G Suite Doesn't Let You Contact Support Until Logged In. Locked Out = Stuck
465 points by HelloThur 11 months ago | 135 comments
I know my password for google suite admin (paid), but they have locked me out due to a suspicious login.

Google have locked me out with the following message:

"We detected an unusual sign-in attempt. To make sure that someone else isn't trying to access your account, your organization needs you to sign in using your corporate mobile device (the phone or tablet you normally use to access your corporate account).

If you don’t have your corporate mobile device with you right now, try again later when you have your corporate mobile device with you. If you continue to have problems signing in, contact your administrator. Learn more

Go back & use your corporate mobile device"

I am unable to get back in:

* Google support doesn't work if you are logged out

* I have no primary mobile or corporate device to complete the above step on.

What does Google expect customers to do here?

>What does Google expect customers to do here?


To the OP (HelloThur), this is the answer to your most immediate question. I found it here: https://news.ycombinator.com/item?id=17120223

> Greetings. This is Alex Diacre here from G Suite Support. This has been flagged for my team and we’re looking into it. If any G Suite customer has trouble accessing their account they can always contact Google Cloud Support here: https://support.google.com/a/contact/admin_no_access (this is a special form to use when you cannot access any admin account)

There's a similar url, but with different form fields, here: https://support.google.com/a/contact/recovery_form

And various forms of "googling" for where to go aren't super helpful.

That’s a url worth copying into a password manager...

Just to be clear, OP is factually incorrect. You can contact support using the above link if you are locked out.

Source: worked on the G Suite Support team for several years.

This is pedantic in the worst possible way. If you make it impossible to find that link, then it's as if it wasn't there.

It seems this link should be mentioned in the email the OP got.

If you can't find the link, you lose admin privileges. It's a test of merit.

This kind of thinking on behalf of Googlers is why every professional on earth thinks Google's customer support is shamefully terrible.

Practically, he's correct.

Google offered no such remedy in the reply detailing his options.

Umm, this link seems to take you to an account recovery form (I haven't tried putting in my account details, but it straight up asks for a username/phone)

I had this same issue with CloudFlare. Lost access to my email account. Had my CloudFlare username + password, but CloudFlare insisted that I verify with my email since I was trying to log in from a new IP (it wasn't a new IP, but maybe they time out after a few months?).

No way to make progress. Can't use support if you don't have an account. Tried making a separate account, so I could at least open tickets. Their ticketing system keeps closing my tickets before the issue is resolved, and it closes them as "resolved". The worst part is that I actually have both the correct username and password for the account, and I have admin access over every single domain associated with that account (via namecheap). Should be easy to prove that I'm the authentic owner of this account.

Happily using Route53 now. Still haven't figured out how to turn off the CloudFlare billing.

I had a similar experience. I like making distribution lists with the company name, so cloudflare@domain.com. I suspect something in their system thinks these are test emails and I could never receive any email. I couldn't verify my email and I couldn't log in to contact support. I eventually emailed them, but they basically responded to log in and get support, which was never going to happen since I wasn't receiving emails from them. Sad thing for Cloudflare, I was representing a large client that was exploring an enterprise contract but I could never get an account set up and verified to evaluate Cloudflare.

I do the same with a domain catchall, and I've received emails from Cloudflare just fine.

Then again, if there were emails I've not been getting from them, I would be none the wiser.

I wouldn't be surprised if many people do username+cloudflare@gmail.com, so excluding it outright would be really silly.

If you file a chargeback, it should turn off billing forever (because you'd get banned).

God bless chargebacks.

So many worthless carcinogenic corporate behemoths are hating this, and the only thing they can retaliate with is the "ban". Lol. Blow me.

That said - sometimes it's better to swallow the occasional bad service vs. filing a chargeback. For example if Uber "adjusts" your past trip for a couple bucks not in your favor - it may be better to just absorb this, otherwise filing a chargeback because of $8 will get you inconveniently banned.

I too had the same issue with CloudFlare. The solution was to email support@cloudflare.com. You won't find this address on their website unless you're logged in.

I've definitely had zero luck emailing this address, tried for over a week. They tell you to log in and then they close the ticket.

Google isn't the only one.

Somebody must have used my domain to sign up for a Microsoft Teams something for some reason and NOBODY in my company can find out who or how. Microsoft is absolutely unhelpful in this regard, trying to activate our domain for Office Teams or whatever. Microsoft says it's for "security" reasons; but as CIO of a 50+ person org I should have some override on that in the event of erroneous signups.

I don't even need to access old content because none of us has used the service at all. Just delete the old domain. For all I know it was a troll signup.

I've since just forced my team to use Google Docs/Sheets because Microsoft is being so unhelpful that they won't even let us give them money, lol.

We had this problem with O365 a few years ago. Someone had signed up using our company domain and it created a mountain of heartache. If I recall correctly we had to make a second domain our primary and then set up aliases for everything.

It's still not well supported for "external" takeover but it's disappointing that your support queue didn't point you to the docs on this. Per below though, if someone made it "managed" through DNS verification, yeah, that's hard.

Keywords to search in this scenario "viral admin takeover AAD"

To be honest, the alternative is someone being able to delete your organization on Teams.

I kinda wish you could do like google analytics makes you do to validate your URL (add a DNS record)

You can, the whole point is verifying the domain in O365 by modifying the PTR record and CNAME so that the o365 panel will see it is yours.

Support should've been able to remove it, I know I was able to do it on escalation cases when I was on Fast Track.

I know that the "ambassadors" are really next to worthless, and if you do not have premier or a TAM on your account, you are really SOL on O365/M365/Microsoft products. You need to email the ambassadors' managers, continually, and then go up the ladder, if need be, to the product manager of that support team and just keep doing it.

It really sucks.

But the reason you couldn't add your domain is 99% most likely someone added and verified it. There are tools on the backend (easiest is Viewpoint) and then billing (CMAT) that can verify if the domain is added.

Having been an administrator for a Google business account in the past (and not a small one either) I can state from experience that if your problem doesn't have something to do with advertising or search, you are a distant (incredibly distant) third on Google's priorities. And search is a pretty distant second from advertising. Google is majority an ad company, that's what motivates them and it shows in their lackluster customer service for anything that isn't advertising.

Rely on them at your peril. They have slick products as long as they work but good luck if something goes sideways.

As a counterpoint: I’ve found the GCP paid support to be excellent, but that’s when spending thousands to millions of dollars a month.

(Although the $150/month option was also very good when I used it.)

Indeed, I've found GCP support to be excellent. And honestly, even Google One support over the phone has been pretty decent quality.

I have a G Suite account and GCP account that I barely spend, and I've always had an excellent experience with their support as long as they could solve the problem. The only time I grew frustrated had to do with Google Music and their support didn't have any answers or solutions at that time.

Google auth UX is quite hostile. For example, if your group admin enables 2A requirement, you can't log in if your account doesn't already have 2A, and you can't set up 2A if you are not logged in, of course. So the workflow goes like this: enable 2A requirement. Wait for people to scream, disable 2A, let them log in and hopefully enable 2A. Enable again, let the next group of people whose sessions by now expired discover they can't log in, disable. Etc. until hopefully everybody enables it. That seems to be the officially endorsed process: https://support.google.com/a/thread/6090262

Sane approach would be to let people log in and immediately require them to set up 2A and then continue with their logged in lives, but I guess that was too hard.

If your org is small, you can run a report to see who hasn't enabled 2FA and then yell at them. They made it better for new users a while ago (you can now configure a grace period), but I don't know/remember if this helps for existing users. If you've got users you can't cut off who don't set up 2FA, then you need to make an exception group. You can run automation to send nag emails if there's people in it, etc.

But then don't merge with another company with g suite, cause merging accounts isn't supported and you'll have a mess.

we're getting to the point where the only reasonable answer is to regulate this, as the tech giants have well demonstrated that their only concern is to do the bare minimum trust & safety work that's beneficial to their business. users are an afterthought at best.

if you provide identity services to more than 100k people or w/e, you need to have a defined dispute process, served by humans with the power to do shit, with legal recourse in the event that they fail to do so. the "run a flag up the pole on social media, hope you're important enough or friends with the right set of people if you want shit done" approach is terrible.

the inevitable "but that will be vulnerable to fraudsters" backlash is stupid--the existing systems are too; fraud prevention and such isn't something you can ever do perfectly, since it's inherently adversarial. the problem we have now is that EVERYONE is treated as if they're a mastermind professional fraud network from the outset, and this does seemingly little to prevent actual bad actors. Twitter's trust and safety team is an even more egregious example, where they very effectively and immediately suspended my attempt to create a single parody account, immediately suspended it again after unsuspending it, and said any future attempts to reach them would be blackholed because the first unsuspend request was still open (there's, of course, no way to see that ticket or respond to it--all you get are email notifications stating that the reply-to discards all inbound mail). this, of course, does seemingly nothing to deal with actual bot networks, since those are run by sophisticated actors who've figured out how to game the system.

something like Estonia's digital ID system is perhaps best, with, importantly, built-in protection against tracking: I should be able to generate an ID that a company can verify, but all they should be able to glean from that is that I have an ID and that I've authorized X other IDs for that company--it shouldn't be something that's traceable back to who I actually am or trace my actions across companies, which is very much not the case (and is something companies very obviously take advantage of for adtech purposes) for the de facto standard of using mobile phone numbers.

I agree; there's no way any of this will be resolved in our favor without regulatory intervention. There's no profit motive for service providers to get this right and businesses have very effectively insulated themselves from existing dispute resolution mechanisms such as chargebacks, and in the US, litigation.

Would you be ok if this law allowed a company to charge for the support request? Like, $50 to have a human review your dispute?

Allowing companies to charge their customers $50 to resolve account access issues would only give companies an incentive to make 'mistakes' so they can earn $50 by spending a few minutes 'fixing' the error.

Customers shouldn't be billed to fix mistakes that aren't their fault. In a functioning market, money is supposed to flow away from faults, not towards them.

You miss the point entirely.

Currently because the volume of bogus support requests is so enormously high, and the fraud attempts also very high - the cost to properly do something like handle account lockout requests properly (on the scale of billions of users) would be EXTREMELY high.

Google is actually pretty clear for consumer accounts, if you lock yourself out your content is lost and they suggest setting up a new account.

Cell phone companies do handle this, you can do things like sim swaps etc with a real person - but you are usually paying $50 - $100 per MONTH with them. And even there plenty of folks have complained of having 2FA codes stolen as a result of this convenience.

If they could charge $50 or $100 to provide paid support (a situation that is actually very COMMON at the enterprise level) for at least some people this will be worth doing. Then the business case is there to staff / resource etc the fix.

Currently, with youtube / gmail etc, the revenue per user is so low it will NEVER make economic sense to have humans dealing with an account.

But keep on banning paid support and you'll keep on getting no support.

Access to online services, ranging from email to AWS, is now a vital component of contemporary life. Email is no longer a toy and losing access to a key email account can cause emotional hardship and severe financial losses. Access to paid online business services, such as Google advertising and cloud computing, is a vital component of modern business. Loss of access to these services will lead to severe financial losses and can lead to complete destruction of businesses.

It is unacceptable for service providers to damage people's livelihoods because the account in question is free or is used by a small business that doesn't spend >10k$ a month.

It is not reasonable to demand that customers pay $50 a month to protect themselves against capricious account closures. That is merely another way of a service provider saying 'nice email account you've got there, it would be a shame if something happened to it.' That's called extortion or even racketeering.

Alphabet's net profit for 2019 was $34 billion USD. They can afford to treat their customers' financial interests with respect, and if Alphabet won't do that voluntarily, then it's time for governments to force them to.

> Google is actually pretty clear for consumer accounts, if you lock yourself out your content is lost and they suggest setting up a new account.

What if they lock you out? You make it sound like it's some transparent and easy to understand process based on publicly available rules, and it's just user violating some obvious documented rule, therefore locking himself out.

But maybe you just travel to africa for the first time, and they just decide that now you can't login, because "suspicious activity". Bye.

If they wish to reduce support costs, one other way is to make the service better and more predictable. Maybe add a checkbox to opt out of this "you're too stupid to keep your credentials safe" banning system, or something like that.

> Currently, with youtube / gmail etc, the revenue per user is so low it will NEVER make economic sense to have humans dealing with an account.

Google made over $6 billion in profit in one quarter this year. YouTube had revenue over $5 billion in one quarter. They announced a $25 billion stock buyback.

Google doesn't offer support because they choose not to.

I work in a similar space and it is significantly complex and expensive to do this.

Back of the napkin math:

* Let's say on average customers contact Google support once a year for each product they use. That's 0.25 tickets per user per quarter.

* Consider Google has ~10 billion monthly product-user combinations (9 products have 1B+, most have significantly more). That is 2.5M tickets/support requests a quarter. ~28M tickets a day.

* If we consider an average ticket takes ~3 mins to resolve, that's ~155k hours a day.

* If we take an employee being productive for 7 hours a day, that's 22k employees.

* If you take a 1:10 ratio, that is 2205, 220 and 22 - 1st, 2nd and 3rd line managers.

* Take the cost to be an average of 30k, 60k, 150k and 300k for each of those layers, that's ($661, $132M, $33M, $6.6M), which totals to ~$833M per quarter.

* The real world costs for this will probably be anywhere between 2X to 3X of this because all of these people come with other costs like infrastructure, tooling, space, etc. So we are looking at ~$1.7B to $2.5B.

One might be tempted to say that money can be saved vs my estimates but keep in mind the challenges of localization, time zones, compliance etc is also significant and will probably mean an even larger expense.

So yeah, it would be ~40% of the quarterly profit.

Sure this is an expense so tax etc can be changed but my argument would be that we are severely underestimating the complexity and challenge at each step.

So yes, I do think it will never make economic sense unless you are on the platform with sufficiently high spend. Just like every single other economic system we have out there.

The context here is providing support to unlock accounts that have been wrongfully closed. The number of support incidents per user per year for this specific problem is likely to be at least one order of magnitude lower than one incident per year. Using your estimates as a base, the cost of this service would be no more than 250 million.

For Google, as a company that has recorded a yearly net profit of over $35 billion, this is chump change. The fact that they could afford to offer some customer service regarding such a critical issue as restoring access to lost accounts, yet choose not to, smacks of corporate entitlement.

> it would be ~40% of the quarterly profit

Another way to look at it is as just the cost to make that remaining profit, and that the cost has been externalized so far.

If people had utterly insisted on decent customer support from day one, companies like Google would have found a way to grow as big as they can while still providing support.

Then maybe don’t build your business on a model that makes it impossible to do the right thing for your users.

Maybe don't try to impose your preferences on other people; a lot of people would rather have a free service with no support than pay for support. It seems incredibly entitled to expect more from a service you're paying nothing for.

I know it's not a popular opinion but as someone who comes from a non-western-rich country Google's business model is amazing for what it offers. Do they mess up a lot, for sure. But overall the fact that they can use capital expenses from big markets to deliver things globally has been positive for most people I know.

That aside, the business model has established that you can get great service if you spend $xM+ or $xxM+ per month (whatever the number is) - it's just that we expect the same for a much lower cost.

> I work in a similar space and it is significantly complex and expensive to do this.

Hmmm. Could have sworn Google promotes itself as being "best in class" at solving complex problems. ;)

Haha.. that is true. Guess they are not "best in class" for this one. That being said, I do genuinely wonder if there are any companies which have managed to do customer service at such a scale. Amazon is probably the closest but that is different because the average revenue per user is >> that of Google.

Along those lines, possibly the more constructive way to view it is:

  Google has the scale of, and is acting like, a utility.
  eg power, water, gas.

  But without a legal obligation to fix problems for their
  users, they don't even attempt to.

The "But it costs people $0!" is correct, if it's that's not thought through.

In its position as a utility, some people have (perhaps unwisely) managed to lock themselves out of a (critical) personal account.

With the corresponding problems that then occur when any other utility stops working.

The suggestion to allow people to pay for support in some situations - eg like those locked out of a critical personal account - would be one approach to solve the problem.

Because at the moment, these people have no recourse. :(

Which when it happens with any other utility, becomes a legal problem. eg Customer contacts relevant Ombudsman / gov oversight body to get it rectified

I was thinking about for free services... having to provide free human support for free services is going to make it impossible to support any free service.

They would actually provide support? That's amazing! Right now, the solution is to contact them through social media campaigns and hope the right people step in to fix.

$50 could be steep for many and trivial for others, but that's a different discussion.

How about I deposit $50, if they agree it's their fault, they give me the $50 back and fix it. If they don't agree it's their fault, they keep the $50 and fix it. If they don't agree there's a problem, I get $40 back.

If they keep my $50 and I still think they're wrong, an appeal process is available, etc.

Good idea! Or something nearby / a bit similar.

Sort of an insurance, for getting help if locked out

Not sure that would solve it.

Instead forcing companies to provide a free human based support channel for billing- and authentication issues related to paid services is a better option.

I believe it would take most companies very short time to invent working solutions to problems.

Right, I was thinking more for free services (like basic gmail)

Do you really want Google to have your real identity?

Yes, and if they (the company) are wrong, then the customer automatically gets several hundred times the amount.

Curious as to how you come up with the 100k number. (We're in general agreement.)

> What does Google expect customers to do here?

As much as I enjoy bashing Google, I have to admit that Google is far from the only offender in this. I've seen it a number of times.

Even Saint Digital Ocean has a similar problem. If you're not logged in, the only ticket you can submit is that you can't log in.

I ran into this recently because it turns out that DO's help system UI is completely borked in Safari. Type in a topic and click one of the suggestions, and instead of taking you to that topic, it just closes the suggestion list.

The suggestions list has a bunch of carriage return icons, suggesting that you can keyboard through it, but that doesn't work, either. And the system doesn't work on a MacBook Air because it can't deal with anything but massive monitors.

At the bottom of the suggestion list is the suggestion to submit a trouble ticket. But that doesn't work, either.

But what do I expect for $5/month? The last actual Digital Ocean support ticket I put in (a couple of years ago, when the system worked) came back with a very polite reply to the effect of, "You get what you pay for."

Similar issue if you cancel your GSuite account.

I cancelled my account and was still billed for it, but now there's no way to contact support since I don't have an active billing account.

I was debating whether to purchase extra storage for Google Apps email as I am getting close to the 15GB free limit. I decided that I would pay Fastmail instead. I would not want to make my life/business dependent on Google’s whims.

I have heard horror stories about declined credit card payments for things like extra storage or premium YouTube causing people to be locked out of their accounts with no recourse. Due to this, I am afraid to pay Google in case things go wrong, so I use competing services instead.

This is why I refuse to use google for most services. Support is absolute garbage.

> I was debating whether to purchase extra storage for Google Apps email as I am getting close to the 15GB free limit. I decided that I would pay Fastmail instead.

Then you're in luck, because Fastmail's $5/month option has twice as much storage as you're using: 30GB.

I'm such a fastmail cheerleader that I feel like they should comp my account. But I love them.

If you cancelled your account and you were still being charged, did you reach out to your credit card company to let them know about the fraudulent charges? They should be able to block billing on their end, once they contacted Google's billing to verify you cancelled your account.

I'd consider this an absolute method of last resort for any of the large integrated providers like Amazon/Google/etc. There are reports where people have done seemingly legitimate chargebacks and while they get their money back, they also get all their myriad accounts closed that are associated with Amazon and new accounts made with work emails/etc also get closed.

Chargebacks seem to be appropriate when you truly no longer want to do any future business at all with a particular company - it might not be limited to just "G suite" or "GCP", or "AWS" or "Amazon", but the whole conglomeration.

Obviously YMMV, I'm sure people have had divergent experiences with this. I've always personally been able to get things resolved eventually through chat/email/phone, but I trust that not everyone has the same luck I do.

This is a useful litmus test for "is it too big?" trust busting purposes, by the way: if the majority of customers aren't doing chargebacks for the fear of losing access to company's services, then yeah, it's too big.

Brilliant, yet simple.

Was I willing to cut off the New York Times like this when all other means of canceling my subscription failed? Sure! Result: powerful, but not in need of breaking up.

Would I be willing to do this with YouTube, for fear of what it might do to my Gmail account, a service that is seemingly completely unrelated? Good God no, which is one reason I never signed up for a subscription. Result: absolutely needs to be broken up.

Yeah, this seems like the obvious next step. No need to worry about ruining your account's standing if you've already closed it, and the chargeback should hopefully alert someone at Google to look into your status.

Just don't try to use that card number to sign up for any other Google product.

On the other hand, that charge might just be the outstanding balance when you cancelled, so it might be legit.

Yeah that's what's really annoying, I can't contact support to figure out if the charge is legit or not. So I can either eat the cost or file a charge back and potentially deal with a bigger fallout on my other accounts that I have with Google. It's a shitty situation either way.

I wanted to speak to Google Support first and figure it out and make sure I wasn't misunderstanding the charge, but alas I could not contact support without a billing account active, so yes will be contacting my CC company.

Where in the world are you to have banks which promote fraud?

In my country (France) you can call your bank, declare that a fraud is going on and it then becomes their problem.

They will usually issue you a new card and call it a day.

Not necessarily true for this case.

I had a problem with a [very well known US-based bank] credit card where a re-curring monthly charge that I wanted stopped.. wouldn't be stopped by the bank because I had authorized the recurring charge at the outset.

Bank told me to contact the entity charging me, and when I said I couldn't reach them (which was true) and they didn't respond via their support channels, bank said I was SOL.

When I said I no longer authorized these charges, bank said I was SOL.

For a $10/monthly recurring charge, the bank wouldn't help me. So I used the same call to close all my bank accounts & credit card and moved my savings account funds to another bank account.

Bank still wouldn't do anything about that recurring charge.

I don't know where you live but there is likely a regulator you can file an official complaint with. Not only would this cost the bank thousands of dollars to deal with, they would quickly fix your issue.

In France this is not possible - you usually have a button on the bank web page to stop your authorized charges on the spot.

It is then up to you and the entity which wants to charge you to settle the case, but the bank will not issue the money.

I can call my CC company and declare fraud and get the money back and a new card, but then I'd have to update all other accounts that use that specific CC and it's a shitty experience.

Being able to at least email google support would resolve this.

Also you will likely never be able to do business with Google again. So make sure you're willing to never use another paid Google service again.

Yes, you are of course right. This is a pain in the ass.

I was referring to the fact that you are being defrauded, which I understood as "being defrauded and losing money".

I've used GSuite since 2004 and the more I read about support the more scared I am. Good luck.

This is the part where you have to launch a campaign to shame Google on social media or know someone on the inside to get your situation resolved.

When you do get back in my advice is to enable multiple 2FA factors as that seems to streamline the account recovery case.

I've had the exact same issue with Amazon. I had prime. Suspected suspicious activity. It's been 6 months without resolution. I just created another account but I've been calling in every day since. There is no escalation, I keep getting told the same thing: We have no power, we just submit the form to the Account Specialists. You should be called back in 24 hours. I've not once received a call back. My old account is still being used for fake reviews, while amazon had completely locked out the account from being able to login on any device. I can't log in. Whomever is in my account seems to have complete control through some other method, which would explain how they were able to access my old account, even though I have 2FA and mobile authentication. There is a vulnerability they are not talking about.

I'm so fucking pissed about this. I signed up for AWS with a personal Amazon.com shopping account. Enabled 2FA, lost the token. I can care less about the AWS account but no longer can I change my password on the shopping account I've had for 10 years.

I bet that more accounts and data have been lost to 2FA than have ever been saved by 2FA.

Follow proper practice. Always register two keys.

FWIW this is why it's a good idea to have two MFA mechanisms. If you can afford it I recommend getting 2 hardware tokens, and storing them separately (you can leave one in your computer, hard to lose).

That's a great plan, but AWS notably doesn't support multiple hardware u2f devices.

They've been sitting on the ask for about 7 years.

Don't they have 2FA recovery codes?

This has become somewhat of the standard for 2FA in recent years.

Can you not manually set the two tokens to the same "seed"?

That works for TOTP 2FA on your phone. But most hardware tokens have an internal seed that's immutable.

Isn't that just the enterprise ones? I've been using personal hardware TOTP tokens[1][2] like this for years, where you can set the seed yourself using NFC.

[1] https://www.token2.com/shop/category/programmable-tokens

[2] https://www.protectimus.com/protectimus-slim-mini

The problem with TOTP is it's really just a second password. It e.g. doesn't protect you from phishing in the way that a YubiKey does.

I think they meant hardware in the sense of U2F tokens like Yubikeys, not TOTP based ones.

Damn, that sucks. I use GSuite to SSO to AWS though.

And there is zero support to help you fix the problem.

There is an MFA reset process that requires a notary and whatnot. Wouldn't be an issue for the average Joe but since I've moved 3 times since signing up for AWS, I'm not sure which address they need and not even sure I can procure sufficient documents with those addresses on them.

I don't get this. You lost your MFA backup and you cannot prove who you are and somehow this is Amazon's fault. What are you complaining about exactly?

I don't think he can't prove who he is. He is, after all, the same person. Rather, he can't verify to the service provider that he's the same individual that they have on file, despite being the same bag of flesh and bones he always was. And that is absolutely the service provider's fault.

Blaming him instead of Amazon would make sense if Amazon allowed you to have an MFA backup, or recovery codes.

I use Authy to back up my MFA codes; this works fine for Amazon.

When I switched providers and phone at the same time I used my billing address as well as my CC to confirm my change in billing address.

Ensuring I can prove who I am is my responsibility.

You are responsible to ensure your identity. Make sure you back up your 2FA codes.

You can try and shift the responsibility but why would they be responsible for your shit?

It sounds like someone working for Amazon directly is abusing your account.

The best way to avoid this situation is to have more than 1 G Suite super admin per organization, each controlled by different people [0].

Also, you may want to enable Account Self-Recovery if it's not practical to have more than 1 admin user. [1]

[0] https://support.google.com/a/answer/9011373?hl=en&ref_topic=...

[1] https://support.google.com/a/answer/9436964

I wish a service existed.

"Our technology is so sophisticated even we can't handle it. But that's your problem, isn't it?.. We don't care, we don't have to." https://vimeo.com/355556831

Thanks, quite relevant though over 40 years old.

This is a pretty accurate representation of how people felt about the phone company back then. Being able to easily talk to people all over the world was amazing and the technology was appreciated. However, still prior to the mandatory breakup in the early 1980s, customer service was often a bit of a joke.

Haven't clicked the link (yet), but I'm pretty sure it's Lily Tomlin on Laugh-In as The Telephone Operator: "Is this the party to whom I am speaking? (Snort, snort.)"

Same character, but that one specifically is when she reprised it for SNL in the late 70s.

Before I clicked on the link, I had expected that to be a clip featuring the Central Services engineers from Terry Gilliam's Brazil.

One-time-use recovery passwords you can generate (or are compelled to) in case you lose access or are locked out seem like a better option. I believe mega.nz & live.com do that; if it is available with Google, it wasn't obvious to me.

I love Google's rationale of locking people out.

I have pop3/imap access to an old secondary gmail account, but whenever I try to log in by the browser, it locks me out and asks me to confirm who I am by adding a phone number.

I never associated a phone number with the account and have no plans to do so. If somebody did get the password, they would be forced to add a phone number they are in control of if they wanted to take it over.

So what was the point of that? Other than compelling thieves to enable and set up 2FA on Gmail accounts on old accounts without 2FA that they've gained access to, almost certainly ensuring the owner never gets it back if they ever decide to check their legacy account again.

But if you add a phone number, that makes it harder for someone to take over your account.

The more information you add, the harder it is for you to recover your account.

If you add your phone number, fine, as long as you still have access to it. But say you add a backup email. Now if you lose access to either your phone number or your backup email, you can never recover your account.

When I realized how this worked, I thought it was nuts. But it is.

Someone created a G Suite trial for a domain I own. There was no option for me to contact Google to tell them I did not create the trial account and do not want it, since all contact options required me to be logged into the trial account I did not create :)

Sounds like the Xfinity emails I receive. They end with "You cannot unsubscribe from these emails because they are account related".

The problem is, I don't have an account. I don't even live in an area where I could have an account. I've contacted them multiple times and they cannot find my email address in their system. They've escalated it, had engineering teams look into it, etc. Nobody knows how/why I'm getting emails.

If I was in a bad mood, I'd report them to the FTC -- the fines of $16k per email would be an enormous amount by now since this has been happening for 8 years.

But, I mention it because some of us here create systems that send emails and we need to remember to always create a way for the user to self-delete or at least some kind of audit system for finding that email address in a system later.

Oh ya, for about a year I've been getting someone's electricity bill from India too. Again, there's no way to unsubscribe, and worse I don't speak the language so my attempts to contact them have made no progress. Thankfully, it's easy to create email rules to dump these emails before I even see them.

To create a trial domain at example.com, you first get a domain at example.com.test-google-a.com and then you have to go through domain verification[0] for the real domain. Either they still have your domain as "pending" in G Suite, or they have access to your DNS/web server.

0: https://support.google.com/a/answer/60216?hl=en

They don't have access to my DNS/web server. That didn't stop Google from sending me 11 spam emails about G Suite.

I think the first step Google should take before DNS/web server verification is to verify the email address used for the setup.

This sounds like an avenue for miscreants to potentially hold domains hostage. :(

eg: Register likely target business domains for G Suite, O365, etc trials to lock them out.

Then blackmail/bribe/whatever the legit owner if they want access.

Doesn't sound like there'd be any workaround either, at least for the first few years. :(

Maybe the "Police contacting Google/MS" which would eventually happen could get it stopped at some point.

I've had similar issues with lost/forgotten passwords. I actually have a bricked Nexus device because of it. Any password reclamation attempts are supposed to send an email to my backup account for resolution but the email just never arrives. From my reading it sounds like a common problem as well. And yet I have a newer GSuite email through work and a personal Gmail account for about 14 years (since beta) and no issues otherwise.

Also at a loss.

I had this exact situation just 2-3 weeks back and had to use my personal Gmail account to start a community support thread and then got a link, which reset my G Suite account activation/verification process. I got access back in about 5 days from the start of the process.


Here is my thread on Google Community Help if it helps you or anyone else - https://support.google.com/a/thread/60347634?hl=en&dark=1

Does https://support.google.com/accounts/thread/5024607?hl=en help you?

Reading that comment thread makes it look like (a) "primary mobile or corporate device" just means "the last device you signed in on", not like a special device, and (b) maybe it's a problem when you don't have two-factor authentication enabled?

Have you tried account recovery? https://accounts.google.com/signin/recovery

the ability to ring up and speak to a person in case of difficulty is the only reason I'm paying Google for GSuite

with this revelation I won't be renewing

Google never said their phone support is for login issues and makes it clear you need to log in for support, and the OP (who is using a throwaway) said they didn't remember using a mobile number when signing up so it sounds like the problem is partly on them. If you've been a customer for almost a year and suddenly realized you don't have a number you can call for support, then there is no reason to be outraged since they never promised that in the first place before you signed up and you were too careless to look. They do have a help page regarding login issues:


What does Google expect customers to do here?

Learn to embrace the pain.

Oh yes, this happened to me once. Google has the least useful support of any large company in my experience. This is why I often go with AWS (or, depending on the nature of the company, Microsoft) despite Google's tools usually being more powerful/cutting edge.

On a similar topic: One of my friends got locked out of their Instagram account

He tried to fill in the form on his Android phone to get the decision reviewed, but when he hit submit it just showed an error.

He persevered, and after approximately half a year the form worked and he got access to his account again this summer!

It's a travesty that normal people have no way to get a fair treatment by the FAANGs when it comes to support. I hope some consumer ombudsman could put a stop to this

A friend had someone sign up for Instagram using her Gmail address by mistake. There's no way to unsubscribe and no way to contact Insta without logging in (and it was in another language). In the end she changed the password and took over the account; it was the only reasonable option.

Same with PayPal... if somebody used your credit card information to buy something via PayPal without creating an account - so credit card fraud - there is no way to contact their support without providing a valid PayPal account. If you don't have one, you first have to create one.

Sigh - try contacting Facebook because they've let some bozo sign up using your email address ....

I'm a Google One subscriber and so far I have only bad experience with Google's user support, so I'm not surprised that it isn't any better with G Suite. Bit sad though.

I had the exact same problem, wow. I'm very happy to see this on hnews.

Same thing with PayPal

the admins should have a phone number also, when I was an admin on a corp G Suite account there was a phone number also for support that we had.

does the account have 2FA?

He said he set up 2FA and then lost the "corporate device" providing it.

This is why you always set up backup codes. The 2FA is doing its job here keeping the account safe from someone who doesn't have the token, which unfortunately is the account holder.

Wow, didn't expect this post to blow up like this.

For reference, I have no 2FA, nor did I lose my corporate device. I've always accessed it through a web browser, never through a mobile, therefore when it asks me to verify with my corporate mobile device, I do not know what device it is referring to.

Which device did you use when Google first asked you to verify your phone number? Your personal cell phone maybe?

Assuming it was their phone number.

What options do they have now, if they abruptly stopped using that phone number for some reason 10 years ago and had no realistic way to know which 275 utilities were hitched to the number (or even if they did, couldn't contact support for reasons described in the article), for example:

- because they couldn't afford to pay the bills for a while

- or moved country

- or changed contract and then found they couldn't port the number (happened to me) and lost the old number

- or someone took their phone and they were unable in practice to recover the number or continue using it

- or they were ill in hospital for long enough their phone contract expired and they could not have dealt with transfer issues at the time

They don't remember, which is probably how they got themselves into this mess, which everyone else uses as an opportunity to share their Google hate and call for regulation.

I'm not sure why everyone is up in arms in this thread. Even if you could contact Google support, they wouldn't be able to help you since it's up to your GSuite domain admin to verify your identity and reset your account/SSO/2FA.

In fact you were likely logged out in the first place due to policies set by your organization.
