134 comments

[ 3.5 ms ] story [ 196 ms ] thread
Hi HN. I posted this here because it seems to be the best way to get someone at google to look at something.

To preempt some comments along the lines of "why are you relying on google in 20xx", I try my best not to these days but I still rely on them to forward emails from my old accounts, or for services like youtube where you must have a google account for full features.

It's undeniably shitty behaviour from the Goo but I'm increasingly getting the message that the only sane attitude is detachment from anything I posted in some past , more naive age. Scribe on vellum or linen rag that which is for the ages, and ignore the rest. If it's on a server I don't even mourn it, I killed it already by putting it there.
That’s how I think about it. What’s the big deal really to lose things from the past? I still have way more of my personal history solidified in in recorded form than people of ages past. They managed just fine, I will too.
>What’s the big deal really to lose things from the past?

Losing pictures of my kids when they were young would be devastating. For some things, it’s a very big deal.

Sad, sure, but devastating?
Yes.

Why would it even occur to you to police how someone feels about losing things of immense personal significance?

Not the GP, but it's not necessarily policing. Sometimes readers want to know if you're using hyperbole vs. speaking plainly.

Also: HN is a place for discussion and debate. You shouldn't expect any of your claims to be immune from scrutiny.

I tend to agree, but you can also run your own servers.
(comment deleted)
Sad story, it is the same with all the newfangled companies: you are a product, not a customer
The joke is on the customers, then, who are treated as badly as users.
I think Google needs to add a better way to secure old / previously inactive accounts. My guess is because your account was old, and your current device, IP and overall fingerprint was different it decided you were an intruder.
Removing pre-existing security measures due to suspicious activity seems an odd strategy.
This seems inadequate to explain the removal of security keys. Unless Google inferred that OP was not just a garden variety intruder, but some sort of advanced persistent threat that had added such keys long ago?
Yep I don’t know what’s going on here. OP posted another reply with the time they added their keys and they aren't recent.
I don't know, while this account is old and fairly infrequently used I normally have it in the google account switcher dropdown logged in rather than completely logged out.
Reading stories like these, I’m glad I don’t even have a Google account.
I remember how promising early Google was, how great Gmail appeared to be. Now the search is barely usable, your account gets nuked because you logged in a minute later than usual and they still don't have any support. Strangely businesses haven't completely abandoned everything to do with them, they clearly don't care about their paying customers let alone the free tier ones.
> Removing physical U2F keys from an account without request seems to be the worst possible reaction to suspicious activity.

Exactly, unless they were added during the suspicious activity. But this seems to be not the case.

I work in cybersecurity and I've seen hackers setting up PINs etc on hijacked Whatsapp accounts just to make it harder for the legit owner to recover it. So if it was a really recent addition it might make sense. If the Yubikey was there for ages it's a really stupid move because it's the one way the real owner can prove themselves.

The account has had some security keys set up since ~2020, with additional keys added last year.
It could be accounting for the scenario where old keys are stolen.

1. You login with your key

2. Google flags you as suspicious

3. Google removes the keys from the account because the suspicious actor used them to login and could have been stolen

Makes rather little sense if so, given it's a hardware key. The most likely casees where the key is used to do something that trips this afaict are:

* genuine key, user does something fine that trips a heuristic

* genuine key, user's device is compromised

In either of these cases removing the key is making the account less secure. Google also removed all the keys associated with the account instead of just the key that was used.

Having a yubikey physically stolen and also knowing the details to log in with seems like it should be very rare.

If they're going to have a process that removes the keys they need to be so confident that they lock the account and go through some sort of IDV process to turn it back on. Removing the keys and leaving you with just a password that you just set up on the device that just logged in using the key is obviously not the right approach if you think the key's compromised because the password's just as compromised.

If the attacker has password+security key(+its PIN), what help is dropping the security level to just password -- the attacker has that too.
The password is reset so they wouldn't have it
(comment deleted)
Related, but different, & if there's someone at Google looking at this:

There was a Titan Bluetooth Key (for 2FA) Vulnerability, you've said you'll replace the affected keys[1], but you're no longer doing so. Which is frustrating.

[1] https://security.googleblog.com/2019/05/titan-keys-update.ht...

You'll have better luck with a separate post, even if it doesn't hit the front page. I would over-describe the problem, state it in 3 different ways, so some kind soul searching is more likely to find it.
Google's implementation does not seem to be doing much good anyway. To be fair, it is not just Google -- most companies feel the same pressure of having to implement MFA but then also make it convenient for clueless users to recover their access.

The right way to implement hardware keys is to allow registering multiple of them (so that you can put at least one or two off-site -- in a secure storage) and then not let you recover the access under any circumstances without showing you still own at least one of those keys.

If you can recover access without the keys then what is the point of keys in the first place?

> The right way to implement hardware keys is to allow registering multiple of them

Google allows this.

You missed the second part.
I see, so you're saying that it's good that Google does the first part, but needs to add the second part. Awareness that Google does the first part wasn't clear from the comment.
Any security mechanism is pretty much worthless if it can be trivially circumvented.

So yes, the second part is pretty important

Actually both parts are important, either is worth little without the other. Having well implemented hardware key is useless if you can't configure more than one -- too much risk having a single piece of hardware that if it fails or you loose it will lock you irrevocably from the account.

It's also possible to do this via advanced protection, it just makes account recovery ~impossible, so you have to explicitly opt in.
This annoys me a lot - I do sympathise with the fact that these services are regularly bombarded with users unable to log in, but modern authentication tools have existed for a while now and it's time everyone learned to use them. A lot of services insist on including your phone number as a backup authentication method, making you vulnerable to simjacking, or your email address for the same purpose (basically offloading the authentication problem to someone else). That's if you can't bypass it altogether.

For services that allow it I have both a TOTP app on my phone and a YubiKey registered, which I figure is sufficient redundancy. Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it.

You can duplicate the totp too. Either save the initial seed generated by the site(s), or depending on the app it may provide a way to export the seeds.

You don't go through the setup process on the sites again. The sites have no knowledge that you have 1 or 21 new totp apps set up. You just enter the saved seed keys into the app and it starts spitting out the same correct codes as the other apps you already had setup.

Gnome authenticator can export a json file containing the keys to all the sites you have in it. You can then take those (just manually read them in a text editor), and enter them into Google Authenticator on a phone, and now you have 2 working authenticator apps, both spitting out the same correct codes every 30 seconds.

Further, you take that same json and paste it into a note in a keepass record, or save the individual seed keys in individual site entries just like the passwords, and copy that keepass db file all over the place including cloud drives, and including places you can access without the totp.

Now you can reproduce a working authenticator from scratch on any device at any time no matter where you are and no matter what happens to your phone or laptop. Buy a brand new phone or laptop, have a way to get a copy of your keepass db without needing the totp app, and in a couple minutes you have a working totp app again.

You never really have to even use the single-use emergency bypass codes. Keeping copies of the initial setup seeds is really no different from keeping copies of the emergency codes, but the setup seeds reproduce a fully working app not just a one-time access to a site.

And even if some app doesn't provide an export like gnome authenticator, you can also just record the key the first time it is generated instead of just scanning the qr code. Once you've saved it, you can use it as many times as you want.

If you're putting it in keepass anyway, you might as well use it (either the original C# one with plugins or KeepassXC) as your authenticator app. Mobile keepass applications support the same.
keepass (xc, and Keepass2Android) can act as a totp app? And displays or exports the seeds? I am ashamed to say it never ocurred to me to even look!

I don't think my android app can do it. I don't see anything about it in the ui and no plugin about it.

Not at my laptop to check keepassxc, but I'll obviously look when I can, so the question was rehtorical. Just wanted to say "what?!?! what is this you speak of?"

The disadvantage of this approach is that you can't invalidate those devices individually - if one is compromised (i.e. lost), they're all compromised.
I don't see hlw this makes any difference vs a single device.

If I only have a single device set up, and I lose that device, I still have to go to all the configured sites, only now without my auth app.

What prompted me to figure out how to clone the setup was when my phone screen broke while away from home, and 2fa enabled on both google and Ting.

I couldn't even just buy a new phone because how could I migrate the number? Luckily I never had to find out if Ting has an answer for that, since I was able to get the screen replaced without wiping the phone.

I wasn't really screwed because I did have recovery codes for Ting in keepass, and had access to that. And that would have allowed me to move my number to a new phone, where I could once again receive sms to recover everything else. But I did not have recovery codes for anything else, because I just didn't fully understand the process when I first set them up, so for a few other things, I was maybe almost screwed if I couldn't regain access to that one special golden device.

So, no more one special golden device.

"but modern authentication tools have existed for a while now and it's time everyone learned to use them"

It's a nice thought, but overall computer literacy is still highly varied, and it likely will be for a very long time.

We still have a large percentage of users who use computers sparingly and by rote. I have family members who need a lot of help to do day to day setups and are going to have a hard time with MFA devices or apps.

"Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it."

Minor hassle for you. Major hassle for a lot of users. Try real hard to put yourself in the place of a 77-year-old user who has limited sight and only needs to use a computer to accomplish very specific tasks - and has zero interest in doing more than basic email, banking, and a few other things that can only be done online. They have a smartphone only because it's a connection to their grandkids.

Because of the smartphone they're saddled with a Google or Apple ID that they'd otherwise never bother with. A TOTP app or YubiKey? That's well outside their comfort zone.

This isn't because these users are dumb. But the assumption that "it's time everyone learned" is based on the idea that everybody is using computers regularly and has resources for educating them - which is simply not true.

My kids, my wife, and my in-laws all use computers very differently than I do and it's extremely educational how people outside the industry see and use computers.

My 17-year-old only uses a Chromebook for school (grudgingly) and would rather do everything on their phone. My wife is fairly computer savvy, but still hits roadblocks. (She does enjoy forwarding me screenshots of particularly bad Phishing attempts...) And my older in-laws occupy most of their time far, far away from their computer. Singular.

Anyway - it'd be lovely if folks had way more empathy for the huge swaths of people who have less experience with computers. It's not the priority for them that you imagine that it should be.

Scammers and thieves don't care that you're old and scared of computers. Even if you don't think someone is going to want to bother hacking your email or instagram, surely we can all agree that online banks needs to be as secure as possible? I have trouble believing that someone can be literate yet unable to download Google Authenticator and scan a QR code if they really need to. It's just not asking that much. Someone with accessibility issues will no doubt find it harder, but everyone else is going to need a much better excuse. These are exactly the people that are most vulnerable to being robbed.

It shouldn't be up to these users anyway, a bank can and should insist on MFA. I think you'll find most people will figure it out just find once they don't have a choice.

> It shouldn't be up to these users anyway, a bank can and should insist on MFA.

What kind of MFA?

"I have trouble believing that someone can be literate yet"

Several things here: 1) Perfectly literate people can be computer illiterate for many reasons. That you have trouble accepting this doesn't make it not true.

2) Some people aren't literate or are only semi-literate. Many years ago I worked at a bank for about a year, and the bank served a lot of farmers - some of whom had not complete their education and were functionally illiterate. Some of those folks are probably still alive and no more literate than they were then.

3) Some people are perfectly literate in one language, but not fluent in English and user education materials are not available in their language(s).

"It shouldn't be up to these users anyway"

Users are why banks and any business exists, not the other way around.

"most people will figure it out just find once they don't have a choice."

Most isn't all. Not even close. I find the willingness to abandon large swathes of the population really inhumane.

I run a SaaS for what you might imagine would be highly technical, educated clients, and despite this I am bombarded by users who seemingly have never done a Register -> Activation email workflow.

Users are hard.

Really, there needs to be some way to add a secondary key that's in secure storage without removing it from secure storage.
In realm of real hardware security modules this is actually simple, at least in theory. (I worked as a security officer for credit card payment company and we had real HSM boxes worth small fortune each). What you do is you initialise the hardware device with same cryptographic material. You can make as many clones as you want, securely. In practice it is a huge headache but it is due to amount of procedures and paperwork you need to do.

Now, I am not an expert on Yubikeys and the protocols used by these tokens, but I know they have protection against reply attacks meaning they keep the sequence number that is incremented for each challenge/response. Pretty sure it could be made to support multiple keys. It would be really nice if I was able to initialise multiple yubikeys and use them interchange-ably (and keep two in safe deposit box just in case).

They probably asked you for your phone number at the same time....
I did not get asked for a phone number or use SMS 2FA during this process.
Tangent: Instagram managed to lock me out of their service for a week or so a couple of days ago. My browser was signed in into my account, but I have not used it for like a month.

Got logged out. I log back in (using 2FA btw). "Please give us your phone number so we can verify it's you" I enter my phone number. I don't really get the point of this because they did not have my number before, so what are they actually verifying here? Anyway, I trust Facebook with my phone number lol. I get a code, I enter it. "Your account activity is suspicious and we will limit your account for a bit" That was it. No redirect, no link to click, nothing. So I go back to instagram[.]com and have to do the same thing again?

Well maybe my browser is on a block list now or sth. So I go to my phone (where I was signed in). And the App is broken completely, looks like the session was invalidated.

I log out, log back in, do 2FA, enter the code again. Same result.

I checked back in a couple of days ago and it seems like I have access again.

It is unfathomable how this can happen. How can the front gate to your multi billion service just not work to the point where you DOS yourself?

Also this account has 0 images, and just a couple of followers, so there is literally nothing to protect.

In moments like these you really start to notice the missing communication channels to the big tech companies. Is there any other industry that has zero customer support?

It seems like most industries are moving towards no support because "we need to scale at all costs and to the detriment of customers" seems to be the capitalism drumbeat. Customers these days, to many companies, are just statistical artifacts in their system.

I had a case the other day where I called my insurance company. The automated system couldn't understand my answers (I was actually trying to answer the given prompts rather than just repeating "representative" over and over). It replied "it looks like we're having a problem" and proceeded to just say goodbye and hang up on me. More than infuriating, and that's an understatement.

This isnt capitalism. It's more corporatism.

Capitalism responded to market forces and the needs of the customer.

Capitalism also tends toward the mean at the expense of the edge cases.
Yes, companies which have real customer service will in theory have a competitive advantage over companies which have a voice response system that hangs up on the customer.

What often happens though, is that consumers go with the lowest price above all other considerations. Then they get the hard lesson in "you get what you pay for."

It's the same reason that air travel is so awful. You'd think that one or more of the airlines would compete on comfort and service, but that's impossible when travelers go to Expedia and overwhelmingly pick the flight with the lowest price.

I personally don't pay rock bottom for insurance, and I have an agent I can call and talk to without any intervening voice menus. A human in a local office answers the phone.

You pay health insurance out of pocket? I was referring to my medical insurance provided by my company.

I in general try to speak with my wallet, so to speak, but it’s like posting into the ocean. And with some things, like mail and shipping services, there are no options.

That's all semantics, we can't say "Capitalism is when the system does good things, and Corporatism is when it does bad things", the difference is not meaningful since Capitalism leads to/is Corporatism.
Disagree. A robust anti-trust environment would alleviate 90% of these issues. What we are in now (in the US) is an environment of corporate political capture, which is not inevitable, as a similar situation was demonstrably reversed in the early 20th century by strong anti-trust legislation and enforcement.

The companies get away with this because they have massive market power, and they have used the wealth generated by that power to capture our political system.

    Capitalism responded to market forces and the needs of the customer.
Did it? When? I can't name a single era when "capitalism" (a fuzzy term) actually responded to consumer demands in the way that the parent poster described. Whether it's railroad robber barons screwing over farmers, Ford selling cars with an unacceptable risk of catching fire, or Google arbitrarily deleting people's entire digital identities, large corporations have always treated their customers as a collection of statistical artifacts (to quote another poster elsewhere in this thread).
The problem is that there's zero law enforcement against corporation-vs-consumer fraud. Companies have noticed and are taking advantage of it (basic market pressures - if they don't, their competitor will).

Why make it easy for our customers to contact us (presumably to make a claim - ie the whole reason insurance products exist) when we can just pretend it's easy, collect money based on that lie and get away with it?

This makes me worried, because I am pretty sure Google is going to start removing keys based on attestation certificates.

I believe that this is much more about rate limiting than about security for the end users.

I'm sure that they have outstanding customer support. But you, however, are not the customer.
I'm confident they don't have outstanding customer support, even for actual customers (who are not you).

Outstanding customer support would entail expense, threatening profits. The money of happy and unhappy customers turns out to be the same color.

(comment deleted)
Google generally does stuff like that when they believe somebody else had access to your account and made changes. This sometimes involves the attacker enrolling for (their own) 2FA or changing recovery methods to lock you out. So, the action of removing 2FA is in itself not unreasonable.

It's possible that their logic has some sort of a bug, especially if it only happens when you visit a specific service - and in that case, getting on HN might be the best way to get it looked at by a human... but also make sure you don't have any other issues going on.

Removing security keys that have been registered for years is very unlikely to be the right move even if my device has been compromised, as they are one of the most reliable ways I could prove I am the original account owner at some later point.

If the message had stated "We have removed recently added security keys" I would be a lot more understanding!

If you had your recovery keys stored in a note on lastpass you might have wanted to rotate those as well recently.

Yeah, in theory those recovery keys should still be secure, but you know for certain that a hostile attacker has the encrypted secure note, and without any confidence in lastpass it makes sense to change them as well.

Unfortunately this means you look exactly like someone doing an account takeover and changing the password and recovery keys on the account.

Thanks for the heads up.

I don't use lastpass, but if I did I wouldn't have to because this "Just to be safe" process also reset/removed the recovery keys.

> registered for years

Right, that's likely the "bug" part. On HN of all places, people shouldn't be surprised that bugs happen.

Unfortunately due to a lack of customer support posting here gives me the best chance of getting it fixed!

If google had working support flows I would not have written this up or posted here about it.

A few years back I lost access to a different google account as the recovery phone number was a landline and google was trying to send SMS messsages to it. I had the right password but it thought I was suspicious and insisted on SMS verification. I never managed to reach a human to get something done about the issue.

> Unfortunately due to a lack of customer support posting here gives me the best chance of getting it fixed! > If google had working support flows I would not have written this up or posted here about it.

They do, you just have to pay for that privilege via Google One.

If you are locked out you can't access Google One's support.
My understanding is that you can always call them, even if your account is blocked.
I don't have it but it looks like you have to initiate the call from the Google One page and they call you, they don't have an inbound number.

Googling "google one phone number" did show me a potential scam result in the infobox at "gooogle-live-personn" on google sites that obviously isn't official. You can't make this stuff up.

Went ahead and escalated this one internally. That's pretty bad.
That page is weirdly interesting to me. It's hosted on sites.google.com which was probably one of the worst ideas google ever had, security wise (yes mom, always make sure the page says Google.com - but not sites.google.com). It's clearly one of those blog spam page types, with the same 3 bits of information repeated over and over again. It does not have any clear phishing links, in fact it tells you to open support.google.com in your browser without a link. One of the number it links it's the official adwords support number (https://support.google.com/google-ads/answer/7218750).

Only after all of this it links to another number, which from what I can tell is a scam phone center which will offer to help you with your account for some money. I really wonder if they're betting on everything else being so hopeless that a person will eventually try to call this other number after trying all the other options before.

It does tell you something about Google support if scammers can do that...

> getting on HN might be the best way to get it looked at by a human... but also make sure you don't have any other issues going on.

Wait, why are we normalizing this? Getting on HN is always the second-best way to get it looked at by a human. The best would be, you know, Google devs doing their job and helping their users instead of solving LeetCode or writing their next promo packet or whatever it is they do all day.

I'm not a big fan of this trend where Google and other companies are essentially outsourcing their (horrible) customer service to this message board.

I mean I'll still upvote the post in case I need to invoke this terrible fallback in the future, but I think it's reasonable to grumble about it.

To their defense: given the company's business model, there's probably no other way of handling it. They make money at a massive scale, and as an individual user, you're not worth enough to provide customer support - or really, any special consideration.

The problem might be the business model itself. Google is not attached to any one of its billions of users, but they can cause a lot of pain if they randomly cut you off - especially in a world where email is essentially online identity. But then, I'd wager that a good 90% of us are employed in places that want to replicate that model at any cost... glass houses and all.

Were you using a VPN or something? I’m curious if this was tripped by setting off impossible-travel flags or something. It seems plausible that this is just anti-account takeover logic working as-expected, but with a false positive alert.
Anti-ATO should not clear out security keys that have been registered for a long time. If suspicious new keys were added, it should clear those.

From the audit log in my email no new keys were added before this was tripped.

I am not using a VPN and as far as I know I am not doing anything unusual. I might be committing the crime of having a Linux Firefox user agent but I somewhat doubt that was the problem, that's not that unusual.

I was hoping that using hardware keys would eliminate some of the security hoops that we have to jump through. And it does seem to help. But the whole reason that I have a key is so I do not have to supply my phone number, and I have a more trusted way of proving my identity, even if I am connecting from an unusual location.
I had a similar experience recently when setting up a new TCF TV for my mother. I didn’t see a “was this you?” email to her Gmail account after logging her in to Android TV, and within hours her password had been invalidated by Google. The message when trying to log in at gmail.com was “Your password has been changed in the last week”, which caused me great concern and an hour or so changing passwords, etc. If the message had said “Google invalidated your password” I’d still have been pissed, but at least not panicked.
Google twice removed my password from my Google account... i.e.: I could not login even with the correct password.
Personally, just to be safe I have ceased to use many "big name" services, preferring for instance to have my mails locally, paying a service (not that much) with a hotline... My personal policy is: if I can't phone them, if I have no local registered office to contact in case of need, if I do not have my data locally in usable forms, that's means is not safe for me going with them.
One of my personal rules for life is that wherever possible I avoid businesses which are big enough to have call centres, especially if those call centres are in another country. Obviously that's impossible for a lot of things, but I try. The small local ISP I use, for example, is totally worth the additional cost. I can call them, and there's no "press 6 for support, your call is important to us" nonsense. A couple of rings, and I'm stright through to an expert who has the knowledge and authority to fix my problem right away.
》As google has no support channels I can use, my only recourse is to write this blog post and hope someone sees it.

By 2030 we will need to build a social network with at least 10k users to get some attention from the Gooverlords.

Articles like these (which can generally be grouped under the "what the hell is Google doing with my account and my data, and why can't I reach out to a human to get out of this Kafkaesque nightmare?") are popping on HN on a daily basis.

I've previously been reported for commenting on a previous article that Google is a faceless company that produces shitty products and it doesn't actually doesn't give a shit of user experience, negative feedback nor deleting/locking accounts (and, often, years of work) for no clear reasons.

Somebody responded "on HN we often hear only one side of the story (people getting a negative experience with Google) and not Google's side".

So, since many Google employees are also here on HN, I ask you folks: do you have any words to say in defense of these crappy policies?

If yes, then I'm happy to change my mind about Google, and eat back all the countless offenses I've thrown at the company over the years if convinced by enough plausible arguments.

If no Google employees can come here (or, even better, directly reach out to those impacted by their bad decisions) and defend their policies, then I abide to my words: Google is a shitty company that produces shitty products, it is proud of being a faceless company that doesn't care about supporting users (even though it makes a lot of money out of their data), it makes horrible business decisions, and it leaves people in the dark when locked out of their accounts. Such companies, in a healthy market with enough competition, deserve to rot and fail and be mourned by nobody.

I think your commentary is unfair; they make great business decisions. They realize that the benefit of fucking over a few users here and there is outweighed by the cost of helping them.

And people that matter have a back channel via employees or account reps to clear things up.

So in order to get a chance to be heard either you need a backdoor to a Google employee, or you need to be on a business account.

Therefore, unless you fall into one of these categories, you probably shouldn't use Google products - or, even worse, rely on it for sensitive things such as your emails, your photos or your work documents.

I would assume that it is mostly Google engineers on the site, and they do not have any link with these policies nor provide any information (either legal clause or simply that they don't know).

Not to play the devil's advocate but Google is still a great research company, helping the open-source community and the tech industry.

Not a Google employee (any more) but familiar with the culture from past experience.

The mindset is that the company's costs must scale non-linearly against revenue for the company to survive. As a result, engineering solutions that require zero humans are preferred over hiring humans. Sometimes humans are acceptable in the short-term (usually if it results in more revenue).

Why do employees allow company leadership to allow this to happen? Internally, I think stuff like this does get raised and actions are taken to address the "bugs". But I think there is also an attitude that Google is not going to change course because they believe this is a better approach in the long run. "What's a few inconvenienced users when you can solve problems for a billion+ people??"

From a business perspective, I can understand it. From a human perspective it sucks.

Great so when something like the recent LastPass leak happens and I go in and cycle my password, 2fa and backup codes out of simple precaution Google is going to perhaps mark that all as suspicious and undo it for anyone who might come along and pretend to have lost access to my account?
Its a surprisingly risky to update your login credentials. Users do it so rarely its perceived as suspicious even when it comes from known IPs and everything else looks healthy. Given its Google if it goes wrong you loose the account completely. Its insane you have to weigh up the potential consequences of doing the right thing for security but that is how Google has set the system up.
This happened to me on Instagram. I changed my password then logged out to test it. When I tried to log in, I received a generic error. I Googled the message and it appeared to be a “temporary” IP block and people claimed it should work in 24 hours. So I tried the next day, same error. I left it a bit more and came back 3 days later - same error. I then turned on my VPN and was immediately able to log in. So the IP I’ve been using for 2+ years, the one that changed the password, on a known browser, is blocked. But a random IP Instagram has never seen before? No worries!
We need a general solution to reestablishing authentication.

The hard-line solution would be that you go to a post office, airport, police station, motor vehicle office, passport office, or bank, they take your fingerprints, picture, and a retinal scan, you get a new ID card and token, and your old ones are invalidated.

The US just pushed the date for REAL ID enforcement further out, again. This time from spring 2023 to 2025.[1] REAL ID terrifies illegal aliens. Once everyone legal in the US has one, getting a job or traveling will be much harder.

[1] https://www.cnn.com/travel/article/dhs-real-id-deadline-exte...

It's already illegal to hire illegal aliens. Why will REAL ID change anything in that regard?

Employers who disregard the law now will continue to disregard the law.

> It's already illegal to hire illegal aliens. Why will REAL ID change anything in that regard?

It's hard to enforce that when there's no easy way to prove someone isn't in the country legally.

How does Real ID help prove that someone who doesn’t have one isn’t here legally?

I am here legally and renewed my license since my state offered Real ID. I still got the old “Not for Federal ID” license. If I show that to someone, does that somehow prove I’m not here legally?

If you represent an expired or otherwise invalidated license as legitimate proof of ID then that's fraud. I'm sure a sufficiently dedicated citizen can find a way to pretend to be here illegally, but as long as you're not going to mix up a reasonable law-abiding citizen with an illegal immigrant you can arrest them and sort it out afterwards.
I have literally no idea what you’re talking about.

My state offers RealID now. When I renewed last year, I received a valid, current, expires in 2026, drivers license that is not a Real ID/is Not for Federal ID. (I’m a citizen.)

Are you trying to say that Real ID makes it easier to prove someone is here legally? I agree with that.

P => Q does not mean that (not P) => (not Q) ∴ RealID doesn’t help prove someone is not here legally.

Businesses just ask for a social security number, and a random one is provided.

So they can plead ignorance.

No, they are supposed to ask for documentation, not just a number.

https://www.uscis.gov/i-9-central/form-i-9-acceptable-docume...

That's if you're hiring an immigrant as an immigrant, not as something who pretends to be a citizen.
No that's incorrect. I-9 verification is for everyone including citizens. Basically you need to show proof that you are legally allowed to work in the US which also applies to citizens. Source: I am an employer.
My bad. I wish I could delete my comment now :(

I think I saw it's USCIS form and jumped to conclusion...

Enforcement is weak, and there's strong political pressure to keep it weak.

"You may NOT require your employees or potential employees to use Self Check or myE-Verify under any circumstances. Requiring applicants to provide proof of their employment authorization before they accept an offer of employment is known as “pre-screening” and it may constitute a violation of the anti-discrimination provision of the Immigration and Nationality Act. You may not require an employee, once hired, to use Self Check or myE-Verify. Use E-Verify to confirm a new employee’s work authorization."

[1] https://www.e-verify.gov/mye-verify/self-check/employers

It won’t stop cash transactions, but it will hinder inter-state movement as generally give police an extra reason to detain somebody.
It depends on state to state. In California, you can get non-REAL ID if you have at least one form of ID (i.e. passport from another country). Doesn't matter whether you're documented or not.

REAL ID looks different and essentially proves that you are not undocumented.

Visually, there used to be no difference between ID for undocumented and documented, so you can travel freely. My immigration lawyer recommended against traveling to AZ with that ID.

Not sure what it changes in terms of hiring. Even with REAL ID after background check, I had to submit proof that I'm allowed to work in this country.

(comment deleted)
Amazon uses Whole Foods for returns. Apple can push to all your devices for MFA. Imagine the impact on perception of google customer service if they deployed support kiosks to grocery stores.
Tying commercial account unlocks to governments feels like a terrible idea.
That sounds like a one-way ticket to a police state.
Yea. To say nothing about the abuses possible if the US was in charge of the account unlocks for American citizens, picture for a moment if the Russian government was responsible for unlocks for Russian users of Google.

And then there’s the question of how the heck you scale this if you’re a new company and want to handle unlocks for global users.

It sounds like a one-way ticket to not being frustrated at the government and inadequate, duplicated, pointless state ID processes.
What checks and balances would be in place to prevent government from abusing control of national ID? How long do you think it would be before you were required to provide national ID before creating an account on the major social media outlets, accounts that they would ask the outlets to lock when they don't like the speech (as they literally just did with Twitter)? How long would it be before they used that ID to lock people out of their bank accounts, like they just did in Canada and regularly do in China? How long before you have to present that ID at checkpoints, and they use it to limit your travel, as they would have during the COVID lockdowns?

I don't want to live in a police state for the sake of "convenience", and that's exactly what people in power would do if you let them.

Real ID is terrible, and I am a perfectly legal not alien nor criminal.
(comment deleted)
Not meaning to hurt any feelings here, but are you aware that people in Sweden have been filing taxes, accessing medical records etc. online for years with the help of nation-wide https://en.wikipedia.org/wiki/BankID ?

As for REAL ID, it just seems like a requirement for the plastic ID, which seems to be weaker than the old EU requirements https://en.wikipedia.org/wiki/National_identity_cards_in_the...

Not meaning to hurt any feelings here, but have you ever tried explaining to someone in rural Texas that you really think that a Government issued ID with which your taxes and medical records can be easily tracked is a good idea?

Federalism in the US, a large section of the population that has no intent to travel outside the country, and general suspicion of the Government in a lot of states means that there is a patchwork of different IDs with different requirements, all of which are perfectly valid for their own jurisdiction. Real ID is just a way to set a basic standard for this kind of ID that will be required for (mostly interstate) air travel.

A better analogy for you might be a European ID. Get back to me when you can file taxes and access medical records anywhere in Europe using the same ID. (I half expect someone to pipe up saying that this is indeed possible and make me eat my words.)

Unfortunately for the Texan, this information is already being tracked. I imagine it’s easy for the government to do so.

It’s just harder for the Texan, and for every single other person in the country, to interact with the government. National ID would even save government resources! Imagine all the duplicated state processes and spending that could be eliminated! Imagine the various political arguments about voter ID that wouldn’t even matter if every single person was assigned an ID for free at birth.

Google support bot requires HN Google account nightmare stories to reach 1000 points or be posted by paulg before they are addressed.

(FWIW I addes YUbikeys to 2 old long-term Google accounts about 6 months ago and they are still there. I did do this from the home location I usually use Google from, though.)

Unfortunately for my hopes of getting this fixed, this post started getting flagged after it sat at the number 1 spot earlier today, or maybe Dang bumped it down because there are too many google support posts.

:P

(comment deleted)
February this year I migrated my Mojang (Minecraft) account to a Microsoft Account, which I created solely for this use. I played a bit on a local world with just myself. The account had a unique, secure password and was secured with TOTP 2FA when I set it up.

I recently tried to play the game again but was told I had to login again. Doing so locked my account because it had been used in ways which violated Microsoft's ToS: hacking, phishing or scamming other users. They demanded my telephone number before they'd allow me to use it again.

I basically consider this account and the game lost now. I didn't buy this game when it was owned by Microsoft, but will never buy anything from Microsoft which requires me to have an account with them ever again.

Iirc that's a common occurrence. For some reason Microsoft really wants phone numbers associated with accounts.
They did the same thing to an account I used to access Bing Webmaster Tools. Instead of giving them anything, I now actively move friends and family away from Bing. Not that many of them used it in the first place, but now there are none left as far as I know.
Yeah that was a frustrating experience. I caved though, but they also didn't like that I was using a phone number already associated with an account that I use for office... I didn't want them to be the same account.

Tangent, after giving in to the phone I became more disillusioned with Minecraft as 1) MS appears to have canceled a 3rd installment of music from C418 over licensing issues (C418 wanted rights) and instead got some new artists whose music is good but doesn't fit the nostalgic vibe and seems played more often as well as with regularity in certain scenarios (previously it was fully random) and 2) classic case of S****horpe censoring and bans, applied to inoffensive words, peoples names, other languages, private servers, peoples pre-existing user name, even within commands, etc...

(comment deleted)
What Phone are you using? IPhone? Android? Unless you have no phone or a pine phone, can you expand on why is is ok to have an apple or google account, but not a Microsoft Account?
I noticed recently I couldn't use my 2FA key to get in to Google, but I never got a notification about it. Don't know when it was removed or why but was annoying getting back in (especially as text verification was a disabled option for some reason), and then setting it back up again.
This 'just to be safe' procedure happens when Google thinks a bad guy is logged into your account. The bad guy might have changed the password, changed the 2fa, stolen login cookies or other malicious things.

What Google ought to do is to display a message saying:

* Google suspects someone else, or a virus, has access to your account with malicious intent.

* Google will help you secure your account.

* It is necessary to prove you are the legitimate account owner before we can allow you access to the account. To do this, we will ask for you to log into the account with as many possible devices and methods as possible. Into each device you should type '7867' after logging in.

* We ask this because a malicious actor or virus probably will only have control of a few of your devices, passwords or security keys, so we can identify you as the true account holder because you have more.

* We will then lock out the malicious actor, and you can change any passwords or security keys they used. If one of your devices was used by a virus, we'll block it until you have reset it.

Google have locked my account after I travelled to US. After that day, I have never used Google. Currently, there is no way to access the account.

Thank you Google for making my account "Safe".

Phone was stolen while traveling and I needed to log into my account to get my flight information. Google wouldn't let me log in from a new computer even though I don't have 2 factor setup. I had to use my 'recovery e-mail' to confirm an e-mail just to login, and that other e-mail address also required a 'recovery e-mail' to login. Luckily my 3rd e-mail down the line of recovery e-mails was at a website that didn't require a recovery e-mail, e-mail. The steps it took to just log into my account without 2 factor enabled was insane. It was a miracle I was able to do anything at all after having my phone stolen.

Edit: note I luckily had memorized all three passwords to the different e-mail addresses or I would have been up a creek.