Gmail's backup codes are useless to access account

116 points by Andrew_nenakhov ↗ HN
Ok, I have a work account on Gmail. Having the experience of being locked out of Gmail previously (endless loop of "You are entering the correct password but we're not sure that it is you, try again later"), I created a 2fa via Google Authenticator and set up Backup Codes and thought I'm safe from them asking me to sign in on another device or enter sms code (I don't carry that phone with me).

So, one sunny day I decided to add standard iOS mail app to this account, and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

Ok, I don't have that phone with me, so I try to log in with Authenticator, and no, no good: 'we are not sure that it is you, enter code sent to sms'. Ok, I dig backup codes, enter them, and still get 'we are not sure what it is you' message.

What's even the point of allowing to set up Authenticator or Backup Codes if they don't do anything?

If there are some people from Google reading this, please, don't reach out to me offering to help. Just change this dumb system.

23 comments

[ 1.9 ms ] story [ 40.0 ms ] thread
In my opinion, the #1 way to make Gmail better is to enable forwarding. Then you don't have to deal with their ugly interface, login system, new features, weird compose window, etc....
One of the first things I do with all of my Google accounts is set up TOTP authentication and not with Google Authenticator. So far I haven't had any issues getting into an account after not logging in for a while (because my gmails all forward) but I wonder if Google will disable standard TOTP in favor of requiring Google Authenticator (which will be a problem because then I would need to get a separate handset for each account).
There's a button in the admin page for your workspace admin to disable extra security prompts for 10 minutes. Just ask them to help.
A bit of a sidenote but: what is a gmail alternative that really works? For instance, spam handling is worse in pretty much any alternative I've tried.

I'm interested in EU-based products first. But they need to handle spam well!

None of these things is a saving throw versus suspicious login detection. It's for the safety of your account. Wait an hour or two, or resolve the reason for the suspicious activity if you may have caused it (VPN, for example).
I created a gmail account in 2004 and then completely forgot about it. Just last week I realized that I had registered that account. I went to the forgot my password page, and it prompted for the last password I remembered using, which I took a guess at. It told me that wasn't enough information to recover the account, and that was it, because I didn't have a backup phone, email etc. attached.

But then I thought- what if I just try that password to login. And it worked.

So when I thought I had forgotten my password, gmail prompted me for a piece of information that I got correct, and then wouldn't accept it.

I also have another email account that forwards all mail to my main account, but I've definitely forgotten that password, and I have no way to actually get back into that account, even though I've tried. I guess it just forwards mail forever.

(comment deleted)
It isn't just the backup codes.

More than once, I was in a different country and tried logging into a workspace gmail account. Google flags it as a strange activity (fair enough) and needs to authenticate me. It asks me to enter the complete address for my recovery email (I do this), it sends me a code to use for sign in (I do this) but it still refuses to sign me and says it can't authenticate me. It says I need to sign in from a location that I've signed in from before.

So, for the period that I was out of the country, I couldn't access my email. This happened each time I'm in a new country. My only work around was to sign in to my email (on my laptop) before traveling and not sign out (for security reasons, I don't like to do this).

Something similar happened when I used a new laptop.

I just don't understand this. What then is the point of having recovery email and phone number if you won't use them?

I’d love to see a fully mapped login/auth flowchart with every permutation. New accounts, ancient accounts, accounts with 2FA, without. I bet Google themselves dont even have one now. Remind yourself they are really just an advertising monopoly that does other things as a side project.
If you want to prevent SMS from being used, remove the recovery phone number and/or 2-step phone number from your account. That's how I've had my account set up for many years, to prevent SIM swapping attacks. Just make sure you set up all the other 2-step options.
Google will occasionally brick my account telling me I "didn't provide enough info for Google to be sure this account is really yours". There is absolutely nothing I can do but wait for it unbrick itself after a while, all while not being able to read any mail that comes its way. Support is completely useless.

Needless to say I decided to forward all mail elsewhere. I wouldn't touch Google for work with a 3m pole.

+1!

Please Google let me have a normal TOTP authentication. No SMS, no "open the gmail app on this other device and tap this prompt", no mandatory Google Authenticator, etc.

From all my years working in IT I've never had a good experience with the iOS/macOS mail app for either Exchange or Gmail, things break constantly. You're much better off using the proper Gmail or Outlook app.
LinkedIn did the same thing to me after I have enabled 2FA, completely locking me out of all my devices. Then, they asked me to send a picture of my driver's license to a third-party company, who does some kind of validation I guess, to re-enable my account. God, I wish I can delete my LinkedIn account, but it is my only professional visibility to the business world.
> and lo, an hour after connection I get a message, that due to strange activity on my account, I need to enter code sent via sms.

It's interesting you got that message (via email?) one hour after you successfully signed in on your iphone. Are you sure it was not some phishing email or something? Also are you still logged in on that account or did you get logged out?

Since this is a work account, I think this is more between you and your IT team than it is between you and Google.
Has there been any lawsuits for people such as yourself? "Can't get my mail but will get some money." There must be millions of people unhappy about the situation.

Surely, an AI can check each shut-off account, work out the identity, and then allow the claimed user to send in a picture of themselves holding some ID.... some variation on that anyway. A Gmail employee can do the final checking after voice chat, and the user could even pay for this.

They could ask questions like: Has person X ever emailed you? When did you meet that person? What's their email address?

Also, generally speaking, are voice biometrics ever used? That could work well. "Please send us a sound file of you saying _______" or call some number and speak to an automated checker. I suppose so many companies could get voiceprints by this stage of people they have recorded.

I also had my backup codes fail, which caused me to lose access to the email account I had had since I was a teenage hacker. In the Google Voice was the cell number I'd had all my life. Two decades of emails, documents, conversations, and contacts lost forever through no fault of my own.

>If there are some people from Google reading this, please, don't reach out to me offering to help.

I wouldn't worry yourself on that front, unless you are some kind of celebrity, they don't seem to care that a basic, core function of one of their most popular products can fail in a manner that totally locks people out.

The whole point of the backup codes is to facilitate account recovery, and it's really hilarious to me that a company full of allegedly elite engineers can't do one simple thing.

I point folks to 0365 for the their cloud needs nowadays -- Microsoft does this strange thing where you pay them money for services that works rather well, and office itself is streets ahead of docs. (And if you enter a code... it WORKS.)

phone numbers and email are virtually mandatory nowadays for banking, taxes, and many other things, including dealing with government bureaucracy... so why the hell is not made mandatory by law to be able to go to an email/sim phone service provider's office with your ID/passport/drivers license and be able to recover your account/number?? (allowing users to choose to provide that identification&recovery info when creating their email obviously)