Putting any Google service connected to your account as a recovery method for your Google account seems like a problem to me. I don't know why the author didn't get any alternative recovery options if they had those configured like they said, but this is a good reason to only enter external services as any kind of contact or recovery mechanism.
Worryingly, after the whole ordeal the author still seems to choose to rely on their Google account now as much as before this all happened. It's kind of a miracle they got through to Google in the first place and it definitely won't happen again; it worries me that this post doesn't end with "and that's why I split my life across separate dedicated services". It feels like the author learned This One Cool Trick instead of the underlying lesson, which is that Google (or Apple, or Microsoft, or any big provider) cannot be trusted to not randomly cut you off without warning.
Unfortunately even doing everything right is no guarantee. I have Google accounts that Google will not let me into even though I have the correct password because it requires a connection from the same network as past logins, which are in places I no longer live. I've read accounts from others in the identical situation.
My answer to this is that I've completely moved off of Google except for an account I use for YouTube/Maps access that I could painlessly lose.
> I have Google accounts that Google will not let me into even though I have the correct password because it requires a connection from the same network as past logins
I don't get how that can possibly be a requirement. I mean, it's trivial to dream up a scenario where it is 100% legit to be in this situation.
I loathe these kinds of security measures that make up literally impossible tasks for some people.
There should always be a break-glass. That break-glass should not be tied to a piece of hardware. That's why I don't use 2FA unless there are break-glass OTP, or I can use a generic authenticator. Authy, for example, allows me to install 2FA on my phones and desktop - no need to worry about losing my phone meaning I can't get into my accounts.
My bank on the other hand, uses Symantec VIP, which has no backup or break-glass. So my bank (the only one offering 2FA) is 1FA.
Most OTP systems will show you a bunch of recovery codes you can write down or print out or email yourself or whatever you want to do with them.
Authy is a great option but annoyingly it's tied to your phone number rather than a username, so you can lose access to that if you break your phone in a place where you can't easily get a new SIM card (i.e. if you're on holiday). You also need to remember to actually enable multi device in the settings, as it's off by default. It's a good service, but it's not without its own pitfalls.
I'm always wary of custom 2FA systems that banks and governments like to use, especially if they do nothing to actually avoid phishing. If you're going to make your own version of TOTP, at least solve the biggest problems TOTP faces. For this reason I like to configure krypt.co as my primary 2FA method (for as long as that's kept running) with TOTP (and optionally device-local webauthn) as a backup solution.
Same, correct password but because God forbid I'm a human and I moved my body to a different network you don't get access.
All these algorithms and engineers yet login functionality fails.
There must be something else in your inability to access your account because I have been using a VPN for more than nine (9) years, changing locations every 5-7 days, and I have no problems accessing my Google account.
Interestingly, I remember creating a new Google account a couple of years ago from the Philippines, without a VPN, and when I moved back to the US I couldn’t access it anymore.
I believe the account’s age has something to do with the restrictions.
I kind of hope she reached that conclusion but just didn't include that in the post. In particular having your primary phone and email tied to Google is just a bad idea, period. They do not care. They do not have the capacity to care, by design.
I propose Google Human™, a new service that gets you in contact with a Google support person, where you pay a rate of $5.00/mo to get premium Human™ support services, so you can get back into your account without having to yell over social media in an outrage and 'escalate' your issue to Google employees over Hackernews or Twitter.
This isn't really a story about missing access to human tech support at Google so much as it is a story about Account Recovery, The Hardest Problem In Authentication. Anything Google did to make it take just a day or two to recover a totally locked account would be abused ceaselessly to take over people's accounts.
There are no good answers here. A lot of things that work as one-offs or rarities will stop working if everyone does them. If there's an FCC form you can file that short-circuits Google's current process, and it becomes popular, that form is going to stop working. Restoring your access to a locked account is simply less important than ensuring strangers can't "restore" access to your account.
Obviously, one good change Google could make here would be to refuse to accept Google Voice numbers as an authentication factor.
There have been complaints after complaints about people being locked out of accounts, and there are no easy ways to recover - often no way at all.
To say that the paid support you're paying for can't help you access the service you're paying for, that's a bit rich.
> Restoring your access to a locked account is simply less important than ensuring strangers can't "restore" access to your account.
That's a false dichotomy. If you can pay, say, $200, and get 30 minutes with a tech who has access to your email and can go through a manual, interactive process to verify you are who you say you are - for example, if you can prove you hold the credit card that's been used to pay for Google One for the past couple of years - well, these "strangers" are going to have to work REALLY hard to "restore" their access to your account. Probably well more than $200 and more than it costs to install a keylogger and sniff your password anyway.
It doesn't so much matter if you like the current state of affairs; it is what it is. If paid Google support could easily reset accounts (or, really, reset accounts at all), the accounts of paid support subscribers would regularly get taken over. Try to design an account recovery program for a service with, say, more than 10,000 clients to see why.
Think through what you'd hope Google would be able to do here. How do they authorize the request to unlock the account? Now imagine a well-funded adversary that knows exactly how Google's processes work (probably because they continuously pay for accounts and have them reset, to track what Google's doing). What's the reliable signal Google can use here, one the majority of their users actually have access to, that they can quickly execute on?
There are companies that have relatively quick Account Recovery processes through customer support. But those companies either aren't worth defrauding, or are regularly but quietly defrauded.
At least for accounts that have services that have a billing address, they could send a postcard with a special code to unlock the account. In the case of the OP, that would have solved the problem.
Historically, that's how things like PINs were often reset. Of course, the more frictions and tie-ins to physical things you throw in, the more people will have legitimate sob stories about how they don't have that phone number any longer or they just moved and so forth. There's always going to be tradeoffs.
To what address would Google send such a postcard? What do you do about the problem of estranged spouses and the like triggering recovery to break into their partner's or ex-partner's account? It's a mess. All the options are.
Remember, this is the most valuable account most people possess.
> What do you do about the problem of estranged spouses and the like triggering recovery to break into their partner's or ex-partner's account? It's a mess. All the options are.
Nothing? Google sends postcards to verify business addresses already. If it's good enough for the bank to send me a card and PIN via post it should be good enough for Google. We have laws in place to deal with estranged spouses breaking into accounts.
Everything you say is true but I think the weights on your arguments are off.
A well funded adversary WILL take over your Google account. They'll do it by installing a keylogger and stealing your cookies, they'll do it because they know what signals the account recovery process is looking for - much better than you do, they'll do it because hacking you is far easier than hacking Google. (Two-factor authentication done properly, with printed backup codes in a safe location, can prevent hijacking most of the time.)
Second, Google accounts constantly do get hijacked every day. This draconian status quo might have been justified if it would prevent all hijackings, but it doesn't.
Third, my Google account is not my most important account. My bank account and portfolio which hold my life savings are arguably more important. But somehow I'm not worried at all about losing access to them.
Again, no system is perfect and it's mathematically impossible to identify the correct person for every account. But I still believe you can get the same false positive and false negative ratios without getting blog post after blog post from people who are completely stuck.
I'm not going to debate any of this stuff, because it's not the point I came here to make. My point is that the problem this person is having is with Account Recovery, The Hardest Problem in Authentication, not with poor customer support. You're welcome to argue that Google should take Account Recovery, The Hardest Problem in Authentication less seriously. All signs point to them taking it more and more seriously, but that doesn't mean you can't campaign.
My point is different. Recovery is the hardest problem in authentication, but when you're as big and as significant as Google is, you owe it to your users, paying or not, to get it right, however hard it is.
Nah, I'm talking about edge cases. Beyond the 99% of cases which I assume they get right, recovery is a cost center.
There's a single potential client (maybe two if you add Facebook) who seems to be showing no interest in getting it right. Not the best business proposition.
In the sense of the general account recovery problem, yes. I'm pretty sure it's mathematically provable to be impossible.
But the account recovery problem facing Netflix or Github is different from the one facing smaller companies which is different from the one facing Google. I honestly doubt there is a one-size-fits-all solution, I definitely don't have it, but I'd be happy to be surprised.
If I needed to, I could physically walk to my bank and they would unlock my bank account on the spot. That also seems like an excellent protection against people getting their account hacked from overseas. No Indian call center is going to show up in person inside the US to recover your account, so those people that do show up have a high likelihood of being the correct person. Google could also require people to show their ID card and sign a copy of it so that if an account is maliciously reset this way, the original account owner can subpoena them to get the ID card copy that the scammer used.
It's not rocket science. All banks can do it. It's just a tiny bit more expensive than saying "fuck you" to 0.1% of your customers.
AWS has a decent (corporate) solution to this. They simply outsource account recovery and user attestation to the state and the finance industry. You stake money on a financial medallion (a contractual instrument that's a guarantee of sorts). Presumably you will get sued and armed men will come after you if you commit fraud. It doesn't scale well outside of the big cities but it could be a viable option for Google.
Requiring physical presence in some manner makes identity verification, if not failsafe, a lot harder and riskier to spoof. I observe that my broker was allowing transfers over the phone early in the pandemic. But when I did a similar transaction earlier this year, they were back to needing me to go into an office.
Most civilized countries have strong authentication methods which are behind easy and cheap APIs for Google and others to use if they really care about restoring access.
I'm sure there are ways to authenticate yourself digitally in a strong fashion in the USA as well, with online banks maybe?
In any case, lacking that, one could just walk into a Google office with a passport there. There are official ways to do authentication if these corporations really cared.
Too bad low-level support workers cannot do anything. All they will be able to do is read the AI-auto-generated text to you and answer your questions by reading from the prepared responses. You pay for having a human read to you what the computer system produced. For supporters to be cheap and exchangeable (for the business) they are bound to executing the prepared algorithm and script without option to deviate. Often they cannot even access relevant information about you, never mind updating anything in the database.
To get someone able to actually make decisions, especially when they are against a measure the system automatically put in place following its programmed or AI-derived rules, you need to go at least two levels higher. Even "managers" often - usually? - only have discretion within pre-determined possibilities and scenarios.
100% true.
What to say to get escalated to these levels?
In situations like this I asked to escalate it but was denied. Said there was 'nothing they could do' and parroted the relevant sections ad nauseam.
Largely, support has been relegated to very extensive and exhaustive FAQs and if your issue is not found in them, you have to pick up the phone and spend 5 hours trying to reach a human at Google, or yell all over social media as a last resort.
You can find a number for google? I've been trying to find Ebay's number for months. Support told me I have to call them, but they are not allowed to tell me the phone number.
I'm not enough of an influencer to get my rants here noticed.
What I find funny is that low level support at Google can't do anything at all to help you, unless it's a low level Google Ads rep. Then they ask for carte blanche access to make any and all changes to your Ads account to 'help you'.
It all comes down to which direction, and how much, the money is flowing with them.
This has so much extortion potential I'm surprised all the major tech companies aren't doing it and milking it for all it's worth. It's amazing they have left this cash on the table for this long.
Google One comes with phone, chat, or email support in 23 languages. Hit the support button and they call you within minutes, which is a support system on par with Bloomberg terminals. $1.99/month.
Didn't know this - I was gonna subscribe potentially to GSuite for personal stuff but I guess I already have official support. Probably will just stick with that then!
edit: As people are pointing out below, however, is there no way to use Google One support if you are locked out of your account?
When I was a Google employee, I helped a friend go through their account lockout issue. It was because they used MFA to a phone number, but later changed their phone number, which made them unable to login. He tried so many times that some velocity threshold was hit, further limiting the possibilities.
My friend needed to respond to some interview scheduling, so, it was a stressful situation.
Part of the problem was that it was hard for my friend to find a way to create a support ticket. He did in the end and got in a line of communication via an alternate email.
There were many miscommunications from both my friend and the support agent. While Account Recovery or even basic identification are hard to navigate for technically-minded folks, it's even more challenging for non-technical folks, including the support agent.
In the end, I got in touch with the support person, helped translate what they wanted to know to my friend, and likewise, translated what my friend was saying in a way that the support person could understand.
I don't think I was able to see the support ticket itself, because of PII restrictions. In the end, my friend was able to restore service. I doubt he'd have been able to without my support in time to respond to the interview scheduling.
This was more or less my exact same scenario as well. MFA with an old phone number makes account recovery from Google about close to impossible. I had a friend who worked at Google that was able to create a support ticket for me. Before talking to my friend, every single customer service support rep more or less confirmed that I was completely SOL.
It is the reason why I have transitioned from Google.
I'm thinking of doing this and I haven't yet figured out how to migrate all the accounts I have associated with my GMail account. Do you have any suggestions/tips for a fellow potential immigrant? :)
I moved to Tutanota and what I did is forward all my Gmail emails to my Tutanota email. It made it much easier to switch because I could immediately start using Tutanota and then migrate my accounts over time to eventually delete Google completely.
Nope. As the article says... contact the FTC to port the phone number since they (or their supplier) are in violation of law... get response within a day and number ported within 30 days.
1. (Optional) Register a domain (So if you need to migrate in the future, you don't need to change your email address!)
2. Sign up for paid service somewhere else. Paid email services are extremely cheap, and worth it to have a phone number where you can call a real human person.
* If you wish to continue using the Gmail interface, skip step 3 *
3. Forward Gmail to the new account.
4. As you see messages you want coming to your Gmail account, switch them to your new account.
5. (Optional) If you really like the Gmail interface, use IMAP/SMTP to check your email in Gmail, even though it's really coming from/to your external account!
It's really easy to get away from GMail, and definitely worth it.
Your concerns are valid, but at least for 1 and 2, you can be proactive about preventing them, compared to preventing loss of your Google account which is just... crossing your fingers.
As for 3, well, I really don't care in the least what happens after I die. I won't be around anymore.
I can't really speak about how much of a problem 4 is, because it's never happened to me. I suspect the people who get their email classified as spam while using a large email provider actually are doing something wrong.
As a sender, you don't know when #4 happens. Regular people don't check their spam folders. Regular people don't go out of their way to give the sender a heads-up that it was classified as spam.
I know it happens to me, because I have to verbally follow-up sometimes.
The only way you would know if #4 doesn't happen to you, is if you're doing something wrong, like trying to track when people open the email.
Just do it! You'll have to choose anyway if you are one of the many folk here who use(d) a grandfathered free Google workspace plan with your own domain: it ends on June 1st, or thereabouts, and you'll be shunted into a paid plan (although there seems to be a waiting list for a free plan).
I did it last week. I signed up for Fastmail, followed their excellent documentation, and now only have a mandatory (new) Google account for a few apps in the Play Store that are not available anywhere else (but nothing paid). If I lose access to my Google account, I lose nothing.
My Fastmail migration basically went like this:
* Clean up mailbox, truncate mailing list folders.
* Copy mail to Fastmail using their importer.
* Change domain settings at your domain host (changing MX-records and a bunch of others); mail now goes to Fastmail.
* Set up mail and calendars in Thunderbird on Ubuntu and K-9 Mail on GrapheneOS.
The setting up part is easy. It's migrating user logins, subscriptions, and everything else tied to your GMail account that takes time and energy. Someone really ought to create a migrator app to get people off GMail and do the hard stuff.
This might actually be a great service for fastmail et al to provide: after you import old mailboxes, they should scan them for signup mails and show you a list of accounts to migrate, i.e. red marks.
After migrating an account, they know it, as they can scan your mail. Slowly, each red mark on your dashboard gets replaced with a green mark.
Actually I was thinking it would be a good idea for a password manager to implement. They have all of the credential information, they'd just have to implement "Change my userid" logic for all websites out there. That's definitely a hard problem to solve...
I would love to do this - and it would be easy, as I'm already forwarding from my own domain and have been for 25 years - but I receive so much spam (>600 per day vs. ~20 non-spam per day) that only Gmail's spam filtering is good enough. I've tried others (like Fastmail) and typically ~50/day get through their spam filters, vs. at Gmail where on a typical day 1-2 get through.
As soon as anyone besides Gmail can successfully do spam filtering, I'm stuck with them.
(Why do I get so much spam? Because I've been using the same email address, never hiding it at all even on Usenet, for 25 years.)
Have you tried training a user-specific spam filter like bogofilter? You might need to save a few months of spam for training. I get quite good false positive and false negative rates.
I use gmail because it has this obscure addon thing that shows the number of unread emails in the favicon. Default gmail and all other email providers I have tried show the unread emails count in the title which is invisible on pinned tabs.
I have three email accounts outside of gmail that are forwarding to gmail so I can have a favicon counter. Those email accounts maintain their own copies of the emails. If gmail were to lock me out I would lose my favicon counter. I would need to get a new phone number to create a new account and set up the forwards to the new address.
Why do I insist on this convoluted setup? My previous email client was a firefox addon that showed me that counter and it made me read my emails. Every email account that doesn't follow this set up that I have has lots of unread emails.
I have a thunderbird instance with 140 unread emails open right now. I have 0 on gmail.
After reading stories like this, I've moved to "single purpose" accounts with Google. I have a youtube account, firebase account and a google analytics account, and all of them are separate from one another. My hope here is if google shuts down a single account, I only lose access to what that account did.
I read somewhere on HN in the last couple months that Google is prone to banning/deleting accounts that it thinks are associated with accounts it bans, so I would not do this.
I even recall an article where the google developer account of a company was blocked because it got associated with the personal account of one of their old employees.
I think Google allows 3-4 accounts since it's common for families to all use Gmail, so they're lenient in that regard. Obviously, creating 10 accounts with 10 Twilio numbers would arouse suspicion and those accounts would be swiftly banned.
Multiple accounts are allowed, sure. That's not the issue.
The issue is trying to use multiple accounts as a kind of loss mitigation strategy. If Google knows about your multiple accounts, and one of them gets banned, they're _all_ at risk of getting banned just for being associated with the one.
Hope you're running all the up-to-the-minute anti-fingerprinting you can find. For a long while any time I went to YouTube even in a private window they'd ask me to log in under my old Google account that I hadn't used on that computer for years. It was creepy as hell and I'm still not sure if they've stopped because they can no longer associate that account with that computer or if they're just confident enough now not to ask.
Considering how much our digital lives are interwoven with our real lives, who will be held responsible if someone takes their life in sheer helplessness on the basis of Google's absolutely thoughtless and inhuman actions and unresponsiveness in the wake of them?
It might seem hyperbole but it isn’t. Who is to say it hasn’t already happened?
Google is just one of many companies that are too big to actually communicate (like Verizon, AT&T, Amazon, Microsoft) and have to be forced to do anything if you're not paying them tons of $$$. They do what they want.
If your livelihood is tied to your email / phone, then you really should consider a company with which you can communicate.
I have considered paying for a personal GSuite account partially because of this - I use my Google account for a lot of MFA stuff so it is fairly critical to things I do. At work we have a corporate account and their support is pretty solid (especially the chat support - I seem to get someone very quickly and they are way better than your typical tier 1 drone). I get that people are upset over this but are we REALLY surprised that we get shit support for a FREE service?
They also have a separate site / login / forum for proposing new ideas, bugs, etc etc that you can use if you have an actual corporate account (strangely it requires creating a separate login and password). I have found that using this forum you can also get some decent support for weird issues or bugs or suggestions (sometimes from other users as well).
associate a VOIP number with your google sphere, so when it happens, file an FCC complaint re undue termination of telephonic service.
it seems this was the only thing that elicited a proper response.
reading the article and google's response to the FCC complaint makes it evident that google is full of it as far as "we can't do anything about it" is concerned.
the only problem i see is that it seems the complaint was dropped or left orphan, rather than followed up on. that's why google keeps on doing it because there are no real consequences other than being told to Give it Back.
it reminds me of when one kid swipes a toy out of another's hands and keeps doing it because there is no real deterrent in play.
I would be completely unsurprised if Google kills off Voice specifically because there's a regulator who makes them provide customer support and they'd rather not.
After the response, the best thing would be to sue Google, of course. Not once, not for big values. One small cause for each small annoyance. Not at the same time nor in the same jurisdiction. Then read all the defences they make and mix them among the causes. If their system is so fragmented that they can't deal with your original problem of losing access to your account, then they'll have trouble finding the pieces to defend themselves. And if they can find them, even better: use it as proof that they can connect the dots when they want to.
It sounds like they responded to the complaint by unlocking the number, allowing her to port it out. Not by restoring her access. Not much of a deterrent.
> I'm not the type to get bitchy with customer service reps. I've managed teams that do that job, and I know how scripted their support has to be.
"has to be" burns. It could be different. Why is a script essential? These support scripts drive me crazy. I would probably melt down in the OP's case.
Answers like "they allow less skilled first line workers" don't count because one could hire skillful people to solve problems on first contact.
Recently we had to deal with amazon. And we try not to Karen when we call any customer support. But man does the getting audibly angry and asking for a manager actually get the ball rolling. There's a reason people do this, and the reason is because companies don't care until you show some anger.
Maybe Google can have trusted contacts to help the account recovery. If I set up 5 trusted contacts, all of them would receive different temp passwords and the temp passwords from at least 3 would be necessary to recover. The only risk is 3 out of 5 trusted contacts getting compromised at the same time or 3 of them colluding, which again is unlikely with trusted contacts.
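The 3-of-5 trusted-contact scheme proposed above maps directly onto Shamir secret sharing. The following is an added example (not the commenter's code, and not a description of any real Google process): a recovery token is split into five shares, one per contact, and the provider keeps only a hash of the token; any three shares reconstruct it, two do not. The contact names and the hashed-token check are constructed assumptions.

```python
"""Threshold account recovery with Shamir secret sharing (constructed example)."""
import hashlib
import secrets

# Mersenne prime 2**127 - 1; every share value and the token live in this field.
PRIME = 2**127 - 1

# Hypothetical trusted contacts chosen by the account owner.
CONTACTS = ["alice", "bob", "carol", "dave", "erin"]


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) at x mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold=3, shares=5):
    """Split `secret` into `shares` points on a random degree-(threshold-1) polynomial.

    Any `threshold` points determine the polynomial (and so its constant term,
    the secret); fewer points are consistent with every possible secret.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) shares.

    With fewer than `threshold` shares this still returns a value, but it is
    the constant term of the wrong polynomial, so it will not match the token.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share ids")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME          # (0 - xj)
                den = den * (xi - xj) % PRIME      # (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def _token_hash(token):
    return hashlib.sha256(token.to_bytes(16, "big")).hexdigest()


def enrol_trusted_contacts(contacts, threshold=3):
    """Owner-side enrolment: mint a recovery token, hand one share to each contact.

    Returns the hash the provider would store and the per-contact shares. The
    provider never sees the token itself, so a leaked database does not let
    anyone recover the account.
    """
    token = secrets.randbelow(PRIME)
    shares = split_secret(token, threshold, len(contacts))
    return _token_hash(token), dict(zip(contacts, shares))


def attempt_recovery(stored_hash, presented_shares):
    """Provider-side check: do the presented shares reconstruct the enrolled token?"""
    if len(presented_shares) < 2:
        return False
    return _token_hash(recover_secret(presented_shares)) == stored_hash


if __name__ == "__main__":
    stored, issued = enrol_trusted_contacts(CONTACTS)
    three = [issued[n] for n in ("alice", "carol", "erin")]
    two = [issued[n] for n in ("bob", "dave")]
    print("3 of 5 contacts:", attempt_recovery(stored, three))   # True
    print("2 of 5 contacts:", attempt_recovery(stored, two))     # False
```

The same arithmetic covers other thresholds (e.g. 2-of-3 or 4-of-7) by changing the arguments to split_secret; the colluding-contacts risk the comment mentions is exactly the threshold count.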
My elderly parents were on google forever. Forgot password because they'd just stayed logged in.
What was weird is even though they had a recovery email (mine) that we were able to get a code to, google had a second check - a requirement to TEXT a code to the phone number on the account. Unfortunately my elderly parents had put a landline phone down - which doesn't accept text messages.
I gave google the benefit of the doubt on that, because they'd actually forgotten the password.
More seriously, I was doing an apps setup (way way back) for a nonprofit. They give you a weird temp email domain, then you port in your domain etc etc. Some issue (no fault of ours) got the state stuck in a doomloop. Even though it was a paid service, there was no support.
I contrast that with AWS. Fine support on store side and on compute side in my experience.
In this case I'd consider Google Workspace. It costs, but it gives you ironclad control over the accounts, and your parents won't lose access to their accounts no matter what they do.
As a bonus, Workspace is sold by partners, so you contact actual humans if Google does anything weird.
Yeah I agree - this is the real comparison to AWS. You have to pay for AWS which is mostly a professional service (even if there are free aspects) vs Google services that are mostly all free. In my professional experience the support for Workspace has been excellent. Luckily I have never had to contact their support for my personal stuff.
Google is a monster that people should know not to trust. Better to not use a Google account for anything serious or unless you really have to. Even then, expect and prepare for the worst. Way too many "Google locked me out" stories.
Think hard about this question now and start working on reducing your reliance on any such freely registered online account. That goes a hundredfold for the email account you use as a recovery address.
I got locked out of my Gmail over a decade ago when it was just another webmail service (but with 1GB of free storage.) I believe there was some sort of unauthorized login attempt. I couldn't find any answers or get any help from Google until I started googling for random Google employees and found a phone number for one.
He was a bit put off by getting my rando phone call, but I explained my predicament and he took the time to look into it and helped get my account restored. Thanks Google engineer guy!
I'm going to be 18 this week and I'm concerned about Google having more power over my personal data et cetera.
I've already migrated everything (mail, chat, storage, ...) to a self hosted server at home, but I can't delete my Google account because I paid $25 for the Google Play developer account, and I don't want to lose access to that.
Is there any way to use the developer account without a Google account?
There are enough comments about Google support, so I won't comment on that. OP however has worked in tech for 20 years, yet made a very naive mistake - a circular dependency, so to speak. They used a VOIP number from the same account as the recovery phone number.
The real lesson to me is don't use a Google Voice (or probably any carrier) number as a recovery for anything too important. An attacker can just contact the FCC to threaten your carrier into releasing the number to be ported without you authorizing it.
I had this happen before and I was asked a bunch of obscure questions such as the month the acct was opened. They restored access but it took a few months.
Google's response… «We are disappointed that […] experienced […] difficulties […]»… ah stfu, you are lying, you are not at all disappointed. They also show no intention at all to find out what happened so they can improve their internal processes. Working as intended…
before you make a new one you probably need to reinstall, or scrub the OS for google bugs, replace the NIC, and get a new router, new modem, new ISP with a new, pseudonymous/business account.
you might be able to evade google fingerprinting if you do all these things.
it would not surprise me if google pays to be allowed to crawl everything that touches google for even one tick, so they may still connect the dots when the AI sees a browser activity graph just like your last one. Who knows how well a VPN may hide your breadcrumbs; I just avoid making accounts with google or letting any overt analytics through my browser.