EDIT: You know, after some time to cool off, Google Authenticator 2FA can still be enabled and isn’t being phased out like the less secure SMS 2FA, so it’s really not the end of the world here. The chance of permanent lockout is avoided, even if the whole Google Prompt system is still wack.

  • redcalcium@lemmy.institute
    link
    fedilink
    English
    arrow-up
    19
    ·
    1 year ago

    Last time I login, there is a “try another way” button that allow me to use sms or totp code. Is this not the case for you?

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      English
      arrow-up
      7
      ·
      1 year ago

      I thought the same thing, until I tried to log in over a VPN in an actual other country (not just spoofed GeoIP like most piracy VPNs do).

      I clicked “try another way” and got to choose between “notification on your device” and “cancel”.

      Google has some kind of fancy security system that will require you to use the highest form of authentication when something fishy is going on. Multiple failed attempts from a foreign IP address on a device resolution you’ve never used before? Gonna hit you with a mandatory device prompt. Login from a browser with an expired session? Probably not even a 2FA prompt.

      The idea and implementation are done very well, but Google does lack the customer support infrastructure to resolve issues like “I’m in another country and I dropped my phone”.

      You can use Yubikeys or equivalent if you want to always have a way back into your account. Use two for optimal protection against lockout (one primary you use all the time, one stored away safely intended for recovery).

        • Skull giver@popplesburger.hilciferous.nl
          link
          fedilink
          English
          arrow-up
          1
          ·
          edit-2
          1 year ago

          Probably. Wouldn’t be surprised if you were equally fucked with Microsoft as well. Faceless tech companies without useful customer support are hell to recover access to. The most reliable way to get any kind of action taken on your behalf is to go through their legal team.

          You can also try to make a thread on Orange Reddit where a lot of Googlers/Applers/Microsofters tend to hang out. The process is 1) write a clear blog post with tons of screenshots and submit it 2) get lucky enough to reach the front page 3) gather enough outrage that the comments start complaining about big tech 4) hope that someone over at Google notices and reaches out to you. Also works with Stripe and Cloudflare!

    • doctorcrimson@lemmy.todayOP
      link
      fedilink
      English
      arrow-up
      8
      arrow-down
      7
      ·
      edit-2
      1 year ago

      Cool but that doesn’t fix the fact that the default method is one that literally does not function and can result in a permanent lockout. Though, I admit, SMS is way less secure than the Authenticator App.