Yeah, Google's lack of support is notorious at this point. It's why just about any YouTuber who gets their account hacked is reduced to begging for help on Twitter, since there seems to be no-one at the company able to help directly if contacted from the site itself.
Does make me think that there should be regulations about support to prevent this sort of thing though. Maybe at the very least there should be a mandated reason for banning/deleting an account and an appeal process with an actual person on the other end. Yes people might use it to figure out how to 'abuse' the system. But that's life. We don't hide the laws so the only way people know what's legal and what isn't is to get arrested for breaking them.
I do wonder what the solution to number 3 is though. Feels like an issue with services using Google login, not Google itself. If you registered with an email and that domain expired, someone could also reset the password for much the same effect. Short of Slack and the like asking you some sort of security question upon logging in each time, I'm not sure what a good solution would be to fix this sort of flaw.
I genuinely don't understand why (at least power users) users don't seem to understand this, they never "own" their account, thousand have lost everything due to a mistake, login once via anonymizing solution and so-on and bam, account ban, I've lost so much money in "crypto" (on some exchanges) because of 2-FA perma loss due to Gmail ban back in 2015, storing your business on Google and mixing-up with your personal life is just reckless at this point, it's not like people don't "know" that they can lose everything from 1 day to another, I hope this movement of moving out from Google will be much more generalized.
I am the one who had been using g suite before it became google workspace for more than a decade.. Last year I changed my email provider, cancelled workspace subscription and deleted the google account only to create a new one with the same email address as a normal user. Used google takeout to transfer all valuable assets out.
I lost access to literally nothing! SSO binds your email address as the primary account idenitifier in all known to me services. Does not matter what IDP you use to “sign in with”.
I find this twitter thread misleading. Unless the affected account was using @gmail.com as their primary identity.
Buy a domain and set up email on custom domain. backup emails periodically outside of the provider to be able to switch easy if needed. Same applies to other data stored in SAAS of any kind. This is the rule of thumb if the risk of losing access to tour primary IDP is critical.
alright, i'll take your point and say that Google is not a viable SSO provider. now what?
sure i could buy a custom domain and host an email server on it, but now i have to care about server maintenance, SSL, and paying yearly for the domain. but that doesn't mean i get to keep it forever! just as Google can, the hosting provider can block my account, or even go down itself. then what? i'd be in the same situation where i'm locked out.
or suppose i don't have money to pay for the domain (which is a rare possibility, but it is not impossible). now someone buys my domain, and registers an email with the same address as mine. now what? i'm screwed!
i agree that having only one centralized login method for all of one's accounts is bad, but this article doesn't provide a safe alternative.
9 comments
[ 4.2 ms ] story [ 15.6 ms ] threadDoes make me think that there should be regulations about support to prevent this sort of thing though. Maybe at the very least there should be a mandated reason for banning/deleting an account and an appeal process with an actual person on the other end. Yes people might use it to figure out how to 'abuse' the system. But that's life. We don't hide the laws so the only way people know what's legal and what isn't is to get arrested for breaking them.
I do wonder what the solution to number 3 is though. Feels like an issue with services using Google login, not Google itself. If you registered with an email and that domain expired, someone could also reset the password for much the same effect. Short of Slack and the like asking you some sort of security question upon logging in each time, I'm not sure what a good solution would be to fix this sort of flaw.
I lost access to literally nothing! SSO binds your email address as the primary account idenitifier in all known to me services. Does not matter what IDP you use to “sign in with”.
I find this twitter thread misleading. Unless the affected account was using @gmail.com as their primary identity.
Buy a domain and set up email on custom domain. backup emails periodically outside of the provider to be able to switch easy if needed. Same applies to other data stored in SAAS of any kind. This is the rule of thumb if the risk of losing access to tour primary IDP is critical.
Assess the risk and act accordingly.
Do you mean that you're setting up SAML/OpenID for every service you use?
> Does not matter what IDP you use to “sign in with”.
I don't understand. The service provider needs to check the identity of the IdP, or IdP-B could impersonate user alice@foo belonging to IdP-A
sure i could buy a custom domain and host an email server on it, but now i have to care about server maintenance, SSL, and paying yearly for the domain. but that doesn't mean i get to keep it forever! just as Google can, the hosting provider can block my account, or even go down itself. then what? i'd be in the same situation where i'm locked out.
or suppose i don't have money to pay for the domain (which is a rare possibility, but it is not impossible). now someone buys my domain, and registers an email with the same address as mine. now what? i'm screwed!
i agree that having only one centralized login method for all of one's accounts is bad, but this article doesn't provide a safe alternative.