Right, so why don't you believe that? A lot of people have lost their only second factor in the past. That's what the recovery flow is there for.
Why not at least wait that amount of time first before escalating to using HN as a support forum?
> Google is convinced I'm trying to break into my own accounts
That's like saying that the front door is convinced you're trying to break into your house, if you try the wrong key. First, it's not useful to anthropomorphize companies and systems like that. Second, "convinced" implies certainty. Of course there is no certainty that these attempts are coming from an attacker. They're even unlikely to. But for 2FA to be a useful security product, it needs to be predictable. It cannot be that there's a button that says "I've lost my phone and need access to this account right now", even if such a button would be very useful to legit users, because obviously attackers could click on that as well.
And that's why the 72 hour wait. If it's an attacker, the legit user will be notified and can reject the recovery attempt. If it's the legit user who really doesn't have access to the account any more, then the passage of time acts as additional proof of this.
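The delayed-recovery flow described in the comment above, sketched as an added example that is not part of the original thread and not Google's implementation: a recovery request notifies the owner, can be vetoed, and is granted only once the hold has elapsed. The class and function names, the notification channels and the timestamps are assumptions constructed for illustration; the 72-hour figure is the one quoted in the comment.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

HOLD = timedelta(hours=72)  # wait quoted in the comment above


class State(Enum):
    PENDING = "pending"
    REJECTED = "rejected"
    GRANTED = "granted"


@dataclass
class RecoveryRequest:  # hypothetical model, not a real API
    account: str
    opened_at: datetime
    state: State = State.PENDING
    notified: list = field(default_factory=list)

    def notify_owner(self, channels):
        # Alert every channel the legitimate owner may still control.
        self.notified = [f"{c}: recovery requested for {self.account}" for c in channels]
        return self.notified

    def reject(self):
        # The owner can veto at any point before access is granted.
        if self.state is State.PENDING:
            self.state = State.REJECTED
        return self.state

    def complete(self, now):
        # Nothing shortens the hold: the requester's urgency is not evidence.
        if self.state is State.PENDING and now - self.opened_at >= HOLD:
            self.state = State.GRANTED
        return self.state


def simulate(owner_rejects=False, claim_after=timedelta(hours=72)):
    """Constructed scenario: request opened at t0, optional owner veto, then a claim."""
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed timestamp
    req = RecoveryRequest("user@example.com", t0)
    req.notify_owner(["backup email", "signed-in devices"])
    if owner_rejects:
        req.reject()
    return req.complete(t0 + claim_after)
```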
> That's like saying that the front door is convinced you're trying to break into your house, if you try the wrong key.
How is that in any way comparable? Your house is not a digital "thing" that exists on some megacorporation's servers and is completely inaccessible to anyone by any means except via being allowed in by the corporation in question.
Wanted to say exactly that - just wait for that amount of time. Had to help recover from a successful phishing attack and deal with the 24h recovery process, and they DID send the link.