

Do people use custom domain names to get around the fact of switching email providers? Aren’t there rejection/filter issues when using custom domain names?

Facebook did offer you two ways to recover: a) provide your driving license or credit card (a reasonable offer, IMHO) and b) reaching out to your three friends online.

I agree that in b), it sucks that once chosen, the 3 people cannot be change (although I kinda see the security angle of it), but what else would you want Facebook to do if you lost access to your email?

Accept my username or password that's being rejected for no reason? Driver's license or credit card is unacceptable, to me, to give to an organization like Facebook. Still, those options went away.

I don't understand why it can't just ask me questions about my account. It's not like I'm resetting my password. It was Facebook that randomly decided it needs to send an email, something it never did for the longest time.

Why is a credit card so horrible? It is designed to be given away anyway.

And if FB stole it, congrats, you are rich off the settlement.

How should the person on the phone verify your identity if not by your drivers license or similiar ID?
For email I'd say the most important precaution is to have an address at some domain of your own.

You don't need to host the email servers yourself. Many email hosting services will let you use our own domain with them.

If you want to use an email hosting service that does not directly support using your own domain, many domain registrars include free email forwarding so you can forward mail sent to your domain to your address at your email host, although there might be problems with sending from your domain if you use the forwarding approach [note 1].

It might at first seem that this is just pushing the problem back a little. Instead of the problem being losing your account at a mail hosting service like Gmail, you now have to worry about losing your domain.

The big difference is that a domain registration is a lot more passive. With a Gmail or other mail hosting account it is something you are actively using. Content you generate goes through it. Content other people generate goes through it to you. That gives all kinds of opportunities to trigger false positives on their automated anti-abuse systems.

With a domain you register it and designate name servers and periodically pay to keep it from expiring. Most registrars include basic name service so you don't have to deal with finding a name service provider. Once you've set up name service to designate your email host as handling your domain, or set up forwarding if that's what you are doing, you pretty much don't have to touch anything there and content to/from you doesn't go through those systems so there is simply much less opportunity for something to trigger some sort of automated anti-abuse systems.

Pick you domain and registrar carefully. Don't pick a domain name that is close to some trademark. Pick a top level of .com or .net or maybe your country's top level if you are going to want to send email from that domain [note 2]. Pick a registrar that is not in some country likely to do things that get your country to put sanctions on it.

[note 1] You might not have enough control over the headers on outgoing mail to be able to send a mail that doesn't look like a forgery attempt. For email addresses that you will just need for receiving things the forward approach should be fine, which will cover email needed for account recovery in most cases.

[note 2] The newer top level domains that are available for general use have been pounced upon by large numbers of spammers, to the point that having an email address in them can make it very difficult to get through spam filters. Spammers are all over .com and .net too of course, but that's also where most of the non-spammers are too. With the newer top levels the spammers jump on in large numbers from the start and so from the point of view of a random email receiver those domains are mostly spam.

Can you recommend a good domain registrar to keep your domain on that isn't google?
I use Namecheap and they have been fine. A lot of others on HN also use them. Some people didn't like it that they kicked off their Russian customers when Russia invaded Ukraine, but Namecheap has a lot of employees in Ukraine and it doesn't seem unreasonable to not provide service to places that are at war with where your employees are.

I've seen a lot of mention of Gandi on HN, mostly favorable.

What's wrong with providing a credit card?! What's wrong with asking your high school friends to help you recover the account?

You had multiple reasonable options to recover, declined them and now complain that "Nothing in my control ever went wrong". This annoys me so much

You can be annoyed all you want, but the process is insane. The only options available to me are my two university emails. One of the email domains simply no longer exists. I actually took the time today to call my old university, and they were kind enough to temporarily turn on my old university email address for the other email tied to my Facebook account. Facebook won't send the code to the email after I correctly login. It reports an error. (I verified that the email is working.) There's no way to report the error anywhere. The only way you can report an error to Facebook is to be logged into Facebook. There's another login screen that allows you to reset your password. I did so there since that actually worked by sending an email code. After I do that, it takes me back to the "browser verification" screen. Now, the email I verified has disappeared from that list! The only one left is the email that is tied to a domain that no longer exists. It is impossible to get an email at that address. It's ridiculous.

TLDR: I actually recovered my old university email address, and Facebook refuses to send a code to that email and has now removed it as an option.

nor used social sign in, so it was not life altering, just a bit of work

For most users, it’s not a bit of work, but a life changer (as in this case, right). Most sites only allow G and f SSI, and that’s it. Quick registration is a killer feature and it’s a shame that it is not a part of the tech stack at much lower level than google/site integration. It’s almost 20 years of mass-internet and it still sucks at account registration.

This might sound dumb, but if the phone number belongs to someone else now, could you just call/text them and explain the situation and (eventually) ask them to read you the code or something? Admittedly it'd sound suspicious as heck, but if you're willing to provide sufficient proof of your identity and somehow offer a reward in a safe manner, the person might understand and be willing to help? You'd have to be pretty smooth about it, but it seems worth preparing for and giving it a try.

Alternative idea: If you're really desperate, you could even try to dig up the phone number owner's address and show up at their door or something and explain it that way. (Note I'm not recommending these per se; I'm just pointing out what's possible. Obviously be very careful to consider everything before doing such a thing.)

Social engineering works for hackers all the time, imagine if you had an actual mom doing it.
I'm not sure what context Google provides in those text messages, but if it is just a one-time code; how would I know, you aren't trying to log into one of my accounts?
This is literally why I said it would sound suspicious. Most people wouldn't be able to tell. Which is why I said you'd need to provide some kind of sufficient proof of your identity (or some adequate alternative) to address their fears.
If you are desperate, you might have to just trust that person your login/password, ask them to login to your acc and change/add phone number.
Fantastic suggestion! Definitely a great option if they're willing to take the risk.

If not, another one I was thinking was asking them to meet at their local police department and looping in an officer into the story or something. Different things work for different folks so they'd have to get creative to find the right solution.

Ah yes, the old playbook of using police for free instead of running a customer support department in your trillion dollar company.
There might be an opportunity here for a trusted, legally bound third party to validate people identities and ensure smooth transfer of ownership...

Oh wait, I believe these are called notary offices in meatspace!

(tangent: at some point I thought that maybe notaries could sign one's PGP key instead of relying on rare/non-existent signing parties)

Does google allow to have same phone number listed as 2FA on multiple google accounts?
Yes.
I would be very wary of associating multiple Google accounts together. You don't need a single mistake from your personal account to cause a closure of your business account - and Google is known to do that. I recently had "nicer" auto_corrected to "ni66er" (Android keyboard swiping) even though I've never used that racial slur in my life. I could see how that might set off a chain reaction leading to account closure.
Sounds like a great movie!

Just add sneaking into their bedroom at night to grab their phone.

I'm not sure if this is intended to be a joke or something else, but I'm fairly sure knocking on someone's door or calling them without solicitation for something like this isn't a crime.
>Sounds like a great movie!

Raiders of the lost GMAIL-(Account).

Like that wallet scene at the end of Sideways?
or SS7 hack yourself

that's what the green bubbles are for

I have no idea what this means?
SMS text messages could be intercepted (ab)using SS7, which is the protocol interconnecting the various phone carriers. You "just" need to get access to the SS7 network... hard but by no means impossible.
*THIS GUY CONS*

Just kidding - but seriously this has been done before and your advice is sound.

I received a call one time with a SOB story about someone locked out of their yahoo email account with my phone number, which I've had for over a decade. In the back I could hear people talking, person had a thick accent from a country known to scam people. I knew it was a scam so I started probing more and they finally hung up.

It is a super bad idea for anyone to give out 2FA codes, they could easily found your email associated with a specific number from a security leak and attempt to steal it.

You contact them and ask them to reset your login details. You offer $100 and you give the username to them asking them to complete the password reset procedure.

You'd trust the current owner of the phone number to be honest (because you are contacting them), not the other way around.

Or go register the phone number yourself

Or pay a hacker to do a sim swap.

SMS 2FA is ridiculous

If there was a workaround for 2FA, it would be pointless.
Correct, but it's probably not necessary to permanently lock someone out. All that is needed is a significant delay.

You could just block access and say "come back in 28 days". In the meantime, warning SMS and email messages could be sent to the account contact alerting them of a possible takeover attempt with a link to disavow the attempt.

The workaround is supposed to be real human customer support.

Banks dont permanently lock you out of your account/card if you forget the PIN.

Yep. I got locked out of my eBay and GitHub accounts for two different reasons, but through their human support I was able to recover the accounts.
Banks verify your identity when you open your account, which they can refer to later on. Gmail does not, so any “proof of ownership” you can provide is circumstantial.
Banking is a heavily-regulated industry. Their regulators can (& have) seized & shut down a fair number of banks. And the Rich & Powerful would react very badly to any "a bank can lock you out of your money..." precedents.

Basically (& sadly), you're comparing blueberry waffles to the moon. I blame the English usage of "account" for both situations, even though there's very little similarity between a bank "account" and a Gmail "account".

The answer is for Google to be better regulated
Okay. Is there any even-remotely-plausible prospect of that happening in the foreseeable future?

Or is this situation basically "there should be a cure for cancer...but since there is not, here are a whole bunch of laborious things which you need to seriously consider doing, to reduce your risk of dying from cancer..."?

Regulating Google is indeed as hard as curing cancer
It's possible to implement 2FA recovery without making 2FA pointless. 2FA means you need 2 factors. Password + access to recovery email is 2 factors. Whether this is considered a "workaround" or not is debatable.
That's the problem with 2FA as it is done these days. The second factor is not under your control. It begs the question if 2FA makes your setup more secure or less. In this case, it backfired.

People are trusted with their own keys to their apartments, cars and houses.

Will we ever trust people with their own keys to their social life?

Google forced 2FA for (all?) accounts earlier this year. I turned it off immediately, because I was more worried about losing access than someone guessing my password (besides, Google has other mechanisms already in place like IP checks or new device checks). I can't believe Google would activate 2FA on all accounts. It seems too easy for it to go wrong for normal people.
I relogged into gmail recently and no 2fa was required.
You must have disabled it some time back.
There are a couple of options to fix this: - Use QR code and save the image to another secure store (I save them in KeePass) - Use an MFA program that allows you to back them up or restore to a new device (I use Authy)
And what if you somehow lose access to your password manager?
Make a script to send the Keepass database you your email weekly.

WAIT

There's a big difference between Google (which will lock you out for no good reason, or ban your account without stating a cause, and has no support or appeal process) and 1password (which AFAIK doesn't randomly block/ban accounts). You can still forget your password to either, but one is clearly safer.
I'm personally using KeePassX, and so, all I need is the kdbx password safe file, the key file, and software that opens it. The password file has backups, and is synced to multiple locations; the key file too, and it's something I can re-download from the internet from multiple locations; and there are multiple implementations of the software for different platforms. So for myself, I don't worry about this angle.

As an alternative, I read that other people print their password list from time to time, and put it in their actual safe or a bank's deposit box.

Same, but I use a master password for my kdbx file so I don’t have to worry about yet another file.
Has anybody ever had any luck with getting a lawyer to write a letter to Google (or other big tech) in such a situation?
What would it say? My kid persuaded me to use 2-factor login and I lost one of my 2 required passwords and now I demand access to my account?
(comment deleted)
This is not 2FA that has been deliberately enabled, Google is applying an account security heuristic that says « the login is from a new device, this user has a cell phone, require confirmation via the phone ».
The question seems to say it was deliberately added as 2FA:

>She doesn't have access to the phone number she added for 2FA

Disclosure: I work at Google but not on anything related to this.

I would provide written testimony that you are the account holder and evidence for instance a photo of an ID, email excerpts, email send to the recovery address.

Anything that would get Google to update the 2FA phone number.

I kind of did, but I'm in the EU and I had no 2FA.

When I got locked out of my account I wrote (in pen and paper) to their GDPR team saying essentially "You don't have to give me my account back, but you do have to give me a dump of my emails".

After some back and forth (they told me to use Google Checkout, which I couldn't access because I was locked out) they decided that giving me the account back was easier, and they did.

Sorry for the stress this is no doubt causing your mother.

Unfortunately I have seen similar and they never recovered access. It is just lost to the void that is Google support for their free services.

Yes I know it is the risk you run using a free service but I feel there should be some official process for a real human to get involved to get the account back. As you say you can lose access to your whole damn world these days.

It is crazy we have so many protections for your account getting hacked yet absolutely nothing to recover the same account should some automated system determine you are not you.

Googles services are not free. You pay by letting them show you ads and use your data.
Yes, yes we all know that.

That is being very pedantic though as to OPs mother (and the vast majority) Gmail and the related Google services were 'free' in that she didn't enter her credit card details and pay a monthly/yearly fee like she does with Netflix.

No, its not being pedantic. If it was a truly free service that the company provided for no income at all I could excuse their lack of support.

Not having support for customers you make money on is despicable.

If you ask any random person on the street "is Gmail free?" they will answer yes just like Wikipedia calls Gmail a free email service and if you search for "best free email services" Gmail is usually top of the list.

I fully agree with you there is an agreement that the user gets Gmail (or Google service) at zero monetary cost in exchange for them showing you ads and using your data however they see fit. And you can argue if that is 'free' or not but to the vast majority they see these things as free, rightly or wrongly.

Is 'free' the wrong adjective? Perhaps but it is what is used for a non-paid service.

> Not having support for customers you make money on is despicable.

I agree. Like I said it is crazy there is no real support process to get your account back when there are a lot of processes to keep your account safe.

Would your opinion - "despicable" - change if the Google was very clear, in their T&C's when you sign up, about their level of support (zilch) for "free" accounts?
Not as long as they make money on it, if they make money off a product they need to provide the basics, and ensuring access to the product is part of that.
Okay. Might you know if there is any company providing "free" e-mail accounts (broadly comparable to GMail), with all the "basics" which you want, and at least breaking even financially on that?

If "no", is there good reason to believe that Google could manage to do that?

If "no", would it be okay for Google (a for-profit company, not a charity) to discontinue free GMail service (presumably with some warning, etc.), because it was not a viable business to be in?

Apple provides phone support for icloud, which includes email. You dont need any apple devices to sign up for icloud and the lowest storage plan is free.

Microsoft also offers chat support for outlook.com

I have not tried the support from microsoft but apple support have been helpful when I had a relative with problems accessing their account. That was not for a paid icloud account.

Okay. I'm not usefully familiar with GMail vs. Hotmail vs. Apple vs. etc. Might you know why those don't get more favorable mentions - "other people reading this item should note that $Alternative_1 and $Alternative_2 are not nearly as bad as GMail...." - on HN, in this context?

(Yes, I am familiar with the "nobody ever fired for buying IBM" aura that usually surrounds Google):

Protonmail offers free accounts that come with email, calendaring, etc. They offer support where you can contact a human being if you get locked out of your account. It is inexcusable that Google, considering their huge profit margin, chooses to offer basically zero human support and relies on brutish algorithm-based support.
Wait a few days. It may be possible at a later date.

I'm not storing cookies when using GMail and at a time I regularly got those suspicious login type messages when the browser updated to a new version. At one point I had to click a link in the recovery email and enter the month when the account was created. Pretty much guessed several times until nothing worked. Tried again a day or a few later and got in again.

> Wait a few days.

Sounds exactly like what someone named waitforit would say

The account was created a few minutes ago. My guess is that they did that to reply to OP, hence the username. Still funny though.
> At one point I had to click a link in the recovery email and enter the month when the account was created.

Seriously?! Who comes up with these security questions? This is such a useless question, on the one hand it's insecure because it is a 1/12 chance of guessing right, but also who remembers what month they created an email account? I would venture a guess most people here couldn't even get the year right (I certainly couldn't). Seems the question is only useful to lock out the legitimate owner.

>on the one hand it's insecure because it is a 1/12 chance of guessing right, but also who remembers what month they created an email account?

IIRC, they require both month and year, so there'd be a bit more guesswork involved. I added the exact creation date for all my Google accounts to my password manager when I learned about this verification method.

Ouch... I just checked mine, and I was right about the month but off by 3 years.
Did she log in from a different geographical location? That can matter.
I have absolutely no respect for geographical location checks in this kind of thing. I can immediately think of five services that I occasionally log into that in practice email me about every new session, at least two because they always do and at least two because they think it’s from an unknown location (not device, location), even though they always list my location as Melbourne. Seems to me they’re either lying about remembering locations at all, or have all implemented it as a check for exact IPv4 addresses (/32), which is a very poor proxy for geographical location and almost completely useless for a significant fraction of internet users. I use mobile data for my internet connection. My public IP address changes from session to session.
I ran into a situation earlier this year where I tried to log in to my Google account in a pinch on someone else's computer and I could not because, even though I did NOT turn on any fancy 2fa options and had ONLY ever wanted Google to use my phone number or alternative e-mail address (at MOST) for such purpose, they refused to let me log in unless I approved some special 2fa mechanism in the YouTube app I had logged in on a Google Fi Android phone that I only use for testing and had over a thousand miles away from me at my desk. It was ridiculous.

In another, non-Google case, Apple once demanded that I provide the answers to challenge questions for an account I didn't use often even though I had my username and password correct. To me, the challenge questions are something that should only ever be used to verify in the case that I don't know my password, and it took me three days of trying against the rate limit to get enough tries to figure out the spelling of the answer for one of my questions. What made it really ridiculous is that the only reason this account existed was to give me access to developer account that was actively billing my credit card that I couldn't access... at least with Apple there was a customer service representative who was willing to try to figure something out as they agreed that it was ridiculous that I was paying money for something I couldn't even log in to cancel (though she wasn't sure if she could actually do anything...).

Re. Apple, I bought an iPad, took it to another country and gave it to someone. After a few years when they tried to access it, they could not. I contacted support, they wanted to see the purchase receipt before helping to unlock it.
I hate this, but you MUST enable 2fa in the way YOU want, or else google will opt you into "2fa" you never consented to on some app you don't remember installing.

Maybe hugely insecure but I enable google authenticator then put that recovery code and key everywhere I can.

After reading this comment I tried to disable the 2FA with phone apps that I never asked for. Curiously, I'm not even signed in the app - I'm signed in Google Calendar but I get the prompts in Gmail app where I'm signed into work account only.

Anyway, it's not possible to configure 2FA in the way we want. The Google prompts configuration says "To turn off Google prompts on a device, sign out of your Google Account on that device."

There's no way to enforce the Authenticator. Not even make it default.

I ran into the same fucking thing recently! It asked me to 2FA off of a random android phone I don't use, despite 2FA being disabled. First time I went "welp, time to consider alternatives".

For now I have removed every android I could from their logged-in-devices page and hope that suffices.

When you enable 2FA, you are given 10 backup codes for that specific reason and it tells you to print/save them, but everyone just ignores it - do it now.

You can also add multiple phone numbers, I got two just in case I loose one for some reason. Like if I loose my mobile, I'd need to sign in to google to locate it and I can use another number (my wife) to get 2FA code. And I have authy with my google 2FA by default, you can have multiple devices as well.

It's too late now, but this should be a lesson to anyone to always cultivate the MFA methods in their accounts: review them on a regular basis, remove methods that aren't secure or safe, and always, always print out those emergency codes on a sheet of paper and store it safely away, offsite if possible. If your mom had printed out paper codes, then she'd have recourse to a sure recovery method at this point.

Also worth a try is to pay for Google One. Rumor on the streets says that paid members have a better chance at bending the ear of a human customer service representative. It may be worth the extra few bucks per year.

I have a gmail account I never enabled 2fa on, or set up a recovery email. However, it had an old phone number I haven't used in >8 years.

2 years ago, I tried logging into the account, and google told me I needed to verify an SMS message due to logging in from a new location (I had logged into this account from Canada before).

I tried calling the old phone number, but it's disconnected. So unless I want to move back to the U.S. to try to get that same phone number again, I probably won't be able to access this account until someone gets that phone number, and I manage to talk them into passing along the authentication message

I believe it is time for regulatory support. I know it is fashionable to mock the EU regulatory efforts in the US, but the EU has a tendency to step in once something reaches proportions where regulation is actually needed. Ridiculously high roaming charges, for example, have been eliminated through regulation.

Once you are the dominant provider of something that is nearing life-essential utility status, you should provide support and escalation routes, and you should be accountable.

It and food regulation are some of the things they have way better.
Phone companies are regulated, and the solution to this problem is basically for google to allow itself to become vulnerable to social engineering, just like phone companies are.
I don't know what the situation in Germany is, but as I only ever hear about those issues from the US, I assume its something ridiculously bureaucratic, which might actually be a plus in this case?
According to the linked [0] report, of the two providers in Germany that were asked, one had 1-10 incidents, and one 11-30. In a year. So I guess those issues exist, it’s just a minority issue. The related German Wikipedia page [1] and almost all articles I can find also mainly talk about the USA. It seems you can usually add another required password for phone changes, but mainly it’s just not an issue. No ridiculously bureaucratic requirements, though.

[0]: https://www.enisa.europa.eu/publications/countering-sim-swap...

[1]: https://de.wikipedia.org/wiki/SIM-Swapping

So in Germany, you need to prove your identity to buy a SIM card. You can't really buy an anonymous phone, because every SIM card is tied to someone's identity.

This probably doesn't prevent SIM swapping entirely, but you will need to also steal the other SIM card you're swapping the number to.

Ah, I guess I forgot about that. Yeah, you either need to intercept the new SIM sent to the original customer, or defeat the identification procedure. That adds quite the hurdle compared to countries that have no such requirements.
At least for now you can still easily anonymously buy (activated) sims from other european countries.
But I think you can't use those for taking over a number in a SIM swap.
No, just require them to answer their phone. Charge a fee if necessary.
Whereas currently your google account can be taken over without any social engineering at all.
Does EU have any regulation to prevent it? I hoped that the latest Digital Markets Act would have any provision against it, but afaik it didn’t.
No, people in the EU also have the same thing happen with Google.
This is not clear. Even if it is regulated, the question is if anybody ever successfully sued to get this right, and then the question is what is the fine that would be given. Is it large enough to make the company change its ways in the future?
GDPR Article 16 gives you the right to have inaccurate personal information amended, taking in to account the purpose of the information.

A phone number used for this purpose would definitely identify a person, and so qualify as personal information.

Presumably you need to prove who you are to make changes to your record however. GDPR doesn’t give me the right or require a company to change a phone number if I call them up and tell them to change the number for some random name without proof of identity.
> Does EU have any regulation to prevent it?

Yes

Article 22 of the GDPR. Essentially it sates that if automated decision making occurs, you must be able to appeal to a human.

https://www.gdpr-toolkit.co.uk/individuals-rights/the-rights...

This is aside from common law, which might give some protection in that entities managing your goods (and maybe your data?), even voluntarily, have a have a duty of care to keep them safe.

I have a bunch of business documents owned by a Gmail account. I was concerned that one of these random lockouts could happen to me and basically shut down my business, so I set up a Google Workspace account.

...Only to find that you can't transfer ownership of a Google Doc from a Gmail account to a Workspace account because "security."

So at this point we have docs scattered across all kinds of Google accounts and domains which is the least secure thing I could imagine, great job Google.

100% in support of regulating the pants off of this company as well as evaluating alternatives to them.

I agree we need more regulation..

But are you sure about this problem? If you create Shared drives in a Google workspace, they take ownership of anything I move into it (after dismissing a warninge explaining what will happen), even if I take files in folders shared to me from someone else's gmail account

(The ownership model of drive was indeed terrible before they implemented the shared/team drives.)

Very interesting! Looks like we would need to upgrade our Workspace plan (and basically double our cost) to use this feature, which is not great, but it might be a solution.
We're only talking a few docs by a single account... it is possible, semi-manually: https://medium.com/@buro9/one-account-all-of-google-4d292906... The Drive section of that.

But in essence: Share the files, make a copy once shared, delete the shared file and only the copy exists.

Better though: Don't use Google Drive for business critical docs if you're not a very high spend Google customer able to talk with an account manager. If you're a small/hobby user or individual, keep critical docs offline as well as online. Just consider it part of your business continuity plan.

Wifey's paying Google, yearly, for her SME's little GSuite / Google Workspace account. She's not paying a lot of money to Google (no adwords or anything: just the GSuite monthly payments for a few people). And yet when she calls, she gets support.

I'm not saying Google is great: what I'm saying is that once you pay even for the smallest business suite, you get to get actual people on the phone who are there to help you.

It doesn't preserve everything like versioning, sharing info, etc, but if you're worried about losing access to these documents going to https://takeout.google.com every couple of months is certainly worth it.
Don't ever move countries.

I set up a business account in one country and then moved to another country. Several years later I need to re-enter credit card info. It doesn't let me now because my billing address is now from a different country. Google's only solution? Create a new google account.

Apple is the same - in the UK for a few weeks and want to download, say, the free BBC app? Can't do that, because your credit card isn't a British one, so you could be trying to violate geofencing restrictions built into the App Store.
Oh, this is such a pain, I know this well. You can't even install some apps, because you are not in the correct "store", which is tied to your credit card billing address. So if you move to the US, you won't be able to use many local store apps. Totally ridiculous.
This is particularly annoying when the local app is necessary for public transport, Covid, concert tickets or similar.
This is a problem that is is very hard to solve on the global scale.

Right now Google is not asking information that would allow them to really verify my identity. Not sure if people would like Google to start demanding that kind of information, like personal identity code (for countries where it is available), passport numbers, home addresses etc.

Without strong identity checks, the system is prone to fraud. Black hats can either social e engineer their way around the support agents or use leaked personal data to impersonate people to gain access to their accounts.

And that's totally fine. People should not treat IT services as something reliable, it is extremely unreliable and prone to many issues thing.

Once it will be understood, losing xx-years accounts wouldn't be a problem.

I know this is controversial idea, but the more I see cases like that, the more I am sure about it

> And that's totally fine. People should not treat IT services as something reliable,

Problem is the "society" around us (for lack of a better word) treats IT services as something reliable, see how more and more countries go digital/electronic only when it comes to payments or relationship with the government.

Exactly. that's why governments love IT and push it - they weaponise it against citizens.
Websites & apps treat your e-mail or phone number as your identity. Is it ideal? No, but it's reality.

Until everyone can agree on a better system, your e-mail is your online identity across countless websites. This makes losing your e-mail (with no customer support to regain access) a huge vulnerability in everyone's personal life.

Then don't use it? If there would be more reluctance against ubiquitous (and pointless) IT services, perhaps the situation with overreliance wouldn't have happened.
I dont know why you get down voted because you are absolutely right.

I would go even further and demand regulators to define standards to enable migration or self hosting.

Unfortunately HN crowd is more and more resembling reddit communities, where emotional downvoting is a way to express themselves instead of maintaining well argumentative discussion. Doesn't surprise me anymore
> Right now Google is not asking information that would allow them to really verify my identity.

I have a google account made in 2004 (it is nearly 18 years old) and some time ago youtube started to ask me to verify my age by sending my ID or using a credit card.

I think it was a "bug" on their side, since a google search showed a lot of other people complaining about this -> verify your age.. on a 15+ year old youtube account.

(comment deleted)
>Right now Google is not asking information that would allow them to really verify my identity.

Why can't they offer identity verification as an option? It's not exactly difficult to do technically.

Can you imagine how complicated this is, and controversial?

How to do this exactly? Do you want Google to be proving who people are by fingerprints, irises? Google has never gotten into this business. There would be so many issues. And is collecting biometric info an absolute bulletproof way to verify identity? And doesn't have pitfalls compared to current system?

Then how about just ID documents? Who would provide the locations to verify these documents? How many hundreds of types of documents would be suitable to prove identity? And thousands of locations would be necessary to serve everyone. Would they be honest / absolutely trustworthy?

Do you know how many people out there are waiting to try impersonating people by forging documents, given the money at stake, and how many outlets (that you'd have to employ as verification agents) would be susceptible to corruption to defraud people who'd relied on these documents as proof of their identity (and keys to their online accounts)? If you register with an identity document, and that becomes your method of proof, what if someone located in another country asserts that they're you with some different form of a document that says your name on it?

It's extremely complicated.

Google is already in the payments business, which requires a significant amount of identity verification. They aren't at the level you're describing, but they're also not completely new to the business of verifying IDs, albeit via uploaded photographs rather than physical kiosks.
It doesn't matter how complicated it is, given how critical a google account can be in a person's life, Google has an obligation to make a good faith effort to resolve issues like these, and if that obligation is not expressed in their terms of service, then legislatures and regulators should compel them by force of law.

The fact is that Google is already in the business of authenticating identities and actually does so in circumstances where the law compels them to, but they have deemed it too expensive to do so in the context of recovering accounts, where they remain uncompelled.

As it stands, the GDPR compels Google to make a meaningful attempt to authenticate whether you are the legitimate account holder when you submit an SAR or Data Deletion Request. But, Google, under no circumstances will attempt to identify you if you fail or are deemed ineligible for their automated account recovery process, unless you are eligible for their "In cases of nepotism or media pressure" emergency account recovery procedure.

Well, wait a second, I think you're going too far. Just because maybe you use Google to a very dependent level in your life, doesn't make it a public good that people have an entitlement to and suddenly you place legal obligations on them.

Your email is not your identity, and your particular email address is not a right. If Google has made available options to secure your email address, what exactly are you entitled to compel Google to do that does not conflict with the security decisions they've also made to protect your account from fraud?

The paradigm of 18th century economic theories, which I doubt that you sincerely subscribe to excepting this one matter, is no longer relevant. When the power wielded over, and the access afforded to an individual by a private corporation is so great that when denied access that person has no meaningful alternative and is meaningfully and irreparably harmed, that does become a matter of public concern. Whether or not users were informed when signing up that google would come to hold the keys over almost the entirety of their identity as it exists on the internet, and that their identity on the internet would come to represent a huge fraction if not the majority of their identity in the world, that is the circumstance we find ourselves in. Our identity on the internet is for most, an essential and non-negotiable element of the infrastructure of the modern world. A person who loses access to that identity may very well be losing access to their only means of employment and their only means of communications with certain friends and family members, and documents that are critical to their freedom and identity in the physical world (scans of passports, birth certificates, vaccination cards.)

The fact is that these corporations are not innocently providing simple little services that users might occasion to use for a bit of time and then freely put down; they provide services that grant them at times more power than nation states over the lives of individuals who are completely powerless to respond. Given that they wield power over a service which is not optional for most of their "clients", whether or not they meant to (they meant to), they are providing a public good. And if they are unwilling to do so in a way that aligns with the values of the citizens of ostensibly democratic nations, then the citizens of those nations should vote to either compel them to offer their services in alignment with the public good or have their property and right to conduct business in that nation seized.

And whether or not many are aware of it, this would not represent a sea-change in policy for any Western government that I know of. This would simply be the very late, but reasonable extension of more than a century of well-established legal precedent that already exists. For example, in the United States, we call corporations that are regulated in such a manner "Public Utilities", in Germany they are called "Öffentliches Versorgungsunternehmen" and in France they are called "Entreprises de Services Publics" and in Spanish they are called "Empresas de Servicios Públicos"

Yesterday I opened an online account at a bank, using my phone. The website asked me to take clear pictures of my ID card, and then record a selfie video doing a few movements and saying a few numbers. Done, in literally 5 minutes. Then of course regular logins are done with a password and 2FA, it's not like I have to show my ID every time, but I suppose if I got locked out of my account it's what they would use to identify me.

If banks can do it I don't see why Google can't. For many people, getting locked out of a Google account where they hold all their photos, connect to people via email, have their purchased Android apps, etc. is not much better than getting locked out of a bank account (depends on how much money on the account, I guess, but in many cases this is so).

the point that no one generally knows your IBAN number or calls the customer service - reset this account by telling this is my new ID card as I lost my previous ID.

Whereas your google email is known to many. What happens if some one photoshops a ID and says it is you?

Further more how should the ID prove I am the owner for john.doe@gmail?

The identity checks also introduce their own vulnerabilities, in the form of social engineering where there wasn't an escalation route before.

Solutions like yubikeys and passkeys theoretically solve this problem, but open other problems: not least what if you lose the key or the device that the passkey is stored on? Then you're no longer you as far as the authenticating party (Google in this case) is concerned. What's more, whoever stole your phone is you as far as they care, because that's all they have to say who is who.

Your devices should require further authentication (password/biometrics) but is that a guarantee? Could Google or anyone else really guarantee that any client device connecting to their service is unhackable, bearing in mind that many of their users may be on cheaply made and fully out-of-support Android devices or Windows XP?

It's a really hard problem to solve.

Since this should only be a last resort you could limit any recovery to accounts that have no recent logged in activity to reduce risk.

Google at least have your past IP addresses which should allow law enforcment to identify you (at least narrow the question down to a handful of people who could all be asked if they have a claim to the account unless you only ever accessed it from public networks). Doing all that detective work is not going to be cheap but right now you don't even have the option to pay for it if your online account is worth a lot to you.

Yes the EU does do that sometimes, but roaming charges aren't exactly a great example. What happened there is that relatively wealthy people who travel a lot got themselves a rebate that average earners are now having to pay for through their phone bills.

If roaming charges were high because there wasn't enough competition in the market then that's what the EU should have tackled. Otherwise high prices will just move on to other items on our phone bills and the whole thing becomes a game of whack-a-mole that the best connected special interest groups will always win.

Governments should regulate to make sure that markets actually work and that everybody has basic rights such as getting access to their own data after proving who they are.

_Every_ European travels internationally. Have you seen our borders? If we drive 500km in any direction we probably crossed at least 3 borders.

Really, the people that don't are rare.

Some people travel _far_ more than others and you can be pretty sure that the distribution mirrors the wealth distribution. I have seen our borders. I am European myself, with roots in more than one country.
Ah, no, not really. My family is not exactly wealthy, and they traveled frequently to France by car. And with Ryanair is incredibly cheap to travel nowadays.
Yep. I’m always amazed when I hear Italian students with no money saying they went to Paris or London for less than €10 with Ryanair. For those who don’t like planes, there are low-cost bus companies over the whole continent. Trains are more expensive, but a Paris-Milan is still only €40 if you book in advance.

The Instagram/TikTok feeds of 20-25 y/o are full of these lists of European cities you can visit in a weekend with a low budget.

See also: Erasmus.

Which is great. We need everyone to experience other countries’ cultures. This is the best way to keep the continent politically stable in the future. Well, as stable as it can be anyway. Avoiding another major war would be nice.
For the people who do it that often, roaming charges are not a problem. Even before they disappeared, they were not that expensive.

The people who benefit most are those who cross a border to go to work, those with family in a different country, and normal people taking advantage of the unsustainably low prices of intra-EU flights. Not really rich people.

This post is so out of touch with regular people I don't even know how to answer. It's just ridiculous.
Tell that to the people who live near a border and have their phones frequently associate with a tower on the ‘wrong’ side.

I think your post is in poor taste.

Competition only gets you so far in spaces where conyism, corruption and monopolies are in place. For example, the eu could have tried to promote competition by encouraging carriers to make deals in other countries to get roaming charges down, but the truth is that the deals were already made, just that it wasn't advantageous to carriers to drive down the prices, and stirring up competition by starting a new carrier is both infeasible and futile, because established carriers won't give you a better deal because they have a vested interest in the status quo.

Regulation has gone swimmingly, especially when you consider that roaming charges were completely arbitrary. It costs a carrier functionally nothing to forward traffic to another carrier, eçept for whatever price that carrier has set arbitrarly. Regulation has given me a 25 Gb data cap when travelling, greatly increasing the quality of my vacations, allowing me access to information, safety tips and travel-oriented services as a tourist.

Sure, carriers have lost some income over this (not all, only on european travel) but they are massively profitable, and should be treated as a public utility already.

Alright, sure, I agree with you. What now?
It seems that in EU customer protection revolves around making sure one doesn't get scammed out of their money, warranties are honored in time, things delivered actually match what was described at time of purchase etc.

All of this falls apart if the goods/service is free... And one can't really argue Google is a monopoly with regards to email services (search and ads are quite separate).

So I doubt EU could do anything about it unless one uses paid services.

Presumably jwr means regulation more broadly than just consumer protection.

For example GDPR, right to be forgotten, cookie warnings etc show the EU is more than happy to pass regulations that impact ad-supported services.

The current regulations may be ineffective or poorly enforced - but it shows they're able and willing to pass laws.

> I doubt EU could do anything about it unless one uses paid services

Just because a service is free does not mean consumer protection and data protection laws (including GDPR) no longer apply.

Why would you think otherwise?

Without ‘consideration’ ( payment) one can usually argue that no contract exists for the laws to be inserted into.

Closing that loop hole was valuable.

One can argue that under US legal system only.
> All of this falls apart if the goods/service is free...

That was very true, but I think this is changing. Recent dealings with Facebook and the privacy regulations give some hope there.

> And one can't really argue Google is a monopoly with regards to email services

EU regulations do not care about monopolies. The main issue is abuse of dominant position, which Google definitely has. The mobile carriers is an appropriate comparison, I think. None of them has anything like a dominant position across the continent, but their collective behaviour was suboptimal and costly for the customers, which was a strong enough motivation for the EC to intervene. I can see a blanket regulation about the processes that need to be put in place to close or recover accounts. In the same way that these companies are required to have dedicated people for GDPR requests.

Also note that EU regulations are much less concerned about random customers than American laws. The EU framework is all about competition and how to preserve it, under the arguable belief that quantitatively increasing competition will benefit the final customers.

> And one can't really argue Google is a monopoly with regards to email services

If you take deliverability to the average email account into account then they are not far from one.

> Ridiculously high roaming charges, for example, have been eliminated through regulation.

It should also be noted that as soon as that regulation no longer applied (Brexit), high roaming charges were immediately brought back in to effect.

EU-style regulation works.

Also note it applied to roaming within the EU. You’re still in their clutches if you go further afield.

Rationale was that treating people from one EU country differently than from another was against the union. Imagine paying inter-state roaming in the US.

The new UK system makes no sense. My current mobile provider (O2) will offer me unlimited data usage in the USA but will charge several pounds a day extra to use my phone in France.

Companies will charge what they're allowed until either the market forces them to behave, or failing that, the government.

O2 doesn't control the networks in France? You sure it's not the French telecom(s) setting the rates?
I'm with you. But why only when dominant? A human interaction possibility shall be part of any crucial service. Companies shall spend money for this and pay well trained personal. I know it is often vice versa and especially what mega corps try to avoid and therefore it must be enforced? Amazon is doing that rather good. With Google I had a hard time when an order failed, they weren't able to tell me why and re-rooted my calls to the wrong country because of my phone number...
While I’m generally all for consumer protections, you cannot secure against cases like this. The person affected was obviously ignoring repeated prompts for a current phone number, on a free account nonetheless.

The only reliable alternative I see is requiring a government photo ID containing a permanent physical address on account creation. I wouldn’t want that, would you? And even then, some would manage to create impossible situations.

It sucks, really hard. No other way to paint it. I’m not arguing for Google here. Still, the user has responsibilities too. If you ignore an oil warning light on your car for too long, eventually the engine breaks.

> If you ignore an oil warning light on your car for too long, eventually the engine breaks.

The comparison falls flat though when you consider that you can pay money and get the car fixed and still have the car in the end.

The complaint is not "fix my self-inflicted problems for free for me", it is that there is no way to get anything fixed even if one is willing to pay and acknowledge it's one's own fault.

It is not meant as a strict comparison and I believe you know that. IIRC, HN asks to take the strongest points of an argument, not the weakest.
To be fair, the parent is focusing on the crux of the problem though.

If this has happened (and I can think of a few other ways for this to all go wrong that involve less carelessness on the part of the account holder) it’s quite substantially more serious than having to pay to fix a car.

There are very real consequences to not having access to an e-mail account that reach far beyond the hassle of creating a new one. They reach far beyond even losing your current emails.

Google (and others) slick account creation funnels belie the seriousness of what you’re doing and the devastating consequences if anything goes wrong.

Regulation is needed urgently, but will only happen when enough famous-but-not-famous-enough-to-get-special-treatment people complain.

Fair enough, I agree.

Given this requirement, free accounts will probably not be possible. If a person uses a free email account for critical transactions, what can one say? There’s a bigger issue here regarding our increasingly digital lives that needs more comprehensive change than regulation of some areas.

Paper mail delivery is guaranteed in most of the industrialized world, more or less. Email is increasingly used as an alternative but is entirely the recipients’ responsibility. Receiving paper mail costs nothing, that’s probably why so many people choose a free provider like Google.

Also, how would you solve the issue of identity verification in case a user loses means of access?

Adding to my own comment: one thing I forgot about is Google Maps, which reached "basic utility" status in some countries. If your address is wrong on Google Maps, you will have problems, because people will be unable to find your place.

Google provides a way to "submit corrections", but there is no accountability, and these corrections might or might not get applied. In my case, they are sometimes applied: some phones will show the right location, and some will show the wrong one. Again, no accountability.

We experience this also, every delivery needs manual correction because they rely on Google and Google is just plain wrong.
We have a situation where someone turned on an option for enhanced security, combined with the fact that Google doesn’t ask for further solid information like biometrics or social security number. This person wasn’t locked out by magic algorithm.

What solution could Google offer without creating a security backdoor? Google might not ever be sure as to the identity of the account holder.

If you are geeky/nerdy just remove phone number and add QR code based 2FA. Print that QR code and scan it on your phone (as a courtesy to your mum). Yes, victim blaming but better to do this as a help rather then hosting your email service for your mum.
I had nearly this exact thing! The backup email wasn’t working. My mom was able to leverage an existing session on thunderbird to access her emails. Her SMS auth was failing as she’d change numbers. She managed to convince a phone provider to give her the old number so she could successfully authenticate.

Still mad about the lack of ability to provide proof of ownership, we had ample evidence which would have held up in court if required. But alas, google are worried about their immediate bottom line instead of their long term viability.

Side note: I swear this is an issue with very old google accounts. The backup email address was working but refused to validate, we also had the password. If you work at google, please submit a bug report on behalf of us pleb public users who have no access to such features!

And if you work for government, please propose legislation which fixes these asshole ghost companies!

Human support can be social-engineered or bribed. You hear about SIM jacking, OG Instagram account takeover, etc. because of human support.

It certainly sucks, but in this case you lost your second factor, which is very different from the other flagged-as-suspicious-and-locked-out-permanently cases.

When there is a human in the support loop, there is also a chance to reverse a mistake though.
Hmm, yes, that's actually the exact behavior that I expect from 2FA. To not let people in my account without the code.

I fully sympathize and understand that the outcome is bad, but this is just a system working 100% as expected.

This is happening to me with facebook, without 2fa. I temporarily disabled my account for a couple years as they promised you could log back in at any point to restore it. fast forward to today and even though i have the same email and password combo they are stuck in a loop asking me for my passport/state id, which i’ve provided dozens of times at this point.

sucks because i have a bunch of memories locked in that account and can’t contact a human at FB.

Did your failed log-in attempt reactivate your account? Can your friends see your old facebook account now?

Please check for me, because I'm in a similar situation but have been hesitant to try logging back in.

That's a good question! I didn't think to look until you asked. It looks like it didn't, which is a bummer because then I could have asked my friends to get my photos...
An idea would be to have more than one account on different providers and have all their emails forwarded to each other, but make sure the forwarded emails arent forwarded again.

Might go do this now.

A good preventive option that costs a bit of money is to not tie yourself to any of the providers by just buying a domain name and pointing MX at a gmail account or something. So long as you back up your emails periodically, you can always switch providers in 10 minutes and nobody will even notice.