EDIT: You know, after some time to cool off, Google Authenticator 2FA can still be enabled and isn’t being phased out like the less secure SMS 2FA, so it’s really not the end of the world here. The chance of permanent lockout is avoided, even if the whole Google Prompt system is still wack.
I don’t get this. Is this an SMS-based 2FA? If so, I’m not sure that Google has any ability to block that. Your carrier might, though, but that wouldn’t be controlled by your device’s OS. The option being greyed out on a third-party site has little to do with anything happening locally on your device.
If this is a push-based 2FA, then… yeah, you wiped the device, along with any tokens previously stored on it. This is also why any time you set up 2FA on any service, almost all of them warn you like a million times “If you lose or transfer your device before disabling 2FA, you will lose access to your account” before you complete the process.
I can swear Google gives you 10 OTPs to print out when enabling 2FA as well. Also, if using TOTP, backing up your seed would also be an option.
The problem is they are turning OFF the SMS and instead sending a special dialogue to a nonexistent device for the user to hit a prompt. The device was never used, though, and it was never set up for 2FA. My default has always been SMS which they are now disabling.
Deprecating SMS authentication is a good thing, in all honesty. SMS is not a secure form of data transfer, and is trivially intercepted. You can buy and setup an illegal Stingray device relatively easily, and capture basically all wireless data from a phone within range.
That said, if the device was truly never used for 2FA, then there wouldn’t be any push-based 2FA on the account to begin with. Unless there’s another device that’s been authenticated with your account somewhere, like an old phone. In which case, that’s where your login requests are being pushed to. That’s a setting that can only be enabled by successfully authenticating with a device at least once in the past.
If there was never any other authenticated device, then that setting on your account isn’t there. Enabling that feature is a two-step process, and step 1 involves configuration on a local device before it can be enabled remotely on your account.
SMS could potentially be a secure form of data transfer if companies weren’t allowed by limp dinosaur legislators to gut your phone for any usable data with a simple app, but yeah, I can see how its current state is lackluster.
You’re wrong, btw, the Google Prompts feature is Default and cannot be turned off.
Only if there’s a previously-authenticated device. That setting can’t be enabled without a key, and one of the required keys is produced locally by a logged-in device (which is why your device is trusted to stay logged in indefinitely). If enabled without a key, it’s nonfunctional and should error itself out and revert to a disabled state.
If that somehow hasn’t happened (which, in all honesty, would be very surprising to learn) and the setting is enabled on your account, then that’d be something you’d need to submit a request to Google to have fixed, otherwise you have zero recovery on that account.
Are you a thousand percent sure you’ve never had any other device logged into that Google account? When you attempt to log in, it should show you the device name it’s sending the request to. For instance, when I log into my Gmail from an Incognito window right now, it says to check my Pixel 6 Pro. What’s it saying for you?
No, I’m telling you, it’s on by default when you purchase a Google Device. It doesn’t need to be set up.
What device does it say it’s sending the request to?
A device. The fact that any device is getting a Google Prompt and it cannot be disabled is the issue.
The SMS vulnerability is not because of your apps. It’s because of the LTE protocol itself. It can be intercepted or redirected without touching your phone.
If you login to the Gmail app on any device, it can also act as 2FA. Does not need to be the one where they send the push…any logged in device will work.
Yeah, that’s the problem, you can’t turn it off.
Last time I logged in, there was a “try another way” button that allowed me to use an SMS or TOTP code. Is this not the case for you?
I thought the same thing, until I tried to log in over a VPN in an actual other country (not just spoofed GeoIP like most piracy VPNs do).
I clicked “try another way” and got to choose between “notification on your device” and “cancel”.
Google has some kind of fancy security system that will require you to use the highest form of authentication when something fishy is going on. Multiple failed attempts from a foreign IP address on a device resolution you’ve never used before? Gonna hit you with a mandatory device prompt. Login from a browser with an expired session? Probably not even a 2FA prompt.
The idea and implementation are done very well, but Google does lack the customer support infrastructure to resolve issues like “I’m in another country and I dropped my phone”.
You can use Yubikeys or equivalent if you want to always have a way back into your account. Use two for optimal protection against lockout (one primary you use all the time, one stored away safely intended for recovery).
I guess if you’re locked up like OP, you’re basically fucked, right?
Probably. Wouldn’t be surprised if you were equally fucked with Microsoft as well. Faceless tech companies without useful customer support are hell to recover access to. The most reliable way to get any kind of action taken on your behalf is to go through their legal team.
You can also try to make a thread on Orange Reddit where a lot of Googlers/Applers/Microsofters tend to hang out. The process is 1) write a clear blog post with tons of screenshots and submit it 2) get lucky enough to reach the front page 3) gather enough outrage that the comments start complaining about big tech 4) hope that someone over at Google notices and reaches out to you. Also works with Stripe and Cloudflare!
Cool but that doesn’t fix the fact that the default method is one that literally does not function and can result in a permanent lockout. Though, I admit, SMS is way less secure than the Authenticator App.
It’s the default because you made it the default. Change your damn security settings Google can’t do that for you! Quick to rant about something without knowing how it works or how you got there is on you and not Google.
This is Lemmy, you can’t expect people to be calm or rational.
Well he’s also just wrong, Google Prompts cannot be disabled.
OMG THIS GUY’S RIGHT GET HIM!!!
They
Do Not
Allow you
To turn off
Google Prompts Default Option
Something similar happened to me too, an account that didn’t have 2FA enabled at all suddenly asking for confirmation on a device I had just wiped.
It sorted itself out after a couple of hours, maybe a bug.
This is like uninstalling Windows, installing Linux, and then blaming Microsoft because a feature you used in Windows doesn’t work in Linux
No, this is
- buying a surface from Microsoft
- immediately wiping it and installing Linux
- Microsoft then forcing you to authenticate using the device that is only tied to your account via purchase, and NOT login records, AND disabling other forms of auth
If installing linux was a feature sold to you by Microsoft, and then Microsoft removed the ability for the feature to work on Linux, then that would be accurate.
Installing Linux is now a feature from Microsoft. They even rolled out a guide recently.
It’s like installing Linux, then Microsoft not allowing you to access GitHub from any device.
Lmao
You actually have to buy the unlocked bootloader version of phones directly from Google, not something the vast majority of people could accomplish on their own. It’s a selling feature they provide so they can cut out middlemen at carrier services like Verizon (either that or Verizon locks it themselves, idk). I feel like if they wanted to detect that a device hasn’t been used in months or years before requiring you use it and only it for 2FA, they could.
I think the carriers are required to do it after the phone is fully paid for.
Usually you gotta ask them to do it, but yeah. Dunno about required, but I’ve never had issues.
It’s been a minute, but I think some federal agency made a rule about it a few years back.