> Google has, in some cases, started requiring auth codes sent to specific devices, even if you're already using your own configured TOTP 2FA
This exact situation has been such a thorn in my side at my company lately. Does anyone know any way to disable this behavior, even just with Google Workspace accounts?
I had a similarly frustrating issue happen with PayPal, only they were refusing to let me log in with my YubiKey, insisting on SMS. But their phone system couldn't send a message to me by SMS. It errored before it even tried, because I could have gotten a code on that phone if they had actually sent it.
If I've agreed to use and keep track of a very small physical device to access my account, don't be going letting any ol' person who can access my phone number in there!
Many things are designed by roughly the same kind of people in roughly the same area. They are blind to a lot of use cases. Besides, it's a government's mandate to cover edge cases. Businesses only do it when compelled.
They're banking on you upgrading your device before it dies, as opposed to e.g. accidentally dropping it onto pavement and cracking the screen.
Had that happen to me, I was saved by still having the backup codes + having some unholy Tasker + Pebble automations that let me operate the phone without display - enough to launch AirDroid, use it as remote display/input to enable ADB over WiFi, and then finally use scrcpy over ADB as a remote display/input that doesn't blank out on security screens and in Google Authenticator. Only at this point was I able to transfer all the other TOTP entries in Authenticator to the new device.
Lesson learned: 2FA with TOTP is a responsibility to be taken seriously, despite what security professionals would make you believe.
I've still yet to see a single bit of proof of this outside of claims from people who couldn't bother to do the things you're supposed to do when setting up 2FA. I remain skeptical.
All these claims and not a single screenshot of this scenario. Meanwhile I've been in 4 countries in 8 weeks and Google hasn't bothered me once beyond the normal "tap my yubikey on my keychain".