Gmail's backup codes are useless to access account
Ok, I have a work account on Gmail. Having the experience of being locked out of Gmail previously (endless loop of "You are entering the correct password but we're not sure that it is you, try again later"), I created a 2fa via Google Authenticator and set up Backup Codes and thought I'm safe from them asking me to sign in on another device or enter sms code (I don't carry that phone with me).
So, one sunny day I decided to add standard iOS mail app to this account, and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.
Ok, I don't have that phone with me, so I try to log in with Authenticator, and no, no good: 'we are not sure that it is you, enter code sent to sms'. Ok, I dig backup codes, enter them, and still get 'we are not sure what it is you' message.
What's even the point of allowing to set up Authenticator or Backup Codes if they don't do anything?
If there are some people from Google reading this, please, don't reach out to me offering to help. Just change this dumb system.
23 comments
[ 1.9 ms ] story [ 40.0 ms ] thread"Automatically suspended by Google systems for being at risk"
+ This is an automated message. Replies are not monitored.
https://www.linkedin.com/pulse/when-you-get-locked-out-your-...
Good luck.
I'm interested in EU-based products first. But they need to handle spam well!
But then I thought- what if I just try that password to login. And it worked.
So when I thought I had forgotten my password, gmail prompted me for a piece of information that I got correct, and then wouldn't accept it.
I also have another email account that forwards all mail to my main account, but I've definitely forgotten that password, and I have no way to actually get back into that account, even though I've tried. I guess it just forwards mail forever.
More than once, I was in a different country and tried logging into a workspace gmail account. Google flags it as a strange activity (fair enough) and needs to authenticate me. It asks me to enter the complete address for my recovery email (I do this), it sends me a code to use for sign in (I do this) but it still refuses to sign me and says it can't authenticate me. It says I need to sign in from a location that I've signed in from before.
So, for the period that I was out of the country, I couldn't access my email. This happened each time I'm in a new country. My only work around was to sign in to my email (on my laptop) before traveling and not sign out (for security reasons, I don't like to do this).
Something similar happened when I used a new laptop.
I just don't understand this. What then is the point of having recovery email and phone number if you won't use them?
Ask HN: GCP Outage?
https://news.ycombinator.com/item?id=44605732
Needless to say I decided to forward all mail elsewhere. I wouldn't touch Google for work with a 3m pole.
Please Google let me have a normal TOTP authentication. No SMS, no "open the gmail app on this other device and tap this prompt", no mandatory Google Authenticator, etc.
It's interesting you got that message (via email?) one hour after you successfully signed in on your iphone. Are you sure it was not some phishing email or something? Also are you still logged in on that account or did you get logged out?
Surely, an AI can check each shut-off account, work out the identity, and then allow the claimed user to send in a picture of themselves holding some ID.... some variation on that anyway. A Gmail employee can do the final checking after voice chat, and the user could even pay for this.
They could ask questions like: Has person X ever emailed you? When did you meet that person? What's their email address?
Also, generally speaking, are voice biometrics ever used? That could work well. "Please send us a sound file of you saying _______" or call some number and speak to an automated checker. I suppose so many companies could get voiceprints by this stage of people they have recorded.
>If there are some people from Google reading this, please, don't reach out to me offering to help.
I wouldn't worry yourself on that front, unless you are some kind of celebrity, they don't seem to care that a basic, core function of one of their most popular products can fail in a manner that totally locks people out.
The whole point of the backup codes is to facilitate account recovery, and it's really hilarious to me that a company full of allegedly elite engineers can't do one simple thing.
I point folks to 0365 for the their cloud needs nowadays -- Microsoft does this strange thing where you pay them money for services that works rather well, and office itself is streets ahead of docs. (And if you enter a code... it WORKS.)