You can't recover your Google account if you lose your 2FA device
50 points by arbuge on Oct 5, 2022 | hide | past | favorite | 58 comments
I have a Google account which used a phone number I no longer have for 2FA. I have the correct password to it, but can't login to it without 2FA. Google sends me to an account recovery sequence when I try to regain control over the account, but there's actually no way to complete this either without the phone. Of course there's no human support available. The only "suggestion" they provide is to create a new Google account, which certainly isn't helpful...

Screenshot attached. (Email address in that screenshot has been blanked out). https://imgur.com/a/OT1pqy9

To be clear, I still have access to the email address in question and could certainly retrieve any recovery code they send there. They don't offer that option though. Phone or nothing.



Proposal to change the post title to:

"You can't recover your Google account if you lose your 2FA device, don't set a backup email account, don't save backup codes, or anything else Google recommends you do to avoid losing access to your Google account."

Heck, Google even pesters me occasionally upon login to confirm all the above info is still good.

There's a lot of things to criticize Google about, but I don't think this is one of them.


Regarding the backup email account suggestion specifically, see my other comment in this thread. That's not actually possible apparently for Google accounts set up with non-Google email addresses as the primary email address, for some reason best known only to Google. For those accounts, Google also sets your primary email as the backup email, which doesn't really make sense if you think about it. To cap it all, there is no option to use that email for actually recovering the account, so even calling it a recovery email is deceptive.


> To be clear, I still have access to the email address in question and could certainly retrieve any recovery code they send there. They don't offer that option though. Phone or nothing.

My interpretation was that they do have a backup email address registered.


No, I don't have a secondary email on this account.


You cannot follow any of those recommendations if you can't login to your account to do that, which is what I was trying to do.

The email I received today was one of the "pestering" emails you refer to. Cannot be implemented since I'm not signed in anywhere currently and unable to login.


If you use Google accounts with 2FA, please do the following:

1. Set up a backup email for recovery

2. Copy paste and save Backup Codes somewhere remote

3. If you are using an app like "Google Authenticator", they have an easy way to Export the settings on another phone. Do it on your wife's/gf's/family/sibling etc phone and that way you have another backup of 2FA codes.

4. Do not use the "Google Prompt" option because that only works on primary device.


Simple solution --- don't use Google Authenticator.

Google didn't invent any of this, it is fully standardized (see RFC6238). There are lots of fully compatible alternatives with better options for security and backup and restore.

Personally, I use FreeOTP+ with a password lock and secret keys backed up off device.

Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.

Remember, everything Google does is subtly designed to help violate your privacy in some way. The quickest way to convince me not to use an app is to put a "Google" label on it.


> Secondary opinion, why is the Google app lacking? Because they really don't want people to use it. They much prefer you reveal your phone number and use SMS instead. This way they can easily identify you personally.

Sure, companies may do some evil things intentionally, but an app UI sucking is usually the default state of things and not some malice necessarily. In this case, I think part of the neglect of Google Authenticator is them trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP (Yubikey-like and smartphone based systems).


> trying for years to pivot to other forms of two-factor authentication that are more phishing-resistant than an OTP

Yes, that probably explains why they prefer OTP over SMS --- because it is more secure --- and it totally violates your privacy.


SMS 2FA is not secure. Lots of HN posts about it:

https://hn.algolia.com/?q=sms+2fa


SMS 2FA is basically the same as TOTP against phishing. It is worse in that you can be hit with sim-swapping. Phishing is many orders of magnitude more common than sim-swapping. There is a real difference between these two options, but it is wildly overemphasized online. The gap between SMS/TOTP and a Yubikey or equivalent is way larger.


I was not suggesting SMS 2FA when I referred to "Smartphone-based solution". I meant relying on Secure Enclave or the like on the smartphone as the second factor in a challenge-response fashion that makes the "OTP" bound to a specific domain and thus unphishable.
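The difference between a relayable OTP and a domain-bound challenge-response, as the two comments above describe it, in a toy model added for this page (not Google's, Yubico's or any WebAuthn library's code). Simplifications, all assumptions: the authenticator derives one per-site key from a device secret with HMAC and the server verifies with that same key, standing in for a real keypair and signature; the site identity (`rp_id`) is whatever origin the browser reports, which a phishing page cannot choose; the domain names are made up.

```python
"""Added example: why a typed OTP survives a phishing relay and an
origin-bound assertion does not. Symmetric HMAC stands in for the
authenticator's keypair; this is a model of the binding, not a protocol."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


class Authenticator:
    """Holds one credential per rp_id and never answers for a site it has no credential for."""

    def __init__(self, device_secret: bytes):
        self._device_secret = device_secret
        self._credentials = {}  # rp_id -> per-site key

    def register(self, rp_id: str) -> bytes:
        key = hmac.new(self._device_secret, rp_id.encode(), hashlib.sha256).digest()
        self._credentials[rp_id] = key
        return key  # a real authenticator would hand back a public key here

    def get_assertion(self, rp_id: str, challenge: bytes) -> Optional[Tuple[bytes, bytes]]:
        # rp_id is the browser's view of the page origin, not something the page's HTML supplies
        key = self._credentials.get(rp_id)
        if key is None:
            return None
        signed_data = hashlib.sha256(rp_id.encode()).digest() + challenge
        return signed_data, hmac.new(key, signed_data, hashlib.sha256).digest()


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._credential_key: Optional[bytes] = None

    def enroll(self, key: bytes) -> None:
        self._credential_key = key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion) -> bool:
        if assertion is None or self._credential_key is None:
            return False
        signed_data, signature = assertion
        expected = hashlib.sha256(self.rp_id.encode()).digest() + challenge
        if not hmac.compare_digest(signed_data, expected):
            return False  # produced for another rp_id, or for another challenge
        mac = hmac.new(self._credential_key, signed_data, hashlib.sha256).digest()
        return hmac.compare_digest(mac, signature)


def otp_login(server_expected_code: str, submitted_code: str) -> bool:
    """A TOTP or SMS check only sees a string; it cannot tell who typed it, or where."""
    return hmac.compare_digest(server_expected_code, submitted_code)


def phishing_relay_otp(code_typed_on_phishing_page: str, server_expected_code: str) -> bool:
    """Attacker captures the code on the phishing page and submits it to the real site in time."""
    return otp_login(server_expected_code, code_typed_on_phishing_page)


def legitimate_login(auth: Authenticator, rp: RelyingParty) -> bool:
    challenge = rp.new_challenge()
    return rp.verify(challenge, auth.get_assertion(rp.rp_id, challenge))


def phishing_relay_origin_bound(auth: Authenticator, rp: RelyingParty, phishing_rp_id: str) -> bool:
    """Attacker fetches a real challenge and has the victim's browser, sitting on the
    phishing origin, ask the authenticator for an assertion, then relays whatever comes back."""
    challenge = rp.new_challenge()
    return rp.verify(challenge, auth.get_assertion(phishing_rp_id, challenge))
```

Two things stop the relay: the authenticator has no credential for the phishing origin and returns nothing, and even a credential the attacker registers for that origin produces data bound to the wrong `rp_id`, which the real site rejects before it looks at the signature.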


Sorry I didn't see the SMS part was a quote of the parent.


Unfortunately it’s still better than no other factor especially for most people.


Anyone have any examples of widespread violation of OTP for 2FA --- something other one individual who gave his buddy his phone or something?


Regarding #1:

You can set a backup email address for Google accounts if they're using Google email addresses, but you can't do this if they're using non-Google email addresses as the primary address, such as the one in that link. I'm logged in to such an account right now and there's no way to do this. The account primary email is also set as the recovery email address and there's no way to add another.

It's actually deceptive to the user to even call it a recovery email address in this case, since Google will never offer to alternatively send a verification code there if the 2FA device is unavailable.


This happened to me, and I had a hard lockout. Luckily the account was not that important, as I only used it for the Play store.

It was a learning experience. I set up another Google account after this, but made sure I had a copy of the recovery codes, which will get me back in if I lose my 2FA device (in this case a Yubikey).

I prefer a Yubikey over basic SMS since it's easier to get a SIM lost than a Yubikey. I have the Yubikey on my keychain.


I have to admit I came here to wag a finger, but it does kinda appear that Google will let you enroll a phone and then... offers... but doesn't really encourage or force the user to download backup codes.

Tbh, if I were Google, I'd force the user to prove they have a second second-factor added before enabling. Force them to enter the first half of one recovery code or something. Of course, if anyone really asked me, I've been screaming about SMS 2FA for forever, but it's just one of those things most people just can't be bothered to care about until...


Aren't you very clearly and explicitly warned to print out the recovery codes for this exact emergency?

All 2FA sites do that?


I never got any message from Google advising me to do this. I did get a message today to log in to my account to check my security settings and see if they were all up to date, which is what prompted this. Maybe there would have been some messages in there to this effect. But I didn't manage to log in...


Yeah, i get it every time when setting up a new 2FA service anywhere + some remind me once in a while (on login) to download backup codes (for services where I haven't done so yet).


Heading is misleading.

"You can't recover lost 2FA if you don't save the recovery codes like the setup tells you to do."


Maybe setup tells you to do that now, but this is an old account and it probably didn't say anything like that when I set it up many years ago.

No recovery codes were ever generated for this account.

I don't think it's reasonable to lock out a user who has the correct password and access to the primary email on the account.

I understand there are situations in which both of those could be compromised but locking out all users with no human customer support, review, or recourse is unacceptable in my opinion.


Recovery codes have been part of Google's 2FA setup process since the 2FA feature was publicly released in February 2011. (Actually since September 2010 for Google Apps users, a.k.a. GSuite/Workspace users.)


Perhaps.

And if I had known that I'd be locked out of my account in this way, even though I still have the correct password and access to the primary email, with no way to reach a human about it, of course I'd have generated those codes.


Are they not offering you the chance to enter one of your 2FA Recovery Codes?


As stated, I no longer have the phone number used for 2FA on this account, so I can't get the recovery code that way.

I don't have any other recovery codes for this account.


Recovery codes are meant to be recorded when enabling 2FA. They can then be used (once per code) in place of a 2FA code, in case of your predicament. Have you perhaps noted these down somewhere?

This circumstance is how 2FA is meant to work, otherwise an unauthorised someone could access your account, especially if they had compromised your primary email account. More often than not, people do not secure their email accounts.

On one hand I'm glad there is no way to access an account without any of the agreed methods, and on the other empathise that this is scant consolation for losing an account :-(
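The backup-code mechanism the comment describes, as an added example for this page (not Google's code): codes are generated once at enrollment and shown to the user, the server keeps only a keyed hash of each, a code is accepted exactly once in place of a 2FA code, and comparison is constant-time. The code format (8 digits, 10 codes) and the server-side pepper are assumptions.

```python
"""Added example: one-time 2FA backup codes. The server never stores the
plaintext; each code works once and is then gone, so a leaked screenshot of
already-used codes is worthless."""
import hashlib
import hmac
import secrets
from typing import List

CODE_DIGITS = 8   # assumption, matching the 8-digit style of Google's codes
CODE_COUNT = 10   # assumption


def generate_backup_codes(n: int = CODE_COUNT, digits: int = CODE_DIGITS) -> List[str]:
    """Show these to the user once at enrollment; they are not recoverable from the store."""
    return [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(n)]


class BackupCodeStore:
    """Server-side record of which codes are still unused, as keyed hashes."""

    def __init__(self, plaintext_codes: List[str], pepper: bytes):
        self._pepper = pepper  # assumption: a server-held key so a dumped table alone is not enough
        self._unused = [self._hash(c) for c in plaintext_codes]

    @staticmethod
    def _normalize(code: str) -> str:
        # users type codes with spaces or dashes copied from the printout
        return code.replace(" ", "").replace("-", "").strip()

    def _hash(self, code: str) -> bytes:
        return hmac.new(self._pepper, self._normalize(code).encode(), hashlib.sha256).digest()

    def redeem(self, code: str) -> bool:
        """Accept the code in place of a 2FA code and burn it; False if unknown or already used."""
        candidate = self._hash(code)
        match = None
        for stored in self._unused:
            # compare every entry so the timing does not depend on where a match sits
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.remove(match)
        return True

    def remaining(self) -> int:
        """Low counts are the cue to prompt the user to generate a fresh set."""
        return len(self._unused)


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes, pepper=b"server-side-pepper")
    print("give to user:", codes)
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

The pepper is what turns a plain hash of an 8-digit code (trivially brute-forced from a leaked table) into something an attacker cannot reverse without also stealing the server's key.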


> Recovery codes are meant to be recorded when enabling 2FA. They can then be used (once per code) in place of a 2FA code, in case of your predicament. Have you perhaps noted these down somewhere?

I don't think they were ever set up for this account, or I would have a record of them, and Google would presumably be offering them as an alternate recovery option (it's not).

I could get a recovery code via my primary email since I still have access to that but Google isn't offering to send one there either.


They are displayed by default when you enable 2FA. If I remember correctly there is a note stating that we should print them out or save in a secure location. They are meant to be used in this exact scenario where you don't have access to the 2FA device registered.

When I was changing phones and wasn't sure that Google Authentication app would move to the new phone seamlessly I actually disabled 2FA on all my accounts before activating the new phone and then set it up again over there. Did I need to do this? Probably not, but it did ensure that I wouldn't lose access due to a missing 2FA app.


> They are displayed by default when you enable 2FA.

No, this doesn't sound correct at all. I just doublechecked with some other Google accounts to be sure. All of them had 2FA enabled and didn't have any recovery codes generated. You have to manually generate them.


Perhaps call your old number and see if that person is willing to share the code with you?


It's not active any more. Calling it goes to an "out of service" message.


Could you sign up for a plan with the carrier it was on and request that number?


It wasn't a cellphone number. It was a free fax/voicemail number with jConnect. Inexplicably they changed the number I was assigned last year, and I haven't been able to reach anyone there about this, despite several attempts.


Aren't recovery codes associated with TOTP authenticator use? In this case it seems phone number was used as the second factor.


Good point. I have recovery codes saved for my account so assumed they were also generated when using SMS. SMS as 2FA really never should have been.


And this is why you should avoid using SMS for 2FA at all costs... Backup email, authenticator app, actually save the recovery codes, etc...


It's infuriating. I've dealt with this before. It should be illegal.

Your two options are:

1. Tweet at Google to get human support (sometimes works, sometimes doesn't)

2. Talk to a Google employee, because they have access to an internal support ticketing system that you don't


If I cannot present any of our agreed methods of identification (login + 2FA, login + 2FA recovery code or login + recovery email) then I do not want a human to be able to unlock my account. That's how we get compromised. This is exactly what 2FA is designed to protect against.


Although I more or less agree with you, I think the intuition is that some "common sense" method of identification should work. E.g., you should be able to identify yourself with government-issued ID somewhere or something. I think the frustration is that at some level, e.g., the 2FA device is being privileged over something like a notarized government verification of identity by a living human. So although I agree that you shouldn't be able to just e.g., call on the phone and ask nicely, it seems like for important accounts there should be some protocol for doing it involving some real-world chain.

When everyone has 2FA, 2FA backup keys become kind of impractical in the same way it becomes impractical to remember all your passwords.


You realize that it is fairly easy to create false IDs, right? There are services that do that for you with minimal fuss.

> When everyone has 2FA, 2FA backup keys become kind of impractical in the same way it becomes impractical to remember all your passwords.

This statement makes absolutely no sense. If you can't remember your passwords (and even if you can) you should use a password manager. The same can also hold your recovery keys. I also have a printed copy of the recovery codes in a file as well.


I'm in two minds about this. Look at the abusive, popular services that demand government-issued ID when signing up or "because of suspicious activity". Once that data is breached, which is only a matter of time, how useful are such IDs as proof of ownership?

In theory (and in practice for those who care) recording recovery data is simple and quick but for the same reasons passwords are failing us, seem to rarely be recorded.


Couldn't you just have centrally managed identities that Google can call upon? If I lose my German id, I'll get a new one and the old keys associated with that one will no longer work for the state run identity verification provider iirc


I had this issue despite having full access to multiple other factors. I was stuck in an automated fraud detection loop.


#2 doesn't seem possible. I don't see any way to reach any such Google employee.


Yes, unfortunately you have to already be friends with one.


This may work for a small subset of the population with the right friends at Google I guess, but certainly isn't an acceptable solution in general.


I agree. It's not a solution. It's a workaround that's necessary because Google explicitly does not want to provide a solution.


When you say "I still have access to the email address in question" - are you signed in to the account somewhere? If yes, you could turn off 2FA in myaccount.google.com as long as you remember the password (which you say you do)


Unfortunately not signed in anywhere currently.


Ah. Can you clarify what you meant by that, then? You have mail set up to be forwarded somewhere or something?


You can set up Google accounts with non-Google email addresses as the email on the account. So I can receive email, no problem.


Ah, I see. The only thing that comes to mind is to check if you followed one of the tips from this page: https://support.google.com/accounts/answer/7299973, which is to use a computer (or phone), or same location from where you have successfully accessed your account before ("like at home or at work"). Of course that is not a guarantee of anything, but worth a shot to attempt account recovery again if you have an option to try one of those things.


"Don't let yourself get attached to anything you are not willing to walk out on in 30 seconds flat if you feel the heat around the corner".

I can confidently say this about every account I have barring my primary email (outlook).


Yep. Just another example of why we should never trust google.


> Yep. Just another example of why we should never trust google.

The other alternative is that you have some support person on the end of the phone who can grant access to accounts. Historically this has been ripe for social engineering attacks leading to stolen accounts.

It is not hard to set up MFA on your Google account so that there are no single points of failure.


Not a Google fan but I don't want any other means than my 2fa to unlock my account.



