Tell HN: It is impossible to disable Google 2FA using backup codes
657 points by gravitronic on Jan 19, 2023 | hide | past | favorite | 337 comments
I would like to inform the HN community that if your plan to recover your Google account in the event of losing your phone is to use a 2FA backup code, or SMS recovery, to remove the old 2FA setup and set up a new 2FA code, that may not be possible.

My situation:

I had 2FA set up with my Google Account through Google Authenticator.

I lost my Google Authenticator settings when I broke my phone.

I have 2FA backup codes. These successfully log me into my Google Account.

In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google.

When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.

What am I supposed to do in this situation?

Yes this is a classic "maybe I can get support through public shaming" attempt. Thanks in advance.




Oh my god. 2-Step verification on your Google Account is actually less secure than not using it at all.

I just posted about something similar maybe 3 months ago?[1]

> I kid you not. Google's actual official answer to this is... create another account![1][2][3]

> Edit: Now that I have your attention:

> PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.

> [1]: https://support.google.com/accounts/troubleshooter/2402620?h...

> [2]: https://support.google.com/accounts/answer/7682439

> [3]: https://support.google.com/accounts/answer/7299973

[1]: https://news.ycombinator.com/item?id=33692942


I have 2FA backup codes! They let me log into my account! But using only backup codes, I cannot remove the lost 2FA. So now I have 8 consumable backup codes and after that I will not be able to access the account.

To remove the lost 2FA, I need a fresh 2FA code. No alternatives given.


The solution (which is too late to help you with now) is to take a photo of the QR code that is first shown to you when you originally set up 2FA. Keep that safe somewhere and you can always go back. For anyone who is freaked out by this and currently still has access to their Google Authenticator app, I suggest exporting all your codes to a big QR code in the app and keeping that safe (maybe print it out).


You can do this, or you can write down the secret (Click to get the text), and use oathtool to generate codes rather than google's auth.

I keep all my 2fa secrets in pass for this reason. Never lose access again!


But be careful. If you access the passwords and 2FA secrets via the same credentials, you are back to one-factor authentication if the secret + pass store ever gets compromised.

Imho it's a different story if you use a separate gpg-key/secret to access the 2fa secrets (which should also only happen in emergency cases).

This can easily be done with pass.


Yeah... I do the same thing. 2FA secrets in my password vault.

I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them? I know from experience that printouts get lost, and also that if someone were determined to hack me, the easiest route would be to break into my home and find the printouts.

So I guess I'm technically supposed to subscribe to a second password manager and store just my 2FA secrets inside of that, with a different master password. Or, put the 2FA secrets inside their own encrypted file stored in my password manager, but once again with their own password that... I can't keep in my password manager. But the biggest problem with both of these is I'm going to forget the password. I never forget my password manager master password because I use it weekly. But asking me to remember a password I last used 3 years ago because that's when I set up 2FA? It's not gonna happen.

It all feels so absurd that the UX side of me just rebels. Expecting users to store 2FA secrets in a different place from their passwords that is also just as secure... is just not something normal people are ever going to do.


It's misleading to say that storing your passwords and 2FA secrets in the same place defeats the purpose. There are several vectors here, right?

Enabling 2FA on a site (regardless of how or where the 2nd factor is stored) means if a malicious party were to obtain your plaintext password, they still wouldn't be able to access your account. So, outside of the entire discussion of password managers and secrets, 2FA does require a second factor.

Keeping your 2nd factor in the password vault does make the vault a much higher-value target. But it doesn't diminish the fact that if only your plaintext password is compromised (for example through a leak or re-use) the account is still protected until the point the 2nd factor is compromised.

Security is a spectrum, and often at odds with convenience. While demonstrating that something is provably secure is important, I feel we often fall victim to the nirvana fallacy when discussing the practical everyday use of these things.


Off topic: remarkable that you've made your first comment from a near-decade-old account!


Long-time lurker, first-time caller.


> store 2FA secrets in a different place from their passwords is just not something normal people are ever going to do

Normal people, in the sense of people who do what the interface says to do instead of layering anything else on top, are told 2FA means "something you know, and something you have."

"Know" means it exists only in your mind; it is not stored elsewhere. "Have" means you cannot possibly produce it with your mind; it's stored elsewhere.

When abiding by this concept, "storing 2FA secrets in a different place from their passwords" (the former in some electronic or printed format; the latter in one's mind) is simple. Things get complicated when people start storing both in some electronic or printed format, but that's not what any login interface tells people to do.

The neologism "passkey" (a string used in lieu of a password, but which is not memorable, and therefore is destined to be something you "have") will probably help to sort out this concept: there would be no confusion about the fact that combining a passkey with totp constitutes two "have" items, and therefore is 1FA until combined with something else (biometric, probably).


I think using a password manager is already 2FA.

Something you have: a password database on your PC.

Something you know: your master password.

TOTP is a nice addon, but you can store it in the same password manager. It will still help with some attacks (e. g. if a hacker manages to MITM your traffic, they only get the password + one code, which is not sufficient to log in again).


> I KNOW it defeats the purpose. But honestly, where the heck else am I supposed to put them?

Backing up my 2FA codes is one of the reasons that led me to create PortableSecret: https://news.ycombinator.com/item?id=34083366

Some people took issue with my comment regarding ‘not all secrets belong in your password manager’ but your comment is exactly what I meant.


My laptop, which contains all this secret information, is way, way more secure than my phone. There's the boot decrypt password, login password, then gpg password. My phone has ... A pin.

And besides, this is fine as an archived backup in case someone loses their phone. It just so happens it's faster for me to xsel the output of oathtool than it is to unlock my phone, open app, select account, and remember code, esp because I live in the terminal anyway.


Android phones are encrypted by default, but for encryption, they use the same PIN as your lock screen. There's some command you could run to replace it with a strong password while keeping screen lock PIN simple, but it didn't work for me last time I tried.


Surely the data is encrypted using a 128 bit key or better, and the key is stored on some secure enclave which rate limits PIN entries, is it not?


> Surely the data is encrypted using a 128 bit key or better

I think so, yeah.

> and the key is stored on some secure enclave which rate limits PIN entries, is it not?

That, I'm not so sure about. I didn't really think about it too much before you pointed it out, but it would make sense for the Android folks to have implemented it. I'll look into it a bit later!


How is a regular user supposed to think of all this in advance? It's ridiculous. Securely proving your identity in case of loss of proof of identity is hard enough with just passwords. With 2FA it's pretty much impossible.


I'm sure all of this will make sense to grandma, too.

(Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)


It may not help grandma as much as someone who maintains some popular opensource library that you may happen to use or someone that puts parts of their savings into crypto.

Who is more likely to visit this page (and use tools like pass) is up for you to decide.

The point still stands. Storing passwords and 2FA secrets in the same box will weaken the 2 in 2FA.

> (Gmail's main target is not devs, or even computer literate people. And owning a smart phone != literate.)

Grandma can always print the 2FA seed or write down the alphanumeric value and store it not next to the sheet with her passwords – same principle (I think she won't use pass anyway, as opposed to the person I was originally replying to, who tells me they are most likely technically literate).


Grandmas usually don't set up two-factor authentication in the first place.


Google will leave grandmas no choice.


This is not entirely true.

https://security.stackexchange.com/a/194279 explains it better than I could.


I enrol any TOTP codes into 3 YubiKeys, and also keep the private key physically printed out.

Although, for Google, I'm using FIDO.


for the curious:

    # bash: look up <account>.secret in pass, derive the current TOTP code, copy it
    function 2fa() {
        local sec code
        sec=$(pass show "$1.secret")            # base32 seed stored in pass
        code=$(oathtool -b --totp "$sec")        # -b: seed is base32-encoded
        printf '%s' "$code" | xsel -ib           # no trailing newline on the clipboard
        echo "Copied $code"
    }

then call it as `2fa <account>`, and make sure you store each <account>'s secret as `pass insert <account>.secret -e`.

refs: https://www.cyberciti.biz/faq/use-oathtool-linux-command-lin...


You can do this, or you can just start using Microsoft Authenticator which will sync your Authenticator codes to your Microsoft account for when you reinstall the app elsewhere.


I just checked, and my MS Authenticator is backing up to... my Google account.

So, I thought I'd better change that... but it looks like you can't change your recovery account.

Why are 2FA apps so obtuse!


On iOS, MS Authenticator backs up to iCloud. No way to retain the codes on an iOS->Android migration (or the opposite).


MS Authenticator breaks if you have to do a factory reset on the phone.


this is also fine. I have a personal preference to never look at my phone while working, and I'm always in terminal anyway ...


Well I have a backup phone - where I would scan 2FA code with 2 phones.

Now it is not that necessary because google authenticator allows transfer of data.

But when Authenticator had no such option I was quite terrified and came up with the idea to get another phone just as a backup and scan the 2FA code with 2 phones, always, for all websites. Of course the backup one is always on my desk - but I don't have an offsite backup for these. The problem is I don't want these TOTP tokens offsite really, so it is a bit of a challenge :) to come up with an everything-proof plan.


There are a lot of options, including free software and no-cloud alternatives, to get backups without doing that manually in such a cumbersome or fearful way as you are now.

For example:

> "Password Store" ('pass' compatible) for Android also supports TOTP to tokens and Gpg encryption.

> With Syncthing, 'gopass' and 'Android Password Store', I have a fully open source, very easy to reason about fully in my control, password and totp storage, accessible on all my devices. All of which can only be accessed with my Yubikey that I keep in my pocket and my GPG PIN.


I store them in a KeePassXC database for syncing and also protect it with a YubiKey. Lets me back it up to other places while also allowing them to stay secure. Most other password manager solutions should also be able to be used to keep them secure and backed up.


And this has now just encouraged me to buy a Pixel 6A running GrapheneOS to have as a backup at all times for my important google accounts


i feel like I'm asking a dumb question but why not just use a password manager that syncs your stuff and handles 2FA like 1Password? Break the phone? no worries you've got the info on your desktop. House goes up in a fire, no worries, they've got it on the cloud and you can access from a friend's house / library / whatever.


You can't actually access your 1pw vault from wherever if you don't have an existing authenticated device or a copy of your secret key. That's intended to provide added security in case your master password is compromised. So to guard against the house burning down situation you need to either keep a printout of the secret key somewhere else (friend's house, bank box, etc.) or save it somewhere (secure) online where you can get it without using 1pw.


The QR code that you mention is just an encoding of an actual string key (edit: I'm reading now that it's called a seed). If possible, it is better to get the string directly, instead of its QR-encoded counterpart.

This is needed, for example, to store the TOTP in a device that has no camera, or in your Bitwarden Pro account. Obviously you wouldn't be able to scan a QR code with such an application, so the actual string is needed; you just copy-paste it. It should therefore be provided by any service that offers 2FA (I confirmed Google does).


You are correct about the QR code just representing a (fairly short) string, but applications can handle QR codes just fine - 1Password can read it directly from the screen.


There may be a plugin for it but the KeePass clients I've used don't support this by default. Generally, it would be best to look for the string (and keep both the string and the image secret!).


KeepassXC lets you store the TOTP seed value associated with an entry by right-clicking on that key and selecting "Setting up TOTP".

Also, other TOTP generators like Authy and Aegis let you backup your tokens to restore to another device.


Yes, but be careful which TOTP app you're using to store seed values/secret keys: some store them as plain text! Personally, on Android I'm using Keepass2Android and KeePassium on iOS to store both the QR image and the string value. It will also generate the OTP value at login. As you know, the KeePass password file can be backed up anywhere.

https://raw.githubusercontent.com/blues-lab/totp-app-analysi...


You can scan any QR code with the iPhone default camera app and get the string back that way. But yeah, all QR codes are just encoded strings.


Sharing a useful app I found: The Orca Scan app on iPhone can scan and decode all kinds of barcodes and qr codes


Linux:

    xclip -sel clip -t image/png -o | zbarimg -
macOS:

    pngpaste - | zbarimg -


Why not both? Thanks for the clarification.


You can extract plaintext secret keys from google authenticator app and store them in user friendly format/password manager

https://github.com/scito/extract_otp_secrets


If you're using Authy: https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d... (be sure to read the comments if you see "appManager is not defined")


Warning: Samsung browser on Galaxy S10 hangs when opening this URL.


1Password stores QR codes and syncs them across any device that has access to your vault. I highly recommend this solution if you're worried about losing access to your 2FA codes. It is also easy to back up.


This article helped me to understand how totp works and how it can be implemented [1]

[1]: https://digitalbunker.dev/how-do-time-based-one-time-passwor...


If you use 1Password, the initial code (just a string) is always available in the app. You can use it to move TOTP to another app, if you wish.


Printing it out and putting it in some safe is what i did.

And works like a charm.

I mean, if it works for crypto wallets it might also work for 2FA...


I use VaultWarden to store my 2FA info which (aside from being very handy) replicates the codes offline on each device I sync my vault to.


This. I always keep that QR code screenshot & phrase in a separate KeePass database. Instant same 2FA anytime.

https://spa.bydav.in/otp.html

Shameless plug: I spun up a local HTML/JavaScript page to import/export these code phrases anytime, with customization options like issuer name, account name etc.


Best bet is to save those QR codes (or text codes) in a different vault. I use passwords in LastPass and QR codes in KeePass.


So if my MFA-secured Google account is working fine right now, is the best course of action to remove MFA, then re-add it with this QR picture and/or jotting down the key trick?


Fully understand why some people wouldn't want to do this given the LastPass hack, but some authenticators like Authy let you store a master backup password for all your codes.


And for authenticators that do not allow exporting the secret, while your authenticator is not lost yet, add another authenticator, and during registration save the QR code.


There is no option to add another authenticator app at https://myaccount.google.com/security (desktop UI). I think the only feasible option is to first remove Google Authenticator and then re-enable it.

Seriously, Google?

Might be micro, but this is not a sign of a healthy company on an upwards trajectory.


It's time to de-google. Seriously. Now it's from a self-preservation POV, not a political POV.


And this is how you turn a second factor into another first factor.


Wait, they have the authority to block your google auth app? Last I checked, the app is not connected to your google account. And the app's functionality is open source (TOTP). So how does enforcement work?


This assumes you are using TOTP.


Or save the TOTP hash directly.


I remember Google not letting me log in with my TOTP code when it insisted on me clicking a prompt I hadn't received. Only after two timeouts did it add the option to use a TOTP code. If I recall correctly, I had to let the thing fail and then click "let me try another way" or something similar. This leads me to believe that maybe Google hides certain options by default.

However, I also think that Google keeps track of a "security rating" for your session; when I don't log in for a while, Google asks me for my password but when I use that same session token on another physical address I also need to authenticate with 2FA.

This may imply that failed login attempts may flag your session as even worse than before. I have no idea if this is actually how it works or if this is purely coincidental, but it may be worth keeping in mind given that you have limited backup codes available to you.

My recommendation would be to first get a Google Takeout backup stored somewhere safe, then see if you can get another 2FA method that you have control over connected to your account.


Yep it absolutely ratchets up "suspicion" on your account, and failed attempts will quickly get your account in some sort of state where you're locked out. It's absolutely maddening.


Definitely - and I think now that I've gone to that 2FA page and let it time out (since I only have backup codes), it's ratcheted up suspicion higher, as these login attempts count as "an attacker has the password but not the 2FA code!"


Definitely. I did that a few weeks ago and got an email from Google to my gmail saying something along the lines of "somebody has your password and is trying to log in!" even though it was just me on a different computer and after submitting password I realized I didn't have my phone on me so couldn't submit the 2FA. It was even a computer on the same LAN (with same WAN IP), so not like I had an active session in the US while the attempt came from Moscow...


Can't you add a security key like a Yubikey? Do they let you do that without requiring your Google Authenticator / TOTP secret?

What about adding someone who can get access to your email after six months of inactivity? Maybe they let you add that without your lost google authenticator? It'd be better than nothing.


Time for a Google Takeout while you still have access to the account then!


If you login on your phone, it’s possible your phone will automatically become a “second factor” if on Android, or if you have Google apps installed on iOS. This would resolve the problem, but I can’t promise it’ll work.

Note: I mean in mobile apps, not browsers.


Time to repeal 2FA. I can't believe it's required for SOC2 type 2 compliance.


2FA/MFA isn’t the problem. Google is just a pain to deal with when their products don’t work as expected. On one hand, security-wise, it’s good that they tend to design their algorithms to err on the side of being restrictive, but on the other hand, they have no legit support, so if you or their algorithms mess up and you’re locked out of your account, you’re basically on your own. For a company so many of us rely on so deeply, that’s awful!


Nobody should be forced into this terrible scheme if even Google can’t get it working. It’s a case of “this idea isn’t bad, people just implement it wrong”. If nobody can implement it right, it’s not right. Complexity kills.


The alternative is picking a smaller company that might be an easier hacking target or might go out of business when you're not paying attention. I have a Protonmail account but I do wonder how long they'll be around.


2FA is okay. But the practice of backup code sucks. Instead, save the TOTP hash and make extra sure to back it up. Then you can just reconfigure your 2FA app.


This really isn't a problem with 2FA. It is a problem with Google not understanding the reason for backup codes. It's just plain old bad design on Google's part.


Thank you for this. I will make extra backups of my 2fa seeds. I currently have all of them in my bitwarden vault which won't probably ever fail me but it's better to be extra safe


Without 2FA enabled, google can and will lock you out of your own account for no good reason with zero recourse, stating they "cannot identify you" or that "your browser is insecure". We lost several paid business gapps accounts due to this.


Whenever one of these threads about Google (or Apple) come up, I am shocked at the lack of response from people working at those companies. It seems reasonable that this site would be where you'd find someone from a team that interacted with logic that OP is having trouble with.

I'd expect to see something like a "hey, yeah, I know a guy on our team that might be able to get in touch with the team who maintains this. I've sent them this thread"...

I'm hoping OP got a private message.


Maybe when Google was an exciting place to work and a darling of the internet, possibly somebody working there would consider going out of their way to help a user out and considered themselves empowered to do so.

I get the feeling that anymore people just don't care. There might even be disincentives to report or try to address such issues. It's maybe just me, but it seems the excitement over the dotcom has subsided and we're all just in a technical slump right now. Corporate takeover of the internet has taken hold.


Anecdotally, my wife works for a pharmaceutical company and is mandated to report possible impacts that people report about a drug, even in casual conversation. People working under this mandate simply avoid these areas entirely. We avoid watching certain Instagram and Youtube personalities with certain conditions in the chance they might say something she has to report.


Is that for real? I'd love to hear more about this mandate.

Why would someone refuse to watch celebrity Youtube videos, in private with their husband, because of some mandated self-reporting by their pharma overlords?

I'm in awe at the level of corporate control and domestication implied.

On the face of it, your anecdote reminded me of that (apocryphal?) prank that natives played on early explorers: "Will he eat this disgusting food if we tell him it is our tradition? How far can we push him into abject nonsense before his common sense revolts?"


It's not a random Pharma company mandate, it's an FDA one. I think it's in here: 21 CFR Part 314.80 Postmarketing reporting of adverse drug experiences.

https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfCFR/CFR...

At its heart I get it — you don't want a company's employees to be burying reports of adverse events. But now the company is liable to ensure such things get reported. And thus they pass this liability onto their employees.


It is real. To my recollection, this isn't so much a matter of corporate control as it is following FDA guidelines to the letter.


Developers at large corporations are strictly informed that they are not the public face of the company and can't do that. These aren't mom and pop developer shops.


I agree to some extent but large companies do staff roles that have public outreach as part of their job description. Suggesting that no one is able to say "there is an internal ticket for this" is not the full answer.


Really? I've never seen anyone at Google or Apple who's in a "staff role with public outreach as part of their job". I don't think any big tech companies have those.


They do, and Google does.

Job descriptions are usually something like: "As a Technical Evangelist, you will be the face of the platform and often the first contact our customers have with us, both online and in person."

https://en.wikipedia.org/wiki/Technology_evangelist


Do tech evangelist roles really have the power to send things back to the product teams? They always seemed more like platform adoption/marketing people.


That's... not what technology evangelists do. Tech evangelists are the public face of a specific, often open-source, product/project. There are no tech evangelists for "all of Google". These are narrowly-defined roles, and they aren't empowered to be the public face of the company outside of that area.


They can't send a link to a colleague?


These places are large complex organizations. Even at small places it's difficult to find the right person the feedback would go to. That also assumes that the person who takes in feedback can actually change anything.

My guess is that they want to implement the feature but the security burden is so high that it's not worth it. When everyone's ${stereotypical_computer_illiterate_user_of_choice} starts using MFA and losing their 2FA solutions, it may be worth tackling, but until then, I imagine the number of impacted users is relatively low.


How can you possibly know they don’t do that?


You don't have to be mom and pop to give a crap about your reputation/perception.


Something similar but different happened to me. I know someone who works at Google in a distant dept. The best he could do was try to follow the internal escalation policy, which was broken, so he filed an internal bug about the process. I solved my issue a different way in the end.

I bet employees feel as disempowered about this stuff as civilians…


I would be surprised if they were allowed to do so by their workplace policies, and clearly they don't feel it's worth the risk to stick their neck out. Not only is there limited win scenario for themselves or their company, there are multiple lose scenarios - there's likely NO response that everybody will be happy with, and some percentage of these scenarios end up with more than initially meets the eye.


> I'm hoping OP got a private message.

I'm not. I have the same problem -- or I will if I ever lose my 2 factor identification keys, which are held by Authy NOT by myself. I always assumed that my one-time-codes (which I have carefully secured and protected) would be usable to regain control over my account. If that's not the case, then I want Google to fix it for EVERYONE.


Not sure if this is still accurate or not, but you used to be able to use the element inspector to export your keys from the Authy chrome extension (I can't find the original script I used, but I did find this one for developer mode [1]). This is how I migrated to WinAuth (dead project, but still works. Theoretically secured by windows itself, so shouldn't matter I think?). I've since migrated my mobile devices to Aegis[2], which I'm trusting sandboxing to secure; new otp are still added to Authy solely as backup.

Aegis supports importing from a bunch of apps, as does android-otp-extractor, both need root to do so. Aegis can also import backups from a bunch of different apps.

[1] https://gbatemp.net/threads/extract-your-totp-keys-from-auth... [2] https://github.com/beemdevelopment/Aegis [3] https://github.com/puddly/android-otp-extractor


Always back up the key/QR code before importing it into any app in case that device blows up.


Nothing yet, but I just added an email in profile if any helpful googlers are able to assist


I guess no one wants to be responsible, while at the same time having some of the highest paid employees of tech companies. No one wants to take the blame for the crap Google is pushing down people's throats. If Google started to actually deal with these things, instead of leaving it to "the algorithm", they probably would have lots of extra costs. Some number pusher needs to make their numbers, so nothing changes.

If one has the choice, one should never rely on Google for anything, unless one has a fetish for being victim of some algorithm with no way to change it. Most of their tooling is not worth that pain anyway and looks like a thin veil around user tracking. Never forget, that Google is an ads business company and that is how they make their money.


Any of these large companies are like governments. Assume you complain to a Chinese or US or European that your govt does this bad/crazy/illogical thing.

how do they respond?

Do you think if you tell an engineer from John Deere that they have unethical practices they are going to complain in the next meeting? Or a Volkswagen person that does care about pollution but will be quiet?

They just look at pay checks.

Any complaints. they just shrug or chuckle ...

The teams are big and finally they can't get involved. IIRC, even spouses of Googlers can't get special access.

At the same time if they did manage to reset account/password/etc that would be the best way to circumvent security.


Which could mean that these people have been outsourced.


Their billing collections dept is outsourced to Accenture (they say so in the email sig) and from my support conversations are pretty much siloed off.


If a random employee can do that, a random employee can do that and I guess it's better for everyone if no employees can bypass user security based on a forum post.


The suggestion isn't to bypass, but to surface a missing use case to the relevant folks


This is why I use SMS as my second factor for my Google account. Much harder to lose. It could be vulnerable to sim swapping attacks, but I consider Google locking me out of my own account a more likely threat (and frankly I'm probably not a high-profile enough target for anyone to bother with that, and in any case they'd still need my password).


Instead of Google Authenticator, I use Twilio Authy. It syncs the 2FA code across my devices. I keep a backup device at home.

Sure, it's not the most secure way but I trust this over carriers securing my number.


Don't use Twilio Authy. From https://raw.githubusercontent.com/blues-lab/totp-app-analysi... : "the Twilio Authy app and Zoho OneAuth app each store backups on their own servers. This means that any user of Twilio Authy or Zoho OneAuth who enables cloud backups is unknowingly sending those companies the names of the websites/services they use and the usernames for their accounts on those platforms."

And

"By default, each of Twilio Authy, Yandex.Key, and Salesforce Authenticator also relied solely on SMS OTP to authenticate users during recovery, but did encrypt TOTP backups using a key derived from a password before uploading them to the cloud. To compromise the backup, an attacker who hijacks the phone number will still need to conduct an offline attack to guess the backup password."


Me too. Although this thread is making me wonder if I'd be screwed if I somehow lost access to both of my authenticated devices. (The 'house burns down' scenario.)

Edit: looks like you can fall back to SMS (along with backups password) to add a new device.


Instead of SMS, get a pair of YubiKeys, as recommended by some other posters, so you are not depending on your mobile provider, as they own the number and it is just "rented" to you.


> ...so you are not depending on your mobile provider as they own the number and it is just "rented" to you.

In the US, porting wireless numbers has been mandated by the FCC for almost 20 years. I'm feeling my age, as I remember being excited during the process and when it finally happened.

https://www.fcc.gov/general/wireless-local-number-portabilit...


And if you have an Android phone you don't even need a pair of hardware keys, one is enough as backup, just use your phone as the main key: https://www.youtube.com/watch?v=Nhz4YLay0zc

I think you can also do that with an iPhone and the Google Smart Lock app.


How does that work? Do you have to carry around a Yubikey/Dongle everywhere with your phone?


For my phone, I'm already logged in and never get any future challenges. I needed the Yubikey when I first logged into my phone, but after that the phone has been authenticated. If I unlink my phone to my Google account I'll need the Yubikey again, but I don't normally do that. So normally I don't carry a Yubikey with me, like when I go to the store and what not.

That said, I do keep a Yubikey with me in my bag when I travel in case my phone breaks and I need to authenticate into a new device. I do take a Yubikey with me going to and from the office as there are other services and platforms which do challenge my Yubikey more often.


I have a YubiKey on my keyring. It's superior to SMS 2FA in every way. It's almost impossible to damage a YubiKey; phones can easily be broken or stolen. You can have multiple keys linked to your account; Google only lets you have one phone. A YubiKey can't be SIM swapped. Never needs to be charged or have cell reception, no problems with sites not accepting international phone numbers.

The only downside is that Google is the only site I use that supports it.


I keep one on my keychain in my pocket and one at home in a fireproof box, plus a backup one that I haven't even opened next to the backup so if I lose the keychain one I have another ready to go as my "new backup".


As others have commented, on your phone you rarely ever need to authenticate, so I keep mine at home.

If you buy a Titan Key you get two (USB-A, USB-C), so sticking one of them in your safety deposit box, locked desk drawer at work or another secured space is a good backup.


Personally, I don't, since I've never wanted to log into my Google account on a device I encountered while out of the house. I'm not really sure why you'd ever do that IMO.


This should be fine: Using your phone for SMS 2-factor authentication is a separate thing from assigning the phone as "your phone" in your Google account (which works as account recovery too).

If you don't have your phone set up as "your phone" and they clone your SIM they can use your number to get 2FA codes potentially, yes, but they still need your password to log in. Supposedly they won't have that.


I mostly agree with you, but be careful how often you apply this logic. People who are not already a target can be just as useful, for example when needing to frame someone else for a crime. I mean, who'd care about nicoburns if they disappeared, right?


I just tested this.

You should not disable 2FA.

- Just click on the Authenticator app

- Change Authenticator app

- https://ibb.co/dPCMpdN

Just works.


Hey, thank you so much for trying to help me.

On what page do you see the Authenticator app listed? I suspect it's on the "Two Factor Auth" page. My problem is that I cannot even load that page. I click on "Security" in the menu, and it's when I click on "Two factor auth" to do any 2FA-related task that I'm forced to log in and provide a 2FA code (which I do not have).


Just tested it.

- Private Browser Window - Log in using backup code - can change auth app without another login.


So weird, because I cannot!

Maybe it's because I haven't used a 2FA code on this account in the past year? I typically stay logged out of my Google account and just have the email forwarded to another provider.


> Maybe it's because I haven't used a 2FA code on this account in the past year?

Oh dear. You're almost certainly off the critical path of integration and end-to-end testing and may have hit a legit bug.


I guess could be that.

I too created a new Chrome profile (and restarted my router) to get a different IP, i.e. clean.

- Does this mean you are able to access emails but not change 2FA?

- If yes, do a Takeout ASAP.

- Maybe the backup codes are incorrect?

(Unless the machine learning folks on HN did some programming to prevent it!!!). For everyone that complains about Google, I wonder how the HN crowd so pleasingly accepts a paycheck in the software industry.


The backup codes are what enabled me to log in, thankfully, so I know they work.

Thanks for the Takeout advice... onto that now!


Errr... so now the story comes out that this is more of a weirder case than everyday use.


There's probably a vague/inconsistent (possibly "AI") threat-score / heuristic. I've heard of extra security requirements being imposed for like 30 days or so when you haven't accessed for a long time (or on a new machine?) and it's just ironic how they currently put you in a catch-22.


Go to https://myaccount.google.com/security?hl=en

Then, https://myaccount.google.com/signinoptions/two-step-verifica...

There you can see Authenticator app.

(I am doing this on desktop. Not sure about phone)


Thanks for the followup. I'm also on desktop.

When I click the second link, I'm forced to reauthenticate. During that reauthentication my only option for 2-factor auth is... a valid 2FA code. Backup codes are not allowed.

I suspect since you originally logged in with a 2FA code (I'm guessing), your session is marked as "recently two factor verified", and when I logged in with a backup code, I was not marked the same level of "secure".


Since you told me, I tried without a 2FA code but with a backup code.

> When I click the second link, I'm forced to reauthenticate.

Here, I am being asked my password.

Then I get that page.


Probably the difference, like parent says, is that you recently used 2FA, from the same IP address etc etc, so even though you have signed in with a backup code now, Google still trusts your sign-in more than OP's.


I completely believe you. I got in a similar situation in 2020. In that case it was a change of password of the main account that went wrong. How?

Don't know, I have a password manager that captured the password I inputted and it was exactly as it should have been inputted. But when I put it in Google it told me that it was incorrect.

When I commented to people, everyone told me that they could change their password doing this and that, but... I couldn't. Looks like there are different security levels based on arbitrary rules, and what one user could do, I was unable to do.

I only had the account logged in on my phone, and every day I kept trying to restore the account, every day unsuccessfully.

One day, 5 weeks after the day it happened, doing exactly the same as the previous days, one of the recovery attempts worked, and I was able to reset my password.

It completely put me off using Google services, but God, it is hard to abandon your first mail service, I got way too many things hooked up with them.


Maybe too late to give you any helpful advice, but setting up Advanced Protection may make sense. You need to buy at least two (preferably three) YubiKeys and the password plus any of these keys allow you to login to your account. Nothing more, nothing less. Costs a few bucks, but at least the auth flow is very clear.

Another thing you can do is to wait for a week and see if anything changes. Having the session last for more than a week may give you more options in passing the challenge.


One downside of Advanced Protection for Android users that intend on linking the account to their device is that you will not be able to install apps from "aftermarket" app stores, like F-Droid. You can still install apps with `adb install`, though.


I did this but I'm concerned about the recovery process.

Google says at https://landing.google.com/advancedprotection/faq that:

> If you lose your key and are still signed in on one of your devices, visit account.google.com to add or replace a key. Otherwise, submit a request to recover your account. Google may take a few days to verify it’s you and restore your access.

I've assumed the risk of temporarily losing access to my account if I happen to lose all my hardware keys and devices for some reason while they confirm my identity, but from these posts I think that Google may not be of help at all and I could permanently lose access.

I'm starting to wonder if I shouldn't go back to regular 2FA since I can safely backup those codes.



Keep in mind that this can make signing into some devices tricky. On devices which do not support WebAuthn (Nintendo Switch) it will prompt you to acknowledge the code sent to another device which does support WebAuthn.

You can't authenticate some Roku channels as well, such as PhotoView for Google Photos.


also many Google TVs do not support it


> What am I supposed to do in this situation?

This. Support systems in the world, post computers eating everything, are basically HN posts.


Maybe the next million new jobs is just rebuilding a reasonable level of customer support at all tech companies, funded by modest usage fees. $5/mo, $50/yr, or $500 for lifetime guaranteed permanent access so no lockouts are possible, I would definitely pay for Gmail or an equivalent service. And there are people who I’m sure would pay much more.

Another short term option: $500-1000 right now to get a couple hours of support to unlock an account.


Maybe, alternatively, this is just an indicator that ad-based "free" services aren't really realistically economical and we should all be paying google 50c/mo for our email addresses.

Also, I think it's unreasonable to accept "support just sucks now" as a norm - consumer protections exist to shield us from BS like this and the US has been far too lax in flexing those muscles lately.


Gmail is the ultimate root of way too many services for me, but I don’t really see any alternative. For example there are lots of nice paid services out there that look great, but eventually I’m going to forget to pay, or the company will go under, or whatever.

IMO we need USPS email addresses for the same reason we have mailboxes. The ability to be contacted digitally is just table stakes nowadays.


> For example there are lots of nice paid services out there that look great, but eventually I’m going to forget to pay, or the company will go under, or whatever.

Right, that's why I think there should be an option for a $500 permanent email address, or maybe $50 one-time payment that doesn't guarantee permanent access but does guarantee that the email address will sit there as long as it takes for you to be able to pay to restore your account, without being deleted or reassigned.


Purchase a domain and use your registrar's SMTP and IMAP servers. I have been doing this for about 5 years now and it feels great. I get to pay annually for a bundle of related services (domain, DNS, email, ...) instead of freeloading in a place where I'm the product and there is no support.

You could also purchase a domain and point MX records anywhere, preferably at some known-good mail service which you pay for.


You don't need to use your registrar. I'm grandfathered in with free G Suite, but there's other services that can do this on the cheap or free.


How grandfathered? I had a customer recently whose small business was "grandfathered" into G Suite's free plan... until Google started choking back hard on what features were available. The free plan still exists but they were essentially forced into buying a subscription.


> Maybe the next million new jobs is just rebuilding a reasonable level of customer support at all tech companies, funded by modest usage fees

This already exists.

It's why if you have a certain bank balance, when you call the bank a human in your own country picks up and speaks to you in your native tongue immediately. And if you don't have a certain bank balance, you sit on hold for 90 minutes and are repeatedly told how important your call is.


That's called competition. Banks interoperating with each other means competitors serving different segments of the market can spring up.

Google does not interoperate and effectively has a monopoly on web search, web video (YouTube) and is one of the two evils owning the mobile market (the other being Apple). There is no way for a competitor to emerge because it just wouldn't be able to interoperate with any of these services.


Buying Google One entitles you to general Google apps support.

https://one.google.com/about/support


I have Google One and tried their support once or twice but wasn't impressed. I strongly doubt their ability to help with any somewhat technical question.


My comprehension of the actual costs of the infrastructure required to run those services leads me to believe that Google One is essentially insanely overpriced. Perhaps it's due to high service needed customers self-selecting for the service or it's just price gouging - but the pricing for that is well above what such limited cloud storage offerings normally cost.


Does this really grant access to tech support for weird access issues like the OP?

Because if so, it’s cheap insurance at $20/year.


> I would definitely pay for Gmail

You already can. It’s called Google Workspace and comes with support.


High fees mean that most people even in places like the USA cannot afford it. Would be nice to have modest customer service options for everyone.


That’s expensive.


Won't somebody just think of Google's pocketbook. The only way they can stay afloat is telling people to go fuck themselves when Google messes something about their entire online identity up, clearly.


Or people could pay for the Workspace account, which comes with support.

Basing someone’s entire online identity on a free account has always been pretty sketchy. We just haven’t come up with a better plan for most people yet.


Allowing customer service to bypass customer auth requirements is just weakening your system. There will always be a CS agent who is bribed, makes a mistake, etc. And besides, the agent following a flow chart has no better info to make the decision on than a computer.

Instead the auth requirements should be sane from the start, well publicised, and make a good tradeoff between letting bad guys in vs locking the real owner out.

There should be options beforehand to adjust the balance (eg. enabling 2FA).

To prevent lockouts, there should be some time-based weakening. Eg. if you are trying to access your account, and know only some of the required auth info, and have been unable to for 1 week, and, after blasting messages to every associated recovery phone/email address nobody else does either, then you should be allowed in.

That solves the classic "my house burnt down with my phone in it. All I have is my email and password, but I have no devices left, no backup codes, no access to my phone number, nothing" case.


In this particular case I feel like it's a bug that backup codes are not treated as secure as 2FA codes, and that I explicitly need a 2FA code to disable 2FA is just broken (in my specific case).


It definitely seems like a 1FA backup instead of a 2FA backup in your case. :(

I used this horror story to move to Aegis from Authenticator and make an encrypted backup copy of the OTP vault, so thank you for posting. FWIW.


Right? Backup codes should be considered the most secure overrides for the other resources. What's the point of them being "backup" codes if you'll need something other than the backup for a break-glass event?


> Allowing customer service to bypass customer auth requirements is just weakening your system. There will always be a CS agent who is bribed, makes a mistake, etc. And besides, the agent following a flow chart has no better info to make the decision on than a computer.

This is true, but OTOH there will _always_ be edge case scenarios that no one anticipates until they actually happen. Or maybe someone did anticipate, but they were drowned out by the other voices in the room saying "that can't/won't happen," so it wasn't included in the requirements. What happens when a customer encounters a problem that doesn't fit neatly into one of the user journeys that the product team planned out? Are they just shit out of luck?


> Allowing customer service to bypass customer auth requirements is just weakening your system

I disagree, in regulated industries such as banking this is a solved problem. A combination of onshore staff, good career prospects, pay and working conditions and audit logs means I haven't heard stories of bank insiders breaching into accounts to steal. I'm sure it happened but nowhere near as frequently as fraudulent SIM swaps for example.

TLDR: don't outsource your customer service to the third world and you're already 80% of the way there.


I suspect that the level and sophistication of attacks on the banking sector is far lower than equivalent attacks for data/accounts.

In general, if you break into someone's bank account and transfer money out, that money can be traced by authorities. In almost all cases, that money is recoverable by the government, even if individual banks like to shrug and tell the customer it isn't recoverable.

If you break into someone's email and steal their private info, it can't be traced. That makes the latter much more attractive.


Completely agree! Especially in consumer. I have two situations that are still unresolved.

1. Getting un-banished from Google Ads after a failed credit card charge. No one will tell you why, the appeal form doesn't tell you why, and eventually I figured out there had been a failed credit card charge 2 years ago.

2. Recovering a Facebook account with an email-password reset. The profile was frozen after it was hacked and all of a sudden a 5 year old phone number is required to unlock the profile after the password reset. --> Help page to submit a petition still tries to send you to login flow.

How can there be no way to talk to someone?!?


That or embarrass the company publicly in front of your large twitter audience


When I had a self-inflicted issue with my non-Google email service I contacted support and had the issue resolved within a couple hours.


How does one contact support? Every path I've tried leads to a support community forum. I haven't tried posting there yet as I assumed it was a black hole. Are you saying that that works?


He said non-google. There is no decent support from google.


My advice is only actionable for others, not OP.

You should have backups on places other than the phone.

I warmly recommend andOTP for managing your TOTPs. It's open source and available on F-Droid.

https://f-droid.org/en/packages/org.shadowice.flocke.andotp/


Even better would be Aegis which does backups for you, and (at least in my opinion) has the best UI for an authenticator app. Also available on F-Droid.

https://getaegis.app/


“How’s our 2FA working out?”

“Fantastic. We haven’t heard from anyone with a complaint!”


I lost a bunch of email addresses because they decided to start enforcing the use of security answers even when I had the correct password. Then I lost some more email accounts because I logged in from different locations (I moved) and they thought I was a fraud, even though I was able to confirm using the backup email address. I'm fairly concerned that eventually I'm going to lose all my email addresses due to these increasingly draconian requirements that are sprung upon us.


>due to these increasingly draconian requirements that are sprung upon us.

I'm all for improving authentication, but it's profoundly annoying when authentication requirements are not made clear before logging in.

For a user with a password manager, forcing a user to answer "security questions" will compromise UX at best, and reduce overall security at worst.


Many years ago, I lost my phone with Google Authenticator (which doesn't have a backup option like Authy does) and got locked out from AWS. The next day there was a production issue with our website. Long story short, our website was down for more than 2 weeks while I was trying to regain access to our AWS account. #2faneveragain


I feel like the lesson there isn't 2FA == bad, but rather it's important to have backups of your most important data and credentials, including TOTP seeds.


Your website was down for more than 2 weeks not because 2FA is badly designed, but because you bet everything on your phone not getting lost or damaged. And now you refuse to secure your accounts.


> And now you refuse to secure your accounts.

No, the big lesson for me is to have proper backups of credentials (like the other commenter mentioned) and ensuring multiple people have access to the prod environment. Don't just turn on 2FA without having these things in place.


Actually in this case it's likely AWS is also responsible for having trash 2fa restrictions. AWS will only allow you to setup one single 2fa method.

If you register with a YubiKey, you can't register a 2nd YubiKey as backup, nor can you register an authenticator (TOTP) as a backup.


What is also very frustrating with AWS is that you can only set up one 2FA method. You have to choose between TOTP OR security key and can't have both at the same time. I wanted to add a YubiKey to my account a couple of weeks ago, but had to switch back to TOTP. A lost YubiKey means you're locked out; TOTP secrets can be backed up at least.


To avoid a situation like this, I keep backup screenshots of the 2FA QR codes stored off-line on an encrypted USB drive.


You can also just store the data encoded in them - it's usually just a string.


I do something similar but sillier. I scan the QR code in a basic QR reader app, then regenerate it using a script I got years ago that renders a QR code using Unicode, then store that in a plaintext file (gpg encrypted) with all my other non-password-manager secrets. I started doing this after I had a bad experience with Google Authenticator not surviving the restore to a new phone.


Or just use Aegis - you can export all your codes as an encrypted backup.


What’s that?


It's an Android app. It's easier to manage OTP codes inside your password manager. Do everything with KeePassXC and KeePassDX. How to sync a file between computers and your phone is left as an exercise to the reader. However, I recommend using Syncthing.


No need for screenshots even, right click and Save Image almost always works. I save them all and encrypt them in a separate archive with a different password. No, you probably shouldn't save them to your password vault (unless you know what you're doing).


You can also save the TOTP hash instead of the QR code (which basically just contains that hash)


I do the same. But lately, for some but not all sites, I've been putting 2FA codes in Bitwarden and using their app to fill the codes instead of using Authenticator apps.


I did the same, but I had not updated it since 2020, and now I can't remember the passphrase I used back then. I probably should have kept a separate paper copy of the passphrase. Or I should have used my GPG private key to do the encryption. It is also possible that my keyboard was not in the right language or I made a typo; I have tested hundreds of combinations with no luck so far.


And that is why I utilize the "very secure" flow of also keeping the original QR codes... in a KeePass vault, but still.

Most of the security is theater. On the other hand I think that every tech savvy person should at least try to keep the TOTP seeds.


In Bitwarden you can just store the key itself and it'll generate the codes for you, right next to your password, so convenient!


I expect the "so convenient" is sarcastic, but yes it is more convenient and also more secure.

It helps to consider the threat model. 2FA is protection against (at least) several things: brute-force password guessing, a stolen password, a hijacked email account, etc. Since password vaults like Bitwarden are designed to be uncrackable on their own, the only plausible way for an attacker to compromise one is to gain control of the user's device, at which point they don't really need access to the vault because they don't just have the keys to the kingdom, they have the kingdom.

Any technology that allows users to add security to their assets while still being convenient enough to use daily, leads to greater security overall.

Personally I think we're about a decade or two overdue to switch away from passwords (as currently implemented) and towards public/private keys managed by the browser or an extension, but I don't see that happening anytime soon as it's 100% certain that if it's ever tried, each FAANG will just try to push their own system, break the whole effort with fragmentation, and everyone will still just be using passwords in frustration for the next 100 years.


What's the word, tongue in cheek? I meant it sincerely but phrased in a sarcastic tone. I unironically do this and it's saved me from two phone breakages. I cannot understand how anyone would trust any of their accounts to a single physical device that is routinely lost, stolen, or broken.

My 2FA token is just a second password that doesn't get sent over the wire directly -- it's almost like a private key where you auth via challenge... wait a minute, thought you could sneak PAKE on me?!


Doesn't keeping the seed remove the whole point of one time passwords?

If an attacker steals a TOTP, it's only good for (I think) less than a minute. If they steal the seed, it's good forever.
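The two points made upthread, that the QR code is just a carrier for the seed string (so saving the string is the same backup) and that a stolen code expires within its time step while a stolen seed never does, are visible in the TOTP arithmetic itself. This is an added example, not code from the thread: it parses a constructed otpauth:// URI of the kind an enrollment QR encodes, derives RFC 6238 codes from it, and checks a code the way a server would, with a small skew window. The label and issuer are placeholders; the secret is the public RFC 4226/6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrollment URI (the text an authenticator QR code encodes).
# The secret is the RFC 4226/6238 test-vector key "12345678901234567890"
# in base32; the label and issuer are placeholders.
EXAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the seed and parameters out of an otpauth://totp/ URI.

    A screenshot of the QR code ultimately stores only this string, so
    backing up the string (or just the secret) is equivalent to backing
    up the image.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"].replace(" ", "").upper(),
        "algorithm": params.get("algorithm", "SHA1").upper(),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
    }


def decode_secret(secret_b32):
    """Base32-decode the seed, tolerating the unpadded form most URIs use."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(params, unix_time):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    key = decode_secret(params["secret"])
    return hotp(key, int(unix_time) // params["period"],
                params["digits"], params["algorithm"])


def seconds_remaining(params, unix_time):
    """How long the code shown at `unix_time` stays valid for its own
    time step (ignoring any server-side skew window)."""
    return params["period"] - (int(unix_time) % params["period"])


def verify_code(params, candidate, unix_time, skew_steps=1):
    """Server-side check: accept the current step plus `skew_steps` steps
    either side to absorb clock drift, comparing in constant time.

    A code captured from the user is useless once it falls outside this
    window; the seed itself never expires, which is why a vaulted seed
    needs the same protection as a password.
    """
    key = decode_secret(params["secret"])
    step = int(unix_time) // params["period"]
    for counter in range(step - skew_steps, step + skew_steps + 1):
        expected = hotp(key, counter, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    p = parse_otpauth(EXAMPLE_URI)
    now = time.time()
    print(f"{p['label']}: {totp(p, now)} (valid {seconds_remaining(p, now)}s)")
    # Holding the seed lets anyone reproduce the code for any instant,
    # past or future; these three instants are RFC 6238 test vectors.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(p, t))
```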


Vaulting the seeds is fine - IMO.

They aren't accessed often, are not used during your normal login flow, and provide you a recovery mechanism that actually works.

Yes - you should store them as securely as you can, but I'd say this is better than disabling 2fa entirely, which seems like the other sane approach.


I think that’s the point, and why “very secure” is quoted.


> Doesn't keeping the seed remove the whole point of one time passwords?

You need to keep the seeds anyway to generate OTP codes. They are just keeping them in their vault in addition to keeping them in their OTP app.

As long as those storage methods are sufficiently secure, it's not a problem.


Yes. A lot of the common solutions to making TOTP more user-friendly defeat it. You might as well just use single-factor auth with a strong random password stored in your manager, which is what I do.


Well, we should move to multi-party computation when you can distribute secrets between different devices with redundancy and security.


the point is to have a second factor

which isn't really destroyed by having a printout of what you entered onto your phone somewhere secure

(now if you store both in your password manager: that completely defeats the point)


It doesn’t.

The threat model is someone gets your password, not somebody gets access to your password manager.

If the latter is your threat model then yes having your 2F in there is worse, but really the former is the more common thing to protect against and the tradeoff of not having 2F in your 1Password and getting locked out because your phone breaks is worse than the risk of having it in there.

It’s similar to the tradeoff of having a nano yubikey always in your laptop or a large one on your keys. For most people the nano is better (though you should have a second one in either case)


If you're using a password manager, you probably have one-time secure passwords, so the only probable way someone gets it is by stealing your password manager.


This isn't accurate - they don't get access to multiple stuff.

- Site0 leaks your password because they store it poorly.

- It's just one password, but it's still leaked.

- You have 2F in 1Password so even though it's picked up in an account list the attacker can't login.

- Weeks later you learn there was a breach.

This is the common case for most accounts and breaches. Though the sites most likely to leak are also ones unlikely to have 2F so it's not perfect.


So the attacker gets access to the plaintext passwords but not the rest of the database or the ability to skip the 2FA server-side, and the site doesn't notice. Guess I can see that happening still, since the password DB is likely separate.


Er, not one-time use passwords, I mean the password is only used on one website.


I have a spare cheap android phone with Google authenticator. I export accounts from my primary phone to this phone every quarter or so as a low tech backup.


I would love to save the QR codes, but Google bans screenshots in the Authenticator app.


Other apps will reveal the underlying seed string. No need to deal with QR codes after scanning them once.


Authenticator has an option to generate backup codes. It creates one or two QR codes that you can scan in a new Authenticator app and it will clone all of your accounts.


Good luck trying to save those QR codes, though. I had to resort to pulling out my DSLR to take a photo of my phone with them.

All screenshot/print/save functionality is disabled when you have the codes up on your phone.

You need an actual camera on a second device to save them in most cases.


Not true, I just did it a few weeks ago when moving to a new phone. Just screenshotted the backup QR code and when I got my new phone later I used the screenshot.


At least on recent Android versions, it blocks you from screenshotting it, FWIW.


Not in iOS, apparently. I recently printed out my QR codes by screenshotting Authenticator's export screen on an iPhone. I just tested a moment ago and it still works.


An app can deny access to take screenshots in Android. In iOS, there's no way to deny screenshots, but apps can be notified if a screenshot is taken. What the app then does with that information... you may not know ahead of time. Be careful out there!


Take a photo with a second phone/webcam?


If you're on Android, get Aegis. It's better anyway and you can export backups.


Good idea! That had never occurred to me before this incident.


You have to take a photo of the screen on another phone, Google disallows you from screenshotting them.


Just use a different 3rd party authenticator app


Really? At what point do we blame the victim because this is so obvious to me.

I keep the TOTP and only sometimes keep the backup codes

I avoid the issue created from losing my phone, because the next device can generate codes immediately by importing or scanning the TOTP

I also don’t call it “2 factor” I just call it “one time passcode”


Nothing is "obvious" in tech any more, because there is simply too much. Two "tech savvy" people will often each have things they think is "obvious" that the other isn't familiar with.

And this isn't even a good example of something that is "obvious" to some people, because Google makes it very, very clear that saving the QR code is NOT a backup option. It is labeled only as a mechanism to transfer to a new phone, so one has no reason to believe that it's non-ethereal. Further, the app disallows taking a screenshot. You have to point a camera at your phone. It's mind-blowing to suggest that it might be appropriate to blame the user for not doing this.


all TOTP is the same

it doesn't matter what Google says is normal

is this really people's only experience with TOTP delivered via QR codes?


Do you have access to an Android device (or the Gmail app on iOS)? If you can sign that device into your Google account with one backup code you may be able to get Google login prompts without explicitly authorizing that feature in the blocked account settings page. I know when I have set up crappy tablets with my credentials they automatically started showing prompts to approve logins from other devices. If nothing else it may save you from running out of backup codes.


Hey, so this is admittedly Monday morning quarterbacking, but in the future, you can definitely consider moving from Google Auth to Twilio's Authy [1]. It lets you move devices and all your secrets come with you (it's also got other cool features, but the one that is killer IMO is the ability to migrate from device to device).

https://authy.com/


I can’t recommend Authy enough. It’s multi device from the start and has cloud backup.

I once broke my phone with Google Authenticator on it and I spent 2 days locked out from my work accounts. Never risking that again.


One important note, though, is that the backup and multidevice requires their cloud servers* so the threat model is a little different. They've got a blog on how they do the cloud backup**, but since you need a password it either needs to be something you can remember or be stored in a password vault that doesn't rely on getting a 2fa code from authy for access.

* for the paranoid, there's a mode where it doesn't backup to the cloud, which makes it function the same as google auth, but that does defeat a lot of authy's benefits.

** https://authy.com/blog/how-the-authy-two-factor-backups-work...


I had this same issue just a few weeks ago. I recall being asked for my 2FA on a few separate occasions and could never disable it or switch to a new authenticator app even though I had backup codes. However, I tried it a 3rd time one day and for whatever reason I was able to do it. If I recall correctly, it suddenly gave me the option to instead authenticate with my password again, which I did. Good luck!


Makes sense. They delay 2fa changes on new devices so people don't get their accounts stolen permanently when they lose their backup codes.


Google's 2FA is an absolute embarrassment. Super annoying that Google hasn't yet done more to improve it.

See also: https://news.ycombinator.com/item?id=33895836


I gave a big long speech on security to my company, mentioned that SMS 2FA was junk and to use authentication apps instead, then made 2FA mandatory on our Google accounts… only to find out that you can’t even enable good authentication without enabling SMS 2FA first.

Absolute madness.


Actually there is a way, but instead of enabling SMS you have to enable U2F first, then it will allow you to turn on TOTP. If you don't have a U2F-capable device then you can use a program like softu2f that emulates one on your computer, even if it's just temporary in order to get TOTP turned on.


Good to know, but wow, that's wretched.


Then there is Facebook which won’t let you use your email or phone if hacker changes those. Your email was changed 20 minutes ago? Clearly the one you used for 15 years isn’t trustworthy anymore. Zero way to talk to a human about it.


I was recently trying to log into Slack on a new computer. It required a login and password, and then emailed a 2FA code to my login email. Then it _also_ wanted 2FA code from my mobile app, which it seems wasn't configured correctly on my new phone. The experience left me with multiple questions - what needed to be transferred from my 2FA app on my old phone to my new phone that didn't make it? Why wasn't the email code good enough (as that is literally already two factors?)

I've largely stuck with strong passwords for most of my accounts because of issues like these, and others I saw first hand - such as when my dad used to have a password db on a Palm Pilot. He had no backups; at some point the device failed, and everything was lost. I only felt comfortable moving to a password db once Dropbox became a thing as a result - the balance of security vs. usability is pretty shit if there's a single point of failure with no recovery possible, and I'm not inclined to set up some backup process manually (Dropbox has reliably been something I haven't had to think about for a decade.)

2FA feels a lot like that to me, except now with multiple points of failure that can be difficult to recover. Backup codes feel half-baked; it strikes me as the kind of thing that was tacked on to help the issues around hardware failure/human error that one _should expect and design for_; instead, we put the onus on the user with "your account may be unrecoverable" warnings as an excuse.

A better system, IMO, would have N factors and require one less. Keepass is the place where this has bothered me for some time - I can configure things so my db requires a password, and a file, and a Yubikey - but why can't I have two of three? Hell, why can't I have _one_ of two? If I'm in a car crash and die and I want one particular person to cleanup some aspects of my virtual life, it'd be nice if I could give them a key file and let them know there's a Yubikey in a safe deposit box. I feel secure, as no one has all three tokens but me and two are always needed; but I also feel the system is durable, in case something is forgotten, crushed, lost, etc. I dunno, maybe there's people or companies that already do stuff like this and I just don't know about it.


My fear (disclaimer: I'm a bit ignorant on the topic) is that system breaches will become more common, maybe with the help of AI. Maybe AI will help with social engineering. Maybe it will help with malware proliferation. Regardless, when I hear of groups like LastPass getting breached I'm suddenly much less keen on 1FA.

Besides, some services no longer offer 1FA at all. Google seems to require 2FA of some sort no matter what (although maybe that's just my settings?). So it becomes more important to at least weed out the "bad" 2FA like SMS or security questions. I've heard warnings about Google Authenticator before, something about the inability to make backups or something?


> I've largely stuck with strong passwords for most of my accounts

The problem is, it's virtually impossible for the average human to remember their password if they have a unique, strong password for every site.


> Why wasn't the email code good enough (as that is literally already two factors?)

Can a password reset be done with control of the email? If so, email isn't really a second factor.


It would be useful if people went to their Google Account page, clicked the Security tab, then tried to access the Two Factor Auth page and reported back what options they had to authenticate. Do you have options other than "enter a two factor auth code"? Can you authenticate on that page with SMS or a backup code?


Using the Google app on my Android phone (stock, unrooted, GPlay enabled), the Security, 2FA link launches a WebView screen. It has my username prefilled. When I click Next, I'm given a failure page saying "This browser or app may not be secure". The WebView app is up to date, version 108.


Wow, that's... even worse than my experience.

It would probably work if you used the official browser, it's not a bad idea for the website to block webviews. But pretty funny that their app uses a webview which the service then blocks.


This is exactly my current situation, exacerbated by the fact that I cannot contact support as I am a user of legacy G Suite.

To get support I would need to upgrade. To upgrade I need to enter my authenticator code. To enter my authenticator code I need to contact support...


I had much the same problem with AWS.

Their 2FA login was not working - my logins were rejected.

I think I needed to resync.

The resync pages were not working.

When 2FA breaks, for whatever reason, there is a form you use to let AWS know.

You cannot send a message - only a phone number. AWS will call you back.

Where I was at the time, a phone number was not available.

That was it. End of the road. 2FA not working, could not log in, the Support I could reach could not help. Support suggested "make new account", as of course they do what they can, which means offering options from within their power, and there was nothing they could do (except suggest a new account).

Fortunately, I had no servers running. I don't know what would have happened, if I had.

With email based accounts, the email used to make the account is the email used to recover the password, so making an account also proves the recovery mechanism.

With 2FA, this is not the case.

2FA is absolutely necessary for security, but flawed implementations are I would say much more of a risk than the security issues 2FA defends against.

I am very unlikely to be hacked - I am one in a billion - but if the 2FA mechanism is flawed, it is reasonably likely to affect me.

Large companies are totally unaware of end user experiences, so when for example 2FA recovery is broken, they have no idea this is occurring.

It is dangerous for end-users to rely on large companies to implement systems which can block end-user access to critical systems.


> I am very unlikely to be hacked

More likely to be framed for someone else's crime (maybe someone uses your AWS account to hack others), because, well, who would miss casenmgreen, right? There are non-obvious reasons people should still use 2FA even if they have "nothing to hide".


Microsoft Authenticator syncs across all instances so you just have to log in to a new Authenticator on the new phone and the codes are there. (I think it uses OneDrive).

I am sure that is less secure than a local only copy but this may be least bad of all alternatives.

You might even give a trusted person a login and have it on their phone so you can use theirs in an emergency.


How do you log in to the authenticator itself? If it's MS-account-based, doesn't that itself require 2FA, and you thus have a chicken & egg problem?


It doesn't need a login... only the syncing part uses your account.


Just be happy you didn't get caught up in the G+ debacle. I did exactly what they told me to do to keep from using a real name across their services and they fucked me 10 ways to Sunday for doing so.

Brand account worked great up until ~2013, then they changed something and my settings are all greyed out. Can't update phone numbers, can't view mature content, etc. All I can do is collect AdSense while the account lasts.


Is the only viable solution to have 2FA set up on multiple devices, with at least one device in a "break glass in emergency" type of vault storage?


Yup. I keep a cheap backup Android phone with Google Authenticator installed just for this purpose. Every time I add a 2FA code, I add it to the backup phone. I also print out the QR code, but a backup phone is far more convenient.

I dropped my main phone into the toilet a week ago, completely fried it. Moved the SIM card to my backup phone, and carried on like almost nothing happened. I then powered up my 10-year old Nexus 7 tablet, and duplicated all my 2FA codes to the tablet. When I get a new replacement phone, I will duplicate my 2FA codes again.


This is extremely inconvenient as it means if you're signing up for an account you need to have access to all those devices, even the one that's supposed to be in vault storage (potentially a bank vault, etc).

TOTP just isn't a good protocol for this. Last-resort 2FA should be based on public key crypto where your last-resort device has a public/private key and you can enroll it as a recovery token by providing the (static) public key - this means you do not need active access to the device to enroll it.


I'm trying to push adoption of 1Password in my workplace, and one of the things that drives me crazy about Google's sign-in process is that they obfuscate the 2FA functionality behind two confusingly-named links.

First they present 2FA via the Google Mobile app, and you have to click "Try another way", which makes it feel like something has already gone wrong.

Then they give you the option to the Google App again, to get an SMS message, to use a backup code, or to use "Google Authenticator".

So my instructions to a would-be 1Password user are: Sign in with your email address and password, click "Try another way", and then click "Use Google Authenticator", but don't actually use Google Authenticator; use 1Password.


The problem I had while my company phone got remote wiped: Google Authenticator uses a protobuf-based export QR code, which no other 2FA app supports.

I wrote a small CLI tool that can export all data inside it, and that tries to generate QR code images for each entry for re-import into another 2FA app.

I hope this can help someone with the same problem. I got stuck with a camera photo of this seemingly useless QR code for a couple of hours until I built my tool.

Always remember to back up Google Authenticator, and always make a physical backup of your encrypted passwords database!

[1] https://github.com/cookiengineer/qrcode-extractor


I've found in these situations that the most effective way to solve the problem is to contact a Google employee that you know personally. If you can do this, they can fill out a form where they vouch for you, and you can get the account unlocked.


I had a similar situation with Facebook.

Set up 2FA with an app called Duo-somethingorother.

Broke my phone.

Trying to use Facebook with new phone requires 2FA. Duo-somethingorother app on the new phone won't authorize my Facebook login because the app on the new phone isn't linked to my Facebook account.

Result: I'm locked out of Facebook

Every year or so I follow Facebook's login authentication steps, including sending photos of my government-issued ID, but nothing happens. Facebook support? What's that?

At this point, all I want to log in to Facebook for is to download the photos from my account. But I'm not in Europe, so I have no rights to my photos and nowhere to complain.

You get what you pay for.


> I'm not in Europe, so I have no rights to my photos and nowhere to complain.

If it makes you feel any better, Facebook doesn't care about the law and Europeans don't have any more luck than you do when it comes to this: https://ruben.verborgh.org/facebook/


An interesting read. Too bad the author made himself look like a kook in his correspondence, and thus ignorable by Facebook.

I'd like to see an actual lawyer try it and document the effort with similar rigor. I wonder what the response from FB would be.


Considering the GDPR doesn’t really give you the right to sue by yourself and that the best you can hope is for the regulator to fight for your case, I’m not sure the profession of the data subject would matter.

Keep in mind that the regulator who’s supposed to regulate them is corrupt and complicit so it’s very unlikely anything would work.


I think that as a regular consumer there is not enough training on how to manage secrets. There is a lack of transparency about the implications of enabling/ignoring security settings. I should not have to be a certified security expert to manage my account properly.

The deeper issue is the situation is kafkaesque. Imagine explaining to a stereotypical elderly grandparent (with minimal computer experience) that you need to configure a 2FA TOTP on your mobile phone and save backup codes in a secure location. BTW don’t lose your phone or you will need to initiate a complex recovery procedure. Oh BTW you need to memorize a 20 character length passphrase along with the 30 other websites you use. Perhaps you could use a password manager, but it will need a 20 character length password and 2FA TOTP as well. Oh make sure you certify the password hashing function and iteration count follows current NIST-800 guidelines. It will need to reauthenticate periodically so don’t forget your password manager’s passphrase. Be sure to make it a sentence and sprinkle in a number and punctuation mark or two.

Oh Back to your original account: It might prompt you to log with a previously known authenticated mobile app at random. There is also a random AI agent scoring how secure your device is and can cancel you at anytime. Oh BTW if you want have extra protection buy this $30 hardware key we don’t advertise. Actually buy two hardware keys and keep one offsite just in case. Don’t use that key use this one. We might drop the other key for unknown reasons. The key might be exploitable since it has Bluetooth so keep it shielded in a faraday cage at all times.

The security policy can change at anytime with no warning or requirements notification update. Do not contact customer service, because you are not a customer but a product being sold at data mining auction. Instead you will need to plead your case on Twitter, Reddit, or Hacker News and pray someone working at the company sees it and is willing to help.


Tip: You can bulk export your Google Authenticator app secrets for a disaster recovery like this. I had not seen this functionality before but I'm glad it existed when setting up a new phone yesterday. I remember the old high-friction way of having to deregister and reregister for each account.

Howto:

  ... menu in top right -> export accounts
  make sure all are selected, select export
  It will generate a series of dense QR codes.
  Screenshot / photograph / add to backup phone, save and print for your document safe, whatever.
Of course, this doesn't help if you're already in a loss situation. But recovery this way is SO much easier than typing in a backup code. Recovery is as quick as having the app scan each of the QR codes in sequence. For me it was just 3 dense QR codes.

I was a little surprised that it was this easy to extract all the secrets. I'm going to have to think even more carefully about what TOTP secrets go in there now.


OP: Do you still have adb running on the phone?

If yes, then you might be able to backup google authenticator's data using adb.

Alternatively maybe a tool like scrcpy [1] might be able to help when the screen is broken.

[1] https://github.com/Genymobile/scrcpy


I lost access to my Coinbase account a while back because I was using Authenticator on the iPhone and when I bought a new phone and set it up, my Authenticator codes did not transfer with the rest of my data. At that point I stopped using Authenticator. I hope that's still not an issue upgrading iPhones today.


This is by design with the app. There are other authenticator apps like authy that save/sync 2FA.


I use OTP Auth[1] and enable its iCloud sync function to guard against this specific scenario.

1: https://cooperrs.de/otpauth.html


Related: I recently bought some Yubikey Security Keys (U2F/FIDO2/WebAuthn only) and decided to update all websites I use with those keys. The problem is virtually no website supports them. I think out of the hundreds of accounts I have only Google, Cloudflare, and 1Password support them. But also the UX is a bit of a disaster:

https://blog.silverorange.com/web-authn-ux

I had an old set of YubiKeys which I used as a MFA option for LastPass. In comparison to WebAuthn, the process is dead simple. Input master password and LastPass prompts to touch yubikey. Dead simple with no scary dialogs. I have not seen any website offer an integration with Yubikeys like that. Is that only possible because LastPass was a Chrome extension? Or is it simply lack of demand?


The problem with these 2FA systems is that they require access to the 2FA device during enrollment which makes it very inconvenient/impossible to maintain a backup device in off-site secure storage as you'd need access to it every time you create a new account.

There needs to be a new 2FA standard which only needs the public key of the authentication instrument during enrollment - that way the actual instrument doesn't need to be accessed when creating new accounts and can be kept in secure storage, only accessed in an actual disaster situation.


Thank you for posting and reminding us that multiple 2FA methods are a good backup plan with Google.

I just added:

- SMS - Authenticator app (Authy, of course) - Generated backup codes

That in addition to my Pixel 4, and maybe 3-4 authorized devices (laptop, ubuntu desktop, windows desktop), I feel a bit better about this.

Sorry for your trouble though, I hope you figure it out.


This is horribly frustrating and I'm sorry you are facing this.

The thing I have taken away from these continual Tell HN posts about Google accounts getting locked up because of 2FA is that the "something you have" factor needs redundancy. I now have my phone, and 4 YubiKeys on my household's car keys and in a trusted friend's and a family member's fire safe. These have also given me enough stress that when I visited home for the holidays I added a handful of additional security keys to my aging parents' Google accounts to go with their SMS 2FA.

Personally I would rather have accounts which are secure and can be lost if I am not careful with my 2nd factors than one that has vulnerabilities that the whole internet can attempt to exploit, but I realize others do not have that same priority.


Any possible way to upgrade to a paid account, personal or business, that would grant access to the proper level of support to fix this?

I realize it's paying the people holding the account hostage, just thinking of practical solutions to get in touch with the right support level who could assist.


I do recommend getting 2fas.com ASAP and exporting your codes to iCloud/G Drive.

If you lose the phone it's easier to recover.


Yeah, apparently that 2FA handshake is crucial with some providers. I was not expecting this, I thought careful management of my 2FA backup codes would suffice!


I would also suggest https://authy.com It has apps for phones/tablet and desktop.


At the recommendation of some of those here, and with the help of a webcam to capture my Authenticator QR code, I successfully moved everything over to Aegis. I set up a strong password, stored in my password vault. Aegis lets you do biometric login.

Took a screenshot of Authenticator's export QR code via the webcam, then added it with Aegis. Then went to Aegis's Settings->Backup and exported a JSON backup, which is encrypted with the password.

That's a bit more peace of mind.


When I was 16 I locked the keys in my parents old car when I drove it so many times that my father, having grown tired of coming to my rescue, put a spare key on a dog tag chain and told me to wear it around my neck. I continued locking the keys in the car when I would drive it, but it was never a problem again.

Now I keep a key chain with a yubikey on it that serves as a redundant option for 2fa to authenticate my google account, in addition to the app in my phone. I actually have two of them and the other is in a secure remote location. If you are doing anything critical in your google services you must have multiple 2fa options for disaster recovery.


Every Google Authenticator entry I have I duplicate onto a second device that I keep in a safe. My fear of losing my phone has decreased quite a bit when I started doing this.

To export your codes, click top right ... and then "Export Accounts".


I've got a fully airgapped Raspberry Pi, an old version (one without WiFi capability), which has a copy of all my "Google Authenticator", TOTP style, secrets. I made a little terminal app (so no need for a mouse / no need to boot into a GUI), with my secrets protected by a password.

I use that in addition to Google Authenticator on my phone.

And in addition to paper backups of the secrets (I don't print the QR code: I write the secret down, like 16 letters) which I keep in a safe.

I've also set someone as the person of trust should I not access my email for 6 months.

And I set up webauthn as well.

It's a pain, but I don't want to have to deal with an account I lost access to.


There are going to be way too many people affected by this within the next few years as warranties expire and it's not worth repairing phones. There is no way they won't come up with a better solution as they see engagement drop across all of their properties.

That said, this is probably a business opportunity for reverse engineering and recovering the 2FA code from broken phones. I suspect there is a key stored locally, and tied to the device id. If you could get a setup together for reliably extracting/cloning that info, people locked out of essential services would be willing to pay.


Here is an anecdote. I had my iPhone replaced last year due to a battery issue and I forgot to migrate my authenticator codes to the new phone (I did not realize they did not restore if you changed phones). I was able to log in via a known authenticated web browser and reset my 2FA TOTP. I am a little hazy on if it used my mobile gmail app as a second factor though (with content restored from backup). I did not need my backup code. Perhaps it would be good to get an additional hardware security key for the account just in case.


Another reason to root your phone first thing before you use it for anything.

Was in a similar situation; having a real backup of every app's data (including the "secret" data) saved me a couple of times.


If there is anything worse than having no 2FA, it is having 2FA with Google. Like, if something is messed up the only way (if any) to recover access to your account is by asking here on HN.


Get off Google so you don't have to deal with zero customer service:

https://github.com/tycrek/degoogle


I use fastmail almost entirely, this is a historical account. My wife just happened to share something to my Google docs leading me to log into this mess today


Add this to the list of reasons I don't fk with Google Authenticator. It used to be hard to even get the backup codes, or maybe it still is, idk.


Don’t trust any apps to handle backup and syncing of TOTP keys for you. Glitches happen.

I encrypt and back up all TOTP secret keys, which are used to generate the six-digit codes, to my local offline password store (USB key and paper). In fact, I mostly use my laptop as the second factor because it is more convenient. My phone also has the TOTP key and in case it is lost, I can just regenerate the QR code.
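As an added example, not code from this thread or from the qrcode-extractor project mentioned above, here is a stand-alone decoder for the otpauth-migration://offline?data=... payload that Google Authenticator's "Export accounts" QR codes carry (the protobuf format discussed earlier in the thread), which turns each entry back into a standard otpauth:// URI and derives its code from the raw secret, the same thing the "regenerate the QR code from the secret" approach relies on. It assumes the community-documented protobuf field numbers (MigrationPayload.otp_parameters = 1; OtpParameters secret = 1, name = 2, issuer = 3, algorithm = 4, digits = 5, type = 6, counter = 7), not an official Google spec, and the sample payload is constructed around the RFC 6238 test secret.

```python
# Added example (not code from the thread or the qrcode-extractor project): decode a
# Google Authenticator "Export accounts" QR payload into plain otpauth:// URIs and
# compute codes from the recovered secrets. Field numbers below are the community-
# documented schema (an assumption, not an official Google spec).
import base64
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlparse

ALGORITHMS = {1: "SHA1", 2: "SHA256", 3: "SHA512", 4: "MD5"}  # enum values; 0 = unspecified
DIGITS = {1: 6, 2: 8}
TYPES = {1: "hotp", 2: "totp"}

# Constructed sample export (not a real account): one TOTP entry holding the RFC 6238
# test secret, hand-encoded the way the migration payload lays it out on the wire.
SAMPLE_PAYLOAD = (
    b"\x0a\x38"                                    # field 1, OtpParameters, 56 bytes
    b"\x0a\x14" b"12345678901234567890"            #   secret (raw bytes, not base32)
    b"\x12\x11" b"alice@example.com"               #   name
    b"\x1a\x07" b"Example"                         #   issuer
    b"\x20\x01" b"\x28\x01" b"\x30\x02"            #   algorithm=SHA1, digits=SIX, type=TOTP
    b"\x10\x01" b"\x18\x01" b"\x20\x00" b"\x28\x2a")  # version, batch_size, batch_index, batch_id
SAMPLE_EXPORT_URI = ("otpauth-migration://offline?data="
                     + quote(base64.b64encode(SAMPLE_PAYLOAD).decode(), safe=""))


def _read_varint(buf, pos):
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def _read_fields(buf):
    """Yield (field_number, value); this schema uses only varint and length-delimited."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire = key >> 3, key & 7
        if wire == 0:
            value, pos = _read_varint(buf, pos)
        elif wire == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError(f"unexpected wire type {wire} in field {field}")
        yield field, value


def _parse_otp_parameters(buf):
    p = {"secret": b"", "name": "", "issuer": "", "algorithm": "SHA1",
         "digits": 6, "type": "totp", "counter": 0}
    for field, value in _read_fields(buf):
        if field == 1: p["secret"] = value
        elif field == 2: p["name"] = value.decode()
        elif field == 3: p["issuer"] = value.decode()
        elif field == 4: p["algorithm"] = ALGORITHMS.get(value, "SHA1")
        elif field == 5: p["digits"] = DIGITS.get(value, 6)
        elif field == 6: p["type"] = TYPES.get(value, "totp")
        elif field == 7: p["counter"] = value
    return p


def decode_migration_uri(uri):
    """Return the account dicts packed into one export QR code."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    # parse_qs turns a raw '+' into a space; restore it and re-pad the base64.
    data = parse_qs(parsed.query)["data"][0].replace(" ", "+")
    payload = base64.b64decode(data + "=" * (-len(data) % 4))
    return [_parse_otp_parameters(v) for f, v in _read_fields(payload) if f == 1]


def to_otpauth_uri(p):
    """Rebuild the standard otpauth:// URI that any other TOTP app can import."""
    label = f"{p['issuer']}:{p['name']}" if p["issuer"] else p["name"]
    secret = base64.b32encode(p["secret"]).decode().rstrip("=")
    query = f"secret={secret}&algorithm={p['algorithm']}&digits={p['digits']}"
    if p["issuer"]:
        query += f"&issuer={quote(p['issuer'])}"
    if p["type"] == "hotp":
        query += f"&counter={p['counter']}"
    return f"otpauth://{p['type']}/{quote(label)}?{query}"


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: dynamic truncation of HMAC(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, digits=6, algorithm="SHA1", at=None, step=30):
    """RFC 6238: HOTP over the 30-second time step (at=None means now)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algorithm)
```

Feeding a real export through decode_migration_uri shows exactly why the thread treats the export QR as equivalent to the secrets themselves: every seed comes out in the clear, so the image deserves the same handling as a printed backup code.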


It’s worth mentioning that, although Google Authenticator allows one to export two factor authentication codes, it’s only in the format of a QR code that can be scanned by another phone. It doesn’t provide the option of exporting 2FA codes in an encrypted file that one could store in a safe place.

So it seems that the backup is intended that the user purchases a second phone!


Google's 2FA is terrible for Google Workspace when you add a phone number. In that case, you are at the whim of the country to allow your SMS to be received (a serious consideration in some parts of the world). When a phone is added, you will not be able to use a device for 2FA; it always defaults to SMS!


Are you sure you didn't overlook the "try another way" button?


The person who successfully convinced people that 2FA is actually more security is the biggest scumbag in history.

The lost productivity dealing with shitty 2FA implementations and the subsequent shitty customer support is enough to build all 7 wonders of the world many times over.


I use Authy with a second backup phone. You can install Authy on two or more devices so you can recover from situations like this. After the backup phone is set up, I turn off the ability to add more devices in the settings.


Github sure does seem to have the best 2FA, methods, recovery options, etc. All super straightforward and reliable.

Has anyone experienced otherwise with Github?

I wish all platforms modeled their 2FA to be like Github's.


Interesting. I have to 2FA to get into my account but when I go to modify 2FA I only need my password.

Thank god I keep 2FA in Bitwarden. I did not realize I'm this close to losing my Gmail. Jesus.


This seems like a bug, not a feature.

Personally I have Authenticator for day to day use, a Yubikey for restoring access if something happens to my phone, and backup codes.


If you also have SMS codes enabled, in addition to the authenticator app, will the SMS codes work if you lose access to your authenticator app?


Same thing happened to me. The backup paper 2FA codes I kept failed when my Pixel phone spontaneously bricked itself.


Always backup your 2FA.

I keep a cold yubikey in a locked cabinet at work as well as my TOTP secret, encrypted and printed.


What you are supposed to do in this situation? Post on HN / Reddit


I hate current popular implementations of 2FA and similar IT fads for this exact reason. They are inherently insecure, and any security professional who pushes them without serious thought through all the failure modes should be blacklisted from the industry.


This isn't a security flaw, this is incompetency. Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

They could've done the same with any method of authentication. Using a password isn't even enough for Google any more these days, look at Gmail+IMAP.

This is pure incompetency, not a flaw in 2FA. Whatever device this person is on has been flagged insecure enough to need repeated re-authentication of the highest level, locking them in a loop until the recovery mechanisms are exhausted.

Competent support would also have helped. Google doesn't do support for almost all of its customers but in a normal company, a support agent would've been able to help restore the account. Sure, Twitter has shown us that such support can also be a major risk to important or famous people, but that's why Google has a special program you can enable that will lock down security even more.


>Google not allowing disabling or altering 2FA after resorting to a backup code is simply bad design.

You would think that using a backup code would prompt a "Do you want to alter 2FA?" work flow since the user is already at the 2FA has gone wrong point.


I'm sorry, but when you lose control of and access to your data, but someone else has control and access, that is a security flaw. There is no meaningful difference between broken 2FA and ransomware.


Competently administering 2FA essentially requires human intervention to handle the "I lost all my credentials" case because it will happen with probability 1 eventually. Workplaces can do this because you can call IT and have an already established identity based in the real world.


100%. I've never had any issues with IRL 2FA. If I lose or damage my CAC card I can go to the ID card office with a different photo ID and get a new one with new certificates and set a new PIN. My old certificates will be revoked.

But that's not what's currently popular. What's currently popular is just to check a box with some poorly thought-out system and screw anyone who ever loses their phone number or 2FA device. That's dangerous and unprofessional.


The problem with this is that we are talking about pseudo-anonymous signup for websites. They can't go back and verify the credentials you used to create the account because you didn't provide any. But if this is the case then the help desk is a major security vulnerability, since just anybody can claim to be you and take over your account. The help desk has little to no way to actually verify your identity.

At the very least if the helpdesk does reset your account, there should be a 48 hour lockout and a message sent to the account allowing the owner to dispute the change. Yes it is inconvenient in cases where the actual owner lost all of their login credentials, but this is hopefully rare.


Passwordless is going to make this even worse - there's no migration path (yet) from platform ecosystems to each other. I've not seen any serious progress on how to switch from Apple to Google, which doesn't involve doing things one by one, site by site.

And more to the point, a way of handling "I've lost my phone and had to buy a new cheap one" seems to be a potentially problematic edge case. Bootstrapping trust and authentication for end users without any physical token is hard, but seems necessary, especially for non technical end users, for whom password reset processes might even be the default route of access.


2FA is any two of what you know, what you have, or who you are.

It would be so easy to have a Google Android/iOS app that lets you take a photo of a credit card matching a payment method from the Play Store or one of Google's paid services. That proves something you have in addition to your password.

Though, TBH, Amazon is probably in the best position to solve this problem. They have payment methods and they have physical presence everywhere. Companies like Google or whomever could hook into an Amazon API to verify identity with a one-time recovery code.

How do you get the recovery code? You show up at Whole Foods or Kohls or eventually even to an Amazon Hub Locker and prove your identity with a photo ID card. You're then provided a recovery code linked to one of: your full legal name, an e-mail you've already had registered with your Amazon account, a phone number you've already had registered with your Amazon account, or a credit card number you've already had registered with your Amazon account.

A service that knows one of those things about you can then be recovered by submitting the key and selecting the link modality. (Keys submitted with the wrong link modality should be invalidated, obviously.)
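The binding-and-invalidation rule in the proposal above (a single-use code tied to exactly one link modality, spent even when submitted with the wrong one) sketched as an added example. This is not code from the thread or from any Amazon or Google system; the issuer, the modality names and the sample identifiers are all constructed for the demo, and the in-person ID check that would precede `issue()` is outside its scope.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical set of link modalities a recovery code may be bound to.
MODALITIES = {"legal_name", "email", "phone", "card_number"}


@dataclass
class RecoveryRecord:
    modality: str
    identifier_digest: bytes  # keyed hash of the bound identifier; never stored in clear
    expires_at: float
    used: bool = False


class RecoveryIssuer:
    """Hypothetical issuer handing out single-use recovery codes after an in-person ID check."""

    def __init__(self, ttl_seconds: int = 3600):
        self._records = {}            # digest(code) -> RecoveryRecord
        self._ttl = ttl_seconds
        self._pepper = secrets.token_bytes(32)  # keyed so a DB leak does not expose codes

    def _digest(self, value: str) -> bytes:
        return hmac.new(self._pepper, value.encode(), hashlib.sha256).digest()

    def issue(self, modality: str, identifier: str, now: float) -> str:
        """Mint a code bound to one (modality, identifier) pair; the caller has verified ID already."""
        if modality not in MODALITIES:
            raise ValueError(f"unknown modality {modality!r}")
        code = secrets.token_urlsafe(24)  # 192 bits of entropy, URL-safe for typing into a form
        self._records[self._digest(code)] = RecoveryRecord(
            modality=modality,
            identifier_digest=self._digest(identifier),
            expires_at=now + self._ttl,
        )
        return code

    def redeem(self, code: str, modality: str, identifier: str, now: float) -> bool:
        """Consume the code. Any attempt spends it; only the correct modality and identifier succeed."""
        record = self._records.get(self._digest(code))
        if record is None or record.used or now > record.expires_at:
            return False
        record.used = True  # single use, regardless of outcome below
        if modality != record.modality:
            return False     # wrong link modality invalidates the code, as the proposal requires
        return hmac.compare_digest(record.identifier_digest, self._digest(identifier))


if __name__ == "__main__":
    issuer = RecoveryIssuer()
    code = issuer.issue("email", "alice@example.com", now=1000)          # constructed identifier
    print(issuer.redeem(code, "phone", "alice@example.com", now=1001))   # False: wrong modality
    print(issuer.redeem(code, "email", "alice@example.com", now=1002))   # False: already spent
```

Spending the code on a wrong-modality attempt is deliberate: a relying party that guesses modalities gets one try per code, so a leaked code cannot be brute-forced across the four link types.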


Try enrolling another 2FA method while you're in there.


I cannot access the Two Factor authentication page at all - it is when attempting to access that page that I'm forced to log in again and provide a 2FA code.


Weird, this used to work... I guess they changed it at some point.


You might be surprised just how subtly corporations will break accounts that they are suspicious of. There is a whole world of anti-bot measures that come across to humans as just slightly odd behavior or weird bugs. It can be weirdly capricious as well. For example, I recently was having trouble logging into a website and was having to do a ton of SMS re-authentications. When logging into the website using Chrome I was given SMS messages with a 15 minute timeout. When logging in with Firefox the same SMS verification message only had a 5 minute timeout. Several times I would go through the authentication flow and then the service would seem to just crash, loading only a blank page, but I'm pretty sure that was just an anti-bot measure kicking in. I eventually only got it to work normally by switching over to my phone's hotspot. The website was just hating on my IP address for no disclosed reason.


It's a mistake to believe that every user will uniformly see the same things on the same pages. Google's account abuse system will offer different options to different users based on how suspicious their behavior appears to be.


Which abuse system? I worked there and I wasn't aware of myaccount changing behavior based on how "suspicious" the session is. In fact, I didn't know sessions had such an attribute, assuming this is true. Granted, I didn't work on the account dashboard, but still.

I'd assume it's more likely the behavior really is changing, specifically because in the past, the user's login session was treated as a valid factor alongside the user's password for disabling 2FA, which was criticized as being less secure than expected. However, I'm not sure they intended for the fix to that to not allow backup codes...


Which non google 2FA app would folks recommend?


I hear Aegis is good. It allows backups.


It’s always good to have a Yubikey


Proton mail for the win


TOTP is bad 2FA. Google supports U2F security keys. Use them.


If you lose your U2F security key, are you sure you'll be able to remove it from your Google account? Because what I'm experiencing right now is that they support TOTP and you can't remove it if you lose it.


Specifically you need multiple registered keys, to prevent this current situation.

But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

When it's e.g. a corporate-controlled account and your IT desk can just reset it to "password123!" to let you back in, it's quite a good trade-off. When it's your main email, i.e. your primary online identity, losing access is kinda a big deal, and Google has famously bad support.


> But yeah, this is why I dislike 2FA. There are clear security benefits, but it comes with the extreme downside of "what you know is not sufficient".

But that's not even the problem here. OP has the "what you have". Just because the secondary authentication device is made of paper doesn't mean it's any less valid. But google is rejecting it and demanding the lost device.


More moving parts means more failures (as demonstrated), and in this case what they have has a (possibly very short, depending on their upcoming needs and how Google decides to re-verify them) time limit until they no longer have it.

So... sorta yes, sorta no. What they have is a ticking time bomb which goes off at the whim of a company that clearly does not care about them. That's not really "an authentication device" that anyone would willingly choose.


I used to do this but it was a hassle to set up. I can't imagine a normal person (less interested in tech) using this.


How does it work if you have 3 Gmail/Workspace accounts? Do you need multiple keys for each account?


The keys can be used on any number of accounts.


Yes, I lost a key 6 months ago and removed it from my Google account. I have multiple other U2F keys also registered.


Having those extra registered I think is the missing bit. The OP could have also registered additional 2FA methods, but didn’t thinking backup codes were as advertised.


> TOTP is bad 2FA

How so? The only downside is that you have to glance up and make sure you're on a google.com domain before entering it, in exchange for which you get massively simpler implementation, a wider variety of options, and the ability to back up the token if you really want.


"just glance up at the address bar" is not phishing-proof, and is failure prone.
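An added example, not from the thread, putting numbers on the "TOTP is bad 2FA" claim and the "just glance at the address bar" reply above. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library (checked against the RFC test-vector key, ASCII `12345678901234567890`), then runs a constructed phishing relay against both a TOTP code and an origin-bound U2F-style assertion. The origins, the registration key and the relay are all assumptions for the demo; the U2F side is simplified to an HMAC so it runs offline, whereas real U2F/WebAuthn signs with a per-registration ECDSA P-256 key. The property it demonstrates is unchanged: the browser, not the page, puts the origin into the signed data, so a code relayed from a lookalike domain fails verification.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test-vector key (constructed, not a real user's secret)
DEMO_TOTP_SECRET = b"12345678901234567890"

REAL_ORIGIN = "https://accounts.google.com"
PHISH_ORIGIN = "https://accounts-google.example"  # hypothetical lookalike, constructed for the demo


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


# Simplified origin-bound assertion standing in for U2F/WebAuthn (HMAC instead of ECDSA).
def authenticator_sign(reg_key: bytes, origin: str, challenge: bytes) -> bytes:
    signed = origin.encode() + b"\x00" + challenge  # origin is supplied by the browser
    return hmac.new(reg_key, signed, hashlib.sha256).digest()


def rp_verify(reg_key: bytes, expected_origin: str, challenge: bytes,
              client_origin: str, sig: bytes) -> bool:
    """Relying party: reject any origin it did not register, then check the signature."""
    if client_origin != expected_origin:
        return False
    expected = authenticator_sign(reg_key, client_origin, challenge)
    return hmac.compare_digest(expected, sig)


def phishing_relay_demo(now: int = 1674086400) -> dict:
    """Attacker proxies the login page at PHISH_ORIGIN and relays whatever the victim submits."""
    # TOTP: the code carries no notion of where it was typed, so the relay is accepted.
    code_typed_on_phish = totp(DEMO_TOTP_SECRET, now)
    totp_ok = verify_totp(DEMO_TOTP_SECRET, code_typed_on_phish, now)

    # U2F-style: RP issues a challenge, attacker forwards it, victim's browser signs with PHISH_ORIGIN.
    reg_key = hashlib.sha256(b"constructed registration key").digest()
    challenge = secrets.token_bytes(32)
    sig = authenticator_sign(reg_key, PHISH_ORIGIN, challenge)
    # Honest relay: origin mismatch, rejected.
    relayed_ok = rp_verify(reg_key, REAL_ORIGIN, challenge, PHISH_ORIGIN, sig)
    # Attacker rewrites the origin field: signature covered PHISH_ORIGIN, still rejected.
    forged_ok = rp_verify(reg_key, REAL_ORIGIN, challenge, REAL_ORIGIN, sig)
    return {"totp_accepted": totp_ok, "u2f_relayed": relayed_ok, "u2f_forged_origin": forged_ok}


if __name__ == "__main__":
    print(totp(DEMO_TOTP_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
    print(phishing_relay_demo())
```

The drift window in `verify_totp` is the usual operational trade-off: each extra step accepted widens the interval during which a relayed code stays valid, so keep it small and rate-limit attempts.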


Google 2FA is a security feature that requires you to enter a code to access your account. It is a second layer of security to your account.


ChatGPT?


Side-comment: is there a type of shadowban with HN where my posts do not make it into the frontpage, even 2 or 3 or more pages deep?

I've seen this with a few of my posts recently where they appear in the 'new' and 'show' or 'ask' tabs, but not the frontpage.. even 300 posts deep while similarly aged and upvoted posts are on second page.

edit: now it's on the frontpage! Guess it just had to hit a vote threshold.


I clicked into this off the front page.


Just updated my comment, I guess there's some other criteria or age to hit before it gets ranked.


I believe that text posts are ranked lower than links.


Among other weighting factors, HN-as-customer-support-of-last-resort posts have recently started being downweighted.

See: <https://news.ycombinator.com/item?id=34444459>
