Any user that didn't pay attention when they were loudly and clearly told "SAVE THESE CODES OR YOU MAY LOSE YOUR ACCOUNT" probably doesn't actually care about their account that much.
Or maybe, when they're first setting this up, excited about the new thing in their life that is their first smartphone or something, they don't realize yet that couple years down the line, half the things in their life will be gated by the Google account login form.
When first set up, the Google account really isn't something to care about. It only over time, and you getting used to all the conveniences it offers, that it slowly but surely becomes important.
Uhm, really? Company punts on how to actually secure it by saying "store in a safe place" so now it's all on the user? Aren't we back to writing your long, complex PW on a post-it note then, with the extra step of "lock up your post it!"?
> Company punts on how to actually secure it by saying "store in a safe place" so now it's all on the user?
Yes, it's on the user, who else would be responsible for that? A Google employee isn't gonna go to your house to install a safe for you so you can store it securely. You can argue all day that the average person often can't be trusted with these things but I fail to see how this is anyone's problem except their own, at some point we need to stop treating adults like babies that need their hands held through everything and let them learn that their decisions have consequences.
99% of people don't need that kind of security any way, just keep a piece of paper with the codes somewhere hidden that you can remember, you don't need to have access to them all the time unlike a normal password.
> at some point we need to stop treating adults like babies that need their hands held through everything and let them learn that their decisions have consequences.
Never underestimate the massive market advantage gained from treating adults like babies and handling all manner of frustrations for them.
UX researchers would call that "A good user experience."
I much prefer this approach (and can take responsibility because I feel perfectly empowered to make as many copies and backups of my recovery keys as I need to make it effectively impossible for me to ever be locked out), but this whole thing points to how giving people the security they claim they want is at odds with their convenience at every touchpoint. I have repeatedly refused a family member's request to set a front door access code that is any family member's birthdate, a very common habit because that's the kind of thing people want to use.
I continue to believe that security for nontechnical users is not a solved problem. WebAuthN or whatever may someday help solve this puzzle, but only if someone packages it in a way that is so frictionless that it's easier than just using your birthday and initials as your password for every account like my dad did. And if the recovery story for the "All my electronic devices fell into a lake" situation is something less exploitable than the pathetic SMS. I'm thinking notarized letter as someone else pointed out.
Can't really blame the user when every (software) license agreement they have to click on also has more than 50% all caps. It's a form of fatique.
Even as a technician i stopped caring about all caps and the license agreement. It boils down to two choices "You want to use this? Click yes and agree on things you don't understand" or not use it at all.
