You can't recover your Google account if you lose your 2FA device
I have a Google account which used a phone number I no longer have for 2FA. I have the correct password to it, but can't login to it without 2FA. Google sends me to an account recovery sequence when I try to regain control over the account, but there's actually no way to complete this either without the phone. Of course there's no human support available. The only "suggestion" they provide is to create a new Google account, which certainly isn't helpful...
Screenshot attached. (Email address in that screenshot has been blanked out). https://imgur.com/a/OT1pqy9
To be clear, I still have access to the email address in question and could certainly retrieve any recovery code they send there. They don't offer that option though. Phone or nothing.
62 comments
[ 5.6 ms ] story [ 120 ms ] threadYour two options are:
1. Tweet at Google to get human support (sometimes works, sometimes doesn't)
2. Talk to a Google employeee, because they have access to an internal support ticketing system that you don't
When everyone has 2FA, 2FA backup keys become kind of impractical in the same way it becomes impractical to remember all your passwords.
> When everyone has 2FA, 2FA backup keys become kind of impractical in the same way it becomes impractical to remember all your passwords.
This statement makes absolutely no sense. If you can't remember your passwords (and even if you can) you should use a password manager. The same can also hold your recovery keys. I also have a printed copy of the recovery codes in a file as well.
In theory (and in practice for those who care) recording recovery data is simple and quick but for the same reasons passwords are failing us, seem to rarely be recorded.
It was a learning experience. I setup another Google account after this, but made sure I had a copy of the recovery codes which will allow me get me back in if I lost my 2FA device (in this case a Yubikey).
I prefer a Yubikey over basic SMS since it's easier to get a SIM lost than a Yubikey. I have the Yubikey on my keychain.
I don't have any other recovery codes for this account.
This circumstance is how 2FA is meant to work, otherwise an unauthorised someone could access your account, especially if they had comprised your primary email account. More often than not, people do not secure their email accounts.
On one hand I'm glad there is no way to access an account without any of the agreed methods, and on the other empathise that this is scant consolation for losing an account :-(
I don't think they were ever set up for this account, or I would have a record of them, and Google would presumably be offering them as an alternate recovery option (it's not).
I could get a recovery code via my primary email since I still have access to that but Google isn't offering to send one there either.
When I was changing phones and wasn't sure that Google Authentication app would move to the new phone seamlessly I actually disabled 2FA on all my accounts before activating the new phone and then set it up again over there. Did I need to do this, probably not but it did ensure that I wouldn't loose access due to a missing 2FA app.
No, this doesn't sound correct at all. I just doublechecked with some other Google accounts to be sure. All of them had 2FA enabled and didn't have any recovery codes generated. You have to manually generate them.
1. Setup a backup email for recovery
2. Copy paste and save Backup Codes somewhere remote
3. If you are using an app like "Google Authenticator", they have an easy way to Export the settings on another phone. Do it on your wife's/gf's/family/sibling etc phone and that way you have another backup of 2FA codes.
4. Do not use the "Google Prompt" option because that only works on primary device.
Google didn't invent any of this, it is fully standardized (see RFC6238). There are lots of fully compatible alternatives with better options for security and backup and restore.
Personally, I use FreeOTP+ with a password lock and secret keys backed up off device.
Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.
Remember, everything Google does is subtly designed to help violate your privacy in some way. The quickest way to convince me not to use an app is to put a "Google" label on it.
Sure, companies may do some evil things intentionally, but an app UI sucking is usually the default state of things and not some malice necessarily. In this case, I think part of the neglect of Google Authenticator is them trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP (Yubikey-like and smartphone based systems).
https://hn.algolia.com/?q=sms+2fa
Yes, that probably explains why they prefer OTP over SMS --- because it is more secure --- and it totally violates your privacy.
You can set a backup email address for Google accounts if they're using Google email addresses, but you can't do this if they're using non-Google email addresses as the primary address, such as the one in that link. I'm logged in to such an account right now and there's no way to do this. The account primary email is also set as the recovery email address and there's no way to add another.
It's actually deceptive to the user to even call it a recovery email address in this case, since Google will never offer to alternatively send a verification code there if the 2FA device is unavailable.
All 2FA sites do that?
The other alternative is that you have some support person on the end of the phone who can grant access to accounts. Historically this has been a ripe for social engineering attacks leading to stolen accounts.
It is not hard to setup mfa on your google account so that there are no single points of failure.
"You can't recover lost 2FA if you don't save the recovery codes like the setup tells you to do."
No recovery codes were ever generated for this account.
I don't think it's reasonable to lock out a user who has the correct password and access to the primary email on the account.
I understand there are situations in which both of those could be compromised but locking out all users with no human customer support, review, or recourse is unacceptable in my opinion.
And if I had known that I'd be locked out of my account in this way, even though I still have the correct password and access to the primary email, with no way to reach a human about it, of course I'd have generated those codes.
"You can't recover your Google account if you lose your 2FA device, don't set a backup email account, don't save backup codes, or anything else Google recommends you do to avoid losing access to your Google account."
Heck, Google even pesters me occasionally upon login to confirm all the above info is still good.
There's a lot of things to criticize Google about, but I don't think this is one of them.
My interpretation was that they do have a backup email address registered.
The email I received today was one of the "pestering" emails you refer to. Cannot be implemented since I'm not signed in anywhere currently and unable to login.
I can confidently say this about every account I have barring my primary email (outlook).
Tbh, if I were Google, I'd force the user to prove they have a second second-factor added before enabling. Force them to enter the first half of one recovery code or something. Of course, if anyone really asked me, I've been screaming about SMS 2FA for forever, but its just one of those things most people just can't be bothered to care about until...