wkat4242 · 3 years ago
> Removing physical U2F keys from an account without request seems to be the worst possible reaction to suspicious activity.

Exactly, unless they were added during the suspicious activity. But this seems to be not the case.

I work in cybersecurity and I've seen hackers setting up PINs etc on hijacked Whatsapp accounts just to make it harder for the legit owner to recover it. So if it was a really recent addition it might make sense. If the Yubikey was there for ages it's a really stupid move because it's the one way the real owner can prove themselves.

nalllar · 3 years ago
The account has had some security keys set up since ~2020, with additional keys added last year.
nabakin · 3 years ago
It could be accounting for the scenario where old keys are stolen.

1. You login with your key

2. Google flags you as suspicious

3. Google removes the keys from the account because the suspicious actor used them to login and could have been stolen

blacklight · 3 years ago
Articles like these (which can generally be grouped under the "what the hell is Google doing with my account and my data, and why can't I reach out to a human to get out of this Kafkaesque nightmare?") are popping on HN on a daily basis.

I've previously been reported for commenting on a previous article that Google is a faceless company that produces shitty products and it actually doesn't give a shit about user experience, negative feedback, nor deleting/locking accounts (and, often, years of work) for no clear reasons.

Somebody responded "on HN we often hear only one side of the story (people getting a negative experience with Google) and not Google's side".

So, since many Google employees are also here on HN, I ask you folks: do you have any words to say in defense of these crappy policies?

If yes, then I'm happy to change my mind about Google, and eat back all the countless offenses I've thrown at the company over the years if convinced by enough plausible arguments.

If no Google employees can come here (or, even better, directly reach out to those impacted by their bad decisions) and defend their policies, then I abide by my words: Google is a shitty company that produces shitty products, it is proud of being a faceless company that doesn't care about supporting users (even though it makes a lot of money out of their data), it makes horrible business decisions, and it leaves people in the dark when locked out of their accounts. Such companies, in a healthy market with enough competition, deserve to rot and fail and be mourned by nobody.

donalhunt · 3 years ago
Not a Google employee (any more) but familiar with the culture from past experience.

The mindset is that the company's costs must scale non-linearly against revenue for the company to survive. As a result, engineering solutions that require zero humans are preferred over hiring humans. Sometimes humans are acceptable in the short-term (usually if it results in more revenue).

Why do employees allow company leadership to allow this to happen? Internally, I think stuff like this does get raised and actions are taken to address the "bugs". But I think there is also an attitude that Google is not going to change course because they believe this is a better approach in the long run. "What's a few inconvenienced users when you can solve problems for a billion+ people??"

From a business perspective, I can understand it. From a human perspective it sucks.

n1c00o · 3 years ago
I would assume that it is mostly Google engineers on the site, and they do not have any link with these policies nor provide any information (either legal clause or simply that they don't know).

Not to play the devil's advocate but Google is still a great research company, helping the open-source community and the tech industry.

anonuser123456 · 3 years ago
I think your commentary is unfair; they make great business decisions. They realize that the benefit of fucking over a few users here and there is outweighed by the cost of helping them.

And people that matter have a back channel via employees or account reps to clear things up.

blacklight · 3 years ago
So in order to get a chance to be heard either you need a backdoor to a Google employee, or you need to be on a business account.

Therefore, unless you fall into one of these categories, you probably shouldn't use Google products - or, even worse, rely on it for sensitive things such as your emails, your photos or your work documents.

into_infinity · 3 years ago
Google generally does stuff like that when they believe somebody else had access to your account and made changes. This sometimes involves the attacker enrolling for (their own) 2FA or changing recovery methods to lock you out. So, the action of removing 2FA is in itself not unreasonable.

It's possible that their logic has some sort of a bug, especially if it only happens when you visit a specific service - and in that case, getting on HN might be the best way to get it looked at by a human... but also make sure you don't have any other issues going on.

nalllar · 3 years ago
Removing security keys that have been registered for years is very unlikely to be the right move even if my device has been compromised, as they are one of the most reliable ways I could prove I am the original account owner at some later point.

If the message had stated "We have removed recently added security keys" I would be a lot more understanding!

lamontcg · 3 years ago
If you had your recovery keys stored in a note on lastpass you might have wanted to rotate those as well recently.

Yeah, in theory those recovery keys should still be secure, but you know for certain that a hostile attacker has the encrypted secure note, and without any confidence in lastpass it makes sense to change them as well.

Unfortunately this means you look exactly like someone doing an account takeover and changing the password and recovery keys on the account.

ehsankia · 3 years ago
> registered for years

Right, that's likely the "bug" part. On HN of all places, people shouldn't be surprised that bugs happen.

quadrifoliate · 3 years ago
> getting on HN might be the best way to get it looked at by a human... but also make sure you don't have any other issues going on.

Wait, why are we normalizing this? Getting on HN is always the second-best way to get it looked at by a human. The best would be, you know, Google devs doing their job and helping their users instead of solving LeetCode or writing their next promo packet or whatever it is they do all day.

I'm not a big fan of this trend where Google and other companies are essentially outsourcing their (horrible) customer service to this message board.

I mean I'll still upvote the post in case I need to invoke this terrible fallback in the future, but I think it's reasonable to grumble about it.

into_infinity · 3 years ago
To their defense: given the company's business model, there's probably no other way of handling it. They make money at a massive scale, and as an individual user, you're not worth enough to provide customer support - or really, any special consideration.

The problem might be the business model itself. Google is not attached to any one of its billions of users, but they can cause a lot of pain if they randomly cut you off - especially in a world where email is essentially online identity. But then, I'd wager that a good 90% of us are employed in places that want to replicate that model at any cost... glass houses and all.

twawaaay · 3 years ago
Google's implementation does not seem to be doing much good anyway. To be fair, it is not just Google -- most companies feel the same pressure of having to implement MFA but then also make it convenient for clueless users to recover their access.

The right way to implement hardware keys is to allow registering multiple of them (so that you can put at least one or two off-site -- in a secure storage) and then not let you recover the access under any circumstances without showing you still own at least one of those keys.

If you can recover access without the keys then what is the point of keys in the first place?

roxgib · 3 years ago
This annoys me a lot - I do sympathise with the fact that these services are regularly bombarded with users unable to log in, but modern authentication tools have existed for a while now and it's time everyone learned to use them. A lot of services insist on including your phone number as a backup authentication method, making you vulnerable to simjacking, or your email address for the same purpose (basically offloading the authentication problem to someone else). That's if you can't bypass it altogether.

For services that allow it I have both a TOTP app on my phone and a YubiKey registered, which I figure is sufficient redundancy. Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it.

jzb · 3 years ago
"but modern authentication tools have existed for a while now and it's time everyone learned to use them"

It's a nice thought, but overall computer literacy is still highly varied, and it likely will be for a very long time.

We still have a large percentage of users who use computers sparingly and by rote. I have family members who need a lot of help to do day to day setups and are going to have a hard time with MFA devices or apps.

"Other people could have an old phone registered as well if they don't want to buy a security key. It's a very minor hassle to set up and I can't see why people can't do it."

Minor hassle for you. Major hassle for a lot of users. Try real hard to put yourself in the place of a 77-year-old user who has limited sight and only needs to use a computer to accomplish very specific tasks - and has zero interest in doing more than basic email, banking, and a few other things that can only be done online. They have a smartphone only because it's a connection to their grandkids.

Because of the smartphone they're saddled with a Google or Apple ID that they'd otherwise never bother with. A TOTP app or YubiKey? That's well outside their comfort zone.

This isn't because these users are dumb. But the assumption that "it's time everyone learned" is based on the idea that everybody is using computers regularly and has resources for educating them - which is simply not true.

My kids, my wife, and my in-laws all use computers very differently than I do and it's extremely educational how people outside the industry see and use computers.

My 17-year-old only uses a Chromebook for school (grudgingly) and would rather do everything on their phone. My wife is fairly computer savvy, but still hits roadblocks. (She does enjoy forwarding me screenshots of particularly bad Phishing attempts...) And my older in-laws occupy most of their time far, far away from their computer. Singular.

Anyway - it'd be lovely if folks had way more empathy for the huge swaths of people who have less experience with computers. It's not the priority for them that you imagine that it should be.

Brian_K_White · 3 years ago
You can duplicate the totp too. Either save the initial seed generated by the site(s), or depending on the app it may provide a way to export the seeds.

You don't go through the setup process on the sites again. The sites have no knowledge that you have 1 or 21 new totp apps set up. You just enter the saved seed keys into the app and it starts spitting out the same correct codes as the other apps you already had setup.

Gnome authenticator can export a json file containing the keys to all the sites you have in it. You can then take those (just manually read them in a text editor), and enter them into Google Authenticator on a phone, and now you have 2 working authenticator apps, both spitting out the same correct codes every 30 seconds.

Further, you take that same json and paste it into a note in a keepass record, or save the individual seed keys in individual site entries just like the passwords, and copy that keepass db file all over the place including cloud drives, and including places you can access without the totp.

Now you can reproduce a working authenticator from scratch on any device at any time no matter where you are and no matter what happens to your phone or laptop. Buy a brand new phone or laptop, have a way to get a copy of your keepass db without needing the totp app, and in a couple minutes you have a working totp app again.

You never really have to even use the single-use emergency bypass codes. Keeping copies of the initial setup seeds is really no different from keeping copies of the emergency codes, but the setup seeds reproduce a fully working app not just a one-time access to a site.

And even if some app doesn't provide an export like gnome authenticator, you can also just record the key the first time it is generated instead of just scanning the qr code. Once you've saved it, you can use it as many times as you want.
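The duplication described in the comment above works because a TOTP code is a pure function of the shared seed and the current time, so any number of apps seeded with the same bytes agree. The following is an added illustration, not code from the commenter or from any authenticator app: it implements RFC 4226 HOTP and RFC 6238 TOTP, a tiny stand-in "authenticator" with a JSON export/import (a constructed format, not Gnome Authenticator's real schema), and, going slightly beyond the comment, the server-side `verify` check with a clock-drift window. The seed is the RFC 6238 test secret (`"12345678901234567890"` in base32), and the site name `example.test` is a placeholder.

```python
"""Cloning a TOTP authenticator from its saved seed (RFC 4226 / RFC 6238).

Added illustration for the thread, not any app's real code. The seed is the
RFC 6238 test secret; the JSON export shape is constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits)


def decode_seed(seed: str) -> bytes:
    """Sites show the seed as base32 text next to the QR code; strip spaces, pad, decode."""
    s = seed.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class Authenticator:
    """Minimal stand-in for any TOTP app: a mapping of site -> base32 seed."""

    def __init__(self, entries=None):
        self.entries = dict(entries or {})

    def add(self, site: str, seed: str) -> None:
        self.entries[site] = seed

    def code(self, site: str, at: int) -> str:
        return totp(decode_seed(self.entries[site]), at)

    def export_json(self) -> str:
        # Constructed export format (what you might paste into a KeePass note).
        return json.dumps([{"site": k, "seed": v} for k, v in self.entries.items()])

    @classmethod
    def import_json(cls, blob: str) -> "Authenticator":
        return cls({e["site"]: e["seed"] for e in json.loads(blob)})


def verify(secret: bytes, submitted: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept codes within +/- `window` steps of drift, constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"


def clone_agrees(at: int = 59) -> bool:
    """Two apps rebuilt from the same saved seed emit the same code at the same instant."""
    phone = Authenticator()
    phone.add("example.test", RFC_SEED)          # first app, seeded at enrolment time
    laptop = Authenticator.import_json(phone.export_json())  # rebuilt on a fresh device
    return phone.code("example.test", at) == laptop.code("example.test", at)


if __name__ == "__main__":
    now = int(time.time())
    app = Authenticator({"example.test": RFC_SEED})
    print("current code:", app.code("example.test", now))
    print("clones agree:", clone_agrees(now))
```

The site never learns how many copies exist because it only ever sees the six-digit output; that is also why a leaked seed export is equivalent to a leaked second factor and belongs in the same encrypted store as the passwords, as the comment suggests.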

plantain · 3 years ago
I run a SaaS for what you might imagine would be highly technical, educated clients, and despite this I am bombarded by users who seemingly have never done a Register -> Activation email workflow.

Users are hard.

tbrownaw · 3 years ago
Really, there needs to be some way to add a secondary key that's in secure storage without removing it from secure storage.
twawaaay · 3 years ago
In the realm of real hardware security modules this is actually simple, at least in theory. (I worked as a security officer for a credit card payment company and we had real HSM boxes worth a small fortune each.) What you do is you initialise the hardware device with the same cryptographic material. You can make as many clones as you want, securely. In practice it is a huge headache, but it is due to the amount of procedures and paperwork you need to do.

Now, I am not an expert on Yubikeys and the protocols used by these tokens, but I know they have protection against replay attacks, meaning they keep a sequence number that is incremented for each challenge/response. Pretty sure it could be made to support multiple keys. It would be really nice if I was able to initialise multiple Yubikeys and use them interchangeably (and keep two in a safe deposit box just in case).

carbocation · 3 years ago
> The right way to implement hardware keys is to allow registering multiple of them

Google allows this.

twawaaay · 3 years ago
You missed the second part.
cute_boi · 3 years ago
Google have locked my account after I travelled to US. After that day, I have never used Google. Currently, there is no way to access the account.

Thank you Google for making my account "Safe".

Sparyjerry · 3 years ago
Phone was stolen while traveling and I needed to log into my account to get my flight information. Google wouldn't let me log in from a new computer even though I don't have 2 factor setup. I had to use my 'recovery e-mail' to confirm an e-mail just to login, and that other e-mail address also required a 'recovery e-mail' to login. Luckily my 3rd e-mail down the line of recovery e-mails was at a website that didn't require a recovery e-mail. The steps it took to just log into my account without 2 factor enabled were insane. It was a miracle I was able to do anything at all after having my phone stolen.

Edit: note I luckily had memorized all three passwords to the different e-mail addresses or I would have been up a creek.

nalllar · 3 years ago
Hi HN. I posted this here because it seems to be the best way to get someone at google to look at something.

To preempt some comments along the lines of "why are you relying on google in 20xx", I try my best not to these days but I still rely on them to forward emails from my old accounts, or for services like youtube where you must have a google account for full features.

yetanotherloser · 3 years ago
It's undeniably shitty behaviour from the Goo but I'm increasingly getting the message that the only sane attitude is detachment from anything I posted in some past, more naive age. Scribe on vellum or linen rag that which is for the ages, and ignore the rest. If it's on a server I don't even mourn it, I killed it already by putting it there.
hotpotamus · 3 years ago
I tend to agree, but you can also run your own servers.
ziml77 · 3 years ago
That’s how I think about it. What’s the big deal really to lose things from the past? I still have way more of my personal history solidified in recorded form than people of ages past. They managed just fine, I will too.

pifm_guy · 3 years ago
This 'just to be safe' procedure happens when Google thinks a bad guy is logged into your account. The bad guy might have changed the password, changed the 2fa, stolen login cookies or other malicious things.

What Google ought to do is to display a message saying:

* Google suspects someone else, or a virus, has access to your account with malicious intent.

* Google will help you secure your account.

* It is necessary to prove you are the legitimate account owner before we can allow you access to the account. To do this, we will ask for you to log into the account with as many possible devices and methods as possible. Into each device you should type '7867' after logging in.

* We ask this because a malicious actor or virus probably will only have control of a few of your devices, passwords or security keys, so we can identify you as the true account holder because you have more.

* We will then lock out the malicious actor, and you can change any passwords or security keys they used. If one of your devices was used by a virus, we'll block it until you have reset it.

nonfamous · 3 years ago
I had a similar experience recently when setting up a new TCF TV for my mother. I didn’t see a “was this you?” email to her Gmail account after logging her in to Android TV, and within hours her password had been invalidated by Google. The message when trying to log in at gmail.com was “Your password has been changed in the last week”, which caused me great concern and an hour or so changing passwords, etc. If the message had said “Google invalidated your password” I’d still have been pissed, but at least not panicked.