Tell HN: I can't login to Gmail due to phone cannot be used for verification
Anyone has any idea how to recover it other than.... find other number? I've used my father's and mother's number. However, it seems all number have been flagged as "cannot be used for verification". Any other ways to login?
47 comments
[ 50.8 ms ] story [ 789 ms ] threadToday I have to enforce MFA at the small company I'm working at, and just a month prior I held a cybersecurity seminar for them and explained that "phone MFA is… okay… but you should really use verification apps." But I didn't realize that you can't even enable authenticator-app-MFA with Google without doing it through a phone first… just infuriating.
Nothing mysterious. Authy and Google Authenticator simply implement the same standard, RFC 6238.
https://datatracker.ietf.org/doc/html/rfc6238
Maybe they've fixed that since then, but I don't care. I'd rather risk a theoretical flaw in Authy's E2EE than risk getting screwed again, and by now much more thoroughly, by the flaw I know about in Google Authenticator.
SMS 2FA is a different proposition, in that the authentication provider sends you the intended response directly. This is a little easier for nontechnical users in that it doesn't require an app that can compute TOTP responses, but it's markedly less secure in that anyone receiving or intercepting the SMS can immediately respond to the challenge, and less resilient in that you can't authenticate at all if you don't receive the SMS - which is the failure mode under discussion here.
[0] https://getaegis.app/
I hadn't considered MFA because I use Authenticator and have most of my TOTP seeds in 1Password anyway, but man I'm thinking I dodged a bullet because there are a handful of things that use SMS only.
Because Google knows best.
I just bought a prepaid card only for this - Google, Facebook, Twitter, Instagram. I don't use it for anything else. I took it out and hope to remember to top it up for another year to keep it in service. It's so stupid.
i have a gmail account I haven’t accessed in many months.
In that time I’ve updated my hardware.
Now google says “we don’t recognize this device” and won’t let me log in.
I have a backup email configured and gmail actually sends a note to that backup email saying someone has my password for the other account. But won’t let me use that backup email to verify the login on the old email address.
Wtf.
The longer you've been locked out, the more confidence Google will have that it's really you trying to log in. That said, the system is really dumb. I have a friend who just got locked out of her account for multiple days because she had a Google phone number, and so of course Google wouldn't let her log into her account to retrieve the text they were trying to send her. Now obviously if she had purposely enabled 2FA using this number then that would have been a mistake, but it's less obvious that one day they would just randomly decide to enable it for her using a phone number that obviously would not work.
Edit: Now that I have your attention:
PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.
[1]: https://support.google.com/accounts/troubleshooter/2402620?h...
[2]: https://support.google.com/accounts/answer/7682439
[3]: https://support.google.com/accounts/answer/7299973
Once logged in I could change the phone number.
Really stupid way to do it. No reason to lock someone out with the right password.
A better alternative would be to show partial digits of an old number and ask you to complete it.
I'm lucky that I have a server in the US that I regularly use as a VPN so I could try again from a known ip.
It could be because I wasn't spamming them with tweets i.e. I only sent them about 14 tweets total between their two handles over the course of a week, but I can see how they might've blocked someone else doing the same.
> Also, would this be affected by the latest changes at Twitter?
Sorry, I'm not familiar with those changes, so I'm not sure.
Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it. Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did.
It was a slow decay, though, where over the course of a few months I just became less and less able to log in. (Unfortunately when I could log in, I couldn't do anything to change my recovery phone number to one I actually had access to because that triggered another verification round that I could not pass because I didn't have access to the old phone number.)
The best advice I can offer is to try find an old device that you once logged in from and you haven't upgraded or cleared cookies or anything. Then try to go back to the same country, city and ISP you used where it worked. Do not log in from public wifi! Make sure all your OS-level language, time zone and region settings are the exact same as they were last time you were successful too. If you are lucky you may be able to get in without a phone number and back up your data somewhere else.
It was not as bad as that guy that Google totally F'd because of the pictures of his kid's genitals that his doctor requested, where he had a google fi phone and gmail email etc. He had no ways around at all. But still scary enough.
I almost couldn't even just buy a new phone to regain access to txt, because Ting web site forces you to enable 2fa, and I had it using google authenticator on the same phone.
So I couldn't receive txt verification codes, couldn't respond to google's "yes it's me" thing, couldn't use my authenticator app to access my account on Ting to move my number to another device so I could receive txts...
Luckily, I HAD saved the recovery codes from Ting and I had those in my keepass db which I have many ways to access, so I was able to use that to get in to the Ting acct if I needed to move the number to a new device. (plus I just now remembered this phone has a removable sim card so maybe I could have moved the number that way, but what if the phone had been esim?)
In the end, I was able to get the screen replaced at a local shop without resetting the phone, so I regained access to the pre-existing Authenticator install, and regained ability to repond to google's "yes it's me" on the previously recognized device.
And if the phone had been unrepairable, I would have been able to move my number to a new device and eventually recover everything else by txt because I did have a way to get into my Ting acct.
I had a lot of non-critical things registered with a gmail acct for convenience, but the important things I use a mix of other emails with gmail also as a backup, but a few of the most important things were using google authenticator and I didn't have a 2nd authenticator app up & running on any other device, and didn't know about exporting the original seed when I first set it up so I couldn't just fire up some other new device and install an auth app and start using it.
I DID have single-use recovery codes for some sites saved in my keepass db, but not all.
So after this wake-up call, I was able to use my old phone to get into everything and re-do the 2fa on everything.
I found I could use Gnome Authenticator app on my laptop, and export the seed tokens and save a json text blob in my keepass, and verified that I can take a brand new laptop, install keepassxc and gnome authenticator, import that json, and successfully use the brand new machine to access the 2fa-protected sites without needing my existing phone or laptop, and without needing access to any google acct. I do have gmail as a backup email for things where protonmail or something else is the primary.
I also keep the single-use emergency codes for each individual site in keepass as well as printed just because "why not?" though I really don't imagine the print copies ever being used.
So all I need is access to any copy of my keepass db (which I can scatter around at will and can access any number of ways, thumb drives, home nas, google drive, random vps, copies on devices, etc, so I do NOT need access to a google drive or onedrive etc to retrieve it) And everything else can be reconstructed from new downloads of all purely open source software and the keepass db password.
But what struck me is how it's really up to the user to deviate from the easy path and go way out of their way to be safe. They are not safe by default if they just do what google says all along the way. By default, google will happily make themselves a single point of failure for your entire life, which is easily tripped and provides no channels for correcting errors.
On-line-only banking/investing accts with no local physical office are particularly scary, when they do not know you any other way than by your login. Yo...