Edit: One suggestion from me would be to try and start the dead phone connected to power but with the battery physically removed (assuming it's removable). That might bypass whatever issue it's having and let it start up.

Even worse than that, they're often connecting from public IPs that are "suspicious" which causes automated systems to treat them more harshly.

In Canada it's gotten to the point where you need an internet connected device to participate in the most important systems; government, banking, etc.. It's very sad that device can't be supplied by the libraries. They have them, but big tech discriminates against anything that's not a personal computing device.

To be precise, anything that's not a "personal" computing device running the latest spyware-filled locked-down software and a browser that can be anything as long as it's the three that Google implicitly "approve".

government, banking, etc..

Banking is private-sector, but I believe the government should always be accessible even if you live like the Amish...

https://en.wikipedia.org/wiki/Amish#Canada

...and I wonder how they get along there since they're apparently present in Canada too.

I got a notice from my state that I'm required to make future tax payments electronically. For that they require ACH. Banking may be private sector but participating in it is increasingly non-optional.

Historically, you were known by people around you and you could be "verified by relative" in the case of a house fire destroying all your documents or something, but your life mostly worked in your home town and traveling or moving elsewhere was hard. Trying to cash a check anywhere but your home town was hard, etc.

I'm a former military wife and this was a big enough issue for the American military that military facilities would cash your check at the BX/PX. Local banks and such often wanted nothing to do with military members.

And now we have this highly digital, highly mobile society and if you are rich enough and such and keep all your ducks in a row all the time, you have tremendous freedom to roam the world, pay with plastic, etc. But for a lot of people, it's increasingly problematic that we default to state ID and digital formats and so forth.

These systems should enhance older methods of making life work, not crowd them out and make life a living hell for anyone who can't keep up with it. And we should be optimizing for helping ordinary people make their lives work, not optimizing for trying to squelch bad actors and too bad, so sad if innocent bystanders get run over in the process.

I don't know how to make my life work. It seems impossible at this point and it really shouldn't be. We have the means to make life for me actually work and no matter how much I do, it's never enough.

What's worse is that the the error messages never explain the problem. It's just an endless sequence of "Oops! Something went wrong" "We could not fulfill your request" "Please try again later".

Could drive someone crazy if they're not savvy enough to realize what's going on.

You're absolutely right. They each carry the tone of "This content isn't available right now", like when trying to view a tweet from a shadowbanned user. I've seen that drive people, particularly family, into a kind of aggressive version of frustration.

At this point it's merely static deception. Wait until they run a GPT bot programmed to interactively lie to you, deflect, stall, misdirect and stonewall you based on your personal profile. These companies are devious and untrustworthy to their core, and the only reason anyone uses them is because they're forced to.

Looks like the CRTC mandates cheap plans the mobile companies offer free phone and plans too.

https://www.telus.com/en/about/news-and-events/media-release...

I experienced the only slightly inconvenient of this when I was replacing my bank card, even going into a Pret, I was unlucky enough to go into one randomly that didn't accept cash.

But for people that don't have bank cards, or can't charge their phones this is a real problem.

Here is the submission: https://news.ycombinator.com/item?id=32304320 (August 2022, the letter submitted is from 2021)

https://news.ycombinator.com/item?id=32304320

I have been homeless. I'm not currently. But this is an extremely stressful situation that could do all kinds of damage to my life if I can't get it sorted.

Homeless people don't need to use 2fa if they are so unconcerned with someone stealing their account or identity. For the rest of us 2fa and making it hard to steal accounts is 100% a must.

I hope so because otherwise you are just discriminating people based on their wealth. But praise lord dollar that if you ever fall from your status you won't find pedantic guys like you when seeking for help.

Does that make it right? No. Does that mean people won’t get hurt? No. Plenty of ink on HN has been spilt about how companies act according to a profit motive, and often not in societies best interest. Recognizing this doesn’t make you complicit.

If you don't have a verification method—or cannot access it—Google will literally just lock you out.

I have personally experienced this on accounts I don't access regularly.

Bottom line, though, is that these companies should be required to find a way to maintain that high level of security, but also have a process so anyone who loses account access can get it back in a reasonable amount of time.

I don't try to crow about being some kind of tech genius because for the HN crowd I'm not. But I'm not poor due to being mentally retarded or something. I have an incurable medical condition as does one of my adult sons.

Edit: thanks! Solved. I’ve deleted this part of the comment because I always feel very socially awkward and afraid I’ll make others feel awkward.

If you have been in hn so long you do know the numerous times people have lost accounts by not having backup to 2FA. TOTP is the only option.

As a user it doesn't matter how well you manage your own security when that can happen.

But i am not homeless. I'm sorry if this is cold, but should i have to have an insecure account because homeless people exist?

Its not like google has a monopoly on email service providers.

No, of course not.

This is like when people who drive get chuffed about pedestrians wanting their lives to work and acting like "Well, if we do anything for you, then my life will fall apart." As if we can only build a world that works for cars or build a world that works for non-drivers and the other camp just has to accept a sucky life and all kinds of flak for not liking it.

What in the hell makes you think someone must get screwed and it might as well be those who already have the least? No one is asking you to get screwed here.

You can't have google letting people back in their account unverified if they ask nicely not affect other people with accounts.

I don't really see that anywhere; I think you're jumping to conclusions.

Every system will need to have some escape hatches, whether that's a governmental bureaucratic process or a Google account recovery process. Because no matter how well you design a system some folks are going to fall outside of it because the world is complex and the number of possible situations are too many to capture.

"Yes, but it's only 1%" – yes, but it's 1% for system A, and a different 1% for system B, etc. and it all adds up.

All of this is why things like appeals exist in many processes, and why we have judges in addition to mountains of laws. None of this is perfect by any means and there's lots that can be improved, but at least there's the recognition that The System isn't perfect – even if it's more symbolic than anything else at times.

If I lose access to my HN account then that might be annoying, but fundamentally it's not really a big deal, at least not for me. But some accounts/services are connected to all sorts of things and much more important than some HN account and connect to "real life" in much more complex and impactful ways. You can't on one hand have a service wanting to become central in people's lives but on the other hand also just shrug at the edge cases and pretend it's not your responsibility when people get screwed over.

Absolutely. A common phrase is "mechanism, not policy". The service providers should be enabling all kinds of mechanisms for account level security so users can pick what works best for them. They should absolutely not be imposing any kind of policy. That's where all the source of trouble comes from.

Only I know the threat models I care about for any particular account I have.

For some of them, preventing unauthorized access is the top priority and I'll enable geofencing, 2FA, hardware tokens.

For other accounts, availability is an absolute must and more important than anything else so for those I'll just have a strong password.

Only I can possibly know the correct answer, so for a service provider to come in an impose their policy on my requirements is fundamentally wrong.

You are not neccesarily the person being negatively effective.

Email service providers are all about reputation so their stuff isn't marked as spam. When your account gets hacked and starts sending viagra ads, you are not the one who suffers the fall out.

There are lots of email providers out there with different policies. One of the reasons gmail is popular is because of these policies.

Sure, some people are going to lose their only device and the bit of paper, but at that point if you have literally nothing to identify yourself with, it's going to be hard to provide a secure service to you.

It doesn't matter how much in general 2FA works out better for most people, there are lots of people for whom it is not viable. They know who they are. Give them an option that doesn't make their life worse.

OP knows who they are, but I would not be surprised if many poor/homeless users wouldn't realize they need to opt out of something until they find out the hard way when they're locked out and can't get back in.

This is the sort of thing that really should be handled by government

Just make it opt out... You 2fa, do a song and dance, and 2fa is gone

I have this at the moment - I'm travelling, moving country every few weeks, so I need a new SIM card and phone number every few weeks. My phone number is temporary at best.

I'd massively prefer to take the risk of my identity being stolen than constantly fighting security measures that assume people never change their phone number (or country of residence, etc).

In this instance if they need a code why is there not a process to hell use US Mail and send a paper code to the registered address of the account owner? Analog is often the solution to these type of problems

There are no "support people". Let's stop trying to humanise a giant, hostile algorithm.

Go look at what you can buy for an Android phone if you exchange 100 USD to rupees in Rawalpindi Pakistan for instance.

Now imagine you drop your phone or screw up its hardware somehow and want to get it repaired, you can probably fix it at a local repair shop (some 1-man operation in a tiny retail stall) for $20-30 max with basic hand tools. Those guys might have a collection of pieces of the same model phone you have, or the ability to take 4 dead phones and mix/match pieces to make 2 working ones out of them and then re-sell them, etc.

I wrote a piece called So You Want to do a Website to Help the Homeless that might interest you: https://streetlifesolutions.blogspot.com/2020/05/so-you-want...

The local police department does -- or did at one time -- pass out flyers I made listing online resources for the homeless and there is an edited version of those flyers here: http://www.eclogiselle.com/2020/10/free-and-custom-flyers-as...

I tried to establish some kind of homeless smartphone project. It never went anywhere. If you want to read what little I did as food for thought for what you might do, you can start here: https://streetlifesolutions.blogspot.com/2018/04/project-hom...

If tech is your thing, coolios. Run with that. Better to do something than to do nothing.

But if you really want to make a dent in homelessness, my research suggests that this is mostly a housing supply/housing affordability issue. We aren't building enough new housing and what we do build tends to be too big and tends to require a car to make life work, which is an additional big expense and -- at least for some people -- a logistical issue even if they had the money. Some handicapped people simply don't drive. Some seniors simply don't drive anymore. Etc.

So if you really want to work on homelessness, I would encourage you to educate yourself about housing issues in your neck of the woods and try to get involved. I write about my ideas about what I would like to see for the US here if you want to look that over: https://projectsro.blogspot.com/

Am I worried about getting hacked? Absolutely! But when I weigh the likelihood of (1) someone else getting into my account without 2FA and (2) locking myself out of my own account with 2FA, the latter seems much more likely!

I understand how backup codes work. I promise you I will loose them.

I still had 1 percent power on my phone earlier and was previously able to get a code on it and I hoped I could get one last code before it outright died, so I said "Yeah, sure, send it to my phone" since they don't really want to do it another way.

So then I had to ask another way when I couldn't get to it because that is when the phone gave up the ghost for good. And then they said "We shall send you a link in 24 hours." So I moved the sim card and got text messages saying "Was this you?" and I said "Yeah, it was." and cancelled my "account recovery process" and tried to continue setting up my new phone because the old one is dead.

And this is when Google decided I must be a for serious criminal and told me "We shall send you an email in 72 hours."

So I'm quite upset at this point.

I work from home due to my medical situation. I have no friends locally who can drive me someplace.

Etc etc etc.

This is a non-starter for me. I need Google to fix this. I can't do anything about the busted phone at this point.

Despite this being a common problem, it's not well recognized, and it's easy to forget about it too. I went through several charging cables and almost replaced my phone half a year ago, before I remembered - and sure enough, all my charging issues were caused by a layer of lint at the back of the port, that got compacted by the charging cable so well that it formed a flat "false wall". I forgot all about it, even though I've performed the exact same fix on other people's devices in the past.

Hope it helps; if not, I apologize for wasting your time.

That’s probably mechanical stress causing the port to become loose. It can happen after a few years.

Does helping you look like potentially helping a hacker take over an account, recognizing that google deals with totally crazy state level attacks? Google faces some significant liability and risk here.

Would you pay google to make it worth their time to help you (I actually think this should be an option - if a physical in person visit + someones time is what it takes - then google should have some system for $500 + you get to their office somewhere to recover your account)

I've had relatives in this situation. If you do know someone at a large institution with an institutional relationship I think you can sometimes get help - I had a relative go this route, wasn't sure if the IT folks there just figured out how to fix / work within google, or could escalate somewhere to get it addressed.

Because google will worry about reps selling access to account resets - they may REALLY lock this stuff down, so even if a rep wanted to help, they may not be able to (insider attacks a big issue again especially state sponsored attacks).

But people here seem a bit less threatened by very poor individuals actually posting here than in most online places. I know from my own experience that mentioning you're homeless is usually a red rag to a bull. Add that you're an unemployed software developer, and the self-loathing middle class is often very quickly off on a hate-rampage. Less so here, for some reason. Perhaps just because people here are focused on topics of common interest, so if you're a loser (generally hated by the winners, worried that by the grace of providence they might have been you ..), at least you're one of our losers?

Many accounts that support 2FA let you download a few (commonly 10) static codes that don’t change. If you anticipate a situation where you may lose connectivity access like this, it may make sense to download the codes and store them in a physical notebook.

I honestly don't know what's going on behind the scenes to know if this is not as secure as it "should" be. But this was my reaction specifically to the non-SMS TOTP 2fa: Wait, if I lose my phone there's literally no way possible to get in? Oh there is, if I have the backup codes... yeah right, you think I can hold on to backup codes? Surely there's something I'm missing, what is everyone else doing here? Oh, everyone else is just hoping they never lose their phone? Really?

Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA.

This exact situation has been such a thorn in my side at my company lately. Does anyone know any way to disable this behavior, even just with Google Workspace accounts?

If I've agreed to use and keep track of a very small physical device to access my account, don't be going letting any ol' person who can access my phone number in there!

Had that happen to me, I was saved by still having the backup codes + having some unholy Tasker + Pebble automations that let me operate the phone without display - enough to launch AirDroid, use it as remote display/input to enable ADB over WiFi, and then finally use scrscpy over ADB as a remote display/input that doesn't blank out on security screens and in Google Authenticator. Only at this point I was able to transfer all the other TOTP entries in Authenticator to the new device.

Lesson learned: 2FA with TOTP is a responsibility to be taken seriously, despite what security professionals would make you believe.

There’s a fire or gas explosion or earthquake or something, and you need to leave all those behind. What do you do?

> Oh, everyone else is just hoping they never lose their phone? Really?

I would be very, very surprised if that’s not what the vast majority of the population is doing. Many people have a phone as their _only_ computing device, and no printer, and don’t really understand why they should be carrying around scrawled codes in their wallet.

I get screwed!

I guess the right answer is that I have the backup codes carefully preserved.... off site! In case of natural disaster. Every time I sign up for a new account, I print out the backup codes, and take them to an off-site secure storage location, which of course i have... somewhere.

There's no way 90%+ of internet users are doing that.

I'm not even going to pretend I have any chance of doing that.

Yeah f no. Most people just screenshot their backup codes and put it in a Google doc somewhere in plain text, at best. And at worst, they go "what the hell are these codes" and close the window.

Which, security-minded folks would know, is effectively equivalent to just writing passwords down in plain text.

Nobody thought to put even a tiny speck of product management into this system.

for the rest there are other options.

I really should be storing some codes for my password manager somewhere…

If someone wants me enough to target Authy with an SMS reroute attack focused on me, they're gonna get me either way. I'm not Ed Snowden here, I'm just a guy trying not to lose his car keys.

But, what's the thing you use that provides the benefits of cloud syncing across devices and isn’t tied to a phone number? For anyone that might be interested, including me if it seems as easy and as idiot-proof. (and free or cheap).

When that happens, Google asks to confirm with a known mobile device even though I have specifically configured 2FA TOTP since 2012 to be device independent (and I currently use keepassxc or mobile equivalent to generate the totp value). Google subsequently doesn't allow login by any other method and if the required device is lost or broken you lose access.

That just makes it even more likely you'll lose access. If you have 2fA, Google will just ask for your 2fa. If you don't have 2fa, Google will pick some random device you signed in on once ten years ago, and tell you that you can only ever log into your account again if it's from that device.

2FA might be good for security, but it's also very ableist.

Just like with accessibility on the web, it's so easy to forget about that when you're not in the situation yourself. Thank you

I don't have a lot of sympathy for big tech when it so clearly fails to enfranchise those that need it most.

If you set a strong, long, unique password for every account, your chances of getting the account compromised are just about zero.

2FA is a good thing in most cases, but I do hate how the industry has blindly adopted it as some sort of mantra that you can't exist without. The reality is that if you chose 128+ bit passwords generated out of /dev/random, they cannot be brute-forced within the lifetime of the universe. You might get phished, which is entirely different, but if you're careful about that you'll do fine without 2FA.

Yubikey 2FA (and equivalents) help to solve this.

I didn't lose a single account yet. I have printed backup codes, I have password manager, I have passwords backup in a text file on thumb drive, two copies. I have my domain held by registrar in my country, so I can just visit their office with my ID and talk with them. So I take some reasonable measures to protect myself. But I have no fear of losing those digital assets.

I actually gave a thought about protecting myself by creating a single 100% reliable email and then bind other accounts to that mail. Believe it or not: I didn't find any provider which would satisfy me. My worst case scenario: I'm going to jail for 20 years. Every free provider will delete my account after few years of inactivity. Paid providers usually are small enough so I wouldn't trust them anyway. My current plan is using my own domain with autopayment and enough balance on account. But of course that's not reliable. Registrar might just go bankrupt. And I can't really reserve my domain for 50 years no matter how much money would I pay.

If you registered a gTLD, you're theoretically safe from registrar bankruptcy, or even from a registrar losing all their data for whatever reason. Per the ICANN agreement, the registrars have to send a copy of their database to a third party escrow agent regularly (where I worked before we sent a differential backup everyday and a full backup once a week). This way, if the registrar cannot assume its role anymore, another registrar takes over.

Note that this is not true for ccTLDs (ie. every 2 character TLD). That's a reason you should prefer gTLDs if you want to prevent a worst case scenario. I usually recommend a .com or .net because Verisign is, in my opinion, the most reliable registry in the world. If you stick with .com/.net, you're safe from any registrar failure, and there's not a single chance that anything happens to the registry.

ccTLDs might have an emergency plan but it will depend on the registry. So if you really want a ccTLD:

- get familiar with the registry and its rules

- do NOT get the ccTLD of a country other than your own. Eligibility rules can change, so you could lose your domain if the registry decides that they now want to only sell to residents. British people lose eligibility over .eu for example, not because a change in eligibility rules, but because of a change in their own status.

- do NOT get the ccTLD of a small country, unless the registry delegates the technical stuff to a reliable registry backend. Small countries have crappy infrastructures, so DNS resolution could get unreliable. This famously happened to Notion.so (so -> Somalia) a little while ago.

Also, check out mxroute.com for SMTP/IMAP needs.

Software 2FA just computes a number based on a secret string. You treat the latter the same way you take care of your passwords. That's why it's best to handle them with your password manager. 2FA over SMS is even less of an issue (except maybe with a broken eSIM chip). Physical methods are a problem, so you have to spend money for a backup.

Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.

Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP

But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.

> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP

But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.

That's why you maintain the knowledge-possession separation at the access to your password manager (file) with a combination of a password and either a key file or hardware key.

If you store your secrets in encrypted files rather than specialized server solutions, it's also easier to separate and store them in different locations.

If you do not understand the purpose 2FA, there are plenty of online resources available.

As I explicitly wrote, you can store secrets in separate places, and if you don't, you still protect yourself against password recovery attacks or interception and add redundancy.

All of these scenarios happened to me, and I'm a fairly normal person.

SMS 2FA leads to these problems.

But A FIDO2/WebAuthn token (yubikey or similar) would help you stay secure and independent from your phone. I agree that yubikey is a bit expensive, but there are alternatives. Token2 seems quite bit cheaper, but depends on shipping: https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2...

I have broken my phone multiple times, but I always stick to SMS 2FA because as long as I keep paying I will get a new SIM card in 2-3 days, and not be locked out, because of a lost or broken device.

Just stick your 2FAs in your password manager, like I do with Bitwarden. I secure it with a Yubikey, but if I lost my house, I would just remove 2FA from it. My bigger concern would be to get cut out, than people somehow guessing my master password.

SMS 2FA is always a terrible idea, homeless or not. It's honestly better to just go 1FA in that case.

- 1st Backup Codes: Store a bunch of 2FA backup codes on a safe location, best not in YOUR home, in case it burns down.

- 2nd SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind, that SMS is also one of the least secure 2FA methods.

- 3rd instead of having your auth codes only on one device, use a service for it like Authy, so you can install it on as much devices as you like, if one dies, it's easy to configure a new one.

Isn't this a common complaint that SMS fallback cannot even be turned off? People say SMS is not secure enough so they switch to something better, but all the services do SMS fallback anyway so what is the point of using the more secure one?

Get a 2FA using QR code or U2F key (not SMS or phone based).

After signing in on the new phone with the new password, you will have to do the same thing. Press try another way until you see send a verification code to your phone number. Then it will text a code to the new phone.

You're also welcome to call me and I will try to help you over the phone.

The people who created this useless and draconian account “protection” system seem to have no clue about the real world.

It feels like it might.

This isn’t counting the productivity that’s lost to actually using the TFA system successfully, which is probably measurable on a population level.

On the other hand if your account is taken over, it could be used to perpetuate scams (which could harm your loved ones if they fall for the scams), it could be used for various things that might hurt your reputation. Or depending on the type of account it might be a stepping stone to get into, I dunno, your bill-paying account for some utility company, which will probably have all your bank account details in there because utilities companies tend to not be super on the ball about that kind of thing.

You should be given the option to opt out of this, have your data E2E encrypted, and if you lose your creds your data loss is on you. But for everyone else, they can then provide ID and get their digital identity and data back (at a very low cost to the service provider, proofing is usually $1-2/request in bulk; if you want to charge the user that cost, that’s palatable).

(corp|customer identity governance and proofing is a component of my work at a fintech)

https://media.fidoalliance.org/wp-content/uploads/2019/02/FI... ("Recommended Account Recovery Practices for FIDO Relying Parties", Page 3)

https://doi.org/10.6028/NIST.SP.800-63a NIST SP 800-63A Enrollment and Identity Proofing

1a) be possible to be disabled or

1b) Offer non-electronic second factors such as paper codes

2) Offer a broad range of options in general, not just phone or even worse only SMS. I can count the services that I can use my Yubikeys with on one hand

3) Be predictable (or at least be configurable like that) by the user and not behave different on weird conditions such as your IP

4) Allow to configure more than just 2 factors. 2 factors are really bad. It should usually be 1 or 3+.

5) It should educate properly about how to use it and also about the risks (e.g. increased change of losing access, especially when certain factors are used)

I think that when identity proofing actually becomes important, we should fully leave private services. That is something too important, so the state should either standardize and enforce it or offer it. Maybe, offering a wide-scale MFA / Auth solution should come with similar restrictions that we have for finance, including the identity proofing fallback your mentioned.

At Google at least, there are people who are responsible for measuring this sort of thing. 2FA adoption reduces overall account loss.

It's why companies don't offer phone support. Or ones that do (like mine) get premium pricing.

At least the market economy and 'capitalism' offers the choice of foregoing on those 'premium' services by enabling me to run my own services on my own hardware connected to the 'net through my own fibre connection. Since 'capitalism' leads to more choice it puts the onus on the individual to choose wisely. For some that choice comes down to paying more for those 'premium' services, for others - like me - it means I do a little more work to be able to run my own things. If I loose access I can get it back, the hardware is right here on the farm after all. I have 2FA enabled on a number of services to protect against leaked passwords but since everything is run in-house I can always get back access if I for some reason lost (access to) my devices and backup codes.

This is a win for 'capitalism' as far as I'm concerned no matter which way you turn it - those who want to be served can get served, those who want to serve themselves can do so. You do need to make a conscious decision on what side of the divide - pay and be served or do the work to serve yourself - you want to be on since the space in between can be treacherous to navigate. You also do need to react if a supplier does not keep to its end of the bargain if the system is to work. For the likes of Google/Microsoft/Facemetabook/Apple/etc. this means you should avoid them if possible in any way and if not, make sure you have a way out if they start acting up.

MFA is the best mechanism to stop hackers from constantly hacking everyone. Without it everyone would be getting brute forced 24/7.

Now I can't just use KeepassXC to get into Google anymore, I have to use my phone. The problem that the OP points out provides very real and poignant evidence that this is not only annoying but dangerous.

What is it that companies have against totp? It's starting to get obnoxious. I want to use it everywhere but some companies have stopped honoring it.

I also use KeePassXC and have had phone issues in the past, so I hate relying on my phone for anything important (it's also just not as convenient as copy/pasting from KeePassXC).

It isn't useful for tracking since it is private.

If you're going to use a resistor use something like 100 Ohm, that way you will still be able to see some effect of your action before Christmas and if you have access to a volt meter connect it parallel to the battery to see what's going on. As for the 4.2V, that's a single cell, some phones/tablets will have a couple of those in series so you can't assume that you'll find anything up to 4.2V at the battery terminals, checking that should be your first stop before attempting any of this.

Right, so why don't you believe that? A lot of people have lost their only second factor in the past. That's what the recovery flow is there for.

Why not at least wait that amount of time first before escalating to using HN as a support forum?

> Google is convinced I'm trying to break into my own accounts

That's like saying that the front door is convinced you're trying to break into your house, if you try the wrong key. First, it's not useful to anthropomorphize companies and systems like that. Second, "convinced" implies certainty. Of course there is no certainty that these attempts are coming from an attacker. They're even unlikely to. But for 2FA to be a useful security product, it needs to be predictable. It cannot be that there's a button that says "I've lost my phone and need access to this account right now", even if such a button would be very useful to legit users, because obviously attackers could click on that as well.

And that's why the 72 hour wait. If it's an attacker, the legit user will be notified and can reject the recovery attempt. If it's the legit user who really doesn't have access to the account any more, then the passage of time acts as additional proof of this.

How is that in any way comparable, your house is not a digital "thing" that exists on some megacorporation's servers and is completely inaccessible to anyone by any means except via being allowed in by the corporation in question.

Wanted to say exactly that - just wait for that amount of time. Had to help recover from successful phishing attack and deal with 24h recovery process and they DID send the link.

I am moving to iCloud, the setup is better than gmail in my opinion. I am not sure if I can get my digital game library back, and many other accounts. I will try to recover my gmail account once a week, and hopefully something can happen. But as far as what I read from internet, people have been locked out their email account for years, and no one cares.

Please do not treat them this way. They do not grant access to your account. Print many copies of your recovery codes and spread them around. Wallet, home, car, parents' house, etc. It doesn't matter if they get stolen or whatever, again they don't grant access to your account, and they can be revoked at any time.

I know that educating people about this is not a scalable solution to the problem of people getting locked out of their accounts. But maybe it could help you, reader of this comment, if you someday need recovery codes.

Can you expand on that? Once I have such code, what’s stopping me from “stealing” the account?

Treating printed paper codes as "widely known" and effectively useless simply because they could theoretically be stolen is silly. In a reasonable threat model for almost all people, the intersection of the set of threats that might get access to printed paper codes and the set of threats that might hack/phish your password is very small. The vast majority of threats are still protected against, while the very real possibility of being locked out of your account is drastically reduced. It's a good trade for almost everyone.

1. System reports "print out these recovery codes and deposit them in multiple places so you will never lose access to your account". User John Doe posts his security codes on his Facebook page and gets hacked.

2. System reports "print out these security codes and store them in a safe place". User prints them out and stores them in a drawer, but his house burns down and the user loses access forever.

Both scenarios are shitty, but I think 1 is more likely.

Of course, you could write a detailed guideline on where to store your codes, and that you should share them with some trusted people but not everyone etc. But who's gonna read that?

People who understand security already take threat models into account, but those who don't need very simple guidelines.

"Ask HN: How to Recover Gmail Account"

https://news.ycombinator.com/item?id=33850676

If I worked in tech I'd offer you access to a solution but this is all I've got. I hope this problem doesn't last long for you.

Sadly, even many google employees's spouses lost account with no recourse.

Lets say you are employed in US embassy in Kabul - you just think you could issue visas out of your sympathy. (i.e) FAANG has become as large as govt.

Yes, I know 2FA is more secure, but sometimes, I just don't care that much.

The paternalism is getting more real on the web everyday.

I get around their phone number prompts by hitting the back button and trying the login again. Sometimes I get an option to add it later so I click that. So far, I have had no problems accessing my google accounts with nothing more than a fake.name_@_gmail.com identity. The names really are pretty close to that. LOL I always login in a new window with no other tabs open and delete cookies as I close the window (Firefox). It's like a brand new world every time.

Saving access to my ability to keep putting out info via the URLs in question is the thing that concerns me (with regards to my blogs per se -- a much bigger concern is keeping my phone number and email address). Migrating the content elsewhere is a huge pain. I've done it before and it sucks and I have so little traction in terms of traffic and income, I'm not sure it is worth it to me though I think it's important information and would be a shame to just abandon my projects.

Maybe this is the universe's way of telling me to stop tilting at windmills and stop believing that someday my work will be recognized as valuable. I don't know where to go from here if it all melts down, but given my inability to get taken seriously or monetize my work, perhaps letting it all die is the better answer. It's gotten me nothing but grief so far.

I'm sorry this isn't a more grateful answer. I wish things were not like this and I'm pretty stressed out.

I nearly had the same issue. My phone died and I couldn't get my new phone on Google Fi without receiving a text message but I couldn't get text messages until I was on Google Fi. My backup codes saved me.

I did buy a wireless charger to try to resolve the issue with the dead phone. After I bought it, we thought to look up the make and model of both phones. Neither of them can be charged that way.

So lesson learned: Look up such info first. If you need to help someone, keep that in mind and actually tell them (and make sure they got the memo -- if someone said this here, I didn't notice), especially if money is tight, they live without a car and/or are handicapped such that small errands and small expenses can be a painful burden.

I'm still nervous that this may not actually be resolved. One detail is not working and I suspect I know why and I think it will likely be resolved tomorrow (crosses fingers), but I said I would update when I had news, so that's what I'm doing.

(Posted from my phone.)

Google just paternalistically chooses which device they think should be your most trusted one, and then insists that you produce it. No consent, no concern for your actual security model, just pure snake oil that tech-rubes eat up as "2fA sEcUrItY". Any damn time I want to use a Google account from a desktop browser, I get the same rigamarole of having to unearth some discharged tablet and wait for it to charge, just to jump through their nonsense. I shudder to think what would happen if I took the obvious remedy and just removed those devices from my account.

1. Most probably you will need help of someone who knows a little about technology. Maybe you can ask someone you know or pay them by helping (time for time).

2. Since you said in a comment that you have poor eyesight, let someone with a magnifying glass check if the usb port on your old phone is simply clogged up. This is quite likely to be part of the issue.

3. Try different usb cables and charging ports, ideally one that you can verify that works by testing on another device (for example the new phone). These things break all the time.

4. Try carefully wiggling the usb jack while the charger is connected and it should be charging if nothing was broken. The goal here is to find a position where the phone gets charged at least for a bit. Also note: If the phone is off it might take several seconds before the phone indicates that it is actually charging. This is fidgety but could resolve your problem quickly and easily.

5. If the phone has wireless charging you can go to star bucks or restaurants, some provide wireless chargers. You might get some charging done and resolve this.

6. [Technical person needed] You can order a battery replacement (also search on craigslist). If your phone is not too new/fancy this should be very cheap. Then the technical person can swap the batteries and try charging the old phone again. If the old phone then works you can sell it and get a little money back :)

7. [Technical person needed] Depending on your exact phone (the old one) you could search craigslist for a broken one where the screen is damaged but the phone otherwise works (these should be very cheap). You can then charge this phone and and let the technical person swap the battery, same as above.

8. Repair shops: Since your problem (the part that the phone is not charging) is quite common, repair shops might have even more possible solutions. I don't know about the US but in europe many of those are very affordable, especially small ones.

9. Can you tell us the manufacturer and model of your old/broken phone? It's not unlikely that someone on HN has the some model or a battery replacement lying around and you can pick it up or pay for shipping or they might even pay for shipping it to you.