shortcake27 · 3 years ago
> I explicitly don't want any non-deterministic, “risk-based” or ML decision involved in a decision as to whether I can access an account which controls critical infrastructure

I don't want this on any account, infra or not. If I can supply my password and complete MFA (TOTP/hardware key) then I want access to my account. I've been in a situation where I was logging in from a known IP, provided the correct password, correct OTP, and had access to the recovery email address on my account, and I was still denied access until I authenticated using a phone number which wasn't even associated with my account. Other people aren't so lucky and simply never gain access to their account again. It's mental. Let me make the decision. Give me a button that says "Always allow access for correct password and challenge".

jefftk · 3 years ago
> authenticated using a phone number which wasn't even associated with my account

As in, they required you to add a phone number when you didn't have one before, or they said "verify you can receive SMS at 555-123-5678" which wasn't even yours?

shortcake27 · 3 years ago
Yeah, they forced me to provide a number during login. I don’t have any numbers associated with my account, to protect against SIM swapping, and I shouldn’t need a number because I have multiple methods of MFA plus a recovery email. But if Google wants your phone number, Google gets your phone number. The number I provided doesn’t appear anywhere in my account, but I bet it’s stored somewhere behind the scenes so they can compare it against previous logins. I do wonder, if I got a new phone number, would it let me in or lock me out?
thrown1212 · 3 years ago
I’ve hit this (add a new number to verify) more than once. The security theatre of it all is painful.
c7b · 3 years ago
> There are to my recollection numerous stories of people being locked out of accounts which they have the passwords for because Google has decided that things are suspicious and having the password is not enough.

As someone who used to live/be in different countries on a regular basis, I've become so used to this that I have to remind myself that most users don't experience this regularly. I'm a bit more settled now, but I remember well the first time I saw a 'Can't complete authentication' (or something along those lines) screen, after I had already completed 1-2 extra steps. Not 'Please enable 2FA', not even 'Please use a different browser', simply 'You can't log in. Have a good day.' I've even had this on a work-related account at some point, i.e. one that's being paid for. Most times you can get it to work after a few days of trying your best to recreate the conditions of the last login (don't VPN to your old location, though, that usually backfires and can cost you a few more days). But I have definitely lost at least one account for good this way. I've literally started to develop anxiety about using Google login forms.

I use my own domain with an email service that I pay for (already since before this started happening) for everything important, and I can't recommend it enough. I know that you don't really "own" your domain either, but my experience with support from a local registrar is pretty good.

Khaine · 3 years ago
Just access Gmail using private mode. Every single time: "This device is unknown, please enter your backup email address to verify who you are", even though your password is 30 chars and complex because you use a password manager.

Google is the absolute worst at this, their 'risk based' login stuff is utter crap, and when you go travelling expect to get locked out and have no recourse because there is no-one to complain to.

Honestly, you would think a multi-billion dollar company could do better, but apparently because it's "algorithms", "machine learning" and a "free service" it's okay to be shit.

tguvot · 3 years ago
> Just access Gmail using private mode. Every single time: "This device is unknown, please enter your backup email address to verify who you are", even though your password is 30 chars and complex because you use a password manager.

I have a few "junk" Gmail accounts dating back 20 years, or whenever Gmail came to exist. A while ago I wasn't able to log in to them, even with backup email addresses/codes. Gmail wasn't sure that me is me and was claiming that all of those emails were under attack.

remus · 3 years ago
> Google is the absolute worst at this, their 'risk based' login stuff is utter crap, and when you go travelling expect to get locked out and have no recourse because there is no-one to complain to.

I think it is an exaggeration to suggest this will definitely happen if you travel.

I've got mfa setup on my account, work abroad semi-regularly and have never had any issues logging in to my google account.

jjav · 3 years ago
> As someone who used to live/be in different countries on a regular basis

Not Google, but I have never even once been allowed by Facebook to log in while traveling. So ridiculous. It's my account, I should set the policy.

I don't use Facebook much, but the only time I'd care to use it is while traveling to connect with old friends in whichever city I'm in. But no, impossible. I have no need to log in to Facebook from home, but that's the one and only place I can log in.

Habgdnv · 3 years ago
One example I can give is from a few years ago. I was in a car crash where my phone was destroyed. It was around 2 AM and I was about 500 meters from my office. I went there to use the stationary office phone to call my wife, but I didn't know her number. I thought I could check my Google account and tried to log in with my personal account. I had never logged in with my account at my workplace before. Of course, Google deemed this suspicious and asked me to confirm with an SMS to my destroyed phone or to open it and click "Allow" in the notification.

The only phone number that had not changed in years was my mother's, and I called her instead because this was the only number I was able to recall.

After that I moved completely out of google and now I use Nextcloud for my contacts.

ghaff · 3 years ago
You're really describing a more general problem though. Imagine you hadn't been 500 meters from your office. Maybe you're in some city you don't really know and you no longer have your phone. You may not even know where you're staying because information is on the web somewhere.

Google or not, it's a good idea to have generally important information or information pertinent to a particular trip accessible in some way that isn't tied to a phone.

vladvasiliu · 3 years ago
> Google or not, it's a good idea to have generally important information or information pertinent to a particular trip accessible in some way that isn't tied to a phone.

This is what I always do. Print hotel address, general route to the place, tickets, etc. There are too many ways for a phone to become unusable and not knowing where I can sleep is not the kind of stress I want to deal with when in a foreign place.

unethical_ban · 3 years ago
That's the point. The user didn't (willingly) opt in to 2fa for new logins!

That Google can't imagine a scenario like the one above is maddening.

Habgdnv · 3 years ago
I now remember both my wife's and my mother's phone numbers, but this is a problem for people who are used to their devices keeping that information. I remember my mother's number from the time when our house phone had no display and no phonebook. Her number is about 20 years old, from the introduction of cellular networks. You can experiment and try to recall your brother's or sister's number, or maybe a cousin's? Chances are that you, like most people, write it in your device and never check even a single digit after that. What I wanted to describe is not my stupidity in counting on Google. I wanted to describe that I use my account every day to purchase useless apps in the Play Store, but in the most unexpected moment, when I needed the account for something a bit serious, I was locked out. I don't want to make this comment long and philosophical. And it is not a rant. Just sharing my view of the story like everybody else.
throwawaaarrgh · 3 years ago
You shouldn't trust Google cloud because they'll leave you hanging out to dry. You can get yourself into a situation where your account is locked and nobody at Google will help you get back into your account. Even if you spend tens of thousands a month. There's no way to escalate your way to a resolution with a normal human being, because they care more about what they spend on support than the customer. AWS would never do that.

However, risk based security isn't the problem. Risk based security has been implemented by every major company (interested in security for its users) for the last 15 years. It has nothing to do with whether you'll be locked out of an account without recourse or whether there are alternative ways for you to log in. I used to maintain those systems using middleware. Properly implemented, they're only an inconvenience to a tiny subset of users that constantly use new devices from new locations without 2FA. And you can turn them off for specific users, add an alternative authentication method/criteria, or even fine tune the sensors.

Google's implementation is crap, and the lack of support is dangerous. But risk based security is fine.

hlandau · 3 years ago
Author here. The fact that 'every major company' has implemented risk based security doesn't automatically make it a good or sensible thing. I'm against the premise of nondeterministic login processes in general, not just for Google.

I will also say that the idea of detecting users which login from "new devices" is nonsense, at least if you're talking about a webapp. There is no such thing as a "device" as far as the web is concerned, in fact massive amounts of effort are invested into web browsers and web standards to try and prevent any kind of fingerprinting. The web platform very intentionally does not give webapps any way to identify or remember a "device".

So what "you're logging in from a new device" actually amounts to is, "you deleted the permanent cookie we tried to set". Which in my case always happens because I have cookies set to be deleted the instant the last tab from a given origin is closed. Sure enough, these sites doing this irritating 'new device' authentication incorrectly think I'm logging in from a 'new device' all the time. Reminds me of cookie popups that ironically can't be disabled when a user has cookies disabled because they use cookies to remember that they've been shown. In both cases the user is penalised for being proactive with their own privacy.
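
Added example, not code from the thread or from any of the sites it discusses: a minimal server-side model of the "new device" check described above (a long-lived signed cookie, so clearing cookies makes the same machine a "new device"), next to the deterministic policy shortcake27 asks for earlier in the thread (password plus MFA always suffices). The server key, cookie layout, policy names and the `alice` user are assumptions for illustration; only the Python 3 standard library is used.

```python
"""Model of a web "known device" check: it is a cookie, nothing more.

Example code for this thread (not from the original post). The cookie carries a
random device id bound to the user with an HMAC; the server cannot see any real
hardware identity, so "unknown device" literally means "cookie absent or invalid".
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical server-side key; in a real deployment this lives in a KMS/HSM.
SERVER_KEY = b"example-server-key-do-not-use"
COOKIE_MAX_AGE = 365 * 24 * 3600  # how long the site is willing to trust the cookie


def issue_device_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a random device id for this browser and bind it to the user with HMAC-SHA256."""
    device_id = secrets.token_hex(16)
    payload = f"{user_id}:{device_id}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload + b":" + tag.encode()).decode()


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie line a server would emit so the cookie survives restarts and is not
    readable from page JavaScript (HttpOnly) or sent over plain HTTP (Secure)."""
    return f"device={cookie}; Max-Age={COOKIE_MAX_AGE}; Path=/; Secure; HttpOnly; SameSite=Lax"


def device_is_known(user_id: str, cookie: Optional[str], key: bytes = SERVER_KEY) -> bool:
    """True only if the browser presented an unmodified cookie minted for this user."""
    if not cookie:
        return False  # no cookie at all: this is what "new device" really means
    try:
        raw = base64.urlsafe_b64decode(cookie.encode()).decode()
        uid, device_id, tag = raw.rsplit(":", 2)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    if uid != user_id:
        return False  # cookie belongs to another account
    expected = hmac.new(key, f"{uid}:{device_id}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def login_decision(user_id: str, password_ok: bool, mfa_ok: bool,
                   cookie: Optional[str], policy: str = "risk_based") -> str:
    """Return 'allow', 'step_up' or 'deny'.

    'risk_based' forces an extra challenge whenever the device cookie is missing or
    invalid, even after a correct password and MFA. 'deterministic' is the
    "always allow for correct password and challenge" behaviour the thread asks for:
    the cookie only influences the decision when the policy says so.
    """
    if not (password_ok and mfa_ok):
        return "deny"
    if policy == "deterministic":
        return "allow"
    return "allow" if device_is_known(user_id, cookie) else "step_up"


def demo() -> dict:
    """Walk one browser through the two policies; returns the decisions for inspection."""
    cookie = issue_device_cookie("alice")  # set on the first successful login
    return {
        "first_login_no_cookie": login_decision("alice", True, True, None),
        "returning_with_cookie": login_decision("alice", True, True, cookie),
        "cookie_cleared_on_tab_close": login_decision("alice", True, True, None),
        "deterministic_no_cookie": login_decision("alice", True, True, None, policy="deterministic"),
        "wrong_password_with_cookie": login_decision("alice", False, True, cookie),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:28s} {decision}")
```

Note that the model has no notion of a device at all: the same browser with the cookie wiped is indistinguishable from a stranger's machine, which is exactly the point made above. A site that wanted to honour the user's own choice could store the `deterministic` flag per account and skip the step-up whenever password and MFA both succeed.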

skybrian · 3 years ago
You're logging in so they know who you are, but you refuse to keep a cookie in your browser so they won't know who you are?

You know what the problem is, you just refuse to fix it.

minsc_and_boo · 3 years ago
Users typically use the same browser on each device, so using first party cookies to identify a device for web logins is not that far fetched of a solution.
aabhay · 3 years ago
Same exact thing has happened to us. Real company, real customers. Locked out of account entirely for 4 days with no response from the team, no apology, no explanation. Buyer beware. We’re planning on migrating to AWS once we can get a confirmed allocation of H100 GPUs (springtime) for our DL stack.
tapoxi · 3 years ago
This seems...wrong? I spend tens of thousands a month on GCP. If we were somehow locked out I would immediately raise hell with my account manager. Who is spending that kind of money and doesn't have one?
htrp · 3 years ago
You wouldn't be able to contact your account manager as your google account would be suspended and emailing from another address wouldn't elicit any response (even if you could remember your account ID/contact info).

Hopefully you have an iPhone because if you're on android, your phone wouldn't even work.

robertlagrant · 3 years ago
People do get support from Google. Can you give a bit more detail about what happened?

Also, I agree about risk-based security: it's coming everywhere.

vinay_ys · 3 years ago
You always have the option to turn on a third-party Identity and authentication provider and not depend on google auth at all.

https://cloud.google.com/architecture/identity/single-sign-o...

dizhn · 3 years ago
The other day I used an authenticator app for my second factor. It was successful as far as that goes but it still wanted to verify that it's me by sending a prompt to my phone. I don't call this security. This is abuse.
tapoxi · 3 years ago
You're misunderstanding the above post and conflating it with a MFA authentication method. If you use another authentication provider, Google does not authenticate you at all - your provider does (Okta etc).
scarmig · 3 years ago
Does this work with any SAML IdP? E.g. a private Keycloak instance?
Fethbita · 3 years ago
For those who are worried about their accounts, I would recommend setting up Google Advanced Protection Program [1]. It will ask you for a physical security key and I didn’t come across any other checks while logging in (i.e. random checks the post is talking about).

[1]: https://landing.google.com/advancedprotection/

grishka · 3 years ago
> Only app installations from verified stores, like Google Play Store and your device manufacturer’s app store, are allowed.

This part is absolutely unacceptable and it is, again, treating users like incurable idiots. I trust myself much more than anyone else in this entire universe.

lxgr · 3 years ago
I also don't see how this approach can possibly survive the upcoming EU platform regulation. In the context of the DMA, "You can use third-party app stores only if you deactivate account takeover protections" seems like a non-starter.
kwk1 · 3 years ago
You can also sideload via ADB.
chrisoverzero · 3 years ago
Then don’t turn it on.
YPPH · 3 years ago
This is a must for any valuable Google Account. I've also never been challenged since setting it up. It appears to be sufficient authentication.
e12e · 3 years ago
Until your key is lost, anyway?
usr1106 · 3 years ago
On a slightly related note, AWS just recently forced me (and probably everybody else) to separate Amazon shopping credentials from AWS credentials. I had never liked that they were common.

rescbr · 3 years ago
New AWS accounts were already being created without associating with retail logins. It's just now that they forced this migration out of Amazon.com for old accounts.
rippercushions · 3 years ago
Most serious/"enterprise" users of GCP don't use Google's own systems, but federate Active Directory instead:

https://cloud.google.com/architecture/identity/federating-gc...

If you do so, authentication is delegated to AD. And there are other third-party options too:

https://cloud.google.com/architecture/identity

zinekeller · 3 years ago
So if I'm serious about using GCP, I also need to use an Azure service? And now I understand why most companies either choose to use AWS or stick with Azure (despite its limitations).
Spooky23 · 3 years ago
More like if you’re serious about identity, you don’t add another IdP because you added another cloud provider.
folmar · 3 years ago
AD is not an Azure service. You are confusing it with Azure AD, which is almost entirely different, although the two can be set up to be in sync.