My mom got locked out of her 10yr gmail account. She doesn't have access to the phone number she added for 2FA. This is after she has the right password and also has access to the recovery email.
This basically locked her out of her whole online life because for all other social accounts she uses sign in with Google.
There is no human support, and their support website says if you cannot recover the account, create a new one.
Once you are the dominant provider of something that is nearing life-essential utility status, you should provide support and escalation routes, and you should be accountable.
...Only to find that you can't transfer ownership of a Google Doc from a Gmail account to a Workspace account because "security."
So at this point we have docs scattered across all kinds of Google accounts and domains which is the least secure thing I could imagine, great job Google.
100% in support of regulating the pants off of this company as well as evaluating alternatives to them.
But in essence: Share the files, make a copy once shared, delete the shared file and only the copy exists.
Better though: Don't use Google Drive for business critical docs if you're not a very high spend Google customer able to talk with an account manager. If you're a small/hobby user or individual, keep critical docs offline as well as online. Just consider it part of your business continuity plan.
I set up a business account in one country and then moved to another country. Several years later I need to re-enter credit card info. It doesn't let me now because my billing address is now from a different country. Google's only solution? Create a new google account.
But are you sure about this problem? If you create Shared drives in a Google workspace, they take ownership of anything I move into it (after dismissing a warning explaining what will happen), even if I take files in folders shared to me from someone else's gmail account.
(The ownership model of drive was indeed terrible before they implemented the shared/team drives.)
It should also be noted that as soon as that regulation no longer applied (Brexit), high roaming charges were immediately brought back into effect.
EU-style regulation works.
Rationale was that treating people from one EU country differently than from another was against the union. Imagine paying inter-state roaming in the US.
Right now Google is not asking information that would allow them to really verify my identity. Not sure if people would like Google to start demanding that kind of information, like personal identity code (for countries where it is available), passport numbers, home addresses etc.
Without strong identity checks, the system is prone to fraud. Black hats can either social engineer their way around the support agents or use leaked personal data to impersonate people to gain access to their accounts.
Why can't they offer identity verification as an option? It's not exactly difficult to do technically.
I have a google account made in 2004 (it is nearly 18 years old) and some time ago youtube started to ask me to verify my age by sending my ID or using a credit card.
I think it was a "bug" on their side, since a google search showed a lot of other people complaining about this -> verify your age.. on a 15+ year old youtube account.
Solutions like yubikeys and passkeys theoretically solve this problem, but open other problems: not least what if you lose the key or the device that the passkey is stored on? Then you're no longer you as far as the authenticating party (Google in this case) is concerned. What's more, whoever stole your phone is you as far as they care, because that's all they have to say who is who.
Your devices should require further authentication (password/biometrics) but is that a guarantee? Could Google or anyone else really guarantee that any client device connecting to their service is unhackable, bearing in mind that many of their users may be on cheaply made and fully out-of-support Android devices or Windows XP?
It's a really hard problem to solve.
Google at least have your past IP addresses which should allow law enforcement to identify you (at least narrow the question down to a handful of people who could all be asked if they have a claim to the account, unless you only ever accessed it from public networks). Doing all that detective work is not going to be cheap, but right now you don't even have the option to pay for it if your online account is worth a lot to you.
Once that is understood, losing xx-year-old accounts wouldn't be a problem.
I know this is a controversial idea, but the more I see cases like that, the more I am sure about it.
Google provides a way to "submit corrections", but there is no accountability, and these corrections might or might not get applied. In my case, they are sometimes applied: some phones will show the right location, and some will show the wrong one. Again, no accountability.
Yes
Article 22 of the GDPR. Essentially it states that if automated decision making occurs, you must be able to appeal to a human.
https://www.gdpr-toolkit.co.uk/individuals-rights/the-rights...
This is aside from common law, which might give some protection in that entities managing your goods (and maybe your data?), even voluntarily, have a duty of care to keep them safe.
A phone number used for this purpose would definitely identify a person, and so qualify as personal information.
What solution could Google offer without creating a security backdoor? Google might not ever be sure as to the identity of the account holder.
The only reliable alternative I see is requiring a government photo ID containing a permanent physical address on account creation. I wouldn’t want that, would you? And even then, some would manage to create impossible situations.
It sucks, really hard. No other way to paint it. I’m not arguing for Google here. Still, the user has responsibilities too. If you ignore an oil warning light on your car for too long, eventually the engine breaks.
The comparison falls flat though when you consider that you can pay money and get the car fixed and still have the car in the end.
The complaint is not "fix my self-inflicted problems for free for me", it is that there is no way to get anything fixed even if one is willing to pay and acknowledge it's one's own fault.
All of this falls apart if the goods/service is free... And one can't really argue Google is a monopoly with regards to email services (search and ads are quite separate).
So I doubt EU could do anything about it unless one uses paid services.
That was very true, but I think this is changing. Recent dealings with Facebook and the privacy regulations give some hope there.
> And one can't really argue Google is a monopoly with regards to email services
EU regulations do not care about monopolies. The main issue is abuse of dominant position, which Google definitely has. The mobile carriers are an appropriate comparison, I think. None of them has anything like a dominant position across the continent, but their collective behaviour was suboptimal and costly for the customers, which was a strong enough motivation for the EC to intervene. I can see a blanket regulation about the processes that need to be put in place to close or recover accounts, in the same way that these companies are required to have dedicated people for GDPR requests.
Also note that EU regulations are much less concerned about random customers than American laws. The EU framework is all about competition and how to preserve it, under the arguable belief that quantitatively increasing competition will benefit the final customers.
If you take deliverability to the average email account into account then they are not far from one.
For example GDPR, right to be forgotten, cookie warnings etc show the EU is more than happy to pass regulations that impact ad-supported services.
The current regulations may be ineffective or poorly enforced - but it shows they're able and willing to pass laws.
Just because a service is free does not mean consumer protection and data protection laws (including GDPR) no longer apply.
Why would you think otherwise?
If roaming charges were high because there wasn't enough competition in the market then that's what the EU should have tackled. Otherwise high prices will just move on to other items on our phone bills and the whole thing becomes a game of whack-a-mole that the best connected special interest groups will always win.
Governments should regulate to make sure that markets actually work and that everybody has basic rights such as getting access to their own data after proving who they are.
Really, the people that don't are rare.
Regulation has gone swimmingly, especially when you consider that roaming charges were completely arbitrary. It costs a carrier functionally nothing to forward traffic to another carrier, except for whatever price that carrier has set arbitrarily. Regulation has given me a 25 Gb data cap when travelling, greatly increasing the quality of my vacations, allowing me access to information, safety tips and travel-oriented services as a tourist.
Sure, carriers have lost some income over this (not all, only on European travel) but they are massively profitable, and should be treated as a public utility already.
It's never gonna be possible to 100% prevent any possibility that could cause loss of access to your 2FA. Some people will always fall through the cracks - whether that's due to their own negligence, lack of technical understanding or some algorithmic false positive doesn't really matter imho.
The real problem here is that there's nothing that can be done to resolve something like that AFTER it already happened. Not even if you were willing to pay for support to help you.
If you got good contacts, are famous, manage to go viral or something, you might be able to actually get help - but as a regular, boring, everyday person, you're just fucked. The only "advice" you are gonna get is: "you should have done this or that beforehand..." - and the obvious answer to that is: "I would have, had I only known!"
The only thing you can do, is post your story on HN and Twitter, and hope someone from Google reads it, and goes out of their way to actually help you - which obviously is AGAINST standard company procedure.
log into Google
giant banner appears
"Hey, is this still your phone number? If it's not you better change it otherwise we can't recover the account!"
click 'no'
change it to a new one
done.
If you miss that step, because you're in a hurry, your kid pressed the button while you looked away, or whatever, you shouldn't be immediately locked out of your whole life without recourse.
We allowed ourselves to be held hostages by these companies, but we should know better now.
We think we have the internet identity system figured out. We don't. We are just pretending we do with stupid stuff like passwords, email recovery codes, 2FA, device auth, social network recovery, facial recognition, fingerprints, etc.
So far we have leveraged brain memory, hardware device, face, finger, and friends for authentication. What else can we do to make this better?
“We” do. There are companies that have very strong security and IAM protections. Others have chosen to invest almost nothing. Your vague wording conflates these two very different things.
Some companies have a great concept of identity and have placed high value on identity verification.
Free email accounts aren’t protected the same way retirement investment accounts are because they carry different risk profiles and different value.
One person posted. Hundreds or thousands read about it. The comments aren’t solely intended to OP and aren’t solely for this instance.
I agree that there are few suggestions that will help OP this time. But that’s all the more reason that others learn to take the issue seriously before they encounter it.
They would only get a message if you hit "try another way" and choose one of your alternative numbers during the login challenge.
Where is this option?
After a waiting period of about 3-4 years they changed the process and I could indeed recover my account. Maybe sooner, but I discovered this by accident. I don't remember the details, I think I failed to answer a recovery question at the time. Certainly my fault, but there was no route to regain access until they revamped the whole process.
Alternative idea: If you're really desperate, you could even try to dig up the phone number owner's address and show up at their door or something and explain it that way. (Note I'm not recommending these per se; I'm just pointing out what's possible. Obviously be very careful to consider everything before doing such a thing.)
It is a super bad idea for anyone to give out 2FA codes; they could easily find your email associated with a specific number from a security leak and attempt to steal it.
You'd trust the current owner of the phone number to be honest (because you are contacting them), not the other way around.
Just add sneaking into their bedroom at night to grab their phone.
Raiders of the lost GMAIL-(Account).
that's what the green bubbles are for
Just kidding - but seriously this has been done before and your advice is sound.
Or pay a hacker to do a sim swap.
SMS 2FA is ridiculous
I've certainly had nerve-racking moments where my login has been flagged as unusual and I wasn't sure if it would let me in (and I'm completely locked out of my childhood account, though it's not been used in over 10 years).
It's a good feature for those with the password "password" but if you've used a strong single use password it just gets in the way
Whenever these posts hit HN there are some people going "well if they don't do this then a lot of accounts will get hacked" - fine! Fucking make my account vulnerable if I want it to be; the chances I get hacked are probably still 10x lower than getting locked out by Google's shit AI crap "protecting" accounts. And well, if it does happen, those same people can at least have their "told you so" moment. Fucking bullshit.
If I get hacked, it's on me. Google can even add a "you can't sue us for damages" clause in their Terms (which they probably already have) - just don't lock me out of my own freaking account.
In Canada, banks have this for things like e-transfers and preventing suspicious transactions. However, when people acknowledge the warnings and still go ahead anyway, they cry bloody murder and the bank ends up refunding people for fraudulent activity the people explicitly authorized after being warned.
2FA is a great thing and I think everyone should use it.
With that said, I don't want 2FA on my alternate/testing/dev accounts. I simply don't want demo accounts linked to my phone number. I'd like to opt-out of "standard security" (MFA) and accept the risks on non-primary accounts.
In another, non-Google case, Apple once demanded that I provide the answers to challenge questions for an account I didn't use often even though I had my username and password correct. To me, the challenge questions are something that should only ever be used to verify in the case that I don't know my password, and it took me three days of trying against the rate limit to get enough tries to figure out the spelling of the answer for one of my questions. What made it really ridiculous is that the only reason this account existed was to give me access to developer account that was actively billing my credit card that I couldn't access... at least with Apple there was a customer service representative who was willing to try to figure something out as they agreed that it was ridiculous that I was paying money for something I couldn't even log in to cancel (though she wasn't sure if she could actually do anything...).
Maybe hugely insecure but I enable google authenticator then put that recovery code and key everywhere I can.
Anyway, it's not possible to configure 2FA in the way we want. The Google prompts configuration says "To turn off Google prompts on a device, sign out of your Google Account on that device."
There's no way to enforce the Authenticator. Not even make it default.
For now I have removed every android I could from their logged-in-devices page and hope that suffices.
I had a similar story with my own accounts.
It's just lost forever, luckily I had many others, and didn't associate my whole life to any single account or provider, nor used social sign in, so it was not life altering, just a bit of work.
But selfishly, I hope those kinds of stories get published more and more so that people finally realize that what we told them not to do for the last 20 years was not just for the sake of it.
People don't listen to preventive talks. We see that with cyber security, climate change, and so on.
They only start to move when they get hurt.
I wished people would have listened to us when we advised not to give everything to GAFAM, not to put everything online, and not everything on one provider. And certainly not to trust them with being on your side.
So they wouldn't have to get hurt.
But this is not how we, as a species, learn. We need to get hurt.
So make sure a lot of people know about this. Not just in the hope to get the account back, but because maybe more people will listen this time.
For Facebook, I’m currently completely locked out. I have the right username and password, but the email accounts I used to create the Facebook account are disabled now, being university accounts.
At one point, Facebook wanted my credit card or driver’s license as proof to re-enable the account, which I wasn’t comfortable with. Then it got pared down to three randomly chosen connections that I needed to contact outside of Facebook. Once chosen by Facebook, these contacts cannot be changed. For me, it included a deceased person and two people I haven't even seen since high school. Now, it just wants to validate the email addresses with no other options.
So now what? Nothing in my control ever went wrong. I know my account, I am the person, and I have the username and password. It would be nice to be able to just call a number with a human on the other line to verify that it is me.
We've entered the era of "death by scale". We and the government allow these companies to treat customers and people as statistical entities. They don't give a shit if their products either flat out don't work or ruin a customer's life for "only" x percent if x is small enough.
I agree that in b), it sucks that once chosen, the 3 people cannot be changed (although I kinda see the security angle of it), but what else would you want Facebook to do if you lost access to your email?
For gmail, have several addresses, with redirections to each other, use IMAP, don't use social sign-in.
And if FB stole it, congrats, you are rich off the settlement.
You had multiple reasonable options to recover, declined them and now complain that "Nothing in my control ever went wrong". This annoys me so much.
You don't need to host the email servers yourself. Many email hosting services will let you use your own domain with them.
If you want to use an email hosting service that does not directly support using your own domain, many domain registrars include free email forwarding so you can forward mail sent to your domain to your address at your email host, although there might be problems with sending from your domain if you use the forwarding approach [note 1].
It might at first seem that this is just pushing the problem back a little. Instead of the problem being losing your account at a mail hosting service like Gmail, you now have to worry about losing your domain.
The big difference is that a domain registration is a lot more passive. With a Gmail or other mail hosting account it is something you are actively using. Content you generate goes through it. Content other people generate goes through it to you. That gives all kinds of opportunities to trigger false positives on their automated anti-abuse systems.
With a domain you register it and designate name servers and periodically pay to keep it from expiring. Most registrars include basic name service so you don't have to deal with finding a name service provider. Once you've set up name service to designate your email host as handling your domain, or set up forwarding if that's what you are doing, you pretty much don't have to touch anything there and content to/from you doesn't go through those systems so there is simply much less opportunity for something to trigger some sort of automated anti-abuse systems.
Pick your domain and registrar carefully. Don't pick a domain name that is close to some trademark. Pick a top level of .com or .net or maybe your country's top level if you are going to want to send email from that domain [note 2]. Pick a registrar that is not in some country likely to do things that get your country to put sanctions on it.
[note 1] You might not have enough control over the headers on outgoing mail to be able to send a mail that doesn't look like a forgery attempt. For email addresses that you will just need for receiving things the forward approach should be fine, which will cover email needed for account recovery in most cases.
[note 2] The newer top level domains that are available for general use have been pounced upon by large numbers of spammers, to the point that having an email address in them can make it very difficult to get through spam filters. Spammers are all over .com and .net too of course, but that's also where most of the non-spammers are too. With the newer top levels the spammers jump on in large numbers from the start and so from the point of view of a random email receiver those domains are mostly spam.
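The post above describes pointing your own domain at an email host (via MX records or registrar forwarding) and warns in note 1 that outgoing mail sent through a forwarding-only setup can look like a forgery. A concrete way to see that second point is SPF: receivers check whether the sending server's IP is authorised in the domain's `v=spf1` TXT record. The script below is an added example, not code from the comment's author or from any registrar or mail host. It evaluates constructed, fictional zone data (`example.test`, `forward-only.test`, the hosts and IPs are made up) with a minimal SPF evaluator that handles the `ip4:` and `include:` mechanisms and the `-all`/`~all`/`?all` terminators, which is enough to show why mail sent from a host that the zone never authorised fails the check.

```python
"""Check a custom-domain mail setup against constructed zone data.

Two questions the post raises:
  1. Does inbound mail for the domain route to the chosen email host (MX)?
  2. Would outbound mail from a given server IP pass SPF for the domain?
"""
import ipaddress

# Constructed sample DNS data (hypothetical names and IPs, not real records):
# name -> record type -> list of records.
ZONE = {
    # Domain delegated to a proper mail host; SPF includes the host's policy.
    "example.test": {
        "MX": [(10, "mx1.mailhost.test"), (20, "mx2.mailhost.test")],
        "TXT": ["v=spf1 include:_spf.mailhost.test -all"],
    },
    "_spf.mailhost.test": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
    },
    # Registrar-forwarding setup: only the registrar's forwarder is authorised,
    # so mail sent from anywhere else (e.g. the real mailbox host) fails SPF.
    "forward-only.test": {
        "MX": [(10, "mail.registrar.test")],
        "TXT": ["v=spf1 ip4:203.0.113.5 -all"],
    },
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get(name, {}).get(rtype, [])


def inbound_host(domain):
    """Hostname of the lowest-preference MX record, or None if there is none."""
    mx = sorted(lookup(domain, "MX"))
    return mx[0][1] if mx else None


def spf_record(domain):
    """The domain's SPF TXT record, or None."""
    for txt in lookup(domain, "TXT"):
        if txt.startswith("v=spf1 "):
            return txt
    return None


def spf_check(domain, sender_ip, depth=0):
    """Minimal SPF evaluation: returns pass/fail/softfail/neutral/none/permerror.

    Supports ip4:, include: and all; other mechanisms are skipped.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms; treat deep nesting as an error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the referenced domain's policy yields "pass"
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # unsupported mechanism (a, mx, exists, ...) is ignored here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" terminator


def setup_report(domain, outbound_ip):
    """Summarise the two checks for a domain and a candidate sending server."""
    return {
        "inbound_host": inbound_host(domain),
        "spf_for_outbound": spf_check(domain, outbound_ip),
    }


if __name__ == "__main__":
    # The mail host's server (192.0.2.25) is authorised for example.test but
    # not for forward-only.test, which is the situation note 1 warns about.
    for d in ("example.test", "forward-only.test"):
        print(d, setup_report(d, "192.0.2.25"))
```

Running it shows `example.test` routing inbound mail to `mx1.mailhost.test` and passing SPF for the mail host's IP, while `forward-only.test` receives fine but returns `fail` for the same sending IP because its record only authorises the registrar's forwarder. That is the concrete reason the post suggests keeping forwarding-only domains for receive-only purposes such as account recovery.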
For most users, it’s not a bit of work, but a life changer (as in this case, right). Most sites only allow G and f SSI, and that’s it. Quick registration is a killer feature and it’s a shame that it is not a part of the tech stack at much lower level than google/site integration. It’s almost 20 years of mass-internet and it still sucks at account registration.
These two things would ideally stay separate. Of course, an expert in Computer Science would certainly have his/her own tld domain with email, and maybe use gmail only for proper email work, right?
Well... Not so sure about that. I'm a tech person myself, and my gmail is my online identity. I would suffer the same fate if I were to go through the same issue as OP's mother.
Perhaps there's space here for a startup, or a service, that allows you to fix this. Something that would make regulatory bodies not too unhappy about it.
I wonder if Google could offer real customer support. I know offering support goes against everything Google stands for, but I'm sure many people would be willing to pay non-trivial amounts of money to get actual support from Google.
So if you unfortunately get locked out of your google account, you could pay for support that can actually resolve your issue.
(I realize paying to fix your problem may rub some people the wrong way. However, I would rather pay for a support ticket than be locked out of my account forever.)
Would you pay $200/hour for customer support?
In my case, I did the Google "security checkup" and clicked "yes" when it asked if I wanted to improve my security by using my phone as a security factor. I thought this was just going to cause it to generate those helpful "Did you just sign in" prompts. No: that option actually signs you up to use your phone as a hardware security token which requires you to physically connect your phone through its USB port. Guess what doesn't work on my phone? My freakin USB-C port (!!!!). Eventually I found the loophole that signing in from the hardware key device itself prompts you to use a different 2nd factor and I was able to disable the security that way. It boggles my mind that I was able to enable that security option without proving I could actually use the hardware device to unlock first. But it completely activated it without me ever doing that.