Tell HN: It is impossible to disable Google 2FA using backup codes

I would like to inform the HN community, if your plan to recover your Google account in the event of losing your phone is to use a 2FA backup code, or SMS recovery, to remove the old 2FA setup and set up a new 2FA code, that that may not be possible.

My situation:

I had 2FA set up with my Google Account through Google Authenticator.

I lost my Google Authenticator settings when I broke my phone.

I have 2FA backup codes. These successfully log me into my Google Account.

In order to disable 2FA, or generate new 2FA backup codes, I need to access the 2FA settings page under the Security tab. When I try to load the Two-factor authentication page, I am forced to re-authenticate with Google.

When re-authenticating to access the 2FA page, there is no option to enter a 2FA backup code or SMS verification to pass the 2FA challenge. The only option under "Choose a way to verify" is to enter a 2FA code. Entering a backup code instead of a 2FA code returns an error.

What am I supposed to do in this situation?

Yes this is a classic "maybe I can get support through public shaming" attempt. Thanks in advance.

  • Oh my god. 2-Step verification on your Google Account is actually less secure than not using it at all.

    I just posted about something similar maybe 3 months ago?[1]

    > I kid you not. Google's actual official answer to this is... create another account![1][2][3]

    > Edit: Now that I have your attention:

    > PSA: Go create "Backup codes" for your Google Account in your 2-Step Verification settings.

    > [1]: https://support.google.com/accounts/troubleshooter/2402620?h...

    > [2]: https://support.google.com/accounts/answer/7682439

    > [3]: https://support.google.com/accounts/answer/7299973

    [1]: https://news.ycombinator.com/item?id=33692942

  • Whenever one of these threads about Google (or Apple) come up, I am shocked at the lack of response from people working at those companies. It seems reasonable that this site would be where you'd find someone from a team that interacted with logic that OP is having trouble with.

    I'd expect to see something like a "hey, yeah, I know a guy on our team that might be able to get in touch with the team who maintains this. I've sent them this thread"...

    I'm hoping OP got a private message.

  • This is why I use SMS as my second factor for my Google account. Much harder to lose. It could be vulnerable to sim swapping attacks, but I consider Google locking me out of my own account a more likely threat (and frankly I'm probably not a high-profile enough target for anyone to bother with that, and in any case they'd still need my password).

  • I just tested this.

    You should not disable 2FA.

    - Just click on the Authenticator app

    - Change Authenticator app

    - https://ibb.co/dPCMpdN

    Just works.

  • I completely believe you. I got in a similar situation in 2020. In that case it was a change of password of the main account that went wrong. How?

    Don't know, I have a password manager that captured the password I inputted and it was exactly as it should have been inputted. But when I put it in Google it told me that it was incorrect.

    When I commented to people, everyone told me that they could change their password doing this and that, but... I wasn't. Looks like there are different security levels based on arbitrary rules, and what a user could do, I was unable to do.

    I only had the account logged in on my phone, and every day I kept restoring the account, every day unsuccessfully.

    One day, 5 weeks after the day it happened, doing exactly the same as on the previous days, one of the recovery attempts worked out, and I was able to reset my password.

    It completely put me off using google services, but God, it is hard to abandon your first mail services, I got way too many things hooked up with them.

  • Maybe too late to give you any helpful advice, but setting up Advanced Protection may make sense. You need to buy at least two (preferably three) YubiKeys and the password plus any of these keys allow you to login to your account. Nothing more, nothing less. Costs a few bucks, but at least the auth flow is very clear.

    Another thing you can do is to wait for a week and see if anything changes. Having the session last for more than a week may give you more options in passing the challenge.

  • > What am I supposed to do in this situation?

    This. Support systems in the world, post computers eating everything, are basically HN posts.

  • My advice is only actionable for others, not OP.

    You should have backups on places other than the phone.

    I warmly recommend andOTP for managing your TOTPs. It's open source and available on F-Droid.

    https://f-droid.org/en/packages/org.shadowice.flocke.andotp/

  • “How’s our 2FA working out?”

    “Fantastic. We haven’t heard from anyone with a complaint!”

  • I lost a bunch of email addresses because they decided to start enforcing the use of security answers even when I had the correct password. Then I lost some more email accounts because I logged in from different locations (I moved) and they thought I was a fraud, even though I was able to confirm using the backup email address. I'm fairly concerned that eventually I'm going to lose all my email addresses due to these increasingly draconian requirements that are sprung upon us.

  • Many years ago, I lost my phone with Google Authenticator (which doesn't have a backup option like Authy does) and got locked out from AWS. The next day there was a production issue with our website. Long story short, our website was down for more than 2 weeks while I was trying to regain access to our AWS account. #2faneveragain

  • To avoid a situation like this, I keep backup screenshots of the 2FA QR codes stored off-line on an encrypted USB drive.

  • And that is why I utilize the "very secure" flow of also keeping the original QR codes ... in a KeePass vault, but still.

    Most of the security is theater. On the other hand I think that every tech savvy person should at least try to keep the TOTP seeds.

  • Do you have access to an Android device (or the gmail app on IOS)? If you can sign that device into your Google account with one backup code you may be able to get Google login prompts without explicitly authorizing that feature in the blocked account settings page. I know when I have set up crappy tablets with my credentials they automatically started showing prompts to approve logins from other devices. If nothing else it may save you from running out of backup codes.

  • Hey, so this is admittedly Monday morning quarterbacking, but in the future, you can definitely consider moving from Google Auth to Twilio's Authy [1]. It lets you move devices and all your secrets come with you (it's also got other cool features, but the one that is killer IMO is the ability to migrate from device to device).

    https://authy.com/

  • I had this same issue just a few weeks ago. I recall being asked for my 2FA on a few separate occasions and could never disable it or switch to a new authenticator app even though I had backup codes. However, I tried it a 3rd time one day and for whatever reason I was able to do it. If I recall correctly, it suddenly gave me the option to instead authenticate with my password again, which I did. Good luck!

  • Google's 2FA is an absolute embarrassment. Super annoying that Google hasn't yet done more to improve it.

    See also: https://news.ycombinator.com/item?id=33895836

  • Then there is Facebook which won’t let you use your email or phone if a hacker changes those. Your email was changed 20 minutes ago? Clearly the one you used for 15 years isn’t trustworthy anymore. Zero way to talk to a human about it.

  • I was recently trying to log into Slack on a new computer. It required a login and password, and then emailed a 2FA code to my login email. Then it _also_ wanted 2FA code from my mobile app, which it seems wasn't configured correctly on my new phone. The experience left me with multiple questions - what needed to be transferred from my 2FA app on my old phone to my new phone that didn't make it? Why wasn't the email code good enough (as that is literally already two factors?)

    I've largely stuck with strong passwords for most of my accounts because of issues like these, and others I saw first hand - such as when my dad used to have a password db on a Palm Pilot. He had no backups; at some point the device failed, and everything was lost. I only felt comfortable moving to a password db once Dropbox became a thing as a result - the balance of security vs. usability is pretty shit if there's a single point of failure with no recovery possible, and I'm not inclined to set up some backup process manually (Dropbox has reliably been something I haven't had to think about for a decade.)

    2FA feels a lot like that to me, except now with multiple points of failure that can be difficult to recover. Backup codes feel half-baked; it strikes me as the kind of thing that was tacked on to help the issues around hardware failure/human error that one _should expect and design for_; instead, we put the onus on the user with "your account may be unrecoverable" warnings as an excuse.

    A better system, IMO, would have N factors and require one less. Keepass is the place where this has bothered me for some time - I can configure things so my db requires a password, and a file, and a Yubikey - but why can't I have two of three? Hell, why can't I have _one_ of two? If I'm in a car crash and die and I want one particular person to cleanup some aspects of my virtual life, it'd be nice if I could give them a key file and let them know there's a Yubikey in a safe deposit box. I feel secure, as no one has all three tokens but me and two are always needed; but I also feel the system is durable, in case something is forgotten, crushed, lost, etc. I dunno, maybe there's people or companies that already do stuff like this and I just don't know about it.
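The "two of three" arrangement this comment asks for is threshold secret sharing. As an added example (my own code, not from the thread or any product), the block below splits a TOTP seed into three shares over GF(2^8) so that any two of them, say a keyfile plus an offsite copy, rebuild the seed while a single share reveals nothing; the sample seed is the RFC 6238 test key and the share count and threshold are constructed values.

```python
import os

# GF(2^8) with the AES reduction polynomial 0x11B; every byte of the secret is
# shared independently with its own random polynomial.
def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _gf_inv(a):
    # In GF(256), a^254 == a^-1 for a != 0 (Fermat's little theorem).
    r = 1
    for _ in range(254):
        r = _gf_mul(r, a)
    return r

def split_secret(secret, threshold, shares):
    """Split each byte with a random degree (threshold-1) polynomial; share i is (i, bytes)."""
    assert 1 < threshold <= shares <= 255
    # Constant term is the secret byte; the remaining coefficients are random.
    polys = [[b] + list(os.urandom(threshold - 1)) for b in secret]
    out = []
    for x in range(1, shares + 1):
        ys = bytearray()
        for poly in polys:
            y = 0
            for c in reversed(poly):       # Horner evaluation at x
                y = _gf_mul(y, x) ^ c
            ys.append(y)
        out.append((x, bytes(ys)))
    return out

def recover_secret(shares):
    """Lagrange interpolation at x=0 from any `threshold` (or more) distinct shares."""
    secret = bytearray()
    for k in range(len(shares[0][1])):
        acc = 0
        for i, (xi, yi) in enumerate(shares):
            num = den = 1
            for j, (xj, _) in enumerate(shares):
                if i != j:
                    num = _gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                    den = _gf_mul(den, xi ^ xj)   # (xi - xj)
            acc ^= _gf_mul(yi[k], _gf_mul(num, _gf_inv(den)))
        secret.append(acc)
    return bytes(secret)

if __name__ == "__main__":
    seed = b"12345678901234567890"            # RFC 6238 test key, stands in for a TOTP seed
    parts = split_secret(seed, threshold=2, shares=3)
    print(recover_secret(parts[:2]) == seed)  # any two shares rebuild the seed
```

Each share must be stored with its index (the `x` in the tuple), and a lone share is indistinguishable from random bytes, which is what makes the offsite copy safe to hand to a trusted person.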

  • It would be useful if people went to their Google Account page, clicked the Security tab, then tried to access the Two Factor Auth page and reported back what options they had to authenticate. Do you have options other than "enter a two factor auth code"? Can you authenticate on that page with SMS or a backup code?

  • This is exactly my current situation, exacerbated by the fact that I cannot contact support as I am a user of legacy Gsuite.

    To get support I would need to upgrade. To upgrade I need to enter my authenticator code. To enter my authenticator code I need to contact support...

  • I had much the same problem with AWS.

    Their 2FA login was not working - my logins were rejected.

    I think I needed to resync.

    The resync pages were not working.

    When 2FA breaks, for whatever reason, there is a form you use to let AWS know.

    You cannot send a message - only a phone number. AWS will call you back.

    Where I was at the time, a phone number was not available.

    That was it. End of the road. 2FA not working, could not log in, the Support I could reach could not help. Support suggested "make new account", as of course they do what they can, which means offering options from within their power, and there was nothing they could do (except suggest a new account).

    Fortunately, I had no servers running. I don't know what would have happened, if I had.

    With email based accounts, the email used to make the account is the email used to recover the password, so making an account also proves the recovery mechanism.

    With 2FA, this is not the case.

    2FA is absolutely necessary for security, but flawed implementations are I would say much more of a risk than the security issues 2FA defends against.

    I am very unlikely to be hacked - I am one in a billion - but if the 2FA mechanism is flawed, it is reasonably likely to affect me.

    Large companies are totally unaware of end user experiences, so when for example 2FA recovery is broken, they have no idea this is occurring.

    It is dangerous for end-users to rely on large companies to implement systems which can block end-user access to critical systems.

  • Microsoft Authenticator syncs across all instances so you just have to log in to a new Authenticator on the new phone and the codes are there. (I think it uses OneDrive).

    I am sure that is less secure than a local only copy but this may be least bad of all alternatives.

    You might even give a trusted person a login and have it on their phone so you can use theirs in an emergency.

  • just be happy you didn't get caught up in the g+ debacle. i did exactly what they told me to do to keep from using a real name across their services and they fucked me 10 ways to sunday for doing so.

    brand account worked great up until ~2013, then they changed something and my settings are all greyed out. can't update phone numbers, can't view mature content, etc. all i can do is collect adsense while the account lasts.

  • Is the only viable solution to have 2FA set up on multiple devices, with at least one device in a "break glass in emergency" type of vault storage?

  • I'm trying to push adoption of 1Password in my workplace, and one of the things that drives me crazy about Google's sign-in process is that they obfuscate the 2FA functionality behind two confusingly-named links.

    First they present 2FA via the Google Mobile app, and you have to click "Try another way", which makes it feel like something has already gone wrong.

    Then they give you the option to use the Google App again, to get an SMS message, to use a backup code, or to use "Google Authenticator".

    So my instructions to a would-be 1Password user are: Sign in with your email address and password, click "Try another way", and then click "Use Google Authenticator", but don't actually use Google Authenticator; use 1Password.

  • The problem I had while my company phone got remote wiped: Google Authenticator uses a protobuf-based export QR code, which no other 2FA app supports.

    I wrote a small cli tool that can export all data inside it, and that tries to generate qrcode images for each entry for re-import into another 2fa app.

    I hope this can help someone with the same problem, I got stuck with a camera photo of this seemingly useless qrcode for a couple hours until I built my tool.

    Always remember to back up Google Authenticator, and always make a physical backup of your encrypted password database!

    [1] https://github.com/cookiengineer/qrcode-extractor
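As an added example (my own code, not the linked tool's and not from this thread), here is a decoder for the `otpauth-migration://` payload that the export in this comment and the "export accounts" tips elsewhere in the thread produce, turning each entry back into a standard `otpauth://` URI and checking the seed with RFC 4226/6238 codes. It assumes the reverse-engineered protobuf field numbering used by open-source extractors, expects the QR image to have already been read by any QR reader into its URI text, and works on a constructed sample payload holding the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Assumption: the reverse-engineered MigrationPayload schema used by open-source
# extractors. OtpParameters fields: 1=secret 2=name 3=issuer 4=algorithm (1=SHA1)
# 5=digits (1=six, 2=eight) 6=type (1=HOTP, 2=TOTP) 7=counter. Verify it against
# your own export before relying on it.
OTP_FIELDS = {1: "secret", 2: "name", 3: "issuer", 4: "algorithm",
              5: "digits", 6: "type", 7: "counter"}

def _read_varint(buf, i):
    """Decode a protobuf base-128 varint starting at buf[i]; return (value, next_i)."""
    val = shift = 0
    while True:
        b, i = buf[i], i + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7

def _parse_fields(buf):
    """Return [(field_number, wire_type, value)] for one protobuf message."""
    fields, i = [], 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        num, wire = key >> 3, key & 7
        if wire == 0:                      # varint
            val, i = _read_varint(buf, i)
        elif wire == 2:                    # length-delimited (bytes, string, message)
            length, i = _read_varint(buf, i)
            val, i = bytes(buf[i:i + length]), i + length
        else:
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((num, wire, val))
    return fields

def decode_migration_uri(uri):
    """Parse an otpauth-migration://offline?data=... URI into a list of entries."""
    parsed = urllib.parse.urlparse(uri)
    if parsed.scheme != "otpauth-migration":
        raise ValueError("not an otpauth-migration URI")
    # parse_qs turns a literal '+' into a space; base64 never contains spaces.
    data = urllib.parse.parse_qs(parsed.query)["data"][0].replace(" ", "+")
    entries = []
    for num, wire, msg in _parse_fields(base64.b64decode(data)):
        if num != 1 or wire != 2:
            continue                       # version / batch bookkeeping fields
        e = {"secret": b"", "name": "", "issuer": "", "algorithm": 1,
             "digits": 1, "type": 2, "counter": 0}
        for n, _, v in _parse_fields(msg):
            if n in OTP_FIELDS:
                e[OTP_FIELDS[n]] = v.decode() if n in (2, 3) else v
        entries.append(e)
    return entries

def to_otpauth_uri(e):
    """Re-emit an entry as the otpauth:// URI that other TOTP apps can import."""
    kind = "hotp" if e["type"] == 1 else "totp"
    label = urllib.parse.quote(e["name"])
    params = {"secret": base64.b32encode(e["secret"]).decode().rstrip("=")}
    if e["issuer"]:
        label = urllib.parse.quote(e["issuer"]) + ":" + label
        params["issuer"] = e["issuer"]
    params["digits"] = 8 if e["digits"] == 2 else 6
    if kind == "hotp":
        params["counter"] = e["counter"]
    return f"otpauth://{kind}/{label}?{urllib.parse.urlencode(params)}"

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with SHA-1; TOTP is HOTP over the 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, at=None, digits=6, step=30):
    return hotp(secret, int((time.time() if at is None else at) // step), digits)

def build_sample_export():
    """Constructed sample export (not a real Google export) holding the RFC 6238 test key."""
    otp = (b"\x0a\x14" + b"12345678901234567890" + b"\x12\x11" + b"alice@example.com"
           + b"\x1a\x07Example" + b"\x20\x01\x28\x01\x30\x02")  # secret, name, issuer, SHA1, 6 digits, TOTP
    payload = b"\x0a" + bytes([len(otp)]) + otp + b"\x10\x01\x18\x01\x20\x00"  # version 1, batch 1 of 1
    return "otpauth-migration://offline?data=" + urllib.parse.quote(base64.b64encode(payload).decode())
```

Feed `decode_migration_uri` the URI text from a real export and pass each entry through `to_otpauth_uri` to get something Aegis, andOTP or 2FAS can import; the plaintext seeds this reveals are exactly why the export QR itself deserves encrypted storage.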

  • I've found in these situations that the most effective way to solve the problem is to contact a Google employee that you know personally. If you can do this, they can fill out a form where they vouch for you, and you can get the account unlocked.

  • I had a similar situation with Facebook.

    Set up 2FA with an app called Duo-somethingorother.

    Broke my phone.

    Trying to use Facebook with new phone requires 2FA. Duo-somethingorother app on the new phone won't authorize my Facebook login because the app on the new phone isn't linked to my Facebook account.

    Result: I'm locked out of Facebook

    Every year or so I follow Facebook's login authentication steps, including sending photos of my government-issued ID, but nothing happens. Facebook support? What's that?

    At this point, all I want to log in to Facebook for is to download the photos from my account. But I'm not in Europe, so I have no rights to my photos and nowhere to complain.

    You get what you pay for.

  • I think that as a regular consumer there is not enough training on how to manage secrets. There is a lack of transparency about the implications of enabling/ignoring security settings. I should not have to be a certified security expert to manage my account properly.

    The deeper issue is the situation is kafkaesque. Imagine explaining to a stereotypical elderly grandparent (with minimal computer experience) that you need to configure a 2FA TOTP on your mobile phone and save backup codes in a secure location. BTW don’t lose your phone or you will need to initiate a complex recovery procedure. Oh BTW you need to memorize a 20 character length passphrase along with the 30 other websites you use. Perhaps you could use a password manager, but it will need a 20 character length password and 2FA TOTP as well. Oh make sure you certify the password hashing function and iteration count follows current NIST-800 guidelines. It will need to reauthenticate periodically so don’t forget your password manager’s passphrase. Be sure to make it a sentence and sprinkle in a number and punctuation mark or two.

    Oh Back to your original account: It might prompt you to log in with a previously known authenticated mobile app at random. There is also a random AI agent scoring how secure your device is and can cancel you at anytime. Oh BTW if you want to have extra protection buy this $30 hardware key we don’t advertise. Actually buy two hardware keys and keep one offsite just in case. Don’t use that key use this one. We might drop the other key for unknown reasons. The key might be exploitable since it has Bluetooth so keep it shielded in a faraday cage at all times.

    The security policy can change at anytime with no warning or requirements notification update. Do not contact customer service, because you are not a customer but a product being sold at data mining auction. Instead you will need to plead your case on Twitter, Reddit, or Hacker News and pray someone working at the company sees it and is willing to help.

  • Tip: You can bulk export your google authenticator app secrets for a disaster recovery like this. I had not seen this functionality before but I'm glad it existed when setting up a new phone yesterday. I remember the old high friction way of having to deregister and reregister for each account.

    Howto:

      ... menu in top right -> export accounts
      make sure all are selected, select export
      It will generate a series of dense QR codes.
      Screenshot / photograph / add to backup phone, save and print for your document safe, whatever.
    
    Of course, this doesn't help if you're already in a loss situation. But recovery this way is SO much easier than typing in a backup code. Recovery is as quick as having the app scan each of the QR codes in sequence. For me it was just 3 dense QR codes.

    I was a little surprised that it was this easy to extract all the secrets. I'm going to have to think even more carefully about what TOTP secrets go in there now.

  • OP: Do you still have adb running on the phone?

    If yes, then you might be able to backup google authenticator's data using adb.

    Alternatively maybe a tool like scrcpy [1] might be able to help when the screen is broken.

    [1] https://github.com/Genymobile/scrcpy

  • I lost access to my Coinbase account a while back because I was using Authenticator on the iPhone and when I bought a new phone and set it up, my Authenticator codes did not transfer with the rest of my data. At that point I stopped using Authenticator. I hope that's still not an issue upgrading iPhones today.

  • Related: I recently bought some Yubikey Security Keys (U2F/FIDO2/WebAuthn only) and decided to update all websites I use with those keys. The problem is virtually no website supports them. I think out of the hundreds of accounts I have only Google, Cloudflare, and 1Password support them. But also the UX is a bit of a disaster:

    https://blog.silverorange.com/web-authn-ux

    I had an old set of YubiKeys which I used as a MFA option for LastPass. In comparison to WebAuthn, the process is dead simple. Input master password and LastPass prompts to touch yubikey. Dead simple with no scary dialogs. I have not seen any website offer an integration with Yubikeys like that. Is that only possible because LastPass was a Chrome extension? Or is it simply lack of demand?

  • Thank you for posting and reminding us that multiple 2FA methods are a good backup plan with Google.

    I just added:

    - SMS
    - Authenticator app (Authy, of course)
    - Generated backup codes

    With that, in addition to my Pixel 4 and maybe 3-4 authorized devices (laptop, Ubuntu desktop, Windows desktop), I feel a bit better about this.

    Sorry for your trouble though, I hope you figure it out.

  • This is horribly frustrating and I'm sorry you are facing this.

    The thing I have taken away from these continual Tell HN posts about Google accounts getting locked up because of 2FA is that the "something you have" factor needs redundancy. I now have my phone, and 4 yubikeys on my household's car keys and in a trusted friend's and a family member's firesafe. These have also given me enough stress that when I visited home for the holidays I added a handful of additional security keys to my aging parents' Google accounts to go with their SMS 2FA.

    Personally I would rather have accounts which are secure and can be lost if I am not careful with my 2nd factors than one that has vulnerabilities that the whole internet can attempt to exploit, but I realize others do not have that same priority.

  • Any possible way to upgrade to a paid account, personal or business, that would grant access to the proper level of support to fix this?

    I realize it's paying the people holding the account hostage, just thinking of practical solutions to get in touch with the right support level who could assist.

  • I do recommend getting 2fas.com ASAP and exporting your codes to iCloud/G Drive.

    If you lose the phone it's easier to recover.

  • At the recommendation of some of those here, and with the help of a webcam to capture my Authenticator QR code, I successfully moved everything over to Aegis. I set up a strong password, stored in my password vault. Aegis lets you do biometric login.

    Took a screenshot of Authenticator's export QR code via the webcam, then added it with Aegis. Then went to Aegis's Settings->Backup and exported a JSON backup, which is encrypted with the password.

    That's a bit more peace of mind.

  • When I was 16 I locked the keys in my parents' old car when I drove it so many times that my father, having grown tired of coming to my rescue, put a spare key on a dog tag chain and told me to wear it around my neck. I continued locking the keys in the car when I would drive it, but it was never a problem again.

    Now I keep a key chain with a yubikey on it that serves as a redundant option for 2fa to authenticate my google account, in addition to the app in my phone. I actually have two of them and the other is in a secure remote location. If you are doing anything critical in your google services you must have multiple 2fa options for disaster recovery.

  • Every Google Authenticator entry I have I duplicate onto a second device that I keep in a safe. My fear of losing my phone has decreased quite a bit when I started doing this.

    To export your codes, click top right ... and then "Export Accounts".

  • I've got a fully airgapped Raspberry Pi, an old version (one without WiFi capability), which has a copy of all my "Google Authenticator", TOTP style, secrets. I made a little terminal app (so no need for a mouse / no need to boot into a GUI), with my secrets protected by a password.

    I use that in addition to Google Authenticator on my phone.

    And in addition to paper backups of the secrets (I don't print the QR code: I write the secret down, like 16 letters) which I keep in a safe.

    I've also set someone as the person of trust should I not access my email for 6 months.

    And I set up webauthn as well.

    It's a pain but I don't want to have to deal with an account I lost access to.

  • There are going to be way too many people affected by this within the next few years as warranties expire and it's not worth repairing phones. There is no way they won't come up with a better solution as they see engagement drop across all of their properties.

    That said, this is probably a business opportunity for reverse engineering and recovering the 2fa code from broken phones. I suspect there is a key stored locally, and tied to the device id. If you could get a setup together for reliably extracting/cloning that info, people locked out of essential services would be willing to pay.

  • Here is an anecdote. I had my iPhone replaced last year due to a battery issue and I forgot to migrate my authenticator codes to the new phone (I did not realize they did not restore if you changed phones). I was able to log in via a known authenticated web browser and reset my 2FA TOTP. I am a little hazy on if it used my mobile gmail app as a second factor though (with content restored from backup). I did not need my backup code. Perhaps it would be good to get an additional hardware security key for the account just in case.

  • Another reason to root your phone first thing before you use it for anything.

    Was in a similar situation, having a real backup of every apps data (including the "secret" data) saved me a couple of times.

  • If there is anything worse than having no 2FA, it is to have 2FA with Google. Like, if something is messed up the only way (if any) to recover access to your account is by asking here on HN.

  • Get off Google so you don't have to deal with zero customer service:

    https://github.com/tycrek/degoogle

  • Add this to the list of reasons I don't fk with Google Authenticator. It used to be hard to even get the backup codes, or maybe it still is, idk.

  • Don’t trust any apps to handle backup and syncing TOTP keys for you. Glitches happen.

    I encrypt and back up all TOTP secret keys, which are used to generate six digit codes, to my local offline password store (usb key and paper). In fact, I mostly use my laptop as the second factor because it is more convenient. My phone also has the TOTP key and in case it is lost, I can just regenerate the QR code.

  • It’s worth mentioning that, although Google Authenticator allows one to export two factor authentication codes, it’s only in the format of a QR code that can be scanned by another phone. It doesn’t provide the option of exporting 2FA codes in an encrypted file that one could store in a safe place.

    So it seems that the backup is intended that the user purchases a second phone!

  • Google's 2FA is terrible for Google Workspace when you add a phone number. In that case, you are up to the whim of the country to allow your SMS to be received (serious consideration in some parts of the world). When a phone is added, you will not be able to use a device for 2fa, but it always defaults to SMS!

  • The person who successfully convinced people that 2FA is actually more secure is the biggest scumbag in history.

    The lost productivity dealing with shitty 2FA implementations and the subsequent shitty customer support is enough to build all 7 wonders of the world many times over.

  • I use Authy with a second backup phone. You can install Authy on two or more devices so you can recover from situations like this. After the backup phone is set up, I turn off the ability to add more devices in the settings.

  • Github sure does seem to have the best 2FA, methods, recovery options, etc. All super straightforward and reliable.

    Has anyone experienced otherwise with Github?

    I wish all platforms modeled their 2FA to be like Github's.

  • Interesting. I have to 2FA to get into my account but when I go to modify 2FA I only need my password.

    Thank god I keep 2FA in Bitwarden. I did not realize I'm this close to losing my Gmail. Jesus.

  • This seems like a bug, not a feature.

    Personally I have Authenticator for day to day use, a Yubikey for restoring access if something happens to my phone, and backup codes.

  • If you also have SMS codes enabled, in addition to the authenticator app, will the SMS codes work if you lose access to your authenticator app?

  • Same thing happened to me. The backup paper 2FA codes I kept failed when my Pixel phone spontaneously bricked itself.

  • Always backup your 2FA.

    I keep a cold yubikey in a locked cabinet at work as well as my TOTP secret, encrypted and printed.

  • What are you supposed to do in this situation? Post on HN / Reddit.

  • I hate current popular implementations of 2FA and similar IT fads for this exact reason. They are inherently insecure, and any security professional who pushes them without serious thought through all the failure modes should be blacklisted from the industry.

  • Try enrolling another 2FA method while you're in there.

  • Which non google 2FA app would folks recommend?

  • It’s always good to have a Yubikey

  • Proton mail for the win

  • TOTP is bad 2FA. Google supports U2F security keys. Use them.

  • Google 2FA is a security feature that requires you to enter a code to access your account. It is a second layer of security to your account.

  • Side-comment: is there a type of shadowban with HN where my posts do not make it into the frontpage, even 2 or 3 or more pages deep?

    I've seen this with a few of my posts recently where they appear in the 'new' and 'show' or 'ask' tabs, but not the frontpage, even 300 posts deep while similarly aged and upvoted posts are on the second page.

    edit: now it's on the frontpage! Guess it just had to hit a vote threshold.