This is my nightmare. This is why I refuse to use 2FA. (Except on services that require it, and I wish they didn't require it.)
Am I worried about getting hacked? Absolutely! But when I weigh the likelihood of (1) someone else getting into my account without 2FA and (2) locking myself out of my own account with 2FA, the latter seems much more likely!
I understand how backup codes work. I promise you I will lose them.
I'm seriously medically handicapped and have terrible eyesight issues. I typed the wrong password at first.
I still had 1 percent power on my phone earlier and was previously able to get a code on it and I hoped I could get one last code before it outright died, so I said "Yeah, sure, send it to my phone" since they don't really want to do it another way.
So then I had to ask another way when I couldn't get to it because that is when the phone gave up the ghost for good. And then they said "We shall send you a link in 24 hours." So I moved the sim card and got text messages saying "Was this you?" and I said "Yeah, it was." and cancelled my "account recovery process" and tried to continue setting up my new phone because the old one is dead.
And this is when Google decided I must be a for serious criminal and told me "We shall send you an email in 72 hours."
I think you should take your phone to a store which can fix your phone. Google's code doesn't come as an SMS, it comes as a notification from the Google app. Almost lost an account to this last week. Turned off 2FA.
On the off chance it helps, because I don't see anyone else mentioning it: could it be that your charging port is stuffed with lint? If you have a thin needle, try to poke inside and see how much material you can get out of the port.
Despite this being a common problem, it's not well recognized, and it's easy to forget about it too. I went through several charging cables and almost replaced my phone half a year ago, before I remembered - and sure enough, all my charging issues were caused by a layer of lint at the back of the port, that got compacted by the charging cable so well that it formed a flat "false wall". I forgot all about it, even though I've performed the exact same fix on other people's devices in the past.
Hope it helps; if not, I apologize for wasting your time.
This has happened to me at least twice and it’s taken too long to realise each time. Further, even if you think you’ve cleaned it, it can need more. I’ve had to scrape away at it before it will charge, and even then sometimes only at an angle or with a book resting on the cable/connection. Given it’s not OP’s issue, hopefully these posts help someone else.
Sorry to hear about your situation. We really need to host our own email or utilize a paid service, but it becomes cumbersome and expensive. I'm not sure what the solution to this is.
How much are you paying for this service you need Google to fix? I ask because with their paid email products there are a fair number of routes to get help: your admin, then if that doesn't work you can go up the chain... If you are on a free account you may not be (individually) worth a ton to Google revenue-wise and so support is going to be poor (they have 1.8 billion+ ACTIVE Gmail users I think; if they increase costs by $5/user, that's a $10B expense.)
Does helping you look like potentially helping a hacker take over an account, recognizing that google deals with totally crazy state level attacks? Google faces some significant liability and risk here.
Would you pay Google to make it worth their time to help you? (I actually think this should be an option: if a physical in-person visit + someone's time is what it takes, then Google should have some system for $500 + you get to their office somewhere to recover your account.)
I've had relatives in this situation. If you do know someone at a large institution with an institutional relationship I think you can sometimes get help - I had a relative go this route, wasn't sure if the IT folks there just figured out how to fix / work within google, or could escalate somewhere to get it addressed.
Because google will worry about reps selling access to account resets - they may REALLY lock this stuff down, so even if a rep wanted to help, they may not be able to (insider attacks a big issue again especially state sponsored attacks).
It's pretty tone-deaf to tell someone who's posted about being poor and previously homeless that they should have to pay Google $500 to recover their account.
Honestly to be expected here. I opened up about my own homelessness while being employed in my field of study for over 20 years. I received a bunch of vitriol and downvotes for my honesty. If ever you need a reminder that you are surrounded by "anarcho-capitalists" just scroll through any HN comments field pertaining to the intersection of ethics and the economy.
There's a lot of abstract victim-blaming here re articles etc, and for sure the SV set for the most part is pretty clueless about the real world (though it looks like it's coming for them!).
But people here seem a bit less threatened by very poor individuals actually posting here than in most online places. I know from my own experience that mentioning you're homeless is usually a red rag to a bull. Add that you're an unemployed software developer, and the self-loathing middle class is often very quickly off on a hate-rampage. Less so here, for some reason. Perhaps just because people here are focused on topics of common interest, so if you're a loser (generally hated by the winners, worried that by the grace of providence they might have been you ..), at least you're one of our losers?
HN is a big forum, so you get all kinds here, but it is at least not mod policy to actively encourage membership to target and hate on its poorest members as was done to me elsewhere while I was homeless -- on a forum that gets chatted up an excessive amount as some wonderful online space.
I don’t know all the conditions of your devices, and your accounts, so I don’t know if this will even help. It’s probably too late for this advice and your Google account, but maybe for other accounts. If not you, hopefully someone else who reads this.
Many accounts that support 2FA let you download a few (commonly 10) static codes that don’t change. If you anticipate a situation where you may lose connectivity access like this, it may make sense to download the codes and store them in a physical notebook.
I use Authy (free) for 2FA TOTP and have it set up on my work laptop, my home laptop, and my phone. As long as at least one of those is still good, I should still be able to get in.
I honestly don't know what's going on behind the scenes to know if this is not as secure as it "should" be. But this was my reaction specifically to the non-SMS TOTP 2fa: Wait, if I lose my phone there's literally no way possible to get in? Oh there is, if I have the backup codes... yeah right, you think I can hold on to backup codes? Surely there's something I'm missing, what is everyone else doing here? Oh, everyone else is just hoping they never lose their phone? Really?
> Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA
This exact situation has been such a thorn in my side at my company lately. Does anyone know any way to disable this behavior, even just with Google Workspace accounts?
I had a similarly frustrating issue happen with PayPal, only they were refusing to let me log in with my YubiKey, insisting on SMS. But their phone system couldn't send a message to me by SMS. It errored before it even tried, because I could have gotten a code on that phone if they had actually sent it.
If I've agreed to use and keep track of a very small physical device to access my account, don't be going letting any ol' person who can access my phone number in there!
Many things are designed by roughly the same kind of people in roughly the same area. They are blind to a lot of use cases. Besides, it's a government's mandate to cover edge cases. Businesses only do it when compelled.
They're banking on you upgrading your device before it dies, as opposed to e.g. accidentally dropping it onto pavement and cracking the screen.
Had that happen to me. I was saved by still having the backup codes + having some unholy Tasker + Pebble automations that let me operate the phone without a display, enough to launch AirDroid, use it as remote display/input to enable ADB over WiFi, and then finally use scrcpy over ADB as a remote display/input that doesn't blank out on security screens and in Google Authenticator. Only at this point was I able to transfer all the other TOTP entries in Authenticator to the new device.
Lesson learned: 2FA with TOTP is a responsibility to be taken seriously, despite what security professionals would make you believe.
I've still yet to see a single bit of proof of this outside of claims from people who couldn't bother to do the things you're supposed to do when setting up 2FA. I remain skeptical.
All these claims and not a single screenshot of this scenario. Meanwhile I've been in 4 countries in 8 weeks and Google hasn't bothered me once beyond the normal "tap my yubikey on my keychain".
There’s a fire or gas explosion or earthquake or something, and you need to leave all those behind. What do you do?
> Oh, everyone else is just hoping they never lose their phone? Really?
I would be very, very surprised if that’s not what the vast majority of the population is doing. Many people have a phone as their _only_ computing device, and no printer, and don’t really understand why they should be carrying around scrawled codes in their wallet.
I guess the right answer is that I have the backup codes carefully preserved.... off site! In case of natural disaster. Every time I sign up for a new account, I print out the backup codes, and take them to an off-site secure storage location, which of course I have... somewhere.
There's no way 90%+ of internet users are doing that.
I'm not even going to pretend I have any chance of doing that.
> I have the backup codes carefully preserved.... off site
Yeah f no. Most people just screenshot their backup codes and put it in a Google doc somewhere in plain text, at best. And at worst, they go "what the hell are these codes" and close the window.
Which, security-minded folks would know, is effectively equivalent to just writing passwords down in plain text.
Nobody thought to put even a tiny speck of product management into this system.
Although not as safe as a printout, I keep codes encrypted on a couple of flash drives, one stays in a drawer and one that's always on my person with my keys, yubikey etc. Haven't needed the codes thus far but feels like a decent compromise.
Considering that Authy relies on an SMS OTP for the account creation (and possibly account recovery), I prefer to use something else that provides the benefits of cloud syncing across devices and isn’t tied to a phone number. I understand that SMS OTP is simple for most people to handle (encouraged by many platforms over the years), but I just cannot get past that barrier to choose Authy over something else for personal use.
I'm literally only using it for things that require it (including Heroku and RubyGems). My thinking is: how do I meet this requirement with the least likelihood of later locking myself out forever, and having HN threads blaming and shaming me for not carefully preserving my backup codes in a firesafe crypt?
If someone wants me enough to target Authy with an SMS reroute attack focused on me, they're gonna get me either way. I'm not Ed Snowden here, I'm just a guy trying not to lose his car keys.
But, what's the thing you use that provides the benefits of cloud syncing across devices and isn’t tied to a phone number? For anyone that might be interested, including me if it seems as easy and as idiot-proof. (and free or cheap).
I recently switched my laptop and my phone together, even though I have the same number, I cannot recover my account. SMS is better because even if you lose your phone, you can get a replacement sim card. Only if SMS is enough. In the case of Google accounts, no, it is not enough.
Also, it's kinda like Google corrupted 2FA TOTP's workflow : it should work on any device that implements the right algorithm and secret key. Instead Google sometimes turns it into MFA tied to a specific mobile device.
When that happens, Google asks to confirm with a known mobile device even though I have specifically configured 2FA TOTP since 2012 to be device independent (and I currently use keepassxc or mobile equivalent to generate the totp value). Google subsequently doesn't allow login by any other method and if the required device is lost or broken you lose access.
That just makes it even more likely you'll lose access. If you have 2FA, Google will just ask for your 2FA. If you don't have 2FA, Google will pick some random device you signed in on once ten years ago, and tell you that you can only ever log into your account again if it's from that device.
It seems possible to disable this by manually logging out of all your devices in google account management, then never using them to log into your google account again. I've done that, but the fact that this is the only solution is unbelievably insane.
I understand this view. Unlike every other reply to your comment I am not going to suggest various 2FA schemes that I would invariably screw-up and just add my voice to yours.
2FA might be good for security, but it's also very ableist.
I was able to answer something snarky to you, but then I gave it more thought and realized you're right. Anything beyond a simple password is very complicated when you're dirt poor. Printing is complicated. Having a physical vault is complicated. Buying a yubikey is complicated. Paying for the premium version of a password manager is complicated.
Just like with accessibility on the web, it's so easy to forget about that when you're not in the situation yourself. Thank you
Thanks for a lovely comment. I am privileged myself, which makes it hard for me to see what systems oppress those less fortunate. But I often "peek over the fence" when I deal with my ADHD and face the challenges of renting in a volatile market. I move often, and I forget/lose stuff constantly. I have to laugh when people suggest a physical YubiKey: there is no way I am not going to lose it eventually.
I don't have a lot of sympathy for big tech when it so clearly fails to enfranchise those that need it most.
If you set a strong, long, unique password for every account, your chances of getting the account compromised are just about zero.
2FA is a good thing in most cases, but I do hate how the industry has blindly adopted it as some sort of mantra that you can't exist without. The reality is that if you chose 128+ bit passwords generated out of /dev/random, they cannot be brute-forced within the lifetime of the universe. You might get phished, which is entirely different, but if you're careful about that you'll do fine without 2FA.
Bitwarden will show if I'm not on the right domain. It's not perfect, but a USB key is a nonstarter for me (going back to "I'm more worried about locking myself out than someone else getting in.")
It's simple. If you assume the real possibility of losing your digital account, then act like you'll lose it tomorrow. Adjust your life and move on. I don't care about digital accounts. I switch my main mail and phone every few years just for the sake of it. I avoid buying stuff bound to digital account. My accounts are disposable and have zero value other than nostalgic one.
I didn't lose a single account yet. I have printed backup codes, I have password manager, I have passwords backup in a text file on thumb drive, two copies. I have my domain held by registrar in my country, so I can just visit their office with my ID and talk with them. So I take some reasonable measures to protect myself. But I have no fear of losing those digital assets.
I actually gave some thought to protecting myself by creating a single 100% reliable email and then binding other accounts to that mail. Believe it or not: I didn't find any provider which would satisfy me. My worst case scenario: I'm going to jail for 20 years. Every free provider will delete my account after a few years of inactivity. Paid providers usually are small enough that I wouldn't trust them anyway. My current plan is using my own domain with autopayment and enough balance on the account. But of course that's not reliable. The registrar might just go bankrupt. And I can't really reserve my domain for 50 years no matter how much money I would pay.
> But of course that's not reliable. Registrar might just go bankrupt
If you registered a gTLD, you're theoretically safe from registrar bankruptcy, or even from a registrar losing all their data for whatever reason. Per the ICANN agreement, the registrars have to send a copy of their database to a third party escrow agent regularly (where I worked before we sent a differential backup everyday and a full backup once a week). This way, if the registrar cannot assume its role anymore, another registrar takes over.
Note that this is not true for ccTLDs (i.e. every 2-character TLD). That's a reason you should prefer gTLDs if you want to prevent a worst case scenario. I usually recommend a .com or .net because Verisign is, in my opinion, the most reliable registry in the world. If you stick with .com/.net, you're safe from any registrar failure, and there's not a single chance that anything happens to the registry.
ccTLDs might have an emergency plan but it will depend on the registry. So if you really want a ccTLD:
- get familiar with the registry and its rules
- do NOT get the ccTLD of a country other than your own. Eligibility rules can change, so you could lose your domain if the registry decides that they now want to only sell to residents. British people lost eligibility for .eu, for example, not because of a change in eligibility rules, but because of a change in their own status.
- do NOT get the ccTLD of a small country, unless the registry delegates the technical stuff to a reliable registry backend. Small countries have crappy infrastructures, so DNS resolution could get unreliable. This famously happened to Notion.so (so -> Somalia) a little while ago.
>This is why I will not use 2FA except on services where it is absolutely required
Software 2FA just computes a number based on a secret string. You treat the latter the same way you take care of your passwords. That's why it's best to handle them with your password manager. 2FA over SMS is even less of an issue (except maybe with a broken eSIM chip). Physical methods are a problem, so you have to spend money for a backup.
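The comment above says software 2FA "just computes a number based on a secret string", and an earlier comment in this thread says TOTP should work on any device that implements the right algorithm and holds the same secret. As an added illustration (not code from anyone in this thread, and not the implementation any particular authenticator app uses), here is the standard algorithm, HOTP (RFC 4226) and TOTP (RFC 6238), written out in Python from the standard library only. The base32 secret and the "phone"/"laptop" labels are constructed for the example; the only thing that makes two devices agree is that they share the secret and roughly the same clock.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time, one step per
    `step` seconds. Any device holding the same secret with a correct clock computes
    the same code; no phone number or vendor service is involved."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float = None, step: int = 30,
                digits: int = 6, window: int = 1, algorithm=hashlib.sha1) -> bool:
    """Server-side check: accept the code for the current step and `window` steps on
    either side (tolerates small clock drift), comparing in constant time."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits, algorithm), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret shown in a provisioning QR code / otpauth URI.
    Whitespace and missing '=' padding are tolerated, as most apps do."""
    cleaned = "".join(encoded.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed example secret (not a real account); it is the base32 encoding of
    # b"12345678901234567890", the test secret used in the RFCs.
    base32_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    secret = secret_from_base32(base32_secret)
    now = time.time()
    # Two "devices" that share the secret produce the same code for the same time step.
    print("phone :", totp(secret, now))
    print("laptop:", totp(secret, now))
    print("server accepts:", verify_totp(secret, totp(secret, now), now))
```

Because the whole scheme reduces to `HMAC(secret, floor(time / 30))`, the secret string is the thing to back up; a second authenticator app, a password manager entry, or a printed copy of the base32 string all regenerate identical codes. It also shows why a server that accepts a wide `window` weakens the scheme: every extra step is another code an attacker who observed one could still replay.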
I could store the secret in my password manager if I paid for Bitwarden Premium (and at $10 a year, price isn't really the issue), but then what is even the point? If my password and my secret are stored in the same place then that's really just a single factor, so I'm making the login process more annoying for no reason.
I'd see it as a single point of failure, but not necessarily a single factor. If the password is compromised due to a problem on the application side, they still can't get into your account without the TOTP code.
Of course the threat model is kinda skewed because this case is more applicable when one's reusing passwords or using weak passwords, which shouldn't be happening if you're using a password manager.
Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
> If the password is compromised due to a problem on the application side, they still can't get in to your account without the TOTP code.
But as you say, since I'm using a password manager, this doesn't feel like a legitimate concern. If the application's database leaks, my password is still safe, because no one will crack a randomly generated 20+ character password.
> Maybe a more relevant threat is password gets compromised from a MITM attack, in which case they still don't have access to your TOTP
But they'll have the code, so as long as they use it right away, they can still get into my account and download my data / spam my contacts / whatever.
How many well-formed passwords can and will you remember? How often are you willing to change them afterwards? How secure is your 2FA app? How secure is your device against keylogging? How sure are you no one will watch what you've typed in or when you reveal it to fix a typing error? And so on. It isn't as if there are no issues with the classic way.
That's why you maintain the knowledge-possession separation at the access to your password manager (file) with a combination of a password and either a key file or hardware key.
If you store your secrets in encrypted files rather than specialized server solutions, it's also easier to separate and store them in different locations.
Sorry, I don't understand where you're going with your questions. I do use a password manager (Bitwarden). I do not use 2FA. I don't understand how using so-called 2FA but storing my secrets in the same place as my passwords would make me more secure.
You should reread your own posts. I'm only responding to what you write yourself.
If you do not understand the purpose of 2FA, there are plenty of online resources available.
As I explicitly wrote, you can store secrets in separate places, and if you don't, you still protect yourself against password recovery attacks or interception and add redundancy.
Really 2FA is just a complex way to give users a strong unique password. Everything else about it is security theatre (e.g. why do you care about your password and secret stored in the same place, when your session cookie is just stored in one place and all the attacker needs)
SMS is a much bigger issue if you are in another country, temporarily lose access to your phone, or work in a building without phone reception. It's prone to SIM swaps and could be intercepted by other apps on your phone. It requires having a fixed, serviced phone number, which people don't always have: children, homeless people and recent immigrants might struggle with that.
All of these scenarios happened to me, and I'm a fairly normal person.
But a FIDO2/WebAuthn token (YubiKey or similar) would help you stay secure and independent from your phone. I agree that a YubiKey is a bit expensive, but there are alternatives. Token2 seems quite a bit cheaper, but depends on shipping: https://www.token2.com/shop/product/token2-t2f2-fido2-and-u2...
I have broken my phone multiple times, but I always stick to SMS 2FA because as long as I keep paying I will get a new SIM card in 2-3 days, and not be locked out because of a lost or broken device.
I would avoid a Yubikey if I were homeless and someone could steal it or I could lose it.
Just stick your 2FAs in your password manager, like I do with Bitwarden. I secure it with a Yubikey, but if I lost my house, I would just remove 2FA from it. My bigger concern would be to get cut out, than people somehow guessing my master password.
SMS 2FA is always a terrible idea, homeless or not. It's honestly better to just go 1FA in that case.
There are redundancy systems to avoid getting locked out of 2FA.
- 1st, backup codes: store a bunch of 2FA backup codes in a safe location, best not in YOUR home, in case it burns down.
- 2nd, SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind that SMS is also one of the least secure 2FA methods.
- 3rd, instead of having your auth codes only on one device, use a service for it like Authy, so you can install it on as many devices as you like; if one dies, it's easy to configure a new one.
> - 2nd SMS verification: some services offer you a fallback to SMS in case you don't have your 2FA device with you. But keep in mind, that SMS is also one of the least secure 2FA methods.
Isn't this a common complaint that SMS fallback cannot even be turned off? People say SMS is not secure enough so they switch to something better, but all the services do SMS fallback anyway so what is the point of using the more secure one?
I carefully store backup codes on my Bitwarden vault so I know where to find them. Also, I use Yubikeys for 2FA, those are reliable enough and you don’t need to rely on phones that could break.
GitHub is extremely insistent on sending me a 2FA push notification on the mobile app every time I want to connect to the desktop. I find it very annoying because I configured TOTP-based 2FA and do not want to rely on any proprietary 2FA mechanism. I just can't seem to make it understand that I want to use my TOTP tokens and only that.