Tell HN: It is impossible to disable Google 2FA using backup codes
My situation:
I had 2FA set up with my Google Account through Google Authenticator.
I lost my Google Authenticator settings when I broke my phone.
I have 2FA backup codes. These successfully log me into my Google Account.
In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google.
When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.
What am I supposed to do in this situation?
Yes this is a classic "maybe I can get support through public shaming" attempt. Thanks in advance.
351 comments
[ 5.5 ms ] story [ 402 ms ] threadIf you lose the phone its easier to recover.
I've seen this with a few of my posts recently where they appear in the 'new' and 'show' or 'ask' tabs, but not the frontpage.. even 300 posts deep while similarly aged and upvoted posts are on second page.
edit: now it's on the frontpage! Guess it just had to hit a vote threshold.
See: <https://news.ycombinator.com/item?id=34444459>
But that's not what's currently popular. What's currently popular is just to check a box with some poorly thought-out system and screw anyone who ever loses their phone number or 2FA device. That's dangerous and unprofessional.
At the very least if the helpdesk does reset your account, there should be a 48 hour lockout and a message sent to the account allowing the owner to dispute the change. Yes it is inconvenient in cases where the actual owner lost all of their login credentials, but this is hopefully rare.
They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.
This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.
Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.
You would think that using a backup code would prompt a "Do you want to alter 2FA?" work flow since the user is already at the 2FA has gone wrong point.
And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non technical end users, for whom password reset processes might even be the default route of access.
It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.
Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.
How do you get the recovery code? You show up at Whole Foods or Kohls or eventually even to an Amazon Hub Locker and prove your identity with a photo ID card. You're then provided a recovery code linked to one of your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.
A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)
It would probably work if you used the official browser, it's not a bad idea for the website to block webviews. But pretty funny that their app uses a webview which the service then blocks.
Most of the security is theater. On the other hand I think that every tech savvy person should at least try to keep the TOTP seeds.
I keep the TOTP and only sometimes keep the backup codes
I avoid the issue created from losing my phone, because the next device can generate codes immediately by importing or scanning the TOTP
I also don’t call it “2 factor” I just call it “one time passcode”
And this isn't even a good example of something that is "obvious" to some people, because Google makes it very, very clear that saving the QR code is NOT a backup option. It is labeled only as a mechanism to transfer to a new phone, so one has no reason to believe that it's non-ethereal. Further, the app disallows taking a screenshot. You have to point a camera at your phone. It's mind-blowing to suggest that it might be appropriate to blame the user for not doing this.
it doesn't matter what Google says is normal
is this really people's only experience with TOTP delivered via QR codes?
All screenshot/print/save functionality is disabled when you have the codes up on your phone.
You need an actual camera on a second device to save them in most cases.
If an attacker steals at TOTP, its only good for (I think) less than a minute. If they steal the seed, its good forever.
which isn't really destroyed by having a printout of what you entered onto your phone somewhere secure
(now if you store both in your password manager: that completely defeats the point)
The threat model is someone gets your password, not somebody gets access to your password manager.
If the latter is your threat model then yes having your 2F in there is worse, but really the former is the more common thing to protect against and the tradeoff of not having 2F in your 1Password and getting locked out because your phone breaks is worse than the risk of having it in there.
It’s similar to the tradeoff of having a nano yubikey always in your laptop or a large one on your keys. For most people the nano is better (though you should have a second one in either case)
- Site0 leaks your password because they store it poorly.
- It's just one password, but it's still leaked.
- You have 2F in 1Password so even though it's picked up in an account list the attacker can't login.
- Weeks later you learn there was a breach.
This is the common case for most accounts and breaches. Though the sites most likely to leak are also ones unlikely to have 2F so it's not perfect.
They aren't accessed often, are not used during your normal login flow, and provide you a recovery mechanism that actually works.
Yes - you should store them as securely as you can, but I'd say this is better than disabling 2fa entirely, which seems like the other sane approach.
You need to keep the seeds anyway to generate OTP codes. They are just keeping them in their vault in addition to keeping them in their OTP app.
As long as those storage methods are sufficiently secure, it's not a problem.
It helps to consider the threat model. 2FA is protection against (at least) several things: brute-force password guessing, a stolen password, a hijacked email account, etc. Since password vaults like bitwarden are designed to be uncrackable on their own, the only plausible way for an attacker to compromise one is to gain control of the user's device, at which point they don't really need access to the vault because they don't just have the keys to the kingdom, they have the kingdom.
Any technology that allows users to add security to their assets while still being convenient enough to use daily, leads to greater security overall.
Personally I think we're about a decade or two overdue to switch away from passwords (as currently implemented) and towards public/private keys managed by the browser or an extension, but I don't see that happening anytime soon as it's 100% certain that if it's ever tried, each FAANG will just try to push their own system, break the whole effort with fragmentation, and everyone will still just be using passwords in frustration for the next 100 years.
My 2FA token is just a second password that doesn't get sent over the wire directly -- it's almost like a private key where you auth via challenge... wait a minute, thought you could sneak PAKE on me?!
This. Support systems in the world post computers eating everything is basically HN posts.
Another short term option: $500-1000 right now to get a couple hours of support to unlock an account.
Basing someone’s entire online identity on a free account has always been pretty sketchy. We just haven’t come up with a better plan for most people yet.
Also, I think it's unreasonable to accept "support just sucks now" as a norm - consumer protections exist to shield us from BS like this and the US has been far too lax in flexing those muscles lately.
IMO we need USPS email addresses for the same reason we have mailboxes. The ability to be contacted digitally is just table stakes nowadays.
Right, that's why I think there should be an option for a $500 permanent email address, or maybe $50 one-time payment that doesn't guarantee permanent access but does guarantee that the email address will sit there as long as it takes for you to be able to pay to restore your account, without being deleted or reassigned.
You could also purchase a domain and point MX records anywhere, preferably at some known-good mail service which you pay for.
You already can. It’s called Google Workspace and comes with support.
This already exists.
It's why if you have a certain bank balance, when you call the bank a human in your own country picks up and speaks to you in your native tongue immediately. And if you don't have a certain bank balance, you sit on hold for 90 minutes and are repeatedly told how important your call is.
Google does not interoperate and effectively has a monopoly on web search, web video (YouTube) and is one of the two evils owning the mobile market (the other being Apple). There is no way for a competitor to emerge because it just wouldn't be able to interoperate with any of these services.
https://one.google.com/about/support
Because if so, it’s cheap insurance at $20/year.
Instead the auth requirements should be sane from the start, well publicised, and make a good tradeoff between letting bad guys in vs locking the real owner out.
There should be options beforehand to adjust the balance (eg. enabling 2FA).
To prevent lockouts, there should be some time-based weakening. Eg. if you are trying to access your account, and know only some of the required auth info, and have been unable to for 1 week, and, after blasting messages to every associated recovery phone/email address nobody else does either, then you should be allowed in.
That solves the classic "my house burnt down with my phone in. All I have is my email and password, but I have no devices left, no backup codes, no access to my phone number, nothing" case.
I used this horror story to move to Aegis from Authenticator and make an encrypted backup copy of the OTP vault, so thank you for posting. FWIW.
This is true, but OTOH there will _always_ be edge case scenarios that no one anticipates until they actually happen. Or maybe someone did anticipate, but they were drowned out by the other voices in the room saying "that can't/won't happen," so it wasn't included in the requirements. What happens when a customer encounters a problem that doesn't fit neatly into one of the user journeys that the product team planned out? Are they just shit out of luck?
I disagree, in regulated industries such as banking this is a solved problem. A combination of onshore staff, good career prospects, pay and working conditions and audit logs means I haven't heard stories of bank insiders breaching into accounts to steal. I'm sure it happened but nowhere near as frequently as fraudulent SIM swaps for example.
TLDR: don't outsource your customer service to the third world and you're already 80% of the way there.
In general, if you break into someones bank account and transfer money out, that money can be traced by authorities. In almost all cases, that money is recoverable by the government, even if individual banks like to shrug and tell the customer it isn't recoverable.
If you break into someone's email and steal their private info, it can't be traced. That makes the latter much more attractive.
1. Getting un-banished from Google ads after a failed credit card charge. No one will tell you why, appeal form doesn't tell you why and eventually I figured out a there had been a failed credit card charge 2 years ago.
2. Recovering a Facebook account with an email-password reset. The profile was frozen after it was hacked and all of a sudden a 5 year old phone number is required to unlock the profile after the password reset. --> Help page to submit a petition still tries to send you to login flow.
How can there be no way to talk to someone?!?
But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".
When it's e.g. a corporate-controlled account and your IT desk can just reset it to "password123!" to let you back in, it's quite a good trade-off. When it's your main email, i.e. your primary online identity, losing access is kinda a big deal, and Google has famously bad support.
But that's not even the problem here. OP has the "what you have". Just because the secondary authentication device is made of paper doesn't mean it's any less valid. But google is rejecting it and demanding the lost device.
So... sorta yes, sorta no. What they have is a ticking time bomb which goes off at the whim of a company that clearly does not care about them. That's not really "an authentication device" that anyone would willingly choose.
How so? The only downside is that you have to glance up and make sure you're on a google.com domain before entering it, in exchange for which you get massively simpler implementation, a wider variety of options, and the ability to back up token if you really want.
I just posted about something similar maybe 3 months ago?[1]
> I kid you not. Google's actual official answer to this is... create another account![1][2][3]
> Edit: Now that I have your attention:
> PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.
> [1]: https://support.google.com/accounts/troubleshooter/2402620?h...
> [2]: https://support.google.com/accounts/answer/7682439
> [3]: https://support.google.com/accounts/answer/7299973
[1]: https://news.ycombinator.com/item?id=33692942
To remove the lost 2FA, I need a fresh 2FA code. No alternatives given.
Seriously, Google?
Might be micro, but this is not a sign of a healthy company on an upwards trajectory.
This is needed for example to store the TOTP in a device that has no camera. Or in your Bitwarden Pro account. Obviously you wouldn't be able to scan a QR with such an application, so the actual string is needed you just copy-paste it, so it should be provided by any service that offers 2FA (I confirmed Google does)
Also, other TOTP generators like Authy and Aegis let you backup your tokens to restore to another device.
https://raw.githubusercontent.com/blues-lab/totp-app-analysi...
I keep all my 2fa secrets in pass for this reason. Never lose access again!
Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).
This can easily be done with pass.
(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)
Who is more likely to visit this page (and use tools like pass) is up for you to decide.
The point still stands. Storing passwords and 2fa secrets inside in the same box will weaken the 2 in 2fa.
(Gmail's main target is not devs, or even computer literate people. And owning a smart phone =! literate.)
Grandma can always print the 2fa seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway as opposed to the person I was originally replying to which tells me they are most likely technically literate).
I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts gets lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.
So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.
It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.
Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."
"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.
When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.
The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).
Something you have: a password database on your PC.
Something you know: your master password.
TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e. g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).
Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.
Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.
Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.
Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366
Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.
And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.
I think so, yeah.
> and the key is stored on some secure enclave which rate limits PIN entries, is it not?
That – I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android floks to have implemented it. I'll look into it a bit later!
Although, for Google, I'm using FIDO.
https://security.stackexchange.com/a/194279 explains it better than I could.
So, I thought I'd better change that... but it looks like you can't change your recovery account.
Why are 2FA apps so obtuse!
function 2fa(){
}then call it as `2fa <account>`, and make sure you store each <account>'s secret as `pass insert <account>.secret -e`.
refs: https://www.cyberciti.biz/faq/use-oathtool-linux-command-lin...
And works like a charm.
I mean, if it works for crypto wallets it might also work for 2FA...
[1]: https://digitalbunker.dev/how-do-time-based-one-time-passwor...
Now it is not that necessary because google authenticator allows transfer of data.
But when authenticator had no such option I was quite terrified and came up with idea to get another phone just as a backup and scanning 2FA code with 2 phones always for all websites. Of course backup one is always on my desk - but I don't have offsite backup for these. Problem is I don't want these TOTP tokens offsite really so it is a bit of a challange :) to come up with everything proof plan.
For example:
> "Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.
> With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.
https://github.com/scito/extract_otp_secrets
https://spa.bydav.in/otp.html
Shameless plug, I spinned up a local html javascript page to import export these code phrases anytime, with customization options, like issuer name, account name etc.
What about adding someone who can get access to your email after six months of inactivity? Maybe they let you add that without your lost google authenticator? It'd be better than nothing.
However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.
This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.
My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.
Note: I mean in mobile apps, not browsers.
You should not disable 2FA.
- Just click on the Authenticator app
- Change Authenticator app
- https://ibb.co/dPCMpdN
Just works.
On what page do you see the Authenticator app listed? I suspect it's on the "Two Factor Auth" page. My problem is that I cannot even load that page. I click on "Security" in the menu, and it's when I click on "Two factor auth" to do any 2fa-related task, that's when I'm forced to log in and provide a 2fa code (which I do not have)
Then, https://myaccount.google.com/signinoptions/two-step-verifica...
There you can see Authenticator app.
(I am doing this on desktop. Not sure about phone)
When I click the second link, I'm forced to reauthenticate. During that reauthentication my only option for 2-factor auth is... a valid 2FA code. Backup codes are not allowed.
I suspect since you originally logged in with a 2FA code (I'm guessing), your session is marked as "recently two factor verified", and when I logged in with a backup code, I was not marked the same level of "secure".
> When I click the second link, I'm forced to reauthenticate.
Here, I am being asked my password.
Then get that page.
- Private Browser Window - Log in using backup code - can change auth app without another login.
Maybe it's because I haven't used a 2FA code on this account in the past year? I typically stay logged out of my Google account and just have the email forwarded to another provider.
I too create a new chrome profile (and restarted my router) to get a different IP. (i.e) clean.
- Does this mean you are able to access emails but not change 2FA?
- If yes, do a take out ASAP.
- May be the backup codes are incorrect?
(Unless the machine learning folks on hn did some programming to prevent it!!!). For every one that complains about Google, I wonder how hn crowd pleasingly accepts pay check in the software industry.
Thanks for the takeout advice.. onto that now!
Oh dear. You're almost certainly off the critical path of integration and end-to-end testing and may have hit a legit bug.
I'd assume it's more likely the behavior really is changing, specifically because in the past, the user's login session was treated as a valid factor alongside the user's password for disabling 2FA, which was criticized as being less secure than expected. However, I'm not sure they intended for the fix to that to not allow backup codes...
That said, I do keep a Yubikey with me in my bag when I travel in case my phone breaks and I need to authenticate into a new device. I do take a Yubikey with me going to and from the office as there are other services and platforms which do challenge my Yubikey more often.
The only downside is that Google is the only site I used that supports it.
If you buy a Titan Key you get two (USB-A, USB-C), so sticking one of them in your safety deposit box, locked desk drawer at work or another secured space is a good backup.
I think you can also do that with an iPhone and the Google Smart Lock app.
In the US, porting wireless numbers has been mandated by the FCC for almost 20 years. I'm feeling my age, as I remember being excited during the process and when it finally happened.
https://www.fcc.gov/general/wireless-local-number-portabilit...
Sure, it's not the most secure way but I trust this over carriers securing my number.
Edit: looks like you can fall back to SMS (along with backups password) to add a new device.
And
"By default, each of Twilio Authy, Yandex.Key, and Salesforce Authenticator also relied solely on SMS OTP to authenticate users during recovery, but did encrypt TOTP backups using a key derived from a password before uploading them to the cloud. To compromise the backup, an attacker who hijacks the phone number will still need to conduct an offline attack to guess the backup password.
If you don't have your phone setup as "your phone" and they clone your SIM they can use your number to get 2FA codes potentially, yes, but they still need your password to log in. Supposedly they won't have that
I use that in addition to Google Authenticator on my phone.
And in addition to paper backups of the secrets (I don't print the QR code: I write the secret down, like 16 letters) which I keep in a safe.
I've also set someone as the person of trust should I not access my email for 6 months.
And I set up webauthn as well.
It's a pain but I don't want to have to deal with an account I lost access too.
I'm all for improving authentication, but it's profoundly annoying when authentication requirements are not made clear before logging in.
For a user with a password manager, forcing a user to answer "security questions" will compromise UX at best, and reduce overall security at worst.
I am sure that is less secure than a local only copy but this may be least bad of all alternatives.
You might even give a trusted person a login and have it on their phone so you can use theirs in an emergency.
“Fantastic. We haven’t heard from anyone with a complaint!”
https://github.com/tycrek/degoogle
No, the big lesson for me is to have proper backups of credentials (like the other commenter mentioned) and ensuring multiple people have access to the prod environment. Don't just turn on 2FA without having these things in place.
If you register with a yubikey, you can't register a 2nd yubikey as backup, nor can you register an authenticatior(TOTP) as a backup.
Don't know, I have a password manager that captured the password I inputted and it was exactly as it should inputted. But when I put it in google it told me that it was incorrect.
When I commented to people, everyone told me that they could change their password doing this and that, but... I wasn't. Looks like there are different security levels based on arbitrary rules and what an user could do, I was unable to do it.
I only had the account logged in in my phone, and every day I kept restoring the account, every day to be unsuccesfully.
One day, after 5 weeks from the day it happened, doing exactly the same than the previous days, one of the recovery attemps worked out, and was able to reset my password.
It completely put me off using google services, but God, it is hard to abandon your first mail services, I got way too many things hooked up with them.