Ask HN: If I get locked out of everything, please try to help me
So my phone has been failing to charge for three weeks and I bought a new phone today and can't get it set up because the old one is dead and I can't get a verification code. So I moved the old sim card on the advice of one of my sons and the codes are still going to the old physical phone and Google says it will send me a link in 72 hours.
Google is convinced I'm trying to break into my own accounts because I can't get access to codes on my dead phone. So I may lose my access to my google account, my blogs, etc.
If anyone has contacts at google and can tell them, yea, verily, Doreen Michele Traylor is a real person who is real poor and we all know her and please let her keep her phone number and her (my full name) google account and get me out of this fucking nightmare, that would be coolios.
Please and thank you.
349 comments
[ 0.26 ms ] story [ 331 ms ] thread"Ask HN: How to Recover Gmail Account"
https://news.ycombinator.com/item?id=33850676
Am I worried about getting hacked? Absolutely! But when I weigh the likelihood of (1) someone else getting into my account without 2FA and (2) locking myself out of my own account with 2FA, the latter seems much more likely!
I understand how backup codes work. I promise you I will loose them.
I still had 1 percent power on my phone earlier and was previously able to get a code on it and I hoped I could get one last code before it outright died, so I said "Yeah, sure, send it to my phone" since they don't really want to do it another way.
So then I had to ask another way when I couldn't get to it because that is when the phone gave up the ghost for good. And then they said "We shall send you a link in 24 hours." So I moved the sim card and got text messages saying "Was this you?" and I said "Yeah, it was." and cancelled my "account recovery process" and tried to continue setting up my new phone because the old one is dead.
And this is when Google decided I must be a for serious criminal and told me "We shall send you an email in 72 hours."
So I'm quite upset at this point.
I work from home due to my medical situation. I have no friends locally who can drive me someplace.
Etc etc etc.
This is a non-starter for me. I need Google to fix this. I can't do anything about the busted phone at this point.
Despite this being a common problem, it's not well recognized, and it's easy to forget about it too. I went through several charging cables and almost replaced my phone half a year ago, before I remembered - and sure enough, all my charging issues were caused by a layer of lint at the back of the port, that got compacted by the charging cable so well that it formed a flat "false wall". I forgot all about it, even though I've performed the exact same fix on other people's devices in the past.
Hope it helps; if not, I apologize for wasting your time.
That’s probably mechanical stress causing the port to become loose. It can happen after a few years.
Does helping you look like potentially helping a hacker take over an account, recognizing that google deals with totally crazy state level attacks? Google faces some significant liability and risk here.
Would you pay google to make it worth their time to help you (I actually think this should be an option - if a physical in person visit + someones time is what it takes - then google should have some system for $500 + you get to their office somewhere to recover your account)
I've had relatives in this situation. If you do know someone at a large institution with an institutional relationship I think you can sometimes get help - I had a relative go this route, wasn't sure if the IT folks there just figured out how to fix / work within google, or could escalate somewhere to get it addressed.
Because google will worry about reps selling access to account resets - they may REALLY lock this stuff down, so even if a rep wanted to help, they may not be able to (insider attacks a big issue again especially state sponsored attacks).
But people here seem a bit less threatened by very poor individuals actually posting here than in most online places. I know from my own experience that mentioning you're homeless is usually a red rag to a bull. Add that you're an unemployed software developer, and the self-loathing middle class is often very quickly off on a hate-rampage. Less so here, for some reason. Perhaps just because people here are focused on topics of common interest, so if you're a loser (generally hated by the winners, worried that by the grace of providence they might have been you ..), at least you're one of our losers?
Many accounts that support 2FA let you download a few (commonly 10) static codes that don’t change. If you anticipate a situation where you may lose connectivity access like this, it may make sense to download the codes and store them in a physical notebook.
Software 2FA just computes a number based on a secret string. You treat the latter the same way you take care of your passwords. That's why it's best to handle them with your password manager. 2FA over SMS is even less of an issue (except maybe with a broken eSIM chip). Physical methods are a problem, so you have to spend money for a backup.
Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.
Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.
> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.
That's why you maintain the knowledge-possession separation at the access to your password manager (file) with a combination of a password and either a key file or hardware key.
If you store your secrets in encrypted files rather than specialized server solutions, it's also easier to separate and store them in different locations.
If you do not understand the purpose 2FA, there are plenty of online resources available.
As I explicitly wrote, you can store secrets in separate places, and if you don't, you still protect yourself against password recovery attacks or interception and add redundancy.
All of these scenarios happened to me, and I'm a fairly normal person.
I honestly don't know what's going on behind the scenes to know if this is not as secure as it "should" be. But this was my reaction specifically to the non-SMS TOTP 2fa: Wait, if I lose my phone there's literally no way possible to get in? Oh there is, if I have the backup codes... yeah right, you think I can hold on to backup codes? Surely there's something I'm missing, what is everyone else doing here? Oh, everyone else is just hoping they never lose their phone? Really?
Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA.
Had that happen to me, I was saved by still having the backup codes + having some unholy Tasker + Pebble automations that let me operate the phone without display - enough to launch AirDroid, use it as remote display/input to enable ADB over WiFi, and then finally use scrscpy over ADB as a remote display/input that doesn't blank out on security screens and in Google Authenticator. Only at this point I was able to transfer all the other TOTP entries in Authenticator to the new device.
Lesson learned: 2FA with TOTP is a responsibility to be taken seriously, despite what security professionals would make you believe.
If I've agreed to use and keep track of a very small physical device to access my account, don't be going letting any ol' person who can access my phone number in there!
This exact situation has been such a thorn in my side at my company lately. Does anyone know any way to disable this behavior, even just with Google Workspace accounts?
All these claims and not a single screenshot of this scenario. Meanwhile I've been in 4 countries in 8 weeks and Google hasn't bothered me once beyond the normal "tap my yubikey on my keychain".
There’s a fire or gas explosion or earthquake or something, and you need to leave all those behind. What do you do?
> Oh, everyone else is just hoping they never lose their phone? Really?
I would be very, very surprised if that’s not what the vast majority of the population is doing. Many people have a phone as their _only_ computing device, and no printer, and don’t really understand why they should be carrying around scrawled codes in their wallet.
I get screwed!
I guess the right answer is that I have the backup codes carefully preserved.... off site! In case of natural disaster. Every time I sign up for a new account, I print out the backup codes, and take them to an off-site secure storage location, which of course i have... somewhere.
There's no way 90%+ of internet users are doing that.
I'm not even going to pretend I have any chance of doing that.
I really should be storing some codes for my password manager somewhere…
for the rest there are other options.
Yeah f no. Most people just screenshot their backup codes and put it in a Google doc somewhere in plain text, at best. And at worst, they go "what the hell are these codes" and close the window.
Which, security-minded folks would know, is effectively equivalent to just writing passwords down in plain text.
Nobody thought to put even a tiny speck of product management into this system.
If someone wants me enough to target Authy with an SMS reroute attack focused on me, they're gonna get me either way. I'm not Ed Snowden here, I'm just a guy trying not to lose his car keys.
But, what's the thing you use that provides the benefits of cloud syncing across devices and isn’t tied to a phone number? For anyone that might be interested, including me if it seems as easy and as idiot-proof. (and free or cheap).
When that happens, Google asks to confirm with a known mobile device even though I have specifically configured 2FA TOTP since 2012 to be device independent (and I currently use keepassxc or mobile equivalent to generate the totp value). Google subsequently doesn't allow login by any other method and if the required device is lost or broken you lose access.
I didn't lose a single account yet. I have printed backup codes, I have password manager, I have passwords backup in a text file on thumb drive, two copies. I have my domain held by registrar in my country, so I can just visit their office with my ID and talk with them. So I take some reasonable measures to protect myself. But I have no fear of losing those digital assets.
I actually gave a thought about protecting myself by creating a single 100% reliable email and then bind other accounts to that mail. Believe it or not: I didn't find any provider which would satisfy me. My worst case scenario: I'm going to jail for 20 years. Every free provider will delete my account after few years of inactivity. Paid providers usually are small enough so I wouldn't trust them anyway. My current plan is using my own domain with autopayment and enough balance on account. But of course that's not reliable. Registrar might just go bankrupt. And I can't really reserve my domain for 50 years no matter how much money would I pay.
Also, check out mxroute.com for SMTP/IMAP needs.
If you registered a gTLD, you're theoretically safe from registrar bankruptcy, or even from a registrar losing all their data for whatever reason. Per the ICANN agreement, the registrars have to send a copy of their database to a third party escrow agent regularly (where I worked before we sent a differential backup everyday and a full backup once a week). This way, if the registrar cannot assume its role anymore, another registrar takes over.
Note that this is not true for ccTLDs (ie. every 2 character TLD). That's a reason you should prefer gTLDs if you want to prevent a worst case scenario. I usually recommend a .com or .net because Verisign is, in my opinion, the most reliable registry in the world. If you stick with .com/.net, you're safe from any registrar failure, and there's not a single chance that anything happens to the registry.
ccTLDs might have an emergency plan but it will depend on the registry. So if you really want a ccTLD:
- get familiar with the registry and its rules
- do NOT get the ccTLD of a country other than your own. Eligibility rules can change, so you could lose your domain if the registry decides that they now want to only sell to residents. British people lose eligibility over .eu for example, not because a change in eligibility rules, but because of a change in their own status.
- do NOT get the ccTLD of a small country, unless the registry delegates the technical stuff to a reliable registry backend. Small countries have crappy infrastructures, so DNS resolution could get unreliable. This famously happened to Notion.so (so -> Somalia) a little while ago.
That just makes it even more likely you'll lose access. If you have 2fA, Google will just ask for your 2fa. If you don't have 2fa, Google will pick some random device you signed in on once ten years ago, and tell you that you can only ever log into your account again if it's from that device.
2FA might be good for security, but it's also very ableist.
Just like with accessibility on the web, it's so easy to forget about that when you're not in the situation yourself. Thank you
I don't have a lot of sympathy for big tech when it so clearly fails to enfranchise those that need it most.
If you set a strong, long, unique password for every account, your chances of getting the account compromised are just about zero.
2FA is a good thing in most cases, but I do hate how the industry has blindly adopted it as some sort of mantra that you can't exist without. The reality is that if you chose 128+ bit passwords generated out of /dev/random, they cannot be brute-forced within the lifetime of the universe. You might get phished, which is entirely different, but if you're careful about that you'll do fine without 2FA.
Yubikey 2FA (and equivalents) help to solve this.
- 1st Backup Codes: Store a bunch of 2FA backup codes on a safe location, best not in YOUR home, in case it burns down.
- 2nd SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind, that SMS is also one of the least secure 2FA methods.
- 3rd instead of having your auth codes only on one device, use a service for it like Authy, so you can install it on as much devices as you like, if one dies, it's easy to configure a new one.
Isn't this a common complaint that SMS fallback cannot even be turned off? People say SMS is not secure enough so they switch to something better, but all the services do SMS fallback anyway so what is the point of using the more secure one?
SMS 2FA leads to these problems.
But A FIDO2/WebAuthn token (yubikey or similar) would help you stay secure and independent from your phone. I agree that yubikey is a bit expensive, but there are alternatives. Token2 seems quite bit cheaper, but depends on shipping: https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2...
I have broken my phone multiple times, but I always stick to SMS 2FA because as long as I keep paying I will get a new SIM card in 2-3 days, and not be locked out, because of a lost or broken device.
Just stick your 2FAs in your password manager, like I do with Bitwarden. I secure it with a Yubikey, but if I lost my house, I would just remove 2FA from it. My bigger concern would be to get cut out, than people somehow guessing my master password.
SMS 2FA is always a terrible idea, homeless or not. It's honestly better to just go 1FA in that case.
Get a 2FA using QR code or U2F key (not SMS or phone based).
Edit: One suggestion from me would be to try and start the dead phone connected to power but with the battery physically removed (assuming it's removable). That might bypass whatever issue it's having and let it start up.
I have been homeless. I'm not currently. But this is an extremely stressful situation that could do all kinds of damage to my life if I can't get it sorted.
As a user it doesn't matter how well you manage your own security when that can happen.
I don't try to crow about being some kind of tech genius because for the HN crowd I'm not. But I'm not poor due to being mentally retarded or something. I have an incurable medical condition as does one of my adult sons.
Edit: thanks! Solved. I’ve deleted this part of the comment because I always feel very socially awkward and afraid I’ll make others feel awkward.
If you have been in hn so long you do know the numerous times people have lost accounts by not having backup to 2FA. TOTP is the only option.
Bottom line, though, is that these companies should be required to find a way to maintain that high level of security, but also have a process so anyone who loses account access can get it back in a reasonable amount of time.
Homeless people don't need to use 2fa if they are so unconcerned with someone stealing their account or identity. For the rest of us 2fa and making it hard to steal accounts is 100% a must.
If you don't have a verification method—or cannot access it—Google will literally just lock you out.
I have personally experienced this on accounts I don't access regularly.
I hope so because otherwise you are just discriminating people based on their wealth. But praise lord dollar that if you ever fall from your status you won't find pedantic guys like you when seeking for help.
Does that make it right? No. Does that mean people won’t get hurt? No. Plenty of ink on HN has been spilt about how companies act according to a profit motive, and often not in societies best interest. Recognizing this doesn’t make you complicit.
But i am not homeless. I'm sorry if this is cold, but should i have to have an insecure account because homeless people exist?
Its not like google has a monopoly on email service providers.
No, of course not.
This is like when people who drive get chuffed about pedestrians wanting their lives to work and acting like "Well, if we do anything for you, then my life will fall apart." As if we can only build a world that works for cars or build a world that works for non-drivers and the other camp just has to accept a sucky life and all kinds of flak for not liking it.
What in the hell makes you think someone must get screwed and it might as well be those who already have the least? No one is asking you to get screwed here.
You can't have google letting people back in their account unverified if they ask nicely not affect other people with accounts.
I don't really see that anywhere; I think you're jumping to conclusions.
Every system will need to have some escape hatches, whether that's a governmental bureaucratic process or a Google account recovery process. Because no matter how well you design a system some folks are going to fall outside of it because the world is complex and the number of possible situations are too many to capture.
"Yes, but it's only 1%" – yes, but it's 1% for system A, and a different 1% for system B, etc. and it all adds up.
All of this is why things like appeals exist in many processes, and why we have judges in addition to mountains of laws. None of this is perfect by any means and there's lots that can be improved, but at least there's the recognition that The System isn't perfect – even if it's more symbolic than anything else at times.
If I lose access to my HN account then that might be annoying, but fundamentally it's not really a big deal, at least not for me. But some accounts/services are connected to all sorts of things and much more important than some HN account and connect to "real life" in much more complex and impactful ways. You can't on one hand have a service wanting to become central in people's lives but on the other hand also just shrug at the edge cases and pretend it's not your responsibility when people get screwed over.
Sure, some people are going to lose their only device and the bit of paper, but at that point if you have literally nothing to identify yourself with, it's going to be hard to provide a secure service to you.
It doesn't matter how much in general 2FA works out better for most people, there are lots of people for whom it is not viable. They know who they are. Give them an option that doesn't make their life worse.
This is the sort of thing that really should be handled by government
OP knows who they are, but I would not be surprised if many poor/homeless users wouldn't realize they need to opt out of something until they find out the hard way when they're locked out and can't get back in.
Just make it opt out... You 2fa, do a song and dance, and 2fa is gone
Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.
Only I know the threat models I care about for any particular account I have.
For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.
For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.
Only I can possibly know the correct answer, so for a service provider to come in an impose their policy on my requirements is fundamentally wrong.
You are not neccesarily the person being negatively effective.
Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fall out.
There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.
In this instance if they need a code why is there not a process to hell use US Mail and send a paper code to the registered address of the account owner? Analog is often the solution to these type of problems
I have this at the moment - I'm travelling, moving country every few weeks, so I need a new SIM card and phone number every few weeks. My phone number is temporary at best.
I'd massively prefer to take the risk of my identity being stolen than constantly fighting security measures that assume people never change their phone number (or country of residence, etc).
There are no "support people". Let's stop trying to humanise a giant, hostile algorithm.
Even worse than that, they're often connecting from public IPs that are "suspicious" which causes automated systems to treat them more harshly.
In Canada it's gotten to the point where you need an internet connected device to participate in the most important systems; government, banking, etc.. It's very sad that device can't be supplied by the libraries. They have them, but big tech discriminates against anything that's not a personal computing device.
Looks like the CRTC mandates cheap plans the mobile companies offer free phone and plans too.
https://www.telus.com/en/about/news-and-events/media-release...
Here is the submission: https://news.ycombinator.com/item?id=32304320 (August 2022, the letter submitted is from 2021)
To be precise, anything that's not a "personal" computing device running the latest spyware-filled locked-down software and a browser that can be anything as long as it's the three that Google implicitly "approve".
government, banking, etc..
Banking is private-sector, but I believe the government should always be accessible even if you live like the Amish...
https://en.wikipedia.org/wiki/Amish#Canada
...and I wonder how they get along there since they're apparently present in Canada too.
Historically, you were known by people around you and you could be "verified by relative" in the case of a house fire destroying all your documents or something, but your life mostly worked in your home town and traveling or moving elsewhere was hard. Trying to cash a check anywhere but your home town was hard, etc.
I'm a former military wife and this was a big enough issue for the American military that military facilities would cash your check at the BX/PX. Local banks and such often wanted nothing to do with military members.
And now we have this highly digital, highly mobile society and if you are rich enough and such and keep all your ducks in a row all the time, you have tremendous freedom to roam the world, pay with plastic, etc. But for a lot of people, it's increasingly problematic that we default to state ID and digital formats and so forth.
These systems should enhance older methods of making life work, not crowd them out and make life a living hell for anyone who can't keep up with it. And we should be optimizing for helping ordinary people make their lives work, not optimizing for trying to squelch bad actors and too bad, so sad if innocent bystanders get run over in the process.
I don't know how to make my life work. It seems impossible at this point and it really shouldn't be. We have the means to make life for me actually work and no matter how much I do, it's never enough.
I got a notice from my state that I'm required to make future tax payments electronically. For that they require ACH. Banking may be private sector but participating in it is increasingly non-optional.
What's worse is that the the error messages never explain the problem. It's just an endless sequence of "Oops! Something went wrong" "We could not fulfill your request" "Please try again later".
Could drive someone crazy if they're not savvy enough to realize what's going on.
You're absolutely right. They each carry the tone of "This content isn't available right now", like when trying to view a tweet from a shadowbanned user. I've seen that drive people, particularly family, into a kind of aggressive version of frustration.
At this point it's merely static deception. Wait until they run a GPT bot programmed to interactively lie to you, deflect, stall, misdirect and stonewall you based on your personal profile. These companies are devious and untrustworthy to their core, and the only reason anyone uses them is because they're forced to.
I experienced the only slightly inconvenient of this when I was replacing my bank card, even going into a Pret, I was unlucky enough to go into one randomly that didn't accept cash.
But for people that don't have bank cards, or can't charge their phones this is a real problem.
https://news.ycombinator.com/item?id=32304320
Go look at what you can buy for an Android phone if you exchange 100 USD to rupees in Rawalpindi Pakistan for instance.
Now imagine you drop your phone or screw up its hardware somehow and want to get it repaired, you can probably fix it at a local repair shop (some 1-man operation in a tiny retail stall) for $20-30 max with basic hand tools. Those guys might have a collection of pieces of the same model phone you have, or the ability to take 4 dead phones and mix/match pieces to make 2 working ones out of them and then re-sell them, etc.
I wrote a piece called So You Want to do a Website to Help the Homeless that might interest you: https://streetlifesolutions.blogspot.com/2020/05/so-you-want...
The local police department does -- or did at one time -- pass out flyers I made listing online resources for the homeless and there is an edited version of those flyers here: http://www.eclogiselle.com/2020/10/free-and-custom-flyers-as...
I tried to establish some kind of homeless smartphone project. It never went anywhere. If you want to read what little I did as food for thought for what you might do, you can start here: https://streetlifesolutions.blogspot.com/2018/04/project-hom...
If tech is your thing, coolios. Run with that. Better to do something than to do nothing.
But if you really want to make a dent in homelessness, my research suggests that this is mostly a housing supply/housing affordability issue. We aren't building enough new housing and what we do build tends to be too big and tends to require a car to make life work, which is an additional big expense and -- at least for some people -- a logistical issue even if they had the money. Some handicapped people simply don't drive. Some seniors simply don't drive anymore. Etc.
So if you really want to work on homelessness, I would encourage you to educate yourself about housing issues in your neck of the woods and try to get involved. I write about my ideas about what I would like to see for the US here if you want to look that over: https://projectsro.blogspot.com/
best support in tech
Only support in tech.
Google just paternalistically chooses which device they think should be your most trusted one, and then insists that you produce it. No consent, no concern for your actual security model, just pure snake oil that tech-rubes eat up as "2fA sEcUrItY". Any damn time I want to use a Google account from a desktop browser, I get the same rigamarole of having to unearth some discharged tablet and wait for it to charge, just to jump through their nonsense. I shudder to think what would happen if I took the obvious remedy and just removed those devices from my account.
Obviously there must be a process to gain access when your phone with an authenticator app is lost or destroyed. Why is that process not working?
See if you can revert to SMS verification through some option at login. I can't verify it now, but the choice could be accessible though something non-obvious like "I'm having problems verifying". Make sure it's trying to use a text message instead of some other method... and let's hope you have it configured.
I know it's of no consolation for you OP at this point though.
If not, then 2fa just pisses people of with no security gain But I surely hope it is not!
Also Google is totally doing the right thing here. The slow down and wait is precisely the thing that protects you from identity theft if somebody waits until your phone is turned off, clones your SIM, and pretends to be in precisely this situation.
Hopefully in THAT case, you notice the "somebody is trying to get into your account" and say "no, this is a hack attempt".
Good luck.
https://myaccount.google.com/security
> So my phone has been failing to charge for three weeks and I bought a new phone today and can't get it set up because the old one is dead and I can't get a verification code. So I moved the old sim card on the advice of one of my sons and the codes are still going to the old physical phone and Google says it will send me a link in 72 hours.
https://i.imgur.com/hENFQtG.png
As seen in the image, nearly 10 years, never a single issue, and there's not a chance of someone compromising one of my active 2FA options.
It feels like it might.
This isn’t counting the productivity that’s lost to actually using the TFA system successfully, which is probably measurable on a population level.
It's why companies don't offer phone support. Or ones that do (like mine) get premium pricing.
At least the market economy and 'capitalism' offers the choice of foregoing on those 'premium' services by enabling me to run my own services on my own hardware connected to the 'net through my own fibre connection. Since 'capitalism' leads to more choice it puts the onus on the individual to choose wisely. For some that choice comes down to paying more for those 'premium' services, for others - like me - it means I do a little more work to be able to run my own things. If I loose access I can get it back, the hardware is right here on the farm after all. I have 2FA enabled on a number of services to protect against leaked passwords but since everything is run in-house I can always get back access if I for some reason lost (access to) my devices and backup codes.
This is a win for 'capitalism' as far as I'm concerned no matter which way you turn it - those who want to be served can get served, those who want to serve themselves can do so. You do need to make a conscious decision on what side of the divide - pay and be served or do the work to serve yourself - you want to be on since the space in between can be treacherous to navigate. You also do need to react if a supplier does not keep to its end of the bargain if the system is to work. For the likes of Google/Microsoft/Facemetabook/Apple/etc. this means you should avoid them if possible in any way and if not, make sure you have a way out if they start acting up.
You should be given the option to opt out of this, have your data E2E encrypted, and if you lose your creds your data loss is on you. But for everyone else, they can then provide ID and get their digital identity and data back (at a very low cost to the service provider, proofing is usually $1-2/request in bulk; if you want to charge the user that cost, that’s palatable).
(corp|customer identity governance and proofing is a component of my work at a fintech)
https://media.fidoalliance.org/wp-content/uploads/2019/02/FI... ("Recommended Account Recovery Practices for FIDO Relying Parties", Page 3)
https://doi.org/10.6028/NIST.SP.800-63a NIST SP 800-63A Enrollment and Identity Proofing
1a) be possible to be disabled or
1b) Offer non-electronic second factors such as paper codes
2) Offer a broad range of options in general, not just phone or even worse only SMS. I can count the services that I can use my Yubikeys with on one hand
3) Be predictable (or at least be configurable like that) by the user and not behave different on weird conditions such as your IP
4) Allow to configure more than just 2 factors. 2 factors are really bad. It should usually be 1 or 3+.
5) It should educate properly about how to use it and also about the risks (e.g. increased change of losing access, especially when certain factors are used)
I think that when identity proofing actually becomes important, we should fully leave private services. That is something too important, so the state should either standardize and enforce it or offer it. Maybe, offering a wide-scale MFA / Auth solution should come with similar restrictions that we have for finance, including the identity proofing fallback your mentioned.
On the other hand if your account is taken over, it could be used to perpetuate scams (which could harm your loved ones if they fall for the scams), it could be used for various things that might hurt your reputation. Or depending on the type of account it might be a stepping stone to get into, I dunno, your bill-paying account for some utility company, which will probably have all your bank account details in there because utilities companies tend to not be super on the ball about that kind of thing.
MFA is the best mechanism to stop hackers from constantly hacking everyone. Without it everyone would be getting brute forced 24/7.
At Google at least, there are people who are responsible for measuring this sort of thing. 2FA adoption reduces overall account loss.
If you're going to use a resistor use something like 100 Ohm, that way you will still be able to see some effect of your action before Christmas and if you have access to a volt meter connect it parallel to the battery to see what's going on. As for the 4.2V, that's a single cell, some phones/tablets will have a couple of those in series so you can't assume that you'll find anything up to 4.2V at the battery terminals, checking that should be your first stop before attempting any of this.
Linking to a long form YT video with some gd floating talking head screencasting a Mac, with no text description really just seals the deal.
I don't think money is going to fix the problem at hand, but I suppose I'll extend a similar offer - I'd Western Union cash to you Doreen, if it would help, or help you purchase a good meal so you can regroup/recharge.
Fair enough!
> I'd Western Union cash to you Doreen, if it would help, or help you purchase a good meal so you can regroup/recharge.
Very generous of you and you're right, probably more user friendly to the OP. But I can't remember I haven't used WU in a long time.
If I worked in tech I'd offer you access to a solution but this is all I've got. I hope this problem doesn't last long for you.
Sadly, even many google employees's spouses lost account with no recourse.
Lets say you are employed in US embassy in Kabul - you just think you could issue visas out of your sympathy. (i.e) FAANG has become as large as govt.
I have a yubikey as my main 2FA. If I lose it or it breaks I can still get in with:
- my spare yubikey
- my phone
- backup codes
Please do not treat them this way. They do not grant access to your account. Print many copies of your recovery codes and spread them around. Wallet, home, car, parents' house, etc. It doesn't matter if they get stolen or whatever, again they don't grant access to your account, and they can be revoked at any time.
I know that educating people about this is not a scalable solution to the problem of people getting locked out of their accounts. But maybe it could help you, reader of this comment, if you someday need recovery codes.
Can you expand on that? Once I have such code, what’s stopping me from “stealing” the account?
1. System reports "print out these recovery codes and deposit them in multiple places so you will never lose access to your account". User John Doe posts his security codes on his Facebook page and gets hacked.
2. System reports "print out these security codes and store them in a safe place". User prints them out and stores them in a drawer, but his house burns down and the user loses access forever.
Both scenarios are shitty, but I think 1 is more likely.
Of course, you could write a detailed guideline on where to store your codes, and that you should share them with some trusted people but not everyone etc. But who's gonna read that?
People who understand security already take threat models into account, but those who don't need very simple guidelines.
Treating printed paper codes as "widely known" and effectively useless simply because they could theoretically be stolen is silly. In a reasonable threat model for almost all people, the intersection of the set of threats that might get access to printed paper codes and the set of threats that might hack/phish your password is very small. The vast majority of threats are still protected against, while the very real possibility of being locked out of your account is drastically reduced. It's a good trade for almost everyone.
https://messages.google.com/disable-chat