Ask HN: If I get locked out of everything, please try to help me

659 points by DoreenMichele ↗ HN
I'm dirt poor. Everyone here should know that.

So my phone has been failing to charge for three weeks and I bought a new phone today and can't get it set up because the old one is dead and I can't get a verification code. So I moved the old sim card on the advice of one of my sons and the codes are still going to the old physical phone and Google says it will send me a link in 72 hours.

Google is convinced I'm trying to break into my own accounts because I can't get access to codes on my dead phone. So I may lose my access to my google account, my blogs, etc.

If anyone has contacts at google and can tell them, yea, verily, Doreen Michele Traylor is a real person who is real poor and we all know her and please let her keep her phone number and her (my full name) google account and get me out of this fucking nightmare, that would be coolios.

Please and thank you.

349 comments

[ 0.26 ms ] story [ 331 ms ] thread
(comment deleted)
This is my nightmare. This is why I refuse to use 2FA. (Except on services that require it, and I wish they didn't require it.)

Am I worried about getting hacked? Absolutely! But when I weigh the likelihood of (1) someone else getting into my account without 2FA and (2) locking myself out of my own account with 2FA, the latter seems much more likely!

I understand how backup codes work. I promise you I will loose them.

I'm seriously medically handicapped and have terrible eyesight issues. I typed the wrong password at first.

I still had 1 percent power on my phone earlier and was previously able to get a code on it and I hoped I could get one last code before it outright died, so I said "Yeah, sure, send it to my phone" since they don't really want to do it another way.

So then I had to ask another way when I couldn't get to it because that is when the phone gave up the ghost for good. And then they said "We shall send you a link in 24 hours." So I moved the sim card and got text messages saying "Was this you?" and I said "Yeah, it was." and cancelled my "account recovery process" and tried to continue setting up my new phone because the old one is dead.

And this is when Google decided I must be a for serious criminal and told me "We shall send you an email in 72 hours."

So I'm quite upset at this point.

I think you should take your phone to a store which can fix your phone. Googles code doesn't come as an SMS it comes as a notification from the Google app. Almost lost an account to this last week. Turned off 2fa.
I'm in a small town. I have no car. I no longer drive. I don't see well enough.

I work from home due to my medical situation. I have no friends locally who can drive me someplace.

Etc etc etc.

This is a non-starter for me. I need Google to fix this. I can't do anything about the busted phone at this point.

On HN you might get access to someone at Google, or someone from here might drive TO you. Any takers? I’m on the wrong continent.
(comment deleted)
Sorry to hear about your situation. We really need to host our own email or utilize a paid service, but it becomes cumbersome and expensive. I'm not sure what the solution to this is.
On the off chance it helps, because I don't see anyone else mentioning it: could it be that your charging port is stuffed with lint? If you have a thin needle, try to poke inside and see how much material can you get out of the port.

Despite this being a common problem, it's not well recognized, and it's easy to forget about it too. I went through several charging cables and almost replaced my phone half a year ago, before I remembered - and sure enough, all my charging issues were caused by a layer of lint at the back of the port, that got compacted by the charging cable so well that it formed a flat "false wall". I forgot all about it, even though I've performed the exact same fix on other people's devices in the past.

Hope it helps; if not, I apologize for wasting your time.

This has happened to me at least twice and it’s taken too long to realise each time. Further, even if you think you’ve cleaned it, it can need more. I’ve had to scrape away at it before it will charge, and even then sometimes only at an angle or with a book resting on the cable/connection. Given it’s not OP’s issue, hopefully these posts help someone else.
> even then sometimes only at an angle or with a book resting on the cable/connection

That’s probably mechanical stress causing the port to become loose. It can happen after a few years.

A plastic toothpick worked best for me, and it lowers the risk of scratching / piercing something with the needle.
How much are you paying for this service you need google to fix? I ask because with their paid email products there are a fair number of routes to get help, your admin, then if that doesn't work you can go up the chain... If you are on a free account you may not be (individually) worth a ton to google revenue wise and so support is going to be poor (they have 1.8billion+ ACTIVE gmail users I think - if they increase costs by $5/user, that's a $10B expense. )

Does helping you look like potentially helping a hacker take over an account, recognizing that google deals with totally crazy state level attacks? Google faces some significant liability and risk here.

Would you pay google to make it worth their time to help you (I actually think this should be an option - if a physical in person visit + someones time is what it takes - then google should have some system for $500 + you get to their office somewhere to recover your account)

I've had relatives in this situation. If you do know someone at a large institution with an institutional relationship I think you can sometimes get help - I had a relative go this route, wasn't sure if the IT folks there just figured out how to fix / work within google, or could escalate somewhere to get it addressed.

Because google will worry about reps selling access to account resets - they may REALLY lock this stuff down, so even if a rep wanted to help, they may not be able to (insider attacks a big issue again especially state sponsored attacks).

It's pretty tone-deaf to tell someone who's posted about being poor and previously homeless that they should have to pay Google $500 to recover their account.
Honestly to be expected here. I opened up about my own homelessness while being employed in my field of study for over 20 years. I received a bunch of vitriol and downvotes for my honesty. If ever you need a reminder that you are surrounded by "anarcho-capitalists" just scroll through any HN comments field pertaining to the intersection of ethics and the economy.
HN is a big forum, so you get all kinds here, but it is at least not mod policy to actively encourage membership to target and hate on its poorest members as was done to me elsewhere while I was homeless -- on a forum that gets chatted up an excessive amount as some wonderful online space.
There's a lot of abstract victim-blaming here re articles etc, and for sure the SV set for the most part is pretty clueless about the real world (though it looks like it's coming for them!).

But people here seem a bit less threatened by very poor individuals actually posting here than in most online places. I know from my own experience that mentioning you're homeless is usually a red rag to a bull. Add that you're an unemployed software developer, and the self-loathing middle class is often very quickly off on a hate-rampage. Less so here, for some reason. Perhaps just because people here are focused on topics of common interest, so if you're a loser (generally hated by the winners, worried that by the grace of providence they might have been you ..), at least you're one of our losers?

I don’t know all the conditions of your devices, and your accounts, so I don’t know if this will even help. It’s probably too late for this advice and your Google account, but maybe for other accounts. If not you, hopefully someone else who reads this.

Many accounts that support 2FA let you download a few (commonly 10) static codes that don’t change. If you anticipate a situation where you may lose connectivity access like this, it may make sense to download the codes and store them in a physical notebook.

You could print them and store them in a safe, or in your parents' collections of old embarrassing photos of you. Just an idea.
I carefully store backup codes on my Bitwarden vault so I know where to find them. Also, I use Yubikeys for 2FA, those are reliable enough and you don’t need to rely on phones that could break.
If you store the backup codes in your Bitwarden account, why not simply store the secret itself there, and use Bitwarden as your TOTP app?
I find it convenient to just touch a key instead of copy/pasting a TOTP
>This is why I will not use 2FA except on services where it is absolutely required

Software 2FA just computes a number based on a secret string. You treat the latter the same way you take care of your passwords. That's why it's best to handle them with your password manager. 2FA over SMS is even less of an issue (except maybe with a broken eSIM chip). Physical methods are a problem, so you have to spend money for a backup.

I could store the secret in my password manager if I paid for Bitwarden Premium (and at $10 a year, price isn't really the issue), but then what is even the point? If my password and my secret are stored in the same place then that's really just a single factor, so I'm making the login process more annoying for no reason.
I'd see it as a single point of failure, but not necessarily a single factor. If the password is compromised due to a problem on the application side, they still can't get in to your account without the TOTP code.

Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.

Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP

> If the password is compromised due to a problem on the application side, they still can't get in to your account without the TOTP code.

But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.

> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP

But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.

How many well-formed passwords can and will you remember? How often are you willing to change them afterwards? How secure is your 2FA app? How secure is your device against keylogging? How sure are you no one will watch what you've typed in or when you reveal it to fix a typing error? And so on. It isn't as if there are no issues with the classic way.

That's why you maintain the knowledge-possession separation at the access to your password manager (file) with a combination of a password and either a key file or hardware key.

If you store your secrets in encrypted files rather than specialized server solutions, it's also easier to separate and store them in different locations.

Sorry, I don't understand where you're going with your questions. I do use a password manager (Bitwarden). I do not use 2FA. I don't understand how using so-called 2FA but storing my secrets in the same place as my passwords would make me more secure.
You should reread your own posts. I'm only responding to what you write yourself.

If you do not understand the purpose 2FA, there are plenty of online resources available.

As I explicitly wrote, you can store secrets in separate places, and if you don't, you still protect yourself against password recovery attacks or interception and add redundancy.

(comment deleted)
Really 2FA is just a complex way to give users a strong unique password. Everything else about it is security theatre (e.g. why do you care about your password and secret stored in the same place, when your session cookie is just stored in one place and all the attacker needs)
Well, and that's why I'm not eager to enable 2FA just to store the secrets in the same place I already store my passwords (Bitwarden).
SMS is a much bigger issue if you are in another country, temporarily lose access to your phone, or work in a building without phone reception. It's prone to SIM swaps and could be intercepted by other apps on your phone. It requires having a fixed, serviced phone number, which people don't always have: children, homeless people and recent immigrants might struggle with that.

All of these scenarios happened to me, and I'm a fairly normal person.

SMS isn't an issue because you can just take out the SIM card and insert it elsewhere. What you're talking about wasn't the subject I was addressing.
I use authy (free) for 2FA TOTP and have it set up on my work laptop, my home laptop, and my phone. As long as least one of those is still good, I should still be able to get in.

I honestly don't know what's going on behind the scenes to know if this is not as secure as it "should" be. But this was my reaction specifically to the non-SMS TOTP 2fa: Wait, if I lose my phone there's literally no way possible to get in? Oh there is, if I have the backup codes... yeah right, you think I can hold on to backup codes? Surely there's something I'm missing, what is everyone else doing here? Oh, everyone else is just hoping they never lose their phone? Really?

> As long as least one of those is still good, I should still be able to get in.

Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA.

Correct. I have a fully bricked tablet because of this.
They expect that none of your devices will ever die? This makes no sense.
It makes plenty of sense to Google: engineer for the 98% use case and the remaining 2% should just go away and stop wasting their time.
100% of devices will fail, eventually. It is kicking the can down the road.
Hey it worked for the UNIX epoch, till those guys retired.
They're banking on you upgrading your device before it dies, as opposed to e.g. accidentally dropping it onto pavement and cracking the screen.

Had that happen to me, I was saved by still having the backup codes + having some unholy Tasker + Pebble automations that let me operate the phone without display - enough to launch AirDroid, use it as remote display/input to enable ADB over WiFi, and then finally use scrscpy over ADB as a remote display/input that doesn't blank out on security screens and in Google Authenticator. Only at this point I was able to transfer all the other TOTP entries in Authenticator to the new device.

Lesson learned: 2FA with TOTP is a responsibility to be taken seriously, despite what security professionals would make you believe.

Enable debugging on your phone preemptively, then you can remote display over USB :).
Doesn't matter, if the current people can get promoted. Problem is for future Googlers </sarcasm>
Many things are designed by roughly the same kind of people in roughly the same area. They are blind to a lot of use cases. Besides, it's a government's mandate to cover edge cases. Businesses only do it when compelled.
I had a similarly frustrating issue happen with PayPal, only they were refusing to let me log in with my YubiKey, insisting on SMS. But their phone system couldn't send a message to me by SMS. It errored before it even tried, because I could have gotten a code on that phone if they had actually sent it.

If I've agreed to use and keep track of a very small physical device to access my account, don't be going letting any ol' person who can access my phone number in there!

I have uninstalled Google applications from most of the mobile devices that I use for this exact reason.
Google will send you codes to devices that don’t even have the app installed. Ask me how I know.
use AndOTP with QR code from fdroid. Go to account settings in desktop browser and remove the phone as 2FA. It will not ask any code to device.
Google somehow seems to think I own this device despite it not being one of the devices on my account.
> Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA

This exact situation has been such a thorn in my side at my company lately. Does anyone know any way to disable this behavior, even just with Google Workspace accounts?

I've still yet to see a single bit of proof of this outside of claims from people who couldn't bother to do the things you're supposed to do when setting up 2FA. I remain skeptical.

All these claims and not a single screenshot of this scenario. Meanwhile I've been in 4 countries in 8 weeks and Google hasn't bothered me once beyond the normal "tap my yubikey on my keychain".

> work laptop, my home laptop, and my phone

There’s a fire or gas explosion or earthquake or something, and you need to leave all those behind. What do you do?

> Oh, everyone else is just hoping they never lose their phone? Really?

I would be very, very surprised if that’s not what the vast majority of the population is doing. Many people have a phone as their _only_ computing device, and no printer, and don’t really understand why they should be carrying around scrawled codes in their wallet.

> What do you do?

I get screwed!

I guess the right answer is that I have the backup codes carefully preserved.... off site! In case of natural disaster. Every time I sign up for a new account, I print out the backup codes, and take them to an off-site secure storage location, which of course i have... somewhere.

There's no way 90%+ of internet users are doing that.

I'm not even going to pretend I have any chance of doing that.

Ah, I see we both have a more similar view than I thought!

I really should be storing some codes for my password manager somewhere…

Although not as safe as a printout, I keep codes encrypted on a couple of flash drives, one stays in a drawer and one that's always on my person with my keys, yubikey etc. Haven't needed the codes thus far but feels like a decent compromise.
Note that flash drives typically use the absolute cheapest NAND cells available and I'm not sure what their shelf life would be...
That's a fair point, maybe I should have some SSD backups in addition to cloud backups.
90% of people just enter their phone number and call it a day because for most people it works just fine (barring simswaps hacks etc)

for the rest there are other options.

> I have the backup codes carefully preserved.... off site

Yeah f no. Most people just screenshot their backup codes and put it in a Google doc somewhere in plain text, at best. And at worst, they go "what the hell are these codes" and close the window.

Which, security-minded folks would know, is effectively equivalent to just writing passwords down in plain text.

Nobody thought to put even a tiny speck of product management into this system.

I recently switched my laptop and my phone together, even though I have the same number, I cannot recover my account. SMS is better because even if you lose your phone, you can get a replacement sim card. Only if SMS is enough. In the case of Google accounts, no, it is not enough.
Considering that Authy relies on an SMS OTP for the account creation (and possibly account recovery), I prefer to use something else that provides the benefits of cloud syncing across devices and isn’t tied to a phone number. I understand that SMS OTP is simple for most people to handle (encouraged by many platforms over the years), but I just cannot get past that barrier to choose Authy over something else for personal use.
I'm literally only using it for things that require it. (including heroku, and rubygems). My thinking is: how do I meet this requirement with the least likelyhood of later locking myself out forever, and having HN threads blaming and shaming me for not carefully preserving my backup codes in a firesafe crypt?

If someone wants me enough to target Authy with an SMS reroute attack focused on me, they're gonna get me either way. I'm not Ed Snowden here, I'm just a guy trying not to lose his car keys.

But, what's the thing you use that provides the benefits of cloud syncing across devices and isn’t tied to a phone number? For anyone that might be interested, including me if it seems as easy and as idiot-proof. (and free or cheap).

Most password managers has 2FA TOTP support these days so your OTP will be available on all devices that has your password manager installed.
Password managers usually have a comment field where you can store the backup codes.
Also, it's kinda like Google corrupted 2FA TOTP's workflow : it should work on any device that implements the right algorithm and secret key. Instead Google sometimes turns it into MFA tied to a specific mobile device.

When that happens, Google asks to confirm with a known mobile device even though I have specifically configured 2FA TOTP since 2012 to be device independent (and I currently use keepassxc or mobile equivalent to generate the totp value). Google subsequently doesn't allow login by any other method and if the required device is lost or broken you lose access.

It's simple. If you assume the real possibility of losing your digital account, then act like you'll lose it tomorrow. Adjust your life and move on. I don't care about digital accounts. I switch my main mail and phone every few years just for the sake of it. I avoid buying stuff bound to digital account. My accounts are disposable and have zero value other than nostalgic one.

I didn't lose a single account yet. I have printed backup codes, I have password manager, I have passwords backup in a text file on thumb drive, two copies. I have my domain held by registrar in my country, so I can just visit their office with my ID and talk with them. So I take some reasonable measures to protect myself. But I have no fear of losing those digital assets.

I actually gave a thought about protecting myself by creating a single 100% reliable email and then bind other accounts to that mail. Believe it or not: I didn't find any provider which would satisfy me. My worst case scenario: I'm going to jail for 20 years. Every free provider will delete my account after few years of inactivity. Paid providers usually are small enough so I wouldn't trust them anyway. My current plan is using my own domain with autopayment and enough balance on account. But of course that's not reliable. Registrar might just go bankrupt. And I can't really reserve my domain for 50 years no matter how much money would I pay.

Wow, wish I thought of that 24 years ago.

Also, check out mxroute.com for SMTP/IMAP needs.

> But of course that's not reliable. Registrar might just go bankrupt

If you registered a gTLD, you're theoretically safe from registrar bankruptcy, or even from a registrar losing all their data for whatever reason. Per the ICANN agreement, the registrars have to send a copy of their database to a third party escrow agent regularly (where I worked before we sent a differential backup everyday and a full backup once a week). This way, if the registrar cannot assume its role anymore, another registrar takes over.

Note that this is not true for ccTLDs (ie. every 2 character TLD). That's a reason you should prefer gTLDs if you want to prevent a worst case scenario. I usually recommend a .com or .net because Verisign is, in my opinion, the most reliable registry in the world. If you stick with .com/.net, you're safe from any registrar failure, and there's not a single chance that anything happens to the registry.

ccTLDs might have an emergency plan but it will depend on the registry. So if you really want a ccTLD:

- get familiar with the registry and its rules

- do NOT get the ccTLD of a country other than your own. Eligibility rules can change, so you could lose your domain if the registry decides that they now want to only sell to residents. British people lose eligibility over .eu for example, not because a change in eligibility rules, but because of a change in their own status.

- do NOT get the ccTLD of a small country, unless the registry delegates the technical stuff to a reliable registry backend. Small countries have crappy infrastructures, so DNS resolution could get unreliable. This famously happened to Notion.so (so -> Somalia) a little while ago.

> This is why I refuse to use 2FA.

That just makes it even more likely you'll lose access. If you have 2fA, Google will just ask for your 2fa. If you don't have 2fa, Google will pick some random device you signed in on once ten years ago, and tell you that you can only ever log into your account again if it's from that device.

It seems possible to disable this by manually logging out of all your devices in google account management, then never using them to log into your google account again. I've done that, but the fact that this is the only solution is unbelievably insane.
you can set up multiple redundant mfa methods, eg i have two yubikeys in separate locations plus phone totp
I understand this view. Unlike every other reply to your comment I am not going to suggest various 2FA schemes that I would invariably screw-up and just add my voice to yours.

2FA might be good for security, but it's also very ableist.

I was able to answer something snarky to you, but then I gave it more thought and realized you're right. Anything beyond a simple password is very complicated when you're dirt poor. Printing is complicated. Having a physical vault is complicated. Buying a yubikey is complicated. Paying for the premium version of a password manager is complicated.

Just like with accessibility on the web, it's so easy to forget about that when you're not in the situation yourself. Thank you

Thanks for a lovely comment. I am privileged myself, which makes it hard for me to see what systems oppress those less fortunate. But I often "peak over the fence" when I deal with my ADHD and face the challenges of renting in a volatile market. I move often, and I forget/lose stuff constantly. I have to laugh when people suggest a physical yubikey - there is no way I am not going to lose it eventually.

I don't have a lot of sympathy for big tech when it so clearly fails to enfranchise those that need it most.

Use a password manager and your problems will all disappear.
> Am I worried about getting hacked? Absolutely!

If you set a strong, long, unique password for every account, your chances of getting the account compromised are just about zero.

2FA is a good thing in most cases, but I do hate how the industry has blindly adopted it as some sort of mantra that you can't exist without. The reality is that if you chose 128+ bit passwords generated out of /dev/random, they cannot be brute-forced within the lifetime of the universe. You might get phished, which is entirely different, but if you're careful about that you'll do fine without 2FA.

How will you avoid fake login pages? Those can even phish SMS and TOTP 2FA.

Yubikey 2FA (and equivalents) help to solve this.

Bitwarden will show if I'm not on the right domain. It's not perfect, but a USB key is a nonstarter for me (going back to "I'm more worried about locking myself out than someone else getting in.")
Where do you store those passwords?
There are redundancy systems to avoid getting locked out of 2FA.

- 1st Backup Codes: Store a bunch of 2FA backup codes on a safe location, best not in YOUR home, in case it burns down.

- 2nd SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind, that SMS is also one of the least secure 2FA methods.

- 3rd instead of having your auth codes only on one device, use a service for it like Authy, so you can install it on as much devices as you like, if one dies, it's easy to configure a new one.

> - 2nd SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind, that SMS is also one of the least secure 2FA methods.

Isn't this a common complaint that SMS fallback cannot even be turned off? People say SMS is not secure enough so they switch to something better, but all the services do SMS fallback anyway so what is the point of using the more secure one?

Not all 2FA is the same.

SMS 2FA leads to these problems.

But A FIDO2/WebAuthn token (yubikey or similar) would help you stay secure and independent from your phone. I agree that yubikey is a bit expensive, but there are alternatives. Token2 seems quite bit cheaper, but depends on shipping: https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2...

>SMS 2FA leads to these problems.

I have broken my phone multiple times, but I always stick to SMS 2FA because as long as I keep paying I will get a new SIM card in 2-3 days, and not be locked out, because of a lost or broken device.

I would avoid a Yubikey if I were homeless and someone could steal it or I could lose it.

Just stick your 2FAs in your password manager, like I do with Bitwarden. I secure it with a Yubikey, but if I lost my house, I would just remove 2FA from it. My bigger concern would be to get cut out, than people somehow guessing my master password.

SMS 2FA is always a terrible idea, homeless or not. It's honestly better to just go 1FA in that case.

I love 2FA, but only the TOTP based ones. No codes on my phone, emails or already authorized devices please
Github is extremely insistant on sending me a 2FA push notification on the mobile app every time I want to connect to the desktop. I find it very annoying because I configured TOTP based 2FA and do not want to rely on any proprietary 2FA mechanism. I just can't seem to make it understand that I want to use my TOTP tokens and only that.
remove mobile app as a 2FA. Use U2F/FIDO.
There’s no way to remove it if you have the app installed
What does it do if your device is off or somewhere inaccessible? (sounds frustrating)
Can say for sure if you have any of FAANG accounts next time you get a new laptop or even reinstall - you will get locked out.

Get a 2FA using QR code or U2F key (not SMS or phone based).

(comment deleted)
There was a post a while back around poor and homeless people encountering exactly this problem on a regular basis. Lots of people in the comments were incredibly dismissive and sometimes actively malign about it.

Edit: One suggestion from me would be to try and start the dead phone connected to power but with the battery physically removed (assuming it's removable). That might bypass whatever issue it's having and let it start up.

Problem is that support people mistakenly resetting account auth when the attacker calls up and social engineers them is a bigger and more common issue than people’s only device dying. Not to say that’s not a thing that happens, but it’s a smaller of the two problems.
It's a smaller of the two problems for the company. If you are really poor, losing access to your online life because you couldn't pay your phone bill or something can be a huge, huge problem.

I have been homeless. I'm not currently. But this is an extremely stressful situation that could do all kinds of damage to my life if I can't get it sorted.

We're talking about hackers getting access to users accounts, that's not a Google problem, that's an everyone problem.
Back at the start of 2FA rolling out it used to be an absolutely massive issue where the attackers would call up support and tell a sob story and have the account reset and in the control of the attackers.

As a user it doesn't matter how well you manage your own security when that can happen.

Yes, I am well aware of that. I have been on Hacker News since 2009 under my Mz handle and I have a Certificate in GIS from UC-Riverside, the most respected GIS program in the world at the time that I attended (2002, IIRC).

I don't try to crow about being some kind of tech genius because for the HN crowd I'm not. But I'm not poor due to being mentally retarded or something. I have an incurable medical condition as does one of my adult sons.

Perfectly average geographers on HN represent! I feel like seeing another GISer in the tech world is like seeing someone from your country while on vacation. You’ve just got to say hi because it feels so rare.

Edit: thanks! Solved. I’ve deleted this part of the comment because I always feel very socially awkward and afraid I’ll make others feel awkward.

Sorry for the pain

If you have been in hn so long you do know the numerous times people have lost accounts by not having backup to 2FA. TOTP is the only option.

I'm sure plenty of people would rather live with the small chance of a hacker even wanting to gain access to their account than the very large chance of eventually losing access to the account entirely.
Although they probably wouldn't want to live with all their emails being discarded because gmail becomes so easy to hack and everyone assumes gmail accounts are spammers.
Huge amounts of spam already originate from gmail addresses, so I don't think this is a good example. That's not to say that I think security should be weakened, though - it should not, but for other reasons.
I already assume all mail I receive is spam, Gmail or no.
Losing access because someone stole your account is even worse because of how much access a Google account gives someone.
Honestly, I would suspect that for many homeless people, the "losing access" part is much, much worse than "someone else having access".
I think the GP's point was that the "someone else having access" bit affects everyone, not just homeless people, if the company makes it easier to reset/regain access to accounts.

Bottom line, though, is that these companies should be required to find a way to maintain that high level of security, but also have a process so anyone who loses account access can get it back in a reasonable amount of time.

Once a hacker gets access they immediately change the password, and then the homeless person loses access anyway.
Having spent nearly six years homeless and also had a college class from SFSU in Homelessness and Public Policy and having written about homelessness for years, I can assure you that for the vast majority of homeless people, losing their physical phone or being unable to pay for it is a much bigger problem than other people wanting to break into their accounts and steal their identity or some such.
for the rest of us having a hacker gain access to our accounts and stealing money or scamming others is a far greater risk. And for google a far more common occurrence. There is a reason there are so many safeguards in place and its because hackers are trying all day every day to break in and steal identities and money.

Homeless people don't need to use 2fa if they are so unconcerned with someone stealing their account or identity. For the rest of us 2fa and making it hard to steal accounts is 100% a must.

The issue though is 2FA is now required. That's literally the whole reason of this post.
Kind of. The problem is that even when 2FA is disabled, Google's security panopticon will sometimes insist on additional verification anyway, even if you know your password, if it thinks something is suspicious.

If you don't have a verification method—or cannot access it—Google will literally just lock you out.

I have personally experienced this on accounts I don't access regularly.

Were you so harsh on self-entrepreneurs that came here crying out loud because Google did shut down their developer account for some unrelated payement error on a linked account?

I hope so because otherwise you are just discriminating people based on their wealth. But praise lord dollar that if you ever fall from your status you won't find pedantic guys like you when seeking for help.

There's a recurrent thread of posters blaming everybody else for having issues with the big companies, because big companies cannot make mistakes otherwise they wouldn't be "big", right.
To be fair to the commenter, the company implementing the system is to blame. I can understand why Google (or other businesses) would prioritize customers concerned about security over the homeless. One is a more profitable customer.

Does that make it right? No. Does that mean people won’t get hurt? No. Plenty of ink on HN has been spilt about how companies act according to a profit motive, and often not in societies best interest. Recognizing this doesn’t make you complicit.

For a careless user, or one who does not bother to learn about the risks, having one's account stolen is more of a danger. On the other hand, for a reasonably cautious user with a basic understanding of the risks involved, and whose life varies at all from predictable (affluent) norms, losing account access due to Google's protective measures is a bigger danger – and more of a hassle to guard against – because these protections are so easily triggered
I sympathise that this would be really difficult for homeless people.

But i am not homeless. I'm sorry if this is cold, but should i have to have an insecure account because homeless people exist?

Its not like google has a monopoly on email service providers.

but should i have to have an insecure account because homeless people exist?

No, of course not.

This is like when people who drive get chuffed about pedestrians wanting their lives to work and acting like "Well, if we do anything for you, then my life will fall apart." As if we can only build a world that works for cars or build a world that works for non-drivers and the other camp just has to accept a sucky life and all kinds of flak for not liking it.

What in the hell makes you think someone must get screwed and it might as well be those who already have the least? No one is asking you to get screwed here.

Because the topic of this thread is suggesting google should reduce security for everyone.

You can't have google letting people back in their account unverified if they ask nicely not affect other people with accounts.

(comment deleted)
> the topic of this thread is suggesting google should reduce security for everyone

I don't really see that anywhere; I think you're jumping to conclusions.

Every system will need to have some escape hatches, whether that's a governmental bureaucratic process or a Google account recovery process. Because no matter how well you design a system some folks are going to fall outside of it because the world is complex and the number of possible situations are too many to capture.

"Yes, but it's only 1%" – yes, but it's 1% for system A, and a different 1% for system B, etc. and it all adds up.

All of this is why things like appeals exist in many processes, and why we have judges in addition to mountains of laws. None of this is perfect by any means and there's lots that can be improved, but at least there's the recognition that The System isn't perfect – even if it's more symbolic than anything else at times.

If I lose access to my HN account then that might be annoying, but fundamentally it's not really a big deal, at least not for me. But some accounts/services are connected to all sorts of things and much more important than some HN account and connect to "real life" in much more complex and impactful ways. You can't on one hand have a service wanting to become central in people's lives but on the other hand also just shrug at the edge cases and pretend it's not your responsibility when people get screwed over.

It's not just a company problem. Having someone hack my google account then getting access to my bank account would be just as bad on a personal level. My whole live is managed online too.
The solution to that is to make the increasingly intrusive security processes an opt in, not to completely write off anyone who can't reliably keep a particular physical device on their person and working indefinitely.
It used to be opt in until the icloud hacking saga where the public demanded something be done. So it was decided users want mandatory security by default. Almost all of these services provide backup codes you can write down on paper as well.

Sure, some people are going to lose their only device and the bit of paper, but at that point if you have literally nothing to identify yourself with, it's going to be hard to provide a secure service to you.

It can still be opt out with a fallback on the old approach of security questions. The name of your first pet, your favorite teacher, etc.

It doesn't matter how much in general 2FA works out better for most people, there are lots of people for whom it is not viable. They know who they are. Give them an option that doesn't make their life worse.

>Give them an option that doesn't make their life worse.

This is the sort of thing that really should be handled by government

That might help for a certain subset of people in this scenario, but there are also people with subtle mental conditions that, while capable of living productive lives, are also unable to deal with MFA. There are also the elderly and non tech-literate.
> They know who they are.

OP knows who they are, but I would not be surprised if many poor/homeless users wouldn't realize they need to opt out of something until they find out the hard way when they're locked out and can't get back in.

Optional != opt in

Just make it opt out... You 2fa, do a song and dance, and 2fa is gone

(comment deleted)
Opt-in is pretty useless. If users followed security procedures, people would use strong unique passwords and we wouldn't need 2fa.
In that case I think it's fine to have a default security profile, and let people add or remove things as they see fit. On account creation, they could even present a questionnaire that determines whether the user values security or availability more, and set the security requirements accordingly.
> The solution to that is to make the increasingly intrusive security processes an opt in

Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.

Only I know the threat models I care about for any particular account I have.

For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.

For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.

Only I can possibly know the correct answer, so for a service provider to come in an impose their policy on my requirements is fundamentally wrong.

> Only I know the threat models I care about for any particular account I have.

You are not neccesarily the person being negatively effective.

Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fall out.

There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.

Gmail is already a well-known spammer. Loads of spam come from Google, I see it everyday, by far the biggest source of spam I see. Unfortunately, they're also so big, with so many legitimate users, that you can't block them wholesale if you're expecting to deal with the public, many of whom have a gmail address.
The problem here is there are ways to allow for both but they are labor intensive and Google (and other tech companies) do not like things that do not scale because it cost them $$$, they prefer no customer service and automation using Security as a cover for their poor practices.

In this instance if they need a code why is there not a process to hell use US Mail and send a paper code to the registered address of the account owner? Analog is often the solution to these type of problems

Tying someone's identity to their phone number is not the answer, though.

I have this at the moment - I'm travelling, moving country every few weeks, so I need a new SIM card and phone number every few weeks. My phone number is temporary at best.

I'd massively prefer to take the risk of my identity being stolen than constantly fighting security measures that assume people never change their phone number (or country of residence, etc).

You don't need to use a phone number for google. I don't have a phone number attached to my google account at all due to the risk of sim swapping despite asking my carrier to lock it, instead i have multiple hardware keys and devices + backup codes in a safe deposit box.
You do for lots of other things (and many people have it for Google as well). Most banking or payment, a random selection of apps that decide you now need verification, new apps in the new country...
yes but this is a post about google.
Google was included in my response. The vast majority will have phone number as their 2fa
If Google ever thinks you're doing something suspicious, they'll just make you authenticate using a physical device instead, by way of Android functionality they never told you about or asked you about using. Hopefully they won't demand you authenticate on a device that's defunct.
luckily, so far, this doesn't involve the phone number. Google seems to know what my device is and how to reach it without needing to know the number. Little bit scary, but really useful.
Maybe, since Google wants to be that important to people's lives, they should be force to have representatives, to whom one can go and have things sorted. Needs to check your id and then phones home (...) to get your account unlocked.
> support people

There are no "support people". Let's stop trying to humanise a giant, hostile algorithm.

> There was a post a while back around poor and homeless people encountering exactly this problem on a regular basis. Lots of people in the comments were incredibly dismissive and sometimes actively malign about it.

Even worse than that, they're often connecting from public IPs that are "suspicious" which causes automated systems to treat them more harshly.

In Canada it's gotten to the point where you need an internet connected device to participate in the most important systems; government, banking, etc.. It's very sad that device can't be supplied by the libraries. They have them, but big tech discriminates against anything that's not a personal computing device.

In the US if you are under 135 percent of the Federal Poverty Level you qualify for a free Mobile Phone with internet service. I am surprised Canada does not have a program like that
That program is not available in every State iirc
Its a federal program, its benefits are available in every state.
Some cellular partners in some states don't support it even though its a federal program.
Wild guess: Bell, Rogers, and Telus probably wouldn't allow it because they couldn't milk Canadians for as much then
My local library actually lends out hotspots, unlimited data, no charge. Its an amazing service that would be amazing to see spread around to all libraries.
The problem referenced above was that the poor people in question don't have devices, so they log in from public or loaner devices. Those are seen as "suspicious" by the algorithms, and without a personal device there is no way to convince said algorithms.

Here is the submission: https://news.ycombinator.com/item?id=32304320 (August 2022, the letter submitted is from 2021)

but big tech discriminates against anything that's not a personal computing device.

To be precise, anything that's not a "personal" computing device running the latest spyware-filled locked-down software and a browser that can be anything as long as it's the three that Google implicitly "approve".

government, banking, etc..

Banking is private-sector, but I believe the government should always be accessible even if you live like the Amish...

https://en.wikipedia.org/wiki/Amish#Canada

...and I wonder how they get along there since they're apparently present in Canada too.

In Ontario, the traditional Amish largely opt out of social programs and public education that they're eligible for; they manage as they can within their communities privately, perhaps hiring outside services as necessary. Some make use of provincial health services; you can get the documentation and ID for that with some paperwork (which they probably have - income tax statements and birth certificates, etc.) in person at government offices. Otherwise the only mandatory interaction with the state is basically birth registrations and paying income taxes. Both of those can still be done with paper forms by mail or in-person, at least for now.
The trouble with the idea of banks being accessible, is that you also need to deal with KYC checks. Not all financial things require them, but it's creeping. I wonder how many homeless people have no ID.
Losing ID is really common on the street.

Historically, you were known by people around you and you could be "verified by relative" in the case of a house fire destroying all your documents or something, but your life mostly worked in your home town and traveling or moving elsewhere was hard. Trying to cash a check anywhere but your home town was hard, etc.

I'm a former military wife and this was a big enough issue for the American military that military facilities would cash your check at the BX/PX. Local banks and such often wanted nothing to do with military members.

And now we have this highly digital, highly mobile society and if you are rich enough and such and keep all your ducks in a row all the time, you have tremendous freedom to roam the world, pay with plastic, etc. But for a lot of people, it's increasingly problematic that we default to state ID and digital formats and so forth.

These systems should enhance older methods of making life work, not crowd them out and make life a living hell for anyone who can't keep up with it. And we should be optimizing for helping ordinary people make their lives work, not optimizing for trying to squelch bad actors and too bad, so sad if innocent bystanders get run over in the process.

I don't know how to make my life work. It seems impossible at this point and it really shouldn't be. We have the means to make life for me actually work and no matter how much I do, it's never enough.

> Banking is private-sector, but I believe the government should always be accessible even if you live like the Amish

I got a notice from my state that I'm required to make future tax payments electronically. For that they require ACH. Banking may be private sector but participating in it is increasingly non-optional.

i moved to the US.. im now locked out of BCs health thingy now because my bc services card expired. and also my android version is too new
In Canada, on the way back to Massachusetts, I needed to download a repaired version of my COVID card. But the Massachusetts Government Website, that you need access to in order to do things that citizens of the state need to do regardless of their location, silently blocked Canadian IP addresses.
> they're often connecting from public IPs that are "suspicious" which causes automated systems to treat them more harshly.

What's worse is that the the error messages never explain the problem. It's just an endless sequence of "Oops! Something went wrong" "We could not fulfill your request" "Please try again later".

Could drive someone crazy if they're not savvy enough to realize what's going on.

>What's worse is that the the error messages never explain the problem. It's just an endless sequence of "Oops! Something went wrong" "We could not fulfill your request" "Please try again later".

You're absolutely right. They each carry the tone of "This content isn't available right now", like when trying to view a tweet from a shadowbanned user. I've seen that drive people, particularly family, into a kind of aggressive version of frustration.

> They each carry the tone of "This content isn't available right now"

At this point it's merely static deception. Wait until they run a GPT bot programmed to interactively lie to you, deflect, stall, misdirect and stonewall you based on your personal profile. These companies are devious and untrustworthy to their core, and the only reason anyone uses them is because they're forced to.

I tried to sign up for a tutanota email account the other day through a VPN and when it came back and said "We don't trust your IP, use another connection." rather than being annoyed I was just glad they gave me a straight answer for once. It wasn't the answer I wanted but it sure beat being gaslighted into thinking I was having connection timeouts or browser incompatibilities to waste my time.
It's a straight answer sufficiently couched in jargon that a non-technical person still isn't likely to understand the problem or how to resolve it.
Sure, but "only technical people will understand what the problem is" is infinitely better than "literally nobody will understand what the problem is".
I mean, I'll agree that it's slightly better in absolute terms. "Infinitely" is a strong word choice for a case where 95% of users will still be in the dark, unless you insist on using the term in a pedantic mathematical sense.
In the UK, less and less places accept cash.

I experienced the only slightly inconvenient of this when I was replacing my bank card, even going into a Pret, I was unlucky enough to go into one randomly that didn't accept cash.

But for people that don't have bank cards, or can't charge their phones this is a real problem.

(comment deleted)
I think a part of the problem is that the US doesn't have a vast and widespread ecosystem of cheap, relatively simple, slightly rugged android phones like a developing nation market does.

Go look at what you can buy for an Android phone if you exchange 100 USD to rupees in Rawalpindi Pakistan for instance.

Now imagine you drop your phone or screw up its hardware somehow and want to get it repaired, you can probably fix it at a local repair shop (some 1-man operation in a tiny retail stall) for $20-30 max with basic hand tools. Those guys might have a collection of pieces of the same model phone you have, or the ability to take 4 dead phones and mix/match pieces to make 2 working ones out of them and then re-sell them, etc.

While we were all watching CCP implement their social credit system, big tech gave us one while our gaze was elsewhere. These algorithmic systems can pretty quickly make you an unperson in our society.
Theoretically one is implemented by state's request and the other happens while the state is busy looking away. Yay for freedom but when you're at the receiving end of the digital stick, is the difference really significant?
It stings less when an unaccountable group of technocrats ruin your life for some reason apparently.
Is there anything I can do to help poor and homeless people with technology? I'm in New Zealand and I would like to find some more ways to help people.
Low hanging fruit: donate old but still usable tech to local programs that pass such out. Volunteering at local organizations that do such work is another possibility.

I wrote a piece called So You Want to do a Website to Help the Homeless that might interest you: https://streetlifesolutions.blogspot.com/2020/05/so-you-want...

The local police department does -- or did at one time -- pass out flyers I made listing online resources for the homeless and there is an edited version of those flyers here: http://www.eclogiselle.com/2020/10/free-and-custom-flyers-as...

I tried to establish some kind of homeless smartphone project. It never went anywhere. If you want to read what little I did as food for thought for what you might do, you can start here: https://streetlifesolutions.blogspot.com/2018/04/project-hom...

If tech is your thing, coolios. Run with that. Better to do something than to do nothing.

But if you really want to make a dent in homelessness, my research suggests that this is mostly a housing supply/housing affordability issue. We aren't building enough new housing and what we do build tends to be too big and tends to require a car to make life work, which is an additional big expense and -- at least for some people -- a logistical issue even if they had the money. Some handicapped people simply don't drive. Some seniors simply don't drive anymore. Etc.

So if you really want to work on homelessness, I would encourage you to educate yourself about housing issues in your neck of the woods and try to get involved. I write about my ideas about what I would like to see for the US here if you want to look that over: https://projectsro.blogspot.com/

Hi Doreen, I am sure many people recognize you as a long-time HN user! I hope someone from Google can reach out to their accounts team on your behalf.
Yeah as soon as she said Mz I was like oh I've seen them around.
(comment deleted)
I have to use wireless charging because the connector on my old phone is toast. It was a lifesaver for ~$15.
Same. On a Pixel no less.
For the technical solution, I would focus on getting that old phone some power. Wireless charging, gently pushing the charging connector in the magic direction, swapping the battery, taking it to a repair shop that could reflow the power connector or use some kind of battery emulator.

Google just paternalistically chooses which device they think should be your most trusted one, and then insists that you produce it. No consent, no concern for your actual security model, just pure snake oil that tech-rubes eat up as "2fA sEcUrItY". Any damn time I want to use a Google account from a desktop browser, I get the same rigamarole of having to unearth some discharged tablet and wait for it to charge, just to jump through their nonsense. I shudder to think what would happen if I took the obvious remedy and just removed those devices from my account.

I've needed to scrape the USB connector in the phone with a needle (digging around the outside and scraping the tab in the middle) in order to get the cord to stay in place. It gets filled up with pocket lint gunk, and needs cleaning every once in a while. Also since the phone is water proof I've taken to letting water run into the USB connector to really clean it.
For Apple phones: genius bar told me they’ll clean it for free no appointment. ymmv.
Is that SMS codes or an app? How can you know they're being sent to the dead phone when it's dead? Maybe they were never being sent to that number at all?

Obviously there must be a process to gain access when your phone with an authenticator app is lost or destroyed. Why is that process not working?

I know because the messages on my NEW phone that I am trying to set up state "We sent this to (your old phone -- identified by type of phone, which is different from the model I am setting up).
This is because Google has a disaster of a 2FA process where even if you have 2FA disabled, they will "send a prompt to the Google app on %s device" to verify it's you. What happens if that device doesn't have the Google app installed? You're screwed. The only fix for this is to, paradoxically, ENABLE 2FA, which then you can force to go ovet text.
I think there's some confusion about messaging. If Google knows the model/name, then it's likely not SMS being sent, but rather one of the "review this login" system pop-ups.

See if you can revert to SMS verification through some option at login. I can't verify it now, but the choice could be accessible though something non-obvious like "I'm having problems verifying". Make sure it's trying to use a text message instead of some other method... and let's hope you have it configured.

This is why you get backup codes and physically write them down.

I know it's of no consolation for you OP at this point though.

Google is extremely frustrating in this regard. I keep my TOTP in 1Password so that I can have it on multiple devices. When I tried to login in on a new device, I used the TOTP code. Google then wanted me to click approve in the YouTube app on an old device that was no longer functioning. Eventually I was able to get it to work by re-logging in a few times (I guess it gave up) but why the fuck do I even have 2FA if Google isn’t going to fucking respect it? Infuriating.
I'd expect that you'd move your number to your new phone's SIM, and that Google would then let you verify with SMS. Do they not let you do this?
It 2fa needed to connect your google account to a new phone?

If not, then 2fa just pisses people of with no security gain But I surely hope it is not!

This is highly frustrating and it sucks.

Also Google is totally doing the right thing here. The slow down and wait is precisely the thing that protects you from identity theft if somebody waits until your phone is turned off, clones your SIM, and pretends to be in precisely this situation.

Hopefully in THAT case, you notice the "somebody is trying to get into your account" and say "no, this is a hack attempt".

Good luck.

If anyone got afraid and wants to disable 2fa, go to

https://myaccount.google.com/security

The trick isn't to disable 2FA. It's to add a bunch of 2FA methods that don't rely on your cell phone: authenticator app, yubi keys, backup codes.
This is terrible advice. Please don't ever rely on authenticator apps. Try changing your phone, resetting your phone or losing your phone and watch yourself get locked out of your accounts with absolutely no recourse.
Isn't that the point of enabling multiple methods? So that the others can be used as backups? Or does enabling multiple 2fa methods potentially out you in a situation where if just 1 method is unusable you won't be able to log in?
TOTP can also be used from a PC with something like KeePassXC, and you can have the DB sync to other devices with SyncThing (including your phone where you can access them with KeePassDX). Much better than SMS which really is tied to your phone (or SIM, rather).
I chuck all my totps on my wifes phone as a backup. Google Authenticator lets you export the lot as a single QR
I agree, auth apps actually work relatively painlessly for day-to-day (especially if someone else supports them, like at work), but for me at least, as a personally managed last resort they turned out horrible. If something happens to the device(s), you're screwed. Even SMS is better, because at least you can move the sim or eventually recover your own phone number on a brand new device, even if the old one vanished. And yes, I know SMS's can be hijacked in some cases (like by a malicious mobile app) but for personal stuff there has to be some sane recovery, and Google does not give you one easily.
Swapping SIM cards to a new phone often doesn't work. Did you not read the OP?

> So my phone has been failing to charge for three weeks and I bought a new phone today and can't get it set up because the old one is dead and I can't get a verification code. So I moved the old sim card on the advice of one of my sons and the codes are still going to the old physical phone and Google says it will send me a link in 72 hours.

Wait. make a photo of QR code and send it to your spouse. Put it on her Google photos or facebook (make it private). Very unlikely both of you lose phones on the same day.
There are authenticator apps that backup up your 2FA accounts. I've been using Authy for years and have switched phones at least 5 times with it. I believe the Microsoft authenticator app also backs everything up to your Microsoft account.
"Ways we can verify it's you" seems to be limited to 1 email and 1 phone number now.
Yall need to post screenshots. I do not believe you

https://i.imgur.com/hENFQtG.png

As seen in the image, nearly 10 years, never a single issue, and there's not a chance of someone compromising one of my active 2FA options.

If you don't have 2FA enabled, it seems that Google will now sometimes arbitrarily choose a previously logged in device or previously associated phone number and require 2FA through those, so having it disabled can be even more dangerous.
I have long wondered if two factor authentication actually causes more economic harm than it solves - it just doesn’t cause that harm to be noticeably all in one place (the harm is spread to millions of users who will lose access at some point during their lives rather than concentrated on the company that implements TFA dealing with fraud).

It feels like it might.

This isn’t counting the productivity that’s lost to actually using the TFA system successfully, which is probably measurable on a population level.

This is the way of capitalism. Move costs outside your organization and call it profit.

It's why companies don't offer phone support. Or ones that do (like mine) get premium pricing.

Of course many if not most of the services would not be offered in the first place had it not been for the financial incentive offered by the market economy (i.e. 'capitalism' painted with broad strokes) so you can pick your evil: have a market economy with many players, some good and some bad... or have some alternative economical organisation with far fewer services, usually still good or bad.

At least the market economy and 'capitalism' offers the choice of foregoing on those 'premium' services by enabling me to run my own services on my own hardware connected to the 'net through my own fibre connection. Since 'capitalism' leads to more choice it puts the onus on the individual to choose wisely. For some that choice comes down to paying more for those 'premium' services, for others - like me - it means I do a little more work to be able to run my own things. If I loose access I can get it back, the hardware is right here on the farm after all. I have 2FA enabled on a number of services to protect against leaked passwords but since everything is run in-house I can always get back access if I for some reason lost (access to) my devices and backup codes.

This is a win for 'capitalism' as far as I'm concerned no matter which way you turn it - those who want to be served can get served, those who want to serve themselves can do so. You do need to make a conscious decision on what side of the divide - pay and be served or do the work to serve yourself - you want to be on since the space in between can be treacherous to navigate. You also do need to react if a supplier does not keep to its end of the bargain if the system is to work. For the likes of Google/Microsoft/Facemetabook/Apple/etc. this means you should avoid them if possible in any way and if not, make sure you have a way out if they start acting up.

In the current state, I believe it indeed causes more economic and personal harm. Properly executed MFA by both the provider and the user are great, but we have a long way to get there.
(comment deleted)
The recovery user flow, at the end of the day, should provide an option for identity proofing through a service that can consume a government provided identity credential. Login.gov, Stripe Identity, ID.me, whatever, something that can attest that you are you when provided a sanctioned credential.

You should be given the option to opt out of this, have your data E2E encrypted, and if you lose your creds your data loss is on you. But for everyone else, they can then provide ID and get their digital identity and data back (at a very low cost to the service provider, proofing is usually $1-2/request in bulk; if you want to charge the user that cost, that’s palatable).

(corp|customer identity governance and proofing is a component of my work at a fintech)

https://media.fidoalliance.org/wp-content/uploads/2019/02/FI... ("Recommended Account Recovery Practices for FIDO Relying Parties", Page 3)

https://doi.org/10.6028/NIST.SP.800-63a NIST SP 800-63A Enrollment and Identity Proofing

More than just that. 2FA should

1a) be possible to be disabled or

1b) Offer non-electronic second factors such as paper codes

2) Offer a broad range of options in general, not just phone or even worse only SMS. I can count the services that I can use my Yubikeys with on one hand

3) Be predictable (or at least be configurable like that) by the user and not behave different on weird conditions such as your IP

4) Allow to configure more than just 2 factors. 2 factors are really bad. It should usually be 1 or 3+.

5) It should educate properly about how to use it and also about the risks (e.g. increased change of losing access, especially when certain factors are used)

I think that when identity proofing actually becomes important, we should fully leave private services. That is something too important, so the state should either standardize and enforce it or offer it. Maybe, offering a wide-scale MFA / Auth solution should come with similar restrictions that we have for finance, including the identity proofing fallback your mentioned.

Not to mention the chances that your 2FA method will be used as another tracking and marketing vector. These days I'm deeply suspicious of companies that require 2FA.
Sorry, do you mean just sms 2fa or totp too? If you meant totp too, how so?
I feel like virtually every service demands a phone number on sign up partially for bots but mostly for for tracking.
I think it is hard to say actually. An account that gets killed off by 2FA failures is dead, which is definitely extremely annoying. But on the other hand — the maximum cost that could be incurred is just the value of the account, and lots of our accounts are actually basically valueless (Facebook, Twitter).

On the other hand if your account is taken over, it could be used to perpetuate scams (which could harm your loved ones if they fall for the scams), it could be used for various things that might hurt your reputation. Or depending on the type of account it might be a stepping stone to get into, I dunno, your bill-paying account for some utility company, which will probably have all your bank account details in there because utilities companies tend to not be super on the ball about that kind of thing.

Hard disagree.

MFA is the best mechanism to stop hackers from constantly hacking everyone. Without it everyone would be getting brute forced 24/7.

Why wouldn’t exponential API rate limiting not solve this brute force issue?
Because brute force does not imply a high rate. You can brute force a password by making attempts on an irregular schedule, a few attempts per hour. That will not be caught by any rate limiter as it would make the service unusable for regular users with fat fingers or misconfigured keyboards.
> I have long wondered if two factor authentication actually causes more economic harm than it solves

At Google at least, there are people who are responsible for measuring this sort of thing. 2FA adoption reduces overall account loss.

I had this happen with a cheapo android phone ages years ago, where the battery drained beyond 0% and the charging circuity wouldn't recognize it. Sent it for repairs and it conveniently came back with a dead battery again due to the long shipping time. I ended up stripping the wires out of the charger (the USB end, not 120v), and connecting it directly to the battery for 30 seconds or so. This bypasses the charging circuitry in the phone and got it up to a few % so that it would turn on. Surely this can go very wrong but it was my last idea.
in the future, at least put a high value resistor in series. Chargers are usually 5v, lithium batteries get VERY unhappy with anything past 4.2 (4.3 with newer ones) and can blow up. with no current limiting, the "blow up" stage could arrive quite fast. Also phone's various regulators that power FROM the battery might not be rated to handle 5V inputs
That's generally good advice but then it would have taken much longer to get to the point where the phone's charging circuitry could take over and the battery being near empty likely served to peg the voltage at something really low. Finally, those chargers are usually not capable of more than a few amps and given the internal resistance of the batteries at that point the bigger risk would be to fry the charger if it can't handle something suspiciously close to a short circuit.

If you're going to use a resistor use something like 100 Ohm, that way you will still be able to see some effect of your action before Christmas and if you have access to a volt meter connect it parallel to the battery to see what's going on. As for the 4.2V, that's a single cell, some phones/tablets will have a couple of those in series so you can't assume that you'll find anything up to 4.2V at the battery terminals, checking that should be your first stop before attempting any of this.

I never flag content but this was an easy one. Ignoring the utter stupidity of not being able to sanely transfer money in the US, there are countless better ways of sending someone money in a scenario like this. In fact, it's hard to think of a worse way than using crypto, and I'm far from a crypto hater.

Linking to a long form YT video with some gd floating talking head screencasting a Mac, with no text description really just seals the deal.

I don't think money is going to fix the problem at hand, but I suppose I'll extend a similar offer - I'd Western Union cash to you Doreen, if it would help, or help you purchase a good meal so you can regroup/recharge.

> Linking to a long form YT video with some gd floating talking head screencasting a Mac, with no text description really just seals the deal.

Fair enough!

> I'd Western Union cash to you Doreen, if it would help, or help you purchase a good meal so you can regroup/recharge.

Very generous of you and you're right, probably more user friendly to the OP. But I can't remember I haven't used WU in a long time.

If you're in LA and need a computer to use or an environment with wifi and power and what not to trouble shoot this, you're welcome to use my apartment. I have a spare ATT phone if you need something to act as a intermediate device (if your son wants their phone back :p).

If I worked in tech I'd offer you access to a solution but this is all I've got. I hope this problem doesn't last long for you.

> If I worked in tech I'd offer you access to a solution but this is all I've got. I hope this problem doesn't last long for you.

Sadly, even many google employees's spouses lost account with no recourse.

Lets say you are employed in US embassy in Kabul - you just think you could issue visas out of your sympathy. (i.e) FAANG has become as large as govt.

This is why you enable multiple backup ways of getting in.

I have a yubikey as my main 2FA. If I lose it or it breaks I can still get in with:

- my spare yubikey

- my phone

- backup codes

Feels. I had to get VISA to block charges from Google because I moved and changed phone numbers without remembering to change one of my emails on a custom domain.
A lot of people treat printable recovery codes as something that should be protected, locked in a safe, etc. As a result they don't bother to use them as it seems like too much effort to secure them.

Please do not treat them this way. They do not grant access to your account. Print many copies of your recovery codes and spread them around. Wallet, home, car, parents' house, etc. It doesn't matter if they get stolen or whatever, again they don't grant access to your account, and they can be revoked at any time.

I know that educating people about this is not a scalable solution to the problem of people getting locked out of their accounts. But maybe it could help you, reader of this comment, if you someday need recovery codes.

> Please do not treat them this way. They do not grant access to your account.

Can you expand on that? Once I have such code, what’s stopping me from “stealing” the account?

You need the password too. That's what makes it two factor.
They are, however, secret codes, and should be regarded as confidential. Just because you can divulge them without direct harm does not mean you should publish them on billboards and Facebook for safekeeping.
This is true but isn't relevant to my advice. If you can't see the difference between keeping a nondescript piece of paper at the bottom of a drawer at your parents' house and posting it on Facebook then you should not be making any decisions relevant to security. And using the word "secret" causes people to treat the codes as more precious than they really are, and make bad decisions like not printing them at all.
What's the more likely scenario:

1. System reports "print out these recovery codes and deposit them in multiple places so you will never lose access to your account". User John Doe posts his security codes on his Facebook page and gets hacked.

2. System reports "print out these security codes and store them in a safe place". User prints them out and stores them in a drawer, but his house burns down and the user loses access forever.

Both scenarios are shitty, but I think 1 is more likely.

Of course, you could write a detailed guideline on where to store your codes, and that you should share them with some trusted people but not everyone etc. But who's gonna read that?

People who understand security already take threat models into account, but those who don't need very simple guidelines.

If one of the factors is widely known, it's effectively not two-factor anymore.
No security system is absolute, and treating all threats as equally possible leads to terrible security decisions like not using printed recovery codes for fear of them getting stolen. You must pick a threat model before you can evaluate the security of a system.

Treating printed paper codes as "widely known" and effectively useless simply because they could theoretically be stolen is silly. In a reasonable threat model for almost all people, the intersection of the set of threats that might get access to printed paper codes and the set of threats that might hack/phish your password is very small. The vast majority of threats are still protected against, while the very real possibility of being locked out of your account is drastically reduced. It's a good trade for almost everyone.

I don't disagree with this, I disagree with the way you formulated it initially. There's a difference between sharing recovery codes with 2-3 trusted people vs. posting them literally everywhere which your original post seemed to imply.
Yea but the chances of some dude in Bangladesh finding out your 2fa code because you lost your wallet approaches 0%. Joe Blow from Kentucky ain’t gonna be the one stealing your account.
I think it’s because of the copy that usually comes with these codes. It usually reads something like “COPY DOWN THESE CODES AND KEEP THEM IN A SAFE PLACE.” Which doesn’t come off as “look, you’ll still need your password”
Yeah, the way it was written when generating the codes, I also had the impression that they would bypass everything.
Try to find a 3rd party phone repair shop. There's a decent chance they can get your old phone charging pretty quickly and cheaply if it's just your charging port being dirty / faulty.