Tell HN: It is impossible to disable Google 2FA using backup codes

657 points by gravitronic ↗ HN
I would like to inform the HN community, if your plan to recover your Google account in the event of losing your phone is to use a 2FA backup code, or SMS recovery, to remove the old 2FA setup and set up a new 2FA code, that that may not be possible.

My situation:

I had 2FA set up with my Google Account through Google Authenticator.

I lost my Google Authenticator settings when I broke my phone.

I have 2FA backup codes. These successfully log me into my Google Account.

In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google.

When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.

What am I supposed to do in this situation?

Yes this is a classic "maybe I can get support through public shaming" attempt. Thanks in advance.

351 comments

[ 5.5 ms ] story [ 402 ms ] thread
I do recommend toget 2fas.com asap and export your codes to iCloud/G Drive.

If you lose the phone its easier to recover.

Yeah, apparently that 2FA handshake is crucial with some providers. I was not expecting this, I thought careful management of my 2FA backup codes would suffice!
Side-comment: is there a type of shadowban with HN where my posts do not make it into the frontpage, even 2 or 3 or more pages deep?

I've seen this with a few of my posts recently where they appear in the 'new' and 'show' or 'ask' tabs, but not the frontpage.. even 300 posts deep while similarly aged and upvoted posts are on second page.

edit: now it's on the frontpage! Guess it just had to hit a vote threshold.

I clicked into this off the front page.
Just updated my comment, I guess there's some other criteria or age to hit before it gets ranked.
I believe that text posts are ranked lower than links.
I hate current popular implementations 2FA and similar IT fads for this exact reason. They are inherently insecure, and any security professional who pushes them without serious thought through all the failure modes should be blacklisted from the industry.
Competently administering 2FA essentially requires human intervention to handle the "I lost all my credentials" case because it will happen with probability 1 eventually. Workplaces can do this because you can call IT and have an already established identity based in the real world.
100%. I've never had any issues with IRL 2FA. If I lose or damage my CAC card I can go to the ID card office with a different photo ID and get a new one with new certificates and set a new PIN. My old certificates will be revoked.

But that's not what's currently popular. What's currently popular is just to check a box with some poorly thought-out system and screw anyone who ever loses their phone number or 2FA device. That's dangerous and unprofessional.

The problem with this is that we are talking about pseudo-anonymous signup for websites. They can't go back and verify the credentials you used to create the account because you didn't provide any. But if this is the case then the help desk is a major security vulnerability, since just anybody can claim to be you and take over your account. The help desk has little to no way to actually verify your identity.

At the very least if the helpdesk does reset your account, there should be a 48 hour lockout and a message sent to the account allowing the owner to dispute the change. Yes it is inconvenient in cases where the actual owner lost all of their login credentials, but this is hopefully rare.

This isn't a security flaw, this is incompetency. Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.

This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.

Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.

(comment deleted)
>Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

You would think that using a backup code would prompt a "Do you want to alter 2FA?" work flow since the user is already at the 2FA has gone wrong point.

I'm sorry, but when you lose control of and access to your data, but someone else has control and access, that is a security flaw. There is no meaningful difference between broken 2FA and ransomware.
Passwordless is going to make this even worse - there's no migration path (yet) from platform ecosystems to each other. I've not seen any serious progress on how to switch from Apple to Google, which doesn't involve doing things one by one, site by site.

And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non technical end users, for whom password reset processes might even be the default route of access.

2FA is any two of what you know, what you have, or who you are.

It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.

Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.

How do you get the recovery code? You show up at Whole Foods or Kohls or eventually even to an Amazon Hub Locker and prove your identity with a photo ID card. You're then provided a recovery code linked to one of your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.

A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)

It would be useful if people went to their Google Account page, clicked the Security tab, then tried to access the Two Factor Auth page and reported back what options they had to authenticate. Do you have options other than "enter a two factor auth code"? Can you authenticate on that page with SMS or a backup code?
Using the Google app on my Android phone (stock, unrooted, GPlay enabled), the Security, 2FA link launches a WebView screen. It has my username prefilled. When I click Next, I'm given a failure page saying "This browser or app may not be secure". The Web View app is up to date, version 108.
Wow, that's.. even worse than my experience.

It would probably work if you used the official browser, it's not a bad idea for the website to block webviews. But pretty funny that their app uses a webview which the service then blocks.

And that is why I utilize the "very secure" flow of also keep the original qr codes ... in a keepass vault, but still.

Most of the security is theater. On the other hand I think that every tech savvy person should at least try to keep the TOTP seeds.

Good idea! That had never occurred to me before this incident.
You have to take a photo of the screen on another phone, Google disallows you from screenshotting them.
Just use a different 3rd party authenticator app
Really? At what point do we blame the victim because this is so obvious to me.

I keep the TOTP and only sometimes keep the backup codes

I avoid the issue created from losing my phone, because the next device can generate codes immediately by importing or scanning the TOTP

I also don’t call it “2 factor” I just call it “one time passcode”

Nothing is "obvious" in tech any more, because there is simply too much. Two "tech savvy" people will often each have things they think is "obvious" that the other isn't familiar with.

And this isn't even a good example of something that is "obvious" to some people, because Google makes it very, very clear that saving the QR code is NOT a backup option. It is labeled only as a mechanism to transfer to a new phone, so one has no reason to believe that it's non-ethereal. Further, the app disallows taking a screenshot. You have to point a camera at your phone. It's mind-blowing to suggest that it might be appropriate to blame the user for not doing this.

all TOTP is the same

it doesn't matter what Google says is normal

is this really people's only experience with TOTP delivered via QR codes?

I would love to save the QR codes, but Google bans screenshots in the Authenticator app.
Other apps will reveal the underlying seed string. No need to deal with QR codes after scanning them once.
Take a photo with a second phone/webcam?
Auhenticator has an option to generate back up codes. it creates one or two QR codes that you can scan in a new Authenticator app and it will clone all of your accounts.
Good luck trying to save those QR codes, though. I had to resort to pulling out my DSLR to take a photo of my phone with them.

All screenshot/print/save functionality is disabled when you have the codes up on your phone.

You need an actual camera on a second device to save them in most cases.

Not true, I just did it a few weeks ago when moving to a new phone. Just screenshotted the backup QR code and when I got my new phone later I used the screenshot.
At least on recent Android versions, it blocks you from screenshotting it, FWIW.
Not in iOS, apparently. I recently printed out my QR codes by screenshotting Authenticator's export screen on an iPhone. I just tested a moment ago and it still works.
An app can deny access to take screenshots in Android. In iOS, there's no way to deny screenshots, but apps can be notified if a screenshot is taken. What the app then does with that information... you may not know ahead of time. Be careful out there!
If you're on Android, get Aegis. It's better anyway and you can export backups.
Doesn't keeping the seed remove the whole point of one time passwords?

If an attacker steals at TOTP, its only good for (I think) less than a minute. If they steal the seed, its good forever.

the point is to have a second factor

which isn't really destroyed by having a printout of what you entered onto your phone somewhere secure

(now if you store both in your password manager: that completely defeats the point)

It doesn’t.

The threat model is someone gets your password, not somebody gets access to your password manager.

If the latter is your threat model then yes having your 2F in there is worse, but really the former is the more common thing to protect against and the tradeoff of not having 2F in your 1Password and getting locked out because your phone breaks is worse than the risk of having it in there.

It’s similar to the tradeoff of having a nano yubikey always in your laptop or a large one on your keys. For most people the nano is better (though you should have a second one in either case)

If you're using a password manager, you probably have one-time secure passwords, so the only probable way someone gets it is by stealing your password manager.
Er, not one-time use passwords, I mean the password is only used on one website.
This isn't accurate - they don't get access to multiple stuff.

- Site0 leaks your password because they store it poorly.

- It's just one password, but it's still leaked.

- You have 2F in 1Password so even though it's picked up in an account list the attacker can't login.

- Weeks later you learn there was a breach.

This is the common case for most accounts and breaches. Though the sites most likely to leak are also ones unlikely to have 2F so it's not perfect.

So the attacker gets access to the plaintext passwords but not the rest of the database or the ability to skip the 2FA server-side, and the site doesn't notice. Guess I can see that happening still, since the password DB is likely separate.
Well, we should move to multi-party computation when you can distribute secrets between different devices with redundancy and security.
I think that’s the point, and why “very secure” is quoted.
Vaulting the seeds is fine - IMO.

They aren't accessed often, are not used during your normal login flow, and provide you a recovery mechanism that actually works.

Yes - you should store them as securely as you can, but I'd say this is better than disabling 2fa entirely, which seems like the other sane approach.

> Doesn't keeping the seed remove the whole point of one time passwords?

You need to keep the seeds anyway to generate OTP codes. They are just keeping them in their vault in addition to keeping them in their OTP app.

As long as those storage methods are sufficiently secure, it's not a problem.

Yes. A lot of the common solutions to making TOTP more user-friendly defeat it. You might as well just use single-factor auth with a strong random password stored in your manager, which is what I do.
In Bitwarden you can just store the key itself and it'll generate the codes for you, right next to your password, so convenient!
I expect the "so convenient" is sarcastic, but yes it is more convenient and also more secure.

It helps to consider the threat model. 2FA is protection against (at least) several things: brute-force password guessing, a stolen password, a hijacked email account, etc. Since password vaults like bitwarden are designed to be uncrackable on their own, the only plausible way for an attacker to compromise one is to gain control of the user's device, at which point they don't really need access to the vault because they don't just have the keys to the kingdom, they have the kingdom.

Any technology that allows users to add security to their assets while still being convenient enough to use daily, leads to greater security overall.

Personally I think we're about a decade or two overdue to switch away from passwords (as currently implemented) and towards public/private keys managed by the browser or an extension, but I don't see that happening anytime soon as it's 100% certain that if it's ever tried, each FAANG will just try to push their own system, break the whole effort with fragmentation, and everyone will still just be using passwords in frustration for the next 100 years.

What's the word, tongue in cheek? I meant it sincerely but phrased in a sarcastic tone. I unironically do this and it's saved me from two phone breakages. I cannot understand how anyone would trust any of their accounts to a single physical device that is routinely lost, stolen, or broken.

My 2FA token is just a second password that doesn't get sent over the wire directly -- it's almost like a private key where you auth via challenge... wait a minute, thought you could sneak PAKE on me?!

I have a spare cheap android phone with Google authenticator. I export accounts from my primary phone to this phone every quarter or so as a low tech backup.
> What am I supposed to do in this situation?

This. Support systems in the world post computers eating everything is basically HN posts.

When I had a self-inflicted issue with my non-Google email service I context support and has the issue resolved within a couple hours.
How does one contact support? Every path I've tried leads to a support community forum. I haven't tried posting there yet as I assumed it was a black hole. Are you saying that that works?
He said non-google. There is no decent support from google.
Maybe the next million new jobs is just rebuilding a reasonable level of customer support at all tech companies, funded by modest usage fees. $5/mo, $50/yr, or $500 for lifetime guaranteed permanent access so no lockouts are possible, I would definitely pay for Gmail or an equivalent service. And there are people who I’m sure would pay much more.

Another short term option: $500-1000 right now to get a couple hours of support to unlock an account.

High fees mean that most people even in places like the USA cannot afford it. Would be nice to have modest customer service options for everyone.
That’s expensive.
Won't somebody just think of Googles pocketbook. The only way they can stay afloat is telling people to go fuck themselves when Google messes something about their entire online identity up, clearly.
Or people could pay for the Workspaces account which come with support.

Basing someone’s entire online identity on a free account has always been pretty sketchy. We just haven’t come up with a better plan for most people yet.

Maybe, alternatively, this is just an indicator that ad-based "free" services aren't really realistically economical and we should all be paying google 50c/mo for our email addresses.

Also, I think it's unreasonable to accept "support just sucks now" as a norm - consumer protections exist to shield us from BS like this and the US has been far too lax in flexing those muscles lately.

Gmail is the ultimate root of way too many services for me, but I don’t really see any alternative. For example there are lots of nice paid services out there that look great, but eventually I’m going to forget to pay, or the company will go under, or whatever.

IMO we need USPS email addresses for the same reason we have mailboxes. The ability to be contacted digitally is just table stakes nowadays.

> For example there are lots of nice paid services out there that look great, but eventually I’m going to forget to pay, or the company will go under, or whatever.

Right, that's why I think there should be an option for a $500 permanent email address, or maybe $50 one-time payment that doesn't guarantee permanent access but does guarantee that the email address will sit there as long as it takes for you to be able to pay to restore your account, without being deleted or reassigned.

Purchase a domain and use your registrar's SMTP and IMAP servers. I have been doing this for about 5 years now and it feels great. I get to pay annually for a bundle of related services (domain, DNS, email, ...) instead of freeloading in a place where I'm the product and there is no support.

You could also purchase a domain and point MX records anywhere, preferably at some known-good mail service which you pay for.

You don't need to use your registrar. I'm grandfathered in with free G Suite, but there's other services that can do this on the cheap or free.
How grandfathered? I had a customer recently whose small business was "grandfathered" into G Suite's free plan... until Google started choking back hard on what features were available.. The free plan still exists but they were essentially forced into buying a subscription.
> I would definitely pay for Gmail

You already can. It’s called Google Workspace and comes with support.

Maybe the next million new jobs is just rebuilding a reasonable level of customer support at all tech companies, funded by modest usage fees

This already exists.

It's why if you have a certain bank balance, when you call the bank a human in your own country picks up and speaks to you in your native tongue immediately. And if you don't have a certain bank balance, you sit on hold for 90 minutes and are repeatedly told how important your call is.

That's called competition. Banks interoperating with each other means competitors serving different segments of the market can spring up.

Google does not interoperate and effectively has a monopoly on web search, web video (YouTube) and is one of the two evils owning the mobile market (the other being Apple). There is no way for a competitor to emerge because it just wouldn't be able to interoperate with any of these services.

Buying Google One entitles you to general Google apps support.

https://one.google.com/about/support

My comprehension of the actual costs of the infrastructure required to run those services leads me to believe that Google One is essentially insanely overpriced. Perhaps it's due to high service needed customers self-selecting for the service or it's just price gouging - but the pricing for that is well above what such limited cloud storage offerings normally cost.
I have Google One and tried their support once or twice but wasn't impressed. I strongly doubt their ability to help with any somewhat technical question.
Does this really grant access to tech support for weird access issues like the OP?

Because if so, it’s cheap insurance at $20/year.

Allowing customer service to bypass customer auth requirements is just weakening your system. There will always be a CS agent who is bribed, makes a mistake, etc. And besides, the agent following a flow chart has no better info to make the decision on than a computer.

Instead the auth requirements should be sane from the start, well publicised, and make a good tradeoff between letting bad guys in vs locking the real owner out.

There should be options beforehand to adjust the balance (eg. enabling 2FA).

To prevent lockouts, there should be some time-based weakening. Eg. if you are trying to access your account, and know only some of the required auth info, and have been unable to for 1 week, and, after blasting messages to every associated recovery phone/email address nobody else does either, then you should be allowed in.

That solves the classic "my house burnt down with my phone in. All I have is my email and password, but I have no devices left, no backup codes, no access to my phone number, nothing" case.

In this particular case I feel like it's a bug that backup codes are not treated as secure as 2fa codes, and that I need explicitly a 2fa code to disable 2fa is just broken (in my specific case)
Right? Backup codes should be considered the most secure overrides for the other resources. What's the point of them being "backup" codes if you'll need something other than the backup for a break-glass event?
It definitely seems like a 1FA backup instead of a 2FA backup in your case. :(

I used this horror story to move to Aegis from Authenticator and make an encrypted backup copy of the OTP vault, so thank you for posting. FWIW.

> Allowing customer service to bypass customer auth requirements is just weakening your system. There will always be a CS agent who is bribed, makes a mistake, etc. And besides, the agent following a flow chart has no better info to make the decision on than a computer.

This is true, but OTOH there will _always_ be edge case scenarios that no one anticipates until they actually happen. Or maybe someone did anticipate, but they were drowned out by the other voices in the room saying "that can't/won't happen," so it wasn't included in the requirements. What happens when a customer encounters a problem that doesn't fit neatly into one of the user journeys that the product team planned out? Are they just shit out of luck?

> Allowing customer service to bypass customer auth requirements is just weakening your system

I disagree, in regulated industries such as banking this is a solved problem. A combination of onshore staff, good career prospects, pay and working conditions and audit logs means I haven't heard stories of bank insiders breaching into accounts to steal. I'm sure it happened but nowhere near as frequently as fraudulent SIM swaps for example.

TLDR: don't outsource your customer service to the third world and you're already 80% of the way there.

I suspect that the level and sophistication of attacks on the banking sector is far lower than equivalent attacks for data/accounts.

In general, if you break into someones bank account and transfer money out, that money can be traced by authorities. In almost all cases, that money is recoverable by the government, even if individual banks like to shrug and tell the customer it isn't recoverable.

If you break into someone's email and steal their private info, it can't be traced. That makes the latter much more attractive.

That or embarrass the company publicly in front of your large twitter audience
Completely agree! Especially in consumer. I have two situations that are still unresolved.

1. Getting un-banished from Google ads after a failed credit card charge. No one will tell you why, appeal form doesn't tell you why and eventually I figured out a there had been a failed credit card charge 2 years ago.

2. Recovering a Facebook account with an email-password reset. The profile was frozen after it was hacked and all of a sudden a 5 year old phone number is required to unlock the profile after the password reset. --> Help page to submit a petition still tries to send you to login flow.

How can there be no way to talk to someone?!?

TOTP is bad 2FA. Google supports U2F security keys. Use them.
If you lose your U2F security key, are you sure you'll be able to remove it from your Google account? Because what I'm experiencing right now is that they support TOTP and you can't remove it if you lose it..
Yes, I lost a key 6 months ago and removed it from my Google account. I have multiple other U2F keys also registered.
Having those extra registered I think is the missing bit. The OP could have also registered additional 2FA methods, but didn’t thinking backup codes were as advertised.
Specifically you need multiple registered keys, to prevent this current situation.

But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

When it's e.g. a corporate-controlled account and your IT desk can just reset it to "password123!" to let you back in, it's quite a good trade-off. When it's your main email, i.e. your primary online identity, losing access is kinda a big deal, and Google has famously bad support.

I used to do this but it was a hassle to set up. I can't imagine a normal person (less interested in tech) to use this.
How does it work if you have 3 Gmail/Workspace accounts? Do you need multiple keys for each account?
The keys can be used on any number of accounts.
> But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

But that's not even the problem here. OP has the "what you have". Just because the secondary authentication device is made of paper doesn't mean it's any less valid. But google is rejecting it and demanding the lost device.

More moving parts means more failures (as demonstrated), and in this case what they have has a (possibly very short, depending on their upcoming needs and how Google decides to re-verify them) time limit until they no longer have it.

So... sorta yes, sorta no. What they have is a ticking time bomb which goes off at the whim of a company that clearly does not care about them. That's not really "an authentication device" that anyone would willingly choose.

> TOTP is bad 2FA

How so? The only downside is that you have to glance up and make sure you're on a google.com domain before entering it, in exchange for which you get massively simpler implementation, a wider variety of options, and the ability to back up token if you really want.

"just glance up at the address bar" is not phishing-proof, and is failure prone.
Oh my god. 2-Step verification on your Google Account is actually less secure than not using it at all.

I just posted about something similar maybe 3 months ago?[1]

> I kid you not. Google's actual official answer to this is... create another account![1][2][3]

> Edit: Now that I have your attention:

> PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.

> [1]: https://support.google.com/accounts/troubleshooter/2402620?h...

> [2]: https://support.google.com/accounts/answer/7682439

> [3]: https://support.google.com/accounts/answer/7299973

[1]: https://news.ycombinator.com/item?id=33692942

I have 2FA backup codes! They let me log into my account! But using only backup codes, I cannot remove the lost 2FA. So now I have 8 consumable backup codes and after that I will not be able to access the account.

To remove the lost 2FA, I need a fresh 2FA code. No alternatives given.

Time to repeal 2FA. I can't believe it's required for SOC2 type 2 compliance.
2FA/MFA isn’t the problem. Google is just a pain to deal with when their products don’t work as expected. On one hand, security-wise, it’s good that they tend to design their algorithms to err on the side of being restrictive, but on the other hand, they have no legit support, so if you or their algorithms mess up and you’re locked out of your account, you’re basically on your own. For a company so many of us rely on so deeply, that’s awful!
The alternative is picking a smaller company that might be an easier hacking target or might go out of business when you're not paying attention. I have a Protonmail account but I do wonder how long they'll be around.
Nobody should be forced into this terrible scheme if even Google can’t get it working. It’s a case of “this idea isn’t bad, people just implement it wrong”. If nobody can implement it right, it’s not right. Complexity kills.
2FA is okay. But the practice of backup code sucks. Instead, save the TOTP hash and make extra sure to back it up. Then you can just reconfigure your 2FA app.
This really isn't a problem with 2FA. It is a problem with Google not understanding the reason for backup codes. It's just plain old bad design on Google's part.
The solution (which is too late to help you with now) is to take a photo of the QR code that is first showed to you when you originally set up 2FA. Keep that safe somewhere and you can always go back. For anyone who is freaked out by this and currently still has access to their google Authenticator app, I suggest exporting all your codes to a big QR code in the app and keep that safe (maybe print it out).
And for authenticators that do not allow to export the secret, while your authenticator is not lost yet, add another authenticator: and during registration, save the QR code.
(comment deleted)
There is no option to add another authenticator app at https://myaccount.google.com/security (desktop UI). I think the only feasible option is to first remove Google Authenticator and then re-enable it.

Seriously, Google?

Might be micro, but this is not a sign of a healthy company on an upwards trajectory.

It's time to de-google. Seriously. Now it's from a self-preservation POV, not a political POV.
The QR that you mention, is just an encoding of an actual string key (edit: I'm reading now that it's called seed). If possible, it is better to get the string directly, instead of its QR encoded counterpart.

This is needed for example to store the TOTP in a device that has no camera. Or in your Bitwarden Pro account. Obviously you wouldn't be able to scan a QR with such an application, so the actual string is needed you just copy-paste it, so it should be provided by any service that offers 2FA (I confirmed Google does)

You are correct about the QR code just representing a (fairly short) string, but applications can handle QR code just fine - 1password can read it directly from the screen.
There may be a plugin for it but the KeePass clients I've used don't support this by default. Generally, it would be best to look for the string (and keep both the string and the image secret!).
KeepassXC lets you store the TOTP seed value associated with an entry by right-clicking on that key and selecting "Setting up TOTP".

Also, other TOTP generators like Authy and Aegis let you backup your tokens to restore to another device.

Yes, but be careful which totp app you're using to store seed values/secret keys : some store them as plain text! Personally on android I'm using keepass2android and keepassium on ios to store both the QR image and the string value. It will also generate the OTP value at login. As you know, the keepass password file can be backed-up anywhere.

https://raw.githubusercontent.com/blues-lab/totp-app-analysi...

(comment deleted)
(comment deleted)
You can scan any QR code with the iPhone default camera app and get the string back that way. But yeah, all QR codes are just encoded strings.
Sharing a useful app I found: The Orca Scan app on iPhone can scan and decode all kinds of barcodes and qr codes
Linux:

    xclip -sel clip -t image/png -o | zbarimg -
macOS:

    pngpaste - | zbarimg -
You can do this, or you can write down the secret (Click to get the text), and use oathtool to generate codes rather than google's auth.

I keep all my 2fa secrets in pass for this reason. Never lose access again!

But be careful. If you access the passwords and 2fa secrets via the same credentials you are back to one factor authentication if secret + pass store ever get compromised.

Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).

This can easily be done with pass.

How is a regular user supposed to think of all this in advance? It's ridiculous. Securely proving your identity in case of loss of proof of identity is hard enough with just passwords. With 2FA it's pretty much impossible.
I'm sure all of this will make sense to grandma, too.

(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)

It may not help grandma as much as someone who maintains some popular opensource library that you may happen to use or someone that puts parts of their savings into crypto.

Who is more likely to visit this page (and use tools like pass) is up for you to decide.

The point still stands. Storing passwords and 2fa secrets inside in the same box will weaken the 2 in 2fa.

(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)

Grandma can always print the 2fa seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway as opposed to the person I was originally replying to which tells me they are most likely technically literate).

Grandmas usually don't set up two-factor authentication in the first place.
Google will leave grandmas no choice.
Yeah... I do the same thing. 2FA secrets in my password vault.

I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts gets lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.

> store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."

"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.

When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).

I think using a password manager is already 2FA.

Something you have: a password database on your PC.

Something you know: your master password.

TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e. g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).

It's misleading to say that storing your passwords and 2FA secrets in the same place defeats the purpose. There are several vectors here, right?

Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.

Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.

Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.

Off topic: remarkable that you've made your first comment from a near-decade-old account!
Long-time lurker, first-time caller.
> I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them?

Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366

Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.

My laptop, which contains all this secret information, is way, way more secure than my phone. There's the boot decrypt password, login password, then gpg password. My phone has ... A pin.

And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.

Android phones are encrypted by default, but for encryption, they use the same PIN as your lock screen. There's some command you could run to replace it with a strong password while keeping screen lock PIN simple, but it didn't work for me last time I tried.
Surely the data is encrypted using a 128 bit key or better, and the key is stored on some secure enclave which rate limits PIN entries, is it not?
> Surely the data is encrypted using a 128 bit key or better

I think so, yeah.

> and the key is stored on some secure enclave which rate limits PIN entries, is it not?

That – I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android floks to have implemented it. I'll look into it a bit later!

I enrol any TOTP codes into 3 Yubikey's, and also keep the private key physically printed out.

Although, for Google, I'm using FIDO.

You can do this, or you can just start using Microsoft Authenticator which will sync your Authenticator codes to your Microsoft account for when you reinstall the app elsewhere.
I just checked, and my MS Authenticator is backing up to... my Google account.

So, I thought I'd better change that... but it looks like you can't change your recovery account.

Why are 2FA apps so obtuse!

on iOS, MS Authenticator backups to iCloud. No way to retain the codes on an iOS->android migration (or the opposite).
this is also fine. I have a personal preference to never look at my phone while working, and I'm always in terminal anyway ...
MS Authenticator breaks if you have to do a factory reset on the phone.
(comment deleted)
Fully understand why some people wouldn't want to do this given the LastPass hack, but some authenticators like Authy let you store a master backup password for all your codes.
If you use 1Password, the initial code (just a string) is always available in the app. You can use it to move TOTP to another app, if you wish.
Printing it out and putting it in some safe is what i did.

And works like a charm.

I mean, if it works for crypto wallets it might also work for 2FA...

Wait, they have the authority to block your google auth app? Last I checked, the app is not connected to your google account. And the app's functionality is open source (TOTP). So how does enforcement work?
Well I have a backup phone - where I would scan 2FA code with 2 phones.

Now it is not that necessary because google authenticator allows transfer of data.

But when authenticator had no such option I was quite terrified and came up with idea to get another phone just as a backup and scanning 2FA code with 2 phones always for all websites. Of course backup one is always on my desk - but I don't have offsite backup for these. Problem is I don't want these TOTP tokens offsite really so it is a bit of a challange :) to come up with everything proof plan.

And this has now just encouraged me to buy a Pixel 6A running GrapheneOS to have as a backup at all times for my important google accounts
I store them in a keepassxc database for syncing and alsomprotect it with a yubikey. Lets me back it up to other places while also allowing them to stay secure. Most other password manager solutions should also be able to be used to keep them secure and backed up.
i feel like I'm asking a dumb question but why not just use a password manager that syncs your stuff and handles 2FA like 1Password? Break the phone? no worries you've got the info on your desktop. House goes up in a fire, no worries, they've got it on the cloud and you can access from a friend's house / library / whatever.
You can't actually access your 1pw vault from wherever if you don't have an existing authenticated device or a copy of your secret key. That's intended to provide added security in case your master password is compromised. So to guard against the house burning down situation you need to either keep a printout of the secret key somewhere else (friend's house, bank box, etc.) or save it somewhere (secure) online where you can get it without using 1pw.
There are a lot of options, including free software and no-cloud alternatives, to get backups without doing that manually in such a cumbersome or fearful way your are now.

For example:

> "Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.

> With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.

1Password stores QR codes and syncs them across any device that has access to your vault. I highly recommend this solution if you're worried about losing access to your 2FA codes. It is also easy to back up.
And this is how you turn a second factor into another first factor.
This assumes you are using TOTP.
I use VaultWarden to store my 2FA info which (aside from being very handy) replicates the codes offline on each device I sync my vault to.
This. I always keep that qr code screenshot & pharse in a seperate keypass database. Instant same 2fa anytime.

https://spa.bydav.in/otp.html

Shameless plug, I spinned up a local html javascript page to import export these code phrases anytime, with customization options, like issuer name, account name etc.

Best bet is to save those QR codes (or text codes) in a different vault. I use passwords in LastPass and QR codes in KeePass.
(comment deleted)
So if my MFA-secured Google account is working fine right now, is the best course of action to remove MFA, then re-add it with this QR picture and/or jotting down the key trick?
Can't you add a security key like a Yubikey? Do they let you do that without requiring your Google Authenticator / TOTP secret?

What about adding someone who can get access to your email after six months of inactivity? Maybe they let you add that without your lost google authenticator? It'd be better than nothing.

Time for a Google Takeout while you still have access to the account then!
I remember Google not letting me log in with my TOTP code when it insisted on me clicking a prompt I hadn't received. Only after two timeouts did it add the option to use a TOTP code. If I recall correctly, I had to let the thing fail and then click "let me try another way" or something similar. This leads me to believe that maybe Google hides certain options by default.

However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.

This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.

My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.

Yep it absolutely ratchets up "suspicion" on your account, and failed attempts will quickly get your account in some sort of state where you're locked out. It's absolutely maddening.
Definitely - and I think now that I've gone to that 2FA page and let it time out (since I only have backup codes), I think it's racheted up suspicion higher as these login attempts count as "an attacker has the password but not the 2FA code!"
Definitely. I did that a few weeks ago and got an email from Google to my gmail saying something along the lines of "somebody has your password and is trying to log in!" even though it was just me on a different computer and after submitting password I realized I didn't have my phone on me so couldn't submit the 2FA. It was even a computer on the same LAN (with same WAN IP), so not like I had an active session in the US while the attempt came from Moscow...
If you login on your phone, it’s possible your phone will automatically become a “second factor” if on Android, or if you have Google apps installed on iOS. This would resolve the problem, but I can’t promise it’ll work.

Note: I mean in mobile apps, not browsers.

Thank you for this. I will make extra backups of my 2fa seeds. I currently have all of them in my bitwarden vault which won't probably ever fail me but it's better to be extra safe
Without 2FA enabled, google can and will lock you out of your own account for no good reason with zero recourse, stating they "cannot identify you" or that "your browser is insecure". We lost several paid business gapps accounts due to this.
I just tested this.

You should not disable 2FA.

- Just click on the Authenticator app

- Change Authenticator app

- https://ibb.co/dPCMpdN

Just works.

Hey, thank you so much for trying to help me.

On what page do you see the Authenticator app listed? I suspect it's on the "Two Factor Auth" page. My problem is that I cannot even load that page. I click on "Security" in the menu, and it's when I click on "Two factor auth" to do any 2fa-related task, that's when I'm forced to log in and provide a 2fa code (which I do not have)

go to https://myaccount.google.com/security?hl=en

Then, https://myaccount.google.com/signinoptions/two-step-verifica...

There you can see Authenticator app.

(I am doing this on desktop. Not sure about phone)

Thanks for the followup. I'm also on desktop.

When I click the second link, I'm forced to reauthenticate. During that reauthentication my only option for 2-factor auth is... a valid 2FA code. Backup codes are not allowed.

I suspect since you originally logged in with a 2FA code (I'm guessing), your session is marked as "recently two factor verified", and when I logged in with a backup code, I was not marked the same level of "secure".

since you told me I am using a I tried without 2FA code but with backup-code

> When I click the second link, I'm forced to reauthenticate.

Here, I am being asked my password.

Then get that page.

Probably the difference, like parent says, is that you recently used 2FA, from the same OP address etc etc, so even though you have signed in with backup code now Google still trust your sign in more than OP.
Just tested it.

- Private Browser Window - Log in using backup code - can change auth app without another login.

So weird, because I cannot!

Maybe it's because I haven't used a 2FA code on this account in the past year? I typically stay logged out of my Google account and just have the email forwarded to another provider.

(comment deleted)
I guess could be that.

I too create a new chrome profile (and restarted my router) to get a different IP. (i.e) clean.

- Does this mean you are able to access emails but not change 2FA?

- If yes, do a take out ASAP.

- May be the backup codes are incorrect?

(Unless the machine learning folks on hn did some programming to prevent it!!!). For every one that complains about Google, I wonder how hn crowd pleasingly accepts pay check in the software industry.

The backup codes are what enabled me to log in, thankfully, so I know they work.

Thanks for the takeout advice.. onto that now!

> Maybe it's because I haven't used a 2FA code on this account in the past year?

Oh dear. You're almost certainly off the critical path of integration and end-to-end testing and may have hit a legit bug.

Errr... so now the story comes out that this is more of a weirder case than everyday use.
There's probably a vague/inconsistent (possibly "AI") threat-score / heuristic. I've heard of extra security requirements being imposed for like 30 days or so when you haven't accessed for a long time (or on a new machine?) and it's just ironic how they currently put you in a catch-22
Then there is Facebook which won’t let you use your email or phone if hacker changes those. Your email was changed 20 minutes ago? Clearly the one you used for 15 years isn’t trustworthy anymore. Zero way to talk to a human about it.
Try enrolling another 2FA method while you're in there.
I cannot access the Two Factor authentication page at all - it is when attempting to access that page that I'm forced to log in again and provide a 2FA code.
Weird, this used to work... I guess they changed it at some point.
It's a mistake to believe that every user will uniformly see the same things on the same pages. Google's account abuse system will offer different options to different users based on how suspicious their behavior appears to be.
Which abuse system? I worked there and I wasn't aware of myaccount changing behavior based on how "suspicious" the session is. In fact, I didn't know sessions had such an attribute, assuming this is true. Granted, I didn't work on the account dashboard, but still.

I'd assume it's more likely the behavior really is changing, specifically because in the past, the user's login session was treated as a valid factor alongside the user's password for disabling 2FA, which was criticized as being less secure than expected. However, I'm not sure they intended for the fix to that to not allow backup codes...

You might be surprised just how subtly corporations will break accounts that they are suspicious of. There is a whole world of anti-bot measures that come across to humans as just slightly odd behavior or weird bugs. It can be weirdly capricious as well. For example, I recently was having trouble logging into a website and was having to do a ton of SMS re-authentications. When logging into the website using Chrome I was given SMS messages with a 15 minute timeout. When logging in with Firefox the same SMS verification message only had a 5 minute timeout. Several times I would go through the authentication flow and then the service would seem to just crash, loading only a blank page, but I'm pretty sure that was just an anti-bot measure kicking in. I eventually only got it to work normally by switching over to my Phone's hotspot. The website was just hating on my IP address for no disclosed reason.
To avoid a situation like this, I keep backup screenshots of the 2FA QR codes stored off-line on an encrypted USB drive.
You can also just store the data encoded in them - it's usually just a string.
No need for screenshots even, right click and Save Image almost always works. I save them all and encrypt them in a separate archive with a different password. No, your probably shouldn’t save them to your password vault (unless you know what you’re doing).
You can also save the TOTP hash instead of the QR code (which basically just contains that hash)
Or just use Aegis - you can export all your codes as an encrypted backup.
What’s that?
It's an Android app. Its easier to manage OTP codes inside your password manager. Do everything with KeepassXC and KeepassDX. How to sync a file between computers and your phone is left as an exercise to the reader. However I recommend using Syncthing.
I do the same. But lately, for some but not all sites, I've been putting 2FA codes in Bitwarden and using their app to fill the codes instead of using Authenticator apps.
I do something similar but sillier. I scan the QR code in a basic QR reader app, then regenerate it using a script I got years ago that renders a QR code using Unicode, then store that in a plaintext file (gpg encrypted) with all my other non-password-manager secrets. I started doing this after I had a bad experience with Google Authenticator not surviving the restore to a new phone.
I did the same, but I had not updated it since 2020, now I can't remember the passphrase I used back then, I probably should have kept a separate paper copy of the passphrase. Or I should have use my GPG private key to do the encryption. It is also possible that my keyboard was not in the right language or I made a typo, I have tested hundred of combinations with no luck so far.
This is why I use SMS as my second factor for my Google account. Much harder to lose. It could be vulnerable to sim swapping attacks, but I consider Google locking me out of my own account a more likely threat (and frankly I'm probably not a high-profile enough target for anyone to bother with that, and in any case they'd still need my password).
Instead of SMS, get a pair of yubikey recommended by some other posters, so you are not depending on your mobile provider as they own the number and it is just "rented" to you.
How does that work? Do you have to carry around a Yubikey/Dongle everywhere with your phone?
For my phone, I'm already logged in and never get any future challenges. I needed the Yubikey when I first logged into my phone, but after that the phone has been authenticated. If I unlink my phone to my Google account I'll need the Yubikey again, but I don't normally do that. So normally I don't carry a Yubikey with me, like when I go to the store and what not.

That said, I do keep a Yubikey with me in my bag when I travel in case my phone breaks and I need to authenticate into a new device. I do take a Yubikey with me going to and from the office as there are other services and platforms which do challenge my Yubikey more often.

I keep one on my keychain in my pocket and one at home in a fireproof box, plus a backup one that I haven't even opened next to the backup so if I lose the keychain one I have another ready to go as my "new backup".
I have a yubikey on my keyring. It's superior to sms 2fa in everyway. Its almost impossible to damage a yubikey- phones can easily be broken or stolen. You can have multiple keys linked to your account- Google only let's you have one phone. Yubikey can't be sim swapped. Never needs to be charged or have cell reception, no problems with sites not accepting international phone numbers.

The only downside is that Google is the only site I used that supports it.

Personally, I don't, since I've never wanted to log into my Google account on a device I encountered while out of the house. I'm not really sure why you'd ever do that IMO.
As others have commented, on your phone you rarely ever need to authenticate, so I keep mine at home.

If you buy a Titan Key you get two (USB-A, USB-C), so sticking one of them in your safety deposit box, locked desk drawer at work or another secured space is a good backup.

And if you have an Android phone you don't even need a pair of hardware keys, one is enough as backup, just use your phone as the main key: https://www.youtube.com/watch?v=Nhz4YLay0zc

I think you can also do that with an iPhone and the Google Smart Lock app.

Instead of Google Authenticator, I use Twilio Authy. It syncs the 2FA code across my devices. I keep a backup device at home.

Sure, it's not the most secure way but I trust this over carriers securing my number.

Me too. Although this thread is making me wonder if I'd be screwed if I somehow lost access to both of my authenticated devices. (The 'house burns down' scenario.)

Edit: looks like you can fall back to SMS (along with backups password) to add a new device.

Don't use Twilio Authy. From https://raw.githubusercontent.com/blues-lab/totp-app-analysi... : "the Twilio Authy app and Zoho OneAuth app each store backups on their own servers. This means that any user of Twilio Authy or Zoho OneAuth who enables cloud backups is unknowingly sending those companies the names of the websites/services they use and the usernames for their accounts on those platforms."

And

"By default, each of Twilio Authy, Yandex.Key, and Salesforce Authenticator also relied solely on SMS OTP to authenticate users during recovery, but did encrypt TOTP backups using a key derived from a password before uploading them to the cloud. To compromise the backup, an attacker who hijacks the phone number will still need to conduct an offline attack to guess the backup password.

This should be fine: Using your phone as SMS 2 factor authentication is a separate thing as assigning the phone as "your phone" in your Google account (which works as an account recovery too).

If you don't have your phone setup as "your phone" and they clone your SIM they can use your number to get 2FA codes potentially, yes, but they still need your password to log in. Supposedly they won't have that

I mostly agree with you, but be careful how often you apply this logic. People who are not already a target can be just as useful, for example when needing to frame someone else for a crime. I mean, who'd care about nicoburns if they disappeared, right?
I've got a fully airgapped Raspberry Pi, an old version (one without WiFi capability), which has a copy of all my "Google Authenticator", TOTP style, secrets. I made a little terminal app (so no need for a mouse / no need to boot into a GUI), with my secrets protected by a password.

I use that in addition to Google Authenticator on my phone.

And in addition to paper backups of the secrets (I don't print the QR code: I write the secret down, like 16 letters) which I keep in a safe.

I've also set someone as the person of trust should I not access my email for 6 months.

And I set up webauthn as well.

It's a pain but I don't want to have to deal with an account I lost access too.

I lost a bunch of email addresses because they decided to start enforcing the use of security answers even when I had the correct password. Then I lost some more email accounts because I logged in from different locations (I moved) and they thought I was a fraud, even though I was able to confirm using the backup email address. I'm fairly concerned that eventually I'm going to lose all my email addresses due to these increasingly draconian requirements that are sprung upon us.
>due to these increasingly draconian requirements that are sprung upon us.

I'm all for improving authentication, but it's profoundly annoying when authentication requirements are not made clear before logging in.

For a user with a password manager, forcing a user to answer "security questions" will compromise UX at best, and reduce overall security at worst.

(comment deleted)
Microsoft Authenticator syncs across all instances so you just have to log in to a new Authenticator on the new phone and the codes are there. (I think it uses OneDrive).

I am sure that is less secure than a local only copy but this may be least bad of all alternatives.

You might even give a trusted person a login and have it on their phone so you can use theirs in an emergency.

How do you login to the authenticator itself? If it's MS-account-based doesn't that itself requires 2FA and you thus have a chicken & egg problem?
It doesn't need a login... only the syncing part uses your account.
Same thing happened to me. The backup paper 2FA codes I kept failed when my Pixel phone spontaneously bricked itself.
“How’s our 2FA working out?”

“Fantastic. We haven’t heard from anyone with a complaint!”

Many years ago, I lost my phone with Google Authenticator (which doesn't have a backup option like Authy does) and got locked out from AWS. The next day there was a production issue with our website. Long story short, our website was down for more than 2 weeks while I was trying to regain access to our AWS account. #2faneveragain
I feel like the lesson there isn't 2FA == bad, but rather it's important to have backups of your most important data and credentials, including TOTP seeds.
Your website was down for more than 2 weeks not because 2FA is badly designed, but because you bet everything on your phone not getting lost or damaged. And now you refuse to secure your accounts.
> And now you refuse to secure your accounts.

No, the big lesson for me is to have proper backups of credentials (like the other commenter mentioned) and ensuring multiple people have access to the prod environment. Don't just turn on 2FA without having these things in place.

Actually in this case it's likely AWS is also responsible for having trash 2fa restrictions. AWS will only allow you to setup one single 2fa method.

If you register with a yubikey, you can't register a 2nd yubikey as backup, nor can you register an authenticatior(TOTP) as a backup.

What is also very frustrating with AWS is that you can only set up one 2FA method. You have to choose between TOTP OR security key and can't have both at the same time. I wanted to add a yubikey to my account a couple of weeks ago, but had to switch back to TOTP. A lost Yubikey means you're looked out, TOTP secrets can be backed up at least.
I completely believe you. I got in a similar situation in 2020. In that case it was a change of password of the main account that went wrong. How?

Don't know, I have a password manager that captured the password I inputted and it was exactly as it should inputted. But when I put it in google it told me that it was incorrect.

When I commented to people, everyone told me that they could change their password doing this and that, but... I wasn't. Looks like there are different security levels based on arbitrary rules and what an user could do, I was unable to do it.

I only had the account logged in in my phone, and every day I kept restoring the account, every day to be unsuccesfully.

One day, after 5 weeks from the day it happened, doing exactly the same than the previous days, one of the recovery attemps worked out, and was able to reset my password.

It completely put me off using google services, but God, it is hard to abandon your first mail services, I got way too many things hooked up with them.