It doesn't matter if you have a reminder, a banner, someone going to your door to ask you to confirm.
If you miss that step, because you're in a hurry, your kid pressed the button while you looked away, or whatever, you shouldn't be immediately locked out of your whole life without recourse.
We allowed ourselves to be held hostage by these companies, but we should know better now.
Google periodically puts that banner on full display when you log in. Even if you miss it one or two times, it will come again. If you are so incompetent as to ignore a clear security warning that many times, then you are responsible for your own actions.
You don't know how this person lost their number. How quickly they lost access to it. What actually happened.
Maybe the last time this banner appeared, they still had their number. Maybe things just coincided with the worst possible timing. Stuff like that can happen.
I'm really not comfortable calling them completely incompetent over this.
Also, there have been reports of people getting locked out through no fault of their own. And those people too have no chance to do something about it.
But even if it is incompetence or gross negligence - as a software company, you'd still want people to be able to report that stuff happening, so that at least you get statistics that you can use to measure the effectiveness of any improvements you try to make.
If those problems occur so frequently that it's no longer financially feasible for you to actually look into them... then maybe there's some incompetence going on at your own side, right?
I don't know when the last time was I logged into my Google account. Probably when I got my current phone. No login = no question if your 2FA details are current.
Also, Google doesn't always make it clear when something is being added as 2FA. E.g. if you log into an Android phone future logins will use it as 2FA.
I ran into this problem one time. I had some Android phone that was absolutely not my primary phone that I logged into, and it was sitting plugged in, in my basement for diagnostic reasons (I just needed an Android running with a Linux shell for testing). About a year after forgetting about it I was trying to log into Google and they prompted me for my 2FA, which I happily provided since I use Google Authenticator.
Then, when trying to access my passwords stored on my Google account (passwords.google.com) I was prompted with a message saying that there was suspicious activity on my account, and I needed to approve a pop-up on this Android phone. Google would not let me access the password manager until I could physically drive back to that phone to approve it. They refused to provide me with any alternative options despite my having a YubiKey and SMS. Finally, I navigated to my inbox (everything else would load except for that password manager) and went into details at the bottom of the page, then forcibly signed out of that Android phone. Bear in mind this was the same device that it refused to let me access the password manager on.
Anyway, after removing the device from my account it let me access passwords.google.com.
From my experience, Google will show that banner a couple of times if you log in from an unusual device, and only after that will it require you to complete the login with 2FA.
If only. An old phone number of mine is still somehow tied to my Google account. I can't for the life of me figure out how to remove it. Google sometimes randomly decides to send the access code to my old number, which I no longer have, instead of using the new one. The only solution when that happens is to try the login again from an incognito window, hoping Google decides to use the right number. Getting locked out someday is a very real possibility for me.
Why would anyone willingly and knowingly do business with someone like you? This attitude is wildly inappropriate both in formal, business relations, and in private, social ones. To treat someone like that is something that should bring a person to bury their head in their hands out of shame.
Shoving yet another banner in the user's face that is styled like every other banner ad you place in their way, including the one that begs you to download Chrome or to sign up for Google's latest service, does not constitute a meaningful attempt to communicate with the customer. And the customer's blind dismissal of yet another annoying banner does not constitute dishonesty.
It is completely disingenuous to frame this as though Bob walked up to Alice after lunch and asked her "Has the phone number you used for authentication changed?" and she lied and said "No".
And it seems obvious that in most cases, users that lose access to 2FA methods are not asked "has your 2FA changed?" while they still have access to the account. It is far more likely that one day their cookies are reset or google decides it's time to reauthenticate and they realize that they changed their phone number when they switched phone plans a week ago, and they hadn't thought about the consequences.
Well, if someone falls through a literal crack IRL then there will be emergency services ready to try to get them out, and we don't just say they shouldn't have been absent-minded so now they get to rot down there. And if a particular crack swallows up multiple people then we won't say "that's life" but find ways to fix that crack (probably even after the first person).
log into Google
giant banner appears
"Hey, is this still your phone number? If it's not you better change it otherwise we can't recover the account!"
click 'no'
change it to a new one
done.